From b85da540b2a4a7626f1b8ec5bb0231502e3452cc Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Tue, 20 Sep 2022 08:45:09 +0200
Subject: [PATCH] feat: add audit kernel options to grub
---
 rocky-9/data/init.ks.pkrtpl.hcl | 3 ++-
 scripts/20-rocky-9.sh | 28 +++++++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/rocky-9/data/init.ks.pkrtpl.hcl b/rocky-9/data/init.ks.pkrtpl.hcl
index 69f4cea..9621dac 100644
--- a/rocky-9/data/init.ks.pkrtpl.hcl
+++ b/rocky-9/data/init.ks.pkrtpl.hcl
@@ -70,7 +70,7 @@ volgroup vg00 --pesize=4096 pv.01
 ### Create logical volumes.
 logvol swap --fstype swap --name=lv_swap --vgname=vg00 --size=2048 --label=SWAPFS
 logvol / --fstype xfs --name=lv_root --vgname=vg00 --size=6000 --label=ROOTFS
-logvol /home --fstype xfs --name=lv_home --vgname=vg00 --size=3000 --label=HOMEFS
+logvol /home --fstype xfs --name=lv_home --vgname=vg00 --size=3000 --label=HOMEFS --fsoptions="nodev"
 logvol /opt --fstype xfs --name=lv_opt --vgname=vg00 --size=1000 --label=OPTFS
 logvol /tmp --fstype xfs --name=lv_tmp --vgname=vg00 --size=512 --label=TMPFS --fsoptions="nosuid,noexec,nodev"
 logvol /var --fstype xfs --name=lv_var --vgname=vg00 --size=2000 --label=VARFS --fsoptions="nosuid"
@@ -99,6 +99,7 @@ curl
 python3
 python3-libselinux
 jq
+grubby
 -aic94xx-firmware
 -atmel-firmware
 -b43-openfwwf
diff --git a/scripts/20-rocky-9.sh b/scripts/20-rocky-9.sh
index 3babe89..54a4cec 100644
--- a/scripts/20-rocky-9.sh
+++ b/scripts/20-rocky-9.sh
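Review bot: The `logvol /home` line in rocky-9/data/init.ks.pkrtpl.hcl gains `nodev` only, so setuid binaries placed under /home are still honoured. Hardening baselines for RHEL-family systems commonly ask for `nosuid` on /home as well; if no setuid binaries are expected there, the option would read `--fsoptions="nodev,nosuid"`. The `/var` line in the same list carries `nosuid` without `nodev`, so the two are worth aligning in the same change.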
@@ -1,11 +1,37 @@
 #!/bin/bash
 set -eo pipefail
-#### Update system
+### Update system
 echo '> Update packages ...'
 dnf -yq update
 dnf -q clean all
+## Adjust Grub config
+echo '> Adjust Grub config ...'
+KERNEL_OPTIONS=(
+ 'audit=1'
+ 'audit_backlog_limit=8192'
+)
+sed -i -e \
+ "s/.*GRUB_CMDLINE_LINUX=\"\(.*\)\"/GRUB_CMDLINE_LINUX=\"\1 ${KERNEL_OPTIONS[*]}\"/" \
+ /etc/default/grub
+
+# Remove any repeated (de-duplicate) Kernel options.
+OPTIONS=$(sed -e \
+ "s/GRUB_CMDLINE_LINUX=\"\(.*\)\"/GRUB_CMDLINE_LINUX=\"\1 ${KERNEL_OPTIONS[*]}\"/" \
+ /etc/default/grub |
+ grep -E '^GRUB_CMDLINE_LINUX=' |
+ sed -e 's/GRUB_CMDLINE_LINUX=\"\(.*\)\"/\1/' |
+ tr ' ' '\n' | sort -u | tr '\n' ' ' | xargs)
+
+sed -i -e \
+ "s@GRUB_CMDLINE_LINUX=\"\(.*\)\"@GRUB_CMDLINE_LINUX=\"${OPTIONS}\"@" \
+ /etc/default/grub
+
+grubby --update-kernel=ALL --args="audit=1"
+grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
+chmod 600 /boot/grub2/grub.cfg
+
 ### Cleans all audit logs
 echo '> Cleaning all audit logs ...'
 if [ -f /var/log/audit/audit.log ]; then
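Review bot: The three `sed` passes over `GRUB_CMDLINE_LINUX` can finish without the audit options in place and still exit 0, because `sed` succeeds when its pattern matches nothing, and the `sort -u` de-duplication rewrites every existing argument in sorted order, which matters for order-sensitive options such as `console=`. The leading `.*` in the first expression also matches a commented-out `#GRUB_CMDLINE_LINUX=` line and would activate it. I would append only the options that are missing, fail the build if they are not present afterwards, and pass the same array to grubby so the two option lists cannot drift apart. `chmod 600 /boot/grub2/grub.cfg` aborts the script under `set -e` if that path does not exist, which is worth confirming for every image variant built with this script.

```shell
# … unchanged: echo and KERNEL_OPTIONS array …
for opt in "${KERNEL_OPTIONS[@]}"; do
    pattern="^GRUB_CMDLINE_LINUX=\"(.* )?${opt}( .*)?\""
    # Append only when missing so existing arguments keep their order.
    if ! grep -Eq "${pattern}" /etc/default/grub; then
        sed -i -e "s@^\(GRUB_CMDLINE_LINUX=\".*\)\"@\1 ${opt}\"@" /etc/default/grub
    fi
    # sed exits 0 even when nothing matched, so confirm the option landed.
    if ! grep -Eq "${pattern}" /etc/default/grub; then
        echo "kernel option ${opt} missing from /etc/default/grub" >&2
        exit 1
    fi
done

grubby --update-kernel=ALL --args="${KERNEL_OPTIONS[*]}"
# … unchanged: chmod 600 /boot/grub2/grub.cfg …
```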