Security advisor strange results

rscalover

Well-Known Member
Dec 16, 2010
101
12
68
cPanel Access Level
Root Administrator
Hello,

The cPanel/WHM "Security Advisor" feature tells me:

Important
add kernelcare's free symlink protection
Information
Use kernelcare to automate kernel security updates without reboots

I have Imunify360, so the last message is strange, as KernelCare is included and I did have that symlink patch installed, so what is this mess? According to the KernelCare docs (Extra Patchset) I can just use

Code:
kcarectl --set-patch-type extra --update
or
Code:
kcarectl --set-patch-type extra
(no updates)

Is that correct? I'm just worried I'll screw up and then have to clean up the mess.
 


cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
14,307
2,238
363
cPanel Access Level
Root Administrator
Cool - the same as my personal machine :D

I ask because there were reports in the past of the Security Advisor giving bad information if there was a custom kernel running, but that doesn't seem to be the case here.

If you run this, does it give you version info, indicating it's installed and running?

Code:
kcarectl --version
 

rscalover

Hello,

I just clicked that link in your signature and logged in. While filling in the form, at "licenced ip" a message was displayed stating I do have a valid cPanel licence, but if I submit a ticket to cPanel directly it might cause delays in solving the issue.

KernelCare is known as not being the fastest in releasing updates (and that is not criticism of them), so I think that patch is not available yet for the kernel I am running.


*edit*

Or maybe KernelCare is confused. The Symlink Race Condition Protection | cPanel & WHM Documentation says I had the free patch type installed, but last week I purchased Imunify, which includes the full KernelCare service, but this command

Code:
cat /etc/sysconfig/kcare/kcare.conf
does have a "PREV_PATCH_TYPE = free". Should I remove that?
 

rscalover

Hello,

The issue is solved. The symlink patch for my kernel was not yet available yesterday; it has been added by KernelCare. I just did

Code:
kcarectl --set-patch-type extra --update
'extra' patch type selected
Downloading updates
Patch level 1 applied. Effective kernel version 3.10.0-1160.24.1.el7
Kernel is safe

The result in WHM's Security Advisor is attached.
 


rscalover

Hello,

I spoke too soon. Security Advisor is showing that again: "add kernelcare free symlink protection" and "upgrade to kernelcare to automate kernel security updates without reboots". There is definitely something going wrong somewhere.

Code:
cd /usr/local/cpanel/logs
tail error_log
Argument "unknown" isn't numeric in numeric eq (==) at /usr/local/cpanel/Cpanel/Security/Advisor/Assessors/Kernel.pm line 140.
Argument "unknown" isn't numeric in numeric eq (==) at /usr/local/cpanel/Cpanel/KernelCare.pm line 50.
 

rscalover

Hello,

It seems like I found a "workaround". When you type this command

Code:
kcarectl --set-patch-type extra --update
I get

Code:
'extra' patch type selected
Updates already downloaded
Patch level 1 applied. Effective kernel version 3.10.0-1160.24.1.el7
Kernel is safe
and that message in WHM's Security Advisor is gone, but it comes back after x amount of time. This is not normal, absolutely not; you should type that command once and be protected forever.
 

rscalover

Hello,

For some reason it looks like it's getting reset or something

Code:
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99
To verify the gid I use

Code:
ps -ef | egrep '(httpd|apache2|apache)' | grep -v `whoami` | grep -v root | head -n1 | awk '{print $1}'
I don't get this??
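
An added example, not part of the thread and not cPanel or KernelCare code: a shell check of the two sysctl values quoted in the post above against the group id the web server is expected to run under, run here on constructed sample settings. The function names, the sample text and the "reset" state are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the symlink-protection sysctls quoted in the thread.
# Input is "key = value" text, as printed by sysctl or stored in sysctl.conf.

# get_sysctl_value KEY: read settings on stdin, print the last value set for KEY.
get_sysctl_value() {
    awk -F'=' -v key="$1" '
        /^[ \t]*#/ { next }                      # skip comment lines
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }'
}

# audit_symlink_protection SETTINGS EXPECTED_GID
# Prints one finding per line; returns 0 only if the check is enabled and
# fs.symlinkown_gid equals the gid the web server runs under.
audit_symlink_protection() {
    local settings expected_gid enforce gid rc
    settings=$1; expected_gid=$2; rc=0
    enforce=$(printf '%s\n' "$settings" | get_sysctl_value fs.enforce_symlinksifowner)
    gid=$(printf '%s\n' "$settings" | get_sysctl_value fs.symlinkown_gid)

    if [ -z "$enforce" ]; then
        echo "MISSING fs.enforce_symlinksifowner"; rc=1   # key absent from the input
    elif [ "$enforce" = "0" ]; then
        echo "DISABLED fs.enforce_symlinksifowner=0"; rc=1
    else
        echo "OK fs.enforce_symlinksifowner=$enforce"
    fi
    if [ -z "$gid" ]; then
        echo "MISSING fs.symlinkown_gid"; rc=1
    elif [ "$gid" != "$expected_gid" ]; then
        echo "MISMATCH fs.symlinkown_gid=$gid expected=$expected_gid"; rc=1
    else
        echo "OK fs.symlinkown_gid=$gid"
    fi
    return "$rc"
}

# Constructed samples: the values from the post, and a hypothetical reset state.
SAMPLE_GOOD='fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99'
SAMPLE_RESET='fs.enforce_symlinksifowner = 0
fs.symlinkown_gid = 48'

audit_symlink_protection "$SAMPLE_GOOD" 99
audit_symlink_protection "$SAMPLE_RESET" 99 || echo "-> symlink protection not effective"
```

On a live server the settings text would come from `sysctl fs.enforce_symlinksifowner fs.symlinkown_gid` and the expected gid from `id -g` for the account Apache runs as.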
 

rscalover

Hello,

Hmmmm, could you believe it? It looks like the issue is gone just when I reported it and asked to look into it. I feel like cursing but I won't. I just leave it as it is, but in case support wants information, I am in Europe (Belgium), 9.32 pm here right now.