
Comments (7)

kamal2222ahmed commented on May 24, 2024

This was run on an ec2 instance

from inspec-meltdownspectre.

aaronlippold commented on May 24, 2024

you have to run it with --sudo

from inspec-meltdownspectre.

aaronlippold commented on May 24, 2024

inspec exec inspec-meltdownspectre --sudo -t ssh://[email protected] -i ~/goldk.pem

from inspec-meltdownspectre.

kamal2222ahmed commented on May 24, 2024

I tried with --sudo:
$ git pull origin master
From https://github.com/vibrato/inspec-meltdownspectre


Now just to confirm, if inspec is working on this RHEL 7.4 host

I cloned the inspec repo

$ git remote -v
origin https://github.com/chef/inspec (fetch)
origin https://github.com/chef/inspec (push)

$ inspec check examples/profile
Location: examples/profile
Profile: profile
Controls: 4
Timestamp: 2018-01-28T05:15:47+00:00
Valid: true

No errors or warnings

from inspec-meltdownspectre.

kamal2222ahmed commented on May 24, 2024

Adding to the above:

$ inspec exec inspec-meltdownspectre --sudo -t ssh://[email protected] -i ~/goldk.pem
Could not fetch inspec profile in "inspec-meltdownspectre".
$ cd ..
$ inspec exec inspec-meltdownspectre --sudo -t ssh://[email protected] -i ~/goldk.pem

Profile: Meltdown and Spectre Exploit Check (meltdownspectre)
Version: 0.1.0
Target: ssh://[email protected]:22

× Meltdown and Spectre Vulnerability Check (Linux): Linux Patch status for Meltdown and Spectre vulnerabilities (expected "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 62\nmodel name\t: Intel(R) Xe...4\ncache_alignment\t: 64\naddress sizes\t: 46 bits physical, 48 bits virtual\npower management:\n\n" to match /^bugs\s+:.*\bcpu_insecure\b/
Diff:
@@ -1,2 +1,104 @@
-/^bugs\s+:.*\bcpu_insecure\b/
+processor : 0
+vendor_id : GenuineIntel
+cpu family : 6
+model : 62
+model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz
+stepping : 4
+microcode : 0x42a
+cpu MHz : 2500.071
+cache size : 25600 KB
+physical id : 0
+siblings : 4
+core id : 0
+cpu cores : 2
+apicid : 0
+initial apicid : 0
+fpu : yes
+fpu_exception : yes
+cpuid level : 13
+wp : yes
+flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt
+bogomips : 5000.07
+clflush size : 64
+cache_alignment : 64
+address sizes : 46 bits physical, 48 bits virtual
+power management:
+
+processor : 1
+vendor_id : GenuineIntel
+cpu family : 6
+model : 62
+model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz
+stepping : 4
+microcode : 0x42a
+cpu MHz : 2500.071
+cache size : 25600 KB
+physical id : 0
+siblings : 4
+core id : 1
+cpu cores : 2
+apicid : 2
+initial apicid : 2
+fpu : yes
+fpu_exception : yes
+cpuid level : 13
+wp : yes
+flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt
+bogomips : 5000.07
+clflush size : 64
+cache_alignment : 64
+address sizes : 46 bits physical, 48 bits virtual
+power management:
+
+processor : 2
+vendor_id : GenuineIntel
+cpu family : 6
+model : 62
+model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz
+stepping : 4
+microcode : 0x42a
+cpu MHz : 2500.071
+cache size : 25600 KB
+physical id : 0
+siblings : 4
+core id : 0
+cpu cores : 2
+apicid : 1
+initial apicid : 1
+fpu : yes
+fpu_exception : yes
+cpuid level : 13
+wp : yes
+flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt
+bogomips : 5000.07
+clflush size : 64
+cache_alignment : 64
+address sizes : 46 bits physical, 48 bits virtual
+power management:
+
+processor : 3
+vendor_id : GenuineIntel
+cpu family : 6
+model : 62
+model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz
+stepping : 4
+microcode : 0x42a
+cpu MHz : 2500.071
+cache size : 25600 KB
+physical id : 0
+siblings : 4
+core id : 1
+cpu cores : 2
+apicid : 3
+initial apicid : 3
+fpu : yes
+fpu_exception : yes
+cpuid level : 13
+wp : yes
+flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt
+bogomips : 5000.07
+clflush size : 64
+cache_alignment : 64
+address sizes : 46 bits physical, 48 bits virtual
+power management:
)
× File /proc/cpuinfo content should match /^bugs\s+:.*\bcpu_insecure\b/
expected "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 62\nmodel name\t: Intel(R) Xe...4\ncache_alignment\t: 64\naddress sizes\t: 46 bits physical, 48 bits virtual\npower management:\n\n" to match /^bugs\s+:.*\bcpu_insecure\b/

⺠Meltdown and Spectre Vulnerability Check (Windows): Windows Patch status for Meltdown and Spectre vulnerabilities
⺠Skipped control due to only_if condition.

Profile Summary: 0 successful controls, 1 control failure, 1 control skipped
Test Summary: 0 successful, 1 failure, 1 skipped

from inspec-meltdownspectre.

chrisfowles commented on May 24, 2024

Hi @kamal2222ahmed

What's your expected behavior here?

Your output is not a stack trace, and is showing the expected output for an un-patched OS.

The test is checking for the cpu_insecure bug flag in cpuinfo - this doesn't appear to be set on your host; hence the test failure.

Let me know if I'm missing something here.

Cheers

from inspec-meltdownspectre.

kamal2222ahmed commented on May 24, 2024

Chris, I now understand what you are referring to. Just a few observations as to the readability of the output generated:

  1. At first pass it's not evident that expected is compared with actual
  2. Not sure why the diff is being printed
  3. I have checked /proc/cpuinfo in a bunch of Amazon EC2 instances, and the cpu_insecure flag is not set, and it's literally impossible to set it in thousands of machines, due to the ephemeral nature of the machines in the cloud, e.g. Auto Scaling Groups, etc.
  4. I actually expected to know if this host has all 3 variants of Meltdown and Spectre
  5. Some color coding would help (green is ok)
  6. When you print Test Summary: 0 successful, 1 failure, 1 skipped, so why do you skip a test and what failed? Shouldn't there be 3 tests for three variants?
  7. cpu_insecure seems to be a requirement; if not there, don't even bother to run anything, just exit
  8. Imagine 20 CPUs: the expected output would go on for some time, not quite readable.

Hope this helps
Thanks.

from inspec-meltdownspectre.
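
The check discussed in the comments above, reduced to plain Ruby as an added example (it is not part of the thread or of the inspec-meltdownspectre profile): it applies the pattern from the failure message per processor and returns one summary line per status instead of the whole file, separating a host that prints no `bugs` line at all (the case in the pasted output) from one whose `bugs` line lacks `cpu_insecure`. The function names and the sample cpuinfo text are constructed for illustration.

```ruby
# Added example, not code from the inspec-meltdownspectre profile.
# BUG_PATTERN is the regex shown in the failure message above.
BUG_PATTERN = /^bugs\s+:.*\bcpu_insecure\b/

# Split /proc/cpuinfo text into one Hash of "key" => "value" per processor.
def parse_cpuinfo(text)
  blocks = text.split(/\n\s*\n/).map do |block|
    block.each_line.each_with_object({}) do |line, cpu|
      key, value = line.split(':', 2)
      next if value.nil?            # line without a "key : value" shape
      cpu[key.strip] = value.strip
    end
  end
  blocks.reject(&:empty?)
end

# Classify each processor:
#   :flagged      - bugs line lists cpu_insecure
#   :not_flagged  - bugs line present, cpu_insecure absent
#   :no_bugs_line - the kernel prints no bugs line for this processor
def bug_status(text)
  parse_cpuinfo(text).each_with_object({}) do |cpu, out|
    bugs = cpu['bugs']
    out[cpu['processor'].to_i] =
      if bugs.nil? then :no_bugs_line
      elsif bugs.match?(/\bcpu_insecure\b/) then :flagged
      else :not_flagged
      end
  end
end

# One line per distinct status, however many processors the host has.
def summarize(text)
  bug_status(text).group_by { |_, status| status }.map do |status, cpus|
    "#{status}: processors #{cpus.map(&:first).join(',')}"
  end
end

# Constructed sample inputs, trimmed to the relevant fields.
NO_BUGS = "processor\t: 0\nflags\t\t: fpu vme\n\nprocessor\t: 1\nflags\t\t: fpu vme\n"
FLAGGED = "processor\t: 0\nflags\t\t: fpu vme\nbugs\t\t: cpu_insecure\n"

if __FILE__ == $PROGRAM_NAME
  puts summarize(NO_BUGS)
  puts summarize(FLAGGED)
  puts "profile regex matches FLAGGED: #{FLAGGED.match?(BUG_PATTERN)}"
end
```
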
