Linux – rkhunter: “Suspicious Shared Memory segments”


I have a newly installed server with CentOS 7 and a GroupOffice installation on it. After installing rkhunter and starting an rkhunter check I get:

[09:58:15] Suspicious Shared Memory segments
[09:58:15]   Process:     PID: 1769    Owner: apache         [ Found ]
[09:58:15]   Suspicious Shared Memory segments               [ Warning ]

Does anybody know what "Suspicious Shared Memory segments" means? How can I check if this is a false positive? And if so: how can I whitelist this error?

EDIT

If I try to list the process with the ps command the process with the PID 1769 isn't there:

# ps -p 1769
  PID TTY          TIME CMD
# ps aux | grep 1769
root     12777  0.0  0.0 112660   960 pts/0    S+   10:25   0:00 grep --color=auto 1769
# ps aux | grep apache
apache   12606  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12607  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12608  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12609  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12610  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
root     12779  0.0  0.0 112660   960 pts/0    S+   10:26   0:00 grep --color=auto apache

Best Answer

From the changelog for v 1.4.4:

Added the ALLOWIPCPROC configuration file option. This can be used to whitelist suspicious processes using shared memory segments (found during the 'ipc_shared_mem' check).

So to whitelist, use the following:

ALLOWIPCPROC=path/to/service

e.g.

ALLOWIPCPROC=/usr/sbin/httpd
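
Before whitelisting a path with ALLOWIPCPROC, it is worth confirming which executable actually stands behind each shared memory segment. The following is an added example, not part of the original answer or of rkhunter: it reads the output of util-linux `ipcs -m -p` and resolves the creator and last-attach PIDs through /proc; a System V segment can outlive the process that created it, in which case the creator shows up as gone. The function names (`parse_shm`, `pid_exe`, `report`) are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: map SysV shared memory segments to the processes behind them.
# Input format is that of `ipcs -m -p` (util-linux): shmid owner cpid lpid.

# Constructed sample: the creator PID of the first segment no longer exists,
# while a current worker process was the last one to attach.
SAMPLE='
------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
0          apache     1769       12606
32769      root       812        812
'

# parse_shm: read `ipcs -m -p` text on stdin and print only the data rows
# (four fields, numeric shmid, cpid and lpid) as "shmid owner cpid lpid".
parse_shm() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
        print $1, $2, $3, $4
    }'
}

# pid_exe: print the executable behind a PID, "gone" if the process no longer
# exists, or "unreadable" if /proc/PID/exe cannot be read (not root, kernel thread).
pid_exe() {
    if [ -d "/proc/$1" ]; then
        readlink "/proc/$1/exe" 2>/dev/null || echo "unreadable"
    else
        echo "gone"
    fi
}

# report: one line per segment with the resolved creator and last-attach binary.
report() {
    parse_shm | while read -r shmid owner cpid lpid; do
        echo "shmid=$shmid owner=$owner creator=$cpid($(pid_exe "$cpid")) last=$lpid($(pid_exe "$lpid"))"
    done
}

# On a live system, run as root:  ipcs -m -p | report
# Offline demonstration with the constructed sample:
printf '%s\n' "$SAMPLE" | report
```

Only add a path to ALLOWIPCPROC when the resolved binary is the expected, package-owned one (for example, verified with `rpm -Vf` on CentOS).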