SOLVED Security Advisor "No symlink protection detected" Message When KernelCare + Extras Is Installed

[zeeb0t]

I have installed KernelCare + Extras, but I am still being told by Security Advisor that Symlink protection is not enabled.

# sysctl -p
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99

# kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-693.17.1.el7
time: 2018-01-27 11:54:28

kpatch-name: 3.10.0/CVE-2017-14140-0001-Sanitize-move_pages-permission-checks.patch
kpatch-description: Sanitize 'move_pages()' permission checks
kpatch-kernel: >3.10.0-693.5.2.el7
kpatch-cve: CVE-2017-14140
kpatch-cvss: 3.3
kpatch-cve-url: CVE-2017-14140 - Red Hat Customer Portal
kpatch-patch-url: kernel/git/torvalds/linux.git - Linux kernel source tree

kpatch-name: 3.10.0/dccp-fix-use-after-free.patch
kpatch-description: dccp: fix use-after-free (CVE-2017-8824)
kpatch-kernel: kernel-3.10.0-714.10.2.lve1.4.77.el7
kpatch-cve: CVE-2017-8824
kpatch-cvss: 7.8
kpatch-cve-url: CVE-2017-8824 - Red Hat Customer Portal
kpatch-patch-url: kernel/git/davem/net.git - David Miller's networking tree

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges
kpatch-patch-url:

kpatch-name: 3.10.0/symlink-protection-ge-693.patch
kpatch-description: symlink protection
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: Gerrit Code Review

kpatch-name: 3.10.0/symlink-protection-ge-693.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: Gerrit Code Review

uname: 3.10.0-693.17.1.el7

However, I still receive this notice:

No symlink protection detected
You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.

Thank you for your help!

Anthony

 

[zeeb0t]

Update. I got a reply from cPanel support:

While the kernel care symbolic link protection patch is encouraged, Security Advisor does not yet have the capability to detect that it is in play. Per < 70 Change Log - Change Logs - cPanel Documentation >, for 69.9999.122:

Implemented case CPANEL-17016: Add support for detecting and installing KernelCare's free patch set.

The ability to detect the patch is available in the non-production-recommended version of cPanel.

 

[cPanelMichael]

Hello,

I'm glad to see our Technical Support team was able to answer your inquiry. Thank you for sharing the outcome.