Summary

You manage the Ksplice Enhanced client by using the ksplice command. Use this command instead of the uptrack commands that are used with the traditional Ksplice Uptrack client. The ksplice command can perform user space patching, in addition to kernel patching.

Usage

The ksplice command performs actions on the following subsystems:

• kernel: action is performed on the kernel subsystem only
• user: action is performed on the user space subsystem only
• all: : action is performed on all subsystems

Actions, in the form of subcommands include:

• list-target: list the available targets that can be patched by the client
• show: show updates that have already been applied by the client
• apply: apply an update to the system specified by an update path
• undo: undo an update to the system specified by a unique Ksplice identifier
• upgrade: update the system with all available Ksplice updates
• remove: remove updates either by specified Ksplice identifiers or by using the --all option to remove all updates.

Command syntax is as follows:

ksplice [OPTIONS] SUBSYSTEM SUBCOMMAND

See the ksplice(8) manual page for more information.

Ksplice Subcommands

• List targets.

  To display all the running user space processes that the client can patch, use the ksplice all list-targets command, for example:

  sudo ksplice all list-targets

  Output might appear as follows:

  User-space targets:
  
  glibc-libm-2.34.100.0.1.ksplice1.el9_4.2:
   - crond (46435)
   - ksplice (51778)
  
  glibc-libc-2.34.100.0.1.ksplice1.el9_4.2:
   - crond (46435)
   - ksplice (51778)
   - less (51781)
  
  openssl-libssl-3.0.7.27.0.3.ksplice1.el9:
   - ksplice (51778)
  
  openssl-libcrypto-3.0.7.27.0.3.ksplice1.el9:
   - ksplice (51778)
  
  
  Kernel version: Linux/x86_64/5.15.0-206.153.7.el9uek.x86_64/#2 SMP Thu May 9 15:59:05 PDT 2024

  For each Ksplice-aware library, the command reports the running processes that would be affected by an update. The command also reports the effective version of the loaded kernel.

• Show updates.

  To display the updates that have been applied to the system, use the ksplice all show command:

  sudo ksplice all show

  Output might appear as follows:

  Ksplice user-space updates:
  chronyd (705)
  httpd (1503)
    ├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
    └─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().
  
  Ksplice kernel updates:
  Installed updates:
  [nf9nfyzj] Enablement update for live patching.
  [fe2qyrtu] Denial-of-service when checking if an address is a jump label.
  [bvjiimlr] Enable livepatching of jump labels.
  [id9g0y8c] Known exploit detection.
  [aq4p03vt] Known exploit detection for CVE-2019-9213.
  [pjd4ekqc] Known exploit detection for CVE-2017-1000253.
  [syt1v7t7] Known exploit detection for CVE-2022-0847.
  [rpa4ixvy] Known exploit detection for CVE-2022-27666.
  [hisf1nu9] Known exploit detection for CVE-2016-5195.
  ...
  [gsf5wlo8] CVE-2024-36934: Information leak in QLogic BR-series Ethernet driver.
  [e12zrdy5] CVE-2024-36919: Denial-of-service in QLogic Fiber-Channel-over-Ethernet offload driver.
  [ednh9erf] CVE-2024-36904: Remote code execution in TCP/IP networking stack.
  [8vkhpraf] CVE-2024-27398: Denial-of-service in Bluetooth Classic (BR/EDR) features.
  
  Effective kernel version is 5.15.0-208.159.3.el9uek

  The command reports the updates that have been applied to running processes, and the updates to the kernel. In the example output, Ksplice applied updates for CVE-2014-7817 and CVE-2015-1781 to some user space processes.

  To restrict the scope of the ksplice command to user space updates or kernel updates, specify user or kernel instead of all with the command.

  To display the updates that have been applied to a process specified by its PID, use the --pid=$PID option with the ksplice user show command:

  sudo ksplice user show --pid=705

  Output similar to the following is displayed:

  chronyd (705)
    ├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
    └─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().

• Remove updates.

  Use the remove subcommand to remove all the updates from a process, for example:

  sudo ksplice user remove --all --pid=705

  To remove a specific update that Ksplice has applied to a process, use the undo subcommand:

  sudo ksplice user undo --pid=705 h73qvumn

  Note:

  You can prevent Ksplice from patching specified executables and libraries. See Preventing the Ksplice Enhanced Client From Patching User Space Processes and Libraries.

  Ksplice patches are stored in the /var/cache/uptrack directory. Following a reboot, Ksplice automatically reapplies these patches early in the boot process before the network is configured so that the system is hardened before any remote connections can be established.

• List and install available updates.

  To list all the available Ksplice updates, use the upgrade subcommand:

  sudo ksplice -n kernel upgrade

  To install all the available Ksplice updates, use the upgrade subcommand as follows:

  sudo ksplice -y user upgrade

• Show kernel version.

  After Ksplice applies updates to a running kernel, the kernel has an effective version that's different than the original boot version displayed by the uname -a command.

  Use the ksplice kernel uname -r command to display the effective version of the kernel:

  sudo ksplice kernel uname -r

  The ksplice kernel uname command supports the commonly used uname flags, including -a and -r, and also provides a way for applications to detect that the kernel has been patched. The effective version is based on the version number of the latest patch that Ksplice Uptrack has applied to the kernel.

sudo ksplice kernel show

sudo ksplice kernel show --available

sudo ksplice kernel remove --all

touch /etc/uptrack/disable