Applicable to:
- Plesk for Linux
Question
What Watchdog warnings can be safely ignored?
Answer
The following list of warnings can be safely ignored:
-
"The file has changed": This warning appears in the log, when Watchdog configuration has been changed via Plesk:
CONFIG_TEXT: [16:34:46] Warning:  Package manager verification has failed:
[16:34:46] File: /usr/local/psa/etc/modules/watchdog/rkhunter.conf
[16:34:46] The file hash value has changed
[16:34:46] The file size has changed
[16:34:46] The file modification time has changed -
"Suspicious shared memory segments": Shared memory segments below are owned by Apache, Plesk and Postgres:
CONFIG_TEXT: [16:35:32] Warning: The following suspicious shared memory segments have been found:
[16:35:32] Process: /usr/sbin/httpd PID: 9522 Owner: root
[16:35:32] Process: PID: 25000 Owner: psaadm
[16:35:32] Process: /usr/bin/postgres PID: 9759 Owner: postgres -
"Suspicious shared memory segments": Shared memory segments below are owned by Apache and MagicSpam:
CONFIG_TEXT: [01:01:55] Checking for suspicious shared memory segments [ Warning ] [01:01:55] Warning: The following suspicious shared memory segments have been found: [01:01:55] Process: PID: 4023 Owner: magicspam [01:01:55] Process: /usr/sbin/apache2 PID: 10275 Owner: root
-
"Found enabled xinetd service: The "xinetd" service is a part of the Plesk functionality.
CONFIG_TEXT: [16:35:33] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[16:35:33] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa -
"Hidden file/directories found":
- The /usr/share/man/ directory is used for package manuals.
- The /dev/.udev directory is created by the "udevd" daemon and is used for system boot process.
- *.hmac files are used for messages authentication.
CONFIG_TEXT: [16:35:38] Warning: Hidden directory found: /dev/.udev
[16:35:38] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[16:35:39] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[16:35:39] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[16:35:39] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text - "Checking for file: not found". Watchdog reports that some file does not exist on disk anymore:
CONFIG_TEXT: Checking for file '/var/lib/.../sssh_pid' [ Not found ]
Additional information
For more information about Watchdog (System Monitoring) Component, see this Plesk documentation page.
For the purpose of scanning the server for malware, Watchdog uses the Rootkit Hunter utility. For more information about Rootkit Hunter, visit the Rootkit Hunter developer's Web site.
Comments
7 comments
Forgot to mention that MagicSpam too will throw the following warning message. You should whitelist your processes by default.
@Marco Marsala
Thank you for noticing, Marco! I have updated the article.
Why doesn't plesk then whitelist this warnings by default?
@Christian Heutger
Hello!
These warnings are not whitelisted by default as they may be useful for troubleshooting.
Feel free to create functionality suggestions at Plesk User Voice.
I got this warning
[01:15:10] /opt/psa/etc/modules/watchdog/rkhunter.conf [ Warning ]
[01:15:10] Warning: Package manager verification has failed:
[01:15:10] File: /opt/psa/etc/modules/watchdog/rkhunter.conf
[01:15:10] The file hash value has changed
@Aniello, this warning appears in the log, when Watchdog configuration has been changed via Plesk. It may be safely ignored.
If you dont wish to receive the Plesk warning emails, then you need to Whitelist the false positive warnings. To Whitelist the warnings you need to set the following options in: /usr/local/psa/etc/modules/watchdog/rkhunter.conf
# Used to suppress the warning: "Warning: Package manager verification has failed"
PKGMGR_NO_VRFY="/usr/local/psa/etc/modules/watchdog/rkhunter.conf"
# Used to suppress the warning: "Warning: Hidden file found"
ALLOWHIDDENFILE=/etc/.updated
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
# Used to suppress the warning: "Warning: The following suspicious shared memory segments have been found"
ALLOWIPCPROC=/usr/sbin/httpd
# Used to suppress the warning: "Warning: No output found from the lsmod command or the /proc/modules file"
DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps os_specific
# Used to suppress the warning: "Warning: Found enabled xinetd service"
XINETD_ALLOWED_SVC=/etc/xinetd.d/ftp_psa
XINETD_ALLOWED_SVC=/etc/xinetd.d/poppassd_psa
Since the rkhunter.conf file may be overwritten after a Plesk update, a better option is to create a file rkhunter.conf.local in the folder: /usr/local/psa/etc/modules/watchdog and add the above customized options to the file.
After that run the RKhunter from the Plesk Watchdog. It should not send the warning email because there are no warnings to report. The "Scanning Status" box will show no warnings.
This has been tested on Plesk Onyx 17.8.11
Please sign in to leave a comment.