Package: rkhunter
Version: 1.4.6-7
Severity: important

Dear Maintainer,

* What led up to the situation?

  rkhunter seems to only report the biggest shared memory segment, but not all (?)

* What exactly did you do (or not do) that was effective (or ineffective)?

  1) Start for example "terminology":

     # ps ax| grep terminology
       566 ?        S      0:00 /bin/sh -c /usr/bin/terminology
       567 ?        Sl     0:49 /usr/bin/terminology
       580 ?        S      0:00 /bin/sh -c /usr/bin/terminology
       581 ?        Sl     0:22 /usr/bin/terminology
      2676 ?        S      0:00 /bin/sh -c /usr/bin/terminology
      2678 ?        S      0:00 /bin/sh -c /usr/bin/terminology
      2679 ?        Sl     2:44 /usr/bin/terminology
      2682 ?        Sl     0:00 /usr/bin/terminology
     25244 ?        S      0:00 /bin/sh -c /usr/bin/terminology
     25245 ?        Sl     0:06 /usr/bin/terminology
     26838 ?        S      0:00 /bin/sh -c /usr/bin/terminology
     26839 ?        Sl     2:03 /usr/bin/terminology
     27741 pts/5    S+     0:00 grep terminology

     ... and run "rkhunter --check":

     # less /var/log/rkhunter.log:
     [19:09:52] Checking for suspicious (large) shared memory segments    [ Warning ]
     [19:09:52] Warning: The following suspicious (large) shared memory segments have been found:
     [19:09:52]          Process: /usr/bin/terminology    PID: 26839    Owner: ci    Size: 1.5MB (configured size allowed: 1.0MB)

  2) Then start "firefox" ("terminology"(s) are still open):

     # ps ax| grep firefox
     27738 pts/5    S+     0:00 grep firefox
     30775 ?        S      0:00 /bin/sh -c /usr/lib/firefox/firefox
     30776 ?        Sl     0:05 /usr/lib/firefox/firefox
     30837 ?        Sl     0:01 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 209913 -parentBuildID 20190601044405 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 30776 true tab
     30912 ?        Sl     0:04 /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 5797 -prefMapSize 209913 -parentBuildID 20190601044405 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 30776 true tab
     31018 ?        Sl     0:00 /usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 7308 -prefMapSize 209913 -parentBuildID 20190601044405 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 30776 true tab

     ... and run again "rkhunter --check":

     # less /var/log/rkhunter.log
     [19:24:01] Warning: The following suspicious (large) shared memory segments have been found:
     [19:24:01]          Process: /usr/lib/firefox/firefox    PID: 30776    Owner: ci    Size: 1.9MB (configured size allowed: 1.0MB)
     [19:24:01]          Process: /usr/lib/firefox/firefox    PID: 30776    Owner: ci    Size: 1.9MB (configured size allowed: 1.0MB)

  3) Then close "firefox" ("terminology"(s) are still open):

     # ps ax| grep terminology
       566 ?        S      0:00 /bin/sh -c /usr/bin/terminology
       567 ?        Sl     0:50 /usr/bin/terminology
       580 ?        S      0:00 /bin/sh -c /usr/bin/terminology
       581 ?        Sl     0:22 /usr/bin/terminology
      2676 ?        S      0:00 /bin/sh -c /usr/bin/terminology
      2678 ?        S      0:00 /bin/sh -c /usr/bin/terminology
      2679 ?        Sl     2:58 /usr/bin/terminology
      2682 ?        Sl     0:00 /usr/bin/terminology
     25244 ?        S      0:00 /bin/sh -c /usr/bin/terminology
     25245 ?        Sl     0:10 /usr/bin/terminology
     26838 ?        S      0:00 /bin/sh -c /usr/bin/terminology
     26839 ?        Sl     2:10 /usr/bin/terminology
     31804 pts/5    S+     0:00 grep terminology

     # ps ax| grep firefox
      1116 pts/5    S+     0:00 grep firefox

     ... and run again "rkhunter --check":

     [19:30:45] Warning: The following suspicious (large) shared memory segments have been found:
     [19:30:45]          Process: /usr/bin/terminology    PID: 26839    Owner: ci    Size: 1.5MB (configured size allowed: 1.0MB)

* What was the outcome of this action?

  The warning on suspicious (large) shared memory segments seems to be only valid for the LARGEST one.

* What outcome did you expect instead?

  ALL large shared memory segments reported.

Thanks in advance!

--
xiscu

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages rkhunter depends on:
ii  binutils                2.32.51.20190727-1
ii  debconf [debconf-2.0]   1.5.73
ii  file                    1:5.37-5
ii  lsof                    4.91+dfsg-1+b1
ii  net-tools               1.60+git20180626.aebd88e-1
ii  perl                    5.28.1-6
ii  ucf                     3.0038+nmu1

Versions of packages rkhunter recommends:
ii  bsd-mailx [mailx]                         8.1.2-0.20180807cvs-1+b1
ii  curl                                      7.65.3-1
ii  e2fsprogs                                 1.45.3-4
ii  exim4-daemon-light [mail-transport-agent]  4.92.1-2
ii  iproute2                                  5.2.0-1
pn  unhide                                    <none>
pn  unhide.rb                                 <none>
ii  wget                                      1.20.3-1+b1

Versions of packages rkhunter suggests:
ii  liburi-perl     1.76-1
ii  libwww-perl     6.39-1
pn  powermgmt-base  <none>

-- Configuration Files:
/etc/logcheck/ignore.d.server/rkhunter [Errno 13] Permission denied: '/etc/logcheck/ignore.d.server/rkhunter'
/etc/rkhunter.conf changed:
UPDATE_MIRRORS=0
MIRRORS_MODE=1
TMPDIR=/var/lib/rkhunter/tmp
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
UPDATE_LANG="en"
LOGFILE=/var/log/rkhunter.log
USE_SYSLOG=authpriv.warning
AUTO_X_DETECT=1
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan deleted_files packet_cap_apps apps
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/sbin/adduser
ALLOWIPCPROC=/usr/bin/firefox
WEB_CMD="/bin/false"
INSTALLDIR=/usr

-- debconf information excluded
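The behaviour the report expects, every SysV shared memory segment above the configured limit listed rather than only one, can be reproduced independently of rkhunter. The script below is an added example written for this page; it is not rkhunter's code and makes no claim about how rkhunter implements its check. It assumes the util-linux column layouts of `ipcs -m` (sizes per shmid) and `ipcs -m -p` (creator PID per shmid), joins the two on shmid, maps the creator PID to an executable path, applies an ALLOWIPCPROC-style path whitelist and prints one line per offending segment. The two `ipcs` outputs and the PID-to-executable map are constructed to mirror the PIDs and sizes in the report (1.5MB and 1.9MB are 1572864 and 1992294 bytes), so the example runs offline; on a live host you would fill SHM_SIZES and SHM_PIDS from the real commands and replace `exe_of_pid` with `readlink -f /proc/$pid/exe`.

```shell
#!/bin/sh
# Added example (not rkhunter's code): report ALL shared memory segments
# larger than a byte limit, not just the biggest one.

# Constructed `ipcs -m` output, modelled on the sizes in the bug report.
SHM_SIZES='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      ci         600        1572864    2          dest
0x00000000 65537      ci         600        1992294    2          dest
0x00000000 98306      ci         600        524288     2          dest
0x00000000 131075     ci         600        1992294    2          dest'

# Constructed `ipcs -m -p` output: shmid -> creator PID (cpid).
SHM_PIDS='------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
32768      ci         26839      26839
65537      ci         30776      30837
98306      ci         567        567
131075     ci         30776      30912'

# Constructed PID -> executable map standing in for `readlink -f /proc/$1/exe`,
# using the PIDs from the report so the example runs without those processes.
exe_of_pid() {
    case $1 in
        26839|567) echo /usr/bin/terminology ;;
        30776)     echo /usr/lib/firefox/firefox ;;
        *)         echo "(unknown pid $1)" ;;
    esac
}

# report_large_shm LIMIT_BYTES [ALLOWED_EXE ...]
# Prints one line per segment over LIMIT_BYTES whose creator executable is
# not in the whitelist. The whitelist compares full paths exactly, so an
# entry of /usr/bin/firefox does not cover /usr/lib/firefox/firefox.
report_large_shm() {
    limit=$1; shift
    allow=" $* "
    {
        printf '%s\n' "$SHM_PIDS"
        echo '__SIZES__'
        printf '%s\n' "$SHM_SIZES"
    } | awk -v limit="$limit" '
        /^__SIZES__$/ { in_sizes = 1; next }
        # first part: remember creator pid per shmid (skip header/banner lines)
        !in_sizes && $1 ~ /^[0-9]+$/ { cpid[$1] = $3; next }
        # second part: emit every segment over the limit, joined to its cpid
        in_sizes && $2 ~ /^[0-9]+$/ && $5 + 0 > limit { print $2, $3, $5, cpid[$2] }
    ' | while read -r shmid owner bytes pid; do
        exe=$(exe_of_pid "$pid")
        case $allow in *" $exe "*) continue ;; esac
        printf 'Process: %s    PID: %s    Owner: %s    shmid: %s    Size: %s bytes (limit: %s)\n' \
            "$exe" "$pid" "$owner" "$shmid" "$bytes" "$limit"
    done
}

# Stand-alone run: 1 MiB limit, whitelist taken from the report's rkhunter.conf.
ALLOWIPCPROC=/usr/bin/firefox
report_large_shm 1048576 "$ALLOWIPCPROC"
```

With the report's `ALLOWIPCPROC=/usr/bin/firefox` the run still lists both firefox segments, because the path rkhunter itself prints for the process is /usr/lib/firefox/firefox; whitelisting that exact path suppresses them and leaves only the terminology segment.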