The KernelCare Linux kernel patching service is a system offered by CloudLinux. This product provides ongoing security patches for many Linux kernel versions. Updates are installed live without requiring a system reboot, which is a tremendous incentive when running an active server. Because CloudLinux offers a free symlink (symbolic link) protection patch for servers running CentOS 6 and 7, Liquid Web is replacing existing versions of KernelCare with this free version. 

As many of us who have employed KernelCare in the past know, this service is vital for protecting servers against critical or high-priority vulnerabilities. Even if you are not running the full version of KernelCare, this critical patch protects servers running CentOS 6 or CentOS 7 against symlink race attacks. A symlink race attack is defined as follows: 

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.

https://capec.mitre.org

The cross-account symlinking patch helps prevent attacks like these.
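The check-then-create pattern from the definition above, shown next to two atomic alternatives. This is an added example, not part of the original article; every path is constructed inside a scratch directory, and the function names and the report.tmp file name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. All paths are constructed
# inside a scratch directory; "report.tmp" is a hypothetical temp-file name.

# Check-then-create on a predictable name: the pattern the definition describes.
# Both the "-e" test and the ">" redirect follow symlinks, and nothing ties the
# check to the create, so a link placed at $1 redirects the write to its target.
write_check_then_create() {
    [ -e "$1" ] && return 1
    printf '%s\n' "$2" > "$1"
}

# Atomic create: with noclobber (set -C) bash and dash create the file with
# O_EXCL, which fails if any name, a symlink included, already exists at $1.
write_exclusive() {
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Preferred for temp files: mktemp picks an unpredictable name and creates it
# exclusively with mode 0600. Prints the path it created.
write_private_temp() {
    tmpfile=$(mktemp "$1/report.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmpfile" && printf '%s\n' "$tmpfile"
}

# Run the three helpers against a pre-planted link and report what happened.
demo() {
    scratch=$(mktemp -d) || return 1
    ln -s "$scratch/protected.conf" "$scratch/report.tmp"  # stands in for the attacker's link

    write_check_then_create "$scratch/report.tmp" "data"
    [ -f "$scratch/protected.conf" ] && echo "check-then-create: wrote through the link"
    rm -f "$scratch/protected.conf"

    write_exclusive "$scratch/report.tmp" "data" || echo "exclusive create: refused"
    [ -e "$scratch/protected.conf" ] || echo "exclusive create: target untouched"

    made=$(write_private_temp "$scratch" "data") && [ ! -L "$made" ] && echo "mktemp: regular file"
    rm -rf "$scratch"
}

demo
```

The first helper passes its existence check here because the link's target does not exist yet, so the write lands in the target without any timing window at all.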

Here are the instructions on how to install the KernelCare patch to utilize this free service. Although the symlink protection patch is part of the KernelCare service, it does not require us to purchase a license or register with KernelCare. To enable the free symlink protection, we must take the following steps. First, install the KernelCare client.

root@host:~# curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
Note:
As a security precaution, always review any external scripts before running them, no matter the source.

Next, enable the free patch by running the command below. You should see output similar to the following.

root@host:~# kcarectl --set-patch-type free --update
OS: CentOS6
 kernel: kernel-2.6.32-696.el6
 time: 2017-06-22 16:13:40
 uname: 2.6.32-642.15.1.el6
kpatch-name: 2.6.32/symlink-protection.patch

kpatch-description: symlink protection // If you see this patch, it mean that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

The software will apply the change in the next update.

Now, edit the /etc/sysconfig/kcare/sysctl.conf file, or if it doesn't exist, create it and add the following lines.

fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 48

Finally, run the following commands.

root@host:~# sysctl -w fs.enforce_symlinksifowner=1
root@host:~# sysctl -w fs.symlinkown_gid=48
Note:
On a typical RPM-based Apache install, Apache will usually run under the Group Identifier (GID) 48. On a cPanel server, Apache runs under the user nobody, using the Group Identifier (GID) 99. Also, this patch only includes symlink protection. It does not include the kernel security fixes available to KernelCare customers. Future kernel updates will need to be installed, and the server rebooted, each time a new CentOS kernel is released.
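One way to script the last two steps so they can be repeated safely and checked afterwards. This is an added example, not Liquid Web's or CloudLinux's own tooling; set_key, drift and the READ_SYSCTL test hook are hypothetical names, while the file path and sysctl keys are the ones given above.

```shell
#!/bin/sh
# Added example, not from the original article. set_key, drift and the
# READ_SYSCTL test hook are hypothetical names.

# set_key FILE KEY VALUE: create FILE if needed, drop any earlier assignment
# of KEY, and append "KEY = VALUE", so repeated runs leave exactly one line.
set_key() {
    file=$1 key=$2 value=$3
    mkdir -p "$(dirname "$file")" && touch "$file" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -F= -v k="$key" '{ n = $1; gsub(/[ \t]/, "", n); if (n != k) print }' "$file" > "$tmp"
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# drift FILE: print each key whose running value differs from FILE. A key the
# running kernel does not expose is reported as "missing".
drift() {
    file=$1
    while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | tr -d ' \t')
        value=$(printf '%s' "$value" | tr -d ' \t')
        case $key in ''|'#'*) continue ;; esac
        live=$(${READ_SYSCTL:-sysctl -n} "$key" 2>/dev/null) || live=missing
        [ "$live" = "$value" ] || echo "$key: file=$value running=$live"
    done < "$file"
}

# Typical use as root, with 48 replaced by the GID Apache runs under:
#   conf=/etc/sysconfig/kcare/sysctl.conf
#   set_key "$conf" fs.enforce_symlinksifowner 1
#   set_key "$conf" fs.symlinkown_gid 48
#   drift "$conf"    # no output means the file and the running kernel agree
```

Running drift after each new CentOS kernel is installed and booted shows whether the symlink settings are still in effect.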

KernelCare is also available on CentOS 8. Users can find more information about that product on their website.

Upgrading KernelCare

Should you wish to upgrade from the free symlink protection patchset to the full version of KernelCare, follow the instructions below.

First, review the pricing page and purchase a license key. If you have an existing CloudLinux Network (or CLN) account, you can obtain an updated plan by logging into your CLN account. Current users who have an IP-based license require no further interaction. If you are using a key-based license, run the following command. 

root@host:~# /usr/bin/kcarectl --register KEY

To ensure the patches are applied successfully, run this command.

root@host:~# /usr/bin/kcarectl --info

The application will automatically watch for new patches every 4 hours. To perform a manual update, run this command.

root@host:~# /usr/bin/kcarectl --update
Note:
As noted above, free patches are included by default now. If we need the symlink protection, we need to apply the extra patches. These include the symlink protection, plus the security update patches for both CentOS 6 and CentOS 7.

To enable the additional patches and apply them, run this command.

root@host:~# kcarectl --set-patch-type extra --update

To enable the extra patches without an update, run the command below.

root@host:~# kcarectl --set-patch-type extra

The software will apply this extra patch in the subsequent automatic update. To view the details about the patch, run the following command. In the terminal, we should see output similar to this.

root@host:~# kcarectl --patch-info
OS: centos6
 kernel: kernel-2.6.32-696.6.3.el6
 time: 2017-07-31 22:46:22
 uname: 2.6.32-696.6.3.el6
  ...
 kpatch-name: 2.6.32/symlink-protection.patch
 kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
 kpatch-kernel: kernel-2.6.32-279.2.1.el6
 kpatch-cve: N/A
 kpatch-cvss: N/A
 kpatch-cve-url: N/A
 kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
  ...
 kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
 kpatch-description: symlink protection (kpatch adaptation)
 kpatch-kernel: kernel-2.6.32-279.2.1.el6
 kpatch-cve: N/A
 kpatch-cvss: N/A
 kpatch-cve-url: N/A
 kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
  ...
 kpatch-name: 2.6.32/ipset-fix-list-shrinking.patch
 kpatch-description: fix ipset list shrinking for no reason
 kpatch-kernel: N/A
 kpatch-cve: N/A
 kpatch-cvss:N/A
 kpatch-cve-url: N/A
 kpatch-patch-url: https://bugs.centos.org/view.php?id=13499 

To enable the Symlink Owner Match Protection, add the following line to the /etc/sysconfig/kcare/sysctl.conf file. Then run the following command to enable it.

root@host:~# sysctl -w fs.enforce_symlinksifowner=1

Conclusion

KernelCare is an excellent method to keep your server safe. Using its optimized system, it continually applies security updates and patches, which increases the overall security of the systems on our Linux server. Should you wish to receive more information about this product or have further questions, our Support or Solutions teams can provide additional info to help you implement this solution.

Our Support Teams are filled with talented Linux technicians and system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article. If you own a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Managed Cloud Server, or a Dedicated server, and you are uncomfortable with performing any of the steps outlined, you can reach us by phone at 800.580.4985, chat, or support ticket, and we will assist you with this process.

About the Author: David Singer

I am a g33k, Linux blogger, developer, student, and former Tech Writer for Liquidweb.com. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....
