mir/Hardware-and-Firmware-Security-Guidance
2
0
Fork 0
mirror of https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance synced 2025-08-22 01:57:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Hardware-and-Firmware-Secur.../verification
History
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973 ec50b224be
Update README.md 
Added more info. Update might be finished now.
2019-06-13 18:32:33 -04:00
..
windows
restructure verification
2018-02-15 14:14:19 -05:00
README.md
Update README.md
2019-06-13 18:32:33 -04:00

README.md

Verification

Verification of mitigations is currently being developed for operating systems and applications.

1. Windows

Verification of Windows operating system and application mitigations are being developed as custom Nessus audit files. Custom audit files can be leveraged by using a Policy Compliance scan in Nessus. DoD components can acquire Nessus via the ACAS program.

See the Windows page for more information.

1.1 PowerShell

Microsoft has introduced a PowerShell module that reports on a system's vulnerability to several variants of Spectre and Meltdown. Color-coded, true or false output is returned. The presence of mitigations in BIOS/UEFI firmware and the Windows OS kernel are indicated. The tool also provides suggested actions if a missing mitigation is detected. Use the following commands from an administrator-elevated PowerShell terminal:

Install-Module SpeculationControl

Import-Module SpeculationControl

Get-SpeculationControlSettings

For more specifics, see the bottom section of this Microsoft information post.

1.2 Products

Products from Eclypsium and Tenable are known to report on the status of Spectre and Meltdown vulnerability and mitigations. Other anti-malware, firmware inspection, and intrusion detection products may also offer detection capabilities -- consult with the software vendor to confirm.

1.3 Open Source Scripts

2. Linux

2.1 Terminal Commands

2.1.1 Red Hat and Ubuntu

Kernel page tablet isolation is an indicator of Spectre and Meltdown patch application. Use the following command to query the status of isolation on Red Hat Enterprise Linux (RHEL) and Ubuntu devices:

cat /boot/config-3.10.0-957.12.2.el7.x86_64 | grep CONFIG_PAGE_TABLE_ISOLATION

Y indicates that patching is compiled into the kernel. N indicates that software vulnerability may exist.

2.1.2 Red Hat Only

Red Hat Enterprise Linux (RHEL) provides a package and script for checking the status of multiple Spectre and Meltdown variants. Full instructions and download of the tool requires a Red Hat support contract. See the Red Hat website for details.

2.1.3 Ubuntu Only

Ubuntu provides a package named "spectre-meltdown-checker" that can be downloaded, installed, and executed on an endpoint. After installing the package, simply execute the following from a terminal:

spectre-meltdown-checker

2.2 Products

Products from Eclypsium and Tenable are known to report on the status of Spectre and Meltdown vulnerability and mitigations. Other anti-malware, firmware inspection, and intrusion detection products may also offer detection capabilities -- consult with the software vendor to confirm.

2.3 Open Source Scripts

3. Mac OS

Check the current version of Mac OS. The version number must be at least 10.13.2.

4. iOS

Check the current version of iOS. The version number must be at least 11.2.

5. Android

Check the current security patch level. The version must be 2018-01-05 or newer.