How to upgrade from a ‘free patchset’ to a fully functional, paid KernelCare license
If you installed our complementary Symlink Protection patchset and now would like to take advantage of the comprehensive kernel security updates without reboots that KernelCare delivers, below describes how to do it.
If you are using an IP-based license, nothing else is required and you are all set.
If you are using a key-based license, run:
$ /usr/bin/kcarectl --register KEY
To check if patches were applied, run:
$ /usr/bin/kcarectl --info
The software will automatically check for new patches every 4 hours, but if you would like to perform an update manually, run:
$ /usr/bin/kcarectl --update
Free patches are changed to default now. If you still need symlink protection, you would need to apply extra patches - they include symlink protection plus the security fixes for CentOS 6 and CentOS 7 (there are no extra charges for extra patches.
To enable extra patches and apply patch, run:
kcarectl --set-patch-type extra --update
To enable extra patches without update, run:
kcarectl --set-patch-type extra
The extra patch will be applied on the next automatic update.
To see details, run:
You should see something similar to:
OS: centos6 kernel: kernel-2.6.32-696.6.3.el6 time: 2017-07-31 22:46:22 uname: 2.6.32-696.6.3.el6 kpatch-name: 2.6.32/symlink-protection.patch kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection. kpatch-kernel: kernel-2.6.32-279.2.1.el6 kpatch-cve: N/A kpatch-cvss: N/A kpatch-cve-url: N/A kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/ kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch kpatch-description: symlink protection (kpatch adaptation) kpatch-kernel: kernel-2.6.32-279.2.1.el6 kpatch-cve: N/A kpatch-cvss: N/A kpatch-cve-url: N/A kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/ kpatch-name: 2.6.32/ipset-fix-list-shrinking.patch kpatch-description: fix ipset list shrinking for no reason kpatch-kernel: N/A kpatch-cve: N/A kpatch-cvss:N/A kpatch-cve-url: N/A kpatch-patch-url: https://bugs.centos.org/view.php?id=13499
To enable Symlink Owner Match Protection, add the following line:
/etc/sysconfig/kcare/sysctl.conf. And run:
sysctl -w fs.enforce_symlinksifowner=1
More information can be found here: http://www.kernelcare.com/faq.php.