Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
ContentsContents
Security and Hardening Guide
  1. Preface
  2. 1 Security and confidentiality
  3. 2 Common Criteria
  4. I Authentication
    1. 3 Authentication with PAM
    2. 4 Using NIS
    3. 5 Setting up authentication clients using YaST
    4. 6 LDAP with 389 Directory Server
    5. 7 Network authentication with Kerberos
    6. 8 Active Directory support
    7. 9 Setting up a freeRADIUS server
  5. II Local security
    1. 10 Physical security
    2. 11 Software management
    3. 12 File management
    4. 13 Encrypting partitions and files
    5. 14 Storage encryption for hosted applications with cryptctl
    6. 15 User management
    7. 16 Restricting cron and at
    8. 17 Spectre/Meltdown checker
    9. 18 Configuring security settings with YaST
    10. 19 Authorization with PolKit
    11. 20 Access control lists in Linux
    12. 21 Certificate store
    13. 22 Intrusion detection with AIDE
  6. III Network security
    1. 23 X Window System and X authentication
    2. 24 SSH: secure network operations
    3. 25 Masquerading and firewalls
    4. 26 Configuring a VPN server
    5. 27 Managing a PKI with XCA, X certificate and key manager
    6. 28 Improving network security with sysctl variables
    7. 29 Enabling FIPS 140-2
  7. IV Confining privileges with AppArmor
    1. 30 Introducing AppArmor
    2. 31 Getting started
    3. 32 Immunizing programs
    4. 33 Profile components and syntax
    5. 34 AppArmor profile repositories
    6. 35 Building and managing profiles with YaST
    7. 36 Building profiles from the command line
    8. 37 Profiling your Web applications using ChangeHat
    9. 38 Confining users with pam_apparmor
    10. 39 Managing profiled applications
    11. 40 Support
    12. 41 AppArmor glossary
  8. V SELinux
    1. 42 Configuring SELinux
  9. VI The Linux Audit Framework
    1. 43 Understanding Linux audit
    2. 44 Setting up the Linux audit framework
    3. 45 Introducing an audit rule set
    4. 46 Useful resources
  10. A Achieving PCI DSS compliance
  11. B GNU licenses
Navigation
Applies to SUSE Linux Enterprise Server 15 SP3

17 Spectre/Meltdown checker

spectre-meltdown-checker is a shell script to test if your system is vulnerable to the several speculative execution vulnerabilities that are in nearly all CPUs manufactured in the past 20 years. This is a hardware flaw that potentially allows an attacker to read all data on the system. On cloud computing services, where multiple virtual machines are on a single physical host, an attacker can gain access to all virtual machines. Fixing these vulnerabilities requires redesigning and replacing CPUs. Until this happens, there are several software patches that mitigate these vulnerabilities. If you have kept your SUSE systems updated, all of these patches should already be installed.

spectre-meltdown-checker generates a detailed report. It is impossible to guarantee that your system is secure, but it shows you which mitigations are in place, and potential vulnerabilities.

17.1 Using spectre-meltdown-checker

Install the script, and then run it as root without any options:

root # zypper in spectre-meltdown-checker
root # spectre-meltdown-checker.sh

You will see colorful output like Figure 17.1, “Output from spectre-meltdown-checker”:

Partial output of spectre-meltdown-checker.sh
Figure 17.1: Output from spectre-meltdown-checker

spectre-meltdown-checker.sh --help lists all options. It is useful to pipe plain text output, with no colors, to a file:

root # spectre-meltdown-checker.sh --no-color| tee filename.txt

The previous examples are on a running system, which is the default. You may also run spectre-meltdown-checker offline by specifying the paths to the kernel, config, and System.map files:

root # cd /boot
root # spectre-meltdown-checker.sh \
--no-color \
--kernel vmlinuz-4.12.14-lp151.28.13-default \
--config config-4.12.14-lp151.28.13-default \
--map System.map-4.12.14-lp151.28.13-default| tee filename.txt

Other useful options are:

--verbose, -v

Increase verbosity; repeat for more verbosity, for example -v -v -v

--explain

Print human-readable explanations

--batch [short] [json] [nrpe] [prometheus]

Format output in various machine-readable formats

Important
Important: --disclaimer option

spectre-meltdown-checker.sh --disclaimer provides important information about what the script does, and does not do.

17.2 More information

For more information, see the following references:

Print this page