#!/bin/bash
#
# kate: tab-indents off; tab-width 4; indent-width 4;
#
# This file implements the following CIS controls
# --------------------------------------------------------------------
#  3.6       Disable IPv6
#  4.1.3     Enable early boot audit (before auditd starts)
#----------------------------------------------------------------------

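# Absolute, symlink-resolved path of this script. "$0" is quoted so that a
# path containing spaces or glob characters is passed to readlink as a
# single argument, and `--` keeps a leading '-' from being read as an option.
# NOTE(review): SELF is not referenced in the lines visible here; confirm
# whether anything else depends on it before removing it.
SELF=$(readlink -f -- "$0")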

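# Edit /etc/default/grub through Augeas so that GRUB_CMDLINE_LINUX carries
# the two hardening parameters (CIS 3.6 and 4.1.3).
#
# Each `set` below addresses the GRUB_CMDLINE_LINUX token selected by a
# case-insensitive regexp predicate. The predicate is a substring match, so
# any token containing "audit=" (or "ipv6<any char>disable=") is the one
# that gets rewritten.
# NOTE(review): presumably the token is created when nothing matches;
# verify against a grub file that has neither parameter.
#
# --backup asks augtool to keep a copy of each file it modifies.
# /etc/selinux/config is loaded too, but no command here changes it.
#
# The exit status is checked: a hardening step that fails silently leaves
# the host looking compliant when it is not. On failure the script stops
# with augtool's status instead of carrying on as if the controls applied.
augtool_rc=0
augtool --autosave --backup --noautoload >/dev/null <<'EOD' || augtool_rc=$?
    transform shellvars_list.lns incl /etc/default/grub
    transform shellvars.lns incl      /etc/selinux/config
    load

    # Make sure GRUB_CMDLINE_LINUX exists
    set /files/etc/default/grub/GRUB_CMDLINE_LINUX/quote '"'

    # Disable IPv6 [3.6]
    set /files/etc/default/grub/GRUB_CMDLINE_LINUX/value[. =~ regexp('.*ipv6.disable=.*','i')] 'ipv6.disable=1'

    # Enable early boot audit (before auditd starts) [4.1.3]
    set /files/etc/default/grub/GRUB_CMDLINE_LINUX/value[. =~ regexp('.*audit=.*','i')] 'audit=1'

EOD

if [ "$augtool_rc" -ne 0 ]; then
    printf '%s: augtool failed (status %s); ipv6.disable=1 / audit=1 may not be set in /etc/default/grub\n' \
        "$0" "$augtool_rc" >&2
    exit "$augtool_rc"
fi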

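# Do we need to regenerate grub.cfg?
# Only when /etc/default/grub is newer than the generated configuration.
# The kernel parameters take effect on the next boot after regeneration.
#
# Written as an `if` rather than `test && cmd`: as the last command of the
# script, a false test would otherwise make the whole script exit 1 even
# though nothing went wrong. A failing grub2-mkconfig still propagates its
# status, because it is the last command executed.
#
# NOTE(review): on UEFI systems the grub.cfg actually read at boot may live
# elsewhere (e.g. /boot/efi/EFI/<distro>/grub.cfg); confirm the path for
# the target platform, otherwise the controls never reach the kernel.
if [ /etc/default/grub -nt /boot/grub2/grub.cfg ]; then
    grub2-mkconfig -o /boot/grub2/grub.cfg
fi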
