Suspicious Rkhunter entry for /dev/shm/lttng-ust-wait-7-1000, Ubuntu 18.04.1
by RickDeckard from LinuxQuestions.org on (#55NVX)
I've been finding these entries in my Rkhunter log as early as yesterday without any idea as to why I might need them, nor any memory of installing the lttng packages:
Code:
Suspicious file types found in /dev:
/dev/shm/lttng-ust-wait-7: data
/dev/shm/lttng-ust-wait-7-1000: data

A Google search to query if I have those files installed turns up nothing in my apt history, and nothing in my audit logs. But a quick lsof of the /dev/shm directory shows me this:

Code:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
pwsh 542 ryank mem type 0.30 4096 5 /dev/shm/lttng-ust-wait-7-1000
pwsh 542 ryank mem type 0.30 4096 4 /dev/shm/lttng-ust-wait-7

Why would the PowerShell snap (7.0.2 of course) need to be accessing /dev/shm for a tool I don't have installed and a phone I have never needed to emulate, much less holding something there?

EDIT: Okay, after coming back to this and still seeing nada I decided to do a quick "lsof -Pnp 542" which showed me a lot more than the above, so, for the sake of brevity on a mobile phone:

Code:
lsof -Pnp 542 | grep liblttng
lsof: WARNING: can't stat() tracefs file system /sys/kernel/debug/tracing
Output information may be incomplete.
pwsh 542 ryank mem REG 7,0 51392 659 /snap/powershell/132/usr/lib/x86_64-linux-gnu/liblttng-ust-tracepoint.so.0.0.0
pwsh 542 ryank mem REG 7,0 485752 661 /snap/powershell/132/usr/lib/x86_64-linux-gnu/liblttng-ust.so.0.0.0

I'm 65/35 thinking this is just a normal PowerShell for Linux thing by this point when it's left on for a few days but I'd love a conclusive answer as to why PS uses that library file and why it picked that moment to create the SHM instance.
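Added example, not code from the post or from rkhunter: a small triage script that automates the check the post does by hand with lsof, i.e. whether a /dev/shm object flagged by rkhunter is mapped by a process that also has a liblttng-ust library loaded. It reads /proc/<pid>/maps directly (the "mem" entries lsof shows); the wait-object name pattern lttng-ust-wait-<major>[-<uid>] is an assumption generalised from the two names in the post, and the sample maps excerpt is constructed from the post's lsof output.

```python
import os
import re
from pathlib import Path

# Assumption: liblttng-ust wait objects are named lttng-ust-wait-<major>[-<uid>], as in the post.
WAIT_SHM = re.compile(r"^/dev/shm/lttng-ust-wait-\d+(-\d+)?$")
LTTNG_LIB = re.compile(r"/liblttng-ust[^/]*\.so")

def parse_maps(maps_text):
    """Set of file paths mapped by a process, parsed from /proc/<pid>/maps text."""
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode path
        if len(parts) == 6 and parts[5].startswith("/"):
            paths.add(parts[5].replace(" (deleted)", ""))
    return paths

def explain_shm(shm_path, maps_text):
    """Return (mapped, explained, libs) for one process: is shm_path mapped, is it a lttng-ust wait object backed by a loaded liblttng-ust, and which liblttng-ust libs are loaded."""
    paths = parse_maps(maps_text)
    mapped = shm_path in paths
    libs = sorted(p for p in paths if LTTNG_LIB.search(p))
    explained = mapped and bool(WAIT_SHM.match(shm_path)) and bool(libs)
    return mapped, explained, libs

def scan_procfs(shm_path, proc="/proc"):
    """Find every process mapping shm_path (reading other users' processes needs root)."""
    hits = {}
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            maps_text = (pid_dir / "maps").read_text()
            exe = os.readlink(pid_dir / "exe")
        except OSError:  # process exited or is not readable by us
            continue
        mapped, explained, libs = explain_shm(shm_path, maps_text)
        if mapped:
            hits[int(pid_dir.name)] = (exe, explained, libs)
    return hits

# Constructed /proc/542/maps excerpt modelled on the post's lsof output (tmpfs is 00:30, the snap is 07:00).
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c001000 rw-s 00000000 00:30 5 /dev/shm/lttng-ust-wait-7-1000
7f3a1c001000-7f3a1c002000 rw-s 00000000 00:30 4 /dev/shm/lttng-ust-wait-7
7f3a1c100000-7f3a1c176000 r-xp 00000000 07:00 661 /snap/powershell/132/usr/lib/x86_64-linux-gnu/liblttng-ust.so.0.0.0
7f3a1c200000-7f3a1c20d000 r-xp 00000000 07:00 659 /snap/powershell/132/usr/lib/x86_64-linux-gnu/liblttng-ust-tracepoint.so.0.0.0
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""
```

scan_procfs("/dev/shm/lttng-ust-wait-7-1000") returns {pid: (exe, explained, libs)} for a live host; the pwsh case from the post comes back explained, while a wait object held by a process with no liblttng-ust mapped (explained False) is the one worth escalating.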