Kernel vulnerability mitigations missing
One or more CPU vulnerability mitigations (Spectre, Meltdown, MDS, TSA, Downfall, etc.) report unmitigated or partial coverage in /sys/devices/system/cpu/vulnerabilities/. Alert message shows one bullet per unmitigated vuln plus a state hint: Unmitigated CPU vulnerabilities: • tsa: Vulnerable: Clear CPU buffers attempted, no microcode [software band-aid engaged; awaiting AMD microcode] • gather_data_sampling: Vulnerable: No microcode [update CPU microcode + kernel and reboot; vendor-side only if still Vulnerable afterwards] Default action is to update the CPU microcode + kernel packages and reboot (on Debian/Ubuntu the microcode is in the non-free-firmware component; enable it if apt reports no candidate). A vuln is vendor-side (ACK-able) only when a kernel software band-aid is already engaged for every unmitigated vuln AND updating microcode does not clear it. The alert auto-resolves when /sys flips to "Mitigation: ...".
Remediation
When this rule fires on one of your servers, the dashboard alert detail page renders the full remediation guidance: the command to run, what to verify after, and Furnace's annotation for your specific distro + hardware. Sign in at app.glassmkr.com to see the live alert.