I just revived my laptop (yay) after a few months of being down. I then ran a zypper update, then did my usual security checks, when rkhunter returned this result:
[10:56:09] Checking /dev for suspicious file types [ Warning ]
[10:56:09] Warning: Suspicious file types found in /dev:
[10:56:09] /dev/shm/sem.haveged_sem: data
Not much to see in the logs for that, but doing ls -al /dev/shm | grep -i sem returned this:
-rw-r--r-- 1 root root 32 May 24 10:40 sem.haveged_sem
I’m concerned because rkhunter flagged it as suspicious. What is that thing anyway?
May 24, 2023, 6:56am
and when it is text then
As the message reads, it is suspicious because only device files (block and character) are expected to be within /dev.
BTW, I have the same:
henk@boven:~> l /dev/shm
drwxrwxrwt 2 root root 60 May 24 08:55 ./
drwxr-xr-x 20 root root 4260 May 24 08:47 ../
-rw-r--r-- 1 root root 32 May 24 08:47 sem.haveged_sem
henk@boven:/dev/shm> file sem.haveged_sem
as your program already said.
henk@boven:/dev/shm> od sem.haveged_sem
0000000 000001 000000 000000 000000 000200 000000 000000 000000
0000020 000000 000000 000000 000000 000000 000000 000000 000000
May 24, 2023, 7:02am
Something about "shared memory"?
Shared memory - Wikipedia
This is a named semaphore that haveged creates to synchronize activity between different components. The fact that it appears in /dev/shm is more or less an implementation detail. /dev/shm is simply a memory-based filesystem that has a long history of being used to store various run-time data before /run took its place.
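To make the two points in this thread concrete (rkhunter only expects block and character devices under /dev, and glibc's sem_open() stores a named semaphore as a regular file /dev/shm/sem.<name> of sizeof(sem_t) bytes, which is the 32-byte size in the ls output), here is an added example. It is not rkhunter's, haveged's or glibc's code; it reimplements the device-vs-non-device classification and adds a shape check for glibc named semaphores, and it assumes a Linux/glibc system where /dev/shm is the semaphore directory. The fixture directory it builds under /tmp is constructed sample data, not a real /dev.

```c
/* Added example (not rkhunter's or haveged's code): classify a /dev-style
 * directory the way rkhunter's "suspicious file types in /dev" check does and
 * pick out entries shaped like glibc named semaphores (/dev/shm/sem.<name>). */
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <limits.h>
#include <semaphore.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct scan_result {
    int entries;        /* entries examined, excluding . and .. */
    int devices;        /* block/character devices: all rkhunter expects in /dev */
    int non_device;     /* everything else: what the warning lists */
    int semaphore_like; /* non-device entries shaped like a glibc named semaphore */
};

/* rkhunter's rule: only block and character special files belong in /dev. */
int is_device_file(mode_t mode) { return S_ISBLK(mode) || S_ISCHR(mode); }

/* glibc backs a sem_open() semaphore with a regular file sem.<name> of exactly
 * sizeof(sem_t) bytes (32 on x86_64, the size in the thread's ls output); a
 * symlink or differently sized file with the same prefix does not match. */
int looks_like_named_semaphore(const char *name, const struct stat *st)
{
    return S_ISREG(st->st_mode) && strncmp(name, "sem.", 4) == 0
        && st->st_size == (off_t)sizeof(sem_t);
}

struct scan_result scan_dev_dir(const char *dir)
{
    struct scan_result r = {0, 0, 0, 0};
    char path[PATH_MAX];
    struct stat st;
    struct dirent *ent;
    DIR *d = opendir(dir);
    if (d == NULL) return r;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue;
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        if (lstat(path, &st) != 0) continue; /* lstat: judge a symlink itself, not its target */
        r.entries++;
        if (is_device_file(st.st_mode)) { r.devices++; continue; }
        r.non_device++;
        if (looks_like_named_semaphore(ent->d_name, &st)) r.semaphore_like++;
    }
    closedir(d);
    return r;
}

static int write_file(const char *path, const void *buf, size_t n)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    fwrite(buf, 1, n, f);
    return fclose(f);
}

/* Constructed stand-in for /dev/shm: a 32-byte sem.demo_sem file (what
 * haveged's semaphore looks like on disk), a plain text file, and a symlink
 * whose name also starts with "sem." but is not a semaphore. */
static int build_fixture(char *dir, size_t cap)
{
    char tmpl[] = "/tmp/devscan.XXXXXX", path[PATH_MAX];
    unsigned char zeros[sizeof(sem_t)] = {0};
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(dir, cap, "%s", tmpl);
    snprintf(path, sizeof path, "%s/sem.demo_sem", dir);
    if (write_file(path, zeros, sizeof zeros) != 0) return -1;
    snprintf(path, sizeof path, "%s/notes.txt", dir);
    if (write_file(path, "constructed sample\n", 19) != 0) return -1;
    snprintf(path, sizeof path, "%s/sem.link", dir);
    return symlink("notes.txt", path);
}

/* Build the fixture, scan it, delete it, and return one counter by name
 * ("entries", "devices", "non_device" or "semaphore_like"); -1 on error. */
int fixture_count(const char *field)
{
    const char *names[] = {"sem.demo_sem", "notes.txt", "sem.link"};
    char dir[64], path[PATH_MAX];
    struct scan_result r;
    if (build_fixture(dir, sizeof dir) != 0) return -1;
    r = scan_dev_dir(dir);
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    if (strcmp(field, "entries") == 0) return r.entries;
    if (strcmp(field, "devices") == 0) return r.devices;
    if (strcmp(field, "non_device") == 0) return r.non_device;
    if (strcmp(field, "semaphore_like") == 0) return r.semaphore_like;
    return -1;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/dev/shm";
    struct scan_result r = scan_dev_dir(dir);
    printf("%s: %d entries, %d devices, %d non-device, %d of those look like "
           "named semaphores\n", dir, r.entries, r.devices, r.non_device, r.semaphore_like);
    return 0;
}
```

Build with `cc -o devscan devscan.c` and run `./devscan /dev/shm`; on a system like the one in the thread it reports sem.haveged_sem as one non-device entry that is semaphore-shaped. The shape check is only a heuristic (name prefix plus sizeof(sem_t) size), so treat it as a way to sort rkhunter's list into "explained by a running daemon's semaphore" and "still unexplained", not as proof of what created the file; the definitive answer is still which process holds the semaphore.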
That is the question to
Thank you for your inputs. Sounds like it’s a false positive then.