An XCCDF Group - A logical subset of the XCCDF Benchmark
GRUB_DISABLE_RECOVERY
/etc/default/grub
true
$ sudo update-grub
iommu=force
GRUB_CMDLINE_LINUX="... iommu=force ..."
# update-grub
l1tf=
GRUB_CMDLINE_LINUX="... l1tf= ..."
cat /sys/devices/system/cpu/vulnerabilities/l1tf
mce=0
GRUB_CMDLINE_LINUX="... mce=0 ..."
nosmap
GRUB_CMDLINE_LINUX="..."
# grubby --update-kernel=ALL --remove-args="nosmap"
nosmep
# grubby --update-kernel=ALL --remove-args="nosmep"
rng_core.default_quality
0
1000
rng_core.default_quality=
GRUB_CMDLINE_LINUX="... rng_core.default_quality= ..."
slab_nomerge=yes
GRUB_CMDLINE_LINUX="... slab_nomerge=yes ..."
cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
spec_store_bypass_disable=
GRUB_CMDLINE_LINUX="... spec_store_bypass_disable= ..."
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
spectre_v2=on
spectre_v2=on
GRUB_CMDLINE_LINUX="... spectre_v2=on ..."
debug-shell
systemctl
tty9
CTRL-ALT-F9
systemd.debug-shell=1
systemd.debug-shell=1
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
/boot/grub/grub.cfg
root
$ sudo chown root /boot/grub/grub.cfg
$ sudo chmod 600 /boot/grub/grub.cfg
# grub2-mkpasswd-pbkdf2
/etc/grub.d/40_custom
set superusers="boot"
password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
grub.cfg
update-grub