Latest Kernel not Hardened?

mikefromnz

Active Member
cPanel Access Level
Root Administrator
Bit confused as to this. I got an email from the Security Advisor telling me the following:

Current kernel version is out of date. running kernel: 2.6.32-642.13.2.199.cpanel6.x86_64, most recent kernel: 2.6.32-642.15.1.el6.x86_64 Update the system’s software by running ’yum update’ from the command line and reboot the system.
So I ran YUM UPDATE via SSH, and am now running the latest kernel. Although now when I check Security Advisor, I get the following:

Kernel does not support the prevention of symlink ownership attacks. You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.
I had already completed this step a while ago by installing the cPanel hardened kernel. Figuring it must have overwritten this and needs an update, I tried to perform the steps in the documentation once more, from the link below:

How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

There appears to be no current hardened kernel; I get the following message:

[[email protected] yum.repos.d]# yum -y update kernel
Loaded plugins: fastestmirror, universal-hooks
Setting up Update Process
Loading mirror speeds from cached hostfile
* EA4: 104.219.172.10
* base: mirror.confluxtech.com
* epel: mirror.sfo12.us.leaseweb.net
* extras: mirror.confluxtech.com
* updates: mirror.confluxtech.com
No Packages marked for Update
[[email protected] yum.repos.d]#
 

Locali

Registered
cPanel Access Level
Root Administrator
Hello:

When will this page be updated? [Last modified 2017-02-23 11:34]

Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64/Packages

"cPanel Security Advisor recommends you harden your cPanel system's kernel to implement symlink race condition protection "

Thank you!


*********************************************************************

New Security Advisor notifications with High importance

Type: High
Module: Kernel
Advice: Current kernel version does not match the kernel version for boot. running kernel: 2.6.32-642.15.1.el6.x86_64, boot kernel: 2.6.32-642.13.1.199.cpanel6.x86_64 Reboot the system in the area. Check the boot configuration in grub.conf if the new kernel is not loaded after a reboot.
 

cPanelMichael

Administrator
Staff member
Hello,

YUM will automatically detect and install newer kernel versions if you have Operating System Package Updates enabled in "WHM >> Update Preferences". Since the latest cPanel-hardened kernel isn't always released at the same time as the OS-provided kernel, it's possible that YUM will sometimes automatically install the OS-provided kernel. However, your system won't actually boot into the newer kernel unless you manually reboot the system.

Internal case CPANEL-11581 is open to determine if this behavior is by design, or if a change to ensure this does not happen is necessary. I'll update this thread with more information on the status of this case as it becomes available.

In the meantime, you can run the "yum update" command once the latest cPanel-hardened kernel is published to ensure it's installed. I don't have a time frame to offer on the publication of the next cPanel-hardened kernel at this time, but you can monitor the date on the available packages at the following URL to see when it's published:

Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64/Packages

Thank you.
 
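The running-versus-boot kernel mismatch discussed in this thread can be checked before a reboot. The script below is an added example, not part of the thread or of cPanel's tooling: it compares a running kernel release with the default entry in a legacy GRUB grub.conf and reports whether the next reboot keeps, gains or drops the hardened kernel. It assumes hardened builds are identified by ".cpanelN" in the release string (as in the version strings quoted above); the function names and the sample grub.conf are constructed for illustration.

```shell
# Added example. Assumption: cPanel-hardened kernels carry ".cpanelN" in
# their release string, as in the versions quoted in this thread.
is_cpanel_hardened() {
  case "$1" in
    *.cpanel[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the kernel release that legacy GRUB (grub.conf) boots by default.
grub_default_kernel() {
  awk '
    $1 ~ /^default=/ { sub(/^default=/, "", $1); want = $1 + 0 }
    $1 == "title"    { idx++ }
    $1 == "kernel"   { k[idx] = $2 }
    END { v = k[want + 1]; sub(/^.*vmlinuz-/, "", v); print v }
  ' "$1"
}

# kernel_status RUNNING_RELEASE GRUB_CONF -> one status word on stdout.
kernel_status() {
  running=$1
  boot=$(grub_default_kernel "$2")
  if [ "$running" = "$boot" ]; then
    if is_cpanel_hardened "$running"; then echo hardened; else echo unprotected; fi
  elif is_cpanel_hardened "$boot"; then
    echo reboot-to-hardened        # stock kernel running, hardened one boots next
  elif is_cpanel_hardened "$running"; then
    echo reboot-loses-hardening    # a stock kernel is the default boot entry
  else
    echo unprotected-reboot-pending
  fi
}

# Constructed sample grub.conf (not from the thread): the stock kernel is the
# first entry, while the older cPanel-hardened kernel is still installed.
sample_grub_conf() {
  cat <<'EOF'
default=0
title CentOS (2.6.32-642.15.1.el6.x86_64)
    kernel /vmlinuz-2.6.32-642.15.1.el6.x86_64 ro root=/dev/sda1
title CentOS (2.6.32-642.13.2.199.cpanel6.x86_64)
    kernel /vmlinuz-2.6.32-642.13.2.199.cpanel6.x86_64 ro root=/dev/sda1
EOF
}

conf=$(mktemp); sample_grub_conf > "$conf"
kernel_status "2.6.32-642.13.2.199.cpanel6.x86_64" "$conf"
rm -f "$conf"
```

On a CentOS 6 host the call would be `kernel_status "$(uname -r)" /boot/grub/grub.conf`, assuming the default legacy GRUB path.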