Using the Known Exploit Detection Feature on the Ksplice Enhanced Client

Note:

Known exploit detection support is available for the Ksplice Enhanced client only. On the 64-bit ARM (aarch64) platform, known exploit detection requires Oracle Linux 8 or later, with the UEK7 (5.15.0) or later kernel.

Oracle provides the known exploit detection feature for supported systems that have the Ksplice Enhanced client installed. This feature reports attempted exploitation by known attack vectors. When new Common Vulnerabilities and Exposures (CVEs) are discovered and patched with Ksplice, Oracle might add tripwires to the code that fire when an erroneous condition is triggered, thus enabling you to monitor systems for suspicious activity.

Note:

Because not all security issues have tripwires added, and also because it's possible to trigger tripwires under normal operations, further analysis of erroneous conditions might be required.

Running Known Exploit Detection on the Ksplice Enhanced Client

You can run the Ksplice known exploit detection on supported Oracle Linux systems that have the Ksplice Enhanced client installed. This feature works for both the online and offline Ksplice Enhanced client.

Note:

This procedure uses the dnf command to describe many package management actions. On releases earlier than Oracle Linux 8, substitute the commands with the appropriate yum commands.

To run known exploit detection with the default configuration:

  1. Install the ksplice-known-exploit-detection package.
    sudo dnf install ksplice-known-exploit-detection
  2. Update the uptrack configuration to enable known exploit detection.

    Add the following lines to the /etc/uptrack/uptrack.conf file: 

    [Known-Exploit-Detection]
enabled = yes
  3. Enable known exploit detection in the running kernel.

    Enable the feature by running the kernel upgrade command: 

    sudo ksplice kernel upgrade
  4. Verify that known exploit detection is running in the kernel.

    Verify that the feature has been enabled for the current kernel: 

    cat /proc/sys/kernel/known_exploit_detection

    If the value is 0 or the file is missing, then the kernel hasn't enabled kernel exploit detection. If the value is 1, known exploit detection is enabled on the system.

The helper file, /usr/sbin/log-known-exploit, is invoked directly by the kernel. To invoke the help manually to check the configuration or perform dry-run tests, use the following command: 

/usr/sbin/log-known-exploit --help

You can specify the following extra options and arguments with this command:

-h, --help

Display the help message and exit.

-c, --config /etc/example.conf

Specify a compatible configuration file. Defaults to /etc/log-known-exploit.conf.

-f, --force

Run the command without checking for root permissions.

-n, --dry-run

Simulate the output and expected actions that would be performed by the helper file.

-d, --dummy

Use sample data to verify that report logging is configured correctly.

Configuring Known Exploit Logging and Email Notification Options

Configuration options for the known exploit detection feature are set in /etc/log-known-exploit.conf. You can edit the configuration file to control the following behaviors.

  • To set up email alerts, edit the [email] section to enable the functionality and to provide a recipient email address for delivery:
    [email]
enabled: 1
recipients: admin@example.com
    The default configuration for the Ksplice known exploit detection feature logs exploit attempts to syslog by using the normal syslog facilities.

    Note:

    Email alerts require that the system is already configured to handle outbound or local mail delivery using a mail transfer agent.
  • To define the logging behavior for tripwires that aren't specified, add a value for default to the list.

    For example, to avoid logging any tripwire reports unless they're specified, do the following: 

    [actions]
default: ignore
  • To specify which tripwire reports must be logged or ignored, add rules to the [actions] configuration section.

    For example, list the CVEs to be reported and the CVEs that can be ignored:

    [actions]
CVE-2024-12345: report
CVE-2024-12346: ignore
    Note that these configuration entries override the default configuration.

    You can also temporarily disable or enable tripwires for different CVEs, to override the stored configuration. See Temporarily Disabling and Enabling Tripwires.

Temporarily Disabling and Enabling Tripwires

You can disable or enable a specific tripwire manually when you need to troubleshoot.

  • Temporarily disable a tripwire.

    To disable a specific tripwire until the next reboot, remove the CVE reference from the /proc/sys/kernel/known_exploit_detection_tripwires file as follows: 

    echo -n '-CVE-2024-12345' | sudo tee /proc/sys/kernel/known_exploit_detection_tripwires
  • Temporarily enable a tripwire.

    To enable a specific tripwire, append the CVE reference to the same configuration file again: 

    echo -n '+CVE-2024-12345' | sudo tee /proc/sys/kernel/known_exploit_detection_tripwires