rkhunter: "Suspicious Shared Memory segments"

Solution 1:

From the changelog for v 1.4.4:

Added the ALLOWIPCPROC configuration file option. This can be used to whitelist suspicious processes using shared memory segments (found during the 'ipc_shared_mem' check).

So to whitelist use the following

ALLOWIPCPROC=path/to/service

e.g.

ALLOWIPCPROC=/usr/sbin/httpd

Solution 2:

The concept of Shared Memory Segments is explained on: http://www.csl.mtu.edu/cs4411.ck/www/NOTES/process/shm/what-is-shm.html. As the name suggests, a Shared Memory Segment is a memory segment that can be shared by multiple processes. The Apache web server process, which is the file: /usr/sbin/httpd uses shared memory. It uses shared memory in order to share data across the Apache server workers. This is explained on: Shared Object Cache in Apache HTTP Server

Accessing shared memory is a security risk because it allows a process to read and potentially modify memory used by another process. Only trusted processes should be allowed to access shared memory. Rkhunter security scanning is a bit strict since it regards the trusted process /usr/sbin/httpd as suspicious.

This warning can be safely ignored as suggested on the Plesk forum: https://support.plesk.com/hc/en-us/articles/115001160954-What-Watchdog-warnings-can-be-safely-ignored-on-a-Plesk-server.

To ignore the warning, the path to the process that is accessing the Shared Memory Segement, should be added to ALLOWIPCPROC option in the rkhunter.conf configuration file. The path to the process in this case is: /usr/sbin/httpd.

The rkhunter.conf file contains following documentation on the ALLOWIPCPROC option:

Allow the specified process pathnames to use shared memory segments. This option may be specified more than once, and may use wildcard characters. The default value is the null string.