SOLVED Kernel does not support the prevention of symlink ownership attacks

PCZero

Well-Known Member
Dec 13, 2003
647
72
178
Earth
I ran security advisor tonight and it indicated a kernel update was available. As I normally do when I get this notification I SSH to my box and su - to become root, then run yum update. After I did that I ran security advisor and got the error in the title (never got that before after a yum update). So I read about the fix and choose the cPanel hardened kernel route.

cd /etc/yum.repos.d/
wget https://securedownloads.cpanel.net/cPkernel/cPkernel.repo
yum -y update kernel

When I go back to Security advisor the error/warning remains.
When I run uname -r the output does NOT include cpanel.

How do I resolve this?

  • CENTOS 6.8 x86_64 standard – morpheus
  • WHM 62.0 (build 15)
 
Last edited by a moderator:

PCZero

Well-Known Member
Dec 13, 2003
647
72
178
Earth
I AM the admin (how do you think I was able to log in and gain root access) and I rebooted the server.
 

PCZero

Well-Known Member
Dec 13, 2003
647
72
178
Earth
Michael I was away on a cruise so sorry for the delay in responding. I reran the security advisor and was notified the kernel was out of date. Went to the box and ran yum update.

Results:

================================================================================= Package Arch Version Repository Size
=================================================================================
Installing:
kernel x86_64 2.6.32-642.15.1.199.cpanel6 cPkernel 32 M
Removing:
kernel x86_64 2.6.32-642.13.2.199.cpanel6 @cPkernel 131 M

Transaction Summary
=================================================================================
Install 1 Package(s)
Remove 1 Package(s)

Total download size: 32 M
Downloading Packages:
kernel-2.6.32-642.15.1.199.cpanel6.x86_64.rpm | 32 MB 00:03 ...
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : kernel-2.6.32-642.15.1.199.cpanel6.x86_64 1/2
This server is already configured for symlink protection, skipping sysctl changes
Cleanup : kernel-2.6.32-642.13.2.199.cpanel6.x86_64 2/2
warning: erase unlink of /lib/modules/2.6.32-642.13.2.199.cpanel6.x86_64/weak-updates failed: No such file or directory
warning: erase unlink of /lib/modules/2.6.32-642.13.2.199.cpanel6.x86_64/modules.order failed: No such file or directory
warning: erase unlink of /lib/modules/2.6.32-642.13.2.199.cpanel6.x86_64/modules.networking failed: No such file or directory
warning: erase unlink of /lib/modules/2.6.32-642.13.2.199.cpanel6.x86_64/modules.modesetting failed: No such file or directory
warning: erase unlink of /lib/modules/2.6.32-642.13.2.199.cpanel6.x86_64/modules.drm failed: No such file or directory
warning: erase unlink of /lib/modules/2.6.32-642.13.2.199.cpanel6.x86_64/modules.block failed: No such file or directory
Verifying : kernel-2.6.32-642.15.1.199.cpanel6.x86_64 1/2
Verifying : kernel-2.6.32-642.13.2.199.cpanel6.x86_64 2/2

Removed:
kernel.x86_64 0:2.6.32-642.13.2.199.cpanel6

Installed:
kernel.x86_64 0:2.6.32-642.15.1.199.cpanel6

Complete!


Then performed a graceful reboot and the commands you suggested...

uname -r
2.6.32-642.15.1.199.cpanel6.x86_64

rpm -qa|grep kernel

kernel-2.6.32-642.15.1.el6.x86_64
libreport-plugin-kerneloops-2.0.9-32.el6.centos.x86_64
abrt-addon-kerneloops-2.0.8-40.el6.centos.x86_64
dracut-kernel-004-409.el6_8.2.noarch
kernel-headers-2.6.32-642.15.1.199.cpanel6.x86_64
kernel-firmware-2.6.32-642.15.1.199.cpanel6.x86_64
kernel-2.6.32-642.15.1.199.cpanel6.x86_64


A rerun of the security advisor returns no errors now.


I am deducing that the yum update that I performed after earlier following the wget described in my initial post got this resolved. As of now I believe that my server is back in shape. Thank you for your time.
 
  • Like
Reactions: cPanelMichael

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello,

I'm happy to see the issue is now addressed after updating to the recently published cPanel-hardened kernel. Thank you for updating us with the outcome.