Latest Kernel not Hardened?
Bit confused as to this, I got an email from the Security Advisor telling me the following
Current kernel version is out of date. running kernel: 2.6.32-642.13.2.199.cpanel6.x86_64, most recent kernel: 2.6.32-642.15.1.el6.x86_64
Update the system's software by running "yum update" from the command line and reboot the system.
So I ran YUM UPDATE via SSH, and now running the latest Kernel. Although now when I check Security Advisor, I get the following...

Kernel does not support the prevention of symlink ownership attacks. You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

There appears to be no current hardened kernel, I get the following message

[root@ yum.repos.d]# yum -y update kernel
Loaded plugins: fastestmirror, universal-hooks
Setting up Update Process
Loading mirror speeds from cached hostfile
 * EA4: 104.219.172.10
 * base: mirror.confluxtech.com
 * epel: mirror.sfo12.us.leaseweb.net
 * extras: mirror.confluxtech.com
 * updates: mirror.confluxtech.com
No Packages marked for Update
[root@ yum.repos.d]#
Hello, cPanel does not have a corresponding kernel version patch. You have the latest kernel, but it's not hardened like the cPanel-provided kernel.
Do you have any idea when the cPanel kernel will be made available, or how I can uninstall this kernel and get the cPanel one running again?
Hello: When will this page be updated? [Last modified 2017-02-23 11:34]

Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64/Packages

"cPanel Security Advisor recommends you harden your cPanel system's kernel to implement symlink race condition protection"

Thank you!

*********************************************************************
New Security Advisor notifications with High importance

Type: High
Module: Kernel
Advice: Current kernel version does not match the kernel version for boot. running kernel: 2.6.32-642.15.1.el6.x86_64, boot kernel: 2.6.32-642.13.1.199.cpanel6.x86_64 Reboot the system in the area. Check the boot configuration in grub.conf if the new kernel is not loaded after a reboot.
Hello,

YUM will automatically detect and install newer kernel versions if you have Operating System Package Updates enabled in "WHM >> Update Preferences". Since the latest cPanel-hardened kernel isn't always released at the same time as the OS-provided kernel, it's possible that YUM will sometimes automatically install the OS-provided kernel. However, your system won't actually boot into the newer kernel unless you manually reboot the system.

Internal case CPANEL-11581 is open to determine if this behavior is by-design, or if a change to ensure this does not happen is necessary. I'll update this thread with more information on the status of this case as it becomes available.

In the meantime, you can run the "yum update" command once the latest cPanel-hardened kernel is published to ensure it's installed. I don't have a time frame to offer on the publication of the next cPanel-hardened kernel at this time, but you can monitor the date on the available packages at the following URL to see when it's published:

Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64/Packages

Thank you.
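An added example, not part of the thread and not cPanel's own tooling: a shell check for the state described above, where yum has installed one kernel while GRUB is set to boot another. It assumes GRUB legacy's grub.conf as shipped on CentOS 6 and that hardened builds carry ".cpanel<N>." in the release string, as in the version strings quoted in this thread; the function names and the sample grub.conf are constructed.

```shell
#!/bin/sh
# Added example. Assumptions: GRUB legacy grub.conf (CentOS 6), numeric
# "default=N", and ".cpanel<N>." marking a cPanel-hardened kernel release.

# Print the kernel release of the default GRUB entry. $1 = grub.conf path
boot_kernel() {
    awk '
        /^[ \t]*default[ \t]*=/ { split($0, a, "="); def = a[2] + 0 }
        /^[ \t]*title[ \t]/     { idx++ }
        /^[ \t]*kernel[ \t]/ && idx - 1 == def && !found {
            # $2 is /vmlinuz-<release> or /boot/vmlinuz-<release>
            n = split($2, p, "vmlinuz-"); print p[n]; found = 1
        }' "$1"
}

# Succeed if the release string looks like a cPanel-hardened build.
is_cpanel_hardened() {
    case "$1" in
        *.cpanel[0-9]*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<match|mismatch> <hardened|unhardened>".
# $1 = running release (uname -r), $2 = grub.conf path
kernel_status() {
    boot=$(boot_kernel "$2")
    if [ "$1" = "$boot" ]; then state=match; else state=mismatch; fi
    if is_cpanel_hardened "$1"; then hard=hardened; else hard=unhardened; fi
    echo "$state $hard"
}

# Constructed sample: the OS kernel is installed as entry 0, but the
# default entry (1) is still the cPanel-hardened kernel.
write_sample_grub() {
    cat > "$1" <<'EOF'
default=1
timeout=5
title CentOS (2.6.32-642.15.1.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-642.15.1.el6.x86_64 ro root=/dev/sda1
title CentOS (2.6.32-642.13.2.199.cpanel6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-642.13.2.199.cpanel6.x86_64 ro root=/dev/sda1
EOF
}

# Live use on the server: kernel_status "$(uname -r)" /boot/grub/grub.conf
```

A "mismatch" result means the next reboot will change the running kernel; "unhardened" means the running kernel lacks the cPanel symlink protection patch that Security Advisor checks for.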
Thank you, do you know how I can downgrade back to the cPanel kernel?
Ah my friends at cPanel, I love you so. I post asking how to downgrade, and I get notified there is a new hardened Kernel, hehe THANK YOU!