An XCCDF Group - A logical subset of the XCCDF Benchmark
pti=on
/boot/loader/entries/*.conf
vsyscall=none
GRUB_DISABLE_RECOVERY
/etc/default/grub
true
$ sudo grubby --update-kernel=ALL
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) iommu=force"
l1tf=
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) l1tf="
cat /sys/devices/system/cpu/vulnerabilities/l1tf
mce=0
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) mce=0"
nosmap
GRUB_CMDLINE_LINUX="..."
# grubby --update-kernel=ALL --remove-args="nosmap"
nosmep
# grubby --update-kernel=ALL --remove-args="nosmep"
rng_core.default_quality
0
1000
rng_core.default_quality=
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) rng_core.default_quality="
slab_nomerge=yes
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slab_nomerge=yes"
cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
spec_store_bypass_disable=
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spec_store_bypass_disable="
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
spectre_v2=on
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spectre_v2=on)"
debug-shell
systemctl
tty9
CTRL-ALT-F9
systemd.debug-shel=1
systemd.debug-shell=1
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
/etc/grub.d/01_users
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
grub.cfg
grubby --update-kernel=ALL
# grub2-setpassword