{"description": "A Machine Check Exception is an error generated by the CPU when it detects an error\nin itself, memory or I/O devices.\nThese errors may be corrected and generate a check log entry; if an error\ncannot be corrected, the kernel may panic or raise SIGBUS.\n\nTo force the kernel to panic on any uncorrected error reported by Machine Check,\nset the MCE tolerance to zero by adding <tt>mce=0</tt>\nto the default GRUB 2 command line for the Linux operating system.\nTo ensure that <tt>mce=0</tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>mce=0</tt> to the\ndefault Grub2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... mce=0 ...\"</pre>\nRun the following command to update the command line for already installed kernels:<pre># update-grub</pre>", "rationale": "Allowing uncorrected errors to result in a SIGBUS may allow an attacker to continue\ntrying to exploit a vulnerability such as Rowhammer.", "severity": "medium", "references": {"anssi": ["R8"]}, "control_references": {"anssi": ["R8"]}, "components": [], "identifiers": {}, "ocil_clause": "MCE tolerance is not set to zero", "ocil": "Inspect the form of the default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>. If it includes <tt>mce=0</tt>,\nthen the parameter will be configured for newly installed kernels.\nFirst check if the GRUB recovery is enabled:\n<pre>$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>\nIf this option is set to true, then check that a line is output by the following command:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*mce=0.*' /etc/default/grub</pre>\nIf the recovery is disabled, check the line with\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX.*mce=0.*' /etc/default/grub</pre>. Moreover, the current Grub config file <tt>grub.cfg</tt> must be checked. The file can be found\neither in <tt>/boot/grub</tt> in case of legacy BIOS systems, or in <tt>/boot/grub</tt> in case of UEFI systems.\nIf it includes <tt>mce=0</tt>, then the parameter\nis configured at boot time.\n<pre>$ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'mce=0'</pre>\nFill in <tt>GRUB_CFG_FILE_PATH</tt> based on the information above.\nThis command should not return any output.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Force kernel panic on uncorrected MCEs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml", "template": {"name": "grub2_bootloader_argument", "vars": {"arg_name": "mce", "arg_value": "0"}, "backends": {}}}