2.7.1 Running Known Exploit Detection on the Ksplice Enhanced Client

You can run the Oracle Ksplice known exploit detection on supported Oracle Linux systems that have the Ksplice Enhanced client installed. This feature works for both the online and offline Ksplice Enhanced client.

To run known exploit detection with the default configuration:

  1. Install the ksplice-known-exploit-detection package:

    # yum install ksplice-known-exploit-detection

  2. Add the following lines to the /etc/uptrack/uptrack.conf file:

    [Known-Exploit-Detection]
    enabled = yes

  3. Enable the feature by running the kernel upgrade command:

    # ksplice kernel upgrade

  4. Verify that the feature has been enabled for the current kernel:

    # cat /proc/sys/kernel/known_exploit_detection

    If the value is 0 or the file is missing, then the kernel has not enabled known exploit detection. If the value is 1, known exploit detection is enabled on the system.
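The following audit check is an added example, not part of the Oracle documentation or the Ksplice packages. It confirms that the setting from step 2 is inside the correct section and that the running kernel reports the value described in step 4; the function names and the `unknown` state are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit helper for the procedure above (not Oracle code).
# Paths are parameters so the functions can be run against test copies.

# ked_conf_enabled FILE
# Succeeds only if "enabled = yes" sits inside the [Known-Exploit-Detection]
# section, spelled as the page shows it. An "enabled" key that belongs to a
# different section, or a commented-out line, does not count.
ked_conf_enabled() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[Known-Exploit-Detection\][ \t]*$/); next }
        insec && /^[ \t]*enabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            found = (v == "yes")      # the last assignment in the section wins
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# ked_kernel_state FILE
# Prints enabled (value 1), disabled (value 0) or missing (no file), the
# three cases from step 4; any other content is reported as unknown.
ked_kernel_state() {
    if [ ! -r "$1" ]; then echo missing; return; fi
    case "$(tr -d '[:space:]' < "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# ked_audit [CONF] [PROC]
# Prints one summary line and succeeds only when the configuration and the
# running kernel both report the feature as on.
ked_audit() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    proc=${2:-/proc/sys/kernel/known_exploit_detection}
    state=$(ked_kernel_state "$proc")
    if ked_conf_enabled "$conf"; then cfg=yes; else cfg=no; fi
    echo "config=$cfg kernel=$state"
    [ "$cfg" = yes ] && [ "$state" = enabled ]
}
```

Source the file and run `ked_audit` with no arguments on the system being checked. A result of `config=yes kernel=disabled` or `kernel=missing` means the setting is in place but the running kernel has not enabled the feature.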

The helper file, /usr/sbin/log-known-exploit, is invoked directly by the kernel. To invoke the helper manually to check your configuration or perform dry-run tests, use the following command:

    # /usr/sbin/log-known-exploit --help

You can specify the following additional options and arguments with this command:

-h, --help

Display the help message and exit.

-c, --config /etc/example.conf

Specify a compatible configuration file. Defaults to /etc/log-known-exploit.conf.

-f, --force

Run the command without checking for root permissions.

-n, --dry-run

Simulate the output and expected actions that would be performed by the helper file.

-d, --dummy

Use dummy data to verify that report logging is configured correctly.