changing btmp perms to 600 on RHEL systems

cb038662 · Jonathan Lent · 37536fdb · cb038662 · cb038662
Commit cb038662 authored 9 years ago by Jonathan Lent
--- a/NEWS
+++ b/NEWS
 unreleased (??)
+    [newsyslog] Change permissions of /var/log/btmp to '600' in RHEL
+    systems so that sshd stops complaining (jlent)
    [dns] Make dns_cache a class-level parameter, so that it can be set in 
    Hiera (as base::dns::dns_cache) (akkornel)

--- a/manifests/newsyslog.pp
+++ b/manifests/newsyslog.pp
@@ -48,6 +48,14 @@ class base::newsyslog {
      purge   => true,
  }
+  # btmp permissions must be 600 in RHEL systems
+  # sshd on RHEL systems will complain otherwise, since bad ssh attempts
+  # often are the result of entering a password as a username
+  $btmp_perms = $osfamily ? {
+    'RedHat' => '600',
+    default  => '660',
+  }
  # Rotate btmp and wtmp monthly and save one year's worth of those files.
  # This requires two separate log configurations because there isn't a way to
  # represent different permissions for different files in
@@ -56,7 +64,7 @@ class base::newsyslog {
    frequency => 'monthly',
    log_owner => 'root',
    log_group => 'utmp',
-    log_mode  => '660',
+    log_mode  => $btmp_perms,
    logs      => [ 'btmp' ],
    save_num  => '12',
  }
@@ -75,7 +83,7 @@ class base::newsyslog {
    ensure => file,
    owner  => 'root',
    group  => 'utmp',
-    mode   => '0660',
+    mode   => $btmp_perms,
  }
  # Remove an old misspelled configuration file.