vibrato / inspec-meltdownspectre

Inspec profile to test for the presence of the Meltdown/Spectre vulnerabilities
https://supermarket.chef.io/tools/inspec-meltdownspectre
MIT License

inspec exec failed for Red Hat Enterprise Server 7.4 #7

Open kamal2222ahmed opened 6 years ago

kamal2222ahmed commented 6 years ago

Here is the error trace, with run on stdout:

inspec exec inspec-meltdownspectre -t ssh://ec2-user@127.0.0.1 -i ~/goldk.pem

Profile: Meltdown and Spectre Exploit Check (meltdownspectre)
Version: 0.1.0
Target: ssh://ec2-user@127.0.0.1:22

× Meltdown and Spectre Vulnerability Check (Linux): Linux Patch status for Meltdown and Spectre vulnerabilities (expected "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 62\nmodel name\t: Intel(R) Xe...4\ncache_alignment\t: 64\naddress sizes\t: 46 bits physical, 48 bits virtual\npower management:\n\n" to match /^bugs\s+:.*\bcpu_insecure\b/ Diff: 
@@ -1,2 +1,104 @@ -/^bugs\s+:.\bcpu_insecure\b/ +processor : 0 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x428 +cpu MHz : 2499.917 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 0 +cpu cores : 2 +apicid : 0 +initial apicid : 0 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 1 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x428 +cpu MHz : 2499.917 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 1 +cpu cores : 2 +apicid : 2 +initial apicid : 2 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 2 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x428 +cpu MHz : 2499.917 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 0 +cpu cores : 2 +apicid : 1 +initial apicid : 1 +fpu : yes +fpu_exception : yes 
+cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 3 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x428 +cpu MHz : 2499.917 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 1 +cpu cores : 2 +apicid : 3 +initial apicid : 3 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: )
× File /proc/cpuinfo content should match /^bugs\s+:.*\bcpu_insecure\b/ expected "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 62\nmodel name\t: Intel(R) Xe...4\ncache_alignment\t: 64\naddress sizes\t: 46 bits physical, 48 bits virtual\npower management:\n\n" to match /^bugs\s+:.*\bcpu_insecure\b/ Diff: 
@@ -1,2 +1,104 @@ -/^bugs\s+:.*\bcpu_insecure\b/ +processor : 0 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x428 +cpu MHz : 2499.917 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 0 +cpu cores : 2 +apicid : 0 +initial apicid : 0 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 1 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x428 +cpu MHz : 2499.917 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 1 +cpu cores : 2 +apicid : 2 +initial apicid : 2 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 2 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x428 +cpu MHz : 2499.917 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 0 +cpu cores : 2 +apicid : 1 +initial apicid : 1 +fpu : yes +fpu_exception : yes 
+cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 3 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x428 +cpu MHz : 2499.917 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 1 +cpu cores : 2 +apicid : 3 +initial apicid : 3 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management:

↺ Meltdown and Spectre Vulnerability Check (Windows): Windows Patch status for Meltdown and Spectre vulnerabilities
↺ Skipped control due to only_if condition.

Profile Summary: 0 successful controls, 1 control failure, 1 control skipped
Test Summary: 0 successful, 1 failure, 1 skipped

kamal2222ahmed commented 6 years ago

This was run on an EC2 instance.

aaronlippold commented 6 years ago

You have to run it with --sudo.

aaronlippold commented 6 years ago

inspec exec inspec-meltdownspectre --sudo -t ssh://ec2-user@127.0.0.1 -i ~/goldk.pem

kamal2222ahmed commented 6 years ago

I tried with --sudo:

$ git pull origin master
From https://github.com/vibrato/inspec-meltdownspectre

I cloned the inspec repo

$ git remote -v
origin https://github.com/chef/inspec (fetch)
origin https://github.com/chef/inspec (push)

$ inspec check examples/profile
Location: examples/profile
Profile: profile
Controls: 4
Timestamp: 2018-01-28T05:15:47+00:00
Valid: true

No errors or warnings

kamal2222ahmed commented 6 years ago

Adding to the above:

$ inspec exec inspec-meltdownspectre --sudo -t ssh://ec2-user@127.0.0.1 -i ~/goldk.pem
Could not fetch inspec profile in "inspec-meltdownspectre".
$ cd ..
$ inspec exec inspec-meltdownspectre --sudo -t ssh://ec2-user@127.0.0.1 -i ~/goldk.pem

Profile: Meltdown and Spectre Exploit Check (meltdownspectre)
Version: 0.1.0
Target: ssh://ec2-user@127.0.0.1:22

× Meltdown and Spectre Vulnerability Check (Linux): Linux Patch status for Meltdown and Spectre vulnerabilities (expected "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 62\nmodel name\t: Intel(R) Xe...4\ncache_alignment\t: 64\naddress sizes\t: 46 bits physical, 48 bits virtual\npower management:\n\n" to match /^bugs\s+:.*\bcpu_insecure\b/ Diff: 
@@ -1,2 +1,104 @@ -/^bugs\s+:.\bcpu_insecure\b/ +processor : 0 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x42a +cpu MHz : 2500.071 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 0 +cpu cores : 2 +apicid : 0 +initial apicid : 0 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 1 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x42a +cpu MHz : 2500.071 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 1 +cpu cores : 2 +apicid : 2 +initial apicid : 2 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 2 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x42a +cpu MHz : 2500.071 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 0 +cpu cores : 2 +apicid : 1 +initial apicid : 1 +fpu : yes +fpu_exception : yes 
+cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 3 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x42a +cpu MHz : 2500.071 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 1 +cpu cores : 2 +apicid : 3 +initial apicid : 3 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: )
× File /proc/cpuinfo content should match /^bugs\s+:.*\bcpu_insecure\b/ expected "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 62\nmodel name\t: Intel(R) Xe...4\ncache_alignment\t: 64\naddress sizes\t: 46 bits physical, 48 bits virtual\npower management:\n\n" to match /^bugs\s+:.*\bcpu_insecure\b/ Diff: 
@@ -1,2 +1,104 @@ -/^bugs\s+:.*\bcpu_insecure\b/ +processor : 0 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x42a +cpu MHz : 2500.071 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 0 +cpu cores : 2 +apicid : 0 +initial apicid : 0 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 1 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x42a +cpu MHz : 2500.071 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 1 +cpu cores : 2 +apicid : 2 +initial apicid : 2 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 2 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x42a +cpu MHz : 2500.071 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 0 +cpu cores : 2 +apicid : 1 +initial apicid : 1 +fpu : yes +fpu_exception : yes 
+cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management: + +processor : 3 +vendor_id : GenuineIntel +cpu family : 6 +model : 62 +model name : Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz +stepping : 4 +microcode : 0x42a +cpu MHz : 2500.071 +cache size : 25600 KB +physical id : 0 +siblings : 4 +core id : 1 +cpu cores : 2 +apicid : 3 +initial apicid : 3 +fpu : yes +fpu_exception : yes +cpuid level : 13 +wp : yes +flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase smep erms xsaveopt +bogomips : 5000.07 +clflush size : 64 +cache_alignment : 64 +address sizes : 46 bits physical, 48 bits virtual +power management:

↺ Meltdown and Spectre Vulnerability Check (Windows): Windows Patch status for Meltdown and Spectre vulnerabilities
↺ Skipped control due to only_if condition.

Profile Summary: 0 successful controls, 1 control failure, 1 control skipped
Test Summary: 0 successful, 1 failure, 1 skipped

chrisfowles commented 6 years ago

Hi @kamal2222ahmed

What's your expected behavior here?

Your output is not a stack trace, and is showing the expected output for an un-patched OS.

The test is checking for the cpu_insecure bug flag in cpuinfo - this doesn't appear to be set on your host; hence the test failure.

Let me know if I'm missing something here.

Cheers

kamal2222ahmed commented 6 years ago

Chris, I now understand what you are referring to. Just a few observations as to the readability of the output generated:

  1. At first pass it's not evident that expected is compared with actual
  2. Not sure why the diff is being printed
  3. I have checked /proc/cpuinfo in a bunch of Amazon EC2 instances, and the cpu_insecure flag is not set, and it's literally impossible to set it in thousands of machines, due to the ephemeral nature of the machines in the cloud, e.g. Auto Scaling Groups, etc.
  4. I actually expected to know if this host has all 3 variants of Meltdown and Spectre
  5. Some color coding would help (green is ok)
  6. When you print Test Summary: 0 successful, 1 failure, 1 skipped, so why do you skip a test and what failed? Shouldn't there be 3 tests for three variants?
  7. cpu_insecure seems to be a requirement, if not there don't even bother to run anything, just exit
  8. Imagine 20 CPUs the expected output would go on for some time, not quite readable.

Hope this helps. Thanks.
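
The check described in this thread, applied per CPU, as an added example that is not part of the issue or the profile's own code: it uses the regex from the failure output and reports whether the "bugs" line is missing entirely or present without the flag, instead of dumping the whole file. The helper names and both cpuinfo samples are constructed for illustration.

```ruby
# Added example, not the profile's code. BUG_FLAG_RE is the pattern shown in the
# failure output; the helper names and both samples are constructed here.
BUG_FLAG_RE = /^bugs\s+:.*\bcpu_insecure\b/

# Constructed sample: two CPUs with fields seen in the thread, no "bugs" line.
SAMPLE_FROM_THREAD = <<~CPUINFO
  processor\t: 0
  microcode\t: 0x428
  flags\t\t: fpu vme de pse
  power management:

  processor\t: 1
  microcode\t: 0x428
  flags\t\t: fpu vme de pse
  power management:
CPUINFO

# Constructed sample: one CPU whose kernel reports the flag the profile expects.
SAMPLE_WITH_FLAG = <<~CPUINFO
  processor\t: 0
  flags\t\t: fpu vme de pse
  bugs\t\t: cpu_insecure
CPUINFO

# Split /proc/cpuinfo text into one field hash per logical CPU.
def parse_cpuinfo(text)
  blocks = text.split(/\n\s*\n/).map do |block|
    block.each_line.each_with_object({}) do |line, fields|
      key, value = line.split(':', 2)
      fields[key.strip] = value.strip unless value.nil?
    end
  end
  blocks.reject(&:empty?)
end

# One short status per CPU: no "bugs" line at all, flag present, or flag absent.
def cpu_bug_status(text)
  parse_cpuinfo(text).map do |cpu|
    status = if !cpu.key?('bugs') then :no_bugs_line
             elsif cpu['bugs'].split.include?('cpu_insecure') then :flag_present
             else :flag_absent
             end
    { processor: cpu['processor'], microcode: cpu['microcode'], status: status }
  end
end

# Count CPUs per status, so 20 CPUs still produce a one-line result.
def summary(text)
  cpu_bug_status(text).group_by { |cpu| cpu[:status] }.transform_values(&:size)
end

puts summary(SAMPLE_FROM_THREAD).inspect, summary(SAMPLE_WITH_FLAG).inspect
```

A host that returns only no_bugs_line is running a kernel that does not expose a "bugs" field in /proc/cpuinfo at all, which is the case the regex match in the thread cannot distinguish from a missing flag.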