3 Different Ways to apply Linux Kernel Security Patches


We know that the most effective way to strengthen system security and protect against cyber threats is to keep the system updated with the latest OS and application patches. On Linux, kernel upgrades and security patches normally require a system reboot, which makes keeping the OS patched harder. Here we look at how to update the Linux kernel, including how to do it without a reboot.

There are 3 different methods, so let's see what they are.

Command Line

The command line is the standard way to do an update. If you're using Ubuntu, you can run the commands below.

sudo apt-get upgrade linux-image-generic
sudo reboot

For Debian, install the architecture metapackage that pulls in the current kernel (linux-image-amd64 on 64-bit x86):

sudo apt-get install linux-image-amd64
sudo reboot

For CentOS, Red Hat Enterprise Linux (RHEL) or any other RPM-based distribution, you can use the commands below:

sudo yum update kernel
sudo reboot

After these commands you have to reboot; the kernel patch has no effect until you do. The reboot can take some time to complete, so notify your users beforehand. This downtime is exactly why system administrators tend to defer patch installation, avoiding interruptions but compromising system security.

No extra installation or automation is needed, apart from the reboot itself.

kexec: Quicker reboots

If you want a quicker reboot you can use kexec. It boots directly into a new kernel, skipping the boot loader and the hardware initialization phases, which reduces the reboot time.

In order to use this, you need to install kexec-tools.

On Ubuntu/Debian:

sudo apt-get install kexec-tools

CentOS/RHEL:

sudo yum install kexec-tools

Now install the new kernel:

sudo yum update kernel

then list the installed kernels so you can pick the one to boot:

sudo rpm -qa kernel

The output looks like this:

kernel-3.10.0-514.26.1.el7.x86_64 
kernel-3.10.0-862.3.2.el7.x86_64

Now load the chosen version and reboot into it:

sudo kexec -l /boot/vmlinuz-3.10.0-862.3.2.el7.x86_64 \
    --initrd=/boot/initramfs-3.10.0-862.3.2.el7.x86_64.img \
    --reuse-cmdline
sudo sync; sudo umount -a; sudo kexec -e

The advantage is a one-time install and a quick reboot, but if it isn't scripted carefully there can be errors.
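The two steps above (checking that a newly installed kernel is actually running, and loading a chosen version with kexec) can be scripted. The following is an added example, not code from the original article: it takes package names in the rpm -qa kernel format, finds the newest one, reports whether the running kernel is still older, and prints the matching kexec load command. The sample package list and running version are constructed from the article's CentOS 7 output.

```shell
#!/bin/sh
# Added example, not from the original article: check whether a host is still
# running an older kernel than the newest one installed (a patch installed but
# not yet activated) and build the matching kexec load command.
# Assumes package names in the 'rpm -qa kernel' format shown in the article.

# Strip the "kernel-" prefix from each package name on stdin and print the
# highest version according to a natural version sort.
newest_installed_kernel() {
    sed -n 's/^kernel-//p' | sort -V | tail -n 1
}

# Succeed (exit 0) when the running kernel is older than the newest installed
# one, meaning a reboot or kexec is still pending.
needs_reboot() {
    running="$1"
    newest="$2"
    [ "$running" != "$newest" ] &&
        [ "$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)" = "$newest" ]
}

# Print the kexec load command for the given kernel version string, using the
# vmlinuz/initramfs naming of the article's CentOS 7 example.
kexec_load_cmd() {
    ver="$1"
    printf 'kexec -l /boot/vmlinuz-%s --initrd=/boot/initramfs-%s.img --reuse-cmdline' \
        "$ver" "$ver"
}

# Constructed sample input: the two packages listed in the article, and the
# running kernel as 'uname -r' would report it on a host that has not rebooted.
sample_packages='kernel-3.10.0-514.26.1.el7.x86_64
kernel-3.10.0-862.3.2.el7.x86_64'
sample_running='3.10.0-514.26.1.el7.x86_64'

newest=$(printf '%s\n' "$sample_packages" | newest_installed_kernel)
if needs_reboot "$sample_running" "$newest"; then
    echo "running $sample_running, newest installed $newest: reboot or kexec pending"
    echo "  sudo $(kexec_load_cmd "$newest")"
else
    echo "running kernel $sample_running is the newest installed"
fi
```

On a live CentOS/RHEL host, feed the output of rpm -qa kernel and uname -r instead of the constructed sample to get the real pending-reboot status.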


Update the kernel without rebooting

Are you looking to update the kernel without rebooting? Here is how to do it. Security patching is critical, but a reboot terminates running processes. If you run an "always-on" or "high-availability" system, you are probably well aware of this problem.

Since live patching only applies fixes for serious bugs or security vulnerabilities, it cannot replace full kernel upgrades. However, in many cases that is all that is required, and with these techniques a server can be kept secure and operational for years without having to reboot.

Rebootless kernel upgrades are provided by a number of Linux vendors, so choose based on the distribution you run. Let's look at a few of the rebootless kernel upgrade options in detail:

  • Oracle Ksplice – It was the first commercially available rebootless kernel update implementation. After Oracle acquired Ksplice Inc., the software became accessible only for Oracle Linux and Red Hat Enterprise Linux distributions, and deployment requires an Oracle license.

To deploy it:

sudo wget -N https://ksplice.oracle.com/uptrack/install-uptrack-oc
sudo sh install-uptrack-oc --autoinstall

It automatically downloads new kernel patches and applies them. There is no downtime or scheduling, and no reboot is required.

  • KernelCare – The Linux kernel live patching service from TuxCare stands out among kernel patching options for its wide range of supported operating systems, including CentOS, RHEL, Oracle Linux, Debian, Ubuntu, and others. The earlier 2.6.32 kernels from RHEL 6 are also supported by KernelCare, similar to Oracle’s solution. Without requiring the server to reboot, KernelCare automatically downloads and applies updated kernel security fixes after installation. It enables fixed-date and custom patching.

To install KernelCare:

wget -qq -O - https://kernelcare.com/installer | bash
sudo /usr/bin/kcarectl --register <your key>

  • Canonical Livepatch Service – This is Canonical's method for live-patching Ubuntu kernels. You can build your own patches, although that is challenging and time-consuming work. The service is available for Ubuntu 16.04 and newer, as well as RHEL 7.x (beta). Patches are applied automatically, but custom kernel patches are difficult, and only a limited number of hosts can be updated.

It is implemented as follows:

sudo snap install canonical-livepatch
sudo canonical-livepatch enable [TOKEN]

  • Red Hat Kpatch – This is a kernel patching tool created by Red Hat. It has been ported to Fedora, CentOS, Debian-based systems such as Ubuntu, and Gentoo.

Deploying it on RHEL 7:

sudo yum install kpatch
sudo yum install kpatch-patch-X.X.X.el7.x86_64.rpm

Unlike Ubuntu's Livepatch service or Oracle's Ksplice, it is not automatic: you must check for and install each available kernel patch manually. No reboot is required, but the supported distributions are limited.

  • SUSE Kgraft – Kgraft is SUSE's live patching solution. It is only available for SUSE's own Linux Enterprise Server 12, where it comes preinstalled. It operates on a different principle than the other approaches but has a feature set comparable to Kpatch. No installation or reboot is required, but it supports only one platform.

Wrapping Up:

Updating the kernel is relatively painless when you use the standard command-line tools. To keep your infrastructure secure without scheduled downtime, you can use live patching technology.
