An XCCDF Group - A logical subset of the XCCDF Benchmark
GRUB_DISABLE_RECOVERY
/etc/default/grub
true
$ sudo grubby --update-kernel=ALL
iommu=force
GRUB_CMDLINE_LINUX="... iommu=force ..."
# grubby --update-kernel=ALL --args="iommu=force"
l1tf=<value>
GRUB_CMDLINE_LINUX="... l1tf=<value> ..."
# grubby --update-kernel=ALL --args="l1tf=<value>"
cat /sys/devices/system/cpu/vulnerabilities/l1tf
mce=0
GRUB_CMDLINE_LINUX="... mce=0 ..."
# grubby --update-kernel=ALL --args="mce=0"
nosmap
GRUB_CMDLINE_LINUX="..."
# grubby --update-kernel=ALL --remove-args="nosmap"
nosmep
# grubby --update-kernel=ALL --remove-args="nosmep"
rng_core.default_quality
0
1000
rng_core.default_quality=<value>
GRUB_CMDLINE_LINUX="... rng_core.default_quality=<value> ..."
# grubby --update-kernel=ALL --args="rng_core.default_quality=<value>"
slab_nomerge=yes
GRUB_CMDLINE_LINUX="... slab_nomerge=yes ..."
# grubby --update-kernel=ALL --args="slab_nomerge=yes"
cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
spec_store_bypass_disable=<value>
GRUB_CMDLINE_LINUX="... spec_store_bypass_disable=<value> ..."
# grubby --update-kernel=ALL --args="spec_store_bypass_disable=<value>"
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
spectre_v2=on
spectre_v2=on
GRUB_CMDLINE_LINUX="... spectre_v2=on ..."
# grubby --update-kernel=ALL --args="spectre_v2=on"
debug-shell
systemctl
tty9
CTRL-ALT-F9
systemd.debug-shell=1
systemd.debug-shell=1
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
vsyscall=none
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
# grubby --update-kernel=ALL --args="vsyscall=none"
/boot/grub2/grub.cfg
root
$ sudo chgrp root /boot/grub2/grub.cfg
/boot/grub2/user.cfg
$ sudo chgrp root /boot/grub2/user.cfg
$ sudo chown root /boot/grub2/grub.cfg
$ sudo chown root /boot/grub2/user.cfg
$ sudo chmod 600 /boot/grub2/grub.cfg
$ sudo chmod 600 /boot/grub2/user.cfg
/etc/grub.d/01_users
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
grub.cfg
grubby --update-kernel=ALL
usb0
cd
fd0
set root='hd0,msdos1'
# grub2-setpassword
/boot/efi/EFI/redhat/grub.cfg
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
/boot/efi/EFI/redhat/user.cfg
$ sudo chgrp root /boot/efi/EFI/redhat/user.cfg
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
$ sudo chown root /boot/efi/EFI/redhat/user.cfg
$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
$ sudo chmod 600 /boot/efi/EFI/redhat/user.cfg