Stop rebooting your SUSE Micro servers. Learn how to apply, automate, and verify kernel livepatches for moderate CVE fixes on Ubuntu, Rocky, and SUSE. Includes a no-update mitigation script.
In April 2026, SUSE released a moderate kernel livepatch (SUSE-SU-2026:21242-1) for SUSE Linux Micro 6.0 containing 10 fixes. This is a typical monthly update. But the real question is: Are you still rebooting your servers for kernel patches?
Whether or not you use SUSE, kernel livepatching is the standard for keeping production systems secure without downtime. Below is a reusable playbook that works today, next month, and next year.
1. How to check if your kernel is vulnerable
Run these commands to verify if a livepatch is already applied or if you need a reboot.
SUSE Linux Micro / SLES (kgraft / kpatch)
# List applied livepatches
zypper patches | grep livepatch

# Confirm kernel is patched
uname -r                              # base kernel version; a livepatch does NOT change this value
cat /sys/kernel/livepatch/*/enabled   # 1 = livepatch loaded and active (kernel's livepatch sysfs interface)
grep -i livepatch /var/log/messages
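The `uname -r` check above is easy to misread: a livepatch never changes the reported kernel version, so the authoritative source is the kernel's own livepatch sysfs tree. The following helper is an added example, not code from the original article or from SUSE. It walks `/sys/kernel/livepatch/<patch>/` (the `enabled` and `transition` files are the upstream kernel interface) and reports whether at least one patch is enabled and not mid-transition. The root directory is a parameter so it can be pointed at a constructed fixture for testing; the `check` argument is this script's own convention.

```shell
#!/bin/sh
# Added example: verify livepatch state from the kernel's sysfs interface.
LIVEPATCH_ROOT=${LIVEPATCH_ROOT:-/sys/kernel/livepatch}

# livepatch_state ROOT
#   Prints one line per loaded patch: "<name> enabled=<0|1> transition=<0|1>".
#   Returns 0 if at least one patch is enabled and its transition has finished
#   (i.e. every task is running the patched code), 1 otherwise.
livepatch_state() {
  root=$1
  active=0
  if [ ! -d "$root" ]; then
    echo "no livepatch loaded or no livepatch support ($root missing)"
    return 1
  fi
  for dir in "$root"/*/; do
    [ -d "$dir" ] || continue          # glob did not match: no patches loaded
    name=$(basename "$dir")
    enabled=$(cat "$dir/enabled" 2>/dev/null || echo "?")
    transition=$(cat "$dir/transition" 2>/dev/null || echo "?")
    echo "$name enabled=$enabled transition=$transition"
    if [ "$enabled" = 1 ] && [ "$transition" = 0 ]; then
      active=1
    fi
  done
  [ "$active" = 1 ]
}

# Usage: sh livepatch-status.sh check
if [ "${1:-}" = "check" ]; then
  echo "running kernel: $(uname -r) (unchanged by livepatches)"
  if livepatch_state "$LIVEPATCH_ROOT"; then
    echo "RESULT: livepatch active, no reboot needed for patched functions"
  else
    echo "RESULT: no active livepatch; check the update or plan a reboot"
    exit 1
  fi
fi
```

A non-zero exit makes this usable as a post-update gate in the automation script of the next section: apply the update, then refuse to report success unless a patch shows `enabled=1 transition=0`.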
2. Automation script to apply the fix
Save this as apply-livepatch.sh – it detects the distro and applies the update.
#!/bin/bash
# Evergreen Livepatch Applicator – Works on Ubuntu 20.04+, Rocky 9+, SUSE Micro 6.0+
set -e

echo "Checking distribution..."
if [ ! -f /etc/os-release ]; then
    echo "Cannot detect OS."
    exit 1
fi
. /etc/os-release

case $ID in
    ubuntu)
        # The token file path is this script's own convention; store your Livepatch token there
        sudo canonical-livepatch enable "$(cat /etc/canonical-livepatch/token)" 2>/dev/null || echo "Token required"
        sudo canonical-livepatch refresh
        ;;
    rocky|almalinux|centos)
        # kpatch-patch RPMs load the livepatch module themselves on install/update,
        # so no manual 'kpatch install' of a .kpatch file is needed
        sudo dnf install -y kpatch kpatch-patch
        sudo dnf update -y kpatch-patch
        sudo kpatch list
        ;;
    suse|sles|microos)
        # Check $ID in /etc/os-release on your host and add it to this pattern if it differs.
        # On SUSE Linux Micro the root filesystem is read-only and package changes go through
        # transactional-update; confirm the documented livepatch workflow before relying on plain zypper.
        sudo zypper refresh
        # zypper has no --livepatch switch; the security category includes kernel livepatch packages
        sudo zypper patch --category security
        ;;
    *)
        echo "Distro not supported by script. Use manual method."
        exit 1
        ;;
esac

echo "Livepatch applied. No reboot required."
Run with: chmod +x apply-livepatch.sh && sudo ./apply-livepatch.sh
3. Alternative mitigation if you can't update now
Mitigation using iptables (prevents remote trigger)
# Example: Block new SMB/CIFS connections (common kernel exploit vector)
iptables -A INPUT -p udp --dport 137:138 -j DROP
iptables -A INPUT -p tcp --dport 139 -j DROP
iptables -A INPUT -p tcp --dport 445 -j DROP

# Save rules
iptables-save > /etc/iptables/rules.v4
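Run the rules above twice and you get duplicate entries, and nothing records how to undo them once the livepatch lands. The script below is an added example, not from the original article: it checks each rule with `iptables -C` before appending, counts what it actually changed, and provides a matching revoke step for the same three rules. The `apply`/`revoke` arguments and the `MITIGATION_ADDED`/`MITIGATION_REMOVED` variables are this script's own convention; the persist path is the iptables-persistent location the article uses.

```shell
#!/bin/sh
# Added example: idempotent, reversible version of the SMB/CIFS firewall mitigation.
# Requires root on a real host; iptables must be on PATH.

# Rule list mirrors the article: "proto/dport(s)" pairs.
SMB_RULES="udp/137:138 tcp/139 tcp/445"

# ensure_drop PROTO DPORT
#   Appends the DROP rule only when it is not already present.
#   Returns 0 if a rule was added, 1 if it was already there.
ensure_drop() {
  if iptables -C INPUT -p "$1" --dport "$2" -j DROP 2>/dev/null; then
    return 1
  fi
  iptables -A INPUT -p "$1" --dport "$2" -j DROP
}

# remove_drop PROTO DPORT
#   Deletes every copy of the rule (cleans up stacked duplicates from earlier runs).
#   Returns 0 if at least one rule was removed, 1 if none was present.
remove_drop() {
  removed=1
  while iptables -C INPUT -p "$1" --dport "$2" -j DROP 2>/dev/null; do
    iptables -D INPUT -p "$1" --dport "$2" -j DROP
    removed=0
  done
  return $removed
}

# apply_smb_mitigation: sets MITIGATION_ADDED to the number of rules newly added.
apply_smb_mitigation() {
  MITIGATION_ADDED=0
  for spec in $SMB_RULES; do
    proto=${spec%%/*}
    port=${spec#*/}
    if ensure_drop "$proto" "$port"; then
      MITIGATION_ADDED=$((MITIGATION_ADDED + 1))
    fi
  done
}

# revoke_smb_mitigation: sets MITIGATION_REMOVED to the number of rules removed.
revoke_smb_mitigation() {
  MITIGATION_REMOVED=0
  for spec in $SMB_RULES; do
    proto=${spec%%/*}
    port=${spec#*/}
    if remove_drop "$proto" "$port"; then
      MITIGATION_REMOVED=$((MITIGATION_REMOVED + 1))
    fi
  done
}

# persist_rules: iptables-persistent path (Debian/Ubuntu); other distros differ.
persist_rules() {
  iptables-save > /etc/iptables/rules.v4
}

# Usage: sudo sh smb-mitigation.sh apply   (before the livepatch)
#        sudo sh smb-mitigation.sh revoke  (after the livepatch is verified active)
case "${1:-}" in
  apply)  apply_smb_mitigation;  echo "added $MITIGATION_ADDED rule(s)";    persist_rules ;;
  revoke) revoke_smb_mitigation; echo "removed $MITIGATION_REMOVED rule(s)"; persist_rules ;;
esac
```

Because every change goes through a named function with a counter, a configuration-management run can assert that the second `apply` adds zero rules and that `revoke` removes exactly three, which is how you catch a mitigation that silently drifted.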
AppArmor profile hardening
# Enforce AppArmor profiles on tools that expose kernel attack surface.
# aa-complain only logs violations; aa-enforce actually blocks them, and a profile
# for the binary must already exist for either command to work.
aa-enforce /usr/bin/dmesg     # Limit kernel log info leaks
aa-enforce /usr/bin/unshare   # Limit namespace creation
Warning: These are temporary band-aids. You need livepatching.
Suggested reading:
Mastering Linux Security and Hardening - Third Edition by Donald A. Tevault - Amazon
Why it solves the problem from the article:
The original evergreen content included an "Alternative mitigation if you can't update now" section with iptables rules and AppArmor commands. This book is the complete deep dive on both topics:
- Chapters 4-5 cover iptables and nftables – exactly the firewall rules used in the mitigation section
- Chapter 7 covers SELinux and AppArmor – the MAC systems mentioned in the AppArmor hardening snippet
- Includes OpenSCAP automation – takes the manual "check if vulnerable" commands and turns them into compliance-ready scans
Who needs this: Sysadmins stuck on old kernels who can't use livepatches. Instead of just temporary iptables band-aids, this book teaches permanent defense-in-depth.
Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.