From d9ded258d58a8fe11feedea6ea35859c0b40df5f Mon Sep 17 00:00:00 2001
From: Thomas Bellman <bellman@lysator.liu.se>
Date: Sat, 29 Sep 2018 22:18:45 +0200
Subject: [PATCH] Definition for managing /etc/securetty entries.

This adds a definition console::rootlogin for allowing or forbidding root logins on specific terminals, i.e. entries in /etc/securetty.
---
manifests/rootlogin.pp | 44 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 manifests/rootlogin.pp
diff --git a/manifests/rootlogin.pp b/manifests/rootlogin.pp
new file mode 100644
index 0000000..2781969
--- /dev/null
+++ b/manifests/rootlogin.pp
@@ -0,0 +1,44 @@
+# Copyright © 2019 Thomas Bellman, Linköping, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Allow or forbid root to login on specific terminals.
+ * Manages entries in /etc/securetty.
+ *
+ * Parameters:
+ * - name Name of terminal device, without the /dev/ prefix.
+ * - ensure Wether to 'allow' or 'forbid' root to login on the
+ * terminal in question.
+ */
+define console::rootlogin($ensure)
+{
+ case $ensure
+ {
+ 'allow': {
+ augeas {
+ "console::serial::login::securetty::${name}":
+ incl => '/etc/securetty',
+ lens => 'Securetty.lns',
+ context => '/files/etc/securetty',
+ changes => "set 099 '${name}'",
+ onlyif => "get *[.='${name}'] != '${name}'";
+ }
+ }
+
+ 'forbid': {
+ augeas {
+ "console::serial::login::securetty::${name}":
+ incl => '/etc/securetty',
+ lens => 'Securetty.lns',
+ context => '/files/etc/securetty',
+ changes => "rm *[.='${name}']";
+ }
+ }
+
+ default: {
+ fail("Console::Rootlogin[${title}]: ",
+ "Bad value for parameter ensure, `${ensure}'")
+ }
+ }
+}
-- GitLab
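Review bot: `$name` goes unvalidated into the Augeas expressions in both branches (`set 099 '${name}'`, `get *[.='${name}'] != '${name}'`, `rm *[.='${name}']`), so a title containing a single quote or path-expression characters would produce a malformed or differently-matching expression against /etc/securetty, the file that decides where root may log in. Only `$ensure` is checked by the `case`. I would reject unexpected names at the top of the define, before the `case`, for example `if $name !~ /^[A-Za-z0-9][A-Za-z0-9_\/.:-]*$/ { fail("Console::Rootlogin[${title}]: Bad terminal name, `${name}'") }`, with the character set adjusted to the device names you actually expect. The header comment could also state that `name` is written verbatim as the securetty entry, so callers know no quoting is applied.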