Configure rkhunter.

5 files changed, 1064 insertions, 0 deletions

diff --git a/roles/common/files/etc/default/rkhunter b/roles/common/files/etc/default/rkhunter
new file mode 100644
index 0000000..da59a73
--- /dev/null
+++ b/roles/common/files/etc/default/rkhunter
@@ -0,0 +1,34 @@
+# Defaults for rkhunter automatic tasks
+# sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter
+#
+# This is a POSIX shell fragment
+#
+
+# Set this to yes to enable rkhunter daily runs
+# (default: true)
+CRON_DAILY_RUN="yes"
+
+# Set this to yes to enable rkhunter weekly database updates
+# (default: true)
+CRON_DB_UPDATE="yes"
+
+# Set this to yes to enable reports of weekly database updates
+# (default: false)
+DB_UPDATE_EMAIL="false"
+
+# Set this to the email address where reports and run output should be sent
+# (default: root)
+REPORT_EMAIL="admin@fripost.org"
+
+# Set this to yes to enable automatic database updates
+# (default: false)
+APT_AUTOGEN="false"
+
+# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable)
+# (default: 0)
+NICE="10"
+
+# Should daily check be run when running on battery
+# powermgmt-base is required to detect if running on battery or on AC power
+# (default: false)
+RUN_CHECK_ON_BATTERY="false" 
diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf
new file mode 100644
index 0000000..9e4cb14
--- /dev/null
+++ b/roles/common/files/etc/rkhunter.conf
@@ -0,0 +1,1004 @@
+#
+# This is the main configuration file for Rootkit Hunter.
+#
+# You can either modify this file directly, or you can create a local
+# configuration file. The local file must be named 'rkhunter.conf.local',
+# and must reside in the same directory as this file. Please modify one
+# or both files to your own requirements. It is suggested that the
+# command 'rkhunter -C' is run after any changes have been made.
+#
+# Please review the documentation before posting bug reports or questions.
+# To report bugs, obtain updates, or provide patches or comments, please go to:
+# http://rkhunter.sourceforge.net
+#
+# To ask questions about rkhunter, please use the rkhunter-users mailing list.
+# Note this is a moderated list: please subscribe before posting.
+#
+# Lines beginning with a hash (#), and blank lines, are ignored.
+# End-of-line comments are not supported.
+#
+# Most of the following options need only be specified once. If
+# they appear more than once, then the last one seen will be used.
+# Some options are allowed to appear more than once, and the text
+# describing the option will say if this is so.
+#
+# Some of the options are space-separated lists of pathnames. If
+# wildcard characters (globbing) are allowed in the list, then the
+# text describing the option will say so.
+#
+# Space-separated lists may be enclosed by quotes, but these must only
+# appear at the start and end of the list, not in the middle.
+#
+# For example:    XXX="abc  def  gh"        (correct)
+#                 XXX="abc"  "def"  "gh"    (incorrect)
+#
+
+
+#
+# If this option is set to 1, it specifies that the mirrors file
+# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
+# options are used, is to be rotated. Rotating the entries in the file
+# allows a basic form of load-balancing between the mirror sites whenever
+# the above options are used.
+# If the option is set to 0, then the mirrors will be treated as if in
+# a priority list. That is, the first mirror listed will always be used
+# first. The second mirror will only be used if the first mirror fails,
+# the third mirror will only be used if the second mirror fails, and so on.
+#
+# If the mirrors file is read-only, then the '--versioncheck' command-line
+# option can only be used if this option is set to 0.
+#
+ROTATE_MIRRORS=1
+
+#
+# If this option is set to 1, it specifies that when the '--update'
+# option is used, then the mirrors file is to be checked for updates
+# as well. If the current mirrors file contains any local mirrors,
+# these will be prepended to the updated file.
+# If this option is set to 0, the mirrors file can only be updated
+# manually. This may be useful if only using local mirrors.
+#
+UPDATE_MIRRORS=1
+
+#
+# The MIRRORS_MODE option tells rkhunter which mirrors are to be
+# used when the '--update' or '--versioncheck' command-line options
+# are given. Possible values are:
+#     0 - use any mirror (the default)
+#     1 - only use local mirrors
+#     2 - only use remote mirrors
+#
+# Local and remote mirrors can be defined in the mirrors file
+# by using the 'local=' and 'remote=' keywords respectively.
+#
+MIRRORS_MODE=0
+
+#
+# Email a message to this address if a warning is found when the
+# system is being checked. Multiple addresses may be specified
+# simply be separating them with a space. Setting this option to
+# null disables the option.
+#
+# NOTE: This option should be present in the configuration file.
+#
+#MAIL-ON-WARNING=me@mydomain   root@mydomain
+MAIL-ON-WARNING=admin@fripost.org
+
+#
+# Specify the mail command to use if MAIL-ON-WARNING is set.
+#
+# NOTE: Double quotes are not required around the command, but
+# are required around the subject line if it contains spaces.
+#
+MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
+
+#
+# Specify the temporary directory to use.
+#
+# NOTE: Do not use /tmp as your temporary directory. Some
+# important files will be written to this directory, so be
+# sure that the directory permissions are tight.
+#
+TMPDIR=/var/lib/rkhunter/tmp
+
+#
+# Specify the database directory to use.
+#
+DBDIR=/var/lib/rkhunter/db
+
+#
+# Specify the script directory to use.
+#
+SCRIPTDIR=/usr/share/rkhunter/scripts
+
+#
+# This option can be used to modify the command directory list used
+# by rkhunter to locate commands (that is, its PATH). By default
+# this will be the root PATH, and an internal list of some common
+# command directories.
+#
+# Any directories specified here will, by default, be appended to the
+# default list. However, if a directory name begins with the '+'
+# character, then that directory will be prepended to the list (that
+# is, it will be put at the start of the list).
+#
+# This is a space-separated list of directory names. The option may
+# be specified more than once.
+#
+#BINDIR="/bin /usr/bin /sbin /usr/sbin"
+#BINDIR="+/usr/local/bin +/usr/local/sbin"
+
+#
+# Specify the default language to use. This should be similar
+# to the ISO 639 language code.
+#
+# NOTE: Please ensure that the language you specify is supported.
+# For a list of supported languages use the following command:
+#
+#       rkhunter --lang en --list languages
+#
+#LANGUAGE=en
+
+#
+# This option is a space-separated list of the languages that are to
+# be updated when the '--update' option is used. If unset, then all
+# the languages will be updated. If none of the languages are to be
+# updated, then set this option to just 'en'.
+#
+# The default is for all the languages to be updated. The default
+# language, specified above, and the English (en) language file will
+# always be updated regardless of this option.
+#
+UPDATE_LANG=""
+
+#
+# Specify the log file pathname.
+#
+# NOTE: This option should be present in the configuration file.
+#
+LOGFILE=/var/log/rkhunter.log
+
+#
+# Set the following option to 1 if the log file is to be appended to
+# whenever rkhunter is run.
+#
+APPEND_LOG=0
+
+#
+# Set the following option to 1 if the log file is to be copied when
+# rkhunter finishes and an error or warning has occurred. The copied
+# log file name will be appended with the current date and time
+# (in YYYY-MM-DD_HH:MM:SS format).
+# For example: rkhunter.log.2009-04-21_00:57:51
+#
+COPY_LOG_ON_ERROR=0
+
+#
+# Set the following option to enable the rkhunter check start and finish
+# times to be logged by syslog. Warning messages will also be logged.
+# The value of the option must be a standard syslog facility and
+# priority, separated by a dot.  For example:
+#
+#     USE_SYSLOG=authpriv.warning
+#
+# Setting the value to 'none', or just leaving the option commented out,
+# disables the use of syslog.
+#
+#USE_SYSLOG=authpriv.notice
+
+#
+# Set the following option to 1 if the second colour set is to be used.
+# This can be useful if your screen uses black characters on a white
+# background (for example, a PC instead of a server).
+#
+COLOR_SET2=0
+
+#
+# Set the following option to 0 if rkhunter should not detect if X is
+# being used. If X is detected as being used, then the second colour
+# set will automatically be used.
+#
+AUTO_X_DETECT=1
+
+#
+# Set the following option to 1 if it is wanted that any 'Whitelisted'
+# results are shown in white rather than green. For colour set 2 users,
+# setting this option will cause the result to be shown in black.
+#
+WHITELISTED_IS_WHITE=0
+
+#
+# The following option is checked against the SSH configuration file
+# 'PermitRootLogin' option. A warning will be displayed if they do not
+# match. However, if a value has not been set in the SSH configuration
+# file, then a value here of 'unset' can be used to avoid warning messages.
+# This option has a default value of 'no'.
+#
+ALLOW_SSH_ROOT_USER=no
+
+#
+# Set this option to '1' to allow the use of the SSH-1 protocol, but note
+# that theoretically it is weaker, and therefore less secure, than the
+# SSH-2 protocol. Do not modify this option unless you have good reasons
+# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
+# authentication). If the 'Protocol' option has not been set in the SSH
+# configuration file, then a value of '2' may be set here in order to
+# suppress a warning message. This option has a default value of '0'.
+#
+ALLOW_SSH_PROT_V1=0
+
+#
+# This setting tells rkhunter the directory containing the SSH configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+#SSH_CONFIG_DIR=/etc/ssh
+
+#
+# These two options determine which tests are to be performed.
+# The ENABLE_TESTS option can use the word 'all' to refer to all the
+# available tests. The DISABLE_TESTS option can use the word 'none' to
+# mean that no tests are disabled. The list of disabled tests is applied to
+# the list of enabled tests. Both options are space-separated lists of test
+# names. The currently available test names can be seen by using the command
+# 'rkhunter --list tests'.
+#
+# The program defaults are to enable all tests and disable none. However, if
+# either of the options below are specified, then they will override the
+# program defaults.
+#
+# The supplied configuration file has some tests already disabled, and these
+# are tests that will be used only occasionally, can be considered
+# "advanced" or that are prone to produce more than the average number of
+# false-positives.
+#
+# Please read the README file for more details about enabling and disabling
+# tests, the test names, and how rkhunter behaves when these options are used.
+#
+# hidden_procs test requires the unhide command which is part of the unhide
+# package in Debian.
+#
+# apps test is disabled by default as it triggers warnings about outdated 
+# applications (and warns about possible security risk: we better trust
+# the Debian Security Team).
+#
+ENABLE_TESTS="all"
+DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
+
+#
+# The HASH_FUNC option can be used to specify the command to use
+# for the file hash value check. It can be specified as just the
+# command name or the full pathname. If just the command name is
+# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or
+# SHA512, then rkhunter will first look for the relevant command,
+# such as 'sha256sum', and then for 'sha256'. If neither of these
+# are found, it will then look to see if a perl module has been
+# installed which will support the relevant hash function. To see
+# which perl modules have been installed use the command
+# 'rkhunter --list perl'.
+#
+# The default is SHA1, or MD5 if SHA1 cannot be found.
+#
+# Systems using prelinking are restricted to using either the
+# SHA1 or MD5 function.
+#
+# A value of 'NONE' (in uppercase) can be specified to indicate that
+# no hash function should be used. Rootkit Hunter will detect this and
+# automatically disable the file hash checks.
+#
+# Examples:
+#   For Solaris 9 : HASH_FUNC=gmd5sum
+#   For Solaris 10: HASH_FUNC=sha1sum
+#   For AIX (>5.2): HASH_FUNC="csum -hMD5"
+#   For NetBSD    : HASH_FUNC="cksum -a sha512"
+#
+# NOTE: If the hash function is changed then you MUST run rkhunter with
+# the '--propupd' option to rebuild the file properties database.
+#
+HASH_FUNC=sha512sum
+
+#
+# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
+# command output contains the hash value. The fields are assumed to
+# be space-separated. The default value is 1, but for *BSD users
+# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
+# has not been set. The option value must be an integer greater
+# than zero.
+#
+#HASH_FLD_IDX=4
+
+#
+# The PKGMGR option tells rkhunter to use the specified package manager
+# to obtain the file property information. This is used when updating
+# the file properties file ('rkhunter.dat'), and when running the file
+# properties check. For RedHat/RPM-based systems, 'RPM' can be used to
+# get information from the RPM database. For Debian-based systems 'DPKG'
+# can be used, for *BSD systems 'BSD' can be used, and for Solaris
+# systems 'SOLARIS' can be used. No value, or a value of 'NONE',
+# indicates that no package manager is to be used. The default is 'NONE'.
+#
+# The current package managers, except 'SOLARIS', store the file hash
+# values using an MD5 hash function. The Solaris package manager includes
+# a checksum value, but this is not used by default (see USE_SUNSUM below).
+#
+# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
+# The 'RPM' package manager additionally provides values for the inode,
+# file permissions, uid, gid and other values. The 'SOLARIS' also provides
+# most of the values, similar to 'RPM', but not the inode number.
+#
+# For any file not part of a package, rkhunter will revert to using the
+# HASH_FUNC hash function instead.
+#
+# Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# NONE is the default for Debian as well, as running --propupd takes
+# about 4 times longer when it's set to DPKG
+#
+#PKGMGR=NONE
+
+#
+# It is possible that a file which is part of a package may be modified
+# by the administrator. Typically this occurs for configuration files.
+# However, the package manager may list the file as being modified. For
+# the RPM package manager this may well depend on how the package was
+# built. This option specifies those pathnames which are to be exempt
+# from the package manager verification process, and which will be treated
+# as non-packaged files. As such, the file properties are still checked.
+#
+# This option only takes effect if the PKGMGR option has been set, and
+# is not 'NONE'.
+#
+# This is a space-separated list of pathnames. The option may
+# be specified more than once.
+#
+# Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+#PKGMGR_NO_VRFY=""
+
+#
+# This option can be used to tell rkhunter to ignore any prelink
+# dependency errors for the given commands. However, a warning will also
+# be issued if the error does not occur for a given command. As such
+# this option must only be used on commands which experience a persistent
+# problem.
+#
+# Short-term prelink dependency errors can usually be resolved simply by
+# running the 'prelink' command on the given pathname.
+#
+# NOTE: The command 'rkhunter --propupd' must be run whenever this option
+# is changed.
+#
+# This is a space-separated list of command pathnames. The option can be
+# specified more than once.
+#
+#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top"
+
+#
+# If the 'SOLARIS' package manager is used, then it is possible to use
+# the checksum (hash) value stored for a file. However, this is only a
+# 16-bit checksum, and as such is not nearly as secure as, for example,
+# a SHA-2 value. For that reason, the checksum is not used by default,
+# and the hash function given by HASH_FUNC is used instead. To enable
+# this option, set its value to 1. The Solaris 'sum' command must be
+# present on the system if this option is used.
+#
+#USE_SUNSUM=0
+
+#
+# This option is a space-separated list of commands, directories and file
+# pathnames which will be included in the file properties checks.
+# This option can be specified more than once.
+#
+# Whenever this option is changed, 'rkhunter --propupd' must be run.
+#
+# Simple command names - for example, 'top' - and directory names are
+# added to the internal list of directories to be searched for each of
+# the command names in the command list. Additionally, full pathnames
+# to files, which need not be commands, may be given. Any files or
+# directories which are already part of the internal lists will be
+# silently ignored from the configuration.
+#
+# Normal globbing wildcards are allowed, except for simple command names.
+# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
+#
+# Specific files may be excluded by preceding their name with an
+# exclamation mark (!). For example, '!/opt/top'. By combining this
+# with wildcarding, whole directories can be excluded. For example,
+# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
+# two directory levels of '/etc'. However, anything in '/etc/rc0.d',
+# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
+#
+# NOTE: Only files and directories which have been added by the user,
+# and are not part of the internal lists, can be excluded. So, for
+# example, it is not possible to exclude the 'ps' command by using
+# '!/bin/ps'. These will be silently ignored from the configuration.
+#
+#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
+#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
+#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
+#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
+#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
+#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
+#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"
+
+#
+# This option whitelists files and directories from existing,
+# or not existing, on the system at the time of testing. This
+# option is used when the configuration file options themselves
+# are checked, and during the file properties check, the hidden
+# files and directories checks, and the filesystem check of the
+# '/dev' directory.
+#
+# This is a space-separated list of pathnames. The option may be
+# specified more than once. The option may use wildcard characters,
+# but be aware that this is probably not what you want to do as the
+# wildcarding will be expanded after files have been deleted. As
+# such deleted files won't be whitelisted if wildcarded.
+#
+# NOTE: The user must take into consideration how often the file will
+# appear and disappear from the system in relation to how often
+# rkhunter is run. If the file appears, and disappears, too often
+# then rkhunter may not notice this. All it will see is that the file
+# has changed. The inode-number and DTM will certainly be different
+# for each new file, and rkhunter will report this.
+#
+#EXISTWHITELIST=""
+
+#
+# Whitelist various attributes of the specified files.
+# The attributes are those of the 'attributes' test.
+# Specifying a file name here does not include it being
+# whitelisted for the write permission test (see below).
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+#ATTRWHITELIST="/bin/ps /usr/bin/date"
+
+#
+# Allow the specified commands to have the 'others'
+# (world) permission have the write-bit set.
+#
+# For example, files with permissions r-xr-xrwx
+# or rwxrwxrwx.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+#WRITEWHITELIST="/bin/ps /usr/bin/date"
+
+#
+# Allow the specified commands to be scripts.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+SCRIPTWHITELIST=/bin/egrep
+SCRIPTWHITELIST=/bin/fgrep
+SCRIPTWHITELIST=/bin/which
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/lwp-request
+SCRIPTWHITELIST=/usr/sbin/adduser
+SCRIPTWHITELIST=/usr/sbin/prelink
+
+#
+# Allow the specified commands to have the immutable attribute set.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown"
+
+#
+# If this option is set to 1, then the immutable-bit test is
+# reversed. That is, the files are expected to have the bit set.
+#
+IMMUTABLE_SET=0
+
+#
+# Allow the specified hidden directories to be whitelisted.
+#
+# This is a space-separated list of directory pathnames.
+# The option may be specified more than once. The option
+# may use wildcard characters.
+#
+#ALLOWHIDDENDIR="/etc/.java"
+#ALLOWHIDDENDIR="/dev/.static"
+#ALLOWHIDDENDIR="/dev/.SRC-unix"
+ALLOWHIDDENDIR="/etc/.git"
+
+#
+# Allow the specified hidden files to be whitelisted.
+#
+# This is a space-separated list of filenames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+# 
+#ALLOWHIDDENFILE="/etc/.java"
+#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
+#ALLOWHIDDENFILE="/etc/.pwd.lock"
+#ALLOWHIDDENFILE="/etc/.init.state"
+#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
+#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
+#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
+#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
+#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
+#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
+#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
+#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
+#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
+#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
+ALLOWHIDDENFILE="/etc/.gitignore"
+ALLOWHIDDENFILE="/etc/.etckeeper"
+#ALLOWHIDDENFILE="/etc/.bzrignore"
+
+#
+# Allow the specified processes to use deleted files. The
+# process name may be followed by a colon-separated list of
+# full pathnames. The process will then only be whitelisted
+# if it is using one of the given files. For example:
+#
+#     ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz"
+#
+# This is a space-separated list of process names. The option
+# may be specified more than once. The option may use wildcard
+# characters, but only in the file names.
+#
+#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
+#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2"
+#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*"
+#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin"
+#ALLOWPROCDELFILE="/usr/bin/file-roller"
+
+#
+# Allow the specified processes to listen on any network interface.
+#
+# This is a space-separated list of process names. The option
+# may be specified more than once.
+#
+#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
+#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
+#ALLOWPROCLISTEN="/usr/sbin/snort-plain"
+
+#
+# Allow the specified network interfaces to be in promiscuous mode.
+#
+# This is a space-separated list of interface names. The option may
+# be specified more than once.
+#
+#ALLOWPROMISCIF="eth0"
+
+#
+# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
+# The two allowed options are: THOROUGH or LAZY.
+# If commented out we do a THOROUGH scan which will increase the runtime.
+# Even though this adds to the running time it is highly recommended to
+# leave it like this.
+#
+#SCAN_MODE_DEV=THOROUGH
+
+#
+# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
+# perform a basic check, or a more thorough check. If the option is set to 0,
+# then a basic check is performed. If it is set to 1, then all the directries
+# in the /etc and /usr directories are scanned. The default value is 0. Users
+# should note that setting this option to 1 will cause the test to take longer
+# to complete.
+#
+PHALANX2_DIRTEST=0
+
+#
+# Allow the specified files to be present in the /dev directory,
+# and not regarded as suspicious.
+#
+# This is a space-separated list of pathnames. The option may
+# be specified more than once. The option may use wildcard
+# characters.
+#
+#ALLOWDEVFILE="/dev/shm/pulse-shm-*"
+#ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
+
+#
+# This setting tells rkhunter where the inetd configuration
+# file is located.
+#
+#INETD_CONF_PATH=/etc/inetd.conf
+
+#
+# Allow the following enabled inetd services.
+#
+# This is a space-separated list of service names. The option may
+# be specified more than once.
+#
+# For non-Solaris users the simple service name should be used.
+# For example:
+#
+#     INETD_ALLOWED_SVC=echo
+#
+# For Solaris 9 users the simple service name should also be used, but
+# if it is an RPC service, then the executable pathname should be used.
+# For example:
+#
+#     INETD_ALLOWED_SVC=imaps
+#     INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd"
+#
+# For Solaris 10 users the service/FMRI name should be used. For example:
+#
+#     INETD_ALLOWED_SVC=/network/rpc/meta
+#     INETD_ALLOWED_SVC=/network/rpc/metamed
+#     INETD_ALLOWED_SVC=/application/font/stfsloader
+#     INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
+#
+#INETD_ALLOWED_SVC=echo
+
+#
+# This setting tells rkhunter where the xinetd configuration
+# file is located.
+#
+#XINETD_CONF_PATH=/etc/xinetd.conf
+
+#
+# Allow the following enabled xinetd services. Whilst it would be
+# nice to use the service names themselves, at the time of testing
+# we only have the pathname available. As such, these entries are
+# the xinetd file pathnames.
+#
+# This is a space-separated list of service names. The option may
+# be specified more than once.
+#
+#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
+
+#
+# This option tells rkhunter the local system startup file pathnames.
+# The directories will be searched for files. By default rkhunter
+# will use certain filenames and directories. If the option is set
+# to 'none', then certain tests will be skipped.
+#
+# This is a space-separated list of file and directory pathnames.
+# The option may be specified more than once. The option may use
+# wildcard characters.
+#
+#STARTUP_PATHS="/etc/init.d /etc/rc.local"
+
+#
+# This setting tells rkhunter the pathname to the file containing the
+# user account passwords. This setting will be worked out by rkhunter,
+# and so should not usually need to be set. Users of TCB shadow files
+# should not set this option.
+#
+#PASSWORD_FILE=/etc/shadow
+
+#
+# Allow the following accounts to be root equivalent. These accounts
+# will have a UID value of zero. The 'root' account does not need to
+# be listed as it is automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may
+# be specified more than once.
+#
+# NOTE: For *BSD systems you will probably need to use this option
+# for the 'toor' account.
+#
+#UID0_ACCOUNTS="toor rooty sashroot"
+
+#
+# Allow the following accounts to have no password. NIS/YP entries do
+# not need to be listed as they are automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may
+# be specified more than once.
+#
+#PWDLESS_ACCOUNTS="abc"
+
+#
+# This setting tells rkhunter the pathname to the syslog configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set. A value of 'NONE' can be used to indicate
+# that there is no configuration file, but that the syslog daemon process
+# may be running.
+#
+# This is a space-separated list of pathnames. The option may
+# be specified more than once.
+#
+#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+
+#
+# This option permits the use of syslog remote logging.
+#
+ALLOW_SYSLOG_REMOTE_LOGGING=0
+
+#
+# Allow the following applications, or a specific version of an application,
+# to be whitelisted. This option may be specified more than once, and is a
+# space-separated list consisting of the application names. If a specific
+# version is to be whitelisted, then the name must be followed by a colon
+# and then the version number. For example:
+#
+#     APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
+#
+# Note above that for the Apache web server, the name 'httpd' is used.
+#
+#APP_WHITELIST=""
+
+# 
+# Scan for suspicious files in directories containing temporary files and
+# directories posing a relatively higher risk due to user write access.
+# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
+# producing false positives. Do review all settings before usage.
+# Also be aware that running suspscan in combination with verbose logging on,
+# RKH's default, will show all ignored files.
+# Please consider adding all directories the user the (web)server runs as has 
+# write access to including the document root (example: "/var/www") and log
+# directories (example: "/var/log/httpd"). 
+#
+# This is a space-separated list of directory pathnames.
+# The option may be specified more than once.
+#
+#SUSPSCAN_DIRS="/tmp /var/tmp"
+
+#
+# Directory for temporary files. A memory-based one is better (faster).
+# Do not use a directory name that is listed in SUSPSCAN_DIRS.
+# Please make sure you have a tempfs mounted and the directory exists.
+#
+SUSPSCAN_TEMP=/dev/shm
+
+#
+# Maximum filesize in bytes. Files larger than this will not be inspected.
+# Do make sure you have enough space left in your temporary files directory.
+#
+SUSPSCAN_MAXSIZE=10240000
+
+#
+# Score threshold. Below this value no hits will be reported.
+# A value of "200" seems "good" after testing on malware. Please adjust
+# locally if necessary. 
+#
+SUSPSCAN_THRESH=200
+
+#
+# The following option can be used to whitelist network ports which
+# are known to have been used by malware. This option may be specified
+# more than once. The option is a space-separated list of one or more
+# of four types of whitelisting. These are:
+#
+#   1) a 'protocol:port' pair       (e.g. TCP:25)
+#   2) a pathname to an executable  (e.g. /usr/sbin/squid)
+#   3) a combined pathname, protocol and port
+#                                   (e.g. /usr/sbin/squid:TCP:3801)
+#   4) an asterisk ('*')
+#
+# Only the UDP or TCP protocol may be specified, and the port number
+# must be between 1 and 65535 inclusive.
+#
+# The asterisk can be used to indicate that any executable which rkhunter
+# can locate as a command, is whitelisted. (See BINDIR in this file.)
+#
+# For example:
+#
+#     PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
+#
+# NOTE: In order to whitelist a pathname, or use the asterisk option,
+# the 'lsof' command must be present.
+#
+#PORT_WHITELIST=""
+
+#
+# The following option can be used to tell rkhunter where the operating
+# system 'release' file is located. This file contains information
+# specifying the current O/S version. RKH will store this information
+# itself, and check to see if it has changed between each run. If it has
+# changed, then the user is warned that RKH may issue warning messages
+# until RKH has been run with the '--propupd' option.
+#
+# Since the contents of the file vary according to the O/S distribution,
+# RKH will perform different actions when it detects the file itself. As
+# such, this option should not be set unless necessary. If this option is
+# specified, then RKH will assume the O/S release information is on the
+# first non-blank line of the file.
+#
+#OS_VERSION_FILE="/etc/debian_version"
+
+#
+# The following two options can be used to whitelist files and directories
+# that would normally be flagged with a warning during the various rootkit
+# and malware checks. If the file or directory name contains a space, then
+# the percent character ('%') must be used instead. Only existing files and
+# directories can be specified, and these must be full pathnames not links.
+#
+# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
+# file name (separated by a colon). This will then only whitelist that string
+# in that file (as part of the malware checks). For example:
+#
+#     RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
+#
+# If the option list includes the filename on its own as well, then the file
+# will be whitelisted from rootkit checks of the files existence, but still
+# only the specific string within the file will be whitelisted. For example:
+#
+#     RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
+#
+# To whitelist a file from the existence checks, but not from the strings
+# checks, then include the filename on its own and on its own but with
+# just a colon appended. For example:
+#
+#     RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# These are space-separated lists of file and directory pathnames.
+# The options may be specified more than once.
+#
+#RTKT_DIR_WHITELIST=""
+#RTKT_FILE_WHITELIST=""
+
+#
+# The following option can be used to whitelist shared library files that would
+# normally be flagged with a warning during the preloaded shared library check.
+# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
+# the LD_PRELOAD environment variable.
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# This is a space-separated list of library pathnames.
+# The option may be specified more than once.
+#
+#SHARED_LIB_WHITELIST="/lib/snoopy.so"
+
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command, then the following two options can be used. The value must be
+# set to 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+#STAT_CMD=BUILTIN
+#READLINK_CMD=BUILTIN
+
+#
+# In the file properties test any modification date/time is displayed as the
+# number of epoch seconds. Rkhunter will try and use the 'date' command, or
+# failing that the 'perl' command, to display the date and time in a
+# human-readable format as well. This option may be used if some other command
+# should be used instead. The given command must understand the '%s' and
+# 'seconds ago' options found in the GNU date command.
+#
+# A value of 'NONE' may be used to request that only the epoch seconds be shown.
+# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
+# it is present.
+#
+#EPOCH_DATE_CMD=""
+
+#
+# This setting tells rkhunter the directory containing the available
+# Linux kernel modules. This setting will be worked out by rkhunter,
+# and so should not usually need to be set.
+#
+#MODULES_DIR=""
+
+#
+# The following option can be set to a command which rkhunter will use when
+# downloading files from the Internet - that is, when the '--update' or
+# '--versioncheck' option is used. The command can take options.
+#
+# This allows the user to use a command other than the one automatically
+# selected by rkhunter, but still one which it already knows about.
+# For example:
+#
+#     WEB_CMD=curl
+#
+# Alternatively, the user may specify a completely new command. However, note
+# that rkhunter expects the downloaded file to be written to stdout, and that
+# everything written to stderr is ignored. For example:
+#
+#     WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
+#
+# *BSD users may want to use the 'ftp' command, provided that it supports
+# the HTTP protocol:
+#
+#     WEB_CMD="ftp -o -"
+#
+#WEB_CMD=""
+
+#
+# Set the following option to 0 if you do not want to receive a warning if
+# any O/S information has changed since the last run of 'rkhunter --propupd'.
+# The warnings occur during the file properties check. The default is to
+# issue a warning if something has changed.
+#
+#WARN_ON_OS_CHANGE=1
+
+#
+# Set the following option to 1 if you want rkhunter to automatically run
+# a file properties update ('--propupd') if the O/S has changed. Detection
+# of an O/S change occurs during the file properties check. The default is
+# not to do an automatic update.
+#
+# WARNING: Only set this option if you are sure that the update will work
+# correctly. That is, that the database directory is writeable, that a valid
+# hash function is available, and so on. This can usually be checked simply
+# by running 'rkhunter --propupd' at least once.
+#
+#UPDT_ON_OS_CHANGE=0
+
+#
+# Set the following option to 1 if locking is to be used when rkhunter runs.
+# The lock is set just before logging starts, and is removed when the program
+# ends. It is used to prevent items such as the log file, and the file
+# properties file, from becoming corrupted if rkhunter is running more than
+# once. The mechanism used is to simply create a lock file in the TMPDIR
+# directory. If the lock file already exists, because rkhunter is already
+# running, then the current process simply loops around sleeping for 10 seconds
+# and then retrying the lock.
+#
+# The default is not to use locking.
+#
+USE_LOCKING=0
+
+#
+# If locking is used, then rkhunter may have to wait to get the lock file.
+# This option sets the total amount of time, in seconds, that rkhunter should
+# wait. It will retry the lock every 10 seconds, until either it obtains the
+# lock or the timeout value has been reached. If no value is set, then a
+# default of 300 seconds (5 minutes) is used.
+#
+LOCK_TIMEOUT=300
+
+#
+# If locking is used, then rkhunter may be doing nothing for some time if it
+# has to wait for the lock. Some simple messages are echo'd to the users screen
+# to let them know that rkhunter is waiting for the lock. Set this option to 0
+# if the messages are not to be displayed. The default is to show them.
+#
+SHOW_LOCK_MSGS=1
+
+#
+# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
+# will search (on a per rootkit basis) for filenames in all of the directories (as defined
+# by the result of running 'find / -xdev'). While still not optimal, as it 
+# still searches for only file names as opposed to file contents, this is one step away
+# from the rigidity of searching in known (evidence) or default (installation) locations.
+#
+# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
+#
+# You should only activate this feature as part of a more thorough investigation which
+# should be based on relevant best practices and procedures. 
+#
+# Enabling this feature implies you have the knowledge to interpret the results properly. 
+#
+#SCANROOTKITMODE=THOROUGH
+
+#
+# The following option can be set to the name(s) of the tests the 'unhide' command is
+# to use. In order to maintain compatibility with older versions of 'unhide', this
+# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but
+# will only take effect when they are seen. The test names are a space-separated list,
+# and will be executed in the order given.
+#
+#UNHIDE_TESTS="sys"
+
+#
+# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it
+# is possible to disable the execution of one of the programs if desired. By default
+# rkhunter will look for both programs, and execute each of them as they are found.
+# If the value of this option is 0, then both programs will be executed if they are
+# present. A value of 1 will disable execution of the C 'unhide' program, and a value
+# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable
+# both programs, then disable the 'hidden_procs' test.
+#
+DISABLE_UNHIDE=1
+
+INSTALLDIR="/usr"
+
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 340e74b..17fbfb2 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -12,3 +12,6 @@
 
 - name: Reload samhain
   service: name=samhain state=reloaded
+
+- name: Update rkhunter's data file
+  command: /usr/bin/rkhunter --propupd
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index b2ec514..1d57812 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -4,3 +4,4 @@
 - include: apt.yml      tags=apt
 - include: firewall.yml tags=firewall,iptables
 - include: samhain.yml  tags=samhain
+- include: rkhunter.yml tags=rkhunter
diff --git a/roles/common/tasks/rkhunter.yml b/roles/common/tasks/rkhunter.yml
new file mode 100644
index 0000000..144430e
--- /dev/null
+++ b/roles/common/tasks/rkhunter.yml
@@ -0,0 +1,22 @@
+- name: Install rkhunter
+  apt: pkg={{ item }}
+  with_items:
+    - rkhunter
+    - curl
+    - iproute
+    - lsof
+    - unhide
+    - unhide.rb
+
+- name: Configure rkhunter
+  copy: src=etc/{{ item }}
+        dest=/etc/{{ item }}
+        owner=root group=root
+        mode=0644
+  with_items:
+    - rkhunter.conf
+    - default/rkhunter
+  notify:
+    # This might not always be necessary, but it's not like we would
+    # change the config every day...
+    - Update rkhunter's data file