OL 8 must not let Meltdown and Spectre exploit critical vulnerabilities in modern processors.

STIG ID: OL08-00-010424  |  SRG: SRG-OS-000480-GPOS-00227  |  Severity: medium  |  CCI: CCI-000366  |  Vulnerability Id: V-248593

Vulnerability Discussion

Hardware vulnerabilities allow programs to steal data that is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to obtain secrets stored in the memory of other running programs. This might include passwords stored in a password manager or browser; personal photos, emails, and instant messages; and business-critical documents.

Check

Determine the default kernel:

$ sudo grubby --default-kernel

/boot/vmlinuz-5.4.17-2011.1.2.el8uek.x86_64

Using the default kernel, verify that Meltdown mitigations are not disabled:

$ sudo grubby --info=/boot/vmlinuz-5.4.17-2011.1.2.el8uek.x86_64 | grep mitigations

If the "mitigations" parameter is set to "off", this is a finding.
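The check above, automated as a small POSIX shell script. This is an added example, not part of the STIG text: it parses the args="..." line that grubby --info prints for the default kernel and reports a finding only when the exact token mitigations=off is present (so values such as mitigations=auto do not trigger it). The sample args lines at the bottom are constructed for offline use, not output from a real host.

```shell
#!/bin/sh
# grubby_args_finding: given the args="..." line from `grubby --info=<kernel>`,
# return 0 when the kernel command line contains mitigations=off (a finding),
# 1 otherwise. Tokens are compared exactly, so mitigations=auto is not a finding.
grubby_args_finding() {
    args_line=$1
    # strip the leading args=" and the trailing " to get the bare command line
    args=$(printf '%s\n' "$args_line" | sed 's/^args="//; s/"$//')
    set -f                      # no glob expansion while splitting on whitespace
    for tok in $args; do
        if [ "$tok" = "mitigations=off" ]; then
            set +f
            return 0
        fi
    done
    set +f
    return 1
}

# check_default_kernel: run the OL08-00-010424 check against the live system.
# Returns 0 when compliant, 2 when a finding, 1 when grubby is not available.
check_default_kernel() {
    command -v grubby >/dev/null 2>&1 || { echo "grubby not found" >&2; return 1; }
    kernel=$(grubby --default-kernel) || return 1
    args_line=$(grubby --info="$kernel" | grep '^args=')
    if grubby_args_finding "$args_line"; then
        echo "FINDING: $kernel boots with mitigations=off"
        return 2
    fi
    echo "OK: $kernel does not disable CPU vulnerability mitigations"
    return 0
}

# Constructed sample lines (not captured from a real system) for offline testing.
SAMPLE_OK='args="ro crashkernel=auto resume=/dev/mapper/ol-swap rd.lvm.lv=ol/root rhgb quiet"'
SAMPLE_FINDING='args="ro crashkernel=auto rhgb quiet mitigations=off"'
SAMPLE_AUTO='args="ro crashkernel=auto rhgb quiet mitigations=auto"'
```

Run check_default_kernel as root (grubby needs to read the boot loader configuration); a return status of 2 maps directly to "this is a finding" in the STIG wording.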

Fix

Determine the default kernel:

$ sudo grubby --default-kernel

/boot/vmlinuz-5.4.17-2011.1.2.el8uek.x86_64

Using the default kernel, remove the argument that sets the Meltdown mitigations to "off":

$ sudo grubby --update-kernel=/boot/vmlinuz-5.4.17-2011.1.2.el8uek.x86_64 --remove-args=mitigations=off

Reboot the system for the change to take effect.