I am running CENTOS 6.8 x86_64 kvm – host cPanel & WHM 64.0 (build 15) with ModRUID2 and Jailed Apache enabled. When I run Security Advisor, I still get the warning:
"Kernel does not support the prevention of symlink ownership attacks. You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review the documentation to learn how to apply this protection."
We don't have the option of Cloudlinux or the cPanel-hardened kernel (neither are allowed on our host's VPS accounts) and the Bluehost patch doesn't provide sufficient protection, so ModRUID2 + jailed Apache has been our go-to solution.
Security Advisor does still give us green checkmarks for:
"Jailed Apache is enabled"
and
"Apache Symlink Protection is enabled"
although we don't have the Bluehost patch enabled in Apache's global configuration.
I have noticed that the ModRUID2 + jailed Apache option has been removed from the documentation for symlink ownership attack protection. Technically, it's true that our kernel doesn't support prevention of symlink ownership attacks, but aren't we still adequately protected with ModRUID2 and jailed Apache?