The two spaces of Linux system operations
Linux system operations are divided into two sections: the user space (where all the services and applications operate), and the kernel space (where the core system operations are). The kernel is an intermediary for all of the applications to access hardware resources like the CPU and storage. Along with the kernel itself, administrators can create custom kernel modules to extend or modify functionality, and these kernel modules can be loaded and executed dynamically, even after boot.
Kernel live patching tools build a kernel module out of the patched code, then use ftrace (function trace) to redirect calls from the obsolete function to its replacement in the patch module, so the new code runs without a reboot.
Figure 1: How kernel live patching works

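As an added example that is not part of the original article, the POSIX shell script below reads the sysfs interface the kernel's livepatch core exposes under /sys/kernel/livepatch (the per-patch enabled and transition flags and the per-object, per-function directories described in the kernel's livepatch documentation) and reports whether each loaded patch has been fully applied, which is the check a sysadmin wants after loading a patch. The stand-in directory tree it builds is constructed; the patch, object and function names in it are made up.

```shell
#!/bin/sh
# Report loaded kernel live patches from the livepatch sysfs layout:
#   <root>/<patch>/enabled                   1 = patch enabled
#   <root>/<patch>/transition                1 = not yet applied to every task
#   <root>/<patch>/<object>/<function,sympos>/   one dir per redirected function
# Usage: livepatch_report [root]   (root defaults to /sys/kernel/livepatch)

livepatch_report() {
  root="${1:-/sys/kernel/livepatch}"
  [ -d "$root" ] || { echo "no livepatch sysfs at $root (nothing loaded or unsupported)"; return 1; }
  for patch in "$root"/*/; do
    [ -d "$patch" ] || continue
    enabled=$(cat "$patch/enabled" 2>/dev/null || echo "?")
    transition=$(cat "$patch/transition" 2>/dev/null || echo "?")
    # enabled but still in transition means some tasks still run the old code
    if [ "$enabled" = "1" ] && [ "$transition" = "0" ]; then state="applied"
    elif [ "$enabled" = "1" ]; then state="in-transition"
    else state="disabled"
    fi
    echo "$(basename "$patch"): $state"
    for obj in "$patch"*/; do                # vmlinux or a kernel module name
      [ -d "$obj" ] || continue
      for fn in "$obj"*/; do                 # one directory per patched function
        [ -d "$fn" ] || continue
        echo "  $(basename "$obj")/$(basename "$fn")"
      done
    done
  done
}

# Constructed stand-in for /sys/kernel/livepatch so the report runs offline;
# the patch, object and function names are made up, not real live patches.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/lp_demo_fix/vmlinux/demo_func,1" "$d/lp_demo_pending/demo_mod/demo_mod_func,1"
  echo 1 > "$d/lp_demo_fix/enabled";     echo 0 > "$d/lp_demo_fix/transition"
  echo 1 > "$d/lp_demo_pending/enabled"; echo 1 > "$d/lp_demo_pending/transition"
  echo "$d"
}

livepatch_report "$(make_demo_tree)"
```

On a real host, run livepatch_report with no argument to read the live sysfs tree.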
Ksplice was the first project for live patching the Linux kernel; however, ksplice was sold to Oracle and eventually became a closed-source tool. Other development teams began working on open source projects that could replace ksplice, and two slightly different projects launched in 2014: kpatch from Red Hat and kGraft from SUSE. Ultimately, for the good of the Linux kernel community, Red Hat and SUSE developers worked together to create livepatch, a common layer within the Linux kernel on which compatible kernel live patching tools can be built.
Why does kernel live patching matter?
The key thing to remember is that patches are specifically used for addressing security risks. One of the challenges that sysadmins have is that they not only need to account for security patching in Linux systems, they also need to make sure that they are meeting uptime requirements. This means they may not be able to take systems offline outside preset maintenance windows. This is a constant tension that is only increasing.
According to the Red Hat Security Risk Report, there was a massive spike of identified security issues (called common vulnerabilities and exposures or CVEs) from 2019 to 2020—up about 155% (1,313 to 2,040). Although that dropped slightly in 2021 (1,596), it was still 22% higher than 2019. Most of this has been an increase in moderate severity vulnerabilities; important CVEs have stayed roughly steady and critical vulnerabilities have been dropping.
Kernel updates and patches are released every six weeks, and minor updates of Red Hat Enterprise Linux come out every six months with all the security patches included. Being able to live patch the Linux kernel without a reboot removes the need to choose between those two cadences.
Kernel CVEs
CVEs related to the kernel are one of the top concerns, with four of the top 10 most-viewed CVEs in 2021 relating to the kernel.
Being able to perform Linux kernel security patching live is much more than a convenience. It is an important tool for security teams to proactively address security vulnerabilities, keep kernel functions running, and maintain the safety of their systems.
I enjoy the patching processes and the way Red Hat Enterprise Linux has elements set up. I have never had a patch session fail, even when installing a thousand packages at a time.
The Red Hat Enterprise Linux difference
Kernel live patching is one specific tool to manage security, but it is far from the only one available with Red Hat Enterprise Linux. Red Hat Enterprise Linux includes different tools for managing security, such as SELinux for permissions and access control and system roles to help automate configuration and tasks. Upgrading your Red Hat Enterprise Linux infrastructure can help maintain your security posture by ensuring uninterrupted access to the latest fixes.
There is no single solution to create a "secure environment." Threats are always changing and evolving, with different attack vectors emerging and different targets pinpointed. Security starts at the operating system level—even the very source code—and works up through the technology stack and throughout the lifecycle, which is why having a variety of tools is essential.
Manage kernel live patching from the Red Hat Enterprise Linux web console to greatly reduce the complexity of performing critical maintenance. This web console capability provides a simplified interface for both highly skilled and less experienced administrators to apply kernel updates without using command line tooling.
Red Hat Lightspeed (formerly Red Hat Insights) is available with any Red Hat Enterprise Linux subscription, providing a unified management experience for addressing security concerns. This includes:
- Visual dashboards that cover your entire infrastructure, showing vulnerable systems and patch status, allowing you to find and fix critical bugs without a separate subscription to Red Hat Satellite Server.
- Relevant CVEs and other updates.
- Playbooks for automated Linux security patching.
- Both defined security profiles and custom profiles to manage system configuration.
- Baseline configurations, with flagging of systems that diverge from them.
Why choose Red Hat?
Linux kernel live patching came to exist when a need was identified and an open project was created to work collaboratively with organizations and community members, creating a solution that would benefit the community. This open way of working is at the core of the value of a Red Hat subscription: collaboration, transparency, and a focus on improving the technology and user experience.