2.6.1 Running Known Exploit Detection on the Ksplice Enhanced Client

You can run the Oracle Ksplice known exploit detection feature on Oracle Linux 6 and Oracle Linux 7 systems that have the Ksplice Enhanced client installed. Note that the feature works on both online and offline clients.

To run known exploit detection with the default configuration:

  1. Install the ksplice-known-exploit-detection package:

    # yum install ksplice-known-exploit-detection

  2. Add the following lines to the /etc/uptrack/uptrack.conf file:

    [Known-Exploit-Detection]
    enabled = yes

  3. Enable the feature by running the kernel upgrade command:

    # ksplice kernel upgrade

  4. Verify that the feature has been enabled for the current kernel:

    # cat /proc/sys/kernel/known_exploit_detection

    If the value is 0 or the file is missing, then the kernel has not enabled known exploit detection. If the value is 1, then known exploit detection is enabled on the system.
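
The following script is an added example, not part of the Ksplice tooling. It audits steps 2 and 4 together, so that a host where the configuration was edited but the kernel has not picked up the change is reported separately from a host that was never configured. The function names and status words are hypothetical.

```shell
#!/bin/sh
# Added example: audit the known exploit detection setup described above.
# Function names and status words are hypothetical, not part of Ksplice.

# Return 0 only if "enabled = yes" appears inside the
# [Known-Exploit-Detection] section of the given uptrack.conf.
# Assumption: only the literal value "yes" shown on this page is accepted.
ked_conf_enabled() {
    [ -r "$1" ] || return 1
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim each line
        /^\[/ { in_sec = ($0 == "[Known-Exploit-Detection]") }
        in_sec && /^enabled[ \t]*=[ \t]*yes$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Print the kernel-side state: enabled (1), disabled (0), missing or unknown.
ked_kernel_state() {
    [ -r "$1" ] || { echo missing; return 0; }
    case "$(tr -d ' \t\n' < "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Combine both checks into a single status word on stdout.
ked_status() {
    conf=$1 proc=$2
    state=$(ked_kernel_state "$proc")
    if ked_conf_enabled "$conf"; then
        if [ "$state" = enabled ]; then echo active
        else echo "configured-but-kernel-$state"   # step 3 has not taken effect
        fi
    else
        if [ "$state" = enabled ]; then echo active-but-not-in-config
        else echo not-configured
        fi
    fi
}

# Default to the paths named in the procedure; override them with $1 and $2.
ked_status "${1:-/etc/uptrack/uptrack.conf}" \
           "${2:-/proc/sys/kernel/known_exploit_detection}"
```

A result of configured-but-kernel-disabled or configured-but-kernel-missing means the configuration is in place but the running kernel does not report the feature as enabled.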

The helper file, /usr/sbin/log-known-exploit, is invoked directly by the kernel. To invoke the helper manually to check your configuration or perform dry-run tests, use the following command:

    # /usr/sbin/log-known-exploit --help

You can specify the following additional options and arguments with this command:

-h, --help

Display the help message and exit.

-c, --config /etc/example.conf

Specify a compatible configuration file. Defaults to /etc/log-known-exploit.conf.

-f, --force

Run the command without checking for root permissions.

-n, --dry-run

Simulate the output and expected actions that would be performed by the helper file.

-d, --dummy

Use dummy data to verify that report logging is configured correctly.