3 Using the Ksplice Enhanced Client

Note:

Some examples use the yum command. For Oracle Linux 8 or Oracle Linux 9, use the dnf command, as appropriate.

Limitations of the Ksplice Enhanced Client

Be aware of the following important Oracle Ksplice limitations:

  • Ksplice reports an error similar to the following if it cannot apply updates to processes that do not have access to the /var/cache/ksplice directory:

    Ksplice was unable to load the update as the target process is in a
    different mount namespace or has changed root.  The service must be
    restarted to apply on-disk updates.
    Extra information: the process has changed root or mount namespace.
      └─ rtkit-daemon (3680)

    This error typically occurs with processes that use chroot or that run in an LXC or Docker container. In such cases, you must restart the process to apply any available updates. For example, to restart the rtkit-daemon service, you would use the systemctl restart rtkit-daemon command.

    To avoid having to restart a chrooted application that you maintain and compile, ensure that the /var/cache/ksplice directory is bind-mounted in the chrooted environment.

  • Ksplice cannot patch applications that use either setcontext or swapcontext from glibc to perform user space context switching between process threads.

  • Because of certain kernel limitations, Ksplice does not patch the init process (PID 1).

    On Oracle Linux 7, the init process, which is actually systemd, is automatically executed again on system updates, so it does not require patching with Ksplice.

    On Oracle Linux 6, Upstart is not capable of executing itself again, so any updates to glibc that can affect Upstart might require a reboot.
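
The following Python script is an added example, not part of the Ksplice client or of the Oracle documentation. It reads /proc to list the processes whose root directory or mount namespace differs from that of PID 1, which is the condition behind the error message above, so that an administrator can see in advance which services will need a restart rather than an in-place update. It assumes a Linux /proc file system and should be run as root so that every process is readable.

```python
#!/usr/bin/env python3
"""Added example: find processes that Ksplice cannot patch in place.

Ksplice refuses to load a user space update into a process that has
changed root or runs in a different mount namespace than PID 1, because
that process cannot reach /var/cache/ksplice. This script (not part of
the Ksplice client) reads /proc to list such processes, so that the
administrator knows which services still need a restart after an
on-disk update. Run it as root so that every process is readable.
"""
import os
import sys
from typing import Dict, List, Optional, Tuple


def _mount_ns(pid: int) -> Optional[str]:
    """Return the mount namespace link of PID (e.g. 'mnt:[4026531840]'),
    or None if it cannot be read (no permission, or the process exited)."""
    try:
        return os.readlink(f"/proc/{pid}/ns/mnt")
    except OSError:
        return None


def _root_id(pid: int) -> Optional[Tuple[int, int]]:
    """Return (device, inode) of the directory that PID sees as '/', or None."""
    try:
        st = os.stat(f"/proc/{pid}/root")
        return (st.st_dev, st.st_ino)
    except OSError:
        return None


def inspect_pid(pid: int, reference: int = 1) -> Dict[str, Optional[bool]]:
    """Compare PID's root directory and mount namespace with `reference`.

    Each flag is True (differs from the reference, so Ksplice would report
    the process as unpatchable), False (same) or None (could not be read).
    """
    ref_ns, pid_ns = _mount_ns(reference), _mount_ns(pid)
    ref_root, pid_root = _root_id(reference), _root_id(pid)
    return {
        "foreign_mount_ns": None if None in (ref_ns, pid_ns) else ref_ns != pid_ns,
        "changed_root": None if None in (ref_root, pid_root) else ref_root != pid_root,
    }


def self_consistency_check() -> Dict[str, Optional[bool]]:
    """A process compared with itself must report no difference; this is a
    quick sanity test of the /proc lookups on the current host."""
    me = os.getpid()
    return inspect_pid(me, reference=me)


def _comm(pid: int) -> str:
    """Short command name, as shown in the Ksplice output, or '?'."""
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def unpatchable_processes(reference: int = 1) -> List[str]:
    """Return 'name (pid)' for each process whose root or mount namespace
    differs from the reference process (PID 1 by default)."""
    if _mount_ns(reference) is None:
        print(f"cannot read /proc/{reference}/ns/mnt; run as root", file=sys.stderr)
    found = []
    for pid in sorted(int(e) for e in os.listdir("/proc") if e.isdigit()):
        flags = inspect_pid(pid, reference)
        if flags["foreign_mount_ns"] or flags["changed_root"]:
            found.append(f"{_comm(pid)} ({pid})")
    return found


if __name__ == "__main__":
    hits = unpatchable_processes()
    print("Processes that have changed root or mount namespace:" if hits
          else "No process has changed root or mount namespace.")
    for line in hits:
        print("  └─", line)
```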

Installing the Ksplice Enhanced Client From ULN

Note:

If using Oracle Cloud Infrastructure, Ksplice is already installed by default (on all Oracle Linux instances launched after August 25, 2017). For more information, see Oracle Ksplice on Oracle Cloud Infrastructure.

Note:

The following procedure applies only to Oracle Linux releases. To use Ksplice to patch the Xen hypervisor on Oracle VM 3.4.5 and later releases, refer to the Oracle VM documentation that corresponds to the release that you are running. For example, if you are running Oracle VM 3.4.5, see Updating Oracle VM Server With Oracle Ksplice in the Oracle VM Administration Guide for Release 3.4.

  1. Before installing the Enhanced Client:

    • Verify that the system is running Oracle Linux 6, Oracle Linux 7, Oracle Linux 8, or Oracle Linux 9 with a supported version of either the Unbreakable Enterprise Kernel (UEK) or the Red Hat Compatible Kernel (RHCK) installed.

      Use the uname -a command to verify the kernel version. See Maintained Kernels. Ksplice applies updates to the currently running kernel only, so ensure that the running kernel is the one you want to update.

    • For an online client, register the system with ULN and verify that it has a connection to the Oracle Uptrack server.

    • For an offline client, configure a local ULN mirror.

  2. Log in to ULN at https://linux.oracle.com. Provide the ULN user name and password that you used to register the system.

  3. Subscribe to the necessary channels:

    1. On the Systems tab, click the link named for your system in the list of registered machines.

    2. On the System Details page, click Manage Subscriptions.

      The Ksplice Enhanced client and Ksplice-aware user space packages are available in the following channels on ULN:

      • Ksplice for Oracle Linux 6 (x86_64) (ol6_x86_64_ksplice)

      • Ksplice for Oracle Linux 7 (x86_64) (ol7_x86_64_ksplice)

      • Ksplice for Oracle Linux 7 (aarch64) (ol7_aarch64_ksplice)

      • Ksplice for Oracle Linux 8 (x86_64) (ol8_x86_64_ksplice)

      • Ksplice for Oracle Linux 8 (aarch64) (ol8_aarch64_ksplice)

      • Ksplice for Oracle Linux 9 (x86_64) (ol9_x86_64_ksplice)

      • Ksplice for Oracle Linux 9 (aarch64) (ol9_aarch64_ksplice)

      • Ksplice-aware user space packages for Oracle Linux 6 (x86_64) (ol6_x86_64_userspace_ksplice)

      • Ksplice-aware user space packages for Oracle Linux 7 (x86_64) (ol7_x86_64_userspace_ksplice)

      • Ksplice-aware user space packages for Oracle Linux 7 (aarch64) (ol7_aarch64_userspace_ksplice)

      • Ksplice-aware user space packages for Oracle Linux 8 (x86_64) (ol8_x86_64_userspace_ksplice)

      • Ksplice-aware user space packages for Oracle Linux 8 (aarch64) (ol8_aarch64_userspace_ksplice)

      • Ksplice-aware user space packages for Oracle Linux 9 (x86_64) (ol9_x86_64_userspace_ksplice)

      • Ksplice-aware user space packages for Oracle Linux 9 (aarch64) (ol9_aarch64_userspace_ksplice)

    3. On the System Summary page, select both the Ksplice user space and Ksplice channels from the list of available channels, then click the right arrow (>) to move them to the list of subscribed channels.

    4. Accept the licensing terms for the Ksplice Enhanced client packages.

    5. Save the subscription and log out of ULN.

  4. If you use an Internet proxy, configure the HTTP and HTTPS settings for the proxy in the shell as follows:

    • For the sh, ksh, or bash shells, use commands such as the following:

      http_proxy=http://proxy_URL:http_port
      https_proxy=http://proxy_URL:https_port
      export http_proxy https_proxy

    • For the csh shell, use commands such as the following:

      setenv http_proxy http://proxy_URL:http_port
      setenv https_proxy http://proxy_URL:https_port

    Set the variables in the shell from which you run the package manager commands.

  5. Log in to the system as the root user.

  6. If prelink is installed, revert all of the prelinked binaries and any dependent libraries to their original state, then remove the prelink package:

    sudo prelink -au
    sudo yum remove prelink

    Note:

    prelink is installed and enabled by default on Oracle Linux 6, but not Oracle Linux 7, Oracle Linux 8 or Oracle Linux 9.

  7. Install the ksplice package:

    • For the Ksplice online client, use the following command:

      sudo yum install -y ksplice uptrack

    • For the Ksplice offline client, use the following command:

      sudo yum install -y ksplice ksplice-offline uptrack-offline

    The access key for Ksplice Uptrack is retrieved from ULN and added to the /etc/uptrack/uptrack.conf file, as shown in the following example:

    [Auth]
    accesskey = 0e1859ad8aea14b0b4306349142ce9160353297daee30240dab4d61f4ea4e59b

    The following packages are installed on the system:

    ksplice-core

    Contains the shared user space libraries, such as glibc and openssl, that support Ksplice patching.

    ksplice-helper

    Contains a helper library that enables user space executables to be patched by Ksplice.

    ksplice-helper-devel

    Contains the development environment for creating user space libraries that support Ksplice patching.

    ksplice-tools

    Contains the ksplice executable and ksplice(8) manual page.

  8. Update the system to install the Ksplice-aware versions of the user space libraries:

    sudo yum update

    To install just the libraries and not update any other packages, limit the update to the following channels, as appropriate:

    • ol6_x86_64_userspace_ksplice

    • ol7_x86_64_userspace_ksplice

    • ol7_aarch64_userspace_ksplice

    • ol8_x86_64_userspace_ksplice

    • ol8_aarch64_userspace_ksplice

    • ol9_x86_64_userspace_ksplice

    • ol9_aarch64_userspace_ksplice

    For example, to update the packages from the Ksplice-aware user space channel for Oracle Linux 7 on x86_64, run:

    sudo yum --disablerepo='*' --enablerepo=ol7_x86_64_userspace_ksplice update

    Alternatively, specify the glibc* and openssl* package globs with the install command for your package manager. To use this client for kernel updates, install the kernel update package in the same way as for the standard Uptrack client, for example:

    sudo yum install uptrack-updates-`uname -r`

  9. To enable the automatic installation of updates, change the entry in the /etc/uptrack/uptrack.conf file from no to yes:

    autoinstall = yes

  10. Reboot the system for the changes to take effect.

    sudo systemctl reboot

    For Oracle Linux 6, use the following command:

    sudo reboot

The Ksplice Enhanced client uses the same configuration file (/etc/uptrack/uptrack.conf) as the Ksplice Uptrack client. See Configuring the Ksplice Uptrack Client.

To manage the Ksplice Enhanced client, use the ksplice command. See Using the ksplice Command to Manage the Ksplice Enhanced Client.

Using the ksplice Command to Manage the Ksplice Enhanced Client

You manage the Ksplice Enhanced client by using the ksplice command. Use this command instead of the uptrack commands that are used with the traditional Ksplice Uptrack client. The ksplice command enables you to perform user space patching, in addition to kernel patching.

List Targets

To display all of the running user space processes that the client can patch, use the ksplice all list-targets command, for example:

sudo ksplice all list-targets
User-space targets:

glibc-ISO8859-1-2.17.78.0.1.1.ksplice25.el7
  └─ gnome-shell (3783)

glibc-libutil-2.17.78.0.1.1.ksplice25.el7
  ├─ firewalld (680)
  ├─ tuned (695)
  ├─ libvirtd (1492)
  ├─ sshd (1497)
  ├─ httpd (1503)
  ├─ httpd (1706)
  ├─ httpd (1707)
  ├─ httpd (1708)
  ├─ httpd (1709)
  ├─ httpd (1710)
  ├─ colord (1942)
  ├─ gdm-session-wor (3418)
  ├─ gnome-session (3460)
  ├─ gvfsd (3534)
  ├─ gvfsd-fuse (3555)
  ├─ ssh-agent (3617)
  ├─ gnome-settings- (3658)
  ├─ gvfs-udisks2-vo (3727)
  ├─ gvfs-afc-volume (3754)
  ├─ gvfs-mtp-volume (3761)
  ├─ gvfs-gphoto2-vo (3765)
  ├─ gvfs-goa-volume (3769)
  ├─ goa-daemon (3772)
  ├─ gnome-shell (3783)
  ├─ ibus-daemon (3817)
  ├─ ibus-dconf (3821)
  ├─ ibus-x11 (3823)
  ├─ evolution-sourc (3853)
  ├─ nautilus (3882)
  ├─ ibus-engine-sim (3884)
  ├─ tracker-store (3943)
  ├─ abrt-applet (3980)
  ├─ tracker-miner-f (4040)
  ├─ gvfsd-trash (4062)
  ├─ sshd (29328)
  ├─ packagekitd (29465)
  └─ python (29679)
...
Kernel version: Linux/x86_64/3.10.0-229.el7.x86_64/#1 SMP Fri Mar 6 04:05:24 PST 2015
Xen version: xen/x86_64/#2 SMP Tue Aug 15 13:47:00 PDT 2017/Tue Aug  1 20:27:56 PDT 2017

To display just the Xen hypervisor targets that the client can patch, use the ksplice xen list-targets command:

sudo ksplice xen list-targets

For each Ksplice-aware library, the command reports the running processes that would be affected by an update. The command also reports the effective version of the loaded kernel.

Show Updates

To display the updates that have been applied to the system, use the ksplice all show command:

sudo ksplice all show
httpd (1706)
httpd (1708)
httpd (1707)
httpd (1709)
httpd (1710)
rsyslogd (689)
chronyd (705)
httpd (1503)
  ├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
  └─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().

Ksplice kernel updates installed:

Installed updates:
[rfywob9d] Clear garbage data on the kernel stack when handling signals.
[6w5ho5e2] Provide an interface to freeze tasks.
[ftjj21d0] CVE-2015-1421: Privilege escalation in SCTP INIT collisions.
[kw5m66w8] CVE-2015-8159: Privilege escalation in Infiniband userspace access.
[2w6jgsn7] CVE-2015-3331: Privilege escalation in Intel AES RFC4106 decryption.
[p0gek4ir] CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.
[sjqkwypd] CVE-2014-9529: Use-after-free when garbage collecting keys.
[tfn81scy] CVE-2015-1593: Stack layout randomization entropy reduction.
[jga5l35w] CVE-2015-1573: Use-after-free when flushing netfilter rules.
[gdzmj5lc] CVE-2014-9584: Out-of-bounds memory access in ISO filesystem when printing ER records.
[01560qvg] CVE-2015-2830: mis-handling of int80 fork from 64bits application.
[7ylonu77] CVE-2015-1805: Memory corruption in handling of userspace pipe I/O vector.
[7yehlpm8] Kernel hang on UDP flood with wrong checksums.
[xp1v1o7h] CVE-2014-9715: Remote code execution in the netfilter connection tracking subsystem.
[89yjgn50] CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.
[g327jyvw] CVE-2015-2922: Denial-of-service of IPv6 networks when handling router advertisements.

Ksplice xen updates installed

  [87x4i9rd]: XSA-230: Information leak when using grant tables.
  [25aiflvq]: XSA-228: Race condition when allocating grant pages.
  [frevokn8]: XSA-227: User controlled memory corruption when mapping a grant reference.

The command reports the updates that have been applied to running processes, as well as the updates to the kernel. In the previous example, Ksplice applied updates for CVE-2014-7817 and CVE-2015-1781 to all of the listed processes.

To restrict the scope of the ksplice command to user space updates or kernel updates, specify user or kernel instead of all with the command.

To restrict the ksplice command to just the Xen hypervisor, specify xen instead of all with the command.

To display the updates that have been applied to a process specified by its PID, use the --pid=$PID option with the ksplice user show command:

sudo ksplice user show --pid=705

Output similar to the following is displayed:

chronyd (705)
  ├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
  └─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().

Remove Updates

Use the remove subcommand to remove all of the updates from a process, for example:

sudo ksplice user remove --all --pid=705

To remove a specific update that Ksplice has applied to a process, use the undo subcommand:

sudo ksplice user undo --pid=705 h73qvumn

Note:

If necessary, you can prevent Ksplice from patching specified executables and libraries. See Preventing the Ksplice Enhanced Client From Patching User Space Processes and Libraries.

Ksplice patches are stored in the /var/cache/uptrack directory. Following a reboot, Ksplice automatically reapplies these patches early in the boot process before the network is configured so that the system is hardened before any remote connections can be established.

List Available Updates

To list all of the available Ksplice updates without installing them, use the upgrade subcommand with the -n option:

sudo ksplice -n kernel upgrade

To install all of the available Ksplice updates, use the upgrade subcommand with the -y option, for example:

sudo ksplice -y user upgrade

To list all of the available Ksplice updates for the Xen hypervisor, use the upgrade subcommand:

sudo ksplice -n xen upgrade

Show Kernel Version

After Ksplice applies updates to a running kernel, the kernel has an effective version that is different from the original boot version displayed by the uname -a command.

Use the ksplice kernel uname -r command to display the effective version of the kernel:

sudo ksplice kernel uname -r
3.8.13-55.1.1.el6uek.x86_64

The ksplice kernel uname command supports the commonly used uname flags, including -a and -r, and also provides a way for applications to detect that the kernel has been patched. The effective version is based on the version number of the latest patch that Ksplice Uptrack has applied to the kernel.

Examples

The following examples show ways in which you can view information about Ksplice updates and administer Ksplice updates on a system.

View the updates that Ksplice Uptrack has made to the running kernel:

sudo ksplice kernel show

View the updates that Ksplice Uptrack has made to the Xen hypervisor:

sudo ksplice xen show

View the updates that are available to be installed:

sudo ksplice kernel show --available

Remove all updates from the kernel:

sudo ksplice kernel remove --all

Remove all updates from the Xen hypervisor:

sudo ksplice xen remove --all

To prevent Ksplice from reapplying the updates at the next system reboot, create the empty file /etc/uptrack/disable:

sudo touch /etc/uptrack/disable

Alternatively, you can specify nouptrack as a parameter on the boot command line when you next restart the system.

Manual Page

For more information and examples, see the ksplice(8) manual page.

Preventing the Ksplice Enhanced Client From Patching User Space Processes and Libraries

If you do not want Ksplice to patch the user space processes for certain executables or libraries, specify them in a configuration file in the /etc/ksplice/blacklist.d directory. The following example of a localblacklist.conf file prevents Ksplice from patching any process whose executable is in the /opt/app/bin or /usr/local/bin directory, and from patching any shared library with a name matching liblocal-*.

The rules are Python regular expressions, one per line, listed under the [executables] and [targets] sections:

[executables]
^/opt/app/bin/.*$
^/usr/local/bin/.*$

[targets]
^liblocal-.*$
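
As an added example (not the client's own parser), the following Python script loads a blacklist file in this format, compiles each rule, and reports which of a constructed set of executable and library names would be excluded; the sample target names are made up, apart from the glibc library name taken from the list-targets output earlier on this page. It is useful for checking a rule before deploying it, because a mistyped path silently matches nothing.

```python
#!/usr/bin/env python3
"""Added example: check a Ksplice user space blacklist before deploying it.

A file in /etc/ksplice/blacklist.d lists Python regular expressions under
[executables] (matched against the executable path of a process) and
[targets] (matched against the name of a Ksplice-aware library). This
script is not the client's own parser; it re-implements the matching so
that the rules can be tested against the processes and libraries that
`ksplice all list-targets` reports, before the file goes live.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the localblacklist.conf file shown in the text.
SAMPLE_BLACKLIST = """
[executables]
^/opt/app/bin/.*$
^/usr/local/bin/.*$

[targets]
^liblocal-.*$
"""

# Constructed sample of (executable path, Ksplice-aware library) pairs in the
# spirit of the `ksplice all list-targets` output. The glibc library name is
# taken from that output; the executable paths and liblocal-auth are made up.
SAMPLE_TARGETS: List[Tuple[str, str]] = [
    ("/usr/sbin/sshd", "glibc-libutil-2.17.78.0.1.1.ksplice25.el7"),
    ("/usr/sbin/httpd", "glibc-libutil-2.17.78.0.1.1.ksplice25.el7"),
    ("/opt/app/bin/worker", "glibc-libutil-2.17.78.0.1.1.ksplice25.el7"),
    ("/usr/local/bin/agent", "glibc-libutil-2.17.78.0.1.1.ksplice25.el7"),
    ("/usr/bin/python", "liblocal-auth-1.0.ksplice1.el7"),
]

SECTIONS = ("executables", "targets")


def load_rules(text: str) -> Dict[str, List[re.Pattern]]:
    """Parse blacklist text into compiled regexes per section.

    Raises ValueError for an unknown section or a rule outside any section,
    and re.error for a rule that is not a valid Python regular expression,
    so that a broken file is caught here rather than silently ignored.
    """
    rules: Dict[str, List[re.Pattern]] = {s: [] for s in SECTIONS}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section not in rules:
                raise ValueError(f"line {lineno}: unknown section [{section}]")
            continue
        if section is None:
            raise ValueError(f"line {lineno}: rule outside a section: {line}")
        rules[section].append(re.compile(line))
    return rules


def is_blacklisted(rules: Dict[str, List[re.Pattern]],
                   executable: str, library: str) -> bool:
    """True if either the executable path or the library name matches a rule.
    re.search is used here; the documented rules are anchored with ^...$, so
    match and search give the same result for them."""
    return (any(r.search(executable) for r in rules["executables"])
            or any(r.search(library) for r in rules["targets"]))


def excluded_targets(rules: Dict[str, List[re.Pattern]],
                     targets: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (executable, library) pairs that the rules would exclude."""
    return [t for t in targets if is_blacklisted(rules, *t)]


if __name__ == "__main__":
    good = load_rules(SAMPLE_BLACKLIST)
    for exe, lib in excluded_targets(good, SAMPLE_TARGETS):
        print(f"excluded: {lib} in {exe}")
    # A one-letter typo in a path silently stops the rule from matching:
    typo = load_rules(SAMPLE_BLACKLIST.replace("/opt/app/", "/opt/apt/"))
    print("worker still excluded with the typo?",
          is_blacklisted(typo, "/opt/app/bin/worker", SAMPLE_TARGETS[0][1]))
```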

Configuring the Ksplice Enhanced Client for Offline Mode

The offline version of the Ksplice Enhanced Client removes the requirement that a server on your intranet has a direct connection to the Oracle Uptrack server or ULN. Prior to configuring an offline client, you must set up a local ULN mirror that can act as a Ksplice mirror.

For more information about running Ksplice offline, see About Ksplice Offline Mode.

  1. Before proceeding, ensure you have configured a local ULN mirror.

  2. Import the GPG key.

    sudo rpm --import /usr/share/rhn/RPM-GPG-KEY

  3. Disable any existing yum repositories that are configured in the /etc/yum.repos.d directory.

    You can either edit any existing repository files and disable all of the entries by setting enabled=0; or, you can use yum-config-manager, for example:

    sudo yum-config-manager --disable \*

    Alternatively, you can rename any of the files in this directory so that they do not use the .repo suffix. This change causes the yum command to ignore these entries, as shown in the following example:

    cd /etc/yum.repos.d
    for i in *.repo; do sudo mv "$i" "$i.disabled"; done

  4. In the /etc/yum.repos.d directory, create the local-yum.repo file, which contains entries such as the following for an Oracle Linux 7 yum client:

    [local_ol7_x86_64_ksplice]
    name=Ksplice for Oracle Linux $releasever - $basearch
    baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/ksplice/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
    gpgcheck=1
    enabled=1
    
    [local_ol7_x86_64_ksplice_userspace]
    name=Ksplice aware userspace packages for Oracle Linux $releasever - $basearch
    baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/userspace/ksplice/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
    gpgcheck=1
    enabled=1
    
    [local_ol7_latest]
    name=Oracle Linux $releasever - $basearch - latest
    baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/latest/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
    gpgcheck=1
    enabled=1
    
    [local_ol7_UEKR5_latest]
    name=Unbreakable Enterprise Kernel Release 5 for Oracle Linux $releasever - $basearch - latest
    baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/UEKR5/latest/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
    gpgcheck=1
    enabled=1
    
    [local_ol7_addons]
    name=Oracle Linux $releasever - $basearch - addons
    baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/addons/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
    gpgcheck=1
    enabled=1

    • Replace local_uln_mirror with the IP address or resolvable host name of the local ULN mirror.

    • To distinguish the local repositories from the ULN repositories, optionally prefix the labels for each entry with a string such as local_. Note that you must also edit the uptrack configuration, as described in step 7.

    • The previous example configuration enables the local_ol7_x86_64_ksplice, local_ol7_x86_64_ksplice_userspace, local_ol7_latest, local_ol7_UEKR5_latest, and local_ol7_addons channels.

  5. Test the configuration:

    1. Clear the yum metadata cache.

      sudo yum clean metadata

    2. Verify the configuration.

      sudo yum repolist

      If the yum commands cannot connect to the local ULN mirror, check that the firewall settings on the local ULN mirror server allow incoming TCP connections to the HTTP port (usually, port 80).

  6. If prelink is installed, revert all of the prelinked binaries and dependent libraries to the original states and then remove the prelink package as follows:

    sudo prelink -au
    sudo yum remove prelink

    The prelink package is installed and enabled by default on Oracle Linux 6, but not on Oracle Linux 7, Oracle Linux 8 or Oracle Linux 9.

  7. Install the offline version of the enhanced client package.

    sudo yum install ksplice-offline

  8. Add a configuration directive to the /etc/uptrack/uptrack.conf file to provide the enhanced client with the label of the local, user space channel in your local yum repository configuration.

    Note:

    You can skip this step if you did not use the local_ prefix for the channel label, and this label is an exact match of the label that is used on ULN. If you used the local_ prefix or labeled this channel differently, add the following lines, but instead of local_ol7_x86_64_ksplice_userspace, specify the same label that you used for the Ksplice user space channel, for example:

    [User]
    yum_userspace_ksplice_repo_name = local_ol7_x86_64_ksplice_userspace

  9. To install offline update packages, install the relevant packages, for example:

    sudo yum install ksplice-updates-glibc ksplice-updates-openssl

    If you are installing the offline updates package for the Xen hypervisor, specify the release in the command, for example:

    sudo yum install ksplice-updates-xen-$RELEASE

    In the previous command, $RELEASE is the version of the update package that corresponds to the version of the hypervisor that is currently running, as shown in this example:

    sudo yum install ksplice-updates-xen-4.4.4-153.el6

    After you have installed these packages, the offline version of the enhanced client behaves exactly the same way as the online version.

  10. Update the system to install the Ksplice-aware versions of the user space libraries:

    sudo yum update

    To install just the libraries and not any other packages, limit the update to the Ksplice user space channel, for example, the ol7_x86_64_userspace_ksplice channel:

    sudo yum --disablerepo='*' --enablerepo=ol7_x86_64_userspace_ksplice update

    Alternatively, you can use the following command:

    sudo yum update 'glibc*' 'openssl*'

    You might also use this client to perform kernel updates in the same way that you are able to use the standard uptrack client:

    sudo yum install uptrack-updates-`uname -r`

  11. To enable the automatic installation of updates, change the entry in /etc/uptrack/uptrack.conf from no to yes, as shown in the following example:

    autoinstall = yes

  12. Reboot the system so that the system uses the new libraries.

    Note:

    If you installed updates for the Xen hypervisor, no special configuration is required, and you do not need to reboot the system for the updates to be applied.

Using the Known Exploit Detection Feature on the Ksplice Enhanced Client

Note:

Known exploit detection support is available for the Ksplice Enhanced client only and is currently not supported on the 64-bit Arm (aarch64) platform.

Oracle provides the known exploit detection feature for supported systems that have the Ksplice Enhanced client installed. This feature reports attempted exploitation by known attack vectors. When new Common Vulnerabilities and Exposures (CVEs) are discovered and patched with Ksplice, Oracle may add tripwires to the code that fire when an erroneous condition is triggered, thus enabling you to monitor your systems for suspicious activity.

Note:

Because not all security issues have tripwires added, and also because it is possible to trigger tripwires under normal operations, additional analysis of erroneous conditions might be required.

Running Known Exploit Detection on the Ksplice Enhanced Client

You can run the Ksplice known exploit detection on supported Oracle Linux systems that have the Ksplice Enhanced client installed. This feature works for both the online and offline Ksplice Enhanced client.

To run known exploit detection with the default configuration:

  1. Install the ksplice-known-exploit-detection package:

    sudo yum install ksplice-known-exploit-detection

  2. Add the following lines to the /etc/uptrack/uptrack.conf file:

    [Known-Exploit-Detection]
    enabled = yes

  3. Enable the feature by running the kernel upgrade command:

    sudo ksplice kernel upgrade

  4. Verify that the feature has been enabled for the current kernel:

    cat /proc/sys/kernel/known_exploit_detection

    If the value is 0 or the file is missing, known exploit detection is not enabled for the running kernel. If the value is 1, known exploit detection is enabled on the system.

The helper file, /usr/sbin/log-known-exploit, is invoked directly by the kernel. To invoke the helper manually to check your configuration or to perform dry-run tests, use the following command:

/usr/sbin/log-known-exploit --help

You can specify the following additional options and arguments with this command:

-h, --help

Display the help message and exit.

-c, --config /etc/example.conf

Specify a compatible configuration file. Defaults to /etc/log-known-exploit.conf.

-f, --force

Run the command without checking for root permissions.

-n, --dry-run

Simulate the output and expected actions that would be performed by the helper file.

-d, --dummy

Use dummy data to verify that report logging is configured correctly.

Setting Up Email Alerts for Exploit Attempts

The default configuration for the Ksplice known exploit detection feature only logs exploit attempts to syslog by using the normal syslog facilities. To set up email alerts, edit the /etc/log-known-exploit.conf file as follows:

[email]
enabled: 1
recipients: admin@example.com

You can use the same configuration file to specify which tripwire reports should be logged or ignored:

[actions]
CVE-2019-12345: report
CVE-2019-12346: ignore

To define the logging behavior for tripwires that are not specified, add a value for default to the list. For example, to avoid logging any tripwire reports unless they are specified, do the following:

[actions]
default: ignore

Temporarily Disabling and Enabling Tripwires

For troubleshooting purposes, you can disable or enable a specific tripwire manually.

To disable a specific tripwire until the next reboot, remove the CVE reference from the /proc/sys/kernel/known_exploit_detection_tripwires file as follows:

echo -n '-CVE-2019-12345' |sudo tee /proc/sys/kernel/known_exploit_detection_tripwires

To enable a specific tripwire, append the CVE reference to the same configuration file again:

echo -n '+CVE-2019-12345' |sudo tee /proc/sys/kernel/known_exploit_detection_tripwires

Removing the Ksplice Enhanced Client Software

To remove the Ksplice Enhanced client software:

sudo yum -y remove ksplice

To remove the offline version of the Ksplice Enhanced client software:

sudo yum -y remove ksplice-offline

To remove the Ksplice-aware versions of the glibc and openssl packages from the system:

  1. Unsubscribe all of the currently subscribed Ksplice-aware user space channels from the yum repository.

  2. Manually downgrade the Ksplice-aware packages by using the yum shell and entering the following lines separately:

    sudo yum shell
    > erase ksplice-helper
    > downgrade glibc* openssl*
    > run

    Note:

    The following single command performs the same downgrade without manual entry and can be used for automation:

    printf 'erase ksplice-helper\n downgrade glibc* openssl*\n run' | sudo yum -y shell