rkhunter (watchdog) warnings

[PeterKi]

I have added the watchdog extension (rkhunter 1.4.4) to get more security on my server.
Alas the output contains a lot of information which obfuscates the real issues thus making it likely to miss something important.
On the help page it says that option --rwo can show warnings only.
Q1: Can I set this anywhere with plesk so that the output I get only shows the issues ?

If I run rkhunter -c --rwo I still get the output shown below which I would want to accept as safe.
Q2: Is there a way to make these warnings disappear?

I have enabled service monitoring and it always shows spamassassin is not running.
If I check with systemctl status spamassassin everything seems to be ok.
Q3: is this a bug?

Warning: The file '/etc/passwd' exists on the system, but it is not present in the 'rkhunter.dat' file.
sure it needs to exist so why isn't it in the rkhunter.dat file?

Warning: Package manager verification has failed:

File: /opt/psa/etc/modules/watchdog/rkhunter.conf

The file hash value has changed

Warning: The file properties have changed:

File: /opt/psa/etc/modules/watchdog/rkhunter.conf

Current file modification time: 1528262348 (06-Jun-2018 07:19:08)

Stored file modification time : 1528094196 (04-Jun-2018 08:36:36)
of course it has changed as I set the mail address via the GUI.
I have run rkhunter --propupd but no change.
Warning: The following suspicious shared memory segments have been found:
Process: PID: 512 Owner: magicspam

Process: /usr/sbin/apache2 PID: 4317 Owner: root

Process: PID: 697 Owner: magicspam

Process: PID: 697 Owner: magicspam

Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa

Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
how can I whitelist these services?

Warning: No output found from the lsmod command or the /proc/modules file:

/proc/modules output:

lsmod output:

Warning: Suspicious file types found in /dev:

/dev/shm/sem.ms_rl_watchdog_lock: data
I am running in a vserver host so I think those warnings can be ignored.

 

[Brujo]

please take into consider to tell the community which os and Plesk version you are running, this would be helpfull to give you some answers

perhaps this might be also helpfull but not exactly related to your detailed Questions; What Watchdog warnings can be safely ignored on a Plesk server and feel free to comment on it directly in the Thread..

Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
how can I whitelist these services?

see: Rkhunter and plesk xinetd services

 

[PeterKi]

Sorry for forgetting some details.
I am running Plesk 17.8.11 update 10 on Ubuntu 16.04 LTS on a vServer.

I have seen the thread about what watchdog warnings can be safely ignored.
My question though is: how can I get rid of the obfuscating output and just concentrate on the real issues.
One of the reasons why Tchernobyl blew up was information overload.
Thus a security tool should log everything but not send notification mails which contain 99% informational stuff.
That said the plesk configuration page should allow to set more rkhunter tuning than currently possible.

A solution I see is that I disable the rkhunter reports from plesk at all and use my own cron job for rkhunter.
I don't know though if this would interfere with other aspects of the plesk watchdog module.

The advantage of a GUI like plesk is that it offers a better configuration overview and you don't need to be an expert on every system aspect.
So I do not want to do too much administration outside of plesk.
But when it comes to security I do not want to compromise things.

 

[Brujo]

I have enabled service monitoring and it always shows spamassassin is not running.
If I check with systemctl status spamassassin everything seems to be ok.
Q3: is this a bug?

I am running Plesk 17.8.11 update 10 on Ubuntu 16.04 LTS on a vServer.

as I found this was a Bug and should be fixed in Onyx 17.8.x: Update Watchdog configuration for Spamassassin (Ubuntu 16.04)

So I do not want to do too much administration outside of plesk.

unfortunately then there isnt much I can help you :-(

 

[PeterKi]

Tnanks a lot for the quick reply.
I applied the bug fix for the spamassassin service and at least this issue is gone.

Is there also a solution to get rid of the warning about the change to rkhunter.conf?
I see the recommendation on the forum is to remove and reinstall the module but then if I change the mail address for notifications I will run into the same problem again.

 

[PeterKi]

So I disabled the setting to send reports and run rkhunter manually with -c --rwo.
I also added the xinetd services to rkhunter.conf.local and disabled the warnings about the shared memory segment.
Alas: every time I run rkhunter I still get the full report via email.
I also cannot disable the warnings about shared memory segments by magicspam as this seems to be a process invoked by plesk at runtime of rkhunter and I do not know the exact process location.
The mentioned warnings are due to plesk processes so I think it is a bug that plesk does not fllter them by itself.
The most annoying thing though is, that rkhunter always sends a full report after it has run.
What is the recommended way to avoid this?

 

[PeterKi]

As there doesn't seem to be a solution to my problems I made up my mind and removed the watchdog module as described here:
Resolved - rkhunter.conf file
I then used the tutorial at https://www.server-world.info/en/note?os=Ubuntu_16.04&p=rkhunter to install rkhunter outside of plesk to get more control.
The downside of this is that I cannot administer everything from the plesk GUI anymore and a server migration using the plesk migrator will not migrate the rkhunter package.
I also found that the plesk version has a service monitoring add on which is missing in the ubuntu version.
So I am not happy either way.
I will dig further into this to find a satisfying solution

 

[PeterKi]

The plesk watchdog module has an adapted service monitoring which I don't want to miss so I re-installed the watchdog.
To solve the issue with the nagging rkhunter messages I also installed the rkhunter module from the ubuntu archives and disabled the security scan part in plesk's watchdog extension.
Then I configured the standard rkhunter to send only notifications in case of warnings.
I have attached my rkhunter.conf.local for reference.
One issue was still showing up with the service monitoring of spam assassin.
Ubuntu uses /var/run/spamassassin.pid now whereas plesk expects /var/run/spamd.pid.
I tried to change it in /opt/psa/etc/modules/watchdog and in /opt/psa/var/modules/watchdog/data/monitrc.chk but somehow it always got automgically reset to spamd.pid.
So I ended up adapting the pid file location in /etc/default/spamassassin to match plesk.
At the moment everything works fine as expected.