mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-25 13:46:26 -05:00
24 lines
1.2 KiB
Text
## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

## Disable access to the GRUB single-user (recovery) mode menu entries.
##
## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
##
GRUB_DISABLE_RECOVERY="true"

## Disable access to Dracut's recovery console.
## Prevents the emergency shell from starting automatically during boot failures.
##
## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell
## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
##
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt"
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0"
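
## Added example (not part of security-misc): a POSIX shell check that rd.emergency=halt and rd.shell=0 are the effective values on a kernel command line, which matters because this file only appends to GRUB_CMDLINE_LINUX_DEFAULT and anything appended afterwards also lands on the command line.
## The function names and sample command lines are constructed; the check assumes the last occurrence of a repeated parameter takes effect and treats a bare key without a value as a failure.

```sh
#!/bin/sh
# Added example, not part of security-misc. Names and sample data are constructed.

# Print the value of the last occurrence of parameter $1 in command line $2.
# Assumption: when a parameter is repeated, the last occurrence takes effect.
# Runs in a subshell so "set -f" (no globbing while splitting) stays local.
last_value() (
    set -f
    val=
    for tok in $2; do
        case $tok in
            "$1"=*) val=${tok#"$1"=} ;;
            "$1")   val= ;;   # bare key without a value: fail closed
        esac
    done
    printf '%s\n' "$val"
)

# Return 0 only if rd.shell=0 and rd.emergency=halt are both effective in $1.
check_cmdline() {
    rc=0
    if [ "$(last_value rd.shell "$1")" != "0" ]; then
        echo "FAIL: rd.shell=0 is not the effective setting" >&2
        rc=1
    fi
    if [ "$(last_value rd.emergency "$1")" != "halt" ]; then
        echo "FAIL: rd.emergency=halt is not the effective setting" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample command lines (not captured from a real system).
GOOD='BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro quiet rd.emergency=halt rd.shell=0'
# A later fragment appended rd.shell=1 after the hardened value.
BAD='BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro rd.emergency=halt rd.shell=0 rd.shell=1'

check_cmdline "$GOOD" && echo "GOOD: hardened parameters effective"
check_cmdline "$BAD" || echo "BAD: rejected"

# On a running system: check_cmdline "$(cat /proc/cmdline)"
```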