Symlink protection on kernel

  • October 9, 2017

To enable the symlink protection, perform the following steps:

First, install the KernelCare client:

<code>yum -y install pyOpenSSL</code>
<code>curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash</code>

Enable the free patch type; this patch type doesn't require a license:

<code>kcarectl --set-patch-type free</code>

The ‘free’ patch will be applied on the next update.

. . .

During the installation, you should see something similar to:

<code>
OS: CentOS6
kernel: kernel-2.6.32-696.el6
time: 2017-06-22 16:13:40
uname: 2.6.32-642.15.1.el6

kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/

kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
</code>


Edit the file /etc/sysconfig/kcare/sysctl.conf and add the line:

fs.enforce_symlinksifowner = 1


Execute:

sysctl -w fs.enforce_symlinksifowner=1
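
To confirm that all three steps took effect (patch listed, setting persisted, setting live), the following script can be used. It is an added example, not part of the original article or of KernelCare; the function names are hypothetical, and it assumes the patch list has been saved to a text file in the format shown above.

```shell
#!/bin/bash
# Added example: verifies the symlink-protection steps described above.
# On a real host, save the patch list first, e.g.:
#   kcarectl --patch-info > patches.txt
#   ./check.sh patches.txt /etc/sysconfig/kcare/sysctl.conf

# Succeeds if patch-info text on stdin lists a symlink-protection patch.
has_symlink_patch() {
    grep -Eq '^kpatch-name:[[:space:]]*[^[:space:]]*symlink-protection'
}

# Prints the last value assigned to fs.enforce_symlinksifowner in a
# sysctl-style file (commented-out lines are ignored); prints nothing
# if the key is not set.
conf_value() {
    sed -n -E 's/^[[:space:]]*fs\.enforce_symlinksifowner[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*$/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Prints the running kernel's value, or "absent" when the kernel does not
# expose the sysctl (patch not applied yet). The path argument is optional
# and exists so the check can be exercised against a sample file.
live_value() {
    local f="${1:-/proc/sys/fs/enforce_symlinksifowner}"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Overall verdict. Args: patch-info file, sysctl.conf, optional proc path.
# Reports every failed step and returns non-zero if any step failed.
check_symlink_protection() {
    local rc=0
    has_symlink_patch < "$1" || { echo "FAIL: symlink-protection patch not listed"; rc=1; }
    [ "$(conf_value "$2")" = "1" ] || { echo "FAIL: setting not persisted in $2"; rc=1; }
    [ "$(live_value "$3")" = "1" ] || { echo "FAIL: setting not active in running kernel"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: symlink protection is patched in, persisted and active"
    return "$rc"
}

# Run the check only when file arguments are supplied.
if [ "$#" -ge 2 ]; then
    check_symlink_protection "$@"
fi
```

A setting that is live but not persisted is lost on the next patch update or reboot, which is why the script reports each step separately.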


taken from: https://www.cloudlinux.com/kernelcare-blog/entry/symlink-protection-patchset-centos-6-7-kernelcare
