Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

KernelCare and cPanel kernel

Discussion in 'Security' started by Jan-Paul Kleijn, Oct 6, 2017.

  1. Jan-Paul Kleijn

    Jun 18, 2015
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    Sometimes people use the hardened Cpanel kernel instead of the regular CentOS kernel. And when they look in their security advisor they see that they have an option to subscribe to the services of KernelCare. To me it seemed very interesting so I subscribed and felt that again, I had improved the security of my server.

    But after a while I came to the understanding that if you do use the hardened Cpanel kernel, KernelCare cannot function. KernelCare only functions with regular kernels. For a full list view KernelCare Directory. So now I needed to install the right kernel for my trusty CentOS system. How to do that? With the help of KernelCare ofcourse, because I always want to be sure. They helped me perfectly and I thought it is a smart move to inform you here.

    How to install the right kernel for use with KernelCare
    To install the regular CentOS kernel, use:

    # yum install kernel --disablerepo=* --enablerepo=updates

    Preventing overwriting the regular kernel with future updates
    To prevent yum from updating the regular kernel and replacing it with the cPanel hardened kernel you need disable 'cPkernel' repository (in /etc/yum.repos.d/). This can be done in the file:


    Edit in this file: enabled=0

    After this run:

    # yum update kernel

    You can check the changes here, before you reboot:

    # yum repolist all
    # cat /boot/grub/grub.conf
    # rpm -qa| grep kernel| sort

    If all looks OK, reboot machine.

    KernelCare active but still no kernel symlink protection
    After rebooting, KernelCare should be up and running. But after checking the security advisor in WHM you notice that symlink protection is not enabled. To enable this you need to enable the KernelCare 'extra patches' that have symlink protection built in. More information about these extra patches is found at Extra Patchset

    To enable extra patches, do the following:

    # kcarectl --update
    # kcarectl --set-patch-type extra --update

    And you're done!
    From now on KernelCare keeps a watchful eye on your kernel 24/7 and (without rebooting) you can now see that the cPanel security advisor states that kernel symlink protection is enabled.
    weblinks and cPanelMichael like this.
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Apr 11, 2011
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice