Question
What is the best way of mitigating security vulnerabilities on static compute resources?
Environment
CentOS 6/7 compute resources
Answer
The recommended approach is to load the updated CPU microcode at an early stage of boot, by handing the kernel a separate microcode initrd ahead of the regular initramfs. Microcode updates are the CPU vendor's fix for vulnerabilities in the processor itself, and several of them only take effect when the kernel sees the new CPU features at boot time, before it initialises its own mitigations; that is why the early initrd is preferred over loading the microcode later from userspace. Note that applying the update this way requires a reboot of the server.
To update the microcode at an early stage of boot, perform the following:
1. Install the iucode_tool utility (package iucode-tool, available from the EPEL repository):
# yum install iucode-tool
2. Get the latest microcode:
# git clone https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
3. Prepare the early initrd image (iucode_tool -S selects only the microcode matching the CPUs present in this system):
# iucode_tool -S --write-earlyfw=/boot/intel-ucode.img ./Intel-Linux-Processor-Microcode-Data-Files/intel-ucode/
iucode_tool: system has processor(s) with signature 0x000106a5
iucode_tool: Writing selected microcodes to: /boot/intel-ucode.img
4. Add the image to the boot loader:
For CentOS 6
Edit the /boot/grub/grub.conf file and put /intel-ucode.img in front of the existing initramfs on the initrd line of the entry you boot, so that it reads:
title CentOS (2.6.32-754.17.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-754.17.1.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /intel-ucode.img /initramfs-2.6.32-754.17.1.el6.x86_64.img
For CentOS 7
Edit the /boot/grub2/grub.cfg file and put /intel-ucode.img in front of the existing initramfs on the initrd16 line of the entry you boot, so that it reads:
menuentry 'CentOS Linux (3.10.0-957.21.3.el7.x86_64) 7 (Core)' --class rhel fedora --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-229.el7.x86_64-advanced-1a2c9c41-0702-4984-ba9d-25b6efb4b10a' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod xfs
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 6d72c808-95dc-4fb0-9bcb-fce4aedde595
        else
          search --no-floppy --fs-uuid --set=root 6d72c808-95dc-4fb0-9bcb-fce4aedde595
        fi
        linux16 /vmlinuz-3.10.0-957.21.3.el7.x86_64 root=/dev/mapper/centos-root ro rd.lvm.lv=centos/root rd.lvm.lv=centos/swap crashkernel=auto rhgb quiet LANG=en_US.UTF-8
        initrd16 /intel-ucode.img /initramfs-3.10.0-957.21.3.el7.x86_64.img
}
Note that on CentOS 7 this file is regenerated by grub2-mkconfig (for example when a new kernel is installed), so the edit has to be repeated, or at least verified, after every kernel update.
5. Reboot the server.
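After the reboot, verify that the early microcode actually took effect. The script below is an added example, not part of the original article: it checks that every CPU in /proc/cpuinfo reports one and the same microcode revision, that this revision is at least the one you expect, and that the kernel log shows the update was applied early (from the initrd) rather than late (by the microcode_ctl service). The expected revision is assumed to be taken from the microcode iucode_tool selected for this system (for example from "iucode_tool -S -l" output); the cpuinfo and dmesg samples inside the script are constructed for offline testing, and the kernel message wording containing "updated early" is an assumption about these kernels. Run it with the expected revision as its argument (e.g. ./check-ucode.sh 0x1d) to check the live system.

```shell
#!/bin/bash
# Added example (not from the original article): confirm after the reboot that
# the early microcode update took effect. Sample data below is constructed.
# Expected revision: assumption is that you read it from the microcode that
# "iucode_tool -S -l" selected for this CPU when building /boot/intel-ucode.img.

# Print the distinct microcode revisions across all CPUs in /proc/cpuinfo-style
# text ($1). Each CPU has a line such as "microcode	: 0x1d".
cpuinfo_revisions() {
    printf '%s\n' "$1" | awk -F': *' '$1 ~ /^microcode/ { print tolower($2) }' | sort -u
}

# Succeed only if every CPU reports one and the same revision and that revision
# is numerically >= the expected one. $1 = expected revision (hex), $2 = cpuinfo text.
# Mixed revisions mean some cores were not updated, which is treated as a failure.
microcode_at_least() {
    local expected="$1" revs revcount
    revs=$(cpuinfo_revisions "$2")
    [ -n "$revs" ] || return 1
    revcount=$(printf '%s\n' "$revs" | wc -l | tr -d ' ')
    [ "$revcount" -eq 1 ] || return 1
    [ $(( revs )) -ge $(( expected )) ]
}

# Succeed if the kernel log text ($1) shows the early-update message, i.e. the
# microcode came from the early initrd and not from a later userspace load.
# (Assumption: the message on these kernels contains "updated early".)
early_update_logged() {
    printf '%s\n' "$1" | grep -q 'microcode.*updated early'
}

# --- constructed sample data (not captured from a real host) -----------------
CPUINFO_OK='processor	: 0
vendor_id	: GenuineIntel
model		: 26
microcode	: 0x1d
processor	: 1
vendor_id	: GenuineIntel
model		: 26
microcode	: 0x1d'

CPUINFO_MIXED='processor	: 0
microcode	: 0x1d
processor	: 1
microcode	: 0x11'

DMESG_OK='[    0.000000] microcode: microcode updated early to revision 0x1d, date = 2018-05-11'

# Live check: compare the running system against the expected revision ($1).
check_live_system() {
    local expected="$1" cpuinfo dmesg_text
    cpuinfo=$(cat /proc/cpuinfo)
    dmesg_text=$(dmesg 2>/dev/null || true)
    if microcode_at_least "$expected" "$cpuinfo"; then
        echo "OK: all CPUs at microcode revision $(cpuinfo_revisions "$cpuinfo")"
    else
        echo "FAIL: revisions seen: $(cpuinfo_revisions "$cpuinfo" | tr '\n' ' ')(expected >= $expected)"
        return 1
    fi
    if early_update_logged "$dmesg_text"; then
        echo "OK: kernel reports the update was applied early"
    else
        echo "WARN: no 'updated early' message in dmesg; the update may have been applied late, or the log has wrapped"
    fi
}

if [ $# -ge 1 ]; then
    check_live_system "$1"
fi
```

A mismatch between cores, or a revision lower than the one you built into /boot/intel-ucode.img, means the early initrd was not picked up (wrong boot entry, a regenerated grub.cfg, or an image that does not match the CPU signature), and the server is still running with the old microcode.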