KernelCare Retirement

The KernelCare Linux kernel patching service is a system offered by CloudLinux. This product provides ongoing security patches for many Linux kernel versions. Updates are installed live without requiring a system reboot, which is a tremendous incentive when running an active server. Because CloudLinux offers a free symlink (symbolic link) protection patch for servers running CentOS 6 and 7, Liquid Web is replacing existing versions of KernelCare with this free version.
Symlink Protection
As many of us who have employed KernelCare in the past know, this service is vital for protecting servers against critical or high-priority vulnerabilities. Even if you are not running the full version of KernelCare, this critical patch protects servers running CentOS 6 or CentOS 7 against symlink race attacks. A symlink race attack is defined as follows:
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
The cross-account symlink protection patch helps prevent attacks of this kind.
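The check-then-create pattern from the definition above, next to an exclusive-create version, as an added example that is not part of the original article. The race window is reproduced deterministically by planting a dangling link before the call, and every path and function name is constructed for the demonstration inside a throwaway directory.

```shell
#!/bin/sh
# Added example (not from the article): check-then-create vs. exclusive create.
# Everything happens inside a throwaway directory; all names are constructed.

# Unsafe: tests for the file, then opens it. The redirect follows a symlink,
# and "-e" reports a dangling link as "does not exist", so the check passes.
unsafe_write() {
    if [ ! -e "$1" ]; then
        printf '%s\n' "$2" > "$1"
    fi
}

# Safer: with noclobber the shell creates the file exclusively (O_EXCL), so
# check and create are one atomic step and an existing link is refused.
safe_write() {
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Plant a link at the predictable temp name, call writer $1, and return 0
# if the data ended up in the file the link points to.
link_followed() {
    box=$(mktemp -d) || return 2
    mkdir "$box/tmp" "$box/private"
    ln -s "$box/private/victim" "$box/tmp/app.tmp"
    "$1" "$box/tmp/app.tmp" "data chosen by another user" || true
    if [ -f "$box/private/victim" ]; then hit=0; else hit=1; fi
    rm -rf "$box"
    return "$hit"
}

for writer in unsafe_write safe_write; do
    if link_followed "$writer"; then
        echo "$writer: wrote through the symlink"
    else
        echo "$writer: refused, link target untouched"
    fi
done
```

Scripts that need a scratch file are better served by `mktemp`, which combines exclusive creation with an unpredictable name.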
Install the Free Symlink Protection Patch
Here are the instructions on how to install the KernelCare patch to utilize this free service. Although the symlink protection patch is part of the KernelCare service, it does not require us to purchase a license or register with KernelCare. To enable the free symlink protection, we must take the following steps. First, install the KernelCare client.
root@host:~# curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
Next, enable the free patch by executing the command below. While installing, you should see output similar to the following.
root@host:~# kcarectl --set-patch-type free --update
OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6
kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
The software will apply the change in the next update.
Now, edit the /etc/sysconfig/kcare/sysctl.conf file, or if it doesn't exist, create it and add the following lines.
fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48
Finally, run the following commands.
root@host:~# sysctl -w fs.enforce_symlinksifowner=1
root@host:~# sysctl -w fs.symlinkown_gid=48
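A post-install check for the steps above, as an added example that is not CloudLinux's or Liquid Web's own tooling. It confirms that the patch listing names a symlink-protection kpatch and that both sysctl settings are persisted; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): verify the free symlink protection.

# Succeeds if patch-info text on stdin lists a symlink-protection kpatch.
patch_loaded() {
    grep -Eq '^kpatch-name:[[:space:]]*[^[:space:]]*symlink-protection'
}

# Print the last value assigned to sysctl key $1 in file $2.
# Comment lines are skipped and spaces around "=" are ignored.
conf_value() {
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { print val }' "$2"
}

# Succeeds only if both settings from the article are persisted in file $1.
conf_ok() {
    [ "$(conf_value fs.enforce_symlinksifowner "$1")" = 1 ] &&
    [ "$(conf_value fs.symlinkown_gid "$1")" = 48 ]
}

# Constructed sample, trimmed from the output shown in the article.
sample_info='OS: CentOS6
kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection'

# Constructed sample of the sysctl.conf contents from the article.
conf=$(mktemp)
printf '%s\n' '# constructed sample' \
    'fs.enforce_symlinksifowner = 1' 'fs.symlinkown_gid = 48' > "$conf"

if printf '%s\n' "$sample_info" | patch_loaded && conf_ok "$conf"; then
    echo "symlink protection: patch listed and settings persisted"
else
    echo "symlink protection: NOT fully configured"
fi
```

On a patched host, pipe `kcarectl --patch-info` into `patch_loaded`, point `conf_ok` at `/etc/sysconfig/kcare/sysctl.conf`, and compare the result with `sysctl -n fs.enforce_symlinksifowner` to confirm the running value.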
KernelCare is also available on CentOS 8. Users can find more information about that product on their website.
Upgrading KernelCare
Should you wish to upgrade from the free symlink protection patchset to the full version of KernelCare, follow the instructions below.
First, review the pricing page and purchase a license key. If you have an existing CloudLinux Network (or CLN) account, you can obtain an updated plan by logging into your CLN account. Current users who have an IP-based license require no further interaction. If you are using a key-based license, run the following command.
root@host:~# /usr/bin/kcarectl --register KEY
To confirm that the patches were applied successfully, run this command.
root@host:~# /usr/bin/kcarectl --info
The application automatically checks for new patches every 4 hours. To perform a manual update, run this command.
root@host:~# /usr/bin/kcarectl --update
To enable the additional patches and apply them, run this command.
root@host:~# kcarectl --set-patch-type extra --update
To enable the extra patches without an update, run the command below.
root@host:~# kcarectl --set-patch-type extra
The software will apply this extra patch in the subsequent automatic update. To view the details about the patch, run the following command. In the terminal, we should see output similar to this.
root@host:~# kcarectl --patch-info
OS: centos6
kernel: kernel-2.6.32-696.6.3.el6
time: 2017-07-31 22:46:22
uname: 2.6.32-696.6.3.el6
...
kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
...
kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
...
kpatch-name: 2.6.32/ipset-fix-list-shrinking.patch
kpatch-description: fix ipset list shrinking for no reason
kpatch-kernel: N/A
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://bugs.centos.org/view.php?id=13499
To enable the Symlink Owner Match Protection, add the fs.enforce_symlinksifowner = 1 line (as in the installation steps above) to the /etc/sysconfig/kcare/sysctl.conf file. Then run the following command to enable it.
root@host:~# sysctl -w fs.enforce_symlinksifowner=1
For further information, see the CloudLinux docs.
Conclusion
KernelCare is an excellent method to keep your server safe. Using its optimized system, it continually applies security updates and patches, which increases the overall security of the systems on our Linux server. Should you wish to receive more information about this product or have further questions, our Support or Solutions teams can provide additional info to help you implement this solution.
Our Support Teams are filled with talented Linux technicians and System administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article. If you own a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Managed Cloud Server, or a Dedicated server, and you are uncomfortable with performing any of the steps outlined, you can reach us via phone at 800.580.4985, chat, or support ticket for assistance with this process.
About the Author: David Singer
I am a g33k, Linux blogger, developer, student, and former Tech Writer for Liquidweb.com. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....