Squashed commit of the following:
commitdb23167246
Author: Benoît S <bserie@evolix.fr> Date: Thu Jun 28 11:48:22 2018 +0200 Add a check for kernel config file commitae1ec7b2b9
Author: Benoît S <bserie@evolix.fr> Date: Wed Jun 27 18:01:07 2018 +0200 Redo the jessie part commit62b61aabf1
Author: Benoît S <bserie@evolix.fr> Date: Wed Jun 27 17:49:44 2018 +0200 Well... For Stretch use only /sys/devices/system/cpu/vulnerabilities/ commit33b19090e6
Author: Benoît S <bserie@evolix.fr> Date: Wed Jun 27 17:45:11 2018 +0200 Add check for spectre v2 commit3451218a16
Author: Benoît S <bserie@evolix.fr> Date: Wed Jun 27 17:33:24 2018 +0200 Do not use the BOOT_IMAGE trick commitee60e28a5a
Author: Benoît S <bserie@evolix.fr> Date: Wed Jun 27 17:30:18 2018 +0200 We cannot rely on dmesg commit57bd4312ce
Author: Benoît.S <benpro@benpro.fr> Date: Thu Jan 11 14:46:46 2018 +0100 Breakline indentation commitd2278292cc
Author: Benoît.S <benpro@benpro.fr> Date: Thu Jan 11 14:45:12 2018 +0100 Different test for Jessie kernel commit1418d4306e
Author: Benoît.S <benpro@benpro.fr> Date: Thu Jan 11 11:52:43 2018 +0100 Modified Meltdown check to handle kaiser and pti commit2c6d075e2a
Author: Benoît.S <benpro@benpro.fr> Date: Thu Jan 11 11:24:42 2018 +0100 Add IS_MELTDOWN We check kaiser flags in /proc/cpuinfo and CONFIG_PAGE_TABLE_ISOLATION in kernel config file.
parent
5f19fbdf65
commit
8e2741dd99
23
evocheck.sh
23
evocheck.sh
|
@ -105,6 +105,7 @@ IS_EVOLIX_USER=1
|
|||
IS_EVOACME_CRON=1
|
||||
IS_EVOACME_LIVELINKS=1
|
||||
IS_APACHE_CONFENABLED=1
|
||||
IS_MELTDOWN_SPECTRE=1
|
||||
|
||||
#Proper to OpenBSD
|
||||
IS_SOFTDEP=1
|
||||
|
@ -804,6 +805,28 @@ if [ -e /etc/debian_version ]; then
|
|||
grep -q 'Include conf.d' /etc/apache2/apache2.conf && \
|
||||
echo 'IS_APACHE_CONFENABLED FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
|
||||
# For Stretch, detection is easy as the kernel use
|
||||
# /sys/devices/system/cpu/vulnerabilities/
|
||||
if is_debianversion stretch; then
|
||||
for vuln in meltdown spectre_v1 spectre_v2; do
|
||||
test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||
done
|
||||
# For Jessie this is quite complicated to verify and we need to use kernel config file
|
||||
elif is_debianversion jessie; then
|
||||
if grep -q BOOT_IMAGE= /proc/cmdline; then
|
||||
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
|
||||
kernelVer=${kernelPath##*/vmlinuz-}
|
||||
kernelConfig="config-${kernelVer}"
|
||||
# Sometimes autodetection of kernel config file fail, so we test if the file really exists.
|
||||
if [ -f /boot/$kernelConfig ]; then
|
||||
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||
grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
|
|
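Review bot: The Stretch branch only tests that each file under /sys/devices/system/cpu/vulnerabilities/ exists, so the check still passes on a host whose kernel reports `Vulnerable` in that file. The kernel writes `Not affected`, `Vulnerable…` or `Mitigation: …` there, so the loop body should read the content instead: `grep -sEq '^(Not affected|Mitigation:)' "/sys/devices/system/cpu/vulnerabilities/$vuln" || echo 'IS_MELTDOWN_SPECTRE FAILED!'`, which also still fails when the file is missing. The Jessie branch has a related gap: when `BOOT_IMAGE=` is absent from /proc/cmdline or `/boot/$kernelConfig` does not exist, nothing is printed, so a host that could not be verified looks the same as one that passed; an `else` branch that echoes the failure would make that visible. Note also that the `CONFIG_PAGE_TABLE_ISOLATION` and `CONFIG_RETPOLINE` greps show what was compiled in, not necessarily what is active at runtime. The enclosing `if [ -e /etc/debian_version ]` block starts outside the hunk.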