Introducing Oracle Linux and Securing it with Ksplice

July 14 2016 Oracle Japan Global Business Unit Oracle Linux and Oracle VM Sales Principal Sales Consultant Fumiyasu Ishibashi

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains the sole discretion of Oracle.

Copyright © 2015 Oracle and/or its affiliates. All rights reserved.

Agenda
• Summary of Oracle Linux
• Live patching with Ksplice

Summary of Oracle Linux


Introducing Oracle Linux

• Linux support from 1998; Oracle's own distribution since 2006
• Supports existing RHEL and CentOS installations: 24x7, one-stop, long-term support
• Free to download, free to use, completely open source: https://linux.oracle.com
• Includes support for many Oracle software products
• You can choose the kernel: UEK (Unbreakable Enterprise Kernel) or the Red Hat Compatible Kernel, 100% binary compatible, with the same glibc
• Live patching for kernel and userspace (Ksplice)
• DTrace, OCFS2, Clusterware, ...
• Non-Oracle hardware supported

Oracle Linux Support

[Chart: support lifecycle for Oracle Linux Premium Support, Extended Support and Sustaining Support, Oracle versus standard: 10 years, 1 year, 1 year, 1 year, indefinite ("endless support").]

Oracle Linux Support

Support levels: Oracle Linux Network Support, Oracle Linux Basic Support, Oracle Linux Premier Support.

Features shown on the slide:
• Login account for ULN
• Downloading, fixes, errata
• 24x7 online and phone support
• Oracle Clusterware free of use and support
• Oracle Enterprise Manager free of use and support
• Spacewalk support
• Oracle OpenStack for Oracle Linux support
• Ksplice support
• DTrace support
• Lifetime Sustaining Support

Oracle Linux Subscription Pricing

• Buy support for the systems you need; use the same software with updates on everything!
• Oracle only counts physical sockets; no limit on cores or number of virtual guests.

Level                                                      Price
Installable binaries and errata                            Free
Basic Limited (24x7, unlimited support; 2 or less CPUs)    $499
Basic (24x7, unlimited support; more than 2 CPUs)          $1,199
Premier Limited (24x7, unlimited support; 2 or less CPUs)  $1,399
Premier (24x7, unlimited support; more than 2 CPUs)        $2,299

Unbreakable Linux Network (ULN) https://linux.oracle.com

Oracle's version of RHN: the portal site for Oracle Linux. Download rpm packages.

Unbreakable Linux Network User's Guide
• How to register your server to ULN
• How to set up a ULN mirror site
(English) https://docs.oracle.com/cd/E37670_01/E39381/html/index.html
(Japanese) https://docs.oracle.com/cd/E39368_01/b72803/index.html

Switching from RHN to ULN https://linux.oracle.com/switch.html

Free to use our public yum repo http://public-yum.oracle.com/


Oracle Linux security information on ULN

• Searching errata and CVEs
  – http://linux.oracle.com/errata/
  – http://linux.oracle.com/cve/
• New errata are announced through the mailing list
  – https://oss.oracle.com/mailman/listinfo/el-errata


Live patching with Ksplice


Ksplice

• Zero downtime patching: patch without rebooting the OS or restarting services.
• Rollback: if something goes wrong with the new patch, you can roll back to the state where the apps were fine.
• Not only the kernel but also userspace applications like glibc and openssl.
• Also used for support: a debug kernel can be applied temporarily.
• Fast errata release: since the patching data is completely under Oracle's control, we provide fully tested patches as fast as we can.
• Proven history: released in 2008, joined Oracle in 2011.

Benefits from Ksplice

• Vulnerability: easier to patch vulnerability issues.
• Reducing administration work: no more maintenance plan for patching. It can also patch automatically instead of you.
• Easier to solve problems: in some cases our support team will give you a Ksplice debug kernel patch so support can collect more information on the problem you have, of course without a reboot.
• Security compliant: it will be easier to be security compliant if you don't need a reboot for patching security fixes.

Using Ksplice on-line or off-line

• Needs Oracle Linux Premier Support

[Diagram: four topologies. On-line: the Ksplice client connects to the Ksplice server on ULN over the internet, directly or via a proxy. Via ULN mirror: a ULN mirror (local yum) syncs from ULN over the internet and the Ksplice client pulls from the mirror. Off-line: patches are copied from ULN to a local ULN repo / ULN mirror (local yum) that the Ksplice client uses.]

Ksplice Technology

[Diagram: before Ksplice, the buggy code sits in memory. After Ksplice patching, the new code is loaded into memory and a jump to it is inserted, so the buggy code is bypassed.]

Ksplice Inspector
• https://ksplice.oracle.com/inspector
• Validate the patch level of your kernel; apply the patches you need

Ksplice Desktop http://ksplice.oracle.com/try/desktop
• Free of charge
• No support

• Ubuntu 16.04 Xenial
• Ubuntu 15.10 Wily
• Ubuntu 15.04 Vivid
• Ubuntu 14.04 LTS Trusty
• Ubuntu 12.04 LTS Precise
• Fedora 22
• Fedora 23
• Fedora 24

Ksplice GUI (Ubuntu and Fedora only)

Ksplice 30 days trial http://ksplice.oracle.com/try/trial
• Easy to register and use it for 30 days
• RHEL 5, 6, 7 and Oracle Linux 5, 6, 7 supported

Easy installation
• Get a ULN account (trial or Premier support)
• Register your server to ULN
• Add the Ksplice channel subscription to your server from the ULN web site

• Install uptrack

# yum install -y uptrack

• Done. No reboot. * You can also uninstall it

Ksplice Command Line Tools (1/4) uptrack-show

• uptrack-show command: lists the kernel patches that are applied. The bracketed string at the start of each line is the Ksplice ID.

# uptrack-show
Installed updates:
[guclwyc2] CVE-2012-0957: Information leak in syscall.
[j4d07e02] Kernel panic in IPv4 ARP and IPv6 Neighbor Discovery.
[r8og1ec4] CVE-2013-1979: Privilege escalation with UNIX socket credentials.
#

• With the --available option, you can find the patches that are available.

# uptrack-show --available
Available updates:
[fiq04xbb] CVE-2013-2237: Information leak on IPSec key socket.
[9q4luou3] CVE-2014-3687: Remote denial-of-service in SCTP stack.
#

Ksplice Command Line Tools (2/4) uptrack-upgrade/uptrack-install

• uptrack-upgrade command: applies all patches that are available.

# uptrack-upgrade -y
The following steps will be taken:
Install [guclwyc2] CVE-2012-0957: Information leak in uname syscall.
Install [j4d07e02] Kernel panic in IPv4 ARP and IPv6 Neighbor Discovery.
Install [r8og1ec4] CVE-2013-1979: Privilege escalation with UNIX socket credentials.
Install [fiq04xbb] CVE-2013-2237: Information leak on IPSec key socket.
Install [9q4luou3] CVE-2014-3687: Remote denial-of-service in SCTP stack.
Installing [guclwyc2] CVE-2012-0957: Information leak in uname syscall.
Installing [j4d07e02] Kernel panic in IPv4 ARP and IPv6 Neighbor Discovery.
Installing [r8og1ec4] CVE-2013-1979: Privilege escalation with UNIX socket credentials.
Installing [fiq04xbb] CVE-2013-2237: Information leak on IPSec key socket.
Installing [9q4luou3] CVE-2014-3687: Remote denial-of-service in SCTP stack.
Your kernel is fully up to date.
Effective kernel version is 2.6.39-400.215.13.el6uek
#

• uptrack-install lets you apply a specific patch level (by Ksplice ID).

# uptrack-upgrade guclwyc2 -y
The following steps will be taken:
Install [guclwyc2] CVE-2012-0957: Information leak in uname syscall.
Installing [guclwyc2] CVE-2012-0957: Information leak in uname syscall.
Your kernel is fully up to date.
#

Ksplice Command Line Tools (3/4) uptrack-remove

• uptrack-remove command: removes all the patches applied by Ksplice.

# uptrack-remove -y
The following steps will be taken:
Remove [guclwyc2] CVE-2012-0957: Information leak in uname syscall.
Remove [j4d07e02] Kernel panic in IPv4 ARP and IPv6 Neighbor Discovery.
Remove [r8og1ec4] CVE-2013-1979: Privilege escalation with UNIX socket credentials.
Remove [fiq04xbb] CVE-2013-2237: Information leak on IPSec key socket.
Remove [9q4luou3] CVE-2014-3687: Remote denial-of-service in SCTP stack.
#
# uptrack-show
Installed updates:
None
#

• With uptrack-remove you can also roll back to the level you want.

# uptrack-remove -y 9q4luou3
The following steps will be taken:
Remove [9q4luou3] CVE-2014-3687: Remote denial-of-service in SCTP stack.
#

Ksplice Command Line Tools (4/4) uptrack-uname

• The uname command outputs the kernel version that is on the disk. To see the Ksplice kernel patch level, use uptrack-uname.

Before applying any Ksplice patch:

# uptrack-show
Installed updates:
None
# uname -r
2.6.39-300.26.1.el6uek.x86_64
# uptrack-uname -r
2.6.39-300.26.1.el6uek.x86_64

After applying Ksplice patches:

# uptrack-upgrade -y
The following steps will be taken:
Install [guclwyc2] CVE-2012-0957: Information leak in uname syscall.
Install [j4d07e02] Kernel panic in IPv4 ARP and IPv6 Neighbor Discovery.
...
Installing [fiq04xbb] CVE-2013-2237: Information leak on IPSec key socket.
Installing [9q4luou3] CVE-2014-3687: Remote denial-of-service in SCTP stack.
Your kernel is fully up to date.
Effective kernel version is 2.6.39-400.215.13.el6uek
# uname -r
2.6.39-300.26.1.el6uek.x86_64
# uptrack-uname -r
2.6.39-400.215.13.el6uek.x86_64
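A small audit helper, added here as an example and not part of Oracle's slides or the uptrack tools: it parses uptrack-show style output (a constructed sample in the format shown above) to count pending updates, pull out the CVE numbers, and report from uname -r versus uptrack-uname -r whether live patches are active.

```shell
#!/bin/sh
# Added audit helper (not from the Oracle slides). The sample text is
# constructed to match uptrack-show's format; a real run would pass in
# "$(uptrack-show --available)", "$(uname -r)" and "$(uptrack-uname -r)".

INSTALLED='Installed updates:
[guclwyc2] CVE-2012-0957: Information leak in uname syscall.
[j4d07e02] Kernel panic in IPv4 ARP and IPv6 Neighbor Discovery.
[r8og1ec4] CVE-2013-1979: Privilege escalation with UNIX socket credentials.'

AVAILABLE='Available updates:
[fiq04xbb] CVE-2013-2237: Information leak on IPSec key socket.
[9q4luou3] CVE-2014-3687: Remote denial-of-service in SCTP stack.'

NOTHING='Installed updates:
None'

# Count update lines, i.e. lines starting with a bracketed Ksplice ID.
# The header line and the "None" placeholder are not counted.
count_updates() {
    printf '%s\n' "$1" | awk '/^\[[a-z0-9]+\]/ { n++ } END { print n + 0 }'
}

# Print only the CVE identifiers, one per line; updates without a CVE
# (such as the ARP kernel panic fix) are skipped.
list_cves() {
    printf '%s\n' "$1" | sed -n 's/^\[[a-z0-9]*\] \(CVE-[0-9]*-[0-9]*\):.*/\1/p'
}

# Return 0 when nothing is pending in "uptrack-show --available" output,
# 1 otherwise, with a warning on stderr that cron or monitoring can pick up.
assert_fully_patched() {
    pending=$(count_updates "$1")
    if [ "$pending" -ne 0 ]; then
        echo "WARNING: $pending Ksplice update(s) pending: $(list_cves "$1" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Describe the live-patch state from "uname -r" ($1) and "uptrack-uname -r" ($2):
# the two differ exactly when Ksplice patches are active.
patch_status() {
    if [ "$1" = "$2" ]; then
        echo "no Ksplice patches active (effective kernel $2)"
    else
        echo "live-patched: on-disk $1, effective $2"
    fi
}
```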

Ksplice configuration file

• /etc/uptrack/uptrack.conf
• You can set a proxy server:
  https_proxy = https://proxy_URL:https_port
• If you want patches applied automatically (default no). Ran by .
  autoinstall = yes
• If set to "yes", the kernel will be at the same patch level as before the reboot (default yes):
  install_on_reboot = yes
• If you also want new patches applied automatically after a reboot, set yes (default no):
  upgrade_on_reboot = yes

Uptrack API Tools
• RESTful web API
• The command line API tools are included with the Python bindings for the API in the python-ksplice-uptrack package.
• The details are described on our sites:
  – http://ksplice.oracle.com/uptrack/api
  – https://docs.oracle.com/cd/E37670_01/E39380/html/ol_kspapi.html

Ksplice Enhanced Client
• New feature from 2015
• The Ksplice Enhanced Client can patch in-memory pages of Ksplice-aware shared libraries.
• Currently for glibc and openssl user-space processes
• Additional packages are needed to enable the Ksplice Enhanced Client.

# yum install -y ksplice

• Also need to update the system to install the Ksplice-aware versions of the user-space libraries:

# yum update *glibc *openssl*

Ksplice Enhanced Client command (1/3) ksplice all list-targets

The ksplice all list-targets command displays the running user-space processes that the client can patch.

# ksplice all list-targets
User-space targets:

glibc-ISO8859-1-2.17.78.0.1.1.ksplice25.el7
└─ gnome-shell (3783)

glibc-libutil-2.17.78.0.1.1.ksplice25.el7
├─ firewalld (680)
├─ tuned (695)
├─ libvirtd (1492)
├─ sshd (1497)
├─ httpd (1503)
├─ httpd (1706)
├─ httpd (1707)
...
├─ abrt-applet (3980)
├─ tracker-miner-f (4040)
├─ gvfsd-trash (4062)
├─ sshd (29328)
├─ packagekitd (29465)
└─ python (29679)
...
Kernel version: Linux/x86_64/3.10.0-229.el7.x86_64/#1 SMP Fri Mar 6 04:05:24 PST 2015

Ksplice Enhanced Client command (2/3) ksplice all show

The ksplice all show command lists the patched user-space processes with the updates applied to them, followed by the installed kernel updates.

# ksplice all show
httpd (1706)
httpd (1708)
httpd (1707)
rsyslogd (689)
chronyd (705)
httpd (1503)
├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
└─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().

Ksplice kernel updates installed:

Installed updates:
[rfywob9d] Clear garbage data on the kernel stack when handling signals.
[6w5ho5e2] Provide an interface to freeze tasks.
...
[89yjgn50] CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.
[g327jyvw] CVE-2015-2922: Denial-of-service of IPv6 networks when handling router advertisements.


Demo

• Demo environment

[Diagram: this PC runs a VirtualBox VM guest with Oracle Linux 6.2 (1 vCPU, 4 GB RAM, Linux kernel 2.6.32-220.el6.x86_64) as the Ksplice client, connected over the internet to ULN / the Ksplice server.]

Learn More about Oracle Linux: Our Communities, Visit Websites For More Information


• Twitter: @ORCL_Linux
• Facebook.com/OracleLinux
• Blogs.oracle.com/linux
• Oracle Linux Experts Group
• YouTube.com/oraclelinuxchannel

Home page: oracle.com/linux
Ksplice: ksplice.oracle.com
Download: edelivery.oracle.com/linux
