An XCCDF Group - A logical subset of the XCCDF Benchmark
GRUB_DISABLE_RECOVERY
/etc/default/grub
true
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) iommu=force"
l1tf=
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) l1tf="
cat /sys/devices/system/cpu/vulnerabilities/l1tf
mce=0
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) mce=0"
nosmap
GRUB_CMDLINE_LINUX="..."
# grubby --update-kernel=ALL --remove-args="nosmap"
nosmep
# grubby --update-kernel=ALL --remove-args="nosmep"
rng_core.default_quality
0
1000
rng_core.default_quality=
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) rng_core.default_quality="
slab_nomerge=yes
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slab_nomerge=yes"
cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
spec_store_bypass_disable=
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spec_store_bypass_disable="
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
spectre_v2=on
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spectre_v2=on"
debug-shell
systemctl
tty9
CTRL-ALT-F9
systemd.debug-shell=1
systemd.debug-shell=1
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
/boot/grub2/grub.cfg
root
$ sudo chgrp root /boot/grub2/grub.cfg
$ sudo chown root /boot/grub2/grub.cfg
$ sudo chmod 600 /boot/grub2/grub.cfg
# grub2-mkpasswd-pbkdf2
/etc/grub.d/40_custom
set superusers="boot" password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
grub.cfg
grub2-mkconfig -o /boot/grub2/grub.cfg