packer-hcloud/scripts/20-rocky-9.sh
feat: add audit kernel options to grub

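#!/bin/bash
#
# Packer post-provisioning step for the Rocky Linux 9 cloud image: update
# packages, enable kernel auditing from boot (audit=1 plus a larger backlog
# so early-boot events are not dropped), then scrub build-time state (logs,
# SSH host keys, machine-id, shell history) so every instance started from
# the image gets its own identity and none of the build's credentials.
#
# Must run as root, as the last provisioner before the image is captured.
set -euo pipefail

### Update system
echo '> Update packages ...'
dnf -yq update
dnf -q clean all

## Adjust Grub config
echo '> Adjust Grub config ...'
# audit=1 makes the kernel queue audit records before auditd starts;
# audit_backlog_limit raises the queue size (8192 is the value commonly
# recommended by hardening benchmarks) so those early records are kept.
KERNEL_OPTIONS=(
  'audit=1'
  'audit_backlog_limit=8192'
)
GRUB_DEFAULTS=/etc/default/grub

# Make sure there is an (uncommented) GRUB_CMDLINE_LINUX line to edit. Only a
# line starting at column 0 counts: a commented-out "#GRUB_CMDLINE_LINUX=" must
# stay a comment rather than being silently activated by the edit below.
if ! grep -qE '^GRUB_CMDLINE_LINUX=' "$GRUB_DEFAULTS"; then
  echo 'GRUB_CMDLINE_LINUX=""' >>"$GRUB_DEFAULTS"
fi

# Current options (from every matching line), split on whitespace.
read -r -a CURRENT_OPTIONS <<<"$(sed -n -e 's/^GRUB_CMDLINE_LINUX="\(.*\)".*/\1/p' "$GRUB_DEFAULTS" | tr '\n' ' ')"

# Append our options and drop exact repeats while keeping first-seen order.
# Order on the kernel command line can be significant (with several console=
# entries the last one becomes /dev/console), so this deliberately does not
# sort. Only identical tokens are merged: a pre-existing "audit=0" would
# survive next to "audit=1" and has to be fixed in the base image instead.
OPTIONS=$(printf '%s\n' "${CURRENT_OPTIONS[@]}" "${KERNEL_OPTIONS[@]}" \
  | awk 'NF && !seen[$0]++' \
  | paste -sd ' ')

# "@" is the sed delimiter because option values routinely contain "/";
# values containing "@", "&" or "\" would still need escaping (none of ours do).
sed -i -e "s@^GRUB_CMDLINE_LINUX=\".*\"@GRUB_CMDLINE_LINUX=\"${OPTIONS}\"@" "$GRUB_DEFAULTS"

# /etc/default/grub is only consumed when grub2-mkconfig is run; the installed
# kernels read their command line from the BLS entries under
# /boot/loader/entries, which grubby edits in place, so both are updated from
# the same array to keep file and live entries in agreement. (On EL9 grubby
# reportedly rewrites GRUB_CMDLINE_LINUX itself as well — harmless here since
# the values match.)
grubby --update-kernel=ALL --args="${KERNEL_OPTIONS[*]}"

# Keep the generated grub.cfg unreadable to unprivileged users. This path is
# the BIOS-boot layout; on a UEFI install the config lives on the vfat ESP
# under /boot/efi/, where chmod is ineffective anyway — guarded so a missing
# file does not abort the build under set -e.
if [[ -f /boot/grub2/grub.cfg ]]; then
  chmod 600 /boot/grub2/grub.cfg
fi

### Cleans all audit logs
echo '> Cleaning all audit logs ...'
# Truncate in place (rather than rm) so a daemon holding the file open keeps a
# valid descriptor. btmp is the failed-login counterpart of wtmp and would
# otherwise carry build-time login attempts into the image.
for log_file in /var/log/audit/audit.log /var/log/wtmp /var/log/btmp /var/log/lastlog; do
  if [[ -f "$log_file" ]]; then
    : >"$log_file"
  fi
done

### Cleans persistent udev rules
echo '> Cleaning persistent udev rules ...'
# A rule pinning the build VM's MAC address to an interface name would
# rename NICs on every instance cloned from the image.
rm -f -- /etc/udev/rules.d/70-persistent-net.rules

### Clean the /tmp directories
echo '> Cleaning /tmp directories ...'
# -mindepth 1 keeps the directory itself; unlike "rm -rf DIR/*" this also
# removes dot-files. -xdev refuses to descend into anything still mounted
# underneath, so a stray mount cannot have its contents wiped.
for tmp_dir in /tmp /var/tmp /var/cache/dnf; do
  if [[ -d "$tmp_dir" ]]; then
    find "$tmp_dir" -xdev -mindepth 1 -delete
  fi
done

### Clean the SSH keys
echo '> Cleaning the SSH keys ...'
# Host keys must not be baked into the image: every instance would share one
# identity, and a key compromised on one box would cover all of them.
# sshd-keygen regenerates them on first boot. shred's overwrite is only
# best-effort on journaled/CoW filesystems and thin-provisioned cloud disks;
# the regeneration is the protection that actually matters. find tolerates a
# key-less /etc/ssh, where an unmatched glob would make shred fail and abort
# the build under set -e.
find /etc/ssh -maxdepth 1 -type f \( -name '*_key' -o -name '*_key.pub' \) \
  -exec shred -u -- {} +
# The build-time "permit root login" drop-in must not ship in the image.
# sshd reads /etc/ssh/sshd_config.d/ (ssh_config.d/ is the client's
# directory), so both locations are covered regardless of where the earlier
# provisioner wrote the file.
rm -f -- /etc/ssh/ssh_config.d/allow-root-ssh.conf \
  /etc/ssh/sshd_config.d/allow-root-ssh.conf
# Packer's temporary public key must not grant access to every instance.
rm -f -- /root/.ssh/authorized_keys

### Clean the machine-id
echo '> Cleaning the machine-id ...'
# An empty (not deleted) /etc/machine-id makes systemd generate a fresh one
# on first boot; dbus is pointed at the same file so the two never diverge.
truncate -s 0 /etc/machine-id
rm -f -- /var/lib/dbus/machine-id
mkdir -p /var/lib/dbus
ln -s /etc/machine-id /var/lib/dbus/machine-id

### Prepare cloud-init
echo '> Preparing cloud-init ...'
# Re-enable cloud-init for first boot; the marker presumably kept it from
# running during the build, so there is no per-instance state to clean. If
# cloud-init is ever allowed to run during the build, add
# "cloud-init clean --logs" here.
rm -f -- /etc/cloud/cloud-init.disabled

### Clean the shell history
echo '> Cleaning the shell history ...'
# Stop this shell from saving history on exit (with HISTFILE unset there is
# no "-w" target either), drop what it holds, and remove root's history file,
# which may contain secrets passed on build command lines.
unset HISTFILE
history -c
rm -f -- ~/.bash_history /root/.bash_history

### Done
echo '> Done.'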