infra/packer-hcloud
1
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

feat: add audit kernel options to grub
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Robert Kaussow 2022-09-20 08:45:09 +02:00
parent 15d971d909
commit b85da540b2
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
2 changed files with 29 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rocky-9/data/init.ks.pkrtpl.hcl
View File

@ -70,7 +70,7 @@ volgroup vg00 --pesize=4096 pv.01
### Create logical volumes. ### Create logical volumes.
logvol swap --fstype swap --name=lv_swap --vgname=vg00 --size=2048 --label=SWAPFS logvol swap --fstype swap --name=lv_swap --vgname=vg00 --size=2048 --label=SWAPFS
logvol / --fstype xfs --name=lv_root --vgname=vg00 --size=6000 --label=ROOTFS logvol / --fstype xfs --name=lv_root --vgname=vg00 --size=6000 --label=ROOTFS
logvol /home --fstype xfs --name=lv_home --vgname=vg00 --size=3000 --label=HOMEFS logvol /home --fstype xfs --name=lv_home --vgname=vg00 --size=3000 --label=HOMEFS --fsoptions="nodev"
logvol /opt --fstype xfs --name=lv_opt --vgname=vg00 --size=1000 --label=OPTFS logvol /opt --fstype xfs --name=lv_opt --vgname=vg00 --size=1000 --label=OPTFS
logvol /tmp --fstype xfs --name=lv_tmp --vgname=vg00 --size=512 --label=TMPFS --fsoptions="nosuid,noexec,nodev" logvol /tmp --fstype xfs --name=lv_tmp --vgname=vg00 --size=512 --label=TMPFS --fsoptions="nosuid,noexec,nodev"
logvol /var --fstype xfs --name=lv_var --vgname=vg00 --size=2000 --label=VARFS --fsoptions="nosuid" logvol /var --fstype xfs --name=lv_var --vgname=vg00 --size=2000 --label=VARFS --fsoptions="nosuid"
@ -99,6 +99,7 @@ curl
python3 python3
python3-libselinux python3-libselinux
jq jq
grubby
-aic94xx-firmware -aic94xx-firmware
-atmel-firmware -atmel-firmware
-b43-openfwwf -b43-openfwwf

28
scripts/20-rocky-9.sh
View File

@ -1,11 +1,37 @@
#!/bin/bash #!/bin/bash
set -eo pipefail set -eo pipefail
#### Update system ### Update system
echo '> Update packages ...' echo '> Update packages ...'
dnf -yq update dnf -yq update
dnf -q clean all dnf -q clean all
## Adjust Grub config
echo '> Adjust Grub config ...'
KERNEL_OPTIONS=(
'audit=1'
'audit_backlog_limit=8192'
)
sed -i -e \
"s/.*GRUB_CMDLINE_LINUX=\"\(.*\)\"/GRUB_CMDLINE_LINUX=\"\1 ${KERNEL_OPTIONS[*]}\"/" \
/etc/default/grub
# Remove any repeated (de-duplicate) Kernel options.
OPTIONS=$(sed -e \
"s/GRUB_CMDLINE_LINUX=\"\(.*\)\"/GRUB_CMDLINE_LINUX=\"\1 ${KERNEL_OPTIONS[*]}\"/" \
/etc/default/grub |
grep -E '^GRUB_CMDLINE_LINUX=' |
sed -e 's/GRUB_CMDLINE_LINUX=\"\(.*\)\"/\1/' |
tr ' ' '\n' | sort -u | tr '\n' ' ' | xargs)
sed -i -e \
"s@GRUB_CMDLINE_LINUX=\"\(.*\)\"@GRUB_CMDLINE_LINUX=\"${OPTIONS}\"@" \
/etc/default/grub
grubby --update-kernel=ALL --args="audit=1"
grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
chmod 600 /boot/grub2/grub.cfg
### Cleans all audit logs ### Cleans all audit logs
echo '> Cleaning all audit logs ...' echo '> Cleaning all audit logs ...'
if [ -f /var/log/audit/audit.log ]; then if [ -f /var/log/audit/audit.log ]; then