Adding KernelCare patch via command line

Discussion in 'Security' started by CanSpace, Sep 25, 2018.

  1. CanSpace

    CanSpace Member

    Joined:
    Nov 25, 2011
    Messages:
    22
    Likes Received:
    2
    Trophy Points:
    53
    cPanel Access Level:
    DataCenter Provider
    We use a script to provision new servers and one step we'd like to add is provisioning kernelcare's free symlink patch automatically.

    How can this be done via the command line? Assuming this is on a brand new server with a standard kernel.
     
  2. dalem

    dalem Well-Known Member PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,908
    Likes Received:
    127
    Trophy Points:
    368
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Add a bash script to run something like this:

    --------------------------------
    #!/bin/bash
    # Install KernelCare using CloudLinux's installer script
    curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
    # Switch to the free patch set and apply it
    kcarectl --set-patch-type free --update
    # Record the symlink protection settings in KernelCare's sysctl.conf
    echo "fs.enforce_symlinksifowner = 1" >>/etc/sysconfig/kcare/sysctl.conf
    echo "fs.symlinkown_gid = 99" >>/etc/sysconfig/kcare/sysctl.conf
    # Apply the same settings to the running kernel
    sysctl -w fs.enforce_symlinksifowner=1
    sysctl -w fs.symlinkown_gid=99
    --------------------------------
     
    cPanelLauren likes this.
  3. CanSpace

    Are these the exact steps that WHM takes when it is enabled via WHM?
     
  4. dalem

    You can't enable it via WHM; it is a kernel module, it has to be installed.

    The steps above are from the CloudLinux install instructions for cPanel servers.
     
  5. CanSpace

    Actually it can be enabled via WHM. If you click the security advisor link in WHM it will warn you that symlink protection is not installed and provide you with a link to add the free kernelcare patch (which it will do for you). I want to know how to do this via the command line.
     
  6. dalem

    Update: read wrong.

    Yes, as stated, those are the instructions from the CloudLinux website.
     
    #6 dalem, Sep 26, 2018
    Last edited: Sep 26, 2018
  7. CanSpace

    Sigh. No you are incorrect - you can add the free kernelcare patch via WHM, and that is what I am trying to figure out how to do via the command line. Thanks for your assistance but it is not useful.
     
  8. dalem

    Updated above. New feature I was not aware of.
    Yes, those are the CLI instructions direct from CloudLinux.
     
  9. dalem

    Just FYI: the installer in WHM does not install the extra patch set

    sysctl -w fs.enforce_symlinksifowner=1
    sysctl -w fs.symlinkown_gid=99
     
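Added example, not part of any post in this thread and not CloudLinux's or cPanel's code: the script in post #2 appends with `>>`, so re-running provisioning duplicates the lines, and post #9 notes that the WHM installer leaves the two sysctl values unset. The sketch below sets a key idempotently and audits both the persisted file and the live value; the function names and the optional `PROC_ROOT` argument are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not from the thread. On a server FILE would be
# /etc/sysconfig/kcare/sysctl.conf (path from post #2); the demo uses a temp file.

# set_sysctl_key FILE KEY VALUE (hypothetical helper): replace any existing
# assignment of KEY so re-running provisioning never leaves duplicate lines.
set_sysctl_key() {
    local file="$1" key="$2" value="$3" tmp
    touch "$file" && tmp=$(mktemp) || return 1
    awk -v k="$key" '{
        line = $0; sub(/^[ \t]+/, "", line)   # ignore leading whitespace
        split(line, part, /[ \t]*=/)          # part[1] is the key name
        if (part[1] != k) print $0            # keep comments and other keys
    }' "$file" > "$tmp"
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"                      # keeps the file's owner and mode
    rm -f "$tmp"
}

# audit_sysctl_key FILE KEY EXPECTED [PROC_ROOT] (hypothetical helper)
#   0 = persisted exactly once and the live value matches
#   1 = persisted value missing, duplicated or different
#   2 = live value absent (patch not loaded) or different
audit_sysctl_key() {
    local file="$1" key="$2" expected="$3" proc_root="${4:-/proc/sys}"
    local persisted live
    persisted=$(awk -v k="$key" -F'[ \t]*=[ \t]*' '
        { sub(/^[ \t]+/, "", $1) } $1 == k { print $2 }' "$file" 2>/dev/null)
    [ "$persisted" = "$expected" ] || return 1
    live="$proc_root/$(printf '%s' "$key" | tr . /)"
    [ -r "$live" ] && [ "$(cat "$live")" = "$expected" ] || return 2
    return 0
}

# Demo on constructed input: a temp file that already holds a duplicated line,
# as left behind when the append-based script runs twice.
demo_conf=$(mktemp)
printf 'fs.symlinkown_gid = 99\nfs.symlinkown_gid = 99\n' > "$demo_conf"
set_sysctl_key "$demo_conf" fs.enforce_symlinksifowner 1
set_sysctl_key "$demo_conf" fs.symlinkown_gid 99
cat "$demo_conf"
rm -f "$demo_conf"
```

An exit status of 2 from `audit_sysctl_key` on a real server separates "config written but the kernel does not expose the key" from a plain config mismatch.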
  10. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,130
    Likes Received:
    474
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @CanSpace

    The instructions provided were correct. That is the way to add symlink protection over CLI. If you want to add it through WHM you'll need to run the Security Advisor at WHM >> Security Center >> Security Advisor; this calls a Perl module:
    Code:
    /usr/local/cpanel/Cpanel/Security/Advisor/Assessors/Kernel.pm
    Because this is a Perl module with many different functions, it's not available as a WHMAPI1 function, and is best/easiest done using CloudLinux's instructions, pending your kernel is stock CentOS.

    Thanks!
     