What Is KernelCare?

Tux the Penguin with Hotpatching (KernelCare)The concept of ‘Kernel hotpatching’, sometimes called live patching, was introduced to the Linux community around 2008. Soon after groups began developing differing implementations of the concept. KernelCare, one of the more popular implementations, was originally released in March 2014 by Cloud Linux, Inc.

So, what does hot patching do? (Or: Why do I want KernelCare?)

The basic concept of Linux kernel hot patching is pretty much the same not matter what it’s called. The goal is to only update the changes rather than the whole Kernel – which normally requires a reboot. It’s much harder than it sounds though since kernel updates come as complete packages and the system is running.

Imagine trying to do an oil change on your car while driving at highway speeds; that’s kernel hot patching in a nutshell.

With a KernelCare enabled kernel updates can be processed and then applied selectively to a running server. This can mean not needing to reboot for much longer than you would normally require to stay secure.

How do I check if I have KernelCare and is it working? (Or: Checking KernelCare version)

The best way to check if your server is running with KernelCare is to look for its main CLI tool. You can do this with the following linux command:

which kcarectl

If the CLI tool is found on the server you will see output like the following, or something very similar.

# which kcarectl
/usr/bin/kcarectl

If the CLI tool is not installed you will see the following:

# which kcarectl
#
When using the Linux `which` command you will get no results if the executable is not found. In this case that means KernelCare is likely not active or installed on the server.

Assuming the test above was successful, you’ll now want to check the status of KernelCare. This will help you determine if KernelCare is active and what the effective version is. You can do this with the following command:

/usr/bin/kcarectl --info

The results will look similar to the following:

[root@host ~]# /usr/bin/kcarectl –info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-327.36.3.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) ) #1 SMP Mon Oct 24 16:09:20 UTC 2016
kpatch-build-time: Mon Nov 7 08:20:19 2016
kpatch-description: 2;3.10.0-327.36.3.el7.x86_64

As you can see the output provides various details about the KernelCare status. Looking at the kpatch-state we can see that hot patching is working and enabled.

Monitoring your server in WHM

In this article we will briefly cover the basics of monitoring your server via WHM. By following this process you will learn how to find: service status, resource usage, and Apache stats.

  1. With WHM open in your web browser, (a) type “status” into the search box. This should sort the list to only a few items.
    Navigate to Monitoring
  2. Click “Service Status” from the list. This will open the service status page, here you can view the status of various services and server info.
    monitoring-whm-pt2

    If there is a problem the green checkmark icon will turn into a red ‘x’ icon.
  3. Now, with the same search, click “Apache Status” from the list. This will show you the current state of Apache on the server.
    monitoring-whm-pt3

By following this tutorial you should now know how to monitor your Server’s overall status and the status of various services. As always for our Liquid Web customers the dedicated Sonar Monitoring™ team is monitoring your server 24/7.

When Mod Security Attacks

One component of Liquid Web’s Server Secure service is an Apache module called Mod Security (often shortened to just “modsec”). Modsec monitors all incoming HTTP requests for malicious behavior, and does not complete requests that meet certain criteria. These criteria are spelled out in what are called “rules” or “rulesets”.

In an ideal world, only malicious requests would be caught in modsec’s trap. Unfortunately, there are some instances where legitimate requests are stopped as well. How do we determine that this is what happening, and what can we do about it?
Continue reading “When Mod Security Attacks”