Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

kernelcare symlink patch - centos 7 - cpanel 68.0.12

Discussion in 'Security' started by weblinks, Nov 12, 2017.

  1. weblinks

    weblinks Member

    Joined:
    Sep 19, 2016
    Messages:
    16
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Pakistan
    cPanel Access Level:
    Root Administrator
    In CENTOS 7.4 kvm v68.0.12

    uname -r
    3.10.0-693.5.2.el7.x86_64

    kcarectl --info

    kpatch-state: patch is applied
    kpatch-for: Linux version 3.10.0-693.5.2.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Fri Oct 20 20:32:50 UTC 2017
    kpatch-build-time: Tue Oct 24 22:49:09 2017
    kpatch-description: 2-free;3.10.0-693.5.2.el7

    But in security advisor its showing


    may i ignore that warning, pls help
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Did you apply the appropriate sysctl settings after enabling the patch?
     
  3. weblinks

    weblinks Member

    Joined:
    Sep 19, 2016
    Messages:
    16
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Pakistan
    cPanel Access Level:
    Root Administrator
    Yes, I applied as mentioned in details.

    Edit the file /etc/sysconfig/kcare/sysctl.conf add the lines:
    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 99

    Execute:

    sysctl -w fs.enforce_symlinksifowner=1
    sysctl -w fs.symlinkown_gid=99
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Ok, Good :)

    In that case you may need to wait for cpanel staff or open a ticket. With that said, If you don't get errors committing those sysctl parameters your server is probably OK.
     
  5. weblinks

    weblinks Member

    Joined:
    Sep 19, 2016
    Messages:
    16
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Pakistan
    cPanel Access Level:
    Root Administrator
    ok i will wait for cpanel staff reply else i will open ticket. Yes, No error was came while committing those sysctl parameters.
     
    quizknows likes this.
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Internal case CPANEL-16877 is open to address an issue where Security Advisor reports "No symlink protection detected" despite the server using the KernelCare "Extra" Patchset. In the meantime, you can safely ignore that warning if you've followed the instructions on setting it up (see here). I'll update this thread with more information on the status of this case as it becomes available.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    quizknows likes this.
  7. weblinks

    weblinks Member

    Joined:
    Sep 19, 2016
    Messages:
    16
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Pakistan
    cPanel Access Level:
    Root Administrator
    Thanks, cPanelMichael and Yes I followed the instructions mention into blog link.
    I will wait for update from you when available.
     
  8. dvk01uk

    dvk01uk Member

    Joined:
    Oct 20, 2007
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    51
    After some Cpanel updates and after any server reboot I have to reapply this every time to get rid of the Security advisor warning

    Execute:

    sysctl -w fs.enforce_symlinksifowner=1
    sysctl -w fs.symlinkown_gid=99
     
  9. weblinks

    weblinks Member

    Joined:
    Sep 19, 2016
    Messages:
    16
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Pakistan
    cPanel Access Level:
    Root Administrator
    Yes, After vps reboot, I reapplied

    Execute:

    sysctl -w fs.enforce_symlinksifowner=1
    sysctl -w fs.symlinkown_gid=99

    But Security advisor warning still there.

    Thanks.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hi @weblinks and @dvk01uk,

    There's no workaround to have Security Advisor output the correct result. It's a false positive, which is what internal case CPANEL-16877 will solve. I'll update this thread with more information on the status of this case as soon as it's available.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    If the settings are in your systcl config files themselves, "sysctl -p $file" should commit them. if that is failing or is not persistent across reboots, try moving the settings to /etc/sysctl.conf itself and running just "sysctl -p" to commit them.

    You can also run "sysctl --system" to have it apply your settings which will then be echoed to your terminal. This is a good way to make sure your changes are in files that are actually being parsed by the system.

    Code:
    [root@new ~]# sysctl --system
    * Applying /etc/sysctl.conf ...
    (snip)
    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 99
    
     
    #11 quizknows, Nov 14, 2017
    Last edited: Nov 14, 2017
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    To update, the resolution is planned for cPanel version 70 as part of internal case CPANEL-17016.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    quizknows and Rodrigo Gomes like this.
  13. durangod

    durangod Well-Known Member

    Joined:
    May 12, 2012
    Messages:
    365
    Likes Received:
    17
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    how do i even get this patch?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    597
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    So in v70 will be install symlink protection automatically?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    No, it's not installed automatically. The change in cPanel 70 allows for Security Advisor to detect the KernelCare free tier patch, as it does not do so in cPanel 68 and earlier.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice