I have a newly installed server with CentOS 7 and a GroupOffice installation on it. After installing rkhunter and starting an rkhunter check I get:
[09:58:15] Suspicious Shared Memory segments
[09:58:15] Process: PID: 1769 Owner: apache [ Found ]
[09:58:15] Suspicious Shared Memory segments [ Warning ]
Does anybody know what "Suspicious Shared Memory segments" means? How can I check whether this is a false positive? And if so, how can I whitelist this warning?
EDIT
If I try to list the process with the ps command, the process with PID 1769 isn't there:
# ps -p 1769
PID TTY TIME CMD
# ps aux | grep 1769
root 12777 0.0 0.0 112660 960 pts/0 S+ 10:25 0:00 grep --color=auto 1769
# ps aux | grep apache
apache 12606 0.0 0.5 537092 10224 ? S 10:15 0:00 /usr/sbin/httpd -DFOREGROUND
apache 12607 0.0 0.5 537092 10224 ? S 10:15 0:00 /usr/sbin/httpd -DFOREGROUND
apache 12608 0.0 0.5 537092 10224 ? S 10:15 0:00 /usr/sbin/httpd -DFOREGROUND
apache 12609 0.0 0.5 537092 10224 ? S 10:15 0:00 /usr/sbin/httpd -DFOREGROUND
apache 12610 0.0 0.5 537092 10224 ? S 10:15 0:00 /usr/sbin/httpd -DFOREGROUND
root 12779 0.0 0.0 112660 960 pts/0 S+ 10:26 0:00 grep --color=auto apache
From the changelog for v 1.4.4:
So to whitelist, use the following, e.g.:
The concept of Shared Memory Segments is explained at: http://www.csl.mtu.edu/cs4411.ck/www/NOTES/process/shm/what-is-shm.html. As the name suggests, a Shared Memory Segment is a memory segment that can be shared by multiple processes. The Apache web server process, which is the file /usr/sbin/httpd, uses shared memory in order to share data across the Apache server workers. This is explained in: Shared Object Cache in Apache HTTP Server
Accessing shared memory is a security risk because it allows a process to read and potentially modify memory used by another process. Only trusted processes should be allowed to access shared memory. Rkhunter's security scanning is a bit strict, since it regards the trusted process /usr/sbin/httpd as suspicious.
This warning can be safely ignored as suggested on the Plesk forum: https://support.plesk.com/hc/en-us/articles/115001160954-What-Watchdog-warnings-can-be-safely-ignored-on-a-Plesk-server.
To ignore the warning, the path to the process that is accessing the Shared Memory Segment should be added to the ALLOWIPCPROC option in the rkhunter.conf configuration file. The path to the process in this case is: /usr/sbin/httpd.
The rkhunter.conf file contains the following documentation on the ALLOWIPCPROC option:
After stopping httpd the warning is gone (as expected). After starting httpd the warning is there again (with the same PID!). I tried this several times (each time with the same result).
But: after rebooting the server the warning is gone. I have been playing around with the server (logging in to GroupOffice, restarting httpd and so on) and it seems the warning is gone for good (hopefully). However, I will keep an eye on this over the next few days ...
I have no idea what the "Suspicious Shared Memory segments" warning means or how I can figure out whether this is a false positive or not. So I also won't mark this question/answer as "answered" ...
Thanks and regards, Steffen
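The answer above says what to whitelist (ALLOWIPCPROC) but not how to confirm that the flagged segment really belongs to /usr/sbin/httpd, and the follow-up shows the puzzling part: the reported PID 1769 is not in ps at all. The script below is an added example for this thread, not code from the original posts and not rkhunter's own test. It reads /proc/sysvipc/shm (the kernel's SysV shared memory table), resolves each segment's creator PID (cpid) to an executable through /proc/PID/exe, and classifies the segment against an allowlist that plays the role of ALLOWIPCPROC. A SysV segment outlives the process that created it, so cpid can name a PID that no longer exists; the script reports such segments as orphans and uses the nattch column to say whether anything is still attached. The allowlist, the sample table and the verdict names are assumptions made for the example.

```sh
#!/bin/sh
# Added example for this thread (not from the original posts and not rkhunter's
# own code): reproduce what a shared-memory check has to do, so a warning such
# as "Process: PID: 1769 Owner: apache [ Found ]" can be triaged by hand.
#
# Source of truth is /proc/sysvipc/shm; its columns are
#   key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap
# cpid is the PID that created the segment. A SysV segment survives its
# creator, so cpid can point at a process that no longer exists, which is
# consistent with "ps -p 1769" showing nothing while the warning persists.

# Executables whose segments are trusted. This plays the same role as the
# ALLOWIPCPROC option in rkhunter.conf; the list here is an assumption.
ALLOWED_EXES="/usr/sbin/httpd"

# creator_exe PID: resolve the creator's executable via /proc/PID/exe.
# Prints "-" when the PID no longer exists (or /proc is not readable).
creator_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "-"
}

# classify EXE NATTCH: verdict for one segment.
#   allowed            creator is on the allowlist
#   orphan-attached    creator has exited but processes are still attached
#   orphan-unattached  creator has exited and nobody uses the segment
#   suspicious         creator exists and is not on the allowlist
classify() {
    if [ "$1" = "-" ]; then
        if [ "$2" -gt 0 ]; then echo "orphan-attached"; else echo "orphan-unattached"; fi
        return 0
    fi
    for allowed in $ALLOWED_EXES; do
        if [ "$allowed" = "$1" ]; then echo "allowed"; return 0; fi
    done
    echo "suspicious"
}

# scan_shm FILE: print "shmid uid cpid exe verdict" for every segment in a
# table in /proc/sysvipc/shm format (the header line is skipped).
scan_shm() {
    tail -n +2 "$1" | while read -r key shmid perms size cpid lpid nattch uid rest; do
        if [ -z "$shmid" ]; then continue; fi
        exe=$(creator_exe "$cpid")
        printf '%s %s %s %s %s\n' "$shmid" "$uid" "$cpid" "$exe" "$(classify "$exe" "$nattch")"
    done
}

# count_verdict FILE VERDICT: number of segments that received VERDICT.
count_verdict() {
    scan_shm "$1" | awk -v v="$2" '$5 == v' | wc -l | tr -d ' '
}

# Constructed sample in /proc/sysvipc/shm format (uid 48 is "apache" on
# CentOS 7): a segment whose creator PID 1769 is gone but which still has
# six httpd workers attached, one created by a live httpd worker, and one
# created by some other process.
SAMPLE_SHM='       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap
         0          0   600       2176  1769 12610      6    48    48    48    48 1500000000 1500000000 1500000000       4096          0
         0      32769   600     131072 12606 12606      5    48    48    48    48 1500000000 1500000000 1500000000       4096          0
         0      65538   600    1048576  4242  4242      1  1000  1000  1000  1000 1500000000 1500000000 1500000000       4096          0'

# Live run on this host; prints nothing where the table is not readable.
if [ -r /proc/sysvipc/shm ]; then
    scan_shm /proc/sysvipc/shm
fi
```

Run it as root so /proc/PID/exe of the apache workers can be read. If the flagged segment's creator resolves to /usr/sbin/httpd, set `ALLOWIPCPROC=/usr/sbin/httpd` in /etc/rkhunter.conf and re-run `rkhunter --check`; `ipcs -m -p` shows the same cpid and lpid columns if you prefer to look by hand. If the creator is already gone, as with PID 1769 in the question, the verdict can only be based on who is still attached (nattch) and on the segment's owner, which is why stopping httpd makes the warning disappear and a reboot clears it for good: the segment is removed once the last worker detaches. Note also that rkhunter's own IPC_SEG_SIZE option limits which segments it inspects (segments at or below that size, 1 MiB by default, are not reported), so this script will usually list more segments than rkhunter does.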