Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Security and Hardening Guide
  1. About This Guide
  2. 1 Security and Confidentiality
  3. 2 Common Criteria
  4. I Authentication
    1. 3 Authentication with PAM
    2. 4 Using NIS
    3. 5 Setting Up Authentication Clients Using YaST
    4. 6 LDAP with 389 Directory Server
    5. 7 Network Authentication with Kerberos
    6. 8 Active Directory Support
    7. 9 Setting Up a FreeRADIUS Server
  5. II Local Security
    1. 10 Physical Security
    2. 11 Software Management
    3. 12 File Management
    4. 13 Encrypting Partitions and Files
    5. 14 Storage Encryption for Hosted Applications with cryptctl
    6. 15 User Management
    7. 16 Restricting cron and at
    8. 17 Spectre/Meltdown Checker
    9. 18 Configuring Security Settings with YaST
    10. 19 The Polkit authentication framework
    11. 20 Access Control Lists in Linux
    12. 21 Intrusion Detection with AIDE
  6. III Network Security
    1. 22 X Window System and X Authentication
    2. 23 Securing network operations with OpenSSH
    3. 24 Masquerading and Firewalls
    4. 25 Configuring a VPN Server
    5. 26 Improving Network Security with sysctl Variables
    6. 27 Enabling compliance with FIPS 140-2
  7. IV Confining Privileges with AppArmor
    1. 28 Introducing AppArmor
    2. 29 Getting Started
    3. 30 Immunizing Programs
    4. 31 Profile Components and Syntax
    5. 32 AppArmor Profile Repositories
    6. 33 Building and Managing Profiles with YaST
    7. 34 Building Profiles from the Command Line
    8. 35 Profiling Your Web Applications Using ChangeHat
    9. 36 Confining Users with pam_apparmor
    10. 37 Managing Profiled Applications
    11. 38 Support
    12. 39 AppArmor Glossary
  8. V SELinux
    1. 40 Configuring SELinux
  9. VI The Linux Audit Framework
    1. 41 Understanding Linux Audit
    2. 42 Setting Up the Linux Audit Framework
    3. 43 Introducing an Audit Rule Set
    4. 44 Useful Resources
  10. A Payment Card Industry Data Security Standard (PCI DSS)
  11. B GNU-Lizenzen
Applies to SUSE Linux Enterprise Server 15 SP2

17 Spectre/Meltdown Checker


spectre-meltdown-checker is a shell script to test if your system is vulnerable to the several speculative execution vulnerabilities that are in nearly all CPUs manufactured in the past 20 years. This is a hardware flaw that potentially allows an attacker to read all data on the system. On cloud computing services, where multiple virtual machines are on a single physical host, an attacker can gain access to all virtual machines. Fixing these vulnerabilities requires redesigning and replacing CPUs. Until this happens, there are several software patches that mitigate these vulnerabilities. If you have kept your SUSE systems updated, all of these patches should already be installed.

spectre-meltdown-checker generates a detailed report. It is impossible to guarantee that your system is secure, but it shows you which mitigations are in place, and potential vulnerabilities.

17.1 Using spectre-meltdown-checker

Install the script, and then run it as root without any options:

# zypper in spectre-meltdown-checker
# spectre-meltdown-checker.sh

You will see colorful output like Figure 17.1, “Output from spectre-meltdown-checker”:

Partial output of spectre-meltdown-checker.sh
Figure 17.1: Output from spectre-meltdown-checker

spectre-meltdown-checker.sh --help lists all options. It is useful to pipe plain text output, with no colors, to a file:

# spectre-meltdown-checker.sh --no-color| tee filename.txt

The previous examples are on a running system, which is the default. You may also run spectre-meltdown-checker offline by specifying the paths to the kernel, config, and System.map files:

# cd /boot
# spectre-meltdown-checker.sh \
--no-color \
--kernel vmlinuz-4.12.14-lp151.28.13-default \
--config config-4.12.14-lp151.28.13-default \
--map System.map-4.12.14-lp151.28.13-default| tee filename.txt

Other useful options are:

--verbose, -v

Increase verbosity; repeat for more verbosity, for example -v -v -v


Print human-readable explanations

--batch [short] [json] [nrpe] [prometheus]

Format output in various machine-readable formats

Important: --disclaimer Option

spectre-meltdown-checker.sh --disclaimer provides important information about what the script does, and does not do.

17.2 Additional Information about Spectre/Meltdown

For more information, see the following references:

Print this page