[SOLVED] RKhunter /dev warnings

On PVE 6, I installed rkhunter and ran --propupd, but it sends me this every day:

Code:
Warning: Suspicious file types found in /dev:
         /dev/shm/qb-1800-10101-29-di6DkD/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-10101-29-di6DkD/qb-event-pve2-header: data
         /dev/shm/qb-1800-10101-29-di6DkD/qb-response-pve2-data: data
         /dev/shm/qb-1800-10101-29-di6DkD/qb-response-pve2-header: data
         /dev/shm/qb-1800-10101-29-di6DkD/qb-request-pve2-data: data
         /dev/shm/qb-1800-10101-29-di6DkD/qb-request-pve2-header: data
         /dev/shm/qb-1800-9159-21-V4vpMK/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-9159-21-V4vpMK/qb-event-pve2-header: data
         /dev/shm/qb-1800-9159-21-V4vpMK/qb-response-pve2-data: data
         /dev/shm/qb-1800-9159-21-V4vpMK/qb-response-pve2-header: data
         /dev/shm/qb-1800-9159-21-V4vpMK/qb-request-pve2-data: data
         /dev/shm/qb-1800-9159-21-V4vpMK/qb-request-pve2-header: data
         /dev/shm/qb-1800-29611-25-FMdA3w/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-29611-25-FMdA3w/qb-event-pve2-header: data
         /dev/shm/qb-1800-29611-25-FMdA3w/qb-response-pve2-data: data
         /dev/shm/qb-1800-29611-25-FMdA3w/qb-response-pve2-header: COM executable for DOS
         /dev/shm/qb-1800-29611-25-FMdA3w/qb-request-pve2-data: data
         /dev/shm/qb-1800-29611-25-FMdA3w/qb-request-pve2-header: data
         /dev/shm/qb-1800-2057-22-PaBrgs/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-2057-22-PaBrgs/qb-event-pve2-header: data
         /dev/shm/qb-1800-2057-22-PaBrgs/qb-response-pve2-data: data
         /dev/shm/qb-1800-2057-22-PaBrgs/qb-response-pve2-header: data
         /dev/shm/qb-1800-2057-22-PaBrgs/qb-request-pve2-data: data
         /dev/shm/qb-1800-2057-22-PaBrgs/qb-request-pve2-header: data
         /dev/shm/qb-1800-2083-19-3UovBi/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-2083-19-3UovBi/qb-event-pve2-header: data
         /dev/shm/qb-1800-2083-19-3UovBi/qb-response-pve2-data: data
         /dev/shm/qb-1800-2083-19-3UovBi/qb-response-pve2-header: data
         /dev/shm/qb-1800-2083-19-3UovBi/qb-request-pve2-data: data
         /dev/shm/qb-1800-2083-19-3UovBi/qb-request-pve2-header: data
         /dev/shm/qb-1800-2077-18-Jlx0CC/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-2077-18-Jlx0CC/qb-event-pve2-header: data
         /dev/shm/qb-1800-2077-18-Jlx0CC/qb-response-pve2-data: data
         /dev/shm/qb-1800-2077-18-Jlx0CC/qb-response-pve2-header: data
         /dev/shm/qb-1800-2077-18-Jlx0CC/qb-request-pve2-data: data
         /dev/shm/qb-1800-2077-18-Jlx0CC/qb-request-pve2-header: data
         /dev/shm/qb-1800-2076-17-DIgRFW/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-2076-17-DIgRFW/qb-event-pve2-header: data
         /dev/shm/qb-1800-2076-17-DIgRFW/qb-response-pve2-data: data
         /dev/shm/qb-1800-2076-17-DIgRFW/qb-response-pve2-header: data
         /dev/shm/qb-1800-2076-17-DIgRFW/qb-request-pve2-data: data
         /dev/shm/qb-1800-2076-17-DIgRFW/qb-request-pve2-header: data
         /dev/shm/qb-1800-2075-16-nWQ7Yh/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-2075-16-nWQ7Yh/qb-event-pve2-header: data
         /dev/shm/qb-1800-2075-16-nWQ7Yh/qb-response-pve2-data: data
         /dev/shm/qb-1800-2075-16-nWQ7Yh/qb-response-pve2-header: data
         /dev/shm/qb-1800-2075-16-nWQ7Yh/qb-request-pve2-data: data
         /dev/shm/qb-1800-2075-16-nWQ7Yh/qb-request-pve2-header: data
         /dev/shm/qb-1800-2013-15-XlkJjD/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-2013-15-XlkJjD/qb-event-pve2-header: data
         /dev/shm/qb-1800-2013-15-XlkJjD/qb-response-pve2-data: data
         /dev/shm/qb-1800-2013-15-XlkJjD/qb-response-pve2-header: data
         /dev/shm/qb-1800-2013-15-XlkJjD/qb-request-pve2-data: data
         /dev/shm/qb-1800-2013-15-XlkJjD/qb-request-pve2-header: data
         /dev/shm/qb-1800-2051-14-bFfL02/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-2051-14-bFfL02/qb-event-pve2-header: data
         /dev/shm/qb-1800-2051-14-bFfL02/qb-response-pve2-data: offset 664613997892457936451903530140172288.000000, slope 73698583039011852444890038272.000000
         /dev/shm/qb-1800-2051-14-bFfL02/qb-response-pve2-header: data
         /dev/shm/qb-1800-2051-14-bFfL02/qb-request-pve2-data: data
         /dev/shm/qb-1800-2051-14-bFfL02/qb-request-pve2-header: data
         /dev/shm/qb-1800-2016-9-R9H0Ms/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-2016-9-R9H0Ms/qb-event-pve2-header: data
         /dev/shm/qb-1800-2016-9-R9H0Ms/qb-response-pve2-data: data
         /dev/shm/qb-1800-2016-9-R9H0Ms/qb-response-pve2-header: data
         /dev/shm/qb-1800-2016-9-R9H0Ms/qb-request-pve2-data: data
         /dev/shm/qb-1800-2016-9-R9H0Ms/qb-request-pve2-header: data

Should I `ALLOWDEVFILE=/dev/shm/qb-1800-*/qb-*-pve2-data + ALLOWDEVFILE=/dev/shm/qb-1800-*/qb-*-pve2-header` or should I `SCAN_MODE_DEV=LAZY` or should I do something else?
 
Those are normal shm files used for ipcc between our daemons and pmxcfs, so I guess whitelisting them should be OK.
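
A pre-check for the two whitelist patterns from the question, as an added example that is not part of the original thread: it reads rkhunter warning lines and lists every /dev path the patterns would not cover, so the whitelist stays limited to the pmxcfs shm files. The function names and the sample lines are constructed, and shell `case` matching is assumed here as an approximation of how rkhunter evaluates ALLOWDEVFILE wildcards.

```shell
#!/bin/sh
# Constructed sample: three entries copied from the warning above plus one
# made-up path (example-unexpected) that the whitelist must not cover.
SAMPLE_WARNING='         /dev/shm/qb-1800-10101-29-di6DkD/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section
         /dev/shm/qb-1800-10101-29-di6DkD/qb-response-pve2-header: data
         /dev/shm/qb-1800-2051-14-bFfL02/qb-request-pve2-data: data
         /dev/shm/example-unexpected/payload: data'

# The two ALLOWDEVFILE patterns proposed in the question.
ALLOW_PATTERNS='/dev/shm/qb-1800-*/qb-*-pve2-data
/dev/shm/qb-1800-*/qb-*-pve2-header'

# is_allowed PATH: succeed only if PATH matches one of ALLOW_PATTERNS.
is_allowed() {
    candidate=$1
    rest=${candidate#/dev/shm/}
    # "*" in a case pattern also matches "/", so refuse anything that is not
    # exactly /dev/shm/<dir>/<file> before comparing against the patterns.
    case $rest in
        "$candidate"|*/*/*) return 1 ;;
    esac
    set -f                      # keep the patterns from expanding as globs
    for pat in $ALLOW_PATTERNS; do
        case $candidate in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# uncovered_paths: read rkhunter warning lines on stdin and print every /dev
# path that the whitelist would NOT silence.
uncovered_paths() {
    while IFS= read -r line || [ -n "$line" ]; do
        path=${line%%: *}                 # drop the file(1) description
        path=${path#"${path%%[! ]*}"}     # trim leading spaces
        case $path in
            /dev/*) is_allowed "$path" || printf '%s\n' "$path" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_WARNING" | uncovered_paths
```

Fed the real warning text, an empty result means every reported file is covered by the two patterns; anything printed would still need its own review.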
 
