Protecting Your Linux Systems with Oracle Ksplice

Staying Ahead of Cyberthreats: Protecting Your Linux Systems with Oracle Ksplice

The Advantages Of Zero-Downtime Patching

TABLE OF CONTENTS Introduction 2 Why Patching Matters 2 About Oracle Ksplice 3 Other Benefits 3 Conclusion 4 Learn More 4

1 WHITE PAPER | Staying Ahead of Cyberthreats: Protecting Your Linux Systems

INTRODUCTION IT systems require regular patching for security, performance, and compliance reasons. For Linux operating system (OS) kernel updates, which include “Availability requirements important new security enhancements and bug fixes, releases happen about 1 are on the rise for once per month. These updates help keep systems current with the latest organizations undergoing innovations. However, manually patching systems has many inherent digital transformations. challenges and difficulties which tends to delay their timely application. For this Downtimes are costly, reason, zero-downtime patching solutions for Linux, like Oracle Ksplice, are with unplanned becoming essential tools. In this paper, Oracle Ksplice’s capabilities and many infrastructure downtimes advantages are explained. costing $100,000 per hour on an average. With Why Patching Matters the possibility of every organization being a Inadequate patch management can leave loopholes in the IT infrastructure leading to target for cyberattacks various security and performance issues. Ideally, patches should be applied shortly after and attackers moving very release to ensure the latest system protections. Patching typically requires downtime quickly to exploit system which, depending on operations, can require weeks or months of advanced planning. vulnerabilities, IDC Most Linux patching also traditionally happens at the disk level for file systems, which has recommends several disadvantages. First, the systems need to be taken offline in order to apply the organizations to deploy updates. These planning cycles can be time consuming, as teams need to coordinate patches as quickly as around the planned downtime. Secondly, once any patches and updates are applied, possible after the patches applications and services need to then be rebooted and brought back online. become available. In- memory patching Rebooting often entails its own set of problems and risks. For example, a rebooted system solutions like Oracle may not start up again properly. Additionally, it may cause an unintended disruption in Ksplice enable another part of the network. Not to mention, rebooting systems with numerous cores and organizations to deploy large quantities of memory could take a long time, in some case several hours, before they security patches for Linux are fully up and running again. operating system swiftly, thereby enabling the The overall time period required to manually patch and then reboot systems can be quite organizations to protect extensive, thereby negatively affecting business operations. This can make organizations their system without any reluctant to apply updates each time they are released. While postponement is a tempting system downtime or practice, it is also risky. During this lag time, Linux systems may be vulnerable to security reboots.” breaches and system crashes which could have costly consequences on several levels: -Sriram Subramanian business disruptions, data breaches, reputation damage, and possible compliance violation penalties. Unexpected disruptions are also costly in terms of IT teams who need to spend Research Director, IDC

1 “Ksplice: Zero-Downtime Updates for Oracle Linux and Oracle VM” http://www.oracle.com/us/technologies/linux/ksplice-datasheet-487388.pdf 2 WHITE PAPER | Staying Ahead of Cyberthreats: Protecting Your Linux Systems

time troubleshooting unnecessarily as an existing path might be available to resolve the issue. "With Ksplice, we can now apply patches without About Oracle Ksplice needing to reboot the systems." In the face of increasingly sophisticated cyberthreats, protecting IT systems regularly with -Toshiaki Horio Linux updates has become vitally important. To help administrators do this more easily, Oracle Ksplice offers an automated zero-downtime solution that simplifies the patching Senior Vice President, NTT Data process. Intellilink

Customers with an Oracle Linux Premier Support subscription have access to Ksplice at no additional cost. It is available for both on premise and cloud deployments. Ksplice allows users to automate patching of the Linux kernel, both Xen and KVM hypervisors, and critical "For many years Ksplice user space libraries. 2 Ksplice is currently the only solution to offer user space patching. has enabled us to perform real-time Linux security 3 Administrators have options for how they want to make their Ksplice updates. They can patching without the need have these applied either directly from the Ksplice servers or by using yum as a delivery for costly downtime or mechanism. Using yum as the delivery mechanism for Ksplice patches allows customers to extensive resource leverage their existing yum-based management tools including Oracle Enterprise Manager planning. Ksplice has and Spacewalk. The yum tool remains responsible for updating on-disk packages, while driven higher service updates made via Ksplice (regardless of delivery mechanism) are made to server memory stability and increased and do not require a reboot. system security.” This approach is advantageous for several reasons. Namely, because Linux patches and -Jon Alessandrello updates can be applied while systems are still running. This means no downtime or Supervisor of Systems and rebooting is necessary. Secondly, Ksplice easily reduces the laborious time-consuming Telecommunication Services, planning cycles traditionally associated with patching downtime. Thirdly, Ksplice updates State University of New York (SUNY) Information Technology typically install within a few seconds or minutes. Lastly, Ksplice easily enables the Exchange Center (ITEC) application of kernel fixes and security patches as soon as these updates become available. Administrators can choose to automate this process, if desired. This makes it easier for IT administrators to keep Linux systems security and performance at optimal levels. Ksplice also allows patches to be rolled back to previous patch levels should it ever be required.

Figure 1.1 Lifecycle of a Ksplice Update

Other Customer Benefits In these short videos, hear from NTT Data Intellilink, United, and Shoe Carnival. Additional customer benefits of using Oracle Ksplice are explained below.

2 "About Ksplice: Frequently Asked Questions" https://ksplice.oracle.com/help/faq#about-ksplice 3 Oracle Ksplice User's Guide - https://docs.oracle.com/en/operating-systems/oracle-linux/ksplice-user/ 3 WHITE PAPER | Staying Ahead of Cyberthreats: Protecting Your Linux Systems

Minimize Labor Costs Oracle Ksplice helps to minimize labor costs in several ways. Given systems no longer need to be offline, IT teams can avoid the high labor costs typically associated with manual software patching. Organizations also save on labor costs related to troubleshooting issues that may have arisen during a reboot cycle. Increase Patching Cadence Using Oracle Ksplice means that patching is a simpler process and can be done more regularly and easily, resulting in Linux systems having the latest updates and protections. Improve Security Regularly applying patches and software updates is the best practice for protecting Linux systems. Oracle Ksplice’s automated patching capability applies fixes and updates shortly after they are released. This can significantly reduce the window of vulnerability which helps protect systems from security exploits or data breaches. Improve System Availability Oracle Ksplice allows Linux systems to stay in production and up to date with the latest fixes and enhancements, helping to protect against known issues or unplanned downtime. Improve Support Diagnostic Capabilities When a Linux kernel is not performing normally, Oracle Ksplice can be applied temporarily to help with diagnostics. While applied, Ksplice can retrieve the needed debugging and logging information from the kernel. Ksplice could remain for any needed in-memory code fixes. Afterwards, if desired, Ksplice can be removed. During this entire process systems are able to continue running normally. Maintain Workload Uptime Oracle Ksplice supports only the patches and updates that do not make significant semantic changes to a kernel's data structures. This means existing workloads are not disrupted. Additionally, if an administrator wants to roll back an update for any reason, it can be easily done, also without system disruptions or needing to reboot.

CONCLUSION Given the importance of applying Linux patches and updates regularly, the Oracle Ksplice zero-downtime patching solution is the optimal tool to help organizations better protect their systems without downtime or reboot cycles. Therefore patching can happen more easily, regularly and at a lower cost. For these reasons and advantages, customers worldwide are increasingly using Ksplice with their Oracle Linux deployments.

Learn More  Oracle Ksplice https://ksplice.oracle.com/  Oracle Ksplice User's Guide https://docs.oracle.com/en/operating-systems/oracle-linux/ksplice-user/  Oracle Linux yum server https://yum.oracle.com/  Using Oracle Ksplice as a Diagnostic Tool with Oracle Support http://www.oracle.com/us/technologies/linux/using-ksplice-wp-2228962.pdf  NTT Intellilink customer video https://video.oracle.com/detail/video/5832273976001/ntt-data-intellilink-switches-to- oracle-linux

4 WHITE PAPER | Staying Ahead of Cyberthreats: Protecting Your Linux Systems

 Shoe Carnival customer video https://video.oracle.com/detail/video/6108811481001/shoe-carnival-increases-security- and-availability-with-oracle-linux  United customer video https://video.oracle.com/detail/video/5630331985001/united- airlines-sees-zero-downtime-using-oracle-linux

5 WHITE PAPER | Staying Ahead of Cyberthreats: Protecting Your Linux Systems

CONNECT WITH US

Call +1.800.ORACLE1 or visit oracle.com. Outside North America, find your local office at oracle.com/contact.

blogs.oracle.com facebook.com/oracle twitter.com/oracle

Copyright © 2020, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0120

Staying Ahead of Cyberthreats: Protecting Your Linux Systems April, 2020 Author: Melody Wood