I wonder whether there’s a way to leverage the RHSMPlugin to download the script…
Well, since the RH script is official, it would be nice if BigFix development could now provide an official fixlet too.
That is what I’m hoping for, but I have never used it before myself. I am planning on looking at some existing examples and go from there.
FYI a tool from GRC for spectre detection on windows: https://www.grc.com/inspectre.htm
I created an offer to run this as the current user: https://github.com/jgstew/bigfix-content/blob/master/fixlet/Run%20GRC’s%20InSpectre%20tool%20-%20Windows%20-%20Offer.bes
This is a nicer UI option than running PowerShell, and it is something that could be made available for IT staff to run on machines they are on to validate settings, or it could be made available to anyone if they are curious.
I haven’t tested this yet, but this is my first attempt at the RedHat detection script for meltdown/spectre. For now it requires manual caching of the script on the root server; ideally it could use the RHEL download plugin instead, but I haven’t figured that part out yet.
- https://github.com/jgstew/bigfix-content/blob/master/fixlet/Run%20RedHat’s%20Linux%20Meltdown%20and%20Spectre%20Detection%20Tool.bes
- https://github.com/jgstew/bigfix-content/blob/master/analyses/Meltdown%20and%20Spectre%20Detection%20Results%20-%20Linux.bes
I’ll update once I’ve tested this on some VMs.
Hey James,
I did it a little differently, as RH 5/6 doesn’t automatically mount /sys/kernel/debug:
prefetch spectre_meltdown.sh sha1:a2f5749d3fa420b0dcfdc5b37a0f4529cf988d78 size:11273 https://127.0.0.1:52311/Uploads/a2f5749d3fa420b0dcfdc5b37a0f4529cf988d78/spectre_meltdown.sh sha256:1c5843813d4e24be5c3e7f829c5c1a6c3028cf1dbe2d76cd55b15402d712b2c5
// RHEL/CentOS 5 and 6: debugfs is not mounted automatically, so mount it around the run
if { (NOT exists match (regex "Red Hat Enterprise (Client|Server|Workstation) 7") of name of operating system ) OR ( (NOT exists match (regex "CentOS.* 7") of name of it) of operating system ) }
delete "{(client folder of current site as string) & "/__createfile"}"
createfile until __EOF__
# Check whether debugfs is already mounted; grep exits non-zero when nothing matches
mount | grep "nodev on /sys/kernel/debug" > /dev/null 2>&1
if [ $? -ne 0 ]; then
mount -t debugfs nodev /sys/kernel/debug
bash '{pathname of file "spectre_meltdown.sh" of folder "__Download" of client folder of current site}' > '{ pathname of folders "Logs" of folders "__Global" of data folders of client }/results_spectre_meltdown.txt'
# Unmount by mount point rather than by the "nodev" source name
umount /sys/kernel/debug
else
bash '{pathname of file "spectre_meltdown.sh" of folder "__Download" of client folder of current site}' > '{ pathname of folders "Logs" of folders "__Global" of data folders of client }/results_spectre_meltdown.txt'
fi
__EOF__
wait chmod 555 "{(client folder of current site as string) & "/__createfile"}"
wait bash "{(client folder of current site as string) & "/__createfile"}"
// RHEL/CentOS 7: debugfs is already mounted, so just run the script
else
wait bash -c "bash '{pathname of file "spectre_meltdown.sh" of folder "__Download" of client folder of current site}' > '{ pathname of folders "Logs" of folders "__Global" of data folders of client }/results_spectre_meltdown.txt'"
endif
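An added example (not from any post in this thread, and not part of the linked BigFix content) of a more robust version of the mount check in the script above: it reads the mounts table by mount point and filesystem type instead of grepping `mount` output for the literal source name "nodev" (which misses a debugfs mounted under another source name, e.g. "debugfs" as systemd does), and it unmounts only when it performed the mount itself. The function names and arguments are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. debugfs_mounted MOUNTS_FILE exits 0
# when MOUNTS_FILE (default /proc/mounts) contains a debugfs entry for
# /sys/kernel/debug, whatever source name the mounter chose.
debugfs_mounted() {
    mounts="${1:-/proc/mounts}"
    # /proc/mounts fields: source mountpoint fstype options dump pass
    awk '$2 == "/sys/kernel/debug" && $3 == "debugfs" { found = 1 }
         END { exit !found }' "$mounts"
}

# run_detection SCRIPT OUTPUT_FILE: mount debugfs only if it is missing, run
# the detection script, then unmount only if this function did the mount, so
# an existing system mount is left untouched.
run_detection() {
    script="$1"
    out="$2"
    mounted_here=0
    if ! debugfs_mounted; then
        mount -t debugfs nodev /sys/kernel/debug || return 1
        mounted_here=1
    fi
    if bash "$script" > "$out"; then rc=0; else rc=$?; fi
    if [ "$mounted_here" -eq 1 ]; then
        umount /sys/kernel/debug
    fi
    return "$rc"
}
```

Call it as `run_detection /path/to/spectre_meltdown.sh /path/to/results_spectre_meltdown.txt` from the action script's createfile block; both paths are placeholders for the prefetched script and the BigFix log location used above.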
So does that mean this doesn’t work on RH 5 or 6 unless you do the extra work of mounting that?
My understanding is that the script needs to have access to the /sys/kernel/debug files to get the correct results.
PS: if you run the script on RH5/6 without the mountpoint, the script itself will ask to get it mounted.
Microsoft has resumed offering updates for AMD processors
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
This link doesn’t make it sound like they have changed anything about the updates themselves, just that they are resuming. I would assume that if they were causing major bluescreen or boot issues on some AMD devices then they would have to change the updates themselves to allow them to no longer do this.
FYI: RedHat is reverting microcode updates due to problems:
Intel has new CPU fixes which are supposed to fix the stability issues: https://www.techradar.com/news/intels-spectre-fix-is-now-good-to-go-for-broadwell-and-haswell-processors
Microsoft is beginning to release microcode through the Update Catalog
I agree that KB4090007 was mislabeled as a cumulative patch, and now I’m seeing that it’s superseded in BigFix.
When I look at the MS update catalog, I’m not seeing a replacement KB.
Would it be possible to have KB4091664 added to BigFix as well? This is the MS microcode update for Spectre variant 2 on Win10 1607.
I see KB4091664 has been published. Thank you!
EDIT: replied to wrong post.