What Watchdog warnings can be safely ignored on a Plesk server

Follow

Comments

10 comments

  • Avatar
    Marco Marsala (Edited )

    Forgot to mention that MagicSpam too will throw the following warning message. You should whitelist your processes by default.

    [01:01:55] Info: Starting test name 'ipc_shared_mem'
    [01:01:55]   Checking for suspicious shared memory segments  [ Warning ]
    [01:01:55] Warning: The following suspicious shared memory segments have been found:
    [01:01:55]          Process:     PID: 4023    Owner: magicspam
    [01:01:55]          Process: /usr/sbin/apache2    PID: 10275    Owner: root

    0
    Comment actions Permalink
  • Avatar
    Artyom Baranov

    @Marco Marsala

    Thank you for noticing, Marco! I have updated the article.

    0
    Comment actions Permalink
  • Avatar
    Christian Heutger

    Why doesn't plesk then whitelist this warnings by default?

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    @Christian Heutger

    Hello!
    These warnings are not whitelisted by default as they may be useful for troubleshooting.

    Feel free to create functionality suggestions at Plesk User Voice.

    0
    Comment actions Permalink
  • Avatar
    Aniello Martuscelli

    I got this warning

    [01:15:10]   /opt/psa/etc/modules/watchdog/rkhunter.conf     [ Warning ]
    [01:15:10] Warning: Package manager verification has failed:
    [01:15:10]          File: /opt/psa/etc/modules/watchdog/rkhunter.conf
    [01:15:10]          The file hash value has changed

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    @Aniello, this warning appears in the log, when Watchdog configuration has been changed via Plesk. It may be safely ignored.

    0
    Comment actions Permalink
  • Avatar
    Nadir Latif (Edited )

    If you dont wish to receive the Plesk warning emails, then you need to Whitelist the false positive warnings. To Whitelist the warnings you need to set the following options in: /usr/local/psa/etc/modules/watchdog/rkhunter.conf

    # Used to suppress the warning: "Warning: Package manager verification has failed"
    PKGMGR_NO_VRFY="/usr/local/psa/etc/modules/watchdog/rkhunter.conf"

    # Used to suppress the warning: "Warning: Hidden file found"
    ALLOWHIDDENFILE=/etc/.updated
    ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
    ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
    ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz

    # Used to suppress the warning: "Warning: The following suspicious shared memory segments have been found"
    ALLOWIPCPROC=/usr/sbin/httpd

    # Used to suppress the warning: "Warning: No output found from the lsmod command or the /proc/modules file"
    DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps os_specific

    # Used to suppress the warning: "Warning: Found enabled xinetd service"
    XINETD_ALLOWED_SVC=/etc/xinetd.d/ftp_psa
    XINETD_ALLOWED_SVC=/etc/xinetd.d/poppassd_psa

    Since the rkhunter.conf file may be overwritten after a Plesk update, a better option is to create a file rkhunter.conf.local in the folder: /usr/local/psa/etc/modules/watchdog and add the above customized options to the file.

    After that run the RKhunter from the Plesk Watchdog. It should not send the warning email because there are no warnings to report. The "Scanning Status" box will show no warnings.

    This has been tested on Plesk Onyx 17.8.11

    3
    Comment actions Permalink
  • Avatar
    Ales

    I advise against adding os_specific to the list of disabled rkhunter tests as this disables more than just checking for kernel modules. This is the directive that works for us:

    # Add avail_modules and loaded_modules to DISABLE_TESTS to suppress:
    #  "Warning: The kernel modules directory '/lib/modules' is missing or empty."
    ENABLE_TESTS=ALL
    DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps avail_modules loaded_modules

    You might try to omit the avail_modules (add just loaded_modules, the rest is the default in our instalation), depending on your server configuration.

    1
    Comment actions Permalink
  • Avatar
    Graham Jones

    I have added a local rkhunter - but it is ignored. So too is the rkhunter.d directory. Unless I edit the actual rkhunter.conf file I get an error message constantly saying "Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/lwp-request" If I comment out the line for lwp-request on rkhunter.conf Watchdog proceeds OK. However, that means if rkhunter.conf is updated it will need editing again.

    So there are two issues for me.

    1. Why is rkhunter.d or rkhunter.conf.local being ignored?

    2. Why is the lwp-request line happening in the first place?

    0
    Comment actions Permalink
  • Avatar
    Robert Asilbekov

    @Graham Jones,

    > 1. Why is rkhunter.d or rkhunter.conf.local being ignored?

    I was not able to reproduce the issue. Please ensure that you have followed instructions provided in the "/usr/local/psa/etc/modules/watchdog/rkhunter.conf" file and all your custom config files are named and placed accordingly. 

    =====
    You can create a local configuration file. The local file must be named 'rkhunter.conf.local', and must reside in the same directory as this file. Alternatively you can create a directory, named 'rkhunter.d', which also must be in the same directory as this configuration file. Within the 'rkhunter.d' directory you can place further configuration files. There is no restriction on the file names used, other than they must end in '.conf'
    =====

    > 2. Why is the lwp-request line happening in the first place

    The "lwp-request" is provided by "perl-libwww-perl" package that is likely missing on the server.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request