Force kernel panic on uncorrected MCEs
An XCCDF Rule
Description
A Machine Check Exception is an error generated by the CPU when it detects an error
in itself, memory or I/O devices.
These errors may be corrected and generate a check log entry; if an error
cannot be corrected, the kernel may panic or send SIGBUS.
To force the kernel to panic on any uncorrected error reported by Machine Check,
set the MCE tolerance to zero by adding mce=0
to the default GRUB 2 command line for the Linux operating system.
To ensure that mce=0 is added as a kernel command line argument to newly
installed kernels, add mce=0 to the default GRUB 2 command line for Linux
operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... mce=0 ..."
Run the following command to update the command line for already installed kernels:
# grubby --update-kernel=ALL --args="mce=0"
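The following audit helper is an added example and not part of the rule's own check or remediation content. It verifies both halves of the procedure above: that the running kernel's command line (/proc/cmdline) carries mce=0, and that GRUB_CMDLINE_LINUX in /etc/default/grub carries it for kernels installed later. The function names, the --live flag and the sample command lines are assumptions constructed for this example; note that when mce= appears more than once the last occurrence is the effective one, which the helper accounts for.

```shell
#!/bin/sh
# Added audit helper (not part of the SSG rule content): checks whether the
# running kernel and the GRUB default command line carry mce=0.

# Return 0 if the effective mce= setting in a kernel command line is 0.
# The kernel honours the last occurrence, so later tokens override earlier ones.
mce_is_zero() {
    cmdline="$1"
    last=""
    for tok in $cmdline; do
        case "$tok" in
            mce=*) last="${tok#mce=}" ;;
        esac
    done
    [ "$last" = "0" ]
}

# Check the running kernel. An optional argument overrides /proc/cmdline
# so the function can be exercised against a sample file offline.
check_running_kernel() {
    mce_is_zero "$(cat "${1:-/proc/cmdline}")"
}

# Check the GRUB default line that newly installed kernels inherit.
# Only the last GRUB_CMDLINE_LINUX assignment in the file is effective.
check_grub_default() {
    grub_file="${1:-/etc/default/grub}"
    line=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$grub_file" | tail -n 1)
    mce_is_zero "$line"
}

# Constructed sample command lines (not captured from a real host).
SAMPLE_OK='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro quiet mce=0'
SAMPLE_OVERRIDDEN='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro mce=0 mce=1'
SAMPLE_MISSING='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro quiet'

# With --live (assumed flag), audit the actual host instead of the samples.
if [ "${1:-}" = "--live" ]; then
    if check_running_kernel && check_grub_default; then
        echo "PASS: mce=0 set on running kernel and in GRUB defaults"
    else
        echo "FAIL: mce=0 missing from running kernel or GRUB defaults" >&2
        exit 1
    fi
fi
```

Run it with --live on a host after applying the grubby command and editing /etc/default/grub; a FAIL on the running kernel but PASS on the GRUB default usually means the system has not been rebooted since remediation.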
Rationale
Allowing uncorrected errors to result in a SIGBUS may allow an attacker to continue trying to exploit a vulnerability such as Rowhammer.
- ID
- xccdf_org.ssgproject.content_rule_grub2_mce_argument
- Severity
- Medium
- References
- Updated
Remediation - OS Build Blueprint
[customizations.kernel]
append = "mce=0"
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-88098-9
  - grub2_mce_argument
Remediation - Shell Script
# Remediation is applicable only in certain platforms: grub2-common must be
# installed and the script must not be running inside a container.
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
    # Append mce=0 to the command line of every installed kernel
    grubby --update-kernel=ALL --args=mce=0
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi