Adding KernelCare patch via command line

CanSpace · Sep 25, 2018

We use a script to provision new servers and one step we'd like to add is provisioning kernelcare's free symlink patch automatically.

How can this be done via the command line? Assuming this is on a brand new server with a standard kernel.

dalem · Sep 25, 2018

add a bash script to run something like this

--------------------------------
#!/bin/bash
curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
kcarectl --set-patch-type free --update
echo "fs.enforce_symlinksifowner = 1" >>/etc/sysconfig/kcare/sysctl.conf
echo "fs.symlinkown_gid = 99" >>/etc/sysconfig/kcare/sysctl.conf
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
-----------------------------------------

CanSpace · Sep 26, 2018

Are these the exact steps that WHM takes when it is enabled via WHM?

dalem · Sep 26, 2018

You cant enable it VIA WHM it is a kernel module it has to be installed

the steps above are form the CloudLinux install instructions for cpanel servers

CanSpace · Sep 26, 2018

Actually it can be enabled via WHM. If you click the security advisor link in WHM it will warn you that symlink protection is not installed and provide you with a link to add the free kernelcare patch (which it will do for you). I want to know how to do this via teh command line.

dalem · Sep 26, 2018

Update read Wrong

Yes as stated that is the instructions from the cloudLinux website

CanSpace · Sep 26, 2018

Sigh. No you are incorrect - you can add the free kernelcare patch via WHM, and that is what I am trying to figure out how to do via the command line. Thanks for your assistance but it is not useful.

dalem · Sep 26, 2018

Updated above New feature I was not aware of
yes those are the CLI instructions direct from cloudLinux

dalem · Sep 26, 2018

Just fyi The installer in WHM does not install the extra patch set

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99

cPanelLauren · Sep 26, 2018

Hello @CanSpace

The instructions provided were correct. That is the way to add symlink protection over CLI. If you want to add it through WHM you'll need to run the security advisor at WHM>>Security Center>>Security advisor this calls a perl module:

Code:

/usr/local/cpanel/Cpanel/Security/Advisor/Assessors/Kernel.pm

Because this is a perl module with many different functions it's not available as a WHMAPI1 function and is best/easiest done using CloudLinux's instructions pending your Kernel is stock CentOS

Thanks!

Thread starter	Similar threads	Forum	Replies	Date
C	CPanel accounts getting attacked by the same person whom is resetting zone file and adding their own records.	Security	3	Jun 7, 2021
P	Adding cPanel User for sudomain webmaster	Security	3	Apr 12, 2021
	SOLVED LDAPS and adding new CA to trust store	Security	2	Jul 26, 2019
G	Adding to CSF's Temporary Deny via PHP	Security	2	Jun 5, 2019
	Adding Comodo WAF rules	Security	3	May 14, 2019

Search

Search

Adding KernelCare patch via command line

CanSpace

Well-Known Member

dalem

Well-Known Member

CanSpace

Well-Known Member

dalem

Well-Known Member

CanSpace

Well-Known Member

dalem

Well-Known Member

CanSpace

Well-Known Member

dalem

Well-Known Member

dalem

Well-Known Member

cPanelLauren

Product Owner