d96093171a
verbose: add PCID check for performance impact of PTI
2018-01-14 17:18:34 +01:00
dcc4488340
Merge pull request #80 from speed47/cpuid_spec_ctrl
...
v0.30, cpuid spec ctrl and other enhancements
2018-01-14 16:48:02 +01:00
32e3fe6c07
bump to v0.30 to reflect changes
2018-01-14 16:45:59 +01:00
71213c11b3
ibrs: check for spec_ctrl_ibrs in cpuinfo
2018-01-14 16:36:51 +01:00
2964c4ab44
add support for NixOS kernel
...
this removes the need to specify the kernel version manually on NixOS
2018-01-14 16:18:29 +01:00
749f432d32
also check for spec_ctrl flag in cpuinfo
2018-01-14 15:47:51 +01:00
a422b53d7c
also check for cpuinfo flag
2018-01-14 15:47:51 +01:00
c483a2cf60
check spec_ctrl support using cpuid
2018-01-14 15:47:51 +01:00
dead0054a4
fix: proper detail msg in vuln status
2018-01-14 15:47:22 +01:00
e5e4851d72
proper return codes regardless of the batch mode
2018-01-14 14:24:31 +01:00
7f92717a2c
add info about accuracy when missing kernel files
2018-01-13 13:59:17 +01:00
b47d505689
AMD now vuln to variant2 (as per their stmt)
2018-01-13 13:35:31 +01:00
4a2d051285
minor is_cpu_vulnerable() changes ( #71 )
...
* correct is_cpu_vulnerable() comment
As far as I can tell, the function and usage are correct for the comment
to be inverted.
Add a clarifying note as to why the value choice makes sense.
* exit on invalid varient
If this happens, it's a bug in the script. None of the calling code
checks for status 255, so don't let a scripting bug cause a false
negative.
* no need to set vulnerable CPUs
According to comment above this code:
'by default, everything is vulnerable, we work in a "whitelist" logic here.'
2018-01-13 13:16:37 +01:00
f3551b9734
Only show the name of the script, not the full path ( #72 )
2018-01-13 13:14:19 +01:00
45b98e125f
fix some typos ( #73 )
2018-01-13 13:13:40 +01:00
dce917bfbb
add --version, bump to v0.28
2018-01-12 19:10:44 +01:00
8f18f53aba
add cpu model in output
2018-01-12 19:08:12 +01:00
8bd093173d
Fixed a few spelling errors ( #60 )
2018-01-12 11:46:36 +01:00
bfe5a3b840
add some debug
2018-01-12 10:53:19 +01:00
6a0242eea3
bump to v0.27
2018-01-11 15:36:41 +01:00
bc4e39038a
fix(opcodes): fix regression introduced in previous commit
...
We were saying unknown instead of vulnerable when the count of lfence opcodes was low
This was not impacting batch mode or the final decision, just the human-readable output of the script.
2018-01-11 15:35:57 +01:00
62f8ed6f61
adding support for new /sys interface ( #55 )
...
* adding support for new /sys interface
* fix(objdump): prefer -d instead of -D, some kernels crash objdump otherwise
2018-01-11 12:23:16 +01:00
52a8f78885
send warning to stderr. ( #53 )
...
With --batch json there must not be any other output on stdout, so redirect warnings to stderr will show the warning on the console and only the json output is on stdout.
2018-01-11 09:55:43 +01:00
a09a5ba38f
bump to v0.25 to reflect changes
2018-01-11 09:08:29 +01:00
5a7d8d7edf
Produce JSON output formatted for Puppet, Ansible, Chef... ( #50 )
...
Produce JSON output formatted for Puppet, Ansible, Chef...
2018-01-11 09:04:13 +01:00
49fdc6c449
Merge pull request #51 from cowanml/file_read_check_fixup
...
fixed file read test
2018-01-10 21:39:09 +01:00
af3de2a862
fixed file read test
2018-01-10 15:17:14 -05:00
c6e1b0ac8a
feat(kernel): add support for LZ4 decompression
2018-01-10 20:10:57 +01:00
eb0ebef5a8
fix(opensuse): add specific location for ibrs_enabled file
2018-01-10 17:40:33 +01:00
a658de2f01
fix(kernel): fix detection for separate /boot partitions
2018-01-10 16:27:16 +01:00
8ed1f5e3af
feat(kernel): check the BOOT_IMAGE info from cmdline before trying the default names
2018-01-10 15:46:29 +01:00
ffc542eb82
bump to v0.23 to reflect changes
2018-01-10 15:25:55 +01:00
74bc7ba637
add --variant to specify what check we want to run
2018-01-10 15:22:30 +01:00
59fe8c2ad8
Error on unknown batch format
2018-01-10 13:57:10 +00:00
7c11d07865
Stray tab
2018-01-10 11:59:33 +00:00
7c5cfbb8c3
batch nrpe
2018-01-10 11:57:45 +00:00
381038eceb
NRPE mode
2018-01-10 11:18:45 +00:00
d6e4aa43f0
Merge pull request #37 from deufrai/better-dmesg-support
...
Improve PTI detection
2018-01-09 19:52:45 +01:00
e5e09384f0
typofix
2018-01-09 18:54:35 +01:00
7222367f04
add disclaimer and bump to 0.21
2018-01-09 18:52:21 +01:00
ab512687cf
Merge pull request #38 from Alkorin/fixARM
...
Fix ARM checks
2018-01-09 18:47:25 +01:00
335439dee0
Fix small typo in error message
2018-01-09 18:44:15 +01:00
45297b6f7d
Fix ARM checks
2018-01-09 18:41:48 +01:00
a7b14306d5
Improve PTI detection even more
...
when PTI detection relies on dmesg, dmesg output is checked first
then /var/log/dmesg if dmesg output lacks boot time messages
2018-01-09 18:26:32 +01:00
608952ff71
Improve PTI detection
...
In case of a busy or misconfigured server, kernel message buffer loop
can be filled with messages broadcasted later than boot time. So dmesg
command wont return boot time messages.
Grepping /var/log/dmesg fixes it and this log file location semms pretty
standard across many common distros
2018-01-09 18:17:39 +01:00
1c3d349667
Merge pull request #31 from Feandil/batch
...
Add a "batch" and "verbose" mode
2018-01-09 18:12:39 +01:00
b93b13263d
fix(pti): remove escapes since we use grep -E now
2018-01-09 16:01:44 +01:00
ad342cab06
Introduce "verbose" and "batch" modes
...
Rewrite the way the output is processed:
- Define verbosity level (currently warn, info (default) & verbose)
- Add a batch mode, for simple machine parsing
2018-01-09 15:58:13 +01:00
5fd85e288b
No-color: interpret string (-e) to be able to mach \x1B
2018-01-09 15:57:10 +01:00
322f4efc8f
fix broken logic of 68961f9, increment version to 0.20
2018-01-09 14:55:12 +01:00
Stéphane Lesimple
Andreas Rammhold
Corey Hickey
Sylvestre Ledru
M. Willis Monroe
Tobias Rüetschi
Abdoul Bah
Matt Cowan
Marcus Downing
Alkorin
Frederic CORNU
Vincent Brillault