Deep Security and Oracle Linux Ksplice functionality

    • Updated: 28 Apr 2021
    • Product/Version: Deep Security All
    • Platform: Oracle Linux
Summary
Oracle had multiple discussions with security vendors whose applications or agents load kernel modules. The Deep Security Agent can potentially conflict with the Oracle Ksplice patching tool. To avoid potential issues, the Oracle team recommends starting security product kernel drivers only after Oracle Linux and Ksplice have fully loaded.


Ksplice will not modify any hooked functions, as it ensures that patching does not happen unless the function's code exactly matches what Ksplice expects (the original compiled code). Since an interception code hook overwrites the start of the function, Ksplice will notice this and abort application of that patch as a safety measure.  

Oracle is currently looking into providing a way for add-on kernel products to communicate with Ksplice tools and automate everything to make coexistence more user-friendly. In the short term, the following actions will ensure that the products coexist together.
Details
The goal here is to give customers a concise, documented way to disable and re-enable the product easily so that kernel patching can be done while the system is fully running. This should basically be three steps:
 
    1. Disable the product's kernel components with <command>
    2. Perform the Ksplice kernel patching commands provided by the operating system
    3. Re-enable the product with <command>
 
Once Ksplice does additional live patching, the function address list (kallsyms) is updated for the patched function(s), so the product should be able to hook the fixed version of the function, just as it did the original version. The disable/enable commands only need to do what is necessary to restore the function code that was modified by the interception hooks.
 

For Deep Security, perform the following actions.

1. Stop the Deep Security Agent service.
  • service ds_agent stop

Run these commands to confirm that the following kernel modules have been unloaded: gsch, redirfs, tmhook, dsa_filter. None of these kernel drivers should still appear in a loaded state.
  • lsmod | grep gsch
  • lsmod | grep ds

2. Perform the Ksplice kernel patching commands.

3. Start the Deep Security Agent service.
  • service ds_agent start
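
The three steps above as one wrapper script, added here as an example; it is not Trend Micro's or Oracle's own tooling. The Ksplice command is passed in as arguments because the article does not name it, and the script name, function names and the 30-second wait are assumptions.

```shell
#!/bin/sh
# Added example: run a Ksplice command with the Deep Security kernel hooks removed.
# Usage (as root): sh ksplice-with-dsa.sh <Ksplice command and its arguments>

DS_MODULES="gsch redirfs tmhook dsa_filter"  # module names listed in the article

# Print each Deep Security module found in a /proc/modules-style file.
# Compares the whole name field, so unrelated modules such as "rds" never match.
loaded_ds_modules() {
    awk -v want="$DS_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ds[w[i]] = 1 }
        ($1 in ds) { print $1 }
    ' "${1:-/proc/modules}"
}

# Poll for up to $1 seconds; succeed only when no Deep Security module is left.
wait_for_unload() {
    remaining="$1"
    while [ "$remaining" -gt 0 ]; do
        [ -z "$(loaded_ds_modules "${2:-/proc/modules}")" ] && return 0
        sleep 1
        remaining=$((remaining - 1))
    done
    [ -z "$(loaded_ds_modules "${2:-/proc/modules}")" ]
}

# Steps 1-3 of the article: stop the agent, patch, start the agent again.
patch_with_agent_stopped() {
    service ds_agent stop || return 1
    if ! wait_for_unload 30; then
        # Hooks are still in place, so Ksplice would abort: skip the patch step.
        echo "still loaded: $(loaded_ds_modules | tr '\n' ' ')" >&2
        service ds_agent start
        return 1
    fi
    rc=0
    "$@" || rc=$?                      # the Ksplice command supplied by the caller
    service ds_agent start || return 1 # restore protection even if patching failed
    return "$rc"
}

# Only act when a command was supplied on the command line.
if [ "$#" -gt 0 ]; then
    patch_with_agent_stopped "$@"
fi
```

The exit status is that of the Ksplice command, so a scheduler or configuration-management run can tell a failed patch from a failed agent restart by checking the log line on stderr.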
Category: Configure
Solution Id: 000286411