From ef2e21a7644eb5eb6d31bad47076a33abb02801c Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Sun, 17 Oct 2010 20:23:20 +0200
Subject: Also disable /var/run/utmp (opt-out).
---
 README | 8 +++++---
 manifests/debian.pp | 8 ++++++++
 manifests/init.pp | 3 +++
 manifests/utmp.pp | 9 +++++++++
 4 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 manifests/utmp.pp
diff --git a/README b/README
index a9cf0ef..94571ec 100644
--- a/README
+++ b/README
@@ -16,10 +16,12 @@ Dependencies
 Configuration
 =============
-$disable_btmp, $disable_wtmp
-----------------------------
+$disable_btmp, $disable_utmp, $disable_wtmp
+-------------------------------------------
+
+Default: /var/log/btmp, /var/run/utmp and /var/log/wtmp are ensured to
+be absent.
-Default: /var/log/btmp and /var/log/wtmp are ensured to be absent.
 These variables, when set to a false, non-empty value, have these files created and their logging enabled again.
diff --git a/manifests/debian.pp b/manifests/debian.pp
index d8432d6..3d4c7c1 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -3,6 +3,7 @@ class loginrecords::debian inherits loginrecords::base {
 $pam_login_file = '/etc/pam.d/login'
 $login_defs_file = '/etc/login.defs'
 $btmp_file = '/var/log/btmp'
+ $utmp_file = '/var/run/utmp'
 $wtmp_file = '/var/log/wtmp'
 if $disable_btmp {
@@ -23,6 +24,13 @@ class loginrecords::debian inherits loginrecords::base {
 include loginrecords::lastlog::disable
 }
+ if $disable_utmp {
+ include loginrecords::utmp::disable
+ }
+ else {
+ include loginrecords::utmp::enable
+ }
+
 if $disable_wtmp {
 include loginrecords::wtmp::disable
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index e575dee..b2d063b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -12,6 +12,9 @@ class loginrecords {
 if $disable_lastlog == '' {
 $disable_lastlog = true
 }
+ if $disable_utmp == '' {
+ $disable_utmp = true
+ }
 if $disable_wtmp == '' {
 $disable_wtmp = true
 }
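Review bot: The opt-out tested at `if $disable_utmp {` in the second debian.pp hunk depends on truthiness, and the default added in init.pp only replaces the empty string, so a non-empty string such as `'false'` passes through and, because Puppet treats a non-empty string as true, still selects loginrecords::utmp::disable. An operator who believes utmp logging was re-enabled would then have the file removed anyway. A comment beside the default would make the contract explicit, for example `# opt out with the boolean false; the string 'false' is truthy and keeps utmp disabled`. The class bodies extend outside both hunks, so how the other $disable_* flags are handled is only partly visible here.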
diff --git a/manifests/utmp.pp b/manifests/utmp.pp
new file mode 100644
index 0000000..3b79374
--- /dev/null
+++ b/manifests/utmp.pp
@@ -0,0 +1,9 @@
+class loginrecords::utmp::disable {
+ file { "$utmp_file": ensure => 'absent' }
+}
+
+class loginrecords::utmp::enable {
+ file { "$utmp_file":
+ ensure => 'present', mode => 660, owner => 'root', group => 'utmp',
+ }
+}
-- cgit v1.2.3
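Review bot: `mode => 660` in loginrecords::utmp::enable is an unquoted number and is tighter than the 0664 that utmp usually carries, so when logging is re-enabled unprivileged users running who or w would presumably see no sessions. If the restriction is deliberate, quote it and say so, e.g. `mode => '0660', # not world-readable on purpose`; otherwise `mode => '0664'` matches the usual layout. Separately, `ensure => 'absent'` in loginrecords::utmp::disable only removes the file when the agent runs; if the boot scripts on the target recreate /var/run/utmp (worth confirming on Debian), sessions are recorded again until the next run, which the README's "ensured to be absent" does not mention. Both classes read `$utmp_file` from the including scope, so the variable set in debian.pp must be visible wherever they are included.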