Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

KernelCare free patch > Unknown kernel

Discussion in 'Security' started by carolainn, Mar 5, 2018.

  1. carolainn

    carolainn Member

    Joined:
    Feb 22, 2018
    Messages:
    10
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    I updated to EA4 and in the Security Advisor says:

    Code:
    (x) Kernel does not support the prevention of symlink ownership attacks.
    (!) The system cannot update the kernel: Cannot update this system’s kernel.
    
    So I followed the instructions on how to instal KernelCare
    
    curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
    
    What happened:
    
    ==========================================================
     Package          Arch         Version         Repository                  Size
    ==========================================================
    Installing:
     kernelcare       x86_64       2.14-4          /kernelcare-latest-6       217 k
    
    Transaction Summary
    ==========================================================
    Install       1 Package(s)
    
    Total size: 217 k
    Installed size: 217 k
    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : kernelcare-2.14-4.x86_64                                     1/1
    pyOpenSSL module is not found. To be able to validate SSL certificates of hosts with SNI support please, install pyOpenSSL >= 0.13
    Unknown Kernel (CentOS 2.6.18-028stab118.1)
      Verifying  : kernelcare-2.14-4.x86_64                                     1/1
    
    Installed:
      kernelcare.x86_64 0:2.14-4
    
    Complete!
    
    As you can see I get the "Unknown Kernel" line.
    And just in case I ran: kcarectl --set-patch-type extra

    And gave me the same "Unknown Kernel" line.

    What should I do? Explain me like a child, because I have little to no experience with command line, I always use WHM. Thank you.
     
    #1 carolainn, Mar 5, 2018
    Last edited by a moderator: Mar 5, 2018
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,676
    Likes Received:
    85
    Trophy Points:
    328
    cPanel Access Level:
    Root Administrator
    Kernelcare won't work on an OpenVZ VPS - which is what you appear to be using.

    The free symlink protection from Kernelcare will also not work.

    With OpenVZ the kernel space is shared from the host node. Consequently, your node appears to be using a very old kernel. Perhaps your OpenVZ provider (who you are paying for your VPS service) is using Kernelcare on the hostnode, so the old kernel version would not be alarming.

    But as far as symlink protection, you're out of luck with an OpenVZ VPS.
     
  3. carolainn

    carolainn Member

    Joined:
    Feb 22, 2018
    Messages:
    10
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator

    So...what would be the suggestion?
     
  4. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,676
    Likes Received:
    85
    Trophy Points:
    328
    cPanel Access Level:
    Root Administrator
    Well, I for one am on the side that says the symlink stuff has been blown way out of proportion. Understand proper file ownership and permission settings and symlink protection is less necessary (if at all).

    Additionally you might find some of the information in:

    Apache vhosts are not segmented or chroot()ed

    to be useful.

    cPanel has a jailed PHP solution, which I reference in that thread. But for whatever reason, this gets absolutely no traction. I have no answer for why cPanel won't build out it's jailshell environment and compete against CloudLinux's CageFS. cPanel's jailshell system will function in an OpenVZ environment (although you run up against bind mount limitations if you have many users).

    Perhaps someone else will chime in with a practical solution for you.
     
  5. carolainn

    carolainn Member

    Joined:
    Feb 22, 2018
    Messages:
    10
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    In the Security Advisor I have this message too:

    Apache vhosts are not segmented or chroot()ed.Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”

    I go to Tweak Settings and I have all my clients accounts configured with Disabled Shell, I only have the main account (mine) with Normal Shell. Would this configuration help with the symlink issue?
     
    #5 carolainn, Mar 6, 2018
    Last edited by a moderator: Mar 6, 2018
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,870
    Likes Received:
    1,811
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    No, you'd need to use Mod_Ruid2 with the "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" option enabled in "WHM >> Tweak Settings". You can enable Ruid2 via "WHM >> EasyApache 4" after determining which PHP handler to use with it based on the information documented at:

    PHP Handlers - EasyApache 4 - cPanel Documentation

    As far as symlink protection, since this is a Virtuozzo/OpenVPS server, you'd need to use the "Symlink race condition patch with EasyApache 4" option documented at:

    Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. carolainn

    carolainn Member

    Joined:
    Feb 22, 2018
    Messages:
    10
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    Ok, I did that and still got the same warning and a new one:

    (x) Kernel does not support the prevention of symlink ownership attacks.You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.

    (!) Apache Symlink Protection: the Bluehost provided Apache patch is in effectIt appears that the Bluehost provided Apache patch is being used to provide symlink protection. This is less than optimal. Please review Symlink Race Condition Protection.

    Thank you!
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,870
    Likes Received:
    1,811
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Those warnings are accurate and will still appear. While you do have some level of protection against symlink ownership attacks, it's not a kernel-level protection so that warning message appears.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice