
I have here a newly installed server with CentOS 7 and a GroupOffice installation on it. After installing rkhunter and starting an rkhunter check I get:

[09:58:15] Suspicious Shared Memory segments
[09:58:15]   Process:     PID: 1769    Owner: apache         [ Found ]
[09:58:15]   Suspicious Shared Memory segments               [ Warning ]

Does anybody know what "Suspicious Shared Memory segments" means? How can I check if this is a false positive? And if so: how can I whitelist this error?

EDIT

If I try to list the process with the ps command the process with the PID 1769 isn't there:

# ps -p 1769
  PID TTY          TIME CMD
# ps aux | grep 1769
root     12777  0.0  0.0 112660   960 pts/0    S+   10:25   0:00 grep --color=auto 1769
# ps aux | grep apache
apache   12606  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12607  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12608  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12609  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12610  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
root     12779  0.0  0.0 112660   960 pts/0    S+   10:26   0:00 grep --color=auto apache
Steffen
  • This is a question for "Information Security SE": https://security.stackexchange.com/questions/220302/find-out-if-a-process-is-allowed-to-use-shared-memory-segments – rubo77 Oct 27 '19 at 22:35

3 Answers


From the changelog for v 1.4.4:

Added the ALLOWIPCPROC configuration file option. This can be used to whitelist suspicious processes using shared memory segments (found during the 'ipc_shared_mem' check).

So to whitelist, use the following:

ALLOWIPCPROC=path/to/service

e.g.

ALLOWIPCPROC=/usr/sbin/httpd
user425741
    This doesn't explain why Apache uses shared memory segments, or why it's safe to allow that. Encouraging people to blindly ignore warnings is not very helpful - even if it's safe this time around, it might not be the next time they do it. – Adam Spiers Jan 02 '19 at 10:13

The concept of Shared Memory Segments is explained on: http://www.csl.mtu.edu/cs4411.ck/www/NOTES/process/shm/what-is-shm.html. As the name suggests, a Shared Memory Segment is a memory segment that can be shared by multiple processes. The Apache web server process, which is the file /usr/sbin/httpd, uses shared memory. It uses shared memory in order to share data across the Apache server workers. This is explained on: Shared Object Cache in Apache HTTP Server

Accessing shared memory is a security risk because it allows a process to read and potentially modify memory used by another process. Only trusted processes should be allowed to access shared memory. Rkhunter security scanning is a bit strict since it regards the trusted process /usr/sbin/httpd as suspicious.

This warning can be safely ignored as suggested on the Plesk forum: https://support.plesk.com/hc/en-us/articles/115001160954-What-Watchdog-warnings-can-be-safely-ignored-on-a-Plesk-server.

To ignore the warning, the path to the process that is accessing the Shared Memory Segment should be added to the ALLOWIPCPROC option in the rkhunter.conf configuration file. The path to the process in this case is: /usr/sbin/httpd.

The rkhunter.conf file contains the following documentation on the ALLOWIPCPROC option:

Allow the specified process pathnames to use shared memory segments. This option may be specified more than once, and may use wildcard characters. The default value is the null string.

Nadir Latif
    Upvoting since this is better than the accepted answer, but it still doesn't explain *why* it's safe to ignore. Why does Apache need shared memory segments? – Adam Spiers Jan 02 '19 at 10:15
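An added example, not rkhunter's code and not from either answer above: it replays the kind of check behind this warning by reading `ipcs -m -p` style lines, resolving each segment's creator PID to an executable, and comparing that path against ALLOWIPCPROC-style glob patterns. It assumes the util-linux column layout (shmid, owner, cpid, lpid) and uses a constructed sample instead of /proc; it also covers the case from the question where the creator PID no longer exists, by falling back to the last PID that attached to the segment.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: replay an ALLOWIPCPROC-style check.

# Constructed sample of `ipcs -m -p` output (not a capture from the server above).
SAMPLE_IPCS='------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
0          root       812        812
32769      apache     1769       12606
65538      mysql      1301       1301'

# Constructed PID -> executable table; PID 1769 is deliberately absent, like
# in the question. On a live host use: readlink "/proc/$pid/exe" 2>/dev/null
SAMPLE_PROCS='812 /usr/lib/systemd/systemd
12606 /usr/sbin/httpd
1301 /usr/sbin/mysqld'

# resolve_exe PID: print the executable path, or nothing if the process is gone.
resolve_exe() {
    printf '%s\n' "$SAMPLE_PROCS" | awk -v pid="$1" '$1 == pid { print $2 }'
}

# allowed EXE PATTERN...: 0 if EXE matches any glob pattern (ALLOWIPCPROC allows wildcards).
allowed() {
    exe="$1"; shift
    for pat in "$@"; do
        case "$exe" in $pat) return 0 ;; esac
    done
    return 1
}

# check_shm PATTERN...: read `ipcs -m -p` lines on stdin, print one verdict per segment.
# If the creator (cpid) has exited, fall back to the last process that attached (lpid).
check_shm() {
    while read -r shmid owner cpid lpid; do
        case "$shmid" in ''|*[!0-9]*) continue ;; esac   # skip banner and header
        exe=$(resolve_exe "$cpid"); note=""
        if [ -z "$exe" ]; then
            exe=$(resolve_exe "$lpid"); note=" (creator exited; resolved via lpid=$lpid)"
        fi
        if [ -z "$exe" ]; then
            echo "GONE  shmid=$shmid owner=$owner cpid=$cpid lpid=$lpid: inspect with ipcs -m -i $shmid"
        elif allowed "$exe" "$@"; then
            echo "OK    shmid=$shmid owner=$owner cpid=$cpid exe=$exe$note"
        else
            echo "WARN  shmid=$shmid owner=$owner cpid=$cpid exe=$exe$note"
        fi
    done
}

printf '%s\n' "$SAMPLE_IPCS" | check_shm '/usr/sbin/httpd' '/usr/lib/systemd/*'
```

On a real host, replace the two constructed tables with `ipcs -m -p` and `readlink /proc/PID/exe`; a WARN line is the segment to investigate before adding anything to ALLOWIPCPROC.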

After stopping httpd the warning is gone (as expected). After starting httpd the warning is there again (with the same PID!). I tried this several times (every time with the same result).

But: after rebooting the server the warning is gone. I have been playing around with the server (logging in to GroupOffice, restarting httpd and so on) and it seems the warning is gone persistently (hopefully). However, I will keep an eye on this over the next days ...

I have no idea what the "Suspicious Shared Memory segments" warning means and how I can figure out whether this is a false positive or not. So I will also not mark this question/answer as "answered" ...

Thanks and regards, Steffen

Steffen