matt1206

cPanel Access Level
Root Administrator
Hi,

Had a security alert from the server this evening stating "No symlink protection detected".

I'm running KernelCare, and have been since the server was provisioned in November last year. It's running the 'extra' patch set to protect against this, so just curious as to why cPanel isn't detecting this?

Code:
kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-862.2.3.el7
time: 2018-05-28 18:44:24



kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
kpatch-patch-url:

kpatch-name: 3.10.0/paravirt-asm-definition.patch
kpatch-description:
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url:
kpatch-patch-url:

kpatch-name: 3.10.0/symlink-protection-ge-862.patch
kpatch-description: symlink protection
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7

kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7

uname: 3.10.0-862.3.2.el7
 

dalem

cPanel Access Level
DataCenter Provider
Have you added

Edit the file /etc/sysconfig/kcare/sysctl.conf and add the lines:

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99

Execute:

sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
 

matt1206

cPanel Access Level
Root Administrator
> Have you added
>
> Edit the file /etc/sysconfig/kcare/sysctl.conf and add the lines:
>
> fs.enforce_symlinksifowner = 1
> fs.symlinkown_gid = 99
>
> Execute:
>
> sysctl -w fs.enforce_symlinksifowner=1
> sysctl -w fs.symlinkown_gid=99

I haven't, as I was under the impression this was only needed on the free patch they provide. I have paid KernelCare on all my servers.

Edit: seems I was incorrect... will add those values now.
 

keat63

cPanel Access Level
Root Administrator
I'm no expert, so I could be talking rubbish.

When I updated to V70 recently, I saw a message about the patched kernel being no longer relevant.
I don't recall the exact specifics, but I do recall that I ran 'Security Advisor' and just followed the links, to remove the patched kernel and install a new one.
It was pretty seamless.
 

cPanelMichael

Administrator
Staff member
> I haven't, as I was under the impression this was only needed on the free patch they provide. I have paid KernelCare on all my servers.
>
> Edit: seems I was incorrect... will add those values now.

Hello Matt,

Can you confirm the warning no longer appears in WHM >> Security Advisor after applying those values? Note that CloudLinux documents those values at:

CloudLinux Documentation

> I'm no expert, so I could be talking rubbish.
>
> When I updated to V70 recently, I saw a message about the patched kernel being no longer relevant.
> I don't recall the exact specifics, but I do recall that I ran 'Security Advisor' and just followed the links, to remove the patched kernel and install a new one.
> It was pretty seamless.

Hi @keat63,

The message you are referring to relates to the cPanel-hardened kernel that we offered in the past. We now recommend using KernelCare (they offer a free patch) in lieu of the cPanel-hardened kernel. You can read more about this at:

70 Release Notes - Version 70 Documentation - cPanel Documentation

Thank you.
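
One way to check the three things this thread turns on (symlink patch loaded, sysctl values active, values persisted in the KernelCare sysctl file), as an added example that is not part of the thread and is not cPanel or KernelCare code. The function names are hypothetical; the expected values 1 and 99 and the file path are the ones quoted in dalem's post.

```shell
#!/bin/sh
# Added example. Expected values and path are taken from the thread above.
WANT_ENFORCE=1
WANT_GID=99
KCARE_SYSCTL=/etc/sysconfig/kcare/sysctl.conf

# patch_loaded: reads `kcarectl --patch-info` output on stdin and
# succeeds if a symlink-protection patch is listed.
patch_loaded() {
    grep -Eq '^kpatch-name:.*symlink-protection'
}

# conf_value KEY: reads sysctl.conf-style text on stdin and prints the last
# uncommented value assigned to KEY (empty if KEY is never set).
conf_value() {
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); val = v }
        END { print val }'
}

# verdict PATCH_INFO_TEXT CONF_TEXT RUNTIME_ENFORCE RUNTIME_GID
# Prints one status word; returns non-zero unless everything is in place.
verdict() {
    if ! printf '%s\n' "$1" | patch_loaded; then
        echo "patch-missing"; return 1; fi
    # The patch being loaded is not enough: the sysctl values must be active.
    if [ "$3" != "$WANT_ENFORCE" ] || [ "$4" != "$WANT_GID" ]; then
        echo "patch-loaded-but-not-enforced"; return 1; fi
    # Values set only with `sysctl -w` are runtime-only; check the file too.
    ce=$(printf '%s\n' "$2" | conf_value fs.enforce_symlinksifowner)
    cg=$(printf '%s\n' "$2" | conf_value fs.symlinkown_gid)
    if [ "$ce" != "$WANT_ENFORCE" ] || [ "$cg" != "$WANT_GID" ]; then
        echo "enforced-but-not-persistent"; return 1; fi
    echo "ok"
}

# Live check, only on a host that actually has kcarectl installed.
if command -v kcarectl >/dev/null 2>&1; then
    verdict "$(kcarectl --patch-info)" "$(cat "$KCARE_SYSCTL" 2>/dev/null)" \
        "$(sysctl -n fs.enforce_symlinksifowner 2>/dev/null)" \
        "$(sysctl -n fs.symlinkown_gid 2>/dev/null)"
fi
```

A result of `patch-loaded-but-not-enforced` corresponds to the situation in the first post: the patch appears in `kcarectl --patch-info`, but the sysctl values have not been set.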