{"description": "Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.\nAn exploit for Spectre V2 tricks the indirect branch predictor into executing\ncode from a future indirect branch chosen by the attacker, even if the privilege\nlevel is different.\n\nSince Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command:\n<tt>cat /sys/devices/system/cpu/vulnerabilities/spectre_v2</tt>\n\nEnforce the Spectre V2 mitigation by adding the argument\n<tt>spectre_v2=on</tt> to the default\nGRUB 2 command line for the Linux operating system.\nTo ensure that <tt>spectre_v2=on</tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>spectre_v2=on</tt> to the\ndefault Grub2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... spectre_v2=on ...\"</pre>\nRun the following command to update command line for already installed kernels:<pre># update-grub</pre>", "rationale": "The Spectre V2 vulnerability allows an attacker to read memory that he should not have\naccess to.", "severity": "high", "references": {"anssi": ["R8"]}, "control_references": {"anssi": ["R8"]}, "components": [], "identifiers": {}, "ocil_clause": "spectre_v2 mitigation is not enforced", "ocil": "Inspect the form of default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>. If it includes <tt>spectre_v2=on</tt>,\nthen the parameter will be configured for newly installed kernels.\nFirst check if the GRUB recovery is enabled:\n<pre>$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>\nIf this option is set to true, then check that a line is output by the following command:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*spectre_v2=on.*' /etc/default/grub</pre>\nIf the recovery is disabled, check the line with\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX.*spectre_v2=on.*' /etc/default/grub</pre>.Moreover, current Grub config file <tt>grub.cfg</tt> must be checked. The file can be found\neither in <tt>/boot/grub</tt> in case of legacy BIOS systems, or in <tt>/boot/grub</tt> in case of UEFI systems.\nIf they include <tt>spectre_v2=on</tt>, then the parameter\nis configured at boot time.\n<pre>$ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'spectre_v2=on'</pre>\nFill in <tt>GRUB_CFG_FILE_PATH</tt> based on information above.\nThis command should not return any output.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enforce Spectre v2 mitigation", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml", "template": {"name": "grub2_bootloader_argument", "vars": {"arg_name": "spectre_v2", "arg_value": "on"}, "backends": {}}}