Overview

 This document describes how to install the cPanel hardened kernel update for the Linux® kernel on CentOS 6 servers.

If you enable both of the SymLinksIfOwnerMatch and FollowSymLinks configuration settings, Apache becomes vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on a server that strict OS-level permissions do not protect. The cPanel Hardened Kernel update provides Symlink Race Condition Protection.
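To find where the combination described above is configured, the following added example (not cPanel's code) scans Apache configuration text for Options lines that enable both settings. The function name and the sample configuration are constructed for illustration. The check reads each Options line on its own and does not model how Apache merges options across sections or .htaccess files.

```shell
#!/bin/sh
# Added example. flag_symlink_options is a hypothetical helper name.
# Reads Apache configuration text on stdin and prints "LINE: directive"
# for every Options line that enables both FollowSymLinks and
# SymLinksIfOwnerMatch. Tokens prefixed with "-" count as disabled.
flag_symlink_options() {
    awk '
    tolower($1) == "options" {
        follow = 0; owner = 0
        for (i = 2; i <= NF; i++) {
            opt = tolower($i)
            if (substr(opt, 1, 1) == "-") continue   # explicitly disabled
            sub(/^\+/, "", opt)                      # "+Name" enables Name
            if (opt == "followsymlinks") follow = 1
            if (opt == "symlinksifownermatch") owner = 1
        }
        if (follow && owner) { sub(/^[ \t]+/, ""); print NR ": " $0 }
    }'
}

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF='<Directory "/home/*/public_html">
    Options +FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
<Directory "/var/www/html">
    Options +Indexes +SymLinksIfOwnerMatch -FollowSymLinks
</Directory>
# Options FollowSymLinks SymLinksIfOwnerMatch
<Directory "/srv/app">
    options FollowSymLinks SymLinksIfOwnerMatch Includes
</Directory>'

# Usage on a server (the path is a placeholder):
#   flag_symlink_options < /path/to/httpd.conf
```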

If you need assistance, contact cPanel Technical Support.

Warnings:
  • We deprecated the cPanel-provided hardened kernel update in cPanel & WHM version 68. We strongly recommend that you remove the hardened kernel and consider KernelCare's symlink protection options. For more information about KernelCare, read the KernelCare documentation.
  • The cPanel-provided kernel update will not work for OpenVZ®, Virtuozzo®, LXC, or other container-based systems.
  • This document only applies to 64-bit CentOS 6 systems.
  • cPanel & WHM does not automatically update the operating system kernel. Unattended system kernel updates may cause unplanned reboots or system failures.
  • We strongly suggest that only experienced System Administrators perform this process.
  • Do not perform these steps if you use KernelCare™, KernelSplice, or similar technologies.


Harden your system's kernel

To harden your cPanel system's kernel, log in to your server as the root user via SSH and perform the following steps:


 


Retrieve the repository from cPanel

After you log in to your server, download the signed kernel repository from the securedownloads.cpanel.net site. To do this, run the following commands:

cd /etc/yum.repos.d/  
wget https://securedownloads.cpanel.net/cPkernel/cPkernel.repo

This command returns output that resembles the following example:

2016-04-22 12:59:10 https://securedownloads.cpanel.net/cPkernel/cPkernel.repo
Resolving securedownloads.cpanel.net... 1.2.3.4
Connecting to securedownloads.cpanel.net|1.2.3.4|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 221 [text/plain]
Saving to: "cPkernel.repo"
100%[=====================================>] 1,235 --.-K/s in 0s
2016-04-22 12:59:10 (28.8 MB/s) - "cPkernel.repo" saved [1235]



  


 


Update the kernel

After you download the signed kernel repository, update the kernel on your system. To do this, run the following command:

yum -y update kernel

This command returns output that resembles the following example:

Loaded plugins: fastestmirror
Setting up Update Process
Determining fastest mirrors
epel/metalink                                            |  10 kB     00:00
 * base: repos.mia.quadranet.com
 * epel: reflector.westga.edu
 * extras: mirror.5ninesolutions.com
 * updates: mirror.us.oneandone.net
base                                                     | 3.7 kB     00:00
cPkernel                                                 | 2.9 kB     00:00 ...
cPkernel/primary_db                                      | 1.5 MB     00:01
epel                                                     | 4.3 kB     00:00
http://reflector.westga.edu/repos/Fedora-EPEL/6/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml does not match metalink for epel
Trying other mirror.
epel                                                     | 4.3 kB     00:00
epel/primary_db                                          | 5.9 MB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 2.0 MB     00:00
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:2.6.32-642.4.199.cpanel6 will be installed
--> Processing Dependency: kernel-firmware >= 2.6.32-642.4.199.cpanel6 for package: kernel-2.6.32-642.4.199.cpanel6.x86_64
--> Running transaction check
---> Package kernel-firmware.noarch 0:2.6.32-642.4.2.el6 will be updated
---> Package kernel-firmware.x86_64 0:2.6.32-642.4.199.cpanel6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch       Version                      Repository    Size
================================================================================
Installing:
 kernel              x86_64     2.6.32-642.4.199.cpanel6     cPkernel      32 M
Updating for dependencies:
 kernel-firmware     x86_64     2.6.32-642.4.199.cpanel6     cPkernel      28 M

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       1 Package(s)

Total download size: 60 M
Downloading Packages:
(1/2): kernel-2.6.32-642.4.199.cpanel6.x86_64.rpm        |  32 MB     00:06 ...
(2/2): kernel-firmware-2.6.32-642.4.199.cpanel6.x86_64.r |  28 MB     00:06 ...
--------------------------------------------------------------------------------
Total                                           4.8 MB/s |  60 MB     00:12
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA512 Signature, key ID 7e931c7c: NOKEY
Retrieving key from https://securedownloads.cpanel.net/cPanelPublicRPMKey.asc
Importing GPG key 0c4F842D6D:
 Userid: "user@example.com"
 From  : https://securedownloads.cpanel.net/cPanelPublicRPMKey.asc
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : kernel-firmware-2.6.32-642.4.199.cpanel6.x86_64              1/3
  Installing : kernel-2.6.32-642.4.199.cpanel6.x86_64                       2/3
adding symlink protection for user: nobody
Please reboot to enable symlink protection for user: nobody
  Cleanup    : kernel-firmware-2.6.32-642.4.2.el6.noarch                    3/3
  Verifying  : kernel-2.6.32-642.4.199.cpanel6.x86_64                       1/3
  Verifying  : kernel-firmware-2.6.32-642.4.199.cpanel6.x86_64              2/3
  Verifying  : kernel-firmware-2.6.32-642.4.2.el6.noarch                    3/3

Installed:
  kernel.x86_64 0:2.6.32-642.4.199.cpanel6

Dependency Updated:
  kernel-firmware.x86_64 0:2.6.32-642.4.199.cpanel6

Complete!



 


 


Restart the server

After you update the kernel, you must restart the system to complete the kernel update. To reboot the server, run the reboot command.

This command returns output that resembles the following example:

Broadcast message from user@example.com
(/dev/pts/0) at 13:02 ...
The system is going down for reboot NOW!
bash-4.1# Connection to example.com closed by remote host.



 


 


Verify the kernel update

After you reboot your server, verify that the cPanel Hardened Kernel update succeeded. To verify that your update was successful, log in to the server as the root user via SSH and run the uname command.

This command returns output that resembles the following example:

[user@example.com ~]$ uname -r
2.6.32-573.22.199.cpanel6.x86_64

If the command's output includes cpanel in the returned value, you successfully updated the kernel.
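The uname check only describes the kernel that is currently running. The following added example (not cPanel's code) also compares it with the installed kernel packages, so that a host where the hardened kernel is installed but not yet booted is reported as pending a reboot. The function name classify_kernel is hypothetical, the version strings in the comments come from the sample output in this document, and sort -V assumes GNU coreutils.

```shell
#!/bin/sh
# Added example. classify_kernel is a hypothetical helper name.
#   $1  running kernel release, as printed by `uname -r`
#   $2  installed kernel packages, one VERSION-RELEASE.ARCH per line
# Prints one of:
#   hardened-running <release>   a cPanel kernel is booted and is the newest one
#   reboot-pending <release>     a newer cPanel kernel is installed but not booted
#   not-hardened <release>       no cPanel kernel is installed
classify_kernel() {
    running=$1
    installed=$2
    # Newest installed cPanel build; sort -V (GNU) orders version strings,
    # so 2.6.32-573.22.199.cpanel6 sorts before 2.6.32-642.4.199.cpanel6.
    newest=$(printf '%s\n' "$installed" | grep 'cpanel' | sort -V | tail -n 1)
    case $running in
        *cpanel*)
            if [ -n "$newest" ] && [ "$running" != "$newest" ]; then
                echo "reboot-pending $newest"
            else
                echo "hardened-running $running"
            fi
            ;;
        *)
            if [ -n "$newest" ]; then
                echo "reboot-pending $newest"
            else
                echo "not-hardened $running"
            fi
            ;;
    esac
}

# Usage on the server, as root:
#   classify_kernel "$(uname -r)" \
#       "$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n')"
```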


 

