How to upgrade from a ‘free patchset’ to a fully functional, paid KernelCare license
If you installed our complementary Symlink Protection patchset and now would like to take advantage of the comprehensive kernel security updates without reboots that KernelCare delivers, below describes how to do it.
If you are using an IP-based license, nothing else is required and you are all set.
If you are using a key-based license, run:
$ /usr/bin/kcarectl --register KEY
To check if patches were applied, run:
$ /usr/bin/kcarectl --info
The software will automatically check for new patches every 4 hours, but if you would like to perform an update manually, run:
$ /usr/bin/kcarectl --update
Note: ‘Free’ patches are changed to ‘default’ now. If you still need symlink protection, you would need to apply ‘extra’ patches - they include symlink protection plus the security fixes for CentOS 6 and CentOS 7 (there are no extra charges for extra patches).
To enable extra patches and apply patch, run:
kcarectl --set-patch-type extra --update
To enable extra patches without update, run:
kcarectll --set-patch-type extra
The ‘extra’ patch will be applied on the next automatic update.
To see details run:
You should see something similar to:
time: 2017-07-31 22:46:22
kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
kpatch-description: symlink protection (kpatch adaptation)
kpatch-description: fix ipset list shrinking for no reason
To enable Symlink Owner Match Protection, add the following line:
Into /etc/sysconfig/kcare/sysctl.conf. And run:
sysctl -w fs.enforce_symlinksifowner=1
More information can be found here: http://www.kernelcare.com/faq.php.