Adding KernelCare patch via command line

CanSpace

• September 25, 2018 03:58

We use a script to provision new servers and one step we'd like to add is provisioning kernelcare's free symlink patch automatically. How can this be done via the command line? Assuming this is on a brand new server with a standard kernel.

• 

  dalem

  • September 25, 2018 23:21

  add a bash script to run something like this -------------------------------- #!/bin/bash curl -s >/etc/sysconfig/kcare/sysctl.conf echo "fs.symlinkown_gid = 99" >>/etc/sysconfig/kcare/sysctl.conf sysctl -w fs.enforce_symlinksifowner=1 sysctl -w fs.symlinkown_gid=99 -----------------------------------------

  0
• 

  CanSpace

  • September 26, 2018 12:37

  Are these the exact steps that WHM takes when it is enabled via WHM?

  0
• 

  dalem

  • September 26, 2018 12:45

  You cant enable it VIA WHM it is a kernel module it has to be installed the steps above are form the CloudLinux install instructions for cpanel servers

  0
• 

  CanSpace

  • September 26, 2018 12:48

  Actually it can be enabled via WHM. If you click the security advisor link in WHM it will warn you that symlink protection is not installed and provide you with a link to add the free kernelcare patch (which it will do for you). I want to know how to do this via teh command line.

  0
• 

  dalem

  • September 26, 2018 12:53

  Update read Wrong Yes as stated that is the instructions from the cloudLinux website

  0
• 

  CanSpace

  • September 26, 2018 12:54

  Sigh. No you are incorrect - you can add the free kernelcare patch via WHM, and that is what I am trying to figure out how to do via the command line. Thanks for your assistance but it is not useful.

  0
• 

  dalem

  • September 26, 2018 13:00

  Updated above New feature I was not aware of yes those are the CLI instructions direct from cloudLinux

  0
• 

  dalem

  • September 26, 2018 13:56

  Just fyi The installer in WHM does not install the extra patch set sysctl -w fs.enforce_symlinksifowner=1 sysctl -w fs.symlinkown_gid=99

  0
• 

  cPanelLauren

  • September 26, 2018 20:31

  Hello @CanSpace The instructions provided were correct. That is the way to add symlink protection over CLI. If you want to add it through WHM you'll need to run the security advisor at WHM>>Security Center>>Security advisor this calls a perl module: /usr/local/cpanel/Cpanel/Security/Advisor/Assessors/Kernel.pm
  Because this is a perl module with many different functions it's not available as a WHMAPI1 function and is best/easiest done using CloudLinux's instructions pending your Kernel is stock CentOS Thanks!

  0

Please sign in to leave a comment.