Enforce Spectre v2 mitigation

An XCCDF Rule

Description

Spectre V2 is an indirect branch poisoning attack that can lead to data leakage. An exploit for Spectre V2 tricks the indirect branch predictor into executing code from a future indirect branch chosen by the attacker, even if the privilege level is different. Since Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command: cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 Enforce the Spectre V2 mitigation by adding the argument spectre_v2=on to the default GRUB 2 command line for the Linux operating system. To ensure that spectre_v2=on) is added as a kernel command line argument to newly installed kernels, add spectre_v2=on) to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... spectre_v2=on) ..."

Run the following command to update command line for already installed kernels:

# grubby --update-kernel=ALL --args="spectre_v2=on)"

Rationale

The Spectre V2 vulnerability allows an attacker to read memory that he should not have access to.

ID: xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument
Severity: High
References: BP28(R8)

CCE-90763-4
Updated: about 1 year ago

[customizations.kernel]
append = "spectre_v2=on"

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-90763-4
  - grub2_spectre_v2_argument  - high_severity
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Check spectre_v2 argument exists
  command: grep '^\s*GRUB_CMDLINE_LINUX=.*spectre_v2=' /etc/default/grub
  failed_when: false
  register: argcheck
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90763-4
  - grub2_spectre_v2_argument
  - high_severity
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Check spectre_v2 argument exists
  command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
  failed_when: false
  register: linecheck
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90763-4
  - grub2_spectre_v2_argument
  - high_severity
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Add spectre_v2 argument
  ansible.builtin.lineinfile:
    line: GRUB_CMDLINE_LINUX="spectre_v2=on "
    state: present
    dest: /etc/default/grub
    create: true
    mode: '0644'
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
    linecheck.rc != 0
  tags:
  - CCE-90763-4
  - grub2_spectre_v2_argument
  - high_severity
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Replace existing spectre_v2 argument
  replace:
    path: /etc/default/grub
    regexp: spectre_v2=[a-zA-Z0-9,]+
    replace: spectre_v2=on
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and
    linecheck.rc == 0
  tags:
  - CCE-90763-4
  - grub2_spectre_v2_argument
  - high_severity
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Add spectre_v2 argument
  replace:
    path: /etc/default/grub
    regexp: (^\s*GRUB_CMDLINE_LINUX=.*)"
    replace: \1 spectre_v2=on"
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and
    linecheck.rc == 0
  tags:
  - CCE-90763-4
  - grub2_spectre_v2_argument
  - high_severity
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="spectre_v2=on"
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90763-4
  - grub2_spectre_v2_argument
  - high_severity
  - low_disruption
  - medium_complexity
  - reboot_required
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*spectre_v2=.*"'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an spectre_v2= arg already exists       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)spectre_v2=[^[:space:]]\+\(.*\"\)/\1spectre_v2=on\2/"  '/etc/default/grub'
# Add to already existing GRUB_CMDLINE_LINUX parameters
elif grep -q '^\s*GRUB_CMDLINE_LINUX='  '/etc/default/grub' ; then
       # no spectre_v2=arg is present, append it
       sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 spectre_v2=on\"/"  '/etc/default/grub'
# Add GRUB_CMDLINE_LINUX parameters line
else
       echo "GRUB_CMDLINE_LINUX=\"spectre_v2=on\"" >> '/etc/default/grub'
fi
grubby --update-kernel=ALL --args=spectre_v2=on

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enforce Spectre v2 mitigation

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Shell Script