From sdodier at lanl.gov Thu May 5 17:14:14 2022
From: sdodier at lanl.gov (Dodier, Steven M)
Date: Thu, 5 May 2022 17:14:14 +0000
Subject: [kpatch] kpatch Use Questions
Message-ID:

Hello,

I am new to kpatch, so please forgive my ignorance on this subject. Our team has recently started using kpatch, and I have the following questions. I have read several Red Hat articles and already searched online for these answers without luck. The only reference that I have for kpatch is our use of a similar product, ksplice for Oracle Linux. So, starting with an example of how ksplice works will lead into my kpatch questions.

When I ksplice a kernel in Oracle Linux 7, it changes the effective kernel to the latest available kernel.

    # uname -r
    4.14.35-2025.404.1.2.el7uek.x86_64
    # ksplice kernel uname -r
    4.14.35-2047.502.4.1.el7uek.x86_64

Our Nessus Tenable scanner detects the use of the ksplice using PluginID 65047. After scanning the host, you can see an "Info" finding for "KSplice: Installed Patches". Within this finding, you can see all the "Installed updates" & CVEs applied.

Now to my questions:

1. After installing the kpatch-patch for my running kernel, Nessus uses a plugin ID of 138014 to detect the kpatch. It has an "Info" finding just like ksplice does, but it does not show any CVEs applied. Should it be showing what "Installed updates" & CVEs are applied? If not, can I run a kpatch command to see that? Here is the output that Nessus shows:

    Kernel patches determined to be loaded through kpatch:
      kpatch_3_10_0_1160_53_1_1_2
    Kernel CVEs determined to be patched through kpatch:
      NONE
    kpatch is installed, but no loaded patch modules appear to cover any CVEs.

    kpatch list output:
    Loaded patch modules:
    kpatch_3_10_0_1160_53_1_1_2 [enabled]

    Installed patch modules:
    kpatch_3_10_0_1160_53_1_1_2 (3.10.0-1160.53.1.el7.x86_64)

2. At what point is it prudent to reboot a server into the latest kernel? For instance, at minimum we do quarterly patching of all servers. If we kpatch a kernel, and there are two minor releases newer than the one we are on, is the current kpatched kernel just as secure as the latest kernel? I did see some notes that kpatch-patch releases will only be updated for a certain time period (6 months). So, once there are no new updates for a kpatch-patch, is it time to reboot?

3. Following onto the above question, here is an example:

    # rpm -qa|grep -i kernel-3
    kernel-3.10.0-1160.53.1.el7.x86_64
    kernel-3.10.0-1160.45.1.el7.x86_64
    kernel-3.10.0-1160.62.1.el7.x86_64
    # uname -r
    3.10.0-1160.53.1.el7.x86_64
    # kpatch list
    Loaded patch modules:
    kpatch_3_10_0_1160_53_1_1_2 [enabled]

    Installed patch modules:
    kpatch_3_10_0_1160_53_1_1_2 (3.10.0-1160.53.1.el7.x86_64)

   QUESTION: Is it necessary to patch other kernels that are installed, but not running? Or, would those other kpatched kernels only be applicable if it is the currently running kernel?

    # yum install kpatch-patch-3_10_0-1160_45_1.x86_64
    # kpatch list
    Loaded patch modules:
    kpatch_3_10_0_1160_53_1_1_2 [enabled]

    Installed patch modules:
    kpatch_3_10_0_1160_45_1_1_3 (3.10.0-1160.45.1.el7.x86_64)
    kpatch_3_10_0_1160_53_1_1_2 (3.10.0-1160.53.1.el7.x86_64)

4. With this setting in the /etc/yum.conf: installonly_limit=3, how will this affect the fact of staying on a kernel that is 4 versions behind? I'm assuming it wouldn't uninstall any part of a running kernel, but wanted to ask if this has been tested.

Sorry for all the questions, just so many issues I'm not sure about.

Thanks in advance,
Steve
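The question of which installed kernels carry a kpatch module, and whether the module for the running kernel is actually loaded, can be answered from the two command outputs quoted above. The following POSIX shell script is an added example, not code from the poster or from the kpatch project: it parses text in the format of the `rpm -qa` and `kpatch list` output shown in the message. The sample data embedded in it is constructed to mirror the message's third example; on a live host the functions would be fed the real command output as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original message or the kpatch project).
# Parses `rpm -qa` and `kpatch list` style output to report
#   (a) installed kernels that have no kpatch patch module installed, and
#   (b) whether the patch module for the running kernel is loaded and enabled.

# Constructed sample data, mirroring the format quoted in the message.
SAMPLE_RPM='kernel-3.10.0-1160.53.1.el7.x86_64
kernel-3.10.0-1160.45.1.el7.x86_64
kernel-3.10.0-1160.62.1.el7.x86_64'

SAMPLE_KPATCH='Loaded patch modules:
kpatch_3_10_0_1160_53_1_1_2 [enabled]

Installed patch modules:
kpatch_3_10_0_1160_45_1_1_3 (3.10.0-1160.45.1.el7.x86_64)
kpatch_3_10_0_1160_53_1_1_2 (3.10.0-1160.53.1.el7.x86_64)'

# kernels_without_patch RPM_OUTPUT KPATCH_OUTPUT
# Prints, one per line, each installed kernel version (from "kernel-<ver>"
# package names) that has no entry under "Installed patch modules".
kernels_without_patch() {
    rpms=$1
    kp=$2
    # Kernel versions appear in parentheses after each installed module name.
    covered=$(printf '%s\n' "$kp" | sed -n 's/.*(\(.*\))$/\1/p')
    printf '%s\n' "$rpms" | sed 's/^kernel-//' | while read -r k; do
        [ -z "$k" ] && continue
        if ! printf '%s\n' "$covered" | grep -qx "$k"; then
            printf '%s\n' "$k"
        fi
    done
}

# running_patch_loaded RUNNING_VERSION KPATCH_OUTPUT
# Returns 0 when the module installed for RUNNING_VERSION is listed under
# "Loaded patch modules" with the [enabled] marker, 1 otherwise.
running_patch_loaded() {
    running=$1
    kp=$2
    mod=$(printf '%s\n' "$kp" | sed -n "s/^\([^ ]*\) ($running)\$/\1/p")
    [ -n "$mod" ] || return 1
    printf '%s\n' "$kp" \
        | sed -n '/^Loaded patch modules:/,/^$/p' \
        | grep -q "^$mod \[enabled\]"
}

# Offline demonstration with the constructed sample (assumed running kernel
# is 3.10.0-1160.53.1.el7.x86_64, as in the message).
# On a live host use:  kernels_without_patch "$(rpm -qa 'kernel-3*')" "$(kpatch list)"
#                      running_patch_loaded "$(uname -r)" "$(kpatch list)"
echo "Installed kernels with no kpatch module:"
kernels_without_patch "$SAMPLE_RPM" "$SAMPLE_KPATCH"
if running_patch_loaded "3.10.0-1160.53.1.el7.x86_64" "$SAMPLE_KPATCH"; then
    echo "Running kernel's patch module is loaded and enabled."
else
    echo "Running kernel has no loaded/enabled patch module."
fi
```

With the sample data the first function reports only 3.10.0-1160.62.1.el7.x86_64, the kernel for which no kpatch-patch package was installed, and the second confirms that the module for the running 53.1 kernel is loaded; the same two checks are what a scanner finding such as the Nessus output above is summarising.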