Announcement

Collapse
No announcement yet.

AlmaLinux 8.10 / cPanel/WHM and Add KernelCare’s Free Symlink Protection

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • AlmaLinux 8.10 / cPanel/WHM and Add KernelCare’s Free Symlink Protection

    Hello,

    I have a fresh installation of AlmaLinux 8.10 running cPanel/WHM and in the WHM/cPanel Security Advisor interface I have clicked on "Add KernelCare’s Free Symlink Protection", which I think it had installed kernelcare and libcare (acording to the processes shown in top via SSH) without any confirmation, but returned a blank page. In the WHM/cPanel Security Advisor continues to suggest "Add KernelCare’s Free Symlink Protection" option.

    Below is the output from some commands that may be useful:

    Code:
    [root@host ~]# uname -a
    Linux host 4.18.0-553.el8_10.x86_64 #1 SMP Fri May 24 08:32:12 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux
    
    [root@host ~]# kcarectl --uname
    4.18.0-553.el8_10.x86_64​
    
    [root@host ~]# kcarectl -i
    This kernel doesn't require any patches.
    
    [root@host ~]# kcarectl --patch-info
    This kernel doesn't require any patches.
    
    [root@host ~]# cat kcarectl.log
    2024-06-03 22:42:20,434 INFO: patchserver config override: USE_CONTENT_FILE with 0
    2024-06-03 22:42:20,434 INFO: patchserver config override: FORCE_JSON_SIG with 0
    2024-06-03 22:42:20,435 INFO: Probing patch URL: https://patches.kernelcare.com/patches/stubs/1664088f2926b8137ce97e3b26f76dd95aaabfac/0/kpatch.free.bin
    2024-06-03 22:42:20,992 INFO: https://patches.kernelcare.com/patches/stubs/1664088f2926b8137ce97e3b26f76dd95aaabfac/0/kpatch.free.bin is not available: 404
    2024-06-03 22:42:20,993 ERROR: 'free' patch type is unavailable for your kernel
    2024-06-03 22:42:31,279 INFO: patchserver config override: USE_CONTENT_FILE with 0
    2024-06-03 22:42:31,280 INFO: patchserver config override: FORCE_JSON_SIG with 0
    2024-06-03 22:42:39,315 INFO: patchserver config override: USE_CONTENT_FILE with 0
    2024-06-03 22:42:39,316 INFO: patchserver config override: FORCE_JSON_SIG with 0
    2024-06-03 22:43:46,713 INFO: patchserver config override: USE_CONTENT_FILE with 0
    
    ​
    The questions are:

    1. Should I consider that KernelCare is installed successfuly but the current kernel is not yet supported?

    2. Is it safe/sable to keep KernelCare installed on the server in these conditions or should I uninstall it?

    Thank you!

  • #2
    Hello,

    We are on a final stage to provide support for the 4.18.0-553 kernel, it could be done within a week or two.

    However, as soon as it will be released you would need to set the patch free first to get it e.g.:

    Code:
    kcarectl --set-patch-type free

    Comment


    • #3
      Originally posted by bogdan.sh View Post
      Hello,

      We are on a final stage to provide support for the 4.18.0-553 kernel, it could be done within a week or two.

      However, as soon as it will be released you would need to set the patch free first to get it e.g.:

      Code:
      kcarectl --set-patch-type free
      Hello

      The patch seems to have been released for the 4.18.0-553.5.1.el8_10 kernel, but symlink protection does not seem to be active despite the patch being applied.​

      [root@node local]# kcarectl --set-patch-type free --update
      'free' patch type selected
      Downloading updates
      Patch level 2 applied. Effective kernel version 4.18.0-553.5.1.el8_10
      Kernel is safe

      [root@node local]# cat /etc/sysconfig/kcare/sysctl.conf

      fs.enforce_symlinksifowner=1
      fs.symlinkown_gid=99

      [root@node local]# sysctl -n fs.symlinkown_gid
      1006
      [root@node local]# sysctl -n fs.enforce_symlinksifowner
      0

      Comment


      • #4
        Can you please confirm the settings were applied with the appropriate command? (they are applied on boot as well). Please do the following then check again:

        Code:
        sysctl -p

        Comment


        • #5
          [QUOTE=bogdan.sh;n40134]Can you please confirm the settings were applied with the appropriate command? (they are applied on boot as well). Please do the following then check again:

          Hello

          [root@node ~]# sysctl -p
          fs.inotify.max_user_watches = 250000
          fs.inotify.max_queued_events = 250000
          net.netfilter.nf_conntrack_max = 5000000
          fs.enforce_symlinksifowner = 1
          fs.symlinkown_gid = 99​
          [root@node ~]# sysctl -n fs.enforce_symlinksifowner
          0
          [root@node ~]# sysctl -n fs.symlinkown_gid
          1006​
          Something seems wrong.​

          ***

          Command outputs from another server with centos 7.;

          [root@ns3-host ~]# kcarectl --info
          kpatch-state: patch is applied
          kpatch-for: Linux version 3.10.0-1160.118.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Wed Apr 24 16:01:50 UTC 2024
          kpatch-build-time: Tue May 21 02:02:13 2024
          kpatch-description: 4-free:1718298101;3.10.0-1160.119.1.el7​
          [root@ns3-host ~]# sysctl -n fs.enforce_symlinksifowner
          1
          [root@ns3-host ~]# sysctl -n fs.symlinkown_gid
          99
          [root@ns3-host ~]# sysctl -p
          net.netfilter.nf_conntrack_max = 655360​

          Comment


          • #6
            Hello,

            On our server with Almalinux 8.10 and cPanel installed, when I want to activate the KernelCare free symlink protection, the patch is applied but there is an error with the "fs.enforce_symlinksifowner" and "fs.symlinkown_gid" values. The "fs.enforce_symlinksifowner" value remains 0 and the "fs.symlinkown_gid" value remains 1006. For the patch to be applied correctly, these values need to be 1 and 99.

            When I check the /etc/sysconfig/kcare/sysctl.conf file, there seems to be no problem, when I try to manually add these values to /etc/sysctl.conf, the result doesn’t change.

            [root@66-245-196-105 local]# kcarectl --set-patch-type free --update
            'free' patch type selected
            Downloading updates
            Patch level 4 applied. Effective kernel version 4.18.0-553.5.1.el8_10
            Kernel is safe

            ***

            [root@server]# kcarectl --info
            kpatch-state: patch is applied
            kpatch-for: Linux version 4.18.0-553.5.1.el8_10.x86_64 (mockbuild@x64-builder02.almalinux.org) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-22) (GCC)) #1 SMP Wed Jun 5 09:12:13 EDT 2024
            kpatch-build-time: Wed Jun 19 14:41:38 2024
            kpatch-description: 4-free:1719657130;4.18.0-553.5.1.el8_10

            ***

            [root@server]# sysctl -n fs.enforce_symlinksifowner
            0
            [root@66-245-196-105 local]# sysctl -n fs.symlinkown_gid
            1006

            ***

            [root@server]# cat /etc/sysconfig/kcare/sysctl.conf
            fs.enforce_symlinksifowner=1
            fs.symlinkown_gid=99

            Comment


            • #7
              Sorry for the delay, we tried to reproduce on our test servers and was not able to do so, it have to be working on this kernel version.

              Can you please confirm you did `sysctl -p /etc/sysconfig/kcare/sysctl.conf` then check the values? Also, please check if there are no duplicates in other files:

              Code:
              grep -i symlinkown_gid /etc/sys* -Rs

              Comment


              • #8
                Originally posted by bogdan.sh View Post
                Sorry for the delay, we tried to reproduce on our test servers and was not able to do so, it have to be working on this kernel version.

                Can you please confirm you did `sysctl -p /etc/sysconfig/kcare/sysctl.conf` then check the values? Also, please check if there are no duplicates in other files:

                Code:
                grep -i symlinkown_gid /etc/sys* -Rs
                Something still seems wrong.​

                [root@server ~]# kcarectl --set-patch-type free --update
                'free' patch type selected
                Downloading updates
                Patch level 6 applied. Effective kernel version 4.18.0-553.5.1.el8_10
                Kernel is safe

                [root@server ~]# sysctl -n fs.symlinkown_gid
                1006
                [root@server ~]# sysctl -n fs.enforce_symlinksifowner
                0

                [root@server ~]# grep -i symlinkown_gid /etc/sys* -Rs
                /etc/sysconfig/kcare/sysctl.conf:fs.symlinkown_gid=99

                [root@server~]# kcarectl --info
                kpatch-state: patch is applied
                kpatch-for: Linux version 4.18.0-553.5.1.el8_10.x86_64 (mockbuild@x64-builder02.almalinux.org) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-22) (GCC)) #1 SMP Wed Jun 5 09:12:13 EDT 2024
                kpatch-build-time: Wed Jun 19 17:41:38 2024
                kpatch-description: 6-free:1720524980;4.18.0-553.5.1.el8_10​

                Comment


                • #9
                  Interestingly, after running "sysctl -p /etc/sysconfig/kcare/sysctl.conf" I started seeing the correct settings.​

                  [root@server ~]# sysctl -p /etc/sysconfig/kcare/sysctl.conf
                  fs.enforce_symlinksifowner = 1
                  fs.symlinkown_gid = 99​

                  [root@server ~]# sysctl -n fs.symlinkown_gid
                  99
                  [root@84-54-13-120 ~]# sysctl -n fs.enforce_symlinksifowner
                  1​

                  ***

                  However, when I unload and activate the protection again, these settings are not automatically validated by sysctl.​

                  [root@server ~]# kcarectl --unload
                  KernelCare protection disabled. Your kernel might not be safe

                  [root@server ~]# kcarectl --set-patch-type free --update
                  'free' patch type selected
                  Updates already downloaded
                  Patch level 6 applied. Effective kernel version 4.18.0-553.5.1.el8_10
                  Kernel is safe

                  [root@server ~]# sysctl -n fs.symlinkown_gid
                  1006
                  [root@server ~]# sysctl -n fs.enforce_symlinksifowner
                  0​​

                  Comment

                  Working...
                  X