Add (untested) lastlog disabling support.

diff --git a/README b/README
index 3a0ef240ff2e89d0b3508db299c53caf19943f25..48100c5d58bbbffa94f278a2feb8e2e357262f9f 100644 (file)
--- a/README
+++ b/README
@@ -22,6 +22,12 @@ $disable_faillog
 Default: faillog is disabled.
 When set to false, faillog is enabled.
 
+$disable_lastlog
+----------------
+
+Default: lastlog is disabled.
+When set to a false, non-empty value, lastlog is not changed.
+
 Copyright
 =========
 

diff --git a/manifests/debian.pp b/manifests/debian.pp
index 8bc296d9f3748f56e988ec708fd4828d889db115..8cf95f16145fc99377114fe8fed1f9ae57fe54aa 100644 (file)
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -1,5 +1,6 @@
 class loginrecords::debian inherits loginrecords::base {
 
+    $pam_login_file  = '/etc/pam.d/login'
     $login_defs_file = '/etc/login.defs'
 
     if $disable_faillog {
@@ -9,4 +10,8 @@ class loginrecords::debian inherits loginrecords::base {
         include loginrecords::faillog::enable
     }
 
+    if $disable_lastlog {
+        include loginrecords::lastlog::disable
+    }
+
 }

diff --git a/manifests/init.pp b/manifests/init.pp
index 0dbe627f354ff4813ca625ea8f25cc81d29ea298..6826c32d07855bdfe5ad1fa63d561c43a5fe9f9a 100644 (file)
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -6,6 +6,9 @@ class loginrecords {
     if $disable_faillog == '' {
         $disable_faillog = true
     }
+    if $disable_lastlog == '' {
+        $disable_lastlog = true
+    }
 
     # Include main class
     case $kernel {

diff --git a/manifests/lastlog.pp b/manifests/lastlog.pp
new file mode 100644 (file)
index 0000000..da6c735
--- /dev/null
+++ b/manifests/lastlog.pp
@@ -0,0 +1,7 @@
+class loginrecords::lastlog::disable {
+    replace { 'loginrecords-lastlog-disable':
+        file        => $pam_login_file,
+        pattern     => '^session[[:space:]]+optional[[:space:]]+pam_lastlog.so$',
+        replacement => '#session    optional   pam_lastlog.so',
+    }
+}