Created
August 18, 2015 18:03
-
-
Save stephdl/282ecbdf1c06125c8c80 to your computer and use it in GitHub Desktop.
rkhunter-diff
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- /etc/rkhunter.conf 2015-08-18 20:01:54.966464648 +0200 | |
| +++ /etc/rkhunter.conf.original 2015-08-18 19:57:55.497170630 +0200 | |
| @@ -1,171 +1,317 @@ | |
| -#------------------------------------------------------------ | |
| -# !!DO NOT MODIFY THIS FILE!! | |
| -# | |
| -# Manual changes will be lost when this file is regenerated. | |
| -# | |
| -# Please read the developer's guide, which is available | |
| -# at http://www.contribs.org/development/ | |
| -# | |
| -# Copyright (C) 1999-2006 Mitel Networks Corporation | |
| -#------------------------------------------------------------ | |
| # | |
| -# This is the configuration file for Rootkit Hunter. | |
| +# This is the main configuration file for Rootkit Hunter. | |
| # | |
| -# Please modify it to your own requirements. | |
| +# You can modify this file directly, or you can create a local configuration | |
| +# file. The local file must be named 'rkhunter.conf.local', and must reside | |
| +# in the same directory as this file. Alternatively you can create a directory, | |
| +# named 'rkhunter.d', which also must be in the same directory as this | |
| +# configuration file. Within the 'rkhunter.d' directory you can place further | |
| +# configuration files. There is no restriction on the file names used, other | |
| +# than they must end in '.conf'. | |
| +# | |
| +# Please modify the configuration file(s) to your own requirements. It is | |
| +# recommended that the command 'rkhunter -C' is run after any changes have | |
| +# been made. | |
| # | |
| # Please review the documentation before posting bug reports or questions. | |
| -# To report bugs, obtain updates, or provide patches or comments, please go to: | |
| -# http://rkhunter.sourceforge.net | |
| +# To report bugs, obtain updates, or provide patches or comments, please go | |
| +# to: http://rkhunter.sourceforge.net | |
| # | |
| -# To ask questions about rkhunter, please use the rkhunter-users mailing list. | |
| -# Note this is a moderated list: please subscribe before posting. | |
| +# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list. | |
| +# Note that this is a moderated list, so please subscribe before posting. | |
| # | |
| -# Lines beginning with a hash (#), and blank lines, are ignored. | |
| -# End-of-line comments are not supported. | |
| +# In the configuration files, lines beginning with a hash (#), and blank lines, | |
| +# are ignored. Also, end-of-line comments are not supported. | |
| # | |
| -# Most of the following options need only be specified once. If | |
| -# they appear more than once, then the last one seen will be used. | |
| -# Some options are allowed to appear more than once, and the text | |
| -# describing the option will say if this is so. | |
| +# Any of the configuration options may appear more than once. However, several | |
| +# options only take one value, and so the last one seen will be used. Some | |
| +# options are allowed to appear more than once, and the text describing the | |
| +# option will say if this is so. These configuration options will, in effect, | |
| +# have their values concatenated together. To delete a previously specified | |
| +# option list, specify the option with no value (that is, a null string). | |
| +# | |
| +# Some of the options are space-separated lists, others, typically those | |
| +# specifying pathnames, are newline-separated lists. These must be entered | |
| +# as one item per line. Quotes must not be used to surround the pathname. | |
| +# | |
| +# For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an | |
| +# option: XXX=/tmp/abc (correct) | |
| +# XXX=/tmp/xyz | |
| +# | |
| +# XXX="/tmp/abc" (incorrect) | |
| +# XXX="/tmp/xyz" | |
| +# | |
| +# XXX=/tmp/abc /tmp/xyz (incorrect) | |
| +# or XXX="/tmp/abc /tmp/xyz" (incorrect) | |
| +# or XXX="/tmp/abc" "/tmp/xyz" (incorrect) | |
| +# | |
| +# The last three examples are being configured as space-separated lists, | |
| +# which is incorrect, generally, for options specifying pathnames. They | |
| +# should be configured with one entry per line as in the first example. | |
| +# | |
| +# If wildcard characters (globbing) are allowed for an option, then the | |
| +# text describing the option will say so. | |
| +# | |
| +# Space-separated lists may be enclosed by quotes, although they are not | |
| +# required. If they are used, then they must only appear at the start and | |
| +# end of the list, not in the middle. | |
| +# | |
| +# For example: XXX=abc def gh (correct) | |
| +# XXX="abc def gh" (correct) | |
| +# XXX="abc" "def" "gh" (incorrect) | |
| +# | |
| +# Space-separated lists may also be entered simply as one entry per line. | |
| +# | |
| +# For example: XXX=abc (correct) | |
| +# XXX=def | |
| +# XXX="gh" | |
| +# | |
| +# If a configuration option is never set, then the program will assume a | |
| +# default value. The text describing the option will state the default value. | |
| +# If there is no default, then rkhunter will calculate a value or pathname | |
| +# to use. | |
| # | |
| + | |
| + | |
| # | |
| -# If this option is set to 1, it specifies that the mirrors file | |
| +# If this option is set to '1', it specifies that the mirrors file | |
| # ('mirrors.dat'), which is used when the '--update' and '--versioncheck' | |
| -# options are used, is to be rotated. Rotating the entries in the file | |
| -# allows a basic form of load-balancing between the mirror sites whenever | |
| -# the above options are used. | |
| -# If the option is set to 0, then the mirrors will be treated as if in | |
| -# a priority list. That is, the first mirror listed will always be used | |
| -# first. The second mirror will only be used if the first mirror fails, | |
| -# the third mirror will only be used if the second mirror fails, and so on. | |
| +# options are used, is to be rotated. Rotating the entries in the file allows | |
| +# a basic form of load-balancing between the mirror sites whenever the above | |
| +# options are used. | |
| +# | |
| +# If the option is set to '0', then the mirrors will be treated as if in a | |
| +# priority list. That is, the first mirror listed will always be used first. | |
| +# The second mirror will only be used if the first mirror fails, the third | |
| +# mirror will only be used if the second mirror fails, and so on. | |
| # | |
| # If the mirrors file is read-only, then the '--versioncheck' command-line | |
| -# option can only be used if this option is set to 0. | |
| +# option can only be used if this option is set to '0'. | |
| +# | |
| +# The default value is '1'. | |
| +# | |
| +#ROTATE_MIRRORS=1 | |
| + | |
| +# | |
| +# If this option is set to '1', it specifies that when the '--update' option is | |
| +# used, then the mirrors file is to be checked for updates as well. If the | |
| +# current mirrors file contains any local mirrors, these will be prepended to | |
| +# the updated file. If this option is set to '0', the mirrors file can only be | |
| +# updated manually. This may be useful if only using local mirrors. | |
| +# | |
| +# The default value is '1'. | |
| # | |
| -ROTATE_MIRRORS=1 | |
| +#UPDATE_MIRRORS=1 | |
| + | |
| # | |
| -# If this option is set to 1, it specifies that when the '--update' | |
| -# option is used, then the mirrors file is to be checked for updates | |
| -# as well. If the current mirrors file contains any local mirrors, | |
| -# these will be prepended to the updated file. | |
| -# If this option is set to 0, the mirrors file can only be updated | |
| -# manually. This may be useful if only using local mirrors. | |
| -# | |
| -UPDATE_MIRRORS=1 | |
| -# | |
| -# The MIRRORS_MODE option tells rkhunter which mirrors are to be | |
| -# used when the '--update' or '--versioncheck' command-line options | |
| -# are given. Possible values are: | |
| -# 0 - use any mirror (the default) | |
| +# The MIRRORS_MODE option tells rkhunter which mirrors are to be used when | |
| +# the '--update' or '--versioncheck' command-line options are given. | |
| +# Possible values are: | |
| +# 0 - use any mirror | |
| # 1 - only use local mirrors | |
| # 2 - only use remote mirrors | |
| # | |
| -# Local and remote mirrors can be defined in the mirrors file | |
| -# by using the 'local=' and 'remote=' keywords respectively. | |
| +# Local and remote mirrors can be defined in the mirrors file by using the | |
| +# 'local=' and 'remote=' keywords respectively. | |
| +# | |
| +# The default value is '0'. | |
| +# | |
| +#MIRRORS_MODE=0 | |
| + | |
| +# | |
| +# Email a message to this address if a warning is found when the system is | |
| +# being checked. Multiple addresses may be specified simply be separating | |
| +# them with a space. To disable the option, simply set it to the null string | |
| +# or comment it out. | |
| # | |
| -MIRRORS_MODE=0 | |
| +# The option may be specified more than once. | |
| # | |
| -# Email a message to this address if a warning is found when the | |
| -# system is being checked. Multiple addresses may be specified | |
| -# simply be separating them with a space. Setting this option to | |
| -# null disables the option. | |
| +# The default value is the null string. | |
| # | |
| -# NOTE: This option should be present in the configuration file. | |
| +# Also see the MAIL_CMD option. | |
| # | |
| #MAIL-ON-WARNING=me@mydomain root@mydomain | |
| -MAIL-ON-WARNING="" | |
| # | |
| -# Specify the mail command to use if MAIL-ON-WARNING is set. | |
| -# NOTE: Double quotes are not required around the command, but | |
| -# are required around the subject line if it contains spaces. | |
| +# This option specifies the mail command to use if MAIL-ON-WARNING is set. | |
| # | |
| -MAIL_CMD=mail -s "[rkhunter] Warnings found for $HOST_NAME" | |
| +# NOTE: Double quotes are not required around the command, but are required | |
| +# around the subject line if it contains spaces. | |
| # | |
| -# Specify the temporary directory to use. | |
| +# The default is to use the 'mail' command, with a subject line | |
| +# of '[rkhunter] Warnings found for ${HOST_NAME}'. | |
| # | |
| -# NOTE: Do not use /tmp as your temporary directory. Some | |
| -# important files will be written to this directory, so be | |
| -# sure that the directory permissions are tight. | |
| +#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" | |
| + | |
| # | |
| -TMPDIR=/var/lib/rkhunter/ | |
| +# This option specifies the directory to use for temporary files. | |
| # | |
| -# Specify the database directory to use. | |
| +# NOTE: Do not use '/tmp' as your temporary directory. Some important files | |
| +# will be written to this directory, so be sure that the directory permissions | |
| +# are secure. | |
| +# | |
| +# The installer program will set the default directory. If this default is | |
| +# subsequently commented out or removed, then the program will assume a | |
| +# default directory beneath the installation directory. | |
| # | |
| -DBDIR=/var/lib/rkhunter/db | |
| +#TMPDIR=/var/lib/rkhunter/tmp | |
| +TMPDIR=/var/lib/rkhunter | |
| + | |
| # | |
| -# Specify the script directory to use. | |
| +# This option specifies the database directory to use. | |
| # | |
| -SCRIPTDIR=/usr/share/rkhunter/scripts | |
| +# The installer program will set the default directory. If this default is | |
| +# subsequently commented out or removed, then the program will assume a | |
| +# default directory beneath the installation directory. | |
| +# | |
| +#DBDIR=/var/lib/rkhunter/db | |
| +DBDIR=/var/lib/rkhunter/db | |
| + | |
| # | |
| -# Specify the root directory to use. | |
| +# This option specifies the script directory to use. | |
| # | |
| -#ROOTDIR="" | |
| +# The installer program will set the default directory. If this default is | |
| +# subsequently commented out or removed, then the program will not run. | |
| # | |
| -# Specify the command directories to be checked. This is a | |
| -# space-separated list of directories. | |
| +#SCRIPTDIR=/usr/local/lib/rkhunter/scripts | |
| +SCRIPTDIR=/usr/share/rkhunter/scripts | |
| + | |
| # | |
| -#BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec" | |
| +# This option can be used to modify the command directory list used by rkhunter | |
| +# to locate commands (that is, its PATH). By default this will be the root PATH, | |
| +# and an internal list of some common command directories. | |
| +# | |
| +# Any directories specified here will, by default, be appended to the default | |
| +# list. However, if a directory name begins with the '+' character, then that | |
| +# directory will be prepended to the list (that is, it will be put at the start | |
| +# of the list). | |
| # | |
| -# This setting tells rkhunter the directory containing the available | |
| -# kernel modules. This setting will be worked out by rkhunter, and | |
| -# so should not usually need to be set. | |
| +# This is a space-separated list of directory names. The option may be | |
| +# specified more than once. | |
| # | |
| -#MODULES_DIR="" | |
| -INSTALLDIR="/usr" | |
| +# The default value is based on the root account PATH environment variable. | |
| +# | |
| +#BINDIR=/bin /usr/bin /sbin /usr/sbin | |
| +#BINDIR=+/usr/local/bin +/usr/local/sbin | |
| + | |
| # | |
| -# Specify the language to use. This should be similar | |
| -# to the ISO 639 language code. | |
| +# This option specifies the default language to use. This should be similar to | |
| +# the ISO 639 language code. | |
| # | |
| # NOTE: Please ensure that the language you specify is supported. | |
| -# For a list of supported languages use the following command: | |
| +# For a list of supported languages use the following command: | |
| # | |
| -# rkhunter --lang en --list languages | |
| +# rkhunter --lang en --list languages | |
| +# | |
| +# The default language is 'en' (English). | |
| # | |
| #LANGUAGE=en | |
| + | |
| # | |
| -# Specify the log file pathname. | |
| +# This option is a space-separated list of the languages that are to be updated | |
| +# when the '--update' option is used. If unset, then all the languages will be | |
| +# updated. If none of the languages are to be updated, then set this option to | |
| +# just 'en'. | |
| # | |
| -# NOTE: This option should be present in the configuration file. | |
| +# The default language, specified by the LANGUAGE option, and the English (en) | |
| +# language file will always be updated regardless of this option. | |
| # | |
| +# This option may be specified more than once. | |
| +# | |
| +# The default value is the null string, indicating that all the language files | |
| +# will be updated. | |
| +# | |
| +#UPDATE_LANG="" | |
| + | |
| +# | |
| +# This option specifies the log file pathname. The file will be created if it | |
| +# does not initially exist. If the option is unset, then the program will | |
| +# display a message each time it is run saying that the default value is being | |
| +# used. | |
| +# | |
| +# The default value is '/var/log/rkhunter.log'. | |
| +# | |
| +#LOGFILE=/var/log/rkhunter.log | |
| LOGFILE=/var/log/rkhunter/rkhunter.log | |
| + | |
| +# | |
| +# Set this option to '1' if the log file is to be appended to whenever rkhunter | |
| +# is run. A value of '0' will cause a new log file to be created whenever the | |
| +# program is run. | |
| # | |
| -# Set the following option to 1 if the log file is to be appended to | |
| -# whenever rkhunter is run. | |
| +# The default value is '0'. | |
| # | |
| +#APPEND_LOG=0 | |
| APPEND_LOG=1 | |
| + | |
| # | |
| -# Set the following option to enable the rkhunter check start and finish | |
| -# times to be logged by syslog. Warning messages will also be logged. | |
| -# The value of the option must be a standard syslog facility and | |
| -# priority, separated by a dot. | |
| +# Set the following option to '1' if the log file is to be copied when rkhunter | |
| +# finishes and an error or warning has occurred. The copied log file name will | |
| +# be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format). | |
| +# For example: rkhunter.log.2009-04-21_00:57:51 | |
| +# If the option value is '0', then the log file will not be copied regardless | |
| +# of whether any errors or warnings occurred. | |
| # | |
| -# For example: USE_SYSLOG=authpriv.warning | |
| +# The default value is '0'. | |
| # | |
| -# Setting the value to 'none', or just leaving the option commented out, | |
| +#COPY_LOG_ON_ERROR=0 | |
| + | |
| +# | |
| +# Set the following option to enable the rkhunter check start and finish times | |
| +# to be logged by syslog. Warning messages will also be logged. The value of | |
| +# the option must be a standard syslog facility and priority, separated by a | |
| +# dot. For example: | |
| +# | |
| +# USE_SYSLOG=authpriv.warning | |
| +# | |
| +# Setting the value to 'NONE', or just leaving the option commented out, | |
| # disables the use of syslog. | |
| # | |
| +# The default value is not to use syslog. | |
| +# | |
| #USE_SYSLOG=authpriv.notice | |
| +USE_SYSLOG=authpriv.notice | |
| + | |
| +# | |
| +# Set the following option to '1' if the second colour set is to be used. This | |
| +# can be useful if your screen uses black characters on a white background | |
| +# (for example, a PC instead of a server). A value of '0' will cause the default | |
| +# colour set to be used. | |
| +# | |
| +# The default value is '0'. | |
| +# | |
| +#COLOR_SET2=0 | |
| + | |
| +# | |
| +# Set the following option to '0' if rkhunter should not detect if X is being | |
| +# used. If X is detected as being used, then the second colour set will | |
| +# automatically be used. If set to '1', then the use of X will be detected. | |
| # | |
| -# Set the following option to 1 if the second colour set is to be used. | |
| -# This can be useful if your screen uses black characters on a white | |
| -# background (for example, a PC instead of a server). | |
| -# | |
| -COLOR_SET2=0 | |
| -# | |
| -# Set the following option to 0 if rkhunter should not detect if X is | |
| -# being used. If X is detected as being used, then the second colour | |
| -# set will automatically be used. | |
| +# The default value is '0'. | |
| # | |
| AUTO_X_DETECT=1 | |
| + | |
| +# | |
| +# Set the following option to '1' if it is wanted that any 'Whitelisted' results | |
| +# are shown in white rather than green. For colour set 2 users, setting this | |
| +# option will cause the result to be shown in black. Setting the option to '0' | |
| +# causes whitelisted results to be displayed in green. | |
| +# | |
| +# The default value is '0'. | |
| +# | |
| +#WHITELISTED_IS_WHITE=0 | |
| + | |
| # | |
| # The following option is checked against the SSH configuration file | |
| -# 'PermitRootLogin' option. A warning will be displayed if they do not | |
| -# match. However, if a value has not been set in the SSH configuration | |
| -# file, then a value here of 'yes' or 'unset' will not cause a warning. | |
| -# This option has a default value of 'no'. | |
| +# 'PermitRootLogin' option. A warning will be displayed if they do not match. | |
| +# However, if a value has not been set in the SSH configuration file, then a | |
| +# value here of 'unset' can be used to avoid warning messages. | |
| # | |
| -ALLOW_SSH_ROOT_USER=yes | |
| +# The default value is 'no'. | |
| +# | |
| +#ALLOW_SSH_ROOT_USER=no | |
| +ALLOW_SSH_ROOT_USER=unset | |
| + | |
| # | |
| # Set this option to '1' to allow the use of the SSH-1 protocol, but note | |
| # that theoretically it is weaker, and therefore less secure, than the | |
| @@ -173,120 +319,275 @@ | |
| # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 | |
| # authentication). If the 'Protocol' option has not been set in the SSH | |
| # configuration file, then a value of '2' may be set here in order to | |
| -# suppress a warning message. This option has a default value of '0'. | |
| +# suppress a warning message. A value of '0' indicates that the use of | |
| +# SSH-1 is not allowed. | |
| # | |
| -ALLOW_SSH_PROT_V1=0 | |
| +# The default value is '0'. | |
| +# | |
| +#ALLOW_SSH_PROT_V1=0 | |
| + | |
| # | |
| # This setting tells rkhunter the directory containing the SSH configuration | |
| # file. This setting will be worked out by rkhunter, and so should not | |
| # usually need to be set. | |
| # | |
| +# This option has no default value. | |
| +# | |
| #SSH_CONFIG_DIR=/etc/ssh | |
| + | |
| # | |
| -# These two options determine which tests are to be performed. | |
| -# The ENABLE_TESTS option can use the word 'all' to refer to all the | |
| -# available tests. The DISABLE_TESTS option can use the word 'none' to | |
| -# mean that no tests are disabled. The list of disabled tests is applied to | |
| -# the list of enabled tests. Both options are space-separated lists of test | |
| -# names. The currently available test names can be seen by using the command | |
| -# 'rkhunter --list tests'. | |
| -# | |
| -# The program defaults are to enable all tests and disable none. However, if | |
| -# either option is specified in this file, then it overrides the program | |
| -# default. The supplied rkhunter.conf file has some tests already disabled, | |
| -# and these are tests that will be used only incidentally, can be considered | |
| -# "advanced" or those that are prone to produce more than the "average" number | |
| -# of "false positives". | |
| +# These two options determine which tests are to be performed. The ENABLE_TESTS | |
| +# option can use the word 'ALL' to refer to all of the available tests. The | |
| +# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are | |
| +# disabled. The list of disabled tests is applied to the list of enabled tests. | |
| +# | |
| +# Both options are space-separated lists of test names, and both options may | |
| +# be specified more than once. The currently available test names can be seen | |
| +# by using the command 'rkhunter --list tests'. | |
| +# | |
| +# The supplied configuration file has some tests already disabled, and these | |
| +# are tests that will be used only occasionally, can be considered 'advanced' | |
| +# or that are prone to produce more than the average number of false-positives. | |
| # | |
| # Please read the README file for more details about enabling and disabling | |
| # tests, the test names, and how rkhunter behaves when these options are used. | |
| # | |
| -ENABLE_TESTS="all" | |
| -DISABLE_TESTS=apps suspscan system_commands | |
| +# The default values are to enable all tests and to disable none. However, if | |
| +# either of the options below are specified, then they will override the | |
| +# program defaults. | |
| +# | |
| +ENABLE_TESTS=ALL | |
| +DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps | |
| + | |
| # | |
| -# The HASH_FUNC option can be used to specify the command to use | |
| -# for the file hash value check. It can be specified as just | |
| -# the command name or the full pathname. Systems using prelinking | |
| -# are restricted to using either SHA1 or MD5 functions. To get rkhunter | |
| -# to look for the sha1(sum)/md5(sum) command, or to use the supplied | |
| -# perl scripts, simply specify this option as 'SHA1' or 'MD5' in | |
| -# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found. | |
| -# | |
| -# A value of 'NONE' (in uppercase) can be specified to indicate that | |
| -# no hash function should be used. Rootkit Hunter will detect this and | |
| -# automatically disable the file hash checks. | |
| +# The HASH_CMD option can be used to specify the command to use for the file | |
| +# properties hash value check. It can be specified as just the command name or | |
| +# the full pathname. If just the command name is given, and it is one of MD5, | |
| +# SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the | |
| +# relevant command, such as 'sha256sum', and then for 'sha256'. If neither of | |
| +# these are found, it will then look to see if a perl module has been installed | |
| +# which will support the relevant hash function. To see which perl modules have | |
| +# been installed use the command 'rkhunter --list perl'. | |
| +# | |
| +# Systems using prelinking are restricted to using either the SHA1 or MD5 | |
| +# function. | |
| +# | |
| +# A value of 'NONE' (in uppercase) can be specified to indicate that no hash | |
| +# function should be used. Rkhunter will detect this, and automatically disable | |
| +# the file properties hash check test. | |
| # | |
| # Examples: | |
| -# For Solaris 9 : HASH_FUNC=gmd5sum | |
| -# For Solaris 10: HASH_FUNC=sha1sum | |
| -# For AIX (>5.2): HASH_FUNC="csum -hMD5" | |
| -# For NetBSD : HASH_FUNC="cksum -a sha512" | |
| -# | |
| -# NOTE: If the hash function is changed then you MUST run rkhunter with | |
| -# the '--propupd' option to rebuild the file properties database. | |
| -# | |
| -#HASH_FUNC=sha1sum | |
| -# | |
| -# The HASH_FLD_IDX option specifies which field from the HASH_FUNC | |
| -# command output contains the hash value. The fields are assumed to | |
| -# be space-separated. The default value is one, but for *BSD users | |
| -# rkhunter will, by default, use a value of 4 if the HASH_FUNC option | |
| -# has not been set. The option value must be a positive integer. | |
| +# For Solaris 9 : HASH_CMD=gmd5sum | |
| +# For Solaris 10: HASH_CMD=sha1sum | |
| +# For AIX (>5.2): HASH_CMD="csum -hMD5" | |
| +# For NetBSD : HASH_CMD="cksum -a sha512" | |
| # | |
| -#HASH_FLD_IDX=4 | |
| +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. | |
| +# | |
| +# The default value is the SHA1 function, or MD5 if SHA1 cannot be found. | |
| # | |
| -# The PKGMGR option tells rkhunter to use the specified package manager | |
| -# to obtain the file property information. This is used when updating | |
| -# the file properties file ('rkhunter.dat'), and when running the file | |
| -# properties check. For RedHat/RPM-based systems, 'RPM' can be used | |
| -# to get information from the RPM database. For Debian-based systems | |
| -# 'DPKG' can be used, and for *BSD systems 'BSD' can be used. | |
| -# No value, or a value of 'NONE', indicates that no package manager | |
| -# is to be used. The default is 'NONE'. | |
| +# Also see the HASH_FLD_IDX option. | |
| # | |
| -# The current package managers store the file hash values using an | |
| -# MD5 hash function. | |
| +#HASH_CMD=sha1sum | |
| + | |
| +# | |
| +# The HASH_FLD_IDX option specifies which field from the HASH_CMD command | |
| +# output contains the hash value. The fields are assumed to be space-separated. | |
| +# | |
| +# The option value must be an integer greater than zero. | |
| +# | |
| +# The default value is '1', but for *BSD users rkhunter will, by default, use a | |
| +# value of '4' if the HASH_CMD option has not been set. | |
| +# | |
| +#HASH_FLD_IDX=4 | |
| + | |
| +# | |
| +# The PKGMGR option tells rkhunter to use the specified package manager to | |
| +# obtain the file property information. This is used when updating the file | |
| +# properties file ('rkhunter.dat'), and when running the file properties check. | |
| +# For RedHat/RPM-based systems, 'RPM' can be used to get information from the | |
| +# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems | |
| +# 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value, | |
| +# or a value of 'NONE', indicates that no package manager is to be used. | |
| +# | |
| +# The current package managers, except 'SOLARIS', store the file hash values | |
| +# using an MD5 hash function. The Solaris package manager includes a checksum | |
| +# value, but this is not used by default (see USE_SUNSUM below). | |
| # | |
| # The 'DPKG' and 'BSD' package managers only provide MD5 hash values. | |
| # The 'RPM' package manager additionally provides values for the inode, | |
| -# file permissions, uid, gid and other values. | |
| +# file permissions, uid, gid and other values. The 'SOLARIS' also provides | |
| +# most of the values, similar to 'RPM', but not the inode number. | |
| +# | |
| +# For any file not part of a package, rkhunter will revert to using the | |
| +# HASH_CMD hash function instead. | |
| +# | |
| +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. | |
| # | |
| -# For any file not part of a package, rkhunter will revert to using | |
| -# the HASH_FUNC hash function instead. | |
| +# The default value is 'NONE'. | |
| # | |
| +# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options. | |
| +# | |
| +#PKGMGR=NONE | |
| PKGMGR=RPM | |
| + | |
| # | |
| -# Whitelist the hash (content) for the specified files. Only useful | |
| -# for cases where e.g. the package manager is unable to verify the | |
| -# content, or where the content is known to change | |
| -# otherwise. Specifying a file name here does not include it being | |
| -# whitelisted for the attribute/write/script tests below. One command | |
| -# per line (use multiple HASHWHITELIST lines). | |
| -#HASHWHITELIST=/usr/bin/lsattr | |
| +# It is possible that a file, which is part of a package, may have been | |
| +# modified by the administrator. Typically this occurs for configuration | |
| +# files. However, the package manager may list the file as being modified. | |
| +# For the RPM package manager this may well depend on how the package was | |
| +# built. This option specifies a pathname which is to be exempt from the | |
| +# package manager verification process, and which will be treated | |
| +# as a non-packaged file. As such, the file properties are still checked. | |
| # | |
| -# Whitelist various attributes of the specified files. | |
| -# The attributes are those of the 'attributes' test. | |
| -# Specifying a file name here does not include it being | |
| -# whitelisted for the write permission test below. | |
| -# One command per line (use multiple ATTRWHITELIST lines). | |
| +# This option only takes effect if the PKGMGR option has been set, and | |
| +# is not 'NONE'. | |
| # | |
| -#ATTRWHITELIST=/bin/ps | |
| +# This option may be specified more than once. | |
| # | |
| -# Allow the specified commands to have the 'others' | |
| -# (world) permission have the write-bit set. | |
| +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. | |
| # | |
| -# For example, files with permissions r-xr-xrwx | |
| -# or rwxrwxrwx. | |
| +# The default value is the null string. | |
| # | |
| -# One command per line (use multiple WRITEWHITELIST lines). | |
| +#PKGMGR_NO_VRFY="" | |
| + | |
| # | |
| -#WRITEWHITELIST=/bin/ps | |
| +# If the 'SOLARIS' package manager is used, then it is possible to use the | |
| +# checksum (hash) value stored for a file. However, this is only a 16-bit | |
| +# checksum, and as such is not nearly as secure as, for example, a SHA-2 value. | |
| +# If the option is set to '0', then the checksum is not used and the hash | |
| +# function given by HASH_CMD is used instead. To enable this option, set its | |
| +# value to '1'. The Solaris 'sum' command must be present on the system if this | |
| +# option is used. | |
| # | |
| -# Allow the specified commands to be scripts. | |
| -# One command per line (use multiple SCRIPTWHITELIST lines). | |
| +# The default value is '0'. | |
| +# | |
| +#USE_SUNSUM=0 | |
| + | |
| +# | |
| +# This option can be used to tell rkhunter to ignore any prelink dependency | |
| +# errors for the given commands. However, a warning will also be issued if the | |
| +# error does not occur for a given command. As such this option must only be | |
| +# used on commands which experience a persistent problem. | |
| +# | |
| +# Short-term prelink dependency errors can usually be resolved simply by | |
| +# running the 'prelink' command on the given pathname. | |
| +# | |
| +# This is a space-separated list of command pathnames. The option can be | |
| +# specified more than once. | |
| +# | |
| +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. | |
| +# | |
| +# The default value is the null string. | |
| +# | |
| +#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top | |
| + | |
| +# | |
| +# These options specify a command, directory or file pathname which will be | |
| +# included or excluded in the file properties checks. | |
| +# | |
| +# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example, | |
| +# 'top' - and directory names are added to the internal list of directories to | |
| +# be searched for each of the command names in the command list. Additionally, | |
| +# full pathnames to files, which need not be commands, may be given. Any files | |
| +# or directories which are already part of the internal lists will be silently | |
| +# ignored from the configuration. | |
| +# | |
| +# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for | |
| +# simple command names. | |
| +# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. | |
| +# | |
| +# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS | |
| +# option. Wildcards may be used with this option. | |
| +# | |
| +# By combining these two options, and using wildcards, whole directories can be | |
| +# excluded. For example: | |
| +# | |
| +# USER_FILEPROP_FILES_DIRS=/etc/* | |
| +# USER_FILEPROP_FILES_DIRS=/etc/*/* | |
| +# EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/* | |
| +# | |
| +# This will look for files in the first two directory levels of '/etc'. However, | |
| +# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be | |
| +# excluded. | |
| +# | |
| +# NOTE: Only files and directories which have been added by the user, and are | |
| +# not part of the internal lists, can be excluded. So, for example, it is not | |
| +# possible to exclude the 'ps' command by using '/bin/ps'. These will be | |
| +# silently ignored from the configuration. | |
| +# | |
| +# Both options can be specified more than once. | |
| +# | |
| +# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run. | |
| +# | |
| +# The default value for both options is the null string. | |
| +# | |
| +#USER_FILEPROP_FILES_DIRS=top | |
| +#USER_FILEPROP_FILES_DIRS=/usr/local/sbin | |
| +#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf | |
| +#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local | |
| +#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/* | |
| +#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/* | |
| +#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps* | |
| +#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat | |
| +#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter* | |
| + | |
| +# | |
| +# This option whitelists files and directories from existing, or not existing, | |
| +# on the system at the time of testing. This option is used when the | |
| +# configuration file options themselves are checked, and during the file | |
| +# properties check, the hidden files and directories checks, and the filesystem | |
| +# check of the '/dev' directory. | |
| +# | |
| +# This option may be specified more than once, and may use wildcards. | |
| +# Be aware though that this is probably not what you want to do as the | |
| +# wildcarding will be expanded after files have been deleted. As such | |
| +# deleted files won't be whitelisted if wildcarded. | |
| +# | |
| +# NOTE: The user must take into consideration how often the file will appear | |
| +# and disappear from the system in relation to how often rkhunter is run. If | |
| +# the file appears, and disappears, too often then rkhunter may not notice | |
| +# this. All it will see is that the file has changed. The inode-number and DTM | |
| +# will certainly be different for each new file, and rkhunter will report this. | |
| +# | |
| +# The default value is the null string. | |
| +# | |
| +#EXISTWHITELIST="" | |
| +EXISTWHITELIST=/var/log/pki-ca/system | |
| +# FreeIPA Certificate Authority | |
| +EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system | |
| +# Some non default installed files we check | |
| +EXISTWHITELIST=/usr/bin/GET | |
| +EXISTWHITELIST=/usr/bin/whatis | |
| + | |
| +# | |
| +# Whitelist various attributes of the specified file. The attributes are those | |
| +# of the 'attributes' test. Specifying a file name here does not include it | |
| +# being whitelisted for the write permission test (see below). | |
| +# | |
| +# This option may be specified more than once, and may use wildcard characters. | |
| +# | |
| +# The default value is the null string. | |
| +# | |
| +#ATTRWHITELIST=/usr/bin/date | |
| + | |
| +# | |
| +# Allow the specified file to have the 'others' (world) permission have the | |
| +# write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx. | |
| +# | |
| +# This option may be specified more than once, and may use wildcard characters. | |
| +# | |
| +# The default value is the null string. | |
| +# | |
| +#WRITEWHITELIST=/usr/bin/date | |
| + | |
| +# | |
| +# Allow the specified file to be a script. | |
| +# | |
| +# This option may be specified more than once, and may use wildcard characters. | |
| +# | |
| +# The default value is the null string. | |
| # | |
| -#SCRIPTWHITELIST=/sbin/ifup | |
| -#SCRIPTWHITELIST=/sbin/ifdown | |
| #SCRIPTWHITELIST=/usr/bin/groups | |
| SCRIPTWHITELIST=/usr/bin/whatis | |
| SCRIPTWHITELIST=/usr/bin/ldd | |
| @@ -294,270 +595,714 @@ | |
| SCRIPTWHITELIST=/usr/bin/GET | |
| SCRIPTWHITELIST=/sbin/ifup | |
| SCRIPTWHITELIST=/sbin/ifdown | |
| + | |
| # | |
| -# Allow the specified commands to have the immutable attribute set. | |
| -# One command per line (use multiple IMMUTWHITELIST lines). | |
| -# | |
| -#IMMUTWHITELIST=/sbin/ifup | |
| -# | |
| -# Allow the following applications, or a specific version of an application, | |
| -# to be whitelisted. This option is a space-separated list consisting of the | |
| -# application names. If a specific version is to be whitelisted, then the | |
| -# name must be followed by a colon and then the version number. | |
| +# Allow the specified file to have the immutable attribute set. | |
| # | |
| -# For example: APP_WHITELIST="openssl:0.9.7d gpg" | |
| +# This option may be specified more than once, and may use wildcard characters. | |
| # | |
| -#APP_WHITELIST="" | |
| +# The default value is the null string. | |
| # | |
| -# The following option can be used to whitelist network ports which | |
| -# are known to have been used by malware. The option is a space- | |
| -# separated list of one or more of three types of whitelisting. | |
| -# These are: | |
| +#IMMUTWHITELIST=/sbin/ifdown | |
| + | |
| # | |
| -# 1) a 'protocol:port' pair (e.g. TCP:25) | |
| -# 2) a pathname to an executable (e.g. /usr/sbin/squid) | |
| -# 3) an asterisk ('*') | |
| -# | |
| -# Only the UDP or TCP protocol may be specified, and the port number | |
| -# must be between 1 and 65535 inclusive. | |
| -# | |
| -# The asterisk can be used to indicate that any executable in a trusted | |
| -# path directory will be whitelisted. A trusted path directory is one which | |
| -# rkhunter uses to locate commands. It is composed of the root PATH | |
| -# environment variable, and the BINDIR command-line or configuration | |
| -# file option. | |
| +# If this option is set to '1', then the immutable-bit test is reversed. That | |
| +# is, the files are expected to have the bit set. A value of '0' means that the | |
| +# immutable-bit should not be set. | |
| # | |
| -# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" | |
| +# The default value is '0'. | |
| # | |
| -#PORT_WHITELIST="" | |
| +#IMMUTABLE_SET=0 | |
| + | |
| # | |
| -# The following two options can be used to whitelist files and directories | |
| -# that would normally be flagged with a warning during the rootkit checks. | |
| -# If the file or directory name contains a space, then the percent character | |
| -# ('%') must be used instead. Only existing files and directories can be | |
| -# specified. | |
| +# Allow the specified hidden directory to be whitelisted. | |
| # | |
| -#RTKT_DIR_WHITELIST="" | |
| -#RTKT_FILE_WHITELIST="" | |
| +# This option may be specified more than once, and may use wildcard characters. | |
| # | |
| -# Allow the specified hidden directories. | |
| -# One directory per line (use multiple ALLOWHIDDENDIR lines). | |
| +# The default value is the null string. | |
| # | |
| #ALLOWHIDDENDIR=/etc/.java | |
| -ALLOWHIDDENDIR=/dev/.udev | |
| +ALLOWHIDDENDIR=/etc/.java | |
| +#ALLOWHIDDENDIR=/dev/.udev | |
| #ALLOWHIDDENDIR=/dev/.udevdb | |
| -#ALLOWHIDDENDIR=/dev/.udev.tdb | |
| -#ALLOWHIDDENDIR=/dev/.static | |
| -#ALLOWHIDDENDIR=/dev/.initramfs | |
| -#ALLOWHIDDENDIR=/dev/.SRC-unix | |
| +#ALLOWHIDDENDIR=/dev/.mdadm | |
| +ALLOWHIDDENDIR=/dev/.udev | |
| +ALLOWHIDDENDIR=/dev/.udevdb | |
| +ALLOWHIDDENDIR=/dev/.udev.tdb | |
| +ALLOWHIDDENDIR=/dev/.udev/db | |
| +ALLOWHIDDENDIR=/dev/.udev/rules.d | |
| +ALLOWHIDDENDIR=/dev/.static | |
| +ALLOWHIDDENDIR=/dev/.initramfs | |
| +ALLOWHIDDENDIR=/dev/.SRC-unix | |
| +ALLOWHIDDENDIR=/dev/.mdadm | |
| +ALLOWHIDDENDIR=/dev/.systemd | |
| +ALLOWHIDDENDIR=/dev/.mount | |
| +# for etckeeper | |
| +ALLOWHIDDENDIR=/etc/.git | |
| +ALLOWHIDDENDIR=/etc/.bzr | |
| + | |
| # | |
| -# Allow the specified hidden files. | |
| -# One file per line (use multiple ALLOWHIDDENFILE lines). | |
| +# Allow the specified hidden file to be whitelisted. | |
| # | |
| -#ALLOWHIDDENFILE=/etc/.java | |
| -ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz | |
| -#ALLOWHIDDENFILE=/etc/.pwd.lock | |
| -#ALLOWHIDDENFILE=/etc/.init.state | |
| +# This option may be specified more than once, and may use wildcard characters. | |
| # | |
| -# Allow the specified processes to use deleted files. | |
| -# One process per line (use multiple ALLOWPROCDELFILE lines). | |
| +# The default value is the null string. | |
| +# | |
| +#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz | |
| +ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz | |
| +#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac | |
| +#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac | |
| +#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac | |
| +#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac | |
| +#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac | |
| +#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac | |
| +ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac | |
| +ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac | |
| +ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac | |
| +ALLOWHIDDENFILE=/usr/bin/.ssh.hmac | |
| +ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac | |
| +ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac | |
| +ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac | |
| +ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac | |
| +ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac | |
| +ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac | |
| +ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac | |
| +ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac | |
| +ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac | |
| +ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac | |
| +ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac | |
| +ALLOWHIDDENFILE=/dev/.mdadm.map | |
| +ALLOWHIDDENFILE=/dev/.udev/queue.bin | |
| +ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz | |
| +ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz | |
| +ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac | |
| +ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac | |
| +# etckeeper | |
| +ALLOWHIDDENFILE=/etc/.etckeeper | |
| +ALLOWHIDDENFILE=/etc/.gitignore | |
| +ALLOWHIDDENFILE=/etc/.bzrignore | |
| + | |
| # | |
| -# The process name may be followed by a colon-separated list | |
| -# of full pathnames. The process will then only be whitelisted | |
| -# if it is using one of the given files. For example: | |
| +# Allow the specified process to use deleted files. The process name may be | |
| +# followed by a colon-separated list of full pathnames. The process will then | |
| +# only be whitelisted if it is using one of the given files. For example: | |
| # | |
| # ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz | |
| # | |
| +# This option may be specified more than once. It may also use wildcards, but | |
| +# only in the file names. | |
| +# | |
| +# The default value is the null string. | |
| +# | |
| #ALLOWPROCDELFILE=/sbin/cardmgr | |
| -#ALLOWPROCDELFILE=/usr/sbin/gpm | |
| -#ALLOWPROCDELFILE=/usr/libexec/gconfd-2 | |
| -#ALLOWPROCDELFILE=/usr/sbin/mysqld | |
| -ALLOWPROCDELFILE=(deleted) | |
| -ALLOWPROCDELFILE=/usr/bin/freshclam | |
| -ALLOWPROCDELFILE=/usr/bin/perl | |
| -ALLOWPROCDELFILE=/usr/bin/python | |
| -ALLOWPROCDELFILE=/usr/libexec/dovecot/imap | |
| -ALLOWPROCDELFILE=/usr/sbin/asterisk | |
| -ALLOWPROCDELFILE=/usr/sbin/httpd | |
| +#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib* | |
| + | |
| +# | |
| +# Allow the specified process to listen on any network interface. | |
| # | |
| -# Allow the specified processes to listen on any network interface. | |
| -# One process per line (use multiple ALLOWPROCLISTEN lines). | |
| +# This option may be specified more than once, and may use wildcard characters. | |
| # | |
| -ALLOWPROCLISTEN=/sbin/dhclient | |
| -ALLOWPROCLISTEN=/usr/sbin/dhcpd | |
| +# The default value is the null string. | |
| +# | |
| +#ALLOWPROCLISTEN=/sbin/dhclient | |
| #ALLOWPROCLISTEN=/usr/bin/dhcpcd | |
| -ALLOWPROCLISTEN=/usr/sbin/pppoe | |
| #ALLOWPROCLISTEN=/usr/sbin/tcpdump | |
| #ALLOWPROCLISTEN=/usr/sbin/snort-plain | |
| -#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant | |
| + | |
| # | |
| -# Allow the specified files to be present in the /dev directory, | |
| -# and not regarded as suspicious. One file per line (use multiple | |
| -# ALLOWDEVFILE lines). | |
| +# Allow the specified network interfaces to be in promiscuous mode. | |
| # | |
| -#ALLOWDEVFILE=/dev/abc | |
| -ALLOWDEVFILE=/dev/shm/pulse-shm-* | |
| +# This is a space-separated list of interface names. The option may be | |
| +# specified more than once. | |
| +# | |
| +# The default value is the null string. | |
| +# | |
| +#ALLOWPROMISCIF=eth0 | |
| + | |
| +# | |
| +# This option specifies how rkhunter should scan the '/dev' directory for | |
| +# suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'. | |
| # | |
| -# SCAN_MODE_DEV governs how we scan /dev for suspicious files. | |
| -# The two allowed options are: THOROUGH or LAZY. | |
| -# If commented out we do a THOROUGH scan which will increase the runtime. | |
| -# Even though this adds to the running time it is highly recommended to | |
| -# leave it like this. | |
| +# A THOROUGH scan will increase the overall runtime of rkhunter. Despite this, | |
| +# it is highly recommended that this value is used. | |
| +# | |
| +# The default value is 'THOROUGH'. | |
| +# | |
| +# Also see the ALLOWDEVFILE option. | |
| # | |
| #SCAN_MODE_DEV=THOROUGH | |
| + | |
| +# | |
| +# Allow the specified file to be present in the '/dev' directory, and not | |
| +# regarded as suspicious. | |
| +# | |
| +# This option may be specified more than once, and may use wildcard characters. | |
| # | |
| -# This setting tells rkhunter where the inetd configuration | |
| -# file is located. | |
| +# The default value is the null string. | |
| +# | |
| +#ALLOWDEVFILE=/dev/shm/pulse-shm-* | |
| +#ALLOWDEVFILE=/dev/shm/sem.ADBE_* | |
| +ALLOWDEVFILE=/dev/shm/pulse-shm-* | |
| +ALLOWDEVFILE=/dev/md/md-device-map | |
| +# tomboy creates this one | |
| +ALLOWDEVFILE="/dev/shm/mono.*" | |
| +# created by libv4l | |
| +ALLOWDEVFILE="/dev/shm/libv4l-*" | |
| +# created by spice video | |
| +ALLOWDEVFILE="/dev/shm/spice.*" | |
| +ALLOWDEVFILE=/dev/.mdadm.map | |
| +ALLOWDEVFILE=/dev/.udev/queue.bin | |
| +ALLOWDEVFILE=/dev/.udev/db/* | |
| +ALLOWDEVFILE=/dev/.udev/rules.d/99-root.rules | |
| +# created by mdadm | |
| +ALLOWDEVFILE="/dev/md/autorebuild.pid" | |
| +# 389 Directory Server | |
| +ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats | |
| + | |
| +# | |
| +# This option is used to indicate if the Phalanx2 test is to perform a basic | |
| +# check, or a more thorough check. If the option is set to '0', then a basic | |
| +# check is performed. If it is set to '1', then all the directories in the | |
| +# '/etc' and '/usr' directories are scanned. | |
| +# | |
| +# NOTE: Setting this option to '1' will cause the test to take longer | |
| +# to complete. | |
| +# | |
| +# The default value is '0'. | |
| +# | |
| +#PHALANX2_DIRTEST=0 | |
| + | |
| +# | |
| +# This option tells rkhunter where the inetd configuration file is located. | |
| +# | |
| +# The default value is the null string. | |
| # | |
| #INETD_CONF_PATH=/etc/inetd.conf | |
| + | |
| +# | |
| +# This option allows the specified enabled inetd services. | |
| +# | |
| +# This is a space-separated list of service names. The option may be specified | |
| +# more than once. | |
| +# | |
| +# For non-Solaris users the simple service name should be used. | |
| +# For example: | |
| +# | |
| +# INETD_ALLOWED_SVC=echo | |
| # | |
| -# Allow the following enabled inetd services. | |
| -# Only one service per line (use multiple INETD_ALLOWED_SVC lines). | |
| +# For Solaris 9 users the simple service name should also be used, but | |
| +# if it is an RPC service, then the executable pathname should be used. | |
| +# For example: | |
| # | |
| -# Below are some Solaris 9 and 10 services that may want to be whitelisted. | |
| +# INETD_ALLOWED_SVC=imaps | |
| +# INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd | |
| +# | |
| +# For Solaris 10 users the service/FMRI name should be used. For example: | |
| +# | |
| +# INETD_ALLOWED_SVC=/network/rpc/meta | |
| +# INETD_ALLOWED_SVC=/network/rpc/metamed | |
| +# INETD_ALLOWED_SVC=/application/font/stfsloader | |
| +# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord | |
| +# | |
| +# The default value is the null string. | |
| # | |
| #INETD_ALLOWED_SVC=echo | |
| -#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd | |
| -#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto | |
| -#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd | |
| -#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad | |
| -#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd | |
| -#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd | |
| -#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd | |
| -#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd | |
| -#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd | |
| -#INETD_ALLOWED_SVC=/usr/lib/gss/gssd | |
| -#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader | |
| -#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd | |
| -#INETD_ALLOWED_SVC=/network/rpc/mdcomm | |
| -#INETD_ALLOWED_SVC=/network/rpc/meta | |
| -#INETD_ALLOWED_SVC=/network/rpc/metamed | |
| -#INETD_ALLOWED_SVC=/network/rpc/metamh | |
| -#INETD_ALLOWED_SVC=/network/security/ktkt_warn | |
| -#INETD_ALLOWED_SVC=/application/x11/xfs | |
| -#INETD_ALLOWED_SVC=/application/print/rfc1179 | |
| -#INETD_ALLOWED_SVC=/application/font/stfsloader | |
| -#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord | |
| -#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp | |
| -#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp | |
| + | |
| # | |
| -# This setting tells rkhunter where the xinetd configuration | |
| -# file is located. | |
| +# This option tells rkhunter where the xinetd configuration file is located. | |
| +# | |
| +# The default value is the null string. | |
| # | |
| #XINETD_CONF_PATH=/etc/xinetd.conf | |
| + | |
| +# | |
| +# This option allows the specified enabled xinetd services. Whilst it would be | |
| +# nice to use the service names themselves, at the time of testing we only have | |
| +# the pathname available. As such, these entries are the xinetd file pathnames. | |
| # | |
| -# Allow the following enabled xinetd services. Whilst it would be | |
| -# nice to use the service names themselves, at the time of testing | |
| -# we only have the pathname available. As such, these entries are | |
| -# the xinetd file pathnames. | |
| -# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines). | |
| +# This is a space-separated list of service names. The option may be specified | |
| +# more than once. | |
| +# | |
| +# The default value is the null string. | |
| # | |
| #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo | |
| + | |
| # | |
| -# This option tells rkhunter the local system startup file pathnames. | |
| -# It is a space-separated list of files and directories. The directories | |
| -# will be searched for files. By default rkhunter will use certain | |
| -# filenames and directories. If the option is set to 'none', then | |
| -# certain tests will be skipped. | |
| +# This option tells rkhunter the local system startup file pathnames. The | |
| +# directories will be searched for files. By default rkhunter will try and | |
| +# determine were the startup files are located. If the option is set to 'NONE', | |
| +# then certain tests will be skipped. | |
| # | |
| -#STARTUP_PATHS="/etc/rc.d /etc/rc.local" | |
| +# This is a space-separated list of file and directory pathnames. The option | |
| +# may be specified more than once, and may use wildcard characters. | |
| # | |
| -# This setting tells rkhunter the pathname to the syslog configuration | |
| -# file. This setting will be worked out by rkhunter, and so should not | |
| -# usually need to be set. | |
| +# This option has no default value. | |
| # | |
| -SYSLOG_CONFIG_FILE=/etc/rsyslog.conf | |
| +#STARTUP_PATHS=/etc/rc.d /etc/rc.local | |
| + | |
| # | |
| -# This setting tells rkhunter the pathname to the file containing the | |
| -# user account passwords. This setting will be worked out by rkhunter, | |
| -# and so should not usually need to be set. Users of TCB shadow files | |
| -# should not set this option. | |
| +# This option tells rkhunter the pathname to the file containing the user | |
| +# account passwords. This setting will be worked out by rkhunter, and so | |
| +# should not usually need to be set. Users of TCB shadow files should not | |
| +# set this option. | |
| +# | |
| +# This option has no default value. | |
| # | |
| #PASSWORD_FILE=/etc/shadow | |
| + | |
| # | |
| -# Allow the following accounts to be root equivalent. These accounts | |
| -# will have a UID value of zero. This option is a space-separated list | |
| -# of account names. The 'root' account does not need to be listed as it | |
| -# is automatically whitelisted. | |
| +# This option allows the specified accounts to be root equivalent. These | |
| +# accounts will have a UID value of zero. The 'root' account does not need | |
| +# to be listed as it is automatically whitelisted. | |
| # | |
| -# NOTE: For *BSD systems you may need to enable this for the 'toor' account. | |
| +# This is a space-separated list of account names. The option may be specified | |
| +# more than once. | |
| # | |
| -#UID0_ACCOUNTS="toor rooty" | |
| +# NOTE: For *BSD systems you will probably need to use this option for the | |
| +# 'toor' account. | |
| # | |
| -# Allow the following accounts to have no password. This option is a | |
| -# space-separated list of account names. NIS/YP entries do not need to | |
| -# be listed as they are automatically whitelisted. | |
| +# The default value is the null string. | |
| # | |
| -#PWDLESS_ACCOUNTS="abc" | |
| +#UID0_ACCOUNTS=toor rooty | |
| + | |
| # | |
| -# This setting tells rkhunter the pathname to the syslog configuration | |
| -# file. This setting will be worked out by rkhunter, and so should not | |
| -# usually need to be set. | |
| +# This option allows the specified accounts to have no password. NIS/YP entries | |
| +# do not need to be listed as they are automatically whitelisted. | |
| # | |
| -SYSLOG_CONFIG_FILE=/etc/rsyslog.conf | |
| +# This is a space-separated list of account names. The option may be specified | |
| +# more than once. | |
| # | |
| -# This option permits the use of syslog remote logging. | |
| +# The default value is the null string. | |
| # | |
| -ALLOW_SYSLOG_REMOTE_LOGGING=0 | |
| +#PWDLESS_ACCOUNTS=abc | |
| + | |
| # | |
| -# The following option can be used to tell rkhunter where the operating | |
| -# system 'release' file is located. This file contains information | |
| -# specifying the current O/S version. RKH will store this information | |
| -# itself, and check to see if it has changed between each run. If it has | |
| -# changed, then the user is warned that RKH may issue warning messages | |
| -# until RKH has been run with the '--propupd' option. | |
| +# This option tells rkhunter the pathname to the syslog configuration file. | |
| +# This setting will be worked out by rkhunter, and so should not usually need | |
| +# to be set. A value of 'NONE' can be used to indicate that there is no | |
| +# configuration file, but that the syslog daemon process may be running. | |
| # | |
| -# Since the contents of the file vary according to the O/S distribution, | |
| -# RKH will perform different actions when it detects the file itself. As | |
| -# such, this option should not be set unless necessary. If this option is | |
| -# specified, then RKH will assume the O/S release information is on the | |
| -# first non-blank line of the file. | |
| +# This is a space-separated list of pathnames. The option may be specified | |
| +# more than once. | |
| # | |
| -OS_VERSION_FILE="/etc/redhat-release" | |
| +# This option has no default value. | |
| # | |
| -# Scan for suspicious files in directories containing temporary files and | |
| -# directories posing a relatively higher risk due to user write access. | |
| -# Please do not enable by default as suspscan is CPU and I/O intensive and prone to | |
| -# producing false positives. Do review all settings before usage. | |
| -# Also be aware that running suspscan in combination with verbose logging on, | |
| -# RKH's default, will show all ignored files. | |
| -# Please consider adding all directories the user the (web)server runs as has | |
| -# write access to including the document root (example: "/var/www") and log | |
| -# directories (example: "/var/log/httpd"). | |
| +#SYSLOG_CONFIG_FILE=/etc/syslog.conf | |
| + | |
| # | |
| -# A space-separated list of directories to scan. | |
| +# If this option is set to '1', then the use of syslog remote logging is | |
| +# permitted. A value of '0' disallows the use of remote logging. | |
| # | |
| -SUSPSCAN_DIRS="/tmp /var/tmp" | |
| +# The default value is '0'. | |
| # | |
| -# Directory for temporary files. A memory-based one is better (faster). | |
| -# Do not use a directory name that is listed in SUSPSCAN_DIRS. | |
| -# Please make sure you have a tempfs mounted and the directory exists. | |
| +#ALLOW_SYSLOG_REMOTE_LOGGING=0 | |
| + | |
| # | |
| -SUSPSCAN_TEMP=/dev/shm | |
| +# This option allows the specified applications, or a specific version of an | |
| +# application, to be whitelisted. If a specific version is to be whitelisted, | |
| +# then the name must be followed by a colon and then the version number. | |
| +# For example: | |
| # | |
| -# Maximum filesize in bytes. Files larger than this will not be inspected. | |
| -# Do make sure you have enough space left in your temporary files directory. | |
| +# APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29 | |
| # | |
| -SUSPSCAN_MAXSIZE=10240000 | |
| +# This is a space-separated list of pathnames. The option may be specified | |
| +# more than once. | |
| # | |
| -# Score threshold. Below this value no hits will be reported. | |
| -# A value of "200" seems "good" after testing on malware. Please adjust | |
| -# locally if necessary. | |
| +# The default value is the null string. | |
| # | |
| -SUSPSCAN_THRESH=200 | |
| +#APP_WHITELIST="" | |
| + | |
| +# | |
| +# Set this option to scan for suspicious files in directories which pose a | |
| +# relatively higher risk due to user write access. | |
| # | |
| -# To force rkhunter to use the supplied script for the 'stat' or 'readlink' | |
| -# command, then the following two options can be used. The value must be | |
| -# set to 'BUILTIN'. | |
| +# Please do not enable the 'suspscan' test by default as it is CPU and I/O | |
| +# intensive, and prone to producing false positives. Do review all settings | |
| +# before usage. Also be aware that running 'suspscan' in combination with | |
| +# verbose logging on, rkhunter's default, will show all ignored files. | |
| # | |
| -# NOTE: IRIX users will probably need to enable STAT_CMD. | |
| +# Please consider adding all directories the user the (web)server runs as, | |
| +# and has write access to, including the document root (e.g: '/var/www') and | |
| +# log directories (e.g: '/var/log/httpd'). | |
| # | |
| -#STAT_CMD=BUILTIN | |
| +# This is a space-separated list of directory pathnames. The option may be | |
| +# specified more than once. | |
| +# | |
| +# The default value is the '/tmp' and '/var/tmp' directories. | |
| +# | |
| +#SUSPSCAN_DIRS=/tmp /var/tmp | |
| +SUSPSCAN_DIRS=/tmp /var/tmp | |
| + | |
| +# | |
| +# This option specifies the directory for temporary files used by the | |
| +# 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is | |
| +# better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS | |
| +# as that is highly likely to cause false-positive results. | |
| +# | |
| +# The default value is '/dev/shm'. | |
| +# | |
| +#SUSPSCAN_TEMP=/dev/shm | |
| + | |
| +# | |
| +# This option specifies the 'suspscan' test maximum filesize in bytes. Files | |
| +# larger than this will not be inspected. Do make sure you have enough space | |
| +# available in your temporary files directory. | |
| +# | |
| +# The default value is '1024000'. | |
| +# | |
| +#SUSPSCAN_MAXSIZE=10240000 | |
| + | |
| +# | |
| +# This option specifies the 'suspscan' test score threshold. Below this value | |
| +# no hits will be reported. | |
| +# | |
| +# The default value is '200'. | |
| +# | |
| +#SUSPSCAN_THRESH=200 | |
| + | |
| +# | |
| +# The following options can be used to whitelist network ports which are known | |
| +# to have been used by malware. | |
| +# | |
| +# The PORT_WHITELIST option is a space-separated list of one or more of two | |
| +# types of whitelisting. These are: | |
| +# | |
| +# 1) a 'protocol:port' pair | |
| +# 2) an asterisk ('*') | |
| +# | |
| +# Only the UDP or TCP protocol may be specified, and the port number must be | |
| +# between 1 and 65535 inclusive. | |
| +# | |
| +# The asterisk can be used to indicate that any executable which rkhunter can | |
| +# locate as a command, is whitelisted. (Also see BINDIR) | |
| +# | |
| +# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting. | |
| +# These are: | |
| +# | |
| +# 1) a pathname to an executable | |
| +# 2) a combined pathname, protocol and port | |
| +# | |
| +# As above, the protocol can only be TCP or UDP, and the port number must be | |
| +# between 1 and 65535 inclusive. | |
| +# | |
| +# Examples: | |
| +# | |
| +# PORT_WHITELIST=TCP:2001 UDP:32011 | |
| +# PORT_PATH_WHITELIST=/usr/sbin/squid | |
| +# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801 | |
| +# | |
| +# NOTE: In order to whitelist a pathname, or use the asterisk option, the | |
| +# 'lsof' command must be present. | |
| +# | |
| +# Both options may be specified more than once. | |
| +# | |
| +# The default value for both options is the null string. | |
| +# | |
| +#PORT_WHITELIST="" | |
| +#PORT_PATH_WHITELIST="" | |
| + | |
| +# | |
| +# The following option can be used to tell rkhunter where the operating system | |
| +# 'release' file is located. This file contains information specifying the | |
| +# current O/S version. RKH will store this information, and check to see if it | |
| +# has changed between each run. If it has changed, then the user is warned that | |
| +# RKH may issue warning messages until RKH has been run with the '--propupd' | |
| +# option. | |
| +# | |
| +# Since the contents of the file vary according to the O/S distribution, RKH | |
| +# will perform different actions when it detects the file itself. As such, this | |
| +# option should not be set unless necessary. If this option is specified, then | |
| +# RKH will assume the O/S release information is on the first non-blank line of | |
| +# the file. | |
| +# | |
| +# This option has no default value. | |
| +# | |
| +# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options. | |
| +# | |
| +#OS_VERSION_FILE=/etc/release | |
| + | |
| +# | |
| +# Set the following option to '0' if you do not want to receive a warning if any | |
| +# O/S information has changed since the last run of 'rkhunter --propupd'. The | |
| +# warnings occur during the file properties check. Setting a value of '1' will | |
| +# cause rkhunter to issue a warning if something has changed. | |
| +# | |
| +# The default value is '1'. | |
| +# | |
| +#WARN_ON_OS_CHANGE=1 | |
| + | |
| +# | |
| +# Set the following option to '1' if you want rkhunter to automatically run a | |
| +# file properties update ('--propupd') if the O/S has changed. Detection of an | |
| +# O/S change occurs during the file properties check. Setting a value of '0' | |
| +# will cause rkhunter not to do an automatic update. | |
| +# | |
| +# WARNING: Only set this option if you are sure that the update will work | |
| +# correctly. That is, that the database directory is writeable, that a valid | |
| +# hash function is available, and so on. This can usually be checked simply by | |
| +# running 'rkhunter --propupd' at least once. | |
| +# | |
| +# The default value is '0'. | |
| +# | |
| +#UPDT_ON_OS_CHANGE=0 | |
| + | |
| +# | |
| +# The following two options can be used to whitelist files and directories that | |
| +# would normally be flagged with a warning during the various rootkit and | |
| +# malware checks. Only existing files and directories can be specified, and | |
| +# these must be full pathnames not links. | |
| +# | |
| +# Additionally, the RTKT_FILE_WHITELIST option may include a string after the | |
| +# file name (separated by a colon). This will then only whitelist that string | |
| +# in that file (as part of the malware checks). For example: | |
| +# | |
| +# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm | |
| +# | |
| +# If the option list includes the filename on its own as well, then the file | |
| +# will be whitelisted from rootkit checks of the files existence, but still | |
| +# only the specific string within the file will be whitelisted. For example: | |
| +# | |
| +# RTKT_FILE_WHITELIST=/etc/rc.local | |
| +# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm | |
| +# | |
| +# To whitelist a file from the existence checks, but not from the strings | |
| +# checks, then include the filename on its own and on its own but with just | |
| +# a colon appended. For example: | |
| +# | |
| +# RTKT_FILE_WHITELIST=/etc/rc.local | |
| +# RTKT_FILE_WHITELIST=/etc/rc.local: | |
| +# | |
| +# NOTE: It is recommended that if you whitelist any files, then you include | |
| +# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS | |
| +# configuration option. | |
| +# | |
| +# Both of these options may be specified more than once. | |
| +# | |
| +# For both options the default value is the null string. | |
| +# | |
| +#RTKT_DIR_WHITELIST="" | |
| +#RTKT_FILE_WHITELIST="" | |
| +# FreeIPA Certificate Authority | |
| +RTKT_FILE_WHITELIST=/var/log/pki-ca/system | |
| +# FreeIPA Certificate Authority | |
| +RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system | |
| + | |
| +# | |
| +# The following option can be used to whitelist shared library files that would | |
| +# normally be flagged with a warning during the preloaded shared library check. | |
| +# These library pathnames usually exist in the '/etc/ld.so.preload' file or in | |
| +# the LD_PRELOAD environment variable. | |
| +# | |
| +# NOTE: It is recommended that if you whitelist any files, then you include | |
| +# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS | |
| +# configuration option. | |
| +# | |
| +# This option is a space-separated list of library pathnames. The option may be | |
| +# specified more than once. | |
| +# | |
| +# The default value is the null string. | |
| +# | |
| +#SHARED_LIB_WHITELIST=/lib/snoopy.so | |
| + | |
| # | |
| # To force rkhunter to use the supplied script for the 'stat' or 'readlink' | |
| -# command, then the following two options can be used. The value must be | |
| -# set to 'BUILTIN'. | |
| +# command the following two options can be used. The value must be set to | |
| +# 'BUILTIN'. | |
| # | |
| # NOTE: IRIX users will probably need to enable STAT_CMD. | |
| # | |
| +# For both options the default value is the null string. | |
| +# | |
| #STAT_CMD=BUILTIN | |
| +#READLINK_CMD=BUILTIN | |
| + | |
| +# | |
| +# In the file properties test any modification date/time is displayed as the | |
| +# number of epoch seconds. Rkhunter will try and use the 'date' command, or | |
| +# failing that the 'perl' command, to display the date and time in a | |
| +# human-readable format as well. This option may be used if some other command | |
| +# should be used instead. The given command must understand the '%s' and | |
| +# 'seconds ago' options found in the GNU 'date' command. | |
| +# | |
| +# A value of 'NONE' may be used to request that only the epoch seconds be shown. | |
| +# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if | |
| +# it is present. | |
| +# | |
| +# This option has no default value. | |
| +# | |
| +#EPOCH_DATE_CMD="" | |
| + | |
| +# | |
| +# This setting tells rkhunter the directory containing the available Linux | |
| +# kernel modules. This setting will be worked out by rkhunter, and so should | |
| +# not usually need to be set. | |
| +# | |
| +# This option has no default value. | |
| +# | |
| +#MODULES_DIR="" | |
| + | |
| +# | |
| +# The following option can be set to a command which rkhunter will use when | |
| +# downloading files from the Internet - that is, when the '--update' or | |
| +# '--versioncheck' option is used. The command can take options. | |
| +# | |
| +# This allows the user to use a command other than the one automatically | |
| +# selected by rkhunter, but still one which it already knows about. | |
| +# For example: | |
| +# | |
| +# WEB_CMD=curl | |
| +# | |
| +# Alternatively, the user may specify a completely new command. However, note | |
| +# that rkhunter expects the downloaded file to be written to stdout, and that | |
| +# everything written to stderr is ignored. For example: | |
| +# | |
| +# WEB_CMD="/opt/bin/dlfile --timeout 5m -q" | |
| +# | |
| +# *BSD users may want to use the 'ftp' command, provided that it supports the | |
| +# HTTP protocol: | |
| +# | |
| +# WEB_CMD="ftp -o -" | |
| +# | |
| +# This option has no default value. | |
| +# | |
| +#WEB_CMD="" | |
| + | |
| +# | |
| +# Set the following option to '1' if locking is to be used when rkhunter runs. | |
| +# The lock is set just before logging starts, and is removed when the program | |
| +# ends. It is used to prevent items such as the log file, and the file | |
| +# properties file, from becoming corrupted if rkhunter is running more than | |
| +# once. The mechanism used is to simply create a lock file in the TMPDIR | |
| +# directory. If the lock file already exists, because rkhunter is already | |
| +# running, then the current process simply loops around sleeping for 10 seconds | |
| +# and then retrying the lock. A value of '0' means not to use locking. | |
| +# | |
| +# The default value is '0'. | |
| +# | |
| +# Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options. | |
| +# | |
| +#USE_LOCKING=0 | |
| + | |
| +# | |
| +# If locking is used, then rkhunter may have to wait to get the lock file. | |
| +# This option sets the total amount of time, in seconds, that rkhunter should | |
| +# wait. It will retry the lock every 10 seconds, until either it obtains the | |
| +# lock or the timeout value has been reached. | |
| +# | |
| +# The default value is 300 seconds (5 minutes). | |
| +# | |
| +#LOCK_TIMEOUT=300 | |
| + | |
| +# | |
| +# If locking is used, then rkhunter may be doing nothing for some time if it | |
| +# has to wait for the lock. If this option is set to '1', then some simple | |
| +# messages are echoed to the users screen to let them know that rkhunter is | |
| +# waiting for the lock. Set this option to '0' if the messages are not to be | |
| +# displayed. | |
| +# | |
| +# The default value is '1'. | |
| +# | |
| +#SHOW_LOCK_MSGS=1 | |
| + | |
| +# | |
| +# If this option is set to 'THOROUGH' then rkhunter will search (on a per | |
| +# rootkit basis) for filenames in all of the directories (as defined by the | |
| +# result of running 'find / -xdev'). While still not optimal, as it still | |
| +# searches for only file names as opposed to file contents, this is one step | |
| +# away from the rigidity of searching in known (evidence) or default | |
| +# (installation) locations. | |
| +# | |
| +# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. | |
| +# | |
| +# You should only activate this feature as part of a more thorough | |
| +# investigation, which should be based on relevant best practices and | |
| +# procedures. | |
| +# | |
| +# Enabling this feature implies you have the knowledge to interpret the | |
| +# results properly. | |
| +# | |
| +# The default value is the null string. | |
| +# | |
| +#SCANROOTKITMODE=THOROUGH | |
| + | |
| +# | |
| +# The following option can be set to the name(s) of the tests the 'unhide' | |
| +# command is to use. Options such as '-m' and '-v' may be specified, but will | |
| +# only take effect when they are seen. The test names are a space-separated | |
| +# list, and will be executed in the order given. | |
| +# | |
| +# This option may be specified more than once. | |
| +# | |
| +# The default value is 'sys' in order to maintain compatibility with older | |
| +# versions of 'unhide'. | |
| +# | |
| +#UNHIDE_TESTS=sys | |
| + | |
| +# | |
| +# The following option can be used to set options for the 'unhide-tcp' command. | |
| +# The options are space-separated. | |
| +# | |
| +# This option may be specified more than once. | |
| +# | |
| +# The default value is the null string. | |
| +# | |
| +#UNHIDETCP_OPTS="" | |
| + | |
| +# | |
| +# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, | |
| +# then it is possible to disable the execution of one of the programs if | |
| +# desired. By default rkhunter will look for both programs, and execute each | |
| +# of them as they are found. If the value of this option is '0', then both | |
| +# programs will be executed if they are present. A value of '1' will disable | |
| +# execution of the C 'unhide' program, and a value of '2' will disable the Ruby | |
| +# 'unhide.rb' program. To disable both programs, then disable the | |
| +# 'hidden_procs' test. | |
| +# | |
| +# The default value is '0'. | |
| +# | |
| +#DISABLE_UNHIDE=0 | |
| + | |
| +# | |
| +# This option can be set to either '0' or '1'. If set to '1' then the summary, | |
| +# shown after rkhunter has run, will display the actual number of warnings | |
| +# found. If it is set to '0', then the summary will simply indicate that | |
| +# 'One or more' warnings were found. If no warnings were found, and this option | |
| +# is set to '1', then a "0" will be shown. If the option is set to '0', then | |
| +# the words 'No warnings' will be shown. | |
| +# | |
| +# The default value is '0'. | |
| +# | |
| +#SHOW_SUMMARY_WARNINGS_NUMBER=0 | |
| + | |
| +# | |
| +# This option is used to determine where, if anywhere, the summary scan time is | |
| +# displayed. A value of '0' indicates that it should not be displayed anywhere. | |
| +# A value of '1' indicates that the time should only appear on the screen, and a | |
| +# value of '2' that it should only appear in the log file. A value of '3' | |
| +# indicates that the time taken should appear both on the screen and in the log | |
| +# file. | |
| +# | |
| +# The default value is '3'. | |
| +# | |
| +#SHOW_SUMMARY_TIME=3 | |
| + | |
| +# | |
| +# The two options below may be used to check if a file is missing or empty | |
| +# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check | |
| +# if the file is missing, since that can be interpreted as a file of no size. | |
| +# However, the file will only be reported as missing if the MISSING_LOGFILES | |
| +# option hasn't already done this. | |
| +# | |
| +# Both options are space-separated lists of pathnames, and may be specified | |
| +# more than once. | |
| +# | |
| +# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is | |
| +# perfectly possible for the file to be either missing or empty. As such these | |
| +# options may produce false-positive warnings when log files are rotated. | |
| +# | |
| +# For both options the default value is the null string. | |
| +# | |
| +#EMPTY_LOGFILES="" | |
| +#MISSING_LOGFILES="" | |
| + | |
| +INSTALLDIR="/usr" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment