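#!/bin/bash
#
# Final image-preparation step for a dnf/grubby based system (RHEL-family):
# updates packages, adds audit kernel options to GRUB, tightens cron
# permissions and scrubs build-time state (login/audit logs, persistent udev
# rules, temp files, SSH host keys, machine-id, shell history) so the image
# can be re-initialised by cloud-init on first boot.
#
# Must run as root. It is destructive by design and meant to be executed
# exactly once, as the last step of an image build.

set -euo pipefail

# Kernel command-line options added to GRUB_CMDLINE_LINUX and to every
# installed kernel entry.
readonly -a KERNEL_OPTIONS=(
  'audit=1'
  'audit_backlog_limit=8192'
)
readonly GRUB_DEFAULTS_FILE=/etc/default/grub

#######################################
# Prints a progress line to stdout.
# Arguments: message words
#######################################
log() {
  printf '> %s\n' "$*"
}

#######################################
# Prints an error to stderr and exits with status 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Truncates each given regular file to zero bytes; missing files are skipped.
# Arguments: paths
#######################################
truncate_if_present() {
  local path
  for path in "$@"; do
    if [[ -f "$path" ]]; then
      truncate -s 0 -- "$path"
    fi
  done
}

#######################################
# Removes everything below a directory (dotfiles included) while keeping the
# directory itself; a missing directory is a no-op.
# Arguments: $1 - directory
#######################################
empty_dir() {
  local dir=$1
  [[ -d "$dir" ]] || return 0
  # -xdev keeps the delete from descending into anything mounted below $dir.
  find "$dir" -mindepth 1 -xdev -delete
}

#######################################
# Updates all packages and drops the dnf caches.
#######################################
update_system() {
  log 'Update packages ...'
  dnf -yq update
  dnf -q clean all
}

#######################################
# Merges KERNEL_OPTIONS into GRUB_CMDLINE_LINUX in /etc/default/grub
# (de-duplicated, first-seen order kept), pushes the same options to every
# installed kernel entry with grubby and restricts access to grub.cfg.
# Globals:   KERNEL_OPTIONS, GRUB_DEFAULTS_FILE (read); the grub files (written)
# Returns:   exits via die when GRUB_CMDLINE_LINUX uses a quoting style this
#            function does not parse
#######################################
set_grub_config() {
  log 'Set grub config ...'

  local current merged escaped opt
  local -a opts=()

  # Value inside the quotes of an uncommented GRUB_CMDLINE_LINUX="..." line
  # (the last definition wins); empty when no such line exists. Only the
  # double-quoted form shipped by default is parsed.
  current=$(sed -n -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' \
    -- "$GRUB_DEFAULTS_FILE" | tail -n 1)
  read -r -a opts <<<"$current"
  opts+=("${KERNEL_OPTIONS[@]}")

  # awk keeps the first occurrence of each option; paste joins with spaces.
  # Order is preserved on purpose: kernel parameters can be order-sensitive.
  merged=$(printf '%s\n' "${opts[@]}" | awk '!seen[$0]++' | paste -sd ' ' -)

  if grep -q -e '^GRUB_CMDLINE_LINUX="' -- "$GRUB_DEFAULTS_FILE"; then
    # Escape the characters that are special in a sed replacement (\ & and
    # the @ delimiter) so an option value cannot corrupt the expression.
    escaped=$(printf '%s' "$merged" | sed -e 's/[\\&@]/\\&/g')
    sed -i -e "s@^GRUB_CMDLINE_LINUX=\".*\"@GRUB_CMDLINE_LINUX=\"${escaped}\"@" \
      -- "$GRUB_DEFAULTS_FILE"
  elif grep -q -e '^GRUB_CMDLINE_LINUX=' -- "$GRUB_DEFAULTS_FILE"; then
    die "unsupported GRUB_CMDLINE_LINUX quoting in ${GRUB_DEFAULTS_FILE}"
  else
    printf 'GRUB_CMDLINE_LINUX="%s"\n' "$merged" >>"$GRUB_DEFAULTS_FILE"
  fi

  # grubby is driven from the same array, so the two lists cannot drift.
  for opt in "${KERNEL_OPTIONS[@]}"; do
    grubby --update-kernel=ALL --args="$opt"
  done

  # Keep the generated boot configuration unreadable to non-root users.
  # NOTE(review): path assumes the BIOS layout; UEFI installs keep grub.cfg
  # under /boot/efi — confirm for this image.
  chmod 600 /boot/grub2/grub.cfg
}

#######################################
# Restricts the cron directories and crontab to root only and removes the
# deny list so only the default policy applies.
#######################################
set_cron_permissions() {
  log 'Set cron permissions ...'
  local dir
  for dir in /etc/cron.d /etc/cron.daily /etc/cron.hourly \
    /etc/cron.monthly /etc/cron.weekly; do
    chmod 0700 -- "$dir"
  done
  chmod 0600 -- /etc/crontab
  # cron.deny is a plain file; -r is not needed and would hide mistakes.
  rm -f -- /etc/cron.deny
}

#######################################
# Empties the audit log and the login records accumulated during the build.
#######################################
clean_logs() {
  log 'Cleaning all audit logs ...'
  # btmp (failed logins) is emptied alongside wtmp/lastlog; files that do
  # not exist on this image are skipped.
  truncate_if_present /var/log/audit/audit.log /var/log/wtmp \
    /var/log/btmp /var/log/lastlog
}

#######################################
# Drops the persistent network-interface naming rules captured at build time.
#######################################
clean_udev_rules() {
  log 'Cleaning persistent udev rules ...'
  rm -f -- /etc/udev/rules.d/70-persistent-net.rules
}

#######################################
# Empties the temporary directories and the dnf cache.
#######################################
clean_tmp() {
  log 'Cleaning /tmp directories ...'
  local dir
  for dir in /tmp /var/tmp /var/cache/dnf; do
    empty_dir "$dir"
  done
}

#######################################
# Shreds the SSH host keys and removes build-time root SSH access.
# NOTE(review): host keys must be regenerated on first boot (sshd-keygen or
# cloud-init's ssh module) — confirm the image enables one of them.
#######################################
clean_ssh() {
  log 'Cleaning the SSH keys ...'
  local key
  local -a keys=()
  # Collect matches first so an empty glob is a no-op rather than a literal
  # "*_key" argument that makes shred fail under set -e.
  for key in /etc/ssh/*_key /etc/ssh/*_key.pub; do
    if [[ -e "$key" ]]; then
      keys+=("$key")
    fi
  done
  if (( ${#keys[@]} > 0 )); then
    shred -u -- "${keys[@]}"
  fi
  rm -f -- /etc/ssh/ssh_config.d/allow-root-ssh.conf /root/.ssh/authorized_keys
}

#######################################
# Resets the machine-id so each clone gets a unique one on first boot.
#######################################
clean_machine_id() {
  log 'Cleaning the machine-id ...'
  # An empty (not missing) /etc/machine-id makes systemd generate a new id
  # at boot.
  truncate -s 0 -- /etc/machine-id
  mkdir -p -- /var/lib/dbus
  # D-Bus must see the same id: replace its copy with a symlink.
  ln -sf -- /etc/machine-id /var/lib/dbus/machine-id
}

#######################################
# Re-enables cloud-init by removing the disable marker.
#######################################
prepare_cloud_init() {
  log 'Preparing cloud-init ...'
  rm -f -- /etc/cloud/cloud-init.disabled
}

#######################################
# Removes the shell history of the invoking user and of root.
#######################################
clean_shell_history() {
  log 'Cleaning the shell history ...'
  # Stop this shell from writing a history file on exit, drop what is in
  # memory, then delete the on-disk files (no need to rewrite them first).
  unset HISTFILE
  history -c
  rm -f -- ~/.bash_history /root/.bash_history
}

#######################################
# Entry point: refuses to run unprivileged, then performs every step in order.
#######################################
main() {
  (( EUID == 0 )) || die 'this script must run as root'
  update_system
  set_grub_config
  set_cron_permissions
  clean_logs
  clean_udev_rules
  clean_tmp
  clean_ssh
  clean_machine_id
  prepare_cloud_init
  clean_shell_history
  log 'Done.'
}

main "$@"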