Patching Linux servers

INTRODUCTION


A patch is a piece of software designed to update a computer program or its supporting data. There are several ways in which a malicious actor can compromise your network and gain access to your systems, and most of them take advantage of unpatched vulnerabilities in your operating systems and applications to do their damage. Once an attacker finds a flaw in your system they can easily exploit it with any number of canned attacks, and such attacks are very difficult to trace. To avoid this, all major Linux distributions provide patches to update the kernel as well as application-level patches.

Patching with YUM


In this section I will show you how to keep your Linux system up to date by patching from a YUM repository.

1) If you want to update your Linux system with all available patches, simply run the command below:

~]# yum update
If you run the above command it will show you all updates available for the currently installed kernel and packages, as shown on the screen below:

Select yes or no depending on whether you want to install the updates. It will list all packages as well as dependencies that need to be updated. If you want to exclude a particular package from being updated, you can run:

~]# yum update -x package_name
Insert the name of the package that needs to be excluded from updating. Yum is a very powerful utility which will automatically list all dependencies and update your system. You need to reboot your system for the updates to take effect.

2) What if you want to install only the security patches on your system and not any other OS patches? There is a simple way to do this: install the yum-security plugin.


~]# yum install yum-security
The yum-security plugin adds several security-related options to yum.

To install only the security updates available, use:

~]# yum update-minimal --security
The --security option restricts update-minimal to packages that have a security advisory, so the above command installs only the available security patches and no other patches will be updated.

Once you have installed security or kernel-level patches you need to reboot your system, so it is very important to schedule downtime before updating a system.
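As an added example (not from the original post), the following shell script decides whether a freshly patched server still needs a reboot by comparing the running kernel (uname -r) with the newest installed kernel package (rpm -q kernel), and counts pending security advisories in yum updateinfo output. The kernel versions and advisory lines are constructed samples; it assumes GNU sort for the -V option.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU sort (-V).
# On a real host call:
#   reboot_needed "$(uname -r)" "$(rpm -q kernel)"
#   count_security_updates "$(yum updateinfo list 2>/dev/null)"

# Return 0 (true) when the newest installed kernel is not the one running,
# i.e. a kernel update was installed but has not taken effect yet.
reboot_needed() {
    running="$1"      # e.g. 3.10.0-1127.el7.x86_64
    installed="$2"    # newline-separated `rpm -q kernel` output
    newest=$(printf '%s\n' "$installed" | sed 's/^kernel-//' \
             | sort -V | tail -n 1)
    [ "$newest" != "$running" ]
}

# Count security advisories (RHSA-YYYY:NNNN lines) in `yum updateinfo list`
# output; bugfix (RHBA) and enhancement (RHEA) advisories are ignored.
count_security_updates() {
    printf '%s\n' "$1" | grep -c -E '^RHSA-[0-9]{4}:[0-9]+ ' || true
}

# Constructed sample: `rpm -q kernel` on a host patched but not yet rebooted.
SAMPLE_INSTALLED='kernel-3.10.0-1127.el7.x86_64
kernel-3.10.0-1160.el7.x86_64'
SAMPLE_RUNNING='3.10.0-1127.el7.x86_64'

# Constructed sample of `yum updateinfo list` output (two security, one bugfix).
SAMPLE_UPDATEINFO='RHSA-2020:4060 Important/Sec. kernel-3.10.0-1160.2.1.el7.x86_64
RHSA-2020:3861 Moderate/Sec.  openssl-1.0.2k-19.el7.x86_64
RHBA-2020:4061 bugfix         bash-4.2.46-34.el7.x86_64'

if reboot_needed "$SAMPLE_RUNNING" "$SAMPLE_INSTALLED"; then
    echo "reboot pending: running $SAMPLE_RUNNING but a newer kernel is installed"
else
    echo "no reboot pending"
fi
echo "security advisories pending: $(count_security_updates "$SAMPLE_UPDATEINFO")"
```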

3) Running live updates without a reboot:

Suppose you are running mission-critical applications on a server and it is very difficult to take downtime. In that case, most of the time we avoid patching systems with the latest security and OS updates. But there is a chance that someone will take advantage of the security vulnerabilities present in the system and gain unauthorized access to your servers. So what is the solution to this problem?

Now we can apply important security patches without rebooting systems with the help of kpatch.

What is kpatch?

kpatch is a set of open source tools developed by Red Hat which allows the generation of patch modules directly from a source-level patch and the application of those patch modules to a running kernel, without the need to reboot or restart any processes. It is still under development and will be available soon.

The primary focus of kpatch is urgent security fixes, i.e. CVEs (including remotely exploitable ones). Secondarily, kpatch also supports urgent stability fixes, driver issues, and kernel development.

First install the kpatch-patch package:

~]# yum install kpatch-patch
Once a new patch is available, you just need to install it with yum as follows:

~]# yum update kpatch-patch
Your system will be protected with the new security patch without rebooting your server. You can check the list of patch modules loaded by kpatch using the command below:

~]# kpatch list
You will find useful information on kpatch at the GitHub link: https://github.com/dynup/kpatch


Canonical Livepatch

Similar to kpatch, Ubuntu has developed Canonical Livepatch, available from Ubuntu 16.04 onwards, with the help of which we can apply kernel patches on Ubuntu servers without rebooting them.

How to enable the Canonical Livepatch service

1) Install the Canonical Livepatch daemon



~]$ sudo snap install canonical-livepatch
After installing the daemon you need to generate a token for Canonical Livepatch to apply on the server.
For that you have to visit and sign up at the link below:

https://www.ubuntu.com/server/livepatch

Once you have generated the token, enable it as follows:


~]$ sudo canonical-livepatch enable [Token]
To verify the status of the daemon:



~]$ canonical-livepatch status --verbose

I recommend testing this live patch functionality, which will be very helpful in avoiding unnecessary downtime.


