Enforce Spectre v2 mitigation
An XCCDF Rule
Description
Spectre V2 (Branch Target Injection, CVE-2017-5715) is an indirect branch poisoning attack that can lead to data leakage.
An exploit for Spectre V2 trains the indirect branch predictor so that a later indirect
branch in the victim speculatively executes code of the attacker's choosing, even if the
victim runs at a different privilege level (user space against the kernel, a guest against
the hypervisor). The speculatively executed code leaves traces in the CPU cache from which
the attacker recovers the victim's data.
Since Linux kernel 4.15 the mitigation state is exported through sysfs; the file reads "Vulnerable", "Not affected", or a "Mitigation: ..." line naming the active mitigation (for example retpolines, IBRS or IBPB). Check it with the following command:
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Enforce the Spectre V2 mitigation by adding the argument
spectre_v2=on
to the default
GRUB 2 command line for the Linux operating system. With spectre_v2=on the kernel enables the
mitigation unconditionally instead of choosing one based on CPU and microcode features as
it does with the default spectre_v2=auto.
To ensure that spectre_v2=on
is added as a kernel command line
argument to newly installed kernels, add spectre_v2=on
to the
default GRUB 2 command line for Linux operating systems. Modify the line within
/etc/default/grub
as shown below:
GRUB_CMDLINE_LINUX="... spectre_v2=on ..."
Run the following command to regenerate the GRUB configuration so that already installed kernels pick up the argument:
# update-grub
(update-grub is the Debian/Ubuntu wrapper around grub-mkconfig; the rule's remediation is scoped to systems that have the grub2-common package.)
The change takes effect at the next boot. After rebooting, confirm that the argument reached the kernel and that sysfs now reports an active mitigation:
# grep -o 'spectre_v2=[^ ]*' /proc/cmdline
# cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
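The following script is an added example and is not part of the SSG rule or its remediation. It puts the check and the edit described above into functions that take the file paths as parameters, so they can be exercised against constructed copies of /etc/default/grub and the sysfs file rather than the live system. The edit is idempotent: an existing spectre_v2=<value> is rewritten to spectre_v2=on, a missing argument is appended, and a file without a GRUB_CMDLINE_LINUX line gets one. Running update-grub and rebooting afterwards is still required and is deliberately left to the caller.

```shell
#!/bin/sh
# Added example, not the SSG remediation. Helpers to (a) read the kernel's
# reported Spectre v2 state and (b) ensure spectre_v2=on is present exactly
# once in GRUB_CMDLINE_LINUX. Paths default to the real system locations
# but can be overridden for testing against constructed files.

# Print the state the kernel reports (Linux >= 4.15). Returns 0 when the
# kernel says "Mitigation: ..." or "Not affected", 1 when it says
# "Vulnerable", and 2 when the sysfs file is missing (older kernel or
# non-Linux host) so the caller can tell "unknown" from "bad".
spectre_v2_state() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"
    if [ ! -r "$f" ]; then
        echo "unknown (no $f)"
        return 2
    fi
    state=$(cat "$f")
    echo "$state"
    case "$state" in
        Mitigation:*|"Not affected") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if a kernel command line string (e.g. the content of
# /proc/cmdline) contains the exact argument spectre_v2=on.
cmdline_has_spectre_v2_on() {
    case " $1 " in
        *" spectre_v2=on "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Ensure GRUB_CMDLINE_LINUX in the given grub defaults file carries
# spectre_v2=on. Three cases, handled in order:
#   1. a spectre_v2=<anything> argument exists -> rewrite its value to "on"
#   2. the variable exists without the argument -> append it (no leading
#      space when the value was empty)
#   3. the variable is absent -> add a new line
# Commented-out lines are ignored because the patterns anchor on an
# uncommented GRUB_CMDLINE_LINUX= at the start of the line.
ensure_spectre_v2_on() {
    grub_file="$1"
    if grep -q '^[[:space:]]*GRUB_CMDLINE_LINUX=.*spectre_v2=' "$grub_file"; then
        sed -i \
          's/\(^[[:space:]]*GRUB_CMDLINE_LINUX=".*\)spectre_v2=[^[:space:]"]*\(.*"\)/\1spectre_v2=on\2/' \
          "$grub_file"
    elif grep -q '^[[:space:]]*GRUB_CMDLINE_LINUX=' "$grub_file"; then
        # First expression handles an empty value; "t" skips the second
        # expression when the first one substituted, avoiding a double add.
        sed -i \
          -e 's/\(^[[:space:]]*GRUB_CMDLINE_LINUX="\)"/\1spectre_v2=on"/' \
          -e 't' \
          -e 's/\(^[[:space:]]*GRUB_CMDLINE_LINUX=".*\)"/\1 spectre_v2=on"/' \
          "$grub_file"
    else
        printf 'GRUB_CMDLINE_LINUX="spectre_v2=on"\n' >> "$grub_file"
    fi
}

# Print the value of the last uncommented GRUB_CMDLINE_LINUX= line in the
# given file (GRUB uses the last assignment when the file is sourced).
grub_cmdline() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tail -n 1
}
```

Typical use on a live Debian/Ubuntu host is `ensure_spectre_v2_on /etc/default/grub && update-grub`, then after a reboot `spectre_v2_state` and `cmdline_has_spectre_v2_on "$(cat /proc/cmdline)"` should both succeed. The sed -i form is the GNU one used by the page's own remediation; BSD sed needs `-i ''`.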
Rationale
The Spectre V2 vulnerability allows an attacker to read memory they should not have access to, across privilege boundaries such as user space to kernel or guest to host.
- ID: xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument
- Severity: High
Remediation - OS Build Blueprint
[customizations.kernel]
append = "spectre_v2=on"
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*spectre_v2=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if a spectre_v2= arg already exists