{"description": "Certain CPUs are vulnerable to an exploit against a common industry-wide performance\noptimization known as Speculative Store Bypass (SSB).\n\nOn such CPUs, a load may be speculatively executed before an older store to the same memory\nlocation has completed, so the load can observe stale data. The CPU detects the conflict before\nthe instructions retire and discards the result, but the speculatively loaded value can already\nhave left traces in the cache.\n\nSince Linux kernel 4.17 you can check the SSB mitigation state of the running kernel with the following command:\n<tt>cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass</tt>\n\nSelect the appropriate SSB state by adding the argument\n<tt>spec_store_bypass_disable=<sub idref=\"var_spec_store_bypass_disable_options\" /></tt> to the default\nGRUB 2 command line for the Linux operating system.\nTo ensure that the argument is also applied to newly installed kernels, modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... spec_store_bypass_disable=<sub idref=\"var_spec_store_bypass_disable_options\" /> ...\"</pre>\nThen run the following command to regenerate the GRUB 2 configuration so that already installed kernels receive the new command line:<pre># update-grub</pre>", "rationale": "On vulnerable processors, the stale value that a load reads by speculatively bypassing a pending store can be leaked through a cache side channel\nattack. 
An example is reading memory to which the attacker has no direct access,\nfor instance from inside sandboxed code.", "severity": "medium", "references": {"anssi": ["R8"]}, "control_references": {"anssi": ["R8"]}, "components": [], "identifiers": {}, "ocil_clause": "SSB is not configured appropriately", "ocil": "Inspect the form of the default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>. If it includes <tt>spec_store_bypass_disable=<sub idref=\"var_spec_store_bypass_disable_options\" /></tt>,\nthen the parameter will be configured for newly installed kernels.\nFirst check whether GRUB recovery entries are disabled:\n<pre>$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>\nIf this option is set to true, no recovery entries are generated and <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> is sufficient; check that a line is output by the following command:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT=.*spec_store_bypass_disable=<sub idref=\"var_spec_store_bypass_disable_options\" />.*' /etc/default/grub</pre>\nIf recovery entries are enabled (the option is absent or not set to true), the argument must be in <tt>GRUB_CMDLINE_LINUX</tt>, the only variable that grub-mkconfig applies to recovery entries; check that a line is output by\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX=.*spec_store_bypass_disable=<sub idref=\"var_spec_store_bypass_disable_options\" />.*' /etc/default/grub</pre>\nMoreover, the current GRUB 2 configuration file <tt>grub.cfg</tt> must be checked. 
On systems that use <tt>update-grub</tt> the file is\n<tt>/boot/grub/grub.cfg</tt> on both legacy BIOS and UEFI systems.\nIf every kernel line includes <tt>spec_store_bypass_disable=<sub idref=\"var_spec_store_bypass_disable_options\" /></tt>, then the parameter\nis configured at boot time.\n<pre>$ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'spec_store_bypass_disable=<sub idref=\"var_spec_store_bypass_disable_options\" />'</pre>\nReplace <tt>GRUB_CFG_FILE_PATH</tt> with the path given above.\nThis command should not return any output.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"performance": "Disabling Speculative Store Bypass may impact the performance of the system."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure Speculative Store Bypass Mitigation", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml", "template": {"name": "grub2_bootloader_argument", "vars": {"arg_name": "spec_store_bypass_disable", "arg_variable": "var_spec_store_bypass_disable_options"}, "backends": {}}}
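As an added example (not part of this rule's content or of the ComplianceAsCode project), the following POSIX shell script performs the configuration and boot-time checks described in the rule's description and OCIL text, offline: it picks the /etc/default/grub variable that must carry the argument according to GRUB_DISABLE_RECOVERY, extracts the configured value, lists the grub.cfg kernel lines that lack the argument, and reads the kernel's sysfs report. It assumes a Debian/Ubuntu-style GRUB 2 setup (update-grub, /boot/grub/grub.cfg), uses `seccomp` as a stand-in for the value that var_spec_store_bypass_disable_options would select, and every input file, including the sysfs text, is constructed inside the script rather than taken from a real host.

```shell
#!/bin/sh
# Added example for the SSB GRUB 2 rule (not SSG content). Audit helpers for the
# spec_store_bypass_disable kernel argument on a Debian/Ubuntu-style GRUB 2 setup
# (/etc/default/grub + update-grub). All inputs are constructed below so the
# script runs offline; "seccomp" stands in for the value chosen by the rule's
# var_spec_store_bypass_disable_options variable.

ARG="spec_store_bypass_disable"

# Which /etc/default/grub variable has to carry the argument. grub-mkconfig
# applies GRUB_CMDLINE_LINUX to every entry but GRUB_CMDLINE_LINUX_DEFAULT only
# to non-recovery entries, so the latter is enough only when recovery entries
# are disabled (GRUB_DISABLE_RECOVERY=true).
cmdline_var_for() {   # $1 = path to a default/grub file
    if grep -Eq '^GRUB_DISABLE_RECOVERY="?true"?' "$1"; then
        echo GRUB_CMDLINE_LINUX_DEFAULT
    else
        echo GRUB_CMDLINE_LINUX
    fi
}

# Print the argument's value from the variable chosen above, or "missing".
# Only the last assignment counts, as it would when the shell sources the file.
default_grub_value() {   # $1 = path to a default/grub file
    var=$(cmdline_var_for "$1")
    line=$(grep -E "^${var}=" "$1" | tail -n 1)
    val=$(printf '%s\n' "$line" | sed -n "s/.*[\" ]${ARG}=\([^\" ]*\).*/\1/p")
    if [ -n "$val" ]; then echo "$val"; else echo missing; fi
}

# Print every kernel line of a generated grub.cfg that lacks ARG=$2. This is the
# rule's OCIL check: no output means every entry, recovery included, is set.
grub_cfg_missing() {   # $1 = path to grub.cfg, $2 = expected value
    grep vmlinuz "$1" | grep -v "${ARG}=$2" || true
}

# Number of such lines, for scripted use.
grub_cfg_missing_count() {   # $1 = path to grub.cfg, $2 = expected value
    grub_cfg_missing "$1" "$2" | grep -c . || true
}

# The running kernel's own view of the mitigation (Linux >= 4.17). Takes the
# path as a parameter so a constructed file can stand in for sysfs.
ssb_state() {   # $1 = path to .../cpu/vulnerabilities/spec_store_bypass
    if [ -r "$1" ]; then cat "$1"; else echo "unknown (file not present)"; fi
}

# ---- constructed sample inputs, not captured from a real host ----
TMP=$(mktemp -d)
# Recovery disabled, argument absent: not compliant.
cat > "$TMP/grub.weak" <<'EOF'
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
EOF
# Recovery disabled, argument in GRUB_CMDLINE_LINUX_DEFAULT: sufficient.
cat > "$TMP/grub.fixed" <<'EOF'
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash spec_store_bypass_disable=seccomp"
GRUB_CMDLINE_LINUX=""
EOF
# Recovery enabled: the argument sits only in GRUB_CMDLINE_LINUX_DEFAULT, so
# recovery entries would boot without it. Not compliant.
cat > "$TMP/grub.recovery" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="quiet spec_store_bypass_disable=seccomp"
GRUB_CMDLINE_LINUX="audit=1"
EOF
# A generated grub.cfg whose recovery entry lacks the argument.
cat > "$TMP/grub.cfg" <<'EOF'
menuentry 'Linux' {
	linux	/boot/vmlinuz-5.15.0 root=/dev/sda1 ro quiet spec_store_bypass_disable=seccomp
	initrd	/boot/initrd.img-5.15.0
}
menuentry 'Linux (recovery mode)' {
	linux	/boot/vmlinuz-5.15.0 root=/dev/sda1 ro single
	initrd	/boot/initrd.img-5.15.0
}
EOF
# The text the kernel reports in seccomp mode (a constructed copy, not read from /sys).
echo "Mitigation: Speculative Store Bypass disabled via prctl and seccomp" > "$TMP/ssb"

echo "running kernel: $(ssb_state "$TMP/ssb")"
for f in grub.weak grub.fixed grub.recovery; do
    echo "$f: $(cmdline_var_for "$TMP/$f") -> ${ARG}=$(default_grub_value "$TMP/$f")"
done
echo "grub.cfg kernel lines missing ${ARG}=seccomp: $(grub_cfg_missing_count "$TMP/grub.cfg" seccomp)"
grub_cfg_missing "$TMP/grub.cfg" seccomp
echo "sample files left in $TMP"
```

On a live host, point the functions at /etc/default/grub, /boot/grub/grub.cfg and /sys/devices/system/cpu/vulnerabilities/spec_store_bypass. The sysfs file reflects only the kernel that is currently running, while the other two describe what the next boot will use, so all three should be checked again after editing /etc/default/grub and running update-grub.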