An XCCDF Group - A logical subset of the XCCDF Benchmark
GRUB_DISABLE_RECOVERY
/etc/default/grub
true
$ sudo grubby --update-kernel=ALL
iommu=force
GRUB_CMDLINE_LINUX="... iommu=force ..."
# grubby --update-kernel=ALL --args="iommu=force"
init_on_alloc=1
GRUB_CMDLINE_LINUX="... init_on_alloc=1 ..."
# grubby --update-kernel=ALL --args="init_on_alloc=1"
CONFIG_RANDOM_TRUST_CPU
Y
random.trust_cpu=off
random.trust_cpu=on
GRUB_CMDLINE_LINUX="... random.trust_cpu=on ..."
# grubby --update-kernel=ALL --args="random.trust_cpu=on"
l1tf=<value>
GRUB_CMDLINE_LINUX="... l1tf=<value> ..."
# grubby --update-kernel=ALL --args="l1tf=<value>"
Replace <value> with the intended L1TF mitigation mode; the value appears to have been dropped from this page. Passing a bare `l1tf=` is not a recognized setting and leaves the kernel's default L1TF mitigation in place, so verify the result with `cat /sys/devices/system/cpu/vulnerabilities/l1tf` after reboot.
cat /sys/devices/system/cpu/vulnerabilities/l1tf
mce=0
GRUB_CMDLINE_LINUX="... mce=0 ..."
# grubby --update-kernel=ALL --args="mce=0"
mds=<value>
GRUB_CMDLINE_LINUX="... mds=<value> ..."
# grubby --update-kernel=ALL --args="mds=<value>"
Replace <value> with the intended MDS mitigation mode; the value appears to have been dropped from this page. A bare `mds=` is not a recognized setting and leaves the kernel's default MDS mitigation in place, so verify the result with `cat /sys/devices/system/cpu/vulnerabilities/mds` after reboot.
cat /sys/devices/system/cpu/vulnerabilities/mds
nosmap
GRUB_CMDLINE_LINUX="..."
# grubby --update-kernel=ALL --remove-args="nosmap"
nosmep
# grubby --update-kernel=ALL --remove-args="nosmep"
page_alloc.shuffle=1
GRUB_CMDLINE_LINUX="... page_alloc.shuffle=1 ..."
# grubby --update-kernel=ALL --args="page_alloc.shuffle=1"
pti=on
GRUB_CMDLINE_LINUX="... pti=on ..."
# grubby --update-kernel=ALL --args="pti=on"
rng_core.default_quality
0
1000
rng_core.default_quality=<quality>
GRUB_CMDLINE_LINUX="... rng_core.default_quality=<quality> ..."
# grubby --update-kernel=ALL --args="rng_core.default_quality=<quality>"
Replace <quality> with the numeric entropy-quality value chosen for the hardware RNG (the page lists 0 and 1000 as the bounds); the value appears to have been dropped from this page. A bare `rng_core.default_quality=` fails parameter parsing at boot and the kernel keeps its built-in default.
slab_nomerge=yes
GRUB_CMDLINE_LINUX="... slab_nomerge=yes ..."
# grubby --update-kernel=ALL --args="slab_nomerge=yes"
cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
spec_store_bypass_disable=<value>
GRUB_CMDLINE_LINUX="... spec_store_bypass_disable=<value> ..."
# grubby --update-kernel=ALL --args="spec_store_bypass_disable=<value>"
Replace <value> with the intended Speculative Store Bypass mitigation mode; the value appears to have been dropped from this page. A bare `spec_store_bypass_disable=` is not a recognized setting and the kernel falls back to its default, so verify the result with `cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass` after reboot.
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
spectre_v2=on
spectre_v2=on
GRUB_CMDLINE_LINUX="... spectre_v2=on ..."
# grubby --update-kernel=ALL --args="spectre_v2=on"
Note: the trailing `)` shown in some versions of this guidance is a typo. A kernel given `spectre_v2=on)` would treat it as an unknown option and fall back to its default Spectre v2 handling rather than forcing the mitigation on, so check `cat /sys/devices/system/cpu/vulnerabilities/spectre_v2` after reboot.
debug-shell
systemctl
tty9
CTRL-ALT-F9
systemd.debug-shell=1
systemd.debug-shell=1
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
vsyscall=none
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
# grubby --update-kernel=ALL --args="vsyscall=none"
/boot/grub2/grub.cfg
root
$ sudo chgrp root /boot/grub2/grub.cfg
/boot/grub2/user.cfg
$ sudo chgrp root /boot/grub2/user.cfg
$ sudo chown root /boot/grub2/grub.cfg
$ sudo chown root /boot/grub2/user.cfg
$ sudo chmod 600 /boot/grub2/grub.cfg
$ sudo chmod 600 /boot/grub2/user.cfg
/etc/grub.d/01_users
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
grub.cfg
grubby --update-kernel=ALL
# grub2-setpassword
$ sudo chmod 700 /boot/grub2/grub.cfg