Documentation Glibc and OpenSSL patching (KernelCare+)
Glibc and OpenSSL patching is now available for the following operating systems:
- CentOS/RHEL/CloudLinux OS 7
- CloudLinux OS 8
- AlmaLinux 8
- Oracle Linux 7
- Oracle Linux 8
- Debian 9/10
- Ubuntu 16.04/18.04/20.04
- Proxmox VE 6.
- Scientific Linux
Installation and upgrade
Userspace processes patching feature is available in the KernelCare package.
Usage
To apply the available patches to all userspace processes, run the following command:
$ kcarectl --lib-update
To gather information about what processes were patched, run the following command:
$ kcarectl --lib-info
To gather information about applyed patches:
$ kcarectl --lib-patch-info
To unpatch all involved processes, run the following command:
$ kcarectl --lib-unload
Blacklisting
If you need to avoid patching of some particular process it could be done by blacklist defining.
Default one is located in /var/lib/libcare/blacklist and contains a package-provided list.
You can overwrite those values by creating /var/cache/kcare/userspace/blacklist file with the higher priority.
Auto update
Userspace patching cron job is disabled by default. To enable it, run the following command:
libcare-cron init
Troubleshooting
Auditd logs
The libcare tools heavily use a ptrace syscall and, in case of auditd trace it's calls, there will be a lot of records in a log. There is a rule that provided by kernelcare package and located here /etc/audit/rules.d/kernelcare.rules. It will exclue kernelcare processes from audit.
Note: no such rule is provided for el6 due to old autditd restrictions. There is a command that will add such rule in runtime
auditctl -l | grep kcare | cut -d' ' -f2- | xargs -t -L1 -r auditctl -d && pgrep libcare-server | xargs -t -n1 -i auditctl -A exit,never -F arch=b64 -S ptrace -F pid="{}" -k kcarever | xargs -t -n1 -i auditctl -A exit,never -F arch=b64 -S ptrace -F pid="{}" -k kcare
It removes all currently enabled kernelcare rules and adds a new one by libcare's process ID.
