The rkhunter warning about "Suspicious Shared Memory segments" typically indicates that the tool has detected shared memory segments that don't match its expected patterns of normal system behavior. In your case, it flagged a process (PID 1769) owned by the apache user that was using shared memory in a way that triggered rkhunter's suspicion.
The key finding here is that when you tried to check the process with ps -p 1769, it didn't exist. This suggests one of several possibilities:
- The process was temporary and has already terminated
- rkhunter caught the process at a very specific moment in its lifecycle
- There might be a timing issue between when rkhunter scanned and when you checked
Looking at your current Apache processes, they all have different PIDs (12606-12610), which confirms PID 1769 is no longer active.
In web server environments, false positives for shared memory warnings often occur because:
- PHP applications using shared memory for caching (APC, OPcache)
- Apache modules that utilize shared memory
- Temporary processes during high load periods
To properly investigate, you can:
# Check shared memory segments
ipcs -m
# Verify Apache's shared memory usage pattern
pmap -x $(pgrep httpd | head -1)
Also examine your Apache configuration for modules that might use shared memory:
httpd -M | grep -i shm
If you determine this is a false positive, add the following to /etc/rkhunter.conf:
ALLOWSHMPROCDIRFILE=/dev/shm/.s.PGSQL.*
ALLOWSHMPROCDIRFILE=/dev/shm/sem.*
ALLOWSHMPROCDIRFILE=/dev/shm/apache*
For more specific whitelisting, you can use:
ALLOWPROCSHAREDMEM=apache
To catch similar issues proactively, consider this monitoring script:
#!/bin/bash
# Run rkhunter non-interactively (--sk skips the keypress prompt, --rwo
# reports warnings only) and log to syslog if the shared-memory warning appears
if rkhunter --check --sk --rwo | grep -q "Suspicious Shared Memory"; then
    logger -t rkhunter "Suspicious shared memory segments detected"
    # Add your alerting mechanism here
fi
While this appears to be a false positive, it's good practice to verify:
# Check for hidden processes: list the numeric PID directories in /proc
# and compare the result against the PIDs that ps reports
ls /proc | grep -E '^[0-9]+$' | sort -n
ps -eo pid= | sort -n
# Verify Apache integrity
rpm -V httpd
When rkhunter reports "Suspicious Shared Memory segments" related to Apache processes, it typically indicates that the scanner detected shared memory segments that don't match its expected patterns. This often occurs with legitimate web server operations but could theoretically indicate malicious activity.
In your situation with CentOS 7 and GroupOffice, we see:
[09:58:15] Suspicious Shared Memory segments
[09:58:15] Process: PID: 1769 Owner: apache [ Found ]
[09:58:15] Suspicious Shared Memory segments [ Warning ]
The fact that the PID (1769) isn't visible in process listings suggests it was a short-lived Apache child process that has already terminated, which is normal for web server operations.
Check current shared memory segments with:
ipcs -m
ls -la /dev/shm
For Apache-specific verification:
# Check Apache's shared memory usage
pmap $(pgrep httpd | head -1) | grep -i shm
# Verify SELinux context if enabled
ls -Z /dev/shm
- PHP sessions stored in shared memory
- APC or OPcache operations
- Legitimate inter-process communication between Apache children
- GroupOffice-specific memory caching
To suppress this warning, add to /etc/rkhunter.conf:
ALLOWDEVFILE=/dev/shm/.*
ALLOWPROCDELFILE=/usr/sbin/httpd
Then update and run rkhunter:
rkhunter --propupd
rkhunter --check --sk
For thorough investigation, consider:
# Check for memory anomalies
grep -i shm /proc/$(pgrep httpd | head -1)/maps
# Monitor shared memory in real-time
watch -n 1 'ipcs -m | grep apache'
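Both answers above boil down to the same triage: take the segments that `ipcs -m` lists for the apache user, find out which process created each one, and check whether that process still exists, plus a comparison of `/proc` against `ps` to rule out a hidden process. The script below is an added example, not code from either answer or from the rkhunter project. It works on constructed sample output of `ipcs -m`, `ipcs -mp` and `ps -eo pid=` so it runs offline; the `--live` switch runs the same logic against the real system. The segment, PID and owner values in the samples are made up, except PID 1769 which mirrors the warning in the question.

```shell
#!/bin/sh
# Added triage example (not from the original answers). Cross-checks
# System V shared memory segments against the process table so that a
# segment whose creator PID has vanished (like PID 1769 in the warning)
# can be told apart from a segment held by a live, known process.

# Constructed sample of `ipcs -m` output.
SAMPLE_IPCS_M='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      apache     600        1048576    2          dest
0x00000000 65537      root       600        4194304    1
0x0052e2c1 98306      postgres   600        56         3'

# Constructed sample of `ipcs -mp` output (creator and last-operation PIDs).
SAMPLE_IPCS_MP='------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
32768      apache     1769       12606
65537      root       1234       1234
98306      postgres   2001       2003'

# Constructed snapshot of `ps -eo pid=` (space separated). 1769 is absent.
SAMPLE_RUNNING='1 2 1234 2001 2003 12606 12607 12608'

# Print the shmids owned by user $1 from ipcs -m output in $2.
segments_owned_by() {
    printf '%s\n' "$2" | awk -v owner="$1" '$2 ~ /^[0-9]+$/ && $3 == owner { print $2 }'
}

# Print the creator PID of shmid $1 from ipcs -mp output in $2.
creator_pid() {
    printf '%s\n' "$2" | awk -v id="$1" '$1 == id { print $3 }'
}

# Succeed if PID $1 is present in the space-separated list $2.
pid_in_list() {
    printf '%s\n' $2 | grep -qx "$1"
}

# Print "shmid cpid" for each segment owned by $1 whose creator is gone.
# $2: ipcs -m output, $3: ipcs -mp output, $4: running PID list.
stale_segments() {
    for id in $(segments_owned_by "$1" "$2"); do
        cpid=$(creator_pid "$id" "$3")
        pid_in_list "$cpid" "$4" || printf '%s %s\n' "$id" "$cpid"
    done
}

# Print PIDs present in the /proc listing $1 but absent from the ps listing $2
# (the comparison the hidden-process check in the first answer is aiming at).
hidden_pids() {
    for pid in $1; do
        pid_in_list "$pid" "$2" || printf '%s\n' "$pid"
    done
}

if [ "${1:-}" = "--live" ]; then
    # Real system: owner defaults to apache, override with a second argument.
    running=$(ps -eo pid= | tr -s '\n ' ' ')
    echo "Segments whose creator PID is gone:"
    stale_segments "${2:-apache}" "$(ipcs -m)" "$(ipcs -mp)" "$running"
    echo "PIDs in /proc but not in ps:"
    hidden_pids "$(ls /proc | grep -E '^[0-9]+$' | tr '\n' ' ')" "$running"
else
    echo "Stale segments for apache (sample data):"
    stale_segments apache "$SAMPLE_IPCS_M" "$SAMPLE_IPCS_MP" "$SAMPLE_RUNNING"
fi
```

A segment with status `dest` and a dead creator PID, as in the sample, is what a terminated Apache child that held a cache segment looks like: the segment is marked for destruction once the last attached process detaches. A segment that is not `dest`, has a creator PID that is gone and still carries attachments is the case worth tracing further with `pmap` on the attached PIDs. Any PID that shows up in the `/proc` listing but not in `ps` deserves a direct look at `/proc/<pid>/exe` and `/proc/<pid>/cmdline` before any whitelist entry is added.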