KernelCare Patch Unknown Kernel Alerts

CanadaGuy

Active Member
Sep 24, 2018
Ottawa
cPanel Access Level
Root Administrator
I know the main topic of this has been covered in several threads as shown below, but I'm still not clear on the implications of patched vs unpatched servers. This is a follow-up to my thread:

Yellow Alert Bar Reason

And very likely related to these threads, so I'd like to consolidate:

Error on KernelCare Free Symlink Protection setup
kernelcare free patch not found
Pending Publication - [KCARE-1036] KernelCare Patch Error Message About Trialing

I understand that there is a delay between when a new CentOS kernel is released, and when the KernelCare (KC) free patches become available. As a consequence, emails get sent every 4 hours indicating that KC free cannot identify the installed kernel.

My question is: if I spend so much time without the KC patch, does that mean the server is vulnerable to the SymLink issue during that period? If I only have accounts for reasonably trusted users, might I be better off with the "stock" Apache SymLink protection, and just leaving the KC patch out?

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
> does that mean the server is vulnerable to the SymLink issue during that period?

The Symlink protection provided by KernelCare in this instance is not effective if the kernel is not supported.

> If I only have accounts for reasonably trusted users, might I be better off with the "stock" Apache SymLink protection, and just leaving the KC patch out?

I can't answer that for you, to be honest. The KernelCare patch adds some protection, but it's up to you if you want to use it. Our documentation here is informative and provides alternate solutions: Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

CanadaGuy

Active Member
Sep 24, 2018
Ottawa
cPanel Access Level
Root Administrator
What are the alternatives then? To use the KernelCare patches "correctly" then you must remain in control of the kernel updates I suppose? What is required to achieve that?

What is the value of supporting symlinks and can they simply be disabled if the functionality is not required?

CanadaGuy

Active Member
Sep 24, 2018
Ottawa
cPanel Access Level
Root Administrator
So now I have experienced what another user experienced here:

Pending Publication - [KCARE-1036] KernelCare Patch Error Message About Trialing

Walking through some of the steps, I eventually ran security advisor again and it indicated that the KC patch was not installed, so I installed it again. It now reports the patch is installed and the "kernel is safe".

I'm assuming this means that perhaps when the free KC patch is available for the previously unsupported installed kernel, it reports this message about trialing because an update is available. Reinstalling the patch seems to resolve the issue. Is this something I should expect each time a kernel upgrade is applied?

The user in the other thread suggested the idea of disabling kernel updates, monitoring when a new kernel is released, and only updating when the KC free patch is available. Is there any plan to provide a nicer user experience by having cPanel detect that the KC patch is installed, and ask if you want to upgrade the kernel such that it will be unsupported by the KC free patch for a while?

In the bigger picture, is this something that will be permanently resolved at kernel level at some point, thereby eliminating the need for an external patch? Or is this a special case that only applies to cPanel installations?
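As an added example (not code from cPanel or KernelCare), here is a POSIX shell pre-update check that follows the approach described above: compare the running kernel and the candidate kernel against the list of kernels the KernelCare free patch covers, and hold the kernel update when applying it would leave the server without symlink protection. The supported-kernel list and version strings are constructed for illustration; the real list has to come from KernelCare.

```shell
#!/bin/sh
# Added example: decide whether a pending kernel update would leave the server
# without KernelCare free symlink protection. The supported-kernel list below is
# CONSTRUCTED for illustration; in practice it must come from KernelCare itself.
RUNNING_KERNEL="3.10.0-862.14.4.el7.x86_64"
SUPPORTED_KERNELS="3.10.0-862.9.1.el7.x86_64
3.10.0-862.11.6.el7.x86_64
3.10.0-862.14.4.el7.x86_64"

# Exit 0 when the given kernel release appears (exact, literal match) in the list.
kc_supported() {
    kernel="$1"
    list="${2:-$SUPPORTED_KERNELS}"
    printf '%s\n' "$list" | grep -qxF -- "$kernel"
}

# Policy for a candidate kernel update, printed as one word:
#   update       candidate kernel is covered, so updating keeps (or regains) protection
#   hold         running kernel is covered but the candidate is not: stay put
#   unprotected  neither is covered; updating cannot restore protection, so the
#                server needs attention (e.g. rely on the stock Apache option)
kernel_update_policy() {
    running="$1"; candidate="$2"; list="${3:-$SUPPORTED_KERNELS}"
    if kc_supported "$candidate" "$list"; then
        echo update
    elif kc_supported "$running" "$list"; then
        echo hold
    else
        echo unprotected
    fi
}

# Build the yum invocation that matches the policy: exclude the kernel packages
# whenever updating would not keep (or regain) KernelCare coverage.
yum_update_command() {
    case "$(kernel_update_policy "$@")" in
        update) echo "yum update" ;;
        *)      echo "yum --exclude='kernel*' update" ;;
    esac
}
```

On a live box the running kernel comes from `uname -r` and the candidate from `yum check-update kernel`; both are passed as the two arguments.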

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
> I'm assuming this means that perhaps when the free KC patch is available for the previously unsupported installed kernel, it reports this message about trialing because an update is available. Reinstalling the patch seems to resolve the issue. Is this something I should expect each time a kernel upgrade is applied?

That is incorrect; the message about trialing occurs when the kernel is unsupported for symlink protection and KernelCare attempts to install a trial of full KernelCare, which supports more than just stock CentOS.

To bypass this, we are making changes to the Security Advisor to stop suggesting KernelCare for unsupported kernels, through multiple cases internally; there is a report to KernelCare specifically on this as well.

> The user in the other thread suggested the idea of disabling kernel updates, monitoring when a new kernel is released, and only updating when the KC free patch is available. Is there any plan to provide a nicer user experience by having cPanel detect that the KC patch is installed, and ask if you want to upgrade the kernel such that it will be unsupported by the KC free patch for a while?

The changes made to the SA suggestions will include NOT suggesting KernelCare for unsupported kernels, including kernels that are updated past what KernelCare supports.

> In the bigger picture, is this something that will be permanently resolved at kernel level at some point, thereby eliminating the need for an external patch? Or is this a special case that only applies to cPanel installations?

Meaning, is symlink protection something specific to cPanel, or is it something that will be implemented in the CentOS kernel? No, this is not specific to cPanel installations only, and I can't speak for the CentOS kernel developments, but I would assume that symlink race conditions will remain an issue requiring protection.

CanadaGuy

Active Member
Sep 24, 2018
Ottawa
cPanel Access Level
Root Administrator
> To bypass this we are making changes to the Security Advisor to stop suggesting KernelCare to unsupported kernels through multiple cases internally, there is a report to KernelCare specifically on this as well.

Could control for KernelCare Free be done through other means, like a mini module which allows you to control various details about the KC patch, provide kernel support information, etc?

If the KC patch is currently one of the best mitigation methods, could a switch be added to the installer that updates the kernel to the latest one supported?

Thanks for providing follow-up details. This has been a great help.