From d9ded258d58a8fe11feedea6ea35859c0b40df5f Mon Sep 17 00:00:00 2001
From: Thomas Bellman <bellman@lysator.liu.se>
Date: Sat, 29 Sep 2018 22:18:45 +0200
Subject: [PATCH] Definition for managing /etc/securetty entries.

This adds a definition console::rootlogin for allowing or forbidding
root logins on specific terminals, i.e. entries in /etc/securetty.
---
 manifests/rootlogin.pp | 44 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 manifests/rootlogin.pp

diff --git a/manifests/rootlogin.pp b/manifests/rootlogin.pp
new file mode 100644
index 0000000..2781969
--- /dev/null
+++ b/manifests/rootlogin.pp
@@ -0,0 +1,44 @@
+# Copyright © 2019   Thomas Bellman, Linköping, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Allow or forbid root to login on specific terminals.
+ * Manages entries in /etc/securetty.
+ *
+ * Parameters:
+ *  - name	Name of terminal device, without the /dev/ prefix.
+ *  - ensure	Wether to 'allow' or 'forbid' root to login on the
+ *		terminal in question.
+ */
+define console::rootlogin($ensure)
+{
+    case $ensure
+    {
+	'allow': {
+	    augeas {
+		"console::serial::login::securetty::${name}":
+		    incl => '/etc/securetty',
+		    lens => 'Securetty.lns',
+		    context => '/files/etc/securetty',
+		    changes => "set 099 '${name}'",
+		    onlyif => "get *[.='${name}'] != '${name}'";
+	    }
+	}
+
+	'forbid': {
+	    augeas {
+		"console::serial::login::securetty::${name}":
+		    incl => '/etc/securetty',
+		    lens => 'Securetty.lns',
+		    context => '/files/etc/securetty',
+		    changes => "rm *[.='${name}']";
+	    }
+	}
+
+	default: {
+	    fail("Console::Rootlogin[${title}]: ",
+		 "Bad value for parameter ensure, `${ensure}'")
+	}
+    }
+}
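Review bot: `$name` is interpolated without validation into single-quoted Augeas expressions in three places: `set 099 '${name}'`, the `onlyif` comparison, and `rm *[.='${name}']`. A title containing a single quote, whitespace or a bracket would change the meaning of the path expression rather than being taken as a literal terminal name, and in the 'forbid' branch that expression decides which securetty lines are removed. A guard ahead of the `case` would close this, for example `if $name !~ /^[A-Za-z0-9][A-Za-z0-9_.\/:-]*$/ { fail("Console::Rootlogin[${title}]: Bad terminal name") }`, with the character set adjusted to the device names the module means to accept. The header comment could also state that 'forbid' only removes a matching line, so as far as I can tell it restricts nothing on a host where /etc/securetty is absent or pam_securetty is not in the PAM stack.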
-- 
GitLab