diff --git a/README.md b/README.md
index 82045c4..a80ec8f 100644
--- a/README.md
+++ b/README.md
@@ -88,6 +88,12 @@ If a different module manages Kerberos for root, disable Kerberos in this module
 root::manage_kerberos: false
 ```
+Set an automatic logout for idle interactive shells (in seconds):
+
+```yaml
+root::logout_timeout: 600
+```
+
 ## Reference
 [http://treydock.github.io/puppet-module-root/](http://treydock.github.io/puppet-module-root/)
diff --git a/manifests/init.pp b/manifests/init.pp
index 4b524e2..f0b0a78 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -44,6 +44,9 @@ # @param ssh_public_key_source # The source for root's SSH RSA public key # +# @param logout_timeout # Time (in seconds) before idle interactive terminals will logout # +# @param manage_kerberos # Boolean that sets if Kerberos files should be managed #
@@ -70,6 +73,7 @@
 Boolean $manage_kerberos = true,
 Array $kerberos_login_principals = [],
 Hash[String[1], Variant[String, Array]] $kerberos_users_commands = {},
+ Optional[Integer[0, default]] $logout_timeout = undef,
 ) inherits root::params {
 if $mailaliases_hiera_merge {
@@ -160,6 +164,28 @@
 notify => Exec['root newaliases'],
 }
+ if $logout_timeout {
+ $timeout_ensure = 'file'
+ } else {
+ $timeout_ensure = 'absent'
+ }
+
+ file {'/etc/profile.d/root_logout_timeout.sh':
+ ensure => $timeout_ensure,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('root/root_logout_timeout.sh.erb')
+ }
+
+ file {'/etc/profile.d/root_logout_timeout.csh':
+ ensure => $timeout_ensure,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('root/root_logout_timeout.csh.erb')
+ }
+
 if $_ssh_authorized_keys =~ Array {
 $_ssh_authorized_keys.each |$key| {
 root::ssh_authorized_key { $key: }
diff --git a/spec/classes/root_spec.rb b/spec/classes/root_spec.rb
index fc06a79..4837a29 100644
--- a/spec/classes/root_spec.rb
+++ b/spec/classes/root_spec.rb
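Review bot: `if $logout_timeout` on the first added line of the -160 hunk treats 0 as a configured value, because only `undef` and `false` are falsy in Puppet, so `logout_timeout => 0` manages both profile.d files with `TMOUT=0` and `autologout 0`, which bash/ksh and tcsh read as "no idle timeout" — the spec's 'with timeout set to 0' context pins exactly that. If 0 is meant as an explicit off switch, say so in the `@param logout_timeout` block of the -44 hunk, e.g. `#   Time (in seconds) before idle interactive terminals will logout; 0 writes a timeout of 0, which the shells treat as disabled`; if it is not, narrow the type to `Integer[1, default]` so a disabling value cannot be set by mistake. The two `file` resources differ only in the extension and template name and could be a single `['sh', 'csh'].each |$ext| { ... }` loop, which also keeps the two files from drifting apart.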
@@ -73,6 +73,14 @@
 it { is_expected.to contain_mailalias('root').with_ensure('absent') }
+ it do
+ is_expected.to contain_file('/etc/profile.d/root_logout_timeout.csh').with(ensure: 'absent')
+ end
+
+ it do
+ is_expected.to contain_file('/etc/profile.d/root_logout_timeout.sh').with(ensure: 'absent')
+ end
+
 context 'authorized_keys as an Array' do
 let(:params) { { ssh_authorized_keys: ['ssh-rsa longhashfoo== foo', 'ssh-dss longhashbar== bar'] } }
@@ -134,6 +142,57 @@
 end
 end
+ context 'with timeout set over 1 minute' do
+ let(:params) { { logout_timeout: 90 } }
+
+ it do
+ is_expected.to contain_file('/etc/profile.d/root_logout_timeout.csh').with(ensure: 'file',
+ owner: 'root',
+ group: 'root',
+ mode: '0644').with_content(%r{^\s*set -r autologout 1$})
+ end
+ it do
+ is_expected.to contain_file('/etc/profile.d/root_logout_timeout.sh').with(ensure: 'file',
+ owner: 'root',
+ group: 'root',
+ mode: '0644').with_content(%r{^\s*TMOUT=90$})
+ end
+ end
+
+ context 'with timeout set less than 1 minute' do
+ let(:params) { { logout_timeout: 20 } }
+
+ it do
+ is_expected.to contain_file('/etc/profile.d/root_logout_timeout.csh').with(ensure: 'file',
+ owner: 'root',
+ group: 'root',
+ mode: '0644').with_content(%r{^\s*set -r autologout 1$})
+ end
+ it do
+ is_expected.to contain_file('/etc/profile.d/root_logout_timeout.sh').with(ensure: 'file',
+ owner: 'root',
+ group: 'root',
+ mode: '0644').with_content(%r{^\s*TMOUT=20$})
+ end
+ end
+
+ context 'with timeout set to 0' do
+ let(:params) { { logout_timeout: 0 } }
+
+ it do
+ is_expected.to contain_file('/etc/profile.d/root_logout_timeout.csh').with(ensure: 'file',
+ owner: 'root',
+ group: 'root',
+ mode: '0644').with_content(%r{^\s*set -r autologout 0$})
+ end
+ it do
+ is_expected.to contain_file('/etc/profile.d/root_logout_timeout.sh').with(ensure: 'file',
+ owner: 'root',
+ group: 'root',
+ mode: '0644').with_content(%r{^\s*TMOUT=0$})
+ end
+ end
+
 context 'export_key => true' do
 let(:params) { { export_key: true } }
 let(:facts) do
diff --git a/templates/root_logout_timeout.csh.erb b/templates/root_logout_timeout.csh.erb
new file mode 100644
index 0000000..99e9362
--- /dev/null
+++ b/templates/root_logout_timeout.csh.erb
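Review bot: The three new contexts repeat the identical `with(ensure: 'file', owner: 'root', group: 'root', mode: '0644')` expectation six times and vary only in the `with_content` regex, so a shared example parameterised on the expected `TMOUT` and `autologout` values would leave each context stating just the numbers under test. The `logout_timeout: 90` context expecting `autologout 1` also pins the csh template's round-down to whole minutes; if that is intended, a one-line comment in the context saying so would stop a later reader from "fixing" it, and a boundary case at exactly 60 (`TMOUT=60`, `autologout 1`) is missing. Both contexts for the sh file only check the `TMOUT=` line, so nothing asserts that `export TMOUT` and the `id -u` guard are present.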
@@ -0,0 +1,11 @@
+# File managed by Puppet (root::logout_timeout = <%= scope['root::logout_timeout'] %>), DO NOT EDIT
+<% if scope['root::logout_timeout'] -%>
+<% inminutes = Integer(scope['root::logout_timeout'] / 60) -%>
+<% if scope['root::logout_timeout'] > 0 && inminutes == 0 -%>
+<%# csh defines in minutes not seconds, cover edge case <60 seconds -%>
+<% inminutes = 1 -%>
+<% end -%>
+if ( `id -u` == "0" ) then
+ set -r autologout <%= inminutes %>
+endif
+<% end -%>
diff --git a/templates/root_logout_timeout.sh.erb b/templates/root_logout_timeout.sh.erb
new file mode 100644
index 0000000..cc69230
--- /dev/null
+++ b/templates/root_logout_timeout.sh.erb
@@ -0,0 +1,7 @@
+# File managed by Puppet (root::logout_timeout = <%= scope['root::logout_timeout'] %>), DO NOT EDIT
+<% if scope['root::logout_timeout'] -%>
+if [ `id -u` = 0 ] ; then
+ TMOUT=<%= scope['root::logout_timeout'] %>
+ export TMOUT
+fi
+<% end -%>
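Review bot: The minute conversion on the `inminutes` line rounds down for values of 60 or more (90 s becomes 1 min) while the edge-case branch below it rounds up for values under 60 (20 s becomes 1 min), so for most settings the tcsh session logs out earlier than the configured value and earlier than the sh file written from the same parameter. Rounding up consistently, `<% inminutes = (scope['root::logout_timeout'] + 59) / 60 -%>`, removes the special case and the comment explaining it; the spec would then expect `autologout 2` for 90, which should be a deliberate choice rather than a side effect. The `Integer(...)` wrapper appears redundant, since the parameter is typed `Integer[0, default]` in init.pp and integer division in Ruby already yields an Integer — presumably the value arrives as a Ruby Integer, which is worth confirming before dropping it.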
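Review bot: `TMOUT` is exported but never made read-only in the sh template, so an interactive root session can simply reassign or unset it and the idle logout is gone, whereas the csh counterpart uses `set -r` and cannot be overridden; the two files therefore enforce different policies for the same parameter. Adding `readonly TMOUT` between the assignment and `export TMOUT` (the form used by common hardening baselines) closes that gap, with the caveat that re-sourcing the profile.d snippet in the same session would then print a harmless "readonly variable" message unless the assignment is guarded. The `[ `id -u` = 0 ]` guard correctly limits the effect to root shells, and note that a parameter of 0 renders `TMOUT=0`, which bash and ksh treat as no timeout, so the file then explicitly disables the logout rather than leaving it unset.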