I haven't done much research into this, but my guess would be that this is a false positive. /dev/shm seems to be some strange shared memory access. lsof is claiming that those files are deleted (type = DEL).
My best guess would be that this is some kind of strange interaction between /dev/shm, the clustering stuff, and OSSEC's checks. I'd hit up support at redhat to see if they have any thoughts on the matter.

On Thu, Mar 3, 2011 at 12:29 PM, carlopmart <[email protected]> wrote:
> Hi all,
>
> Recently my OSSEC server fired some strange alarms like this:
>
> ** Alert 1299172717.237104: mail - ossec,rootcheck,
> 2011 Mar 03 18:18:37 (rhelclunode02) 172.25.50.15->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> Src IP: (none)
> User: (none)
> Anomaly detected in file '/dev/shm/request_buffer-dAihk0'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
>
> ** Alert 1299172717.237456: mail - ossec,rootcheck,
> 2011 Mar 03 18:18:37 (rhelclunode02) 172.25.50.15->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> Src IP: (none)
> User: (none)
> Anomaly detected in file '/dev/shm/control_buffer-ru8tPJ'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
>
> rhelclunode02 is a RHEL6 host with corosync, cman, gfs2-tools and rgmanager utils (RedHat Cluster suite).
>
> using lsof output is:
>
> [root@rhelclunode02 shm]# lsof |grep control_buffer
> corosync 1138 root DEL REG 0,15 10428 /dev/shm/control_buffer-9fxbY1
> corosync 1138 root DEL REG 0,15 9218 /dev/shm/control_buffer-1mXd0R
> corosync 1138 root DEL REG 0,15 9113 /dev/shm/control_buffer-mTF2Ce
> corosync 1138 root DEL REG 0,15 9001 /dev/shm/control_buffer-OVi71x
> corosync 1138 root DEL REG 0,15 8809 /dev/shm/control_buffer-o1dQ5O
> corosync 1138 root DEL REG 0,15 8735 /dev/shm/control_buffer-vBpxIn
> corosync 1138 root DEL REG 0,15 8741 /dev/shm/control_buffer-W1rVPz
> fenced 1199 root DEL REG 0,15 9113 /dev/shm/control_buffer-mTF2Ce
> fenced 1199 root DEL REG 0,15 8809 /dev/shm/control_buffer-o1dQ5O
> dlm_contr 1216 root DEL REG 0,15 10428 /dev/shm/control_buffer-9fxbY1
> dlm_contr 1216 root DEL REG 0,15 9218 /dev/shm/control_buffer-1mXd0R
> dlm_contr 1216 root DEL REG 0,15 8741 /dev/shm/control_buffer-W1rVPz
> dlm_contr 1216 root DEL REG 0,15 8735 /dev/shm/control_buffer-vBpxIn
> gfs_contr 1270 root DEL REG 0,15 9001 /dev/shm/control_buffer-OVi71x
> [root@rhelclunode02 shm]# lsof |grep control_buffer-ru8tPJ
> [root@rhelclunode02 shm]# lsof |grep request_buffer-
> corosync 1138 root DEL REG 0,15 10429 /dev/shm/request_buffer-zSLv1E
> corosync 1138 root DEL REG 0,15 9219 /dev/shm/request_buffer-k633xg
> corosync 1138 root DEL REG 0,15 9114 /dev/shm/request_buffer-KjbfSx
> corosync 1138 root DEL REG 0,15 9002 /dev/shm/request_buffer-Gmeo3Q
> corosync 1138 root DEL REG 0,15 8810 /dev/shm/request_buffer-AieBL7
> corosync 1138 root DEL REG 0,15 8736 /dev/shm/request_buffer-JI55eG
> corosync 1138 root DEL REG 0,15 8742 /dev/shm/request_buffer-DjNinS
> fenced 1199 root DEL REG 0,15 9114 /dev/shm/request_buffer-KjbfSx
> fenced 1199 root DEL REG 0,15 8810 /dev/shm/request_buffer-AieBL7
> dlm_contr 1216 root DEL REG 0,15 10429 /dev/shm/request_buffer-zSLv1E
> dlm_contr 1216 root DEL REG 0,15 9219 /dev/shm/request_buffer-k633xg
> dlm_contr 1216 root DEL REG 0,15 8742 /dev/shm/request_buffer-DjNinS
> dlm_contr 1216 root DEL REG 0,15 8736 /dev/shm/request_buffer-JI55eG
> gfs_contr 1270 root DEL REG 0,15 9002 /dev/shm/request_buffer-Gmeo3Q
>
> Maybe it is a false positive?? Can I configure more verbose options for this alarm??
>
> Thanks.
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
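An added example for triaging this class of alert, not code from the thread or from OSSEC. It assumes (labelled in the code) that the rootcheck "hidden from stats, but showing up on readdir" message comes from a readdir() listing followed by a per-entry lstat() that fails; the script reproduces that logic on a constructed temporary directory, shows how a file that is unlinked while a process still holds it open (what lsof reports as type DEL) yields exactly that discrepancy, and adds a /proc-based helper that maps such "(deleted)" paths to the PIDs still holding them so an analyst can tell a short-lived shared-memory buffer from a hidden file.

```python
"""Reproduce the readdir-vs-lstat discrepancy behind the rootcheck
alert and correlate it with files that are unlinked but still open.

Assumption: rootcheck lists a directory with readdir() and then
lstat()s each name; a failing lstat() is reported as the anomaly.
This is a stand-alone reconstruction of that idea, not OSSEC's code.
"""
import os
import tempfile
from typing import Callable, Dict, List, Optional


def scan_dir(path: str,
             between: Optional[Callable[[str], None]] = None) -> List[str]:
    """readdir first, then lstat each entry; return names whose lstat
    failed (the condition the alert describes).  `between` is a hook
    run after readdir and before each lstat, used below to stand in
    for another process unlinking the file at that exact moment."""
    anomalies: List[str] = []
    for name in os.listdir(path):           # readdir: entry is visible
        full = os.path.join(path, name)
        if between is not None:
            between(full)
        try:
            os.lstat(full)                  # stat: must still exist
        except FileNotFoundError:
            anomalies.append(full)          # what rootcheck would flag
    return anomalies


def deleted_open_files(pids: Optional[List[int]] = None,
                       proc_root: str = "/proc") -> Dict[str, List[int]]:
    """Map paths whose /proc/<pid>/fd link ends in ' (deleted)' to the
    PIDs still holding them open: the same fact lsof shows as DEL.
    Returns {} where /proc is not available (non-Linux)."""
    found: Dict[str, List[int]] = {}
    try:
        if pids is None:
            pids = [int(p) for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return found
    for pid in pids:
        fd_dir = os.path.join(proc_root, str(pid), "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                        # permission denied or gone
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.endswith(" (deleted)"):
                found.setdefault(target[:-len(" (deleted)")], []).append(pid)
    return found


def proc_available() -> bool:
    return os.path.isdir("/proc/self/fd")


def demo() -> dict:
    """Constructed scenario: one stable file plus one file (named after
    the buffers in the thread, but ours) that is unlinked between
    readdir and lstat while a descriptor to it stays open."""
    with tempfile.TemporaryDirectory() as d:
        stable = os.path.join(d, "stable")
        open(stable, "w").close()
        racy = os.path.join(d, "request_buffer-demo")   # constructed name
        fd = os.open(racy, os.O_CREAT | os.O_RDWR, 0o600)

        def unlink_if_racy(p: str) -> None:
            if p == racy and os.path.exists(p):
                os.unlink(p)                # still open via fd -> DEL

        anomalies = scan_dir(d, between=unlink_if_racy)
        held = deleted_open_files(pids=[os.getpid()])
        os.close(fd)
        return {
            "anomalies": anomalies,
            "racy": racy,
            "stable": stable,
            "proc_available": proc_available(),
            "held_open_by_us": os.getpid() in held.get(racy, []),
        }


if __name__ == "__main__":
    r = demo()
    for p in r["anomalies"]:
        tag = "still open by a live process" if r["held_open_by_us"] \
              else "not held open (investigate)"
        print(f"readdir saw {p} but lstat failed: {tag}")
```

Run against a real host, `deleted_open_files()` with no `pids` argument needs to be executed as root to read every process's fd table; an alerted path that appears in that map with a known daemon's PID is the benign unlink-while-open pattern, while one that appears in neither the directory listing nor any fd table deserves a closer look.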
