3 Using the Ksplice Enhanced Client
Note: Some examples use the yum command. For Oracle Linux 8 or Oracle Linux 9, use the dnf command, as appropriate.
- About the Ksplice Enhanced Client
- Limitations of the Ksplice Enhanced Client
- Installing the Ksplice Enhanced Client From ULN
- Using the ksplice Command to Manage the Ksplice Enhanced Client
- Preventing the Ksplice Enhanced Client From Patching User Space Processes and Libraries
- Configuring the Ksplice Enhanced Client for Offline Mode
- Using the Known Exploit Detection Feature on the Ksplice Enhanced Client
- Removing the Ksplice Enhanced Client Software
Limitations of the Ksplice Enhanced Client
Be aware of the following important Oracle Ksplice limitations:
- Ksplice reports an error similar to the following if it cannot apply updates to processes that do not have access to the /var/cache/ksplice directory:
  Ksplice was unable to load the update as the target process is in a different mount namespace or has changed root. The service must be restarted to apply on-disk updates. Extra information: the process has changed root or mount namespace.
  └─ rtkit-daemon (3680)
  This error typically occurs with processes that use chroot or that run in an LXC or Docker container. In such cases, you must restart the process to apply any available updates. For example, to restart the rtkit-daemon service, use the systemctl restart rtkit-daemon command. To avoid having to restart a chrooted application that you maintain and compile, ensure that the /var/cache/ksplice directory is bind-mounted in the chrooted environment.
- Ksplice cannot patch applications that use either setcontext or swapcontext from glibc to perform user space context switching between process threads.
- Because of certain kernel limitations, Ksplice does not patch the init process (PID 1). On Oracle Linux 7, the init process, which is actually systemd, is automatically re-executed on system updates, so it does not require patching with Ksplice. On Oracle Linux 6, Upstart is not capable of re-executing itself, so any updates to glibc that can affect Upstart might require a reboot.
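The first limitation above is decided by two facts the kernel exposes in /proc: the mount namespace a process lives in and whether its root directory is still "/". The following script is an added example, not part of the Ksplice documentation or of the ksplice tool; it reproduces that check so you can list, before an update, which services will need a restart rather than an in-memory patch. It compares each process against PID 1 by default; the helper names and output words are this example's own.

```shell
#!/bin/sh
# Added example (not from the Ksplice documentation or the ksplice tool):
# reproduce the check behind the "different mount namespace or has changed
# root" error, so the services that will need a restart are known in advance.

# Classify one PID against a reference PID (default 1, the init process).
# Prints: ok | mount-namespace | chroot | unknown
# /proc/<pid>/ns/mnt is a symlink such as "mnt:[4026531840]" naming the mount
# namespace; /proc/<pid>/root resolves to "/" unless the process has changed
# root (a chrooted process shows its chroot directory instead).
ksplice_target_status() {
    pid=$1
    ref=${2:-1}
    pid_ns=$(readlink "/proc/$pid/ns/mnt" 2>/dev/null) || { echo unknown; return 1; }
    ref_ns=$(readlink "/proc/$ref/ns/mnt" 2>/dev/null) || { echo unknown; return 1; }
    pid_root=$(readlink "/proc/$pid/root" 2>/dev/null) || { echo unknown; return 1; }
    if [ "$pid_ns" != "$ref_ns" ]; then
        echo mount-namespace
        return 2
    fi
    if [ "$pid_root" != "/" ]; then
        echo chroot
        return 2
    fi
    echo ok
    return 0
}

# Walk /proc and print "PID<TAB>comm<TAB>reason" for every process that the
# client cannot patch in place. "unknown" means the /proc entry was unreadable,
# which happens for other users' processes when this is not run as root.
ksplice_list_unpatchable() {
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        status=$(ksplice_target_status "$p")
        if [ "$status" != ok ]; then
            printf '%s\t%s\t%s\n' "$p" "$(cat "$d/comm" 2>/dev/null)" "$status"
        fi
    done
}

# Usage: sudo sh ksplice-unpatchable.sh --list
if [ "${1:-}" = "--list" ]; then
    ksplice_list_unpatchable
fi
```

Run it as root so that every /proc entry is readable; each process it reports as mount-namespace or chroot is one that will keep running unpatched code after a Ksplice user space update until it is restarted (or, for a chroot you control, until /var/cache/ksplice is bind-mounted inside it).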
Installing the Ksplice Enhanced Client From ULN
Note:
If using Oracle Cloud Infrastructure, Ksplice is already installed by default (on all Oracle Linux instances launched after August 25, 2017). For more information, see Oracle Ksplice on Oracle Cloud Infrastructure.
Note:
The following procedure applies only to Oracle Linux releases. To use Ksplice to patch the Xen hypervisor on Oracle VM 3.4.5 and later releases, refer to the Oracle VM documentation that corresponds to the release that you are running. For example, if you are running Oracle VM 3.4.5, see Updating Oracle VM Server With Oracle Ksplice in the Oracle VM Administration Guide for Release 3.4.
- Before installing the Enhanced Client:
  - Verify that the system is running Oracle Linux 6, Oracle Linux 7, Oracle Linux 8, or Oracle Linux 9 with a supported version of either the Unbreakable Enterprise Kernel (UEK) or the Red Hat Compatible Kernel (RHCK) installed. Use the uname -a command to verify the kernel version. See Maintained Kernels. Ksplice applies updates to the currently running kernel only, so ensure that the running kernel is the one you want to update.
  - For an online client, register the system with ULN and verify that it has a connection to the Oracle Uptrack server.
  - For an offline client, configure a local ULN mirror.
- Log in to ULN at https://linux.oracle.com. Provide the ULN user name and password that you used to register the system.
- Subscribe to the necessary channels:
  - On the Systems tab, click the link named for your system in the list of registered machines.
  - On the System Details page, click Manage Subscriptions.
    The Ksplice Enhanced client and Ksplice-aware user space packages are available in the following channels on ULN:
    - Ksplice for Oracle Linux 6 (x86_64) (ol6_x86_64_ksplice)
    - Ksplice for Oracle Linux 7 (x86_64) (ol7_x86_64_ksplice)
    - Ksplice for Oracle Linux 7 (aarch64) (ol7_aarch64_ksplice)
    - Ksplice for Oracle Linux 8 (x86_64) (ol8_x86_64_ksplice)
    - Ksplice for Oracle Linux 8 (aarch64) (ol8_aarch64_ksplice)
    - Ksplice for Oracle Linux 9 (x86_64) (ol9_x86_64_ksplice)
    - Ksplice for Oracle Linux 9 (aarch64) (ol9_aarch64_ksplice)
    - Ksplice-aware user space packages for Oracle Linux 6 (x86_64) (ol6_x86_64_userspace_ksplice)
    - Ksplice-aware user space packages for Oracle Linux 7 (x86_64) (ol7_x86_64_userspace_ksplice)
    - Ksplice-aware user space packages for Oracle Linux 7 (aarch64) (ol7_aarch64_userspace_ksplice)
    - Ksplice-aware user space packages for Oracle Linux 8 (x86_64) (ol8_x86_64_userspace_ksplice)
    - Ksplice-aware user space packages for Oracle Linux 8 (aarch64) (ol8_aarch64_userspace_ksplice)
    - Ksplice-aware user space packages for Oracle Linux 9 (x86_64) (ol9_x86_64_userspace_ksplice)
    - Ksplice-aware user space packages for Oracle Linux 9 (aarch64) (ol9_aarch64_userspace_ksplice)
  - On the System Summary page, select both the Ksplice user space and Ksplice channels from the list of available channels, then click the right arrow (>) to move them to the list of subscribed channels.
  - Accept the licensing terms for the Ksplice Enhanced client packages.
  - Save the subscription and log out of ULN.
- If you use an Internet proxy, set the HTTP and HTTPS proxy variables in the shell from which you run the yum and ksplice commands. Note that sudo resets the environment by default, so export the variables in the root shell that the next step logs you into, or run each command with sudo -E where your sudoers policy permits it, so that the variables reach the package manager.
  - For the sh, ksh, or bash shells, use commands such as the following:
    http_proxy=http://proxy_URL:http_port
    https_proxy=http://proxy_URL:https_port
    export http_proxy https_proxy
  - For the csh shell, use commands such as the following:
    setenv http_proxy http://proxy_URL:http_port
    setenv https_proxy http://proxy_URL:https_port
- Log in to the system as the root user.
- If prelink is installed, revert all of the prelinked binaries and any dependent libraries to their original state, then remove the prelink package:
  sudo prelink -au
  sudo yum remove prelink
  Note: prelink is installed and enabled by default on Oracle Linux 6, but not on Oracle Linux 7, Oracle Linux 8, or Oracle Linux 9.
- Install the ksplice package:
  - For the Ksplice online client, use the following command:
    sudo yum install -y ksplice uptrack
  - For the Ksplice offline client, use the following command:
    sudo yum install -y ksplice ksplice-offline uptrack-offline
  The access key for Ksplice Uptrack is retrieved from ULN and added to the /etc/uptrack/uptrack.conf file, as shown in the following example:
  [Auth]
  accesskey = 0e1859ad8aea14b0b4306349142ce9160353297daee30240dab4d61f4ea4e59b
  Treat this file as a credential: the access key authenticates the system to the Ksplice Uptrack server, so keep it readable by root only and out of configuration management repositories.
  The following packages are installed on the system:
  - ksplice-core: Contains the shared user space libraries, such as glibc and openssl, that support Ksplice patching.
  - ksplice-helper: Contains a helper library that enables user space executables to be patched by Ksplice.
  - ksplice-helper-devel: Contains the development environment for creating user space libraries that support Ksplice patching.
  - ksplice-tools: Contains the ksplice executable and the ksplice(8) manual page.
- Update the system to install the Ksplice-aware versions of the user space libraries:
  sudo yum update
  To install just the libraries and not update any other packages, limit the update to the following channels, as appropriate:
  - ol6_x86_64_userspace_ksplice
  - ol7_x86_64_userspace_ksplice
  - ol7_aarch64_userspace_ksplice
  - ol8_x86_64_userspace_ksplice
  - ol8_aarch64_userspace_ksplice
  - ol9_x86_64_userspace_ksplice
  - ol9_aarch64_userspace_ksplice
  For example, you would update the packages from the Oracle Linux 7 Ksplice-aware user space x86_64 channel as follows:
  sudo yum --disablerepo=* --enablerepo=ol7_x86_64_userspace_ksplice update
  You can also pass the glibc* and openssl* patterns to the install command of your package manager; quote them ('glibc*' 'openssl*') so that the shell does not expand them against files in the current directory. To use this client to perform kernel updates, install the kernel update package in the same way as with the standard Uptrack client, for example:
  sudo yum install uptrack-updates-`uname -r`
- To enable the automatic installation of updates, change the autoinstall entry in the /etc/uptrack/uptrack.conf file from no to yes:
  autoinstall = yes
- Reboot the system for the changes to take effect:
  sudo systemctl reboot
  For Oracle Linux 6, use the following command:
  sudo reboot
  The reboot is required because processes that are already running keep using the copies of glibc and openssl that they have mapped; only processes started afterwards load the Ksplice-aware libraries, and Ksplice can patch only those.
The Ksplice Enhanced client uses the same configuration file (/etc/uptrack/uptrack.conf) as the Ksplice Uptrack client. See Configuring the Ksplice Uptrack Client.
To manage the Ksplice Enhanced client, use the ksplice command. See Using the ksplice Command to Manage the Ksplice Enhanced Client.
Using the ksplice Command to Manage the Ksplice Enhanced Client
You manage the Ksplice Enhanced client by using the ksplice command. Use this command instead of the uptrack commands that are used with the traditional Ksplice Uptrack client. The ksplice command enables you to perform user space patching, in addition to kernel patching.
List Targets
To display all of the running user space processes that the client can patch, use the ksplice all list-targets command, for example:
sudo ksplice all list-targets
User-space targets:
glibc-ISO8859-1-2.17.78.0.1.1.ksplice25.el7
└─ gnome-shell (3783)
glibc-libutil-2.17.78.0.1.1.ksplice25.el7
├─ firewalld (680)
├─ tuned (695)
├─ libvirtd (1492)
├─ sshd (1497)
├─ httpd (1503)
├─ httpd (1706)
├─ httpd (1707)
├─ httpd (1708)
├─ httpd (1709)
├─ httpd (1710)
├─ colord (1942)
├─ gdm-session-wor (3418)
├─ gnome-session (3460)
├─ gvfsd (3534)
├─ gvfsd-fuse (3555)
├─ ssh-agent (3617)
├─ gnome-settings- (3658)
├─ gvfs-udisks2-vo (3727)
├─ gvfs-afc-volume (3754)
├─ gvfs-mtp-volume (3761)
├─ gvfs-gphoto2-vo (3765)
├─ gvfs-goa-volume (3769)
├─ goa-daemon (3772)
├─ gnome-shell (3783)
├─ ibus-daemon (3817)
├─ ibus-dconf (3821)
├─ ibus-x11 (3823)
├─ evolution-sourc (3853)
├─ nautilus (3882)
├─ ibus-engine-sim (3884)
├─ tracker-store (3943)
├─ abrt-applet (3980)
├─ tracker-miner-f (4040)
├─ gvfsd-trash (4062)
├─ sshd (29328)
├─ packagekitd (29465)
└─ python (29679)
...
Kernel version: Linux/x86_64/3.10.0-229.el7.x86_64/#1 SMP Fri Mar 6 04:05:24 PST 2015
Xen version: xen/x86_64/#2 SMP Tue Aug 15 13:47:00 PDT 2017/Tue Aug 1 20:27:56 PDT 2017
To display just the Xen hypervisor targets that the client can patch, use the ksplice xen list-targets command:
sudo ksplice xen list-targets
For each Ksplice-aware library, the command reports the running processes that would be affected by an update. The command also reports the effective version of the loaded kernel.
Show Updates
To display the updates that have been applied to the system, use the ksplice all show command:
sudo ksplice all show
httpd (1706)
httpd (1708)
httpd (1707)
httpd (1709)
httpd (1710)
rsyslogd (689)
chronyd (705)
httpd (1503)
├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
└─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().
Ksplice kernel updates installed:
Installed updates:
[rfywob9d] Clear garbage data on the kernel stack when handling signals.
[6w5ho5e2] Provide an interface to freeze tasks.
[ftjj21d0] CVE-2015-1421: Privilege escalation in SCTP INIT collisions.
[kw5m66w8] CVE-2015-8159: Privilege escalation in Infiniband userspace access.
[2w6jgsn7] CVE-2015-3331: Privilege escalation in Intel AES RFC4106 decryption.
[p0gek4ir] CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.
[sjqkwypd] CVE-2014-9529: Use-after-free when garbage collecting keys.
[tfn81scy] CVE-2015-1593: Stack layout randomization entropy reduction.
[jga5l35w] CVE-2015-1573: Use-after-free when flushing netfilter rules.
[gdzmj5lc] CVE-2014-9584: Out-of-bounds memory access in ISO filesystem when printing ER records.
[01560qvg] CVE-2015-2830: mis-handling of int80 fork from 64bits application.
[7ylonu77] CVE-2015-1805: Memory corruption in handling of userspace pipe I/O vector.
[7yehlpm8] Kernel hang on UDP flood with wrong checksums.
[xp1v1o7h] CVE-2014-9715: Remote code execution in the netfilter connection tracking subsystem.
[89yjgn50] CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.
[g327jyvw] CVE-2015-2922: Denial-of-service of IPv6 networks when handling router advertisements.
Ksplice xen updates installed
[87x4i9rd]: XSA-230: Information leak when using grant tables.
[25aiflvq]: XSA-228: Race condition when allocating grant pages.
[frevokn8]: XSA-227: User controlled memory corruption when mapping a grant reference.
The command reports the updates that have been applied to running processes, as well as the updates to the kernel. In the previous example, Ksplice applied updates for CVE-2014-7817 and CVE-2015-1781 to all of the listed processes.
To restrict the scope of the ksplice command to user space updates or kernel updates, specify user or kernel instead of all with the command.
To restrict the ksplice command to just the Xen hypervisor, specify xen instead of all with the command.
To display the updates that have been applied to a process specified by its PID, use the --pid=$PID option with the ksplice user show command:
sudo ksplice user show --pid=705
Output similar to the following is displayed:
chronyd (705)
├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
└─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().
Remove Updates
Use the remove subcommand to remove all of the updates from a process, for example:
sudo ksplice user remove --all --pid=705
To remove a specific update that Ksplice has applied to a process, use the undo subcommand:
sudo ksplice user undo --pid=705 h73qvumn
Note:
If necessary, you can prevent Ksplice from patching specified executables and libraries. See Preventing the Ksplice Enhanced Client From Patching User Space Processes and Libraries.
Ksplice patches are stored in the /var/cache/uptrack directory. Following a reboot, Ksplice automatically reapplies these patches early in the boot process, before the network is configured, so that the system is hardened before any remote connections can be established.
List Available Updates
To list all of the available Ksplice updates without installing them, use the upgrade subcommand with the -n (dry-run) option:
sudo ksplice -n kernel upgrade
To install all of the available Ksplice updates without being prompted, use the upgrade subcommand with the -y option:
sudo ksplice -y user upgrade
To list all of the available Ksplice updates for the Xen hypervisor, use the upgrade subcommand as follows:
sudo ksplice -n xen upgrade
Show Kernel Version
After Ksplice applies updates to a running kernel, the kernel has an effective version that is different than the original boot version displayed by the uname -a command.
Use the ksplice kernel uname -r command to display the effective version of the kernel:
sudo ksplice kernel uname -r
3.8.13-55.1.1.el6uek.x86_64
The ksplice kernel uname command supports the commonly used uname flags, including -a and -r, and also provides a way for applications to detect that the kernel has been patched. The effective version is based on the version number of the latest patch that Ksplice Uptrack has applied to the kernel.
Examples
The following examples show ways in which you can view information about Ksplice updates and administer Ksplice updates on a system.
View the updates that Ksplice Uptrack has made to the running kernel:
sudo ksplice kernel show
View the updates that Ksplice Uptrack has made to the Xen hypervisor:
sudo ksplice xen show
View the updates that are available to be installed:
sudo ksplice kernel show --available
Remove all updates from the kernel:
sudo ksplice kernel remove --all
Remove all updates from the Xen hypervisor:
sudo ksplice xen remove --all
Prevent Ksplice from reapplying updates at the next system reboot by creating the empty file /etc/uptrack/disable:
sudo touch /etc/uptrack/disable
Alternatively, you can specify nouptrack as a parameter on the boot command line when you next restart the system.
Manual Page
For more information and examples, see the ksplice(8) manual page.
Preventing the Ksplice Enhanced Client From Patching User Space Processes and Libraries
If you do not want Ksplice to patch the user space processes for certain executables or libraries, you can specify the information in a configuration file in the /etc/ksplice/blacklist.d directory. The following is an example of a localblacklist.conf file. The example shows how you would prevent Ksplice from patching any process that corresponds to any executable in the /opt/app/bin or /usr/local/bin directory, or from patching any shared library with a name matching liblocal-*.
Any process that you exclude in this way keeps running unpatched code until it is restarted after an on-disk update, so record such exclusions as accepted risk.
The following example shows the format of the rules, which are Python regular expressions:
[executables]
^/opt/app/bin/.*$
^/usr/local/bin/.*$
[targets]
^liblocal-.*$
Configuring the Ksplice Enhanced Client for Offline Mode
The offline version of the Ksplice Enhanced Client removes the requirement that a server on your intranet has a direct connection to the Oracle Uptrack server or ULN. Prior to configuring an offline client, you must set up a local ULN mirror that can act as a Ksplice mirror.
For more information about running Ksplice offline, see About Ksplice Offline Mode.
- Before proceeding, ensure that you have configured a local ULN mirror.
- Import the GPG key:
  sudo rpm --import /usr/share/rhn/RPM-GPG-KEY
- Disable any existing yum repositories that are configured in the /etc/yum.repos.d directory. You can either edit the existing repository files and disable all of the entries by setting enabled=0, or you can use yum-config-manager, for example:
  sudo yum-config-manager --disable \*
  Alternatively, you can rename the files in this directory so that they do not use the .repo suffix. This change causes the yum command to ignore these entries, as shown in the following example:
  cd /etc/yum.repos.d
  for i in *.repo; do sudo mv "$i" "$i.disabled"; done
- In the /etc/yum.repos.d directory, create the local-yum.repo file, which contains entries such as the following for an Oracle Linux 7 yum client:
  [local_ol7_x86_64_ksplice]
  name=Ksplice for Oracle Linux $releasever - $basearch
  baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/ksplice/$basearch/
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
  gpgcheck=1
  enabled=1

  [local_ol7_x86_64_ksplice_userspace]
  name=Ksplice aware userspace packages for Oracle Linux $releasever - $basearch
  baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/userspace/ksplice/$basearch/
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
  gpgcheck=1
  enabled=1

  [local_ol7_latest]
  name=Oracle Linux $releasever - $basearch - latest
  baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/latest/$basearch/
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
  gpgcheck=1
  enabled=1

  [local_ol7_UEKR5_latest]
  name=Unbreakable Enterprise Kernel Release 5 for Oracle Linux $releasever - $basearch - latest
  baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/UEKR5/latest/$basearch/
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
  gpgcheck=1
  enabled=1

  [local_ol7_addons]
  name=Oracle Linux $releasever - $basearch - addons
  baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/addons/$basearch/
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
  gpgcheck=1
  enabled=1
  - Replace local_uln_mirror with the IP address or resolvable host name of the local ULN mirror.
  - Keep gpgcheck=1 in every entry. The mirror is reached over plain HTTP, so the GPG signature check is what protects the client from a tampered mirror or from packages altered in transit.
  - To distinguish the local repositories from the ULN repositories, optionally prefix the labels for each entry with a string such as local_. If you do so, you must also edit the uptrack configuration, as described in the later step that adds yum_userspace_ksplice_repo_name to /etc/uptrack/uptrack.conf.
  - The previous example configuration enables the local_ol7_x86_64_ksplice, local_ol7_x86_64_ksplice_userspace, local_ol7_latest, local_ol7_UEKR5_latest, and local_ol7_addons channels.
- Test the configuration:
  - Clear the yum metadata cache:
    sudo yum clean metadata
  - Verify the configuration:
    sudo yum repolist
  If the yum commands cannot connect to the local ULN mirror, check that the firewall settings on the local ULN mirror server allow incoming TCP connections to the HTTP port (usually, port 80).
- If prelink is installed, revert all of the prelinked binaries and dependent libraries to their original states and then remove the prelink package as follows:
  sudo prelink -au
  sudo yum remove prelink
  The prelink package is installed and enabled by default on Oracle Linux 6, but not on Oracle Linux 7, Oracle Linux 8, or Oracle Linux 9.
- Install the offline version of the enhanced client package:
  sudo yum install ksplice-offline
- Add a configuration directive to the /etc/uptrack/uptrack.conf file to provide the enhanced client with the label of the local user space channel in your local yum repository configuration.
  Note: You can skip this step if you did not use the local_ prefix for the channel label and the label is an exact match of the label that is used on ULN. If you used the local_ prefix or labeled this channel differently, add the following lines, but instead of local_ol7_x86_64_ksplice_userspace, specify the same label that you used for the Ksplice user space channel, for example:
  [User]
  yum_userspace_ksplice_repo_name = local_ol7_x86_64_ksplice_userspace
- To install offline update packages, install the relevant packages, for example:
  sudo yum install ksplice-updates-glibc ksplice-updates-openssl
  If you are installing the offline updates package for the Xen hypervisor, specify the release in the command, for example:
  sudo yum install ksplice-updates-xen-$RELEASE
  In the previous command, $RELEASE is the version of the hypervisor that is currently running, as shown in this example:
  sudo yum install ksplice-updates-xen-4.4.4-153.el6
  After you have installed these packages, the offline version of the enhanced client behaves exactly the same way as the online version.
- Update the system to install the Ksplice-aware versions of the user space libraries:
  sudo yum update
  To install just the libraries and not any other packages, limit the update to the Ksplice user space channel, for example, the ol7_x86_64_userspace_ksplice channel:
  sudo yum --disablerepo=* --enablerepo=ol7_x86_64_userspace_ksplice update
  Alternatively, update only the glibc and openssl packages. Quote the patterns so that the shell passes them to yum instead of expanding them against files in the current directory:
  sudo yum update 'glibc*' 'openssl*'
  You can also use this client to perform kernel updates in the same way that you are able to use the standard uptrack client:
  sudo yum install uptrack-updates-`uname -r`
- To enable the automatic installation of updates, change the autoinstall entry in /etc/uptrack/uptrack.conf from no to yes, as shown in the following example:
  autoinstall = yes
- Reboot the system so that all processes use the new libraries.
  Note: If you installed updates for the Xen hypervisor, no special configuration is required, and you do not need to reboot the system for the updates to be applied.
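The step that adds yum_userspace_ksplice_repo_name to /etc/uptrack/uptrack.conf is the easiest one in the offline procedure to get wrong: if the label does not name an enabled section in one of the .repo files, the client silently fails to find the Ksplice-aware user space packages on the mirror. The script below is an added example, not part of the Ksplice documentation or tooling, that checks the two files agree. The function name and its result words (ok, missing-directive, repo-not-found, repo-disabled) are this example's own; the file paths default to the ones the procedure uses.

```shell
#!/bin/sh
# Added example, not part of the Ksplice documentation or tooling. Verifies that
# the channel label named by yum_userspace_ksplice_repo_name in the [User]
# section of uptrack.conf exists as an enabled section in the yum .repo files.
#
# Prints ok | missing-directive | repo-not-found | repo-disabled and returns 0
# only for ok. Both arguments default to the locations the procedure uses.
check_userspace_repo_label() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    repodir=${2:-/etc/yum.repos.d}

    # Read the label from the [User] section only; the same key in another
    # section would not be honoured by the client either.
    label=$(awk -F= '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[User][[:space:]]*$/); next }
        insec && $1 ~ /^[[:space:]]*yum_userspace_ksplice_repo_name[[:space:]]*$/ {
            v = $2; gsub(/[[:space:]]/, "", v); print v; exit
        }' "$conf" 2>/dev/null)
    if [ -z "$label" ]; then
        echo missing-directive
        return 1
    fi

    # Scan every .repo file for a [label] section and read its enabled= value.
    # yum treats a section without enabled= as enabled, so only an explicit
    # value other than 1 counts as disabled.
    state=$(cat "$repodir"/*.repo 2>/dev/null | awk -v want="[$label]" '
        /^[[:space:]]*\[/ {
            cur = $0; gsub(/[[:space:]]/, "", cur)
            if (cur == want) found = 1
            next
        }
        cur == want && /^[[:space:]]*enabled[[:space:]]*=/ {
            en = $0; sub(/^[^=]*=/, "", en); gsub(/[[:space:]]/, "", en)
        }
        END {
            if (!found) print "repo-not-found"
            else if (en == "" || en == "1") print "ok"
            else print "repo-disabled"
        }')
    echo "$state"
    [ "$state" = ok ]
}

# Usage on a configured offline client:
#   sh check-ksplice-repo.sh --check && echo "uptrack.conf and the yum repos agree"
if [ "${1:-}" = "--check" ]; then
    check_userspace_repo_label "$2" "$3"
fi
```

Run the check after editing either file; a result other than ok means yum repolist will not show the user space channel the client has been told to use, and the ksplice-aware glibc and openssl packages will not be offered.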
Using the Known Exploit Detection Feature on the Ksplice Enhanced Client
Note:
Known exploit detection support is available for the Ksplice Enhanced client only and is currently not supported on the 64-bit Arm (aarch64) platform.
Oracle provides the known exploit detection feature for supported systems that have the Ksplice Enhanced client installed. This feature reports attempted exploitation by known attack vectors. When new Common Vulnerabilities and Exposures (CVEs) are discovered and patched with Ksplice, Oracle may add tripwires to the code that fire when an erroneous condition is triggered, thus enabling you to monitor your systems for suspicious activity.
Note:
Because not all security issues have tripwires added, and also because it is possible to trigger tripwires under normal operations, additional analysis of erroneous conditions might be required.
Running Known Exploit Detection on the Ksplice Enhanced Client
You can run the Ksplice known exploit detection on supported Oracle Linux systems that have the Ksplice Enhanced client installed. This feature works for both the online and offline Ksplice Enhanced client.
To run known exploit detection with the default configuration:
- Install the ksplice-known-exploit-detection package:
  sudo yum install ksplice-known-exploit-detection
- Add the following lines to the /etc/uptrack/uptrack.conf file:
  [Known-Exploit-Detection]
  enabled = yes
- Enable the feature by running the kernel upgrade command:
  sudo ksplice kernel upgrade
- Verify that the feature has been enabled for the current kernel:
  cat /proc/sys/kernel/known_exploit_detection
  If the value is 0 or the file is missing, the kernel has not enabled known exploit detection. If the value is 1, known exploit detection is enabled on the system.
The helper file, /usr/sbin/log-known-exploit, is invoked directly by the kernel. To invoke the helper manually to check your configuration or perform dry-run tests, use the following command:
/usr/sbin/log-known-exploit --help
You can specify the following additional options and arguments with this command:
- -h, --help: Display the help message and exit.
- -c, --config /etc/example.conf: Specify a compatible configuration file. Defaults to /etc/log-known-exploit.conf.
- -f, --force: Run the command without checking for root permissions.
- -n, --dry-run: Simulate the output and expected actions that would be performed by the helper file.
- -d, --dummy: Use dummy data to verify that report logging is configured correctly.
Setting Up Email Alerts for Exploit Attempts
The default configuration for the Ksplice known exploit detection feature only logs exploit attempts to syslog by using the normal syslog facilities. To set up email alerts, edit the /etc/log-known-exploit.conf file as follows:
[email]
enabled: 1
recipients: admin@example.com
You can use the same configuration file to specify which tripwire reports should be logged or ignored:
[actions]
CVE-2019-12345: report
CVE-2019-12346: ignore
To define the logging behavior for tripwires that are not specified, add a value for default to the list. For example, to avoid logging any tripwire reports unless they are explicitly specified, do the following:
[actions]
default: ignore
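Before deploying an [actions] section, it is worth confirming what it resolves to for the CVEs you care about, since an explicit entry overrides default: and a default: ignore line silences every tripwire that is not listed. The following script is an added example, not part of the Ksplice documentation or of the log-known-exploit helper; it applies that precedence to a configuration file. Where neither an explicit entry nor default: exists, the example assumes the helper reports the tripwire, which is an assumption drawn from the documented default behaviour of logging every attempt to syslog; use the helper's own --dry-run option for an authoritative answer.

```shell
#!/bin/sh
# Added example, not part of the Ksplice documentation or of the
# log-known-exploit helper. Resolves the action the [actions] section of
# /etc/log-known-exploit.conf gives a tripwire CVE:
#   1. an explicit "CVE-...: report|ignore" entry wins,
#   2. otherwise "default:" applies,
#   3. otherwise "report" (assumption: the documented default configuration
#      logs every tripwire to syslog).
# Prints the action; prints "unknown" and returns 1 if the file is unreadable.
tripwire_action() {
    cve=$1
    conf=${2:-/etc/log-known-exploit.conf}
    if [ ! -r "$conf" ]; then
        echo unknown
        return 1
    fi
    awk -v cve="$cve" '
        # Track whether we are inside [actions]; sections such as [email] are skipped.
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[actions][[:space:]]*$/); next }
        # "key: value" lines inside [actions]; lines starting with # or ; are comments.
        insec && /^[[:space:]]*[^#;[:space:]][^:]*:/ {
            key = $0; sub(/:.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^:]*:/, "", val); gsub(/[[:space:]]/, "", val)
            if (key == cve) exact = val
            else if (key == "default") def = val
        }
        END {
            if (exact != "") print exact
            else if (def != "") print def
            else print "report"
        }' "$conf"
}

# Print the resolved action for every CVE given on the command line, e.g.
#   sh tripwire-action.sh CVE-2019-12345 CVE-2019-12346
for c in "$@"; do
    printf '%s\t%s\n' "$c" "$(tripwire_action "$c")"
done
```

A CVE that resolves to ignore here is still armed in the kernel; the helper simply drops its report, which differs from removing the tripwire through /proc/sys/kernel/known_exploit_detection_tripwires as described in the next section.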
Temporarily Disabling and Enabling Tripwires
For troubleshooting purposes, you can disable or enable a specific tripwire manually.
To disable a specific tripwire until the next reboot, remove the CVE reference from the /proc/sys/kernel/known_exploit_detection_tripwires file as follows:
echo -n '-CVE-2019-12345' | sudo tee /proc/sys/kernel/known_exploit_detection_tripwires
To enable a specific tripwire again, append the CVE reference to the same file:
echo -n '+CVE-2019-12345' | sudo tee /proc/sys/kernel/known_exploit_detection_tripwires
Removing the Ksplice Enhanced Client Software
To remove the Ksplice Enhanced client software:
sudo yum -y remove ksplice
To remove the offline version of the Ksplice Enhanced client software:
sudo yum -y remove ksplice-offline
To remove the Ksplice-aware versions of the glibc and openssl packages from the system:
- Unsubscribe all of the currently subscribed Ksplice-aware user space channels from the yum repository.
- Manually downgrade the Ksplice-aware packages by using the yum shell and entering the following lines separately:
  sudo yum shell
  > erase ksplice-helper
  > downgrade glibc* openssl*
  > run
  Note: The following single command performs the same downgrade action without manual entry and can be used for automation:
  printf 'erase ksplice-helper\n downgrade glibc* openssl*\n run' | sudo yum -y shell