Puppet Class: cis_security_hardening::rules::sshd_printlastlog

Defined in:
manifests/rules/sshd_printlastlog.pp

Summary

Ensure PrintLastLog is enabled

Overview

The operating system must display the date and time of the last successful account logon upon an SSH logon.

Rationale: Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.

Examples:

class { 'cis_security_hardening::rules::sshd_printlastlog':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.



# File 'manifests/rules/sshd_printlastlog.pp', line 19

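class cis_security_hardening::rules::sshd_printlastlog (
  Boolean $enforce = false,
) {
  if $enforce {
    # SLES 12 is pointed at /usr/etc/ssh/sshd_config; every other OS uses /etc/ssh/sshd_config.
    $path = ($facts['os']['name'] == 'SLES' and $facts['os']['release']['major'] == '12') ? {
      true    => '/usr/etc/ssh/sshd_config',
      default => '/etc/ssh/sshd_config',
    }
    # Rewrite an existing (optionally commented-out) PrintLastLog line,
    # or append the directive when no line matches.
    file_line { 'sshd-printlastlog':
      ensure             => present,
      path               => $path,
      line               => 'PrintLastLog yes',
      match              => '^#?PrintLastLog.*',
      append_on_no_match => true,
      # Exec['reload-sshd'] is declared outside this class.
      notify             => Exec['reload-sshd'],
    }
  }
}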
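
An audit-side check for the setting this class manages, added here as an example (it is not part of the cis_security_hardening module). sshd treats keywords case-insensitively and uses the first value it reads, so a differently-cased or indented directive earlier in the file is not rewritten by the case-sensitive `match` pattern and still wins over the appended line. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the PrintLastLog value sshd would take from one config file.
# Files pulled in through Include are not followed; `sshd -T` shows the resolved view.
effective_printlastlog() {
  # $1: path to an sshd_config-style file
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
      line = $0
      sub(/^[ \t]+/, "", line)                # leading whitespace is allowed
      n = match(line, /[ \t=]/)               # keyword ends at whitespace or "="
      if (n == 0) next
      key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
      val = substr(line, n)
      gsub(/^[ \t=]+|[ \t]+$/, "", val)
      if (key == "match") exit                # later directives belong to a Match block
      if (key == "printlastlog") { print val; found = 1; exit }  # first value wins
    }
    END { if (!found) print "yes" }           # OpenSSH default when unset
  ' "$1"
}

# Succeeds only when the effective value is "yes".
check_printlastlog() {
  [ "$(effective_printlastlog "$1")" = "yes" ]
}

# Constructed samples (not taken from any real host).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
# "managed": the commented default was replaced by the enforced line.
printf '%s\n' 'Port 22' '#UsePAM no' 'PrintLastLog yes' > "$sample_dir/managed"
# "shadowed": a lower-case directive precedes the appended line.
printf '%s\n' 'Port 22' 'printlastlog no' 'PrintLastLog yes' > "$sample_dir/shadowed"

for f in managed shadowed; do
  if check_printlastlog "$sample_dir/$f"; then
    echo "$f: compliant"
  else
    echo "$f: NOT compliant (effective value: $(effective_printlastlog "$sample_dir/$f"))"
  fi
done
```

On a live host, `sshd -T | grep -i printlastlog` reports the value after Include files are resolved.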