Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

KernelCare and cPanel kernel

Discussion in 'Security' started by Jan-Paul Kleijn, Oct 6, 2017.

Tags:
  1. Jan-Paul Kleijn

    Joined:
    Jun 18, 2015
    Messages:
    14
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    Maarheeze
    cPanel Access Level:
    Root Administrator
    Sometimes people use the hardened Cpanel kernel instead of the regular CentOS kernel. And when they look in their security advisor they see that they have an option to subscribe to the services of KernelCare. To me it seemed very interesting so I subscribed and felt that again, I had improved the security of my server.

    But after a while I came to the understanding that if you do use the hardened Cpanel kernel, KernelCare cannot function. KernelCare only functions with regular kernels. For a full list view KernelCare Directory. So now I needed to install the right kernel for my trusty CentOS system. How to do that? With the help of KernelCare ofcourse, because I always want to be sure. They helped me perfectly and I thought it is a smart move to inform you here.

    How to install the right kernel for use with KernelCare
    To install the regular CentOS kernel, use:

    # yum install kernel --disablerepo=* --enablerepo=updates

    Preventing overwriting the regular kernel with future updates
    To prevent yum from updating the regular kernel and replacing it with the cPanel hardened kernel you need disable 'cPkernel' repository (in /etc/yum.repos.d/). This can be done in the file:

    /etc/yum.repos.d/cPkernel.repo

    Edit in this file: enabled=0

    After this run:

    # yum update kernel

    You can check the changes here, before you reboot:

    # yum repolist all
    # cat /boot/grub/grub.conf
    # rpm -qa| grep kernel| sort


    If all looks OK, reboot machine.

    KernelCare active but still no kernel symlink protection
    After rebooting, KernelCare should be up and running. But after checking the security advisor in WHM you notice that symlink protection is not enabled. To enable this you need to enable the KernelCare 'extra patches' that have symlink protection built in. More information about these extra patches is found at Extra Patchset

    To enable extra patches, do the following:

    # kcarectl --update
    # kcarectl --set-patch-type extra --update


    And you're done!
    From now on KernelCare keeps a watchful eye on your kernel 24/7 and (without rebooting) you can now see that the cPanel security advisor states that kernel symlink protection is enabled.
     
    cPanelMichael likes this.
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
Loading...

Share This Page