Kernelcare symlink patch install and updates questions
I have Kernelcare Free patch is installed and running, per The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare but I have a few questions:
1- /etc/sysconfig/kcare/sysctl.conf does not exist until it is created, correct? I went to edit it after installing and enabling the patch and the file had to be created.
2- Updates to the patch are manual since it is manually installed, correct? If so, how often?
3- What is the effect of kernel updates? Does it need to be manually updated after each update?
4- I read posts about having to re-enable it after reboots. This should not be necessary if properly installed, correct?
5- There is no monitoring that it is active, correct? (Other than in Security Advisor, which should be accurate in version 70.)
-
Hi @PeteS, 1) Correct. 2) No, the rpm actually includes a cron job for this: # rpm -ql kernelcare|grep cron /etc/cron.d/kcare-cron # cat /etc/cron.d/kcare-cron 26 */4 * * * root /usr/bin/kcarectl --auto-update --gradual-rollout=auto
3) CloudLinux will push updates for new kernels and the above cron will pull it down. Sometimes, the update may be a bit slow, so you may see an email from the cron job; however, it's typically automatically resolved within a day or so. 4) Reboots shouldn't have any effect if properly enabled via '/etc/sysconfig/kcare/sysctl.conf' 5) I am not sure what you mean by monitoring, but there isn't any logging/alerts when the patch blocks an attempt at the symlink race condition exploit. The Security Advisor check runs on nightly maintenance, so if it detects an issue with the patch, you'll receive an email about it. Thanks,0 -
All great to hear! 3- Followup: so it checks its patch kernel version against the server's and updates (or attempts to) as necessary? And I assume notifies if they don't match, until they do... 5- "monitoring that it is active" meaning that it's installed and properly configured. None for now, but should be in v 70 via Security Advisor is my understanding. Thanks! 0 -
I new notice has showed up in Security Advisor: [quote]The system kernel is at version "", but is set to boot to version "3.10.0-693.17.1.el7.x86_64". You must take one of the following actions to ensure the system is up-to-date: - Wait a few days for KernelCare to publish a kernel patch.
- Reboot the system.
That is the correct and latest kernel, and the reboot went fine, but did not eliminate the notice. I assume it is a false finding, or else something is not quite right in Kernelcare's setup/config. Any advice on this?0 -
That is the correct and latest kernel, and the reboot went fine, but did not eliminate the notice. I assume it is a false finding, or else something is not quite right in Kernelcare's setup/config. Any advice on this?
Hello, This is fixed in cPanel verison 70 with the following case: Implemented case CPANEL-17016: Add support for detecting and installing KernelCare's free patch set. Thank you.0 -
Can you run this using mod_ruid2 and can you run this in virtual containers? 0 -
Can you run this using mod_ruid2 and can you run this in virtual containers?
Hello, Both KernelCare or KernelCare's Free Patch Set are compatible with Mod_Ruid2. As far as the supported environments, we only offer these options for systems that run CentOS 6 and CentOS 7, and we do not provide them for LXC, Amazon" Linux, or Virtozzo installations. This is documented at: 70 Release Notes - Version 70 Documentation - cPanel Documentation Thank you.0 -
Ok. Thank you. 0
Please sign in to leave a comment.
Comments
7 comments