Ansible Runbook to manage Windows Server Systems for Meltdown/Spectre
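---
# Install the SpeculationControl PowerShell check on Windows Server hosts and
# set the registry keys that control the kernel mitigations for:
#   CVE-2017-5715 - Spectre variant 2 (branch target injection, "BTI")
#   CVE-2017-5754 - Meltdown (rogue data cache load, "KVA shadow")
# CVE-2017-5753 (Spectre variant 1) is NOT controlled by these keys; it is
# addressed by the OS update itself and by recompiled applications.
#
# References (Microsoft guidance this playbook follows):
#   https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
#   https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell
- name: "Check security posture against CVE-2017-5753, CVE-2017-5715, CVE-2017-5754"
  hosts: windows
  gather_facts: true
  vars:
    # The registry changes only take effect after a reboot.  With
    # restart_allowed false the keys are written but the running kernel keeps
    # its current (unmitigated) state until the host is rebooted by other means.
    restart_allowed: false
    enable_meltdown: true
    # NOTE: false deliberately leaves CVE-2017-5715 (Spectre v2) unmitigated.
    # The BTI mitigation needs updated CPU microcode and has a measurable
    # performance cost; set this to true once microcode has been deployed.
    enable_spectre: false
  handlers:
    - name: "restart_system"
      win_reboot:
        shutdown_timeout: 3600
        reboot_timeout: 3600
      when: restart_allowed
  tasks:
    # Install the SpeculationControl module on Windows 10 / Server 2016
    # (ansible_distribution_major_version "10").  win_psmodule needs
    # PowerShellGet, which those systems ship with.
    - name: "Ensure SpeculationControl PS Module installed - Server 2016 Systems"
      win_psmodule:
        name: SpeculationControl
        state: present
      when:
        - ansible_os_family == "Windows"
        - ansible_distribution_major_version == "10"
    # TODO: provide the SpeculationControl script for older systems (2012 R2
    # and earlier); until then the check below fails loudly on those hosts
    # rather than silently reporting "not present".

    - name: "Execute Speculation Control Check"
      win_shell: Get-SpeculationControlSettings
      register: check_result
      changed_when: false

    # Parse the Format-List style output ("Name : True").  The match relies on
    # the exact "<name> : True" spacing printed by the module; anything else
    # is treated as false, which errs on the side of NOT writing the keys.
    - name: "Set Fact from Speculation Control Check"
      set_fact:
        speculation_control_settings:
          BTIHardwarePresent: "{{ 'BTIHardwarePresent : True' in check_result.stdout }}"
          BTIWindowsSupportPresent: "{{ 'BTIWindowsSupportPresent : True' in check_result.stdout }}"
          BTIWindowsSupportEnabled: "{{ 'BTIWindowsSupportEnabled : True' in check_result.stdout }}"
          BTIDisabledBySystemPolicy: "{{ 'BTIDisabledBySystemPolicy : True' in check_result.stdout }}"
          BTIDisabledByNoHardwareSupport: "{{ 'BTIDisabledByNoHardwareSupport : True' in check_result.stdout }}"
          KVAShadowRequired: "{{ 'KVAShadowRequired : True' in check_result.stdout }}"
          KVAShadowWindowsSupportPresent: "{{ 'KVAShadowWindowsSupportPresent : True' in check_result.stdout }}"
          KVAShadowWindowsSupportEnabled: "{{ 'KVAShadowWindowsSupportEnabled : True' in check_result.stdout }}"
          KVAShadowPcidEnabled: "{{ 'KVAShadowPcidEnabled : True' in check_result.stdout }}"

    - debug:
        var: speculation_control_settings

    # FeatureSettingsOverride is a bitmap of mitigations to DISABLE:
    #   bit 0 (value 1) = CVE-2017-5715 (Spectre v2 / BTIWindowsSupportEnabled)
    #   bit 1 (value 2) = CVE-2017-5754 (Meltdown / KVAShadowWindowsSupportEnabled)
    # A bit set to 0 ENABLES the mitigation, 1 DISABLES it, so:
    #   0 = both enabled, 1 = Meltdown only, 2 = Spectre only, 3 = both disabled.
    # (The original playbook had 0 and 3 swapped, which silently disabled both
    # mitigations when both were requested.)
    # FeatureSettingsOverrideMask = 3 (binary 11) tells the kernel which bits of
    # the override are meaningful; it is 3 whether enabling or disabling.
    - name: "Compute FeatureSettingsOverride bitmap from requested mitigations"
      set_fact:
        feature_settings_override: "{{ (0 if enable_spectre else 1) + (0 if enable_meltdown else 2) }}"

    - name: "Configure speculative execution mitigations"
      block:
        - name: "Ensure FeatureSettingsOverride = {{ feature_settings_override }}"
          win_regedit:
            path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
            name: 'FeatureSettingsOverride'
            data: "{{ feature_settings_override | int }}"
            type: dword
          notify: restart_system
        - name: "Ensure FeatureSettingsOverrideMask = 3"
          win_regedit:
            path: 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
            name: 'FeatureSettingsOverrideMask'
            data: 3
            type: dword
          notify: restart_system
      # Both keys are written as a unit, and only once the Windows update that
      # implements the mitigations is installed (*WindowsSupportPresent);
      # before that the keys are inert and would give a false sense of state.
      when:
        - speculation_control_settings.BTIWindowsSupportPresent | bool
        - speculation_control_settings.KVAShadowWindowsSupportPresent | bool

    # Run the pending reboot now (no-op unless a key changed and
    # restart_allowed is true) so the re-check below reflects the new state.
    - meta: flush_handlers

    - name: "Re-run Speculation Control Check after configuration"
      win_shell: Get-SpeculationControlSettings
      register: post_check
      changed_when: false

    # Verify rather than trust the registry write.  Without a reboot the
    # kernel state cannot have changed, so only assert when we restarted.
    # Each mitigation is only asserted where the CPU needs it
    # (KVAShadowRequired / BTIHardwarePresent); otherwise Windows reports it
    # disabled regardless of the override (e.g. BTIDisabledByNoHardwareSupport).
    - name: "Assert requested mitigations are active"
      assert:
        that:
          - "not enable_meltdown or not (speculation_control_settings.KVAShadowRequired | bool) or 'KVAShadowWindowsSupportEnabled : True' in post_check.stdout"
          - "not enable_spectre or not (speculation_control_settings.BTIHardwarePresent | bool) or 'BTIWindowsSupportEnabled : True' in post_check.stdout"
        msg: "Requested speculative execution mitigations are not active after reboot; see Get-SpeculationControlSettings output"
      when:
        - restart_allowed
        - speculation_control_settings.BTIWindowsSupportPresent | bool
        - speculation_control_settings.KVAShadowWindowsSupportPresent | bool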