KernalCare install

I'm not a fan of KernalCare-like services.
Why inject absolute 0-day code into the carefully tested Enterprise kernel for Red Hat?

If it is a large number of servers you can also distrubute official kernels as Red Hat updates or other updates with Puppet or other similar solution.

No need for tools like this to update 0day code every 4 hours.
Without stress tests.

 

Yes I have three CMM VPS's and all run Kernalcare - Used Kernalcare when I had a dedicated server under cPanel as well - never ever had any problems.

 

Oja if you want to use KernelCare anyway.
You should upgrade the default 4 hour update time.
That was the KernelCare update time when I had it tested.

4 hours is very sharp.
If a bug sneaks into the patches, you won't suffer from a kernel crash.
The script kiddies don't get along very well for the first few hours.
You often only see them after a few days.

 

Someone using LibraryCare, DataBaseCare from the same supplier as KernelCare?

I have a suspicion that everyone who wants to is on KernelCare only. Because a new kernel without KernelCare is only effective after booting. This is not in full force and effect for Glibc, OpenSSL and MariaDB. Those are just live patches without a reboot.

 

As CMM uses its own compiled OpenSSL for components like Nginx.
KernalCare+ patches the 'other' OpenSSL supplied by the distro.

In other words. You still need to recompile CMM components with each new OpenSSL version. In addition, ePortal Patch Server is only interesting if you have many servers.

But then again why KernelCare? With a dedicated server you will have to test hardware regularly and/or install firmwares because of security and/or related - bugs.

Basic diagnostics you can test live but for the rest the server needs to reboot anyway.

Finally, Enterprise Linux already provides a standard and free option to In-memory kernel upgrade your OS with kexec.

And you are good to go!

 

KernelCare uses kpatch or used to use kpatch.

KernelCare automates kpatch and delivers patches as a service and installs them auttomatically. Theoretically, you could set that up yourself and install these patches yourself with kpatch. Because the KernelCare patches and Red Hat's kpatch are freely available.

KernelCare Patches
Kernel Administration Guide Red Hat Enterprise Linux 7 | Red Hat Customer Portal