{"description": "Verify that Meltdown mitigations are not disabled:\n<pre>$ sudo grubby --info=ALL | grep mitigations</pre>\n\nThe mitigations must not be set to \"off\".\n\nCheck that the line <pre>GRUB_CMDLINE_LINUX=\"...\"</pre> within <tt>/etc/default/grub</tt>\ndoesn't contain the argument <tt>mitigations=off</tt>.\nRun the following command to update the command line for already installed kernels:\n<pre># grubby --update-kernel=ALL --remove-args=\"mitigations=off\"</pre>", "rationale": "Hardware vulnerabilities allow programs to steal data that is currently processed on the\ncomputer. While programs are typically not permitted to read data from other programs, a\nmalicious program can exploit Meltdown and Spectre to obtain secrets stored in the memory of\nother running programs. This might include passwords stored in a password manager or browser;\npersonal photos, emails, and instant messages; and business-critical documents.", "severity": "medium", "references": {"nist": ["CM-6(b)", "CM-6.1(iv)"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "mitigations is set to off", "ocil": "Verify that Meltdown mitigations are not disabled in any kernel:\n\n<pre>$ sudo grubby --info=ALL | grep mitigations</pre>", "oval_external_content": null, "fixtext": "Remove the <tt>mitigations=off</tt> argument from the kernel command line:\n\n<pre>$ sudo grubby --update-kernel=ALL --remove-args=mitigations=off</pre>\n\nReboot the system for the change to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "System Must Avoid Meltdown and Spectre Exploit Vulnerabilities in Modern Processors", 
"definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml", "template": {"name": "grub2_bootloader_argument_absent", "vars": {"arg_name": "mitigations=off"}, "backends": {}}}