Latest Kernel not Hardened?

mikefromnz · Feb 25, 2017

Bit confused as to this, I got an email from the Security Advisor telling me the following

Current kernel version is out of date. running kernel: 2.6.32-642.13.2.199.cpanel6.x86_64, most recent kernel: 2.6.32-642.15.1.el6.x86_64 Update the system’s software by running ’yum update’ from the command line and reboot the system.
Click to expand...

So I ran YUM UPDATE via SSH, and now running the latest Kernel. Although now when I check Security Advisor, I get the following...

Kernel does not support the prevention of symlink ownership attacks.You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection.
Click to expand...

I already had completed this step awhile ago by installing the cPanel hardened kernel, figuring it must have overwritten this and need update, I tried to perform the steps in the Documentation once more from the below link

How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

There appears to be no current hardened kernel, I get the following message

[root@ yum.repos.d]# yum -y update kernel
Loaded plugins: fastestmirror, universal-hooks
Setting up Update Process
Loading mirror speeds from cached hostfile
* EA4: 104.219.172.10
* base: mirror.confluxtech.com
* epel: mirror.sfo12.us.leaseweb.net
* extras: mirror.confluxtech.com
* updates: mirror.confluxtech.com
No Packages marked for Update
[root@ yum.repos.d]#
Click to expand...

sktest123 · Feb 26, 2017

Hello,
Cpanel does not have corresponding kernel version Patch.You are having the latest kernel but its not hardened like cpanel provided kernel.

mikefromnz · Feb 26, 2017

Do you have any idea when the cPanel kernel will be made available, or how I can uninstall this kernel and get the cPanel one running again?

Locali · Feb 27, 2017

Hello:

When will this page be updated? [Last modified 2017-02-23 11:34]

Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64/Packages

"cPanel Security Advisor recommends you harden your cPanel system's kernel to implement symlink race condition protection "

Thank you!

*********************************************************************

New Security Advisor notifications with High importance

Type Module Advice
High Kernel Current kernel version does not match the kernel version for boot. running kernel: 2.6.32-642.15.1.el6.x86_64, boot kernel: 2.6.32-642.13.1.199.cpanel6.x86_64 Reboot the system in the area. Check the boot configuration in grub.conf if the new kernel is not loaded after a reboot.

cPanelMichael · Feb 28, 2017

Hello,

YUM will automatically detect and install newer kernel versions if you have Operating System Package Updates enabled in "WHM >> Update Preferences". Since the latest cPanel-hardened kernel isn't always released at the same time as the OS-provided kernel, it's possible that YUM will sometimes automatically install the OS-provided kernel. However, your system won't actually boot into the newer kernel unless you manually reboot the system.

Internal case CPANEL-11581 is open to determine if this behavior is by-design, or if a change to ensure this does not happen is necessary. I'll update this thread with more information on the status of this case as it becomes available.

In the meantime, you can run the "yum update" command once the latest cPanel-hardened kernel is published to ensure it's installed. I don't have a time frame to offer on the publication of the next cPanel-hardened kernel at this time, but you can monitor the date on the available packages at the following URL to see when it's published:

Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64/Packages

Thank you.

mikefromnz · Mar 3, 2017

Thank you, do you know how I can downgrade back to the cPanel kernel?

mikefromnz · Mar 3, 2017

Ah my friends at cPanel, I love you so. I post asking how to downgrade, and I get notified there is a new hardened Kernel, hehe THANK YOU !

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Latest Kernel not Hardened?

mikefromnz Active Member

sktest123 Well-Known Member

mikefromnz Active Member

Locali Registered

cPanelMichael Forums Analyst
Staff Member

mikefromnz Active Member

mikefromnz Active Member

SOLVED Backup meta files appeared after latest upgrade to v.66

Update ioncube to latest version PHP7

Fresh install on CloudLinux 7.3 and latest cPanel

Wordpress thinks latest version, it's not

SOLVED latest.sh: line 372: ./bootstrap: Permission denied

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Latest Kernel not Hardened?

mikefromnz Active Member

sktest123 Well-Known Member

mikefromnz Active Member

Locali Registered

cPanelMichael Forums Analyst Staff Member

mikefromnz Active Member

mikefromnz Active Member

SOLVED Backup meta files appeared after latest upgrade to v.66

Update ioncube to latest version PHP7

Fresh install on CloudLinux 7.3 and latest cPanel

Wordpress thinks latest version, it's not

SOLVED latest.sh: line 372: ./bootstrap: Permission denied

Share This Page

cPanelMichael Forums Analyst
Staff Member