OL 8 must not let Meltdown and Spectre exploit critical vulnerabilities in modern processors.

STIG ID: OL08-00-010424  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-248593

Vulnerability Discussion

Hardware vulnerabilities allow programs to steal data that is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to obtain secrets stored in the memory of other running programs. This might include passwords stored in a password manager or browser; personal photos, emails, and instant messages; and business-critical documents.

Check

Determine the default kernel:
$ sudo grubby --default-kernel

/boot/vmlinuz-5.4.17-2011.1.2.el8uek.x86_64

Using the default kernel, verify that Meltdown mitigations are not disabled:

$ sudo grubby --info=<path-to-default-kernel> | grep mitigation

If the mitigation parameter is set to "off" this is a finding.

Fix

Determine the default kernel:

$ sudo grubby --default-kernel

/boot/vmlinuz-5.4.17-2011.1.2.el8uek.x86_64

Using the default kernel, remove the Meltdown mitigations:

$ sudo grubby --update-kernel=<path-to-default-kernel> --remove-args=mitigation=off

Reboot the system for the change to take effect.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.