Merge pull request #18 from jordiprats/master

improved pam::ttyaudit class
NTTCom-MS · Sep 20, 2017 · 1d04577 · 1d04577
2 parents 90a3e22 + 5cc0110
commit 1d04577
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 16 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,6 @@
 /spec/fixtures/manifests
 /spec/fixtures/modules
 /Gemfile.lock
+/.yardwarns
+/.yardoc
+/doc
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## 0.1.15
+
+* added ensure to **pam::ttyaudit**
+
 ## 0.1.14
 
 * improved CIS support by setting an arbitrary option order

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -43,7 +43,7 @@
           $cracklib_package_name = 'libpwquality'
           $pwqualityconf = '/etc/security/pwquality.conf'
           $pamcracklib = false
-          $pam_lockout='faillock'
+          $pam_lockout = 'faillock'
           #
           $authconfig_systemauth_custom_file='/etc/pam.d/system-auth-local'
           $authconfig_systemauth_template="${module_name}/lockout/faillock/systemauth.erb"

diff --git a/manifests/ttyaudit.pp b/manifests/ttyaudit.pp
@@ -1,14 +1,14 @@
 #
+# @param ensure enable/disable pam_tty_audit (default: present)
+# @param enable array of userts to enable pam_tty_audit
+# @param disable array of users without pam_tty_audit (default: empty array)
+#
 class pam::ttyaudit (
-                      $disable=undef,
-                      $enable=['*']
+                      $ensure  = 'present',
+                      $enable  = [ '*' ],
+                      $disable = [],
                     ) inherits pam::params {
 
-  if($disable!=undef)
-  {
-    validate_array($disable)
-  }
-
   if($enable!=undef)
   {
     validate_array($enable)
@@ -18,12 +18,24 @@
     path => '/sbin:/bin:/usr/sbin:/usr/bin',
   }
 
-  #    command => "sed '/pam_tty_audit.so/d' -i /etc/pam.d/sshd; echo 'session required pam_tty_audit.so enable=${enable}' >> /etc/pam.d/sshd",
-  #    unless  => "grep 'session required pam_tty_audit.so enable=${enable}' /etc/pam.d/sshd",
-  exec { 'afegint pam_tty_audit sshd':
-    command => inline_template('sed \'/pam_tty_audit.so/d\' -i /etc/pam.d/sshd; echo \'session required pam_tty_audit.so<% if defined?(@disable) %> disable=<%= @disable.join(\',\') %><% end %> enable=<%= @enable.join(\',\') %>\' >> /etc/pam.d/sshd'),
-    unless  => inline_template('grep \'session required pam_tty_audit.so<% if defined?(@disable) %> disable=<%= @disable.join(\',\') %><% end %> enable=<%= @enable.join(\',\') %>\' /etc/pam.d/sshd'),
+  case $ensure
+  {
+    'present':
+    {
+      #    command => "sed '/pam_tty_audit.so/d' -i /etc/pam.d/sshd; echo 'session required pam_tty_audit.so enable=${enable}' >> /etc/pam.d/sshd",
+      #    unless  => "grep 'session required pam_tty_audit.so enable=${enable}' /etc/pam.d/sshd",
+      exec { 'afegint pam_tty_audit sshd':
+        command => inline_template('sed \'/pam_tty_audit.so/d\' -i /etc/pam.d/sshd; echo \'session required pam_tty_audit.so<% if @disable.any? %> disable=<%= @disable.join(\',\') %><% end %> enable=<%= @enable.join(\',\') %>\' >> /etc/pam.d/sshd'),
+        unless  => inline_template('grep \'session required pam_tty_audit.so<% if @disable.any? %> disable=<%= @disable.join(\',\') %><% end %> enable=<%= @enable.join(\',\') %>\' /etc/pam.d/sshd'),
+      }
+    }
+    'absent':
+    {
+      exec { 'eliminant pam_tty_audit sshd':
+        command => inline_template('sed \'/pam_tty_audit.so/d\' -i /etc/pam.d/sshd'),
+        onlyif  => inline_template('grep \'session required pam_tty_audit.so\' /etc/pam.d/sshd'),
+      }
+    }
+    default: { fail('unsupported') }
   }
-
-
 }
diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "eyp-pam",
-  "version": "0.1.14",
+  "version": "0.1.15",
   "author": "eyp",
   "summary": "PAM modules, /etc/security/limits.conf and /etc/securetty management",
   "license": "Apache-2.0",