Prevent false positives for PostgreSQL in chkrootkit and rkhunter

In its default configuration on recent versions of Debian, PostgreSQL creates shared memory segment files in /dev/shm/. Common rootkit detection software such as chkrootkit or rkhunter flags these as potential indicators of infection. The file names are randomly generated, which makes filtering them out a little tricky. Here’s how to stop both tools reporting them as false positives.

chkrootkit

Open the file /etc/chkrootkit/chkrootkit.ignore and add the following line:

/dev/shm/PostgreSQL\.[0-9]+

rkhunter

Open the file /etc/rkhunter.conf.local and add the following line:

ALLOWDEVFILE=/dev/shm/PostgreSQL.*
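The chkrootkit entry is an extended regular expression, so before relying on it, it is worth confirming that it accepts the real file names and nothing else, so that an unexpected file in /dev/shm still gets reported. The helpers below, an added example and not part of the original post, do that check and also append a config line only if it is not already there, so the edit can be re-run safely. The sample paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check the chkrootkit ignore
# pattern against candidate paths and add config lines idempotently.

# The pattern as written in /etc/chkrootkit/chkrootkit.ignore (extended regex).
PG_SHM_PATTERN='/dev/shm/PostgreSQL\.[0-9]+'

# Returns 0 if the whole path matches the ignore pattern, 1 otherwise.
# Anchored at both ends so only PostgreSQL.<digits> is accepted.
matches_pg_shm() {
    printf '%s\n' "$1" | grep -Eq "^${PG_SHM_PATTERN}\$"
}

# Prints every path (given as arguments) that the pattern does NOT cover,
# i.e. what chkrootkit would still report after the ignore rule is in place.
unmatched_paths() {
    for f in "$@"; do
        matches_pg_shm "$f" || printf '%s\n' "$f"
    done
}

# Appends a line to a config file only if it is not already present.
# Prints 'added' or 'present' so the caller can tell what happened.
ensure_line() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    if grep -Fxq -- "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}
```

On a live system, `unmatched_paths /dev/shm/*` lists whatever the rule would not silence; the rkhunter glob `PostgreSQL.*` is broader than the chkrootkit regex, so the same review is worth doing there.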