Why Waiting For Your Next Linux Reboot is Making You Insecure
You’ve just installed a kernel update, and now you need to carry out a Linux reboot. Except guess what? You don’t. Word is only just starting to get out, but times have changed, and rebooting is a thing of the past. This is a very positive development: because rebooting to patch is a hassle, companies frequently delay it for as long as they can – with damaging consequences.
Countering Linux Vulnerabilities
Performing a Linux reboot after a kernel update is one of those imperfect processes that unfortunately has become established as standard practice. Linux is awesome, but as any SysAdmin will tell you, it is complicated. And with complexity comes bugs. Every year, hundreds of Linux vulnerabilities emerge, some of them very threatening indeed. To counter such vulnerabilities, Linux vendors are constantly providing partial patch updates for the kernel.
Right now, 99% of organisations patch the same way: by initiating a Linux reboot. But rebooting is a pain. It can take forever, and it usually has to be done in the middle of the night to minimize the impact on peak-time services. While the servers are being rebooted, the websites they host go down and display an error message.
The Noncompliance Risk
Because every Linux reboot is a headache, people put it off for as long as they can. They bundle up loads of patches as they are released, and only go through with the reboot once they have piled up and can’t be ignored anymore. Perhaps that’s the place you’re at right now.
But this delay means that patches aren’t applied as early as possible. Sometimes months go by. This gap between patch issue and patch application presents a major security risk. (It also probably makes you noncompliant.)
Kernel patching reliant on a Linux reboot is a ticking time bomb. The solution? Live kernel patching. At KernelCare, our kernel team monitors security mailing lists. When a vulnerability affecting supported kernels is announced, we prepare a patch as soon as technically possible. When a new patch is available for the active kernel, the agent downloads it and applies it to the running kernel, right away. No Linux reboot. With this process, kernel updates are applied as quickly as possible, protecting you from bad actors, and keeping you compliant. This happens without a moment of kernel downtime or any disruption of its operation.
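The “gap between patch issue and patch application” described above is easy to measure on a conventionally patched host: a newer kernel package has been installed, but the kernel actually running is still the old one because no reboot has happened. The script below is an added example, not KernelCare’s agent or any code from this post. It assumes GNU `sort -V` (version sort) and the Debian/RHEL convention of installed kernels appearing as `/boot/vmlinuz-<version>`; the version strings in the test are constructed sample values.

```shell
#!/bin/sh
# Added example: detect a pending kernel update that is installed on disk but
# not yet active, i.e. the host is running an older kernel than it has available.
# Assumes GNU coreutils (sort -V) and /boot/vmlinuz-<version> naming.

# version_lt A B -> succeeds when version A sorts strictly before version B
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# newest_kernel LIST -> prints the highest version in a newline-separated list
newest_kernel() {
    printf '%s\n' "$1" | sed '/^$/d' | sort -V | tail -n1
}

# patch_gap RUNNING INSTALLED_LIST -> prints one of:
#   pending  - a newer installed kernel exists than the one running (reboot or live patch outstanding)
#   current  - the running kernel is the newest installed
#   unknown  - no installed kernels could be listed (e.g. /boot not readable)
patch_gap() {
    running=$1
    newest=$(newest_kernel "$2")
    if [ -z "$newest" ]; then
        echo unknown
    elif version_lt "$running" "$newest"; then
        echo pending
    else
        echo current
    fi
}

# installed_kernels -> lists kernel versions present under /boot on this host
installed_kernels() {
    for f in /boot/vmlinuz-*; do
        [ -e "$f" ] && printf '%s\n' "${f#/boot/vmlinuz-}"
    done
}

# Live check on this host, only when invoked as: sh patch_gap.sh check
if [ "${1:-}" = "check" ]; then
    running=$(uname -r)
    echo "running kernel: $running"
    echo "newest on disk: $(newest_kernel "$(installed_kernels)")"
    echo "status:         $(patch_gap "$running" "$(installed_kernels)")"
fi
```

Run with `sh patch_gap.sh check` on each host (or from your configuration-management or monitoring tooling) and alert on `pending`; the number of days a host stays in that state is exactly the exposure window the post is talking about, and it is the figure an auditor will ask about.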
Eliminate Your Next Linux Reboot
At KernelCare, we have 300,000 servers that haven’t needed a Linux reboot in four years. Live kernel patching might have been a mirage once. But today, it is a reality. And it should be a feature of every responsible organization’s security posture. If you are currently exploring the best way to carry out a Linux reboot, go one better, and don’t reboot at all.
To get the full lowdown on why rebooting your servers is making you insecure and noncompliant – and why it’s a matter of time until you discover this the hard way – read our full whitepaper here.
Keep reading: How to Secure Linux by Patching in Real-Time