kernelcare symlink patch - centos 7 - cpanel 68.0.12
In CENTOS 7.4 kvm v68.0.12
uname -r
3.10.0-693.5.2.el7.x86_64
kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-693.5.2.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Fri Oct 20 20:32:50 UTC 2017
kpatch-build-time: Tue Oct 24 22:49:09 2017
kpatch-description: 2-free;3.10.0-693.5.2.el7
But in Security Advisor it's showing
No symlink protection detected
You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.
may i ignore that warning, pls help
Did you apply the appropriate sysctl settings after enabling the patch?
Yes, I applied as mentioned in details.
Edit the file /etc/sysconfig/kcare/sysctl.conf add the lines:
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99
Execute:
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
Ok, Good :) In that case you may need to wait for cpanel staff or open a ticket. With that said, if you don't get errors committing those sysctl parameters your server is probably OK.
OK, I will wait for a cPanel staff reply, else I will open a ticket. Yes, no error came up while committing those sysctl parameters.
Hello, Internal case CPANEL-16877 is open to address an issue where Security Advisor reports "No symlink protection detected" despite the server using the KernelCare "Extra" Patchset. In the meantime, you can safely ignore that warning if you've followed the instructions on setting it up (see here). I'll update this thread with more information on the status of this case as it becomes available. Thank you.
Thanks, cPanelMichael, and yes, I followed the instructions mentioned in the blog link. I will wait for an update from you when available.
After some cPanel updates and after any server reboot I have to reapply this every time to get rid of the Security Advisor warning.
Execute:
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
Yes, after VPS reboot, I reapplied
Execute:
sysctl -w fs.enforce_symlinksifowner=1
sysctl -w fs.symlinkown_gid=99
But the Security Advisor warning is still there. Thanks.
Hi @weblinks and @dvk01uk, There's no workaround to have Security Advisor output the correct result. It's a false positive, which is what internal case CPANEL-16877 will solve. I'll update this thread with more information on the status of this case as soon as it's available. Thanks!
If the settings are in your sysctl config files themselves, "sysctl -p $file" should commit them. If that is failing or is not persistent across reboots, try moving the settings to /etc/sysctl.conf itself and running just "sysctl -p" to commit them. You can also run "sysctl --system" to have it apply your settings which will then be echoed to your terminal. This is a good way to make sure your changes are in files that are actually being parsed by the system.
[root@new ~]# sysctl --system
* Applying /etc/sysctl.conf ...
(snip)
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99
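The persistence check discussed in the reply above, as an added example (not part of any post in this thread, and not cPanel or KernelCare code): it reads sysctl-style config files in the order given, reports whether the two settings quoted in the thread are persisted, and compares them with the live kernel values. The function names and the SYSCTL_ROOT override are assumptions made for illustration; the file paths in the usage line are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example (constructed). Expected values are the two quoted in the thread.
EXPECTED="fs.enforce_symlinksifowner=1 fs.symlinkown_gid=99"

# persisted_value KEY FILE...: print the last value assigned to KEY across the
# files, read in the order given (a later assignment overrides an earlier one).
persisted_value() {
    key=$1; shift
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; echo; fi
    done | awk -v key="$key" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                   # not an assignment
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) last = v
        }
        END { if (last != "") print last }'
}

# audit_symlink_sysctl FILE...: return 0 only when each expected key is both
# persisted in the files and live in the kernel with the expected value.
# SYSCTL_ROOT (hypothetical override, default /proc/sys) exists for testing.
audit_symlink_sysctl() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(persisted_value "$key" "$@")
        live_file="${SYSCTL_ROOT:-/proc/sys}/$(echo "$key" | tr . /)"
        if [ "$have" != "$want" ]; then
            echo "NOT PERSISTED: $key (files say '${have:-unset}', want $want)"; rc=1
        fi
        if [ ! -r "$live_file" ]; then
            echo "NOT EXPOSED: $key is absent from the running kernel"; rc=1
        elif [ "$(cat "$live_file")" != "$want" ]; then
            echo "RUNTIME DRIFT: $key is $(cat "$live_file"), want $want"; rc=1
        fi
    done
    return $rc
}

# Usage: sh check.sh /etc/sysconfig/kcare/sysctl.conf /etc/sysctl.conf
if [ "$#" -gt 0 ]; then audit_symlink_sysctl "$@"; fi
```

A "NOT PERSISTED" result with matching live values is the situation described earlier in the thread, where the settings had to be reapplied with sysctl -w after every reboot.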
Hello, To update, the resolution is planned for cPanel version 70 as part of internal case CPANEL-17016. Thank you.
how do i even get this patch?
Hi, Information on how to install it is available at: The KernelCare "Extra" Patchset for CentOS 6 & 7 with symlink protection is here. Thank you.
So in v70 will be install symlink protection automatically?
No, it's not installed automatically. The change in cPanel 70 allows for Security Advisor to detect the KernelCare free tier patch, as it does not do so in cPanel 68 and earlier. Thank you.