Originally posted by AndreasMeyer:
kGraft patches your kernel only "in RAM" (with kgraft-patch_3_2_1). kGraft doesn't install any kernel updates "on disk".
If your machine runs a supported kernel version, you can safely stay with kGraft on this kernel version until EoL (end of life).

With kGraft:
=> the running kernel is fully patched "in RAM".
=> receives all necessary security updates by kgraft-patch
=> Your kernel image files on hard disc don't receive any security updates (by kgraft-patch)

Does it mean that 'uname -r' would keep reporting the old kernel? If so, how can I justify to auditors that the system is running on a patched/updated kernel?
Also, does kGraft only address security bugs, i.e. only receive security updates, or non-security updates too?