cPanel Security Advisor Questions

[AdamDresch]

I'm running a VPS using OpenVZ and I too get the Kernel unknown message

Unable to determine kernel version

Ensure that yum and rpm are working on your system.

Yum update doesn't find any updated kernels, so I assume..it's ok to ignore it?

- - - Updated - - -

Another bit of feedback, I get this in the security advisory:

Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area

I actually have Apache running in Prefork with FastCGI, rather than RUID 2, because it still says "Experimental".
But I also have all users Shell access set to disabled
So wouldn't it be better to accept such a setup as secure/aok?

 

[cPanelMichael]

Hello

1. Could you let us know the output of "uname -a" so we can see which kernel you are running?

2. The Security Advisor is intended to offer guidelines, but if you have an existing solution that works better for your own preferences then it's okay to ignore the warning.

Thank you.

 

[quizknows]

A lot of times on VZ systems the kernel modules are managed by the parent server and not your virtual server.

Prefork/FCGI is fine, just make sure you're using some sort of cross-account symlink protection if you're hosting multiple domains. Since you're not using SuPHP I'd recommend the rack911 patch as opposed to the EasyApache "Symlink race condition protection" patch. The reason for this is that the EA patch checks ownership of every file it serves, and if you're not using SuPHP, the server might refuse to serve "nobody" owned files which would be created when web applications upload or update files. The Rack911 patch, while not perfect, is usually good enough and works with any PHP handler.