KernelCare free patch > Unknown kernel

[carolainn]

I updated to EA4 and in the Security Advisor says:

(x) Kernel does not support the prevention of symlink ownership attacks.
(!) The system cannot update the kernel: Cannot update this system’s kernel.

So I followed the instructions on how to instal KernelCare

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

What happened:

==========================================================
 Package          Arch         Version         Repository                  Size
==========================================================
Installing:
 kernelcare       x86_64       2.14-4          /kernelcare-latest-6       217 k

Transaction Summary
==========================================================
Install       1 Package(s)

Total size: 217 k
Installed size: 217 k
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : kernelcare-2.14-4.x86_64                                     1/1
pyOpenSSL module is not found. To be able to validate SSL certificates of hosts with SNI support please, install pyOpenSSL >= 0.13
Unknown Kernel (CentOS 2.6.18-028stab118.1)
  Verifying  : kernelcare-2.14-4.x86_64                                     1/1

Installed:
  kernelcare.x86_64 0:2.14-4

Complete!

As you can see I get the "Unknown Kernel" line.
And just in case I ran: kcarectl --set-patch-type extra

And gave me the same "Unknown Kernel" line.

What should I do? Explain me like a child, because I have little to no experience with command line, I always use WHM. Thank you.

 

[sparek-3]

Kernelcare won't work on an OpenVZ VPS - which is what you appear to be using.

The free symlink protection from Kernelcare will also not work.

With OpenVZ the kernel space is shared from the host node. Consequently, your node appears to be using a very old kernel. Perhaps your OpenVZ provider (who you are paying for your VPS service) is using Kernelcare on the hostnode, so the old kernel version would not be alarming.

But as far as symlink protection, you're out of luck with an OpenVZ VPS.

 

[carolainn]

Kernelcare won't work on an OpenVZ VPS - which is what you appear to be using.

The free symlink protection from Kernelcare will also not work.

With OpenVZ the kernel space is shared from the host node. Consequently, your node appears to be using a very old kernel. Perhaps your OpenVZ provider (who you are paying for your VPS service) is using Kernelcare on the hostnode, so the old kernel version would not be alarming.

But as far as symlink protection, you're out of luck with an OpenVZ VPS.

So...what would be the suggestion?

 

[sparek-3]

Well, I for one am on the side that says the symlink stuff has been blown way out of proportion. Understand proper file ownership and permission settings and symlink protection is less necessary (if at all).

Additionally you might find some of the information in:

Apache vhosts are not segmented or chroot()ed

to be useful.

cPanel has a jailed PHP solution, which I reference in that thread. But for whatever reason, this gets absolutely no traction. I have no answer for why cPanel won't build out it's jailshell environment and compete against CloudLinux's CageFS. cPanel's jailshell system will function in an OpenVZ environment (although you run up against bind mount limitations if you have many users).

Perhaps someone else will chime in with a practical solution for you.

 

[carolainn]

In the Security Advisor I have this message too:

Apache vhosts are not segmented or chroot()ed.Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”

I go to Tweak Settings and I have all my clients accounts configured with Disabled Shell, I only have the main account (mine) with Normal Shell. Would this configuration help with the symlink issue?

 

[cPanelMichael]

Apache vhosts are not segmented or chroot()ed.Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”

I go to Tweak Settings and I have all my clients accounts configured with Disabled Shell, I only have the main account (mine) with Normal Shell. Would this configuration help with the symlink issue?

No, you'd need to use Mod_Ruid2 with the "EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell" option enabled in "WHM >> Tweak Settings". You can enable Ruid2 via "WHM >> EasyApache 4" after determining which PHP handler to use with it based on the information documented at:

PHP Handlers - EasyApache 4 - cPanel Documentation

As far as symlink protection, since this is a Virtuozzo/OpenVPS server, you'd need to use the "Symlink race condition patch with EasyApache 4" option documented at:

Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

Thank you.

 

[carolainn]

Ok, I did that and still got the same warning and a new one:

(x) Kernel does not support the prevention of symlink ownership attacks.You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.

(!) Apache Symlink Protection: the Bluehost provided Apache patch is in effectIt appears that the Bluehost provided Apache patch is being used to provide symlink protection. This is less than optimal. Please review Symlink Race Condition Protection.

Thank you!

 

[cPanelMichael]

Hello,

Those warnings are accurate and will still appear. While you do have some level of protection against symlink ownership attacks, it's not a kernel-level protection so that warning message appears.

Thank you.