diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh
deleted file mode 100644
index 9581952235f..00000000000
--- a/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-# platform = Oracle Linux 7
-# Removes audit argument from kernel command line in /etc/default/grub
-if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*audit=.*"' '/etc/default/grub' ; then
- sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)audit=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
-fi
-
-# removing the parameter from the no recovery kernel parameters as well
-sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
-
-# disabling recovery
-sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
-
-#if the line is not present at all, add it
-if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
- echo 'GRUB_CMDLINE_LINUX_DEFAULT=""' >> /etc/default/grub
-fi
diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_rhel7.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_grub_cfg.fail.sh
similarity index 100%
rename from linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_rhel7.fail.sh
rename to linux_os/guide/auditing/grub2_audit_argument/tests/arg_not_there_grub_cfg.fail.sh
diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh
deleted file mode 100644
index 4a03a2117f3..00000000000
--- a/linux_os/guide/auditing/grub2_audit_argument/tests/blank_grubenv_rhel8.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-# remediation = none
-
-# Removes audit argument from kernel command line in /boot/grub2/grubenv
-file="/boot/grub2/grubenv"
-# the file needs to have exactly 1024 bytes. The grubenv files add a newline
-# when it gets copied, hence we need to strip the last byte of the file so
-# the command grub2-editenv doesn't end with "/usr/bin/grub2-editenv: error: environment block too small."
-head -c -1 grubenv > "$file"
diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/correct_recovery_disabled.pass.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/correct_recovery_disabled.pass.sh
deleted file mode 100644
index bd99871d284..00000000000
--- a/linux_os/guide/auditing/grub2_audit_argument/tests/correct_recovery_disabled.pass.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-# platform = Oracle Linux 7
-
-# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
-if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*audit=.*"' '/etc/default/grub' ; then
- # modify the GRUB command-line if an audit= arg already exists
- sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/' '/etc/default/grub'
-else
- # no audit=arg is present, append it
- sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 audit=1"/' '/etc/default/grub'
-fi
-
-# removing the parameter from the no recovery kernel parameters as well
-sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
-
-# disabling recovery
-sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
-
-#if the line is not present at all, add it
-if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
- echo 'GRUB_CMDLINE_LINUX_DEFAULT="audit=1"' >> /etc/default/grub
-fi
-
-grubby --update-kernel=ALL --args="audit=1"
diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/double_value_rhel7.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/double_value_ol7.fail.sh
similarity index 100%
rename from linux_os/guide/auditing/grub2_audit_argument/tests/double_value_rhel7.fail.sh
rename to linux_os/guide/auditing/grub2_audit_argument/tests/double_value_ol7.fail.sh
diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub.fail.sh
deleted file mode 100644
index ce39396e6f2..00000000000
--- a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# platform = Oracle Linux 7
-
-# Break the audit argument in kernel command line in /etc/default/grub
-if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
- # modify the GRUB command-line if an audit= arg already exists
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=0 \2/' '/etc/default/grub'
-else
- # no audit=arg is present, append it
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=0"/' '/etc/default/grub'
-fi
diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
deleted file mode 100644
index a68a8fcea67..00000000000
--- a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-# platform = Oracle Linux 7
-
-# Break the audit argument in kernel command line in /etc/default/grub
-if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*audit=.*"' '/etc/default/grub' ; then
- # modify the GRUB command-line if an audit= arg already exists
- sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=0 \2/' '/etc/default/grub'
-else
- # no audit=arg is present, append it
- sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 audit=0"/' '/etc/default/grub'
-fi
-
-# removing the parameter from the no recovery kernel parameters as well
-sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
-
-# disabling recovery
-sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
-
-#if the line is not present at all, add it
-if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
- echo 'GRUB_CMDLINE_LINUX_DEFAULT="audit=0"' >> /etc/default/grub
-fi
diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_rhel7.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_ol7.fail.sh
similarity index 100%
rename from linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_rhel7.fail.sh
rename to linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_ol7.fail.sh
diff --git a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_rhel8.fail.sh b/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_rhel8.fail.sh
deleted file mode 100644
index 35034f24234..00000000000
--- a/linux_os/guide/auditing/grub2_audit_argument/tests/wrong_value_rhel8.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-
-# Break the audit argument in kernel command line in /boot/grub2/grubenv
-file="/boot/grub2/grubenv"
-if grep -q '^.*audit=.*' "$file" ; then
- # modify the GRUB command-line if an audit= arg already exists
- sed -i 's/\(^.*\)audit=[^[:space:]]*\(.*\)/\1 audit=0 \2/' "$file"
-else
- # no audit=arg is present, append it
- sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 audit=0/' "$file"
-fi
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
index d7d1a4a00a1..7da54a99f1b 100644
--- a/shared/templates/grub2_bootloader_argument/oval.template
+++ b/shared/templates/grub2_bootloader_argument/oval.template
@@ -6,8 +6,8 @@ - Kernel opts can be stored in /etc/default/grub so they are persistent between kernel upgrades -#}} {{% set system_with_expanded_kernel_options_in_loader_entries = false -%}} -{{% set system_with_referenced_kernel_options_in_loader_entries = false -%}} {{% set system_with_kernel_options_in_grubenv = false -%}} +{{% set system_with_expanded_kernel_options_in_loader_entries_or_with_options_in_grubenv = false -%}} {{% set system_with_kernel_options_in_etc_default_grub = true -%}} {{% set system_with_kernel_options_in_etc_default_grub_d = false -%}} {{% set system_with_expanded_kernel_options_in_grub_cfg = false -%}}
@@ -18,8 +18,7 @@ {{%- endif -%}} {{% if product in ["ol8", "rhel8"] -%}} -{{% set system_with_referenced_kernel_options_in_loader_entries = true %}} -{{% set system_with_kernel_options_in_grubenv = true %}} +{{% set system_with_expanded_kernel_options_in_loader_entries_or_with_options_in_grubenv = true -%}} {{%- endif -%}} {{% if product in ["ol7"] or 'ubuntu' in product -%}}
@@ -34,11 +33,31 @@ {{% set system_with_bios_and_uefi_support = true %}} {{%- endif -%}} + {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}} - {{% if system_with_kernel_options_in_grubenv -%}} + {{% if system_with_expanded_kernel_options_in_loader_entries_or_with_options_in_grubenv %}} + + + + {{% if system_with_bios_and_uefi_support -%}} + + {{%- endif %}} + + {{% if system_with_bios_and_uefi_support -%}} + + + {{%- endif %}} + + {{% elif system_with_kernel_options_in_grubenv -%}} + {{% if system_with_bios_and_uefi_support -%}} {{%- endif %}} @@ -49,11 +68,7 @@ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in {{{ grub2_uefi_boot_path }}}/grubenv" /> {{%- endif %}} - {{%- endif %}} - {{% if system_with_referenced_kernel_options_in_loader_entries -%}} - - {{%- endif %}} - {{% if system_with_expanded_kernel_options_in_loader_entries -%}} + {{% elif system_with_expanded_kernel_options_in_loader_entries -%}} {{%- endif %}} @@ -96,6 +111,36 @@ +{{% if system_with_expanded_kernel_options_in_loader_entries_or_with_options_in_grubenv %}} + + + + + + + + /boot/loader/entries/ + ^.*\.conf$ + ^options (.*)$ + 1 + state_grub2_rescue_entry_for_{{{ _RULE_ID }}} + + + + .*rescue\.conf$ + + + + + + +{{% endif %}} + + {{%- if system_with_kernel_options_in_etc_default_grub %}} {{%- endif %}} -{{%- if system_with_kernel_options_in_grubenv %}} +{{%- if system_with_kernel_options_in_grubenv or system_with_expanded_kernel_options_in_loader_entries_or_with_options_in_grubenv %}} {{%- macro test_and_object_for_kernel_options_grub_env(base_name, path) %}} + ^(?:.*\s)?\$kernelopts(?:\s.*)?$ + +{{% endif %}} + {{% if ARG_VALUE %}} diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh new file mode 100644 index 00000000000..765e03ce3c4 --- /dev/null 
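Review bot: The new rescue-entry filter (`.*rescue\.conf$` feeding `state_grub2_rescue_entry_for_{{{ _RULE_ID }}}`) silently exempts BLS rescue entries from the loader-entries check, so a rescue entry that boots without the argument is never reported; if that exemption is intended, record it in the template's leading Jinja comment, e.g. `- rescue entries (*rescue.conf) are deliberately excluded from the loader-entries check`. The `oval_metadata` description in the `@@ -34,11 +33,31 @@` hunk still says the argument is checked "in the kernel line in /etc/default/grub", which no longer describes the ol8/rhel8 path that now inspects loader entries and grubenv. The XML element markup of these hunks is not visible in the diff as rendered here, so I cannot review the object/state wiring itself beyond the regexes and filter shown.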
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_entries.fail.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# platform = multi_platform_fedora,multi_platform_rhel
+# packages = grub2,grubby
+
+source common.sh
+
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
+
+# Removes argument from kernel command line in /boot/loader/entries/*.conf
+
+for file in /boot/loader/entries/*.conf ; do
+ if grep -q '^.*{{{ ESCAPED_ARG_NAME }}}=.*' "$file" ; then
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 \2/' "$file"
+ fi
+# ensure that grubenv is not referenced
+ if grep -q '\$kernelopts' "$file"; then
+ sed -i 's/^\(options.*\)\$kernelopts\(.*\)$/\1\2/' "$file"
+ fi
+done
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_etcdefaultgrub.fail.sh
similarity index 58%
rename from shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
rename to shared/templates/grub2_bootloader_argument/tests/arg_not_in_etcdefaultgrub.fail.sh
index b594abe6de4..8862f974cf6 100644
--- a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_etcdefaultgrub.fail.sh
@@ -1,16 +1,12 @@
 #!/bin/bash
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu
-{{%- if 'ubuntu' in product %}}
-# packages = grub2
-{{%- else %}}
-# packages = grub2,grubby
-{{%- endif %}}
+# platform = multi_platform_all
 source common.sh
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
+
 # Removes argument from kernel command line in /etc/default/grub
 if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ARG_NAME}}}=.*"' '/etc/default/grub' ; then
 sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ARG_NAME}}}=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
 fi
-
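Review bot: The `grep` on the `if` line matches with `{{{ ESCAPED_ARG_NAME }}}` while the `sed` on the next line interpolates the raw `{{{ARG_NAME}}}` into its BRE, so an argument name containing a regex metacharacter is detected by grep but not removed by sed, and the scenario would no longer set up the state its name promises. Both are basic regular expressions, so the escaped form should be usable in the sed pattern too: `sed -i 's/\(^.*\){{{ ESCAPED_ARG_NAME }}}=[^[:space:]]*\(.*\)/\1 \2/' "$file"` — assuming ESCAPED_ARG_NAME is BRE-escaped, which I cannot confirm from this diff. The same grep/sed mismatch appears in correct_recovery_disabled.pass.sh and wrong_value_etcdefaultgrub_recovery_disabled.fail.sh, and arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh, correct_value_grubenv_only.pass.sh and correct_value_mix_entries_and_grubenv.pass.sh use the unescaped name in both places. The `# ensure that grubenv is not referenced` comment sits at column 0 inside the loop body; indenting it with the `if` it describes would read better.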
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh
new file mode 100644
index 00000000000..c6f6e8ec77c
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# platform = multi_platform_all
+
+source common.sh
+
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
+
+# Removes the argument from kernel command line in /etc/default/grub
+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*{{{ARG_NAME}}}=.*"' '/etc/default/grub' ; then
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\){{{ARG_NAME}}}=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+fi
+
+# removing the parameter from the no recovery kernel parameters as well
+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ARG_NAME}}}=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+
+# disabling recovery
+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
+
+#if the line is not present at all, add it
+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT=""' >> /etc/default/grub
+fi
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_in_grubenv_and_not_referenced.pass.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_grubenv_and_not_referenced.pass.sh
new file mode 100644
index 00000000000..59d4ddd5d11
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_grubenv_and_not_referenced.pass.sh
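Review bot: This scenario passes `ARG_NAME_VALUE` to `grub2_bootloader_argument_remediation` without the `{{%- if ARG_VARIABLE %}}` block that the sibling scenarios in this same commit use to declare `# variables = {{{ ARG_VARIABLE }}}=correct_value` and derive `ARG_NAME_VALUE` from it, so for a variable-driven rule the value handed to the remediation here may differ from what the check expects; I cannot see the template's default for `ARG_NAME_VALUE`, so please confirm it is defined in that case. correct_recovery_disabled.pass.sh and arg_not_in_entries.fail.sh have the same gap. If the macro itself handles the variable case, a one-line comment above the macro call saying so would save the next reader the same question.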
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
+# packages = grub2,grubby
+
+{{%- if ARG_VARIABLE %}}
+# variables = {{{ ARG_VARIABLE }}}=correct_value
+{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=correct_value" %}}
+{{%- endif %}}
+
+source common.sh
+
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
+# ensure that the grubenv entry is not referenced
+# also in RHEL 8, after performing previous steps, the only option is $kernelopts
+# so add the arg=value there so that the test passes
+for entry in /boot/loader/entries/*.conf; do
+ if grep -q '\$kernelopts' "$entry"; then
+ sed -i 's/^\(options.*\)\$kernelopts\(.*\)$/\1\2 mock {{{ ARG_NAME_VALUE }}}/' "$entry"
+ fi
+done
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_in_grubenv_but_referenced.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_grubenv_but_referenced.fail.sh
new file mode 100644
index 00000000000..6e71637d957
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_in_grubenv_but_referenced.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
+# packages = grub2,grubby
+
+source common.sh
+
+for entry in /boot/loader/entries/*.conf; do
+ if ! grep -q '\$kernelopts' "$entry"; then
+ sed -i 's/^\(options.*\)$/\1 \$kernelopts/' "$entry"
+ fi
+done
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_grubenv.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_grubenv.fail.sh
deleted file mode 100644
index e52ae2417f9..00000000000
--- a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_grubenv.fail.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
-# packages = grub2,grubby
-
-source common.sh
-
-# Removes audit argument from kernel command line in /boot/grub2/grubenv
-file="/boot/grub2/grubenv"
-if grep -q '^.*{{{ARG_NAME}}}=.*' "$file" ; then
- sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 \2/' "$file"
-fi
-
diff --git a/shared/templates/grub2_bootloader_argument/tests/common.sh b/shared/templates/grub2_bootloader_argument/tests/common.sh
index aee25a74370..b7fdbadf352 100644
--- a/shared/templates/grub2_bootloader_argument/tests/common.sh
+++ b/shared/templates/grub2_bootloader_argument/tests/common.sh
@@ -1,14 +1,11 @@
 #!/bin/bash
-# We need to mock these files if they do not exist yet
-# Because:
-# - it is not possible to setup kernel / grub env properly in containerized env
-# - even if it would be possible, it takes long time
-
+# this file prepares unified test environment used by other scenarios
 # These should be tuned per product to match defaults
+{{% if product in ["ol8", "rhel8"] -%}}
 mkdir -p /boot/grub2
-if [ ! -f /boot/grub2/grubenv ]; then
+rm -f /boot/grub2/grubenv
 # File size must be exactly 1KiB
 {
 echo '# GRUB Environment Block'
@@ -18,10 +15,11 @@ if [ ! -f /boot/grub2/grubenv ]; then
 dd if=/dev/zero bs=1K count=1 | tr '\0' '#'
 } > /boot/grub2/grubenv
 truncate --size=1K /boot/grub2/grubenv
-fi
+{{% endif %}}
+
 mkdir -p /etc/default
-if [ ! -f /etc/default/grub ]; then
+rm -f /etc/default/grub
 {
 echo 'GRUB_CMDLINE_LINUX="rhgb ro ouiet"'
 echo 'GRUB_CMDLINE_LINUX_DEFAULT="rhgb ro quiet mock"'
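Review bot: The replacement header `# this file prepares unified test environment used by other scenarios` drops the rationale the removed lines carried (a real kernel/grub environment cannot be set up in the test container), and at the same time the `if [ ! -f … ]` guards become unconditional `rm -f` of /boot/grub2/grubenv here and of /etc/default/grub and /boot/loader/entries/*.conf in the following hunks, so sourcing this file on anything but a disposable test system now replaces live bootloader configuration. That new precondition deserves to be stated where the old rationale was, e.g. `# Mocks grubenv, /etc/default/grub and the BLS entries unconditionally (a real kernel/grub setup is not possible in the test container); existing files are replaced, so only source this on a disposable test system.` The enclosing hunk header shows the old `if [ ! -f /boot/grub2/grubenv ]; then` as context, which is now gone, so `{{% endif %}}` in the next hunk is what closes the new ol8/rhel8 block.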
@@ -31,12 +29,11 @@ if [ ! -f /etc/default/grub ]; then
 echo 'GRUB_ENABLE_BLSCFG=true'
 echo 'GRUB_TIMEOUT=30'
 } > /etc/default/grub
-fi
+{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "rhel10"] -%}}
 mkdir -p /boot/loader/entries
 shopt -s nullglob
-boot_loader_entries=(/boot/loader/entries/*.conf)
-if [ "${#boot_loader_entries[@]}" -eq 0 ]; then
+rm -f /boot/loader/entries/*.conf
 {
 echo 'title OS 1'
 echo 'version 5.0'
@@ -46,4 +43,4 @@ if [ "${#boot_loader_entries[@]}" -eq 0 ]; then
 echo 'grub_users $grub_users'
 echo 'grub_arg --unrestricted'
 } > /boot/loader/entries/mock.conf
-fi
+{{%- endif -%}}
diff --git a/shared/templates/grub2_bootloader_argument/tests/correct_recovery_disabled.pass.sh b/shared/templates/grub2_bootloader_argument/tests/correct_recovery_disabled.pass.sh
new file mode 100644
index 00000000000..a824bf70c57
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/correct_recovery_disabled.pass.sh
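Review bot: `shopt -s nullglob` now sits inside the `{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "rhel10"] -%}}` block, and the scenarios that source this file rely on it for their `for file in /boot/loader/entries/*.conf` loops; on any product outside that list (if `multi_platform_rhel` or `multi_platform_fedora` expands to one, which I cannot tell from here) the loop would iterate once over the literal pattern and `grep -q` would fail on a non-existent file. Moving `shopt -s nullglob` above the Jinja conditional keeps the behaviour the callers had before this change. A short comment on that line, `# callers glob /boot/loader/entries/*.conf and expect an empty expansion when no entries exist`, would explain why it lives in the shared file.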
@@ -0,0 +1,32 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+{{%- if 'ubuntu' in product %}}
+# packages = grub2
+{{%- else %}}
+# packages = grub2,grubby
+{{%- endif %}}
+
+source common.sh
+
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
+
+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*{{{ ESCAPED_ARG_NAME }}}=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an arg=value already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub'
+else
+ # no arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub'
+fi
+
+# removing the parameter from the no recovery kernel parameters as well
+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+
+# disabling recovery
+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
+
+#if the line is not present at all, add it
+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT="{{{ ARG_NAME_VALUE }}}"' >> /etc/default/grub
+fi
diff --git a/shared/templates/grub2_bootloader_argument/tests/correct_value_grubenv_only.pass.sh b/shared/templates/grub2_bootloader_argument/tests/correct_value_grubenv_only.pass.sh
new file mode 100644
index 00000000000..aaf5b34ab68
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/correct_value_grubenv_only.pass.sh
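Review bot: The comment `# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby` is stale in this new file: the `grubby --update-kernel=ALL` call that the deleted OL7 original ended with is gone, and the value is applied by `{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}` before the /etc/default/grub edits rather than after them. Suggested wording: `# Put the argument into GRUB_CMDLINE_LINUX_DEFAULT of /etc/default/grub; the remediation macro above has already applied it to the boot configuration`. The same sentence is carried into wrong_value_etcdefaultgrub_recovery_disabled.fail.sh, where it is equally inaccurate since that file ends with `{{{ grub_command("update") }}}` instead.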
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
+# packages = grub2,grubby
+
+{{%- if ARG_VARIABLE %}}
+# variables = {{{ ARG_VARIABLE }}}=correct_value
+{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=correct_value" %}}
+{{%- endif %}}
+
+
+source common.sh
+
+# adds argument from kernel command line into /etc/default/grub
+file="/etc/default/grub"
+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ARG_NAME}}}=.*"' "$file"; then
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ARG_NAME}}}=[^[:space:]]*\(.*"\)/\1 {{{ARG_NAME_VALUE}}} \2/' "$file"
+else
+ sed -i 's/^GRUB_CMDLINE_LINUX=".*/GRUB_CMDLINE_LINUX="{{{ARG_NAME_VALUE}}}"/' "$file"
+fi
+
+# configure the argument in kernel command line in /boot/grub2/grubenv
+file="/boot/grub2/grubenv"
+if grep -q '^.*{{{ARG_NAME}}}=.*' "$file"; then
+ # modify the GRUB command-line if the arg already exists
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 {{{ARG_NAME_VALUE}}} \2/' "$file"
+else
+ # no arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME_VALUE}}}/' "$file"
+fi
+
+
+rm -f /boot/loader/entries/*.conf
+
+# create an entry which references grubenv
+ {
+ echo 'title OS 1'
+ echo 'version 5.0'
+ echo 'linux /vmlinuz'
+ echo 'initrd /initramfs'
+ echo 'options root=UUID=abc-def rhgb ro quiet mock $kernelopts'
+ echo 'grub_users $grub_users'
+ echo 'grub_arg --unrestricted'
+ } > /boot/loader/entries/mock2.conf
diff --git a/shared/templates/grub2_bootloader_argument/tests/correct_value_mix_entries_and_grubenv.pass.sh b/shared/templates/grub2_bootloader_argument/tests/correct_value_mix_entries_and_grubenv.pass.sh
new file mode 100644
index 00000000000..0460db436dc
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/correct_value_mix_entries_and_grubenv.pass.sh
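Review bot: The `else` branch for /etc/default/grub replaces the whole value, `sed -i 's/^GRUB_CMDLINE_LINUX=".*/GRUB_CMDLINE_LINUX="{{{ARG_NAME_VALUE}}}"/' "$file"`, discarding the `rhgb ro ouiet` options common.sh just wrote, whereas every other scenario in this commit appends with a captured prefix; the appending form is `sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ARG_NAME_VALUE}}}"/' "$file"`, which keeps the fixture realistic and matches the siblings. The comment `# adds argument from kernel command line into /etc/default/grub` reads oddly for code that writes the argument; `# add the argument to GRUB_CMDLINE_LINUX in /etc/default/grub` says what happens. The first 30 lines of this file are repeated verbatim in correct_value_mix_entries_and_grubenv.pass.sh (same issue there), so a shared helper in common.sh for the /etc/default/grub and grubenv setup would remove the duplication.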
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8
+# packages = grub2,grubby
+
+{{%- if ARG_VARIABLE %}}
+# variables = {{{ ARG_VARIABLE }}}=correct_value
+{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=correct_value" %}}
+{{%- endif %}}
+
+
+source common.sh
+
+# adds argument from kernel command line into /etc/default/grub
+file="/etc/default/grub"
+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ARG_NAME}}}=.*"' "$file"; then
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ARG_NAME}}}=[^[:space:]]*\(.*"\)/\1 {{{ARG_NAME_VALUE}}} \2/' "$file"
+else
+ sed -i 's/^GRUB_CMDLINE_LINUX=".*/GRUB_CMDLINE_LINUX="{{{ARG_NAME_VALUE}}}"/' "$file"
+fi
+
+# configure the argument in kernel command line in /boot/grub2/grubenv
+file="/boot/grub2/grubenv"
+if grep -q '^.*{{{ARG_NAME}}}=.*' "$file"; then
+ # modify the GRUB command-line if the arg already exists
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 {{{ARG_NAME_VALUE}}} \2/' "$file"
+else
+ # no arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME_VALUE}}}/' "$file"
+fi
+
+
+rm -f /boot/loader/entries/*.conf
+# setup the first entry with the expanded option
+ {
+ echo 'title OS 1'
+ echo 'version 5.0'
+ echo 'linux /vmlinuz'
+ echo 'initrd /initramfs'
+ echo 'options root=UUID=abc-def rhgb ro quiet mock {{{ARG_NAME_VALUE}}}'
+ echo 'grub_users $grub_users'
+ echo 'grub_arg --unrestricted'
+ } > /boot/loader/entries/mock.conf
+
+# now create a second entry which references grubenv
+ {
+ echo 'title OS 1'
+ echo 'version 5.0'
+ echo 'linux /vmlinuz'
+ echo 'initrd /initramfs'
+ echo 'options root=UUID=abc-def rhgb ro quiet mock $kernelopts'
+ echo 'grub_users $grub_users'
+ echo 'grub_arg --unrestricted'
+ } > /boot/loader/entries/mock2.conf
diff --git a/shared/templates/grub2_bootloader_argument/tests/correct_value_noupdate.fail.sh b/shared/templates/grub2_bootloader_argument/tests/correct_value_noupdate.fail.sh
index f3c573a60ad..bae032f54a8 100644
--- a/shared/templates/grub2_bootloader_argument/tests/correct_value_noupdate.fail.sh
+++ b/shared/templates/grub2_bootloader_argument/tests/correct_value_noupdate.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-# platform = multi_platform_ubuntu
+# platform = multi_platform_all
 # packages = grub2
 {{%- if ARG_VARIABLE %}}
@@ -8,6 +8,8 @@
 {{%- set ARG_NAME_VALUE= ARG_NAME ~ "=correct_value" %}}
 {{%- endif %}}
+source common.sh
+
 # Clean up
 rm -f /etc/default/grub.d/*
 echo "GRUB_CMDLINE_LINUX=\"\"" > /etc/default/grub
diff --git a/shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh b/shared/templates/grub2_bootloader_argument/tests/correct_value_remediated.pass.sh
similarity index 100%
rename from shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh
rename to shared/templates/grub2_bootloader_argument/tests/correct_value_remediated.pass.sh
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
index f43aa99c49f..87e9a599cc9 100644
--- a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
@@ -1,12 +1,13 @@
 #!/bin/bash
-# platform = Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_fedora
+# platform = multi_platform_fedora,multi_platform_rhel
 # packages = grub2,grubby
 source common.sh
-# Removes argument from kernel command line in /boot/loader/entries/*.conf
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
+# Breaks argument from kernel command line in /boot/loader/entries/*.conf
 for file in /boot/loader/entries/*.conf ; do
 if grep -q '^.*{{{ ESCAPED_ARG_NAME }}}=.*' "$file" ; then
 # modify the GRUB command-line if an ={{{ARG_NAME}}} arg already exists
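Review bot: Widening `# platform = multi_platform_ubuntu` to `multi_platform_all` leaves the context line `# packages = grub2` unchanged, while the sibling wrong_value_etcdefault.fail.sh in this same commit gains a `{{%- if 'ubuntu' in product %}}` / `{{%- else %}}` block that adds `grubby` for the non-Ubuntu products; unless this scenario needs no grubby at all, the same conditional block belongs here so the two files stay consistent. The `source common.sh` added in the second hunk also means the file now inherits the unconditional fixture rewrite from common.sh before its own `echo "GRUB_CMDLINE_LINUX=\"\"" > /etc/default/grub`, which is fine but worth a one-line comment since the overwrite makes the sourced /etc/default/grub content irrelevant here.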
@@ -15,4 +16,8 @@ for file in /boot/loader/entries/*.conf ; do
 # no {{{ARG_NAME}}}=arg is present, append it
 sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME}}}=wrong/' "$file"
 fi
+# ensure that grubenv is not referenced
+ if grep -q '\$kernelopts' "$file"; then
+ sed -i 's/^\(options.*\)\$kernelopts\(.*\)$/\1\2/' "$file"
+ fi
 done
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value_etcdefault.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_etcdefault.fail.sh
index 2e088d483ce..2abd04035c2 100644
--- a/shared/templates/grub2_bootloader_argument/tests/wrong_value_etcdefault.fail.sh
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_etcdefault.fail.sh
@@ -1,7 +1,12 @@
 #!/bin/bash
-# platform = multi_platform_ubuntu
+# platform = multi_platform_all
+
+{{%- if 'ubuntu' in product %}}
 # packages = grub2
+{{%- else %}}
+# packages = grub2,grubby
+{{%- endif %}}
 {{%- if ARG_VARIABLE %}}
 # variables = {{{ ARG_VARIABLE }}}=correct_value
@@ -12,6 +17,8 @@
 {{%- set ARG_NAME_VALUE_WRONG= "wrong_variable" %}}
 {{%- endif %}}
+source common.sh
+
 # Clean up and make sure we are at a passing state
 rm -f /etc/default/grub.d/*
 echo "GRUB_CMDLINE_LINUX=\"{{{ ARG_NAME_VALUE }}}\"" > /etc/default/grub
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
new file mode 100644
index 00000000000..4464d9f3c0c
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
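Review bot: With the platform list widened to `multi_platform_rhel` and `$kernelopts` now stripped after the wrong value is written, an entry that references grubenv (the ol8/rhel8 layout, if that product is included) takes the `else` branch shown as context above, whose `sed` anchors on `\(vmlinuz\|kernelopts\)` and so appends `{{{ARG_NAME}}}=wrong` to the `linux /vmlinuz` line as well as to `options … $kernelopts`; after the new `sed` removes `$kernelopts`, the `options` line carries the wrong value only because the anchor happened to match it. Anchoring the append on the line the check actually reads, `sed -i 's/^\(options.*\)$/\1 {{{ARG_NAME}}}=wrong/' "$file"`, keeps the `linux` line intact and makes the scenario fail for the stated reason. The new `# ensure that grubenv is not referenced` comment sits at column 0 inside the loop (same in arg_not_in_entries.fail.sh); indenting it with the `if` it describes reads better. The `for` loop starts outside this hunk.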
@@ -0,0 +1,38 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+source common.sh
+
+{{%- if ARG_VARIABLE %}}
+# variables = {{{ ARG_VARIABLE }}}=correct_value
+{{%- set ARG_NAME_VALUE= ARG_NAME ~ "=correct_value" %}}
+{{%- set ARG_NAME_VALUE_WRONG= ARG_NAME ~ "=correct_value" %}}
+{{%- else %}}
+{{%- set ARG_NAME_VALUE= ARG_NAME %}}
+{{%- set ARG_NAME_VALUE_WRONG= "wrong_variable" %}}
+{{%- endif %}}
+
+# Clean up and make sure we are at a passing state
+rm -f /etc/default/grub.d/*
+
+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*{{{ ESCAPED_ARG_NAME }}}=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an arg=value already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME }}}={{{ ARG_NAME_VALUE_WRONG }}} \2/' '/etc/default/grub'
+else
+ # no arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 {{{ ARG_NAME }}}={{{ ARG_NAME_VALUE_WRONG }}}"/' '/etc/default/grub'
+fi
+
+# removing the parameter from the no recovery kernel parameters as well
+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+
+# disabling recovery
+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
+
+#if the line is not present at all, add it
+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT="{{{ ARG_NAME_VALUE }}}"' >> /etc/default/grub
+fi
+
+{{{ grub_command("update") }}}
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_grubenv.fail.sh
similarity index 61%
rename from shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh
rename to shared/templates/grub2_bootloader_argument/tests/wrong_value_grubenv.fail.sh
index 0c97377f29b..259bc41ffc0 100644
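Review bot: In the `{{%- if ARG_VARIABLE %}}` branch `ARG_NAME_VALUE_WRONG` is set to `ARG_NAME ~ "=correct_value"`, i.e. the correct value, and both `sed` commands then write `{{{ ARG_NAME }}}={{{ ARG_NAME_VALUE_WRONG }}}`, so the "wrong" setting comes out as `name=name=correct_value`: it only fails by accident of the doubled prefix, and the `else` branch's `"wrong_variable"` shows the intent was a genuinely wrong value, e.g. `{{%- set ARG_NAME_VALUE_WRONG= "wrong_value" %}}` with the sed replacement kept as `{{{ ARG_NAME }}}={{{ ARG_NAME_VALUE_WRONG }}}`. The fallback `echo 'GRUB_CMDLINE_LINUX_DEFAULT="{{{ ARG_NAME_VALUE }}}"' >> /etc/default/grub` appends the correct value in a `.fail` scenario; if that path is ever taken the test passes for the wrong reason, so it should append the wrong form, `echo 'GRUB_CMDLINE_LINUX_DEFAULT="{{{ ARG_NAME }}}={{{ ARG_NAME_VALUE_WRONG }}}"'`. The `# variables =` header line is emitted after `source common.sh` here, unlike every sibling that places the Jinja block before the `source`; if the harness scans headers only at the top of the file this ordering may matter, so please confirm.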
--- a/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_grubenv.fail.sh
@@ -5,6 +5,8 @@
 source common.sh
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
+
 # Break the argument in kernel command line in /boot/grub2/grubenv
 file="/boot/grub2/grubenv"
 if grep -q '^.*{{{ARG_NAME}}}=.*' "$file" ; then
@@ -14,3 +16,11 @@ else
 # no arg is present, append it
 sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME}}}=wrong/' "$file"
 fi
+
+# Ensure that grubenv is referenced through $kernelopts
+# othervise contents of grubenv are ignored
+for entry in /boot/loader/entries/*.conf; do
+ if ! grep -q '\$kernelopts' "$entry"; then
+ sed -i 's/^\(options.*\)$/\1 \$kernelopts/' "$entry"
+ fi
+done
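Review bot: The comment `# othervise contents of grubenv are ignored` has a typo and is the only place that states why the loop exists; `# otherwise the contents of grubenv are ignored by the bootloader entries` reads correctly and keeps the reasoning. The loop itself is identical to the one added in arg_not_in_grubenv_but_referen
ced.fail.sh in this commit, so a small `ensure_kernelopts_referenced` helper in common.sh (which both files already source) would keep the two from drifting apart. The `if grep -q` / `else` block this hunk continues starts outside the hunk.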