What Watchdog warnings can be safely ignored on a Plesk server

8 comments

  • Marco Marsala (Edited)

    Forgot to mention that MagicSpam too will throw the following warning message. You should whitelist your processes by default.

    [01:01:55] Info: Starting test name 'ipc_shared_mem'
    [01:01:55]   Checking for suspicious shared memory segments  [ Warning ]
    [01:01:55] Warning: The following suspicious shared memory segments have been found:
    [01:01:55]          Process:     PID: 4023    Owner: magicspam
    [01:01:55]          Process: /usr/sbin/apache2    PID: 10275    Owner: root

  • Artyom Baranov

    @Marco Marsala

    Thank you for noticing, Marco! I have updated the article.

  • Christian Heutger

    Why doesn't Plesk then whitelist these warnings by default?

  • Ivan Postnikov

    @Christian Heutger

    Hello!
    These warnings are not whitelisted by default as they may be useful for troubleshooting.

    Feel free to create functionality suggestions at Plesk User Voice.

  • Aniello Martuscelli

    I got this warning

    [01:15:10]   /opt/psa/etc/modules/watchdog/rkhunter.conf     [ Warning ]
    [01:15:10] Warning: Package manager verification has failed:
    [01:15:10]          File: /opt/psa/etc/modules/watchdog/rkhunter.conf
    [01:15:10]          The file hash value has changed

  • Ivan Postnikov

    @Aniello, this warning appears in the log when the Watchdog configuration has been changed via Plesk. It may be safely ignored.

  • Nadir Latif (Edited)

    If you don't wish to receive the Plesk warning emails, then you need to whitelist the false positive warnings. To whitelist the warnings, you need to set the following options in: /usr/local/psa/etc/modules/watchdog/rkhunter.conf

    # Used to suppress the warning: "Warning: Package manager verification has failed"
    PKGMGR_NO_VRFY="/usr/local/psa/etc/modules/watchdog/rkhunter.conf"

    # Used to suppress the warning: "Warning: Hidden file found"
    ALLOWHIDDENFILE=/etc/.updated
    ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
    ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
    ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz

    # Used to suppress the warning: "Warning: The following suspicious shared memory segments have been found"
    ALLOWIPCPROC=/usr/sbin/httpd

    # Used to suppress the warning: "Warning: No output found from the lsmod command or the /proc/modules file"
    DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps os_specific

    # Used to suppress the warning: "Warning: Found enabled xinetd service"
    XINETD_ALLOWED_SVC=/etc/xinetd.d/ftp_psa
    XINETD_ALLOWED_SVC=/etc/xinetd.d/poppassd_psa

    Since the rkhunter.conf file may be overwritten after a Plesk update, a better option is to create a file rkhunter.conf.local in the folder: /usr/local/psa/etc/modules/watchdog and add the above customized options to the file.

    After that run the RKhunter from the Plesk Watchdog. It should not send the warning email because there are no warnings to report. The "Scanning Status" box will show no warnings.

    This has been tested on Plesk Onyx 17.8.11

  • Ales

    I advise against adding os_specific to the list of disabled rkhunter tests as this disables more than just checking for kernel modules. This is the directive that works for us:

    # Add avail_modules and loaded_modules to DISABLE_TESTS to suppress:
    #  "Warning: The kernel modules directory '/lib/modules' is missing or empty."
    ENABLE_TESTS=ALL
    DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps avail_modules loaded_modules

    You might try to omit the avail_modules (add just loaded_modules, the rest is the default in our installation), depending on your server configuration.

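One way to review recurring warnings per finding instead of switching whole tests off, as an added example that is not part of the comment thread or of Plesk's tooling: the script groups each `Warning:` line of an rkhunter log with its detail lines and separates entries on a reviewed list from everything else. The `EXPECTED` entries, the function names and the sample log (assembled from the excerpts quoted above) are assumptions for illustration.

```python
import re

# Findings already reviewed on this host: warning text -> accepted values.
# These entries are assumptions for the example, not a recommended allowlist.
EXPECTED = {
    "Package manager verification has failed":
        {"/opt/psa/etc/modules/watchdog/rkhunter.conf"},
    "The following suspicious shared memory segments have been found":
        {"/usr/sbin/apache2"},
}
LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\](\s+)(.*)$")
VALUE = re.compile(r"^(?:File|Process):\s*(.*?)\s*(?:PID:.*)?$")

# Constructed sample, assembled from the log excerpts quoted in the comments.
SAMPLE_LOG = """\
[01:01:55] Warning: The following suspicious shared memory segments have been found:
[01:01:55]          Process:     PID: 4023    Owner: magicspam
[01:01:55]          Process: /usr/sbin/apache2    PID: 10275    Owner: root
[01:15:10]   /opt/psa/etc/modules/watchdog/rkhunter.conf     [ Warning ]
[01:15:10] Warning: Package manager verification has failed:
[01:15:10]          File: /opt/psa/etc/modules/watchdog/rkhunter.conf
[01:15:10]          The file hash value has changed
"""

def parse_warnings(log_text):
    """Group each 'Warning:' line with the indented detail lines below it."""
    warnings, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when, indent, text = m.group(1), len(m.group(2)), m.group(3)
        if text.startswith("Warning:"):
            current = {"time": when, "text": text[8:].strip().rstrip(":"), "values": []}
            warnings.append(current)
        elif indent < 5:
            current = None  # a test-name or info line ends the detail block
        elif current is not None and (v := VALUE.match(text)):
            # A Process line with no path keeps its full text so it stays visible.
            current["values"].append(v.group(1) or " ".join(text.split()))
    return warnings

def triage(log_text, expected=EXPECTED):
    """Split findings into (expected, needs_review) lists of (time, warning, value)."""
    ok, review = [], []
    for w in parse_warnings(log_text):
        allowed = expected.get(w["text"], set())
        for value in w["values"] or [""]:
            (ok if value in allowed else review).append((w["time"], w["text"], value))
    return ok, review
```

On the sample, the Apache segment and the rkhunter.conf hash change land in the expected list, while the shared memory segment with no process path (owner magicspam) is returned for review.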
