Using the ksplice Command For the Ksplice Enhanced Client
Summary
You manage the Ksplice Enhanced client by using the ksplice command.
The ksplice command can perform user space patching, in addition to
kernel patching.
Usage
The ksplice command performs actions on the following subsystems:
kernel: action is performed on the kernel subsystem only
user: action is performed on the user space subsystem only
all: action is performed on all subsystems
Actions, in the form of subcommands, include:
list-targets: list the available targets that can be patched by the client
show: show updates that have already been applied by the client
apply: apply an update to the system specified by an update path
undo: undo an update to the system specified by a unique Ksplice identifier
upgrade: update the system with all available Ksplice updates
remove: remove updates either by specified Ksplice identifiers or by using the --all option to remove all updates
Command syntax is as follows:
ksplice [OPTIONS] SUBSYSTEM SUBCOMMAND
See the ksplice(8) manual page for more information.
Ksplice Subcommands
-
List targets.
To display all the running user space processes that the client can patch, use the ksplice all list-targets command, for example:
sudo ksplice all list-targets
Output might appear as follows:

User-space targets:
glibc-libm-2.34.100.0.1.ksplice1.el9_4.2:
  - crond (46435)
  - ksplice (51778)
glibc-libc-2.34.100.0.1.ksplice1.el9_4.2:
  - crond (46435)
  - ksplice (51778)
  - less (51781)
openssl-libssl-3.0.7.27.0.3.ksplice1.el9:
  - ksplice (51778)
openssl-libcrypto-3.0.7.27.0.3.ksplice1.el9:
  - ksplice (51778)
Kernel version:
Linux/x86_64/5.15.0-206.153.7.el9uek.x86_64/#2 SMP Thu May 9 15:59:05 PDT 2024

For each Ksplice-aware library, the command reports the running processes that would be affected by an update. The command also reports the effective version of the loaded kernel.
-
Show updates.
To display the updates that have been applied to the system, use the ksplice all show command:
sudo ksplice all show
Output might appear as follows:

Ksplice user-space updates:
chronyd (705)
httpd (1503)
├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
└─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().
Ksplice kernel updates:
Installed updates:
[nf9nfyzj] Enablement update for live patching.
[fe2qyrtu] Denial-of-service when checking if an address is a jump label.
[bvjiimlr] Enable livepatching of jump labels.
[id9g0y8c] Known exploit detection.
[aq4p03vt] Known exploit detection for CVE-2019-9213.
[pjd4ekqc] Known exploit detection for CVE-2017-1000253.
[syt1v7t7] Known exploit detection for CVE-2022-0847.
[rpa4ixvy] Known exploit detection for CVE-2022-27666.
[hisf1nu9] Known exploit detection for CVE-2016-5195.
...
[gsf5wlo8] CVE-2024-36934: Information leak in QLogic BR-series Ethernet driver.
[e12zrdy5] CVE-2024-36919: Denial-of-service in QLogic Fiber-Channel-over-Ethernet offload driver.
[ednh9erf] CVE-2024-36904: Remote code execution in TCP/IP networking stack.
[8vkhpraf] CVE-2024-27398: Denial-of-service in Bluetooth Classic (BR/EDR) features.
Effective kernel version is 5.15.0-208.159.3.el9uek

The command reports the updates that have been applied to running processes, and the updates to the kernel. In the example output, Ksplice applied updates for CVE-2014-7817 and CVE-2015-1781 to some user space processes.
To restrict the scope of the ksplice command to user space updates or kernel updates, specify user or kernel instead of all with the command.
To display the updates that have been applied to a process specified by its PID, use the --pid=$PID option with the ksplice user show command:
sudo ksplice user show --pid=705
Output similar to the following is displayed:

chronyd (705)
├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
└─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().

-
Remove updates.
Use the remove subcommand to remove all the updates from a process, for example:
sudo ksplice user remove --all --pid=705
To remove a specific update that Ksplice has applied to a process, use the undo subcommand:
sudo ksplice user undo --pid=705 h73qvumn
Note:
You can prevent Ksplice from patching specified executables and libraries. See Preventing the Ksplice Enhanced Client From Patching User Space Processes and Libraries.
Ksplice patches are stored in the /var/cache/uptrack directory. Following a reboot, Ksplice automatically reapplies these patches early in the boot process before the network is configured so that the system is hardened before any remote connections can be established.
-
List and install available updates.
To list all the available Ksplice updates, use the upgrade subcommand:
sudo ksplice -n kernel upgrade
To install all the available Ksplice updates, use the upgrade subcommand as follows:
sudo ksplice -y user upgrade
-
Show kernel version.
After Ksplice applies updates to a running kernel, the kernel has an effective version that differs from the original boot version displayed by the uname -a command.
Use the ksplice kernel uname -r command to display the effective version of the kernel:
sudo ksplice kernel uname -r
The ksplice kernel uname command supports the commonly used uname flags, including -a and -r, and also provides a way for applications to detect that the kernel has been patched. The effective version is based on the version number of the latest patch that Ksplice Uptrack has applied to the kernel.
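The following added example (not from the original page or from Oracle) parses ksplice all show output to report which required CVE IDs have no applied fix in a subsystem, and extracts the effective kernel version. The sample text is constructed from the output shown above, the function names are hypothetical, and treating "Known exploit detection for CVE-..." entries as not being fixes is this example's assumption.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit `ksplice all show` output for CVE coverage.

# Constructed sample, shaped like the output shown on this page.
SAMPLE_SHOW='Ksplice user-space updates:
chronyd (705)
├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
└─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().
Ksplice kernel updates:
Installed updates:
[nf9nfyzj] Enablement update for live patching.
[syt1v7t7] Known exploit detection for CVE-2022-0847.
[ednh9erf] CVE-2024-36904: Remote code execution in TCP/IP networking stack.
Effective kernel version is 5.15.0-208.159.3.el9uek'

# applied_cves user|kernel : read show output on stdin, print CVE IDs fixed there.
# Only "[id] CVE-...:" and "[id]: CVE-...:" entries count; detection-only entries
# ("Known exploit detection for CVE-...") are skipped. That reading is an assumption.
applied_cves() {
    awk -v want="$1" '
        /^Ksplice user-space updates:/ { sect = "user";   next }
        /^Ksplice kernel updates:/     { sect = "kernel"; next }
        sect == want && match($0, /\]:? CVE-[0-9]+-[0-9]+:/) {
            id = substr($0, RSTART, RLENGTH)
            sub(/^\]:? /, "", id); sub(/:$/, "", id)
            print id
        }' | sort -u
}

# missing_cves user|kernel CVE-ID... : print the required IDs with no applied fix.
missing_cves() {
    sect=$1; shift
    have=$(applied_cves "$sect")
    for cve in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$cve" || printf '%s\n' "$cve"
    done
}

# effective_version : pull the effective kernel version out of the same output.
effective_version() {
    sed -n 's/^Effective kernel version is //p'
}

# On a patched host, pipe `sudo ksplice all show` in instead of the sample.
printf '%s\n' "$SAMPLE_SHOW" | missing_cves kernel CVE-2024-36904 CVE-2022-0847
printf '%s\n' "$SAMPLE_SHOW" | effective_version
```
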
Example 3-1 Example Usage
The following examples show ways in which you can view information about Ksplice updates and administer Ksplice updates on a system.
View the updates that Ksplice Uptrack has made to the running kernel:
sudo ksplice kernel show
View the updates that are available to be installed:
sudo ksplice kernel show --available
Remove all updates from the kernel:
sudo ksplice kernel remove --all
/etc/uptrack/disable:
touch /etc/uptrack/disable
Or, you can specify nouptrack as a parameter on the boot command line when you next restart the system.