Kernel does not support the prevention of symlink ownership attacks.

fwosty

• September 08, 2017 23:32

Hello everyone, Note: I'm a beginner level user (forgive me in advance!) Security adviser keeps reporting this error. Kernel does not support the prevention of symlink ownership attacks.You do not appear to have any symlink protection enabled through a properly patched kernel on this server, which provides additional protections beyond those solutions employed in userland. Please review How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation Relevant info: Running: yum update # yum update Loaded plugins: fastestmirror, universal-hooks Setting up Update Process Loading mirror speeds from cached hostfile * EA4: 104.219.172.10 * cpanel-addons-production-feed: 104.219.172.10 * base: centos-distro.cavecreek.net * extras: mirror.lax.hugeserver.com * updates: linux.mirrors.es.net No Packages marked for Update Running: yum update kernel #yum -y update kernel Loaded plugins: fastestmirror, universal-hooks Setting up Update Process Loading mirror speeds from cached hostfile * EA4: 104.219.172.10 * cpanel-addons-production-feed: 104.219.172.10 * base: centos-distro.cavecreek.net * extras: mirror.lax.hugeserver.com * updates: linux.mirrors.es.net Package(s) kernel available, but not installed. No Packages marked for Update Running: unname -r # uname -r 2.6.32-042stab111.11 Running: rpm -qa|grep kernel # rpm -qa|grep kernel kernel-headers-2.6.32-696.299.3.2.cp6.x86_64

• 

  linux4me2

  • September 09, 2017 16:42

  When you did Step 1 of

  0
• 

  fwosty

  • September 09, 2017 16:55

  If your server otherwise meets the criteria to run a custom kernel; i.e., you're not on a containerized VPS, your host may be preventing you from installing a custom kernel

  
  Thank you for your reply. Apologies, I just figured out I'm on a containerized system. (CENTOS 6.9 virtuozzo - version 66.0.18). Per the documentation "Is there a way to get rid of the pesky error message from security adviser? To answer your question, I got the success message cPkernel.repo was saved. Thanks again for your time.

  0
• 

  linux4me2

  • September 09, 2017 17:09

  Even if you were on a non-containerized VPS like KVM, your host might not let you run a custom kernel. I ran into that myself. It's frustrating. I'm not sure how to get rid of the kernel-related message, I don't think it goes away even if you implement some other kind of symlink-race condition protection. I eventually learned to ignore it after I had another symlink-race condition solution in place.

  0
• 

  cPanelMichael

  • September 12, 2017 15:17

  Hello, It's not possible to disable that warning message, however you may want to vote and add feedback to the following feature request if you'd like to see an option to disable specific Security Advisor notifications: Disable specific Security Advisor State Change notifications Thank you.

  0

Please sign in to leave a comment.