System Must Avoid Meltdown and Spectre Exploit Vulnerabilities in Modern Processors

An XCCDF Rule

Description

Verify that Meltdown mitigations are not disabled:

$ sudo grubby --info=ALL | grep mitigations
The mitigations must not be set to "off".
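The check above is easiest to automate if the grubby output is parsed per boot entry rather than eyeballed. The script below is an added example written for this page, not part of the SCAP Security Guide rule or its remediation content: it reads `grubby --info=ALL` output, extracts every `args="..."` line and fails if any entry carries the exact token `mitigations=off`. Exact-token matching is deliberate, since `mitigations=auto,nosmt` is a valid hardened setting and must not be flagged. The sample outputs embedded in the script are constructed to match the shape grubby prints; the kernel paths, titles and ids are placeholders, not values from a real host.

```shell
#!/bin/sh
# Added example, not part of the SSG rule or its remediation scripts: an
# offline-testable audit of `grubby --info=ALL` output for the condition this
# rule checks. grubby prints one args="..." line per boot entry; the rule is
# violated if any entry's kernel arguments contain the token mitigations=off.

# args_disable_mitigations ARGS
# Returns 0 if the space-separated kernel argument string ARGS contains the
# exact token mitigations=off, 1 otherwise. Exact-token matching matters:
# mitigations=auto,nosmt is a valid hardened setting and must not trigger.
args_disable_mitigations() {
    for tok in $1; do
        [ "$tok" = "mitigations=off" ] && return 0
    done
    return 1
}

# check_grubby_output < grubby-info-text
# Reads `grubby --info=ALL` output on stdin. Returns 0 (compliant) when no
# entry disables mitigations, 1 (finding) when at least one does.
check_grubby_output() {
    status=0
    while IFS= read -r line; do
        case $line in
            args=*)
                # Strip the "args=" key and the surrounding double quotes.
                args=${line#args=}
                args=${args#\"}
                args=${args%\"}
                if args_disable_mitigations "$args"; then
                    status=1
                fi
                ;;
        esac
    done
    return $status
}

# Constructed sample in the shape of grubby --info=ALL output (placeholder
# kernel paths and ids, not captured from a real host). Compliant: the only
# mitigations= token selects a hardened mode, not "off".
SAMPLE_COMPLIANT='index=0
kernel="/boot/vmlinuz-EXAMPLE"
args="ro crashkernel=auto rhgb quiet mitigations=auto,nosmt"
root="/dev/mapper/ol-root"
initrd="/boot/initramfs-EXAMPLE.img"
title="Oracle Linux (EXAMPLE)"
id="EXAMPLE-0"'

# Constructed sample with two entries; the second one has mitigations disabled,
# so the whole system must be reported as non-compliant.
SAMPLE_FINDING='index=0
kernel="/boot/vmlinuz-EXAMPLE"
args="ro crashkernel=auto rhgb quiet"
root="/dev/mapper/ol-root"
index=1
kernel="/boot/vmlinuz-EXAMPLE-rescue"
args="ro crashkernel=auto rhgb quiet mitigations=off"
root="/dev/mapper/ol-root"'

# audit_text TEXT: run the check over a captured grubby output string.
audit_text() {
    printf '%s\n' "$1" | check_grubby_output
}

# On a live host the same function runs over the real command:
#   sudo grubby --info=ALL | check_grubby_output && echo pass || echo FAIL
if audit_text "$SAMPLE_COMPLIANT"; then echo "compliant sample: pass"; fi
if ! audit_text "$SAMPLE_FINDING"; then echo "finding sample: FAIL (mitigations=off present)"; fi
```

The check deliberately inspects every boot entry, not just the default one: a rescue or older kernel entry that still carries `mitigations=off` is enough to fail the rule, and it is exactly what the `--update-kernel=ALL` remediation on this page is meant to clean up.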

Rationale

Hardware vulnerabilities allow programs to steal data that is currently being processed on the computer. While programs are normally not permitted to read data belonging to other programs, a malicious program can exploit Meltdown and Spectre to obtain secrets held in the memory of other running programs. This might include passwords stored in a password manager or browser; personal photos, emails, and instant messages; and business-critical documents.

ID
xccdf_org.ssgproject.content_rule_grub2_mitigation_argument
Severity
Medium

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-OL08-00-010424
  - NIST-800-53-CM-6(b)

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common; then

# Drop mitigations=off from the arguments of every boot entry and persist the
# change in the GRUB environment block
grubby --update-kernel=ALL --remove-args=mitigations=off --env=/boot/grub2/grubenv

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi