No symlink protection detected
Hi,
Had a security alert from the server this evening stating "No symlink protection detected".
I'm running Kernelcare, and have been since the server was provisioned in November last year. It's running the 'extra' patch set to protect against this, so just curious as to why cPanel isn't detecting this?
kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-862.2.3.el7
time: 2018-05-28 18:44:24
kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
kpatch-patch-url:
kpatch-name: 3.10.0/paravirt-asm-definition.patch
kpatch-description:
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url:
kpatch-patch-url:
kpatch-name: 3.10.0/symlink-protection-ge-862.patch
kpatch-description: symlink protection
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-3.10.0-514.el7
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
uname: 3.10.0-862.3.2.el7-
Have you added the following?
Edit the file /etc/sysconfig/kcare/sysctl.conf and add the lines:
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99
Execute:
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
I haven't, as I was under the impression this was only needed on the free patch they provide. I have paid KernelCare on all my servers. Edit: seems I was incorrect... will add those values now.
KernelCare does not know how your Apache was installed, or if it's installed at all, as KernelCare is not limited to cPanel servers.
I'm no expert, so I could be talking rubbish. When I updated to V70 recently, I saw a message about the patched kernel being no longer relevant. I don't recall the exact specifics, but I do recall that I ran 'Security Advisor' and just followed the links to remove the patched kernel and install a new one. It was pretty seamless.
Hello Matt, Can you confirm the warning no longer appears in WHM >> Security Advisor after applying those values? Note that CloudLinux documents those values at: CloudLinux Documentation
Hi @keat63, The message you are referring to relates to the cPanel-hardened kernel that we offered in the past. We now recommend using KernelCare (they offer a free patch) in lieu of the cPanel-hardened kernel. You can read more about this at: 70 Release Notes - Version 70 Documentation - cPanel Documentation Thank you.
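The settings suggested earlier in this thread have two halves: the lines in /etc/sysconfig/kcare/sysctl.conf and the `sysctl -w` calls for the running kernel. The check below is an added example, not part of the original thread or of KernelCare's tooling; the function names are made up here, and it assumes the file uses sysctl.conf syntax where a later assignment overrides an earlier one.

```shell
# Added example: audit the two symlink-protection sysctls from this thread.
# Paths are parameters so the check can be pointed at copies; the defaults are
# the file named in the thread and the kernel's /proc/sys tree.

# conf_value FILE KEY: print the effective value of KEY in FILE (empty if unset).
conf_value() {
    [ -r "$1" ] || return 0
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }               # skip comment lines
        {
            k = $1; v = $2
            gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == key) val = v             # assumption: last assignment wins
        }
        END { print val }' "$1"
}

# live_value PROCROOT KEY: print the running kernel value (fs.foo -> fs/foo).
live_value() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$path" ]; then tr -d ' \t\n' < "$path"; fi
}

# check_symlink_protection [CONF] [PROCROOT]
# Returns 0 only when both keys are persisted and active with the thread's values.
check_symlink_protection() {
    conf="${1:-/etc/sysconfig/kcare/sysctl.conf}"
    proc="${2:-/proc/sys}"
    rc=0
    for pair in fs.enforce_symlinksifowner=1 fs.symlinkown_gid=99; do
        key=${pair%%=*}; want=${pair#*=}
        saved=$(conf_value "$conf" "$key")
        live=$(live_value "$proc" "$key")
        if [ "$saved" != "$want" ]; then
            echo "NOT PERSISTED: $key (file has '${saved:-unset}', want $want)"
            rc=1
        fi
        if [ "$live" != "$want" ]; then
            echo "NOT ACTIVE: $key (kernel has '${live:-unset}', want $want)"
            rc=1
        fi
    done
    return $rc
}
```

Calling `check_symlink_protection` with no arguments on the server checks the real file and the running kernel. A "NOT ACTIVE" line with an unset value means the key is absent under /proc/sys, so the kernel is not exposing that setting at all.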