summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--roles/common/files/etc/rkhunter.conf1355
-rw-r--r--roles/common/tasks/rkhunter.yml2
2 files changed, 802 insertions, 555 deletions
diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf
index 542fcfd..9306631 100644
--- a/roles/common/files/etc/rkhunter.conf
+++ b/roles/common/files/etc/rkhunter.conf
@@ -1,220 +1,309 @@
#
# This is the main configuration file for Rootkit Hunter.
#
-# You can either modify this file directly, or you can create a local
-# configuration file. The local file must be named 'rkhunter.conf.local',
-# and must reside in the same directory as this file. Please modify one
-# or both files to your own requirements. It is suggested that the
-# command 'rkhunter -C' is run after any changes have been made.
+# You can modify this file directly, or you can create a local configuration
+# file. The local file must be named 'rkhunter.conf.local', and must reside
+# in the same directory as this file. Alternatively you can create a directory,
+# named 'rkhunter.d', which also must be in the same directory as this
+# configuration file. Within the 'rkhunter.d' directory you can place further
+# configuration files. There is no restriction on the file names used, other
+# than they must end in '.conf'.
+#
+# Please modify the configuration file(s) to your own requirements. It is
+# recommended that the command 'rkhunter -C' is run after any changes have
+# been made.
#
# Please review the documentation before posting bug reports or questions.
-# To report bugs, obtain updates, or provide patches or comments, please go to:
-# http://rkhunter.sourceforge.net
+# To report bugs, obtain updates, or provide patches or comments, please go
+# to: http://rkhunter.sourceforge.net
#
-# To ask questions about rkhunter, please use the rkhunter-users mailing list.
-# Note this is a moderated list: please subscribe before posting.
+# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list.
+# Note that this is a moderated list, so please subscribe before posting.
#
-# Lines beginning with a hash (#), and blank lines, are ignored.
-# End-of-line comments are not supported.
+# In the configuration files, lines beginning with a hash (#), and blank lines,
+# are ignored. Also, end-of-line comments are not supported.
#
-# Most of the following options need only be specified once. If
-# they appear more than once, then the last one seen will be used.
-# Some options are allowed to appear more than once, and the text
-# describing the option will say if this is so.
+# Any of the configuration options may appear more than once. However, several
+# options only take one value, and so the last one seen will be used. Some
+# options are allowed to appear more than once, and the text describing the
+# option will say if this is so. These configuration options will, in effect,
+# have their values concatenated together. To delete a previously specified
+# option list, specify the option with no value (that is, a null string).
#
-# Some of the options are space-separated lists of pathnames. If
-# wildcard characters (globbing) are allowed in the list, then the
+# Some of the options are space-separated lists, others, typically those
+# specifying pathnames, are newline-separated lists. These must be entered
+# as one item per line. Quotes must not be used to surround the pathname.
+#
+# For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an
+# option: XXX=/tmp/abc (correct)
+# XXX=/tmp/xyz
+#
+# XXX="/tmp/abc" (incorrect)
+# XXX="/tmp/xyz"
+#
+# XXX=/tmp/abc /tmp/xyz (incorrect)
+# or XXX="/tmp/abc /tmp/xyz" (incorrect)
+# or XXX="/tmp/abc" "/tmp/xyz" (incorrect)
+#
+# The last three examples are being configured as space-separated lists,
+# which is incorrect, generally, for options specifying pathnames. They
+# should be configured with one entry per line as in the first example.
+#
+# If wildcard characters (globbing) are allowed for an option, then the
# text describing the option will say so.
#
-# Space-separated lists may be enclosed by quotes, but these must only
-# appear at the start and end of the list, not in the middle.
+# Space-separated lists may be enclosed by quotes, although they are not
+# required. If they are used, then they must only appear at the start and
+# end of the list, not in the middle.
+#
+# For example: XXX=abc def gh (correct)
+# XXX="abc def gh" (correct)
+# XXX="abc" "def" "gh" (incorrect)
#
-# For example: XXX="abc def gh" (correct)
-# XXX="abc" "def" "gh" (incorrect)
+# Space-separated lists may also be entered simply as one entry per line.
+#
+# For example: XXX=abc (correct)
+# XXX=def
+# XXX="gh"
+#
+# If a configuration option is never set, then the program will assume a
+# default value. The text describing the option will state the default value.
+# If there is no default, then rkhunter will calculate a value or pathname
+# to use.
#
#
-# If this option is set to 1, it specifies that the mirrors file
+# If this option is set to '1', it specifies that the mirrors file
# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
-# options are used, is to be rotated. Rotating the entries in the file
-# allows a basic form of load-balancing between the mirror sites whenever
-# the above options are used.
-# If the option is set to 0, then the mirrors will be treated as if in
-# a priority list. That is, the first mirror listed will always be used
-# first. The second mirror will only be used if the first mirror fails,
-# the third mirror will only be used if the second mirror fails, and so on.
+# options are used, is to be rotated. Rotating the entries in the file allows
+# a basic form of load-balancing between the mirror sites whenever the above
+# options are used.
+#
+# If the option is set to '0', then the mirrors will be treated as if in a
+# priority list. That is, the first mirror listed will always be used first.
+# The second mirror will only be used if the first mirror fails, the third
+# mirror will only be used if the second mirror fails, and so on.
#
# If the mirrors file is read-only, then the '--versioncheck' command-line
-# option can only be used if this option is set to 0.
+# option can only be used if this option is set to '0'.
+#
+# The default value is '1'.
#
-ROTATE_MIRRORS=1
+#ROTATE_MIRRORS=1
#
-# If this option is set to 1, it specifies that when the '--update'
-# option is used, then the mirrors file is to be checked for updates
-# as well. If the current mirrors file contains any local mirrors,
-# these will be prepended to the updated file.
-# If this option is set to 0, the mirrors file can only be updated
-# manually. This may be useful if only using local mirrors.
+# If this option is set to '1', it specifies that when the '--update' option is
+# used, then the mirrors file is to be checked for updates as well. If the
+# current mirrors file contains any local mirrors, these will be prepended to
+# the updated file. If this option is set to '0', the mirrors file can only be
+# updated manually. This may be useful if only using local mirrors.
+#
+# The default value is '1'.
#
-UPDATE_MIRRORS=1
+#UPDATE_MIRRORS=1
#
-# The MIRRORS_MODE option tells rkhunter which mirrors are to be
-# used when the '--update' or '--versioncheck' command-line options
-# are given. Possible values are:
-# 0 - use any mirror (the default)
+# The MIRRORS_MODE option tells rkhunter which mirrors are to be used when
+# the '--update' or '--versioncheck' command-line options are given.
+# Possible values are:
+# 0 - use any mirror
# 1 - only use local mirrors
# 2 - only use remote mirrors
#
-# Local and remote mirrors can be defined in the mirrors file
-# by using the 'local=' and 'remote=' keywords respectively.
+# Local and remote mirrors can be defined in the mirrors file by using the
+# 'local=' and 'remote=' keywords respectively.
+#
+# The default value is '0'.
#
-MIRRORS_MODE=0
+#MIRRORS_MODE=0
#
-# Email a message to this address if a warning is found when the
-# system is being checked. Multiple addresses may be specified
-# simply be separating them with a space. Setting this option to
-# null disables the option.
+# Email a message to this address if a warning is found when the system is
+# being checked. Multiple addresses may be specified simply be separating
+# them with a space. To disable the option, simply set it to the null string
+# or comment it out.
#
-# NOTE: This option should be present in the configuration file.
+# The option may be specified more than once.
+#
+# The default value is the null string.
+#
+# Also see the MAIL_CMD option.
#
-#MAIL-ON-WARNING=me@mydomain root@mydomain
MAIL-ON-WARNING=admin@fripost.org
#
-# Specify the mail command to use if MAIL-ON-WARNING is set.
+# This option specifies the mail command to use if MAIL-ON-WARNING is set.
#
-# NOTE: Double quotes are not required around the command, but
-# are required around the subject line if it contains spaces.
+# NOTE: Double quotes are not required around the command, but are required
+# around the subject line if it contains spaces.
#
-MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
+# The default is to use the 'mail' command, with a subject line
+# of '[rkhunter] Warnings found for ${HOST_NAME}'.
+#
+#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
#
-# Specify the temporary directory to use.
+# This option specifies the directory to use for temporary files.
+#
+# NOTE: Do not use '/tmp' as your temporary directory. Some important files
+# will be written to this directory, so be sure that the directory permissions
+# are secure.
#
-# NOTE: Do not use /tmp as your temporary directory. Some
-# important files will be written to this directory, so be
-# sure that the directory permissions are tight.
+# The installer program will set the default directory. If this default is
+# subsequently commented out or removed, then the program will assume a
+# default directory beneath the installation directory.
#
TMPDIR=/var/lib/rkhunter/tmp
#
-# Specify the database directory to use.
+# This option specifies the database directory to use.
+#
+# The installer program will set the default directory. If this default is
+# subsequently commented out or removed, then the program will assume a
+# default directory beneath the installation directory.
#
DBDIR=/var/lib/rkhunter/db
#
-# Specify the script directory to use.
+# This option specifies the script directory to use.
+#
+# The installer program will set the default directory. If this default is
+# subsequently commented out or removed, then the program will not run.
#
SCRIPTDIR=/usr/share/rkhunter/scripts
#
-# This option can be used to modify the command directory list used
-# by rkhunter to locate commands (that is, its PATH). By default
-# this will be the root PATH, and an internal list of some common
-# command directories.
+# This option can be used to modify the command directory list used by rkhunter
+# to locate commands (that is, its PATH). By default this will be the root PATH,
+# and an internal list of some common command directories.
+#
+# Any directories specified here will, by default, be appended to the default
+# list. However, if a directory name begins with the '+' character, then that
+# directory will be prepended to the list (that is, it will be put at the start
+# of the list).
#
-# Any directories specified here will, by default, be appended to the
-# default list. However, if a directory name begins with the '+'
-# character, then that directory will be prepended to the list (that
-# is, it will be put at the start of the list).
+# This is a space-separated list of directory names. The option may be
+# specified more than once.
#
-# This is a space-separated list of directory names. The option may
-# be specified more than once.
+# The default value is based on the root account PATH environment variable.
#
-#BINDIR="/bin /usr/bin /sbin /usr/sbin"
-#BINDIR="+/usr/local/bin +/usr/local/sbin"
+#BINDIR=/bin /usr/bin /sbin /usr/sbin
+#BINDIR=+/usr/local/bin +/usr/local/sbin
#
-# Specify the default language to use. This should be similar
-# to the ISO 639 language code.
+# This option specifies the default language to use. This should be similar to
+# the ISO 639 language code.
#
# NOTE: Please ensure that the language you specify is supported.
# For a list of supported languages use the following command:
#
# rkhunter --lang en --list languages
#
+# The default language is 'en' (English).
+#
#LANGUAGE=en
#
-# This option is a space-separated list of the languages that are to
-# be updated when the '--update' option is used. If unset, then all
-# the languages will be updated. If none of the languages are to be
-# updated, then set this option to just 'en'.
+# This option is a space-separated list of the languages that are to be updated
+# when the '--update' option is used. If unset, then all the languages will be
+# updated. If none of the languages are to be updated, then set this option to
+# just 'en'.
+#
+# The default language, specified by the LANGUAGE option, and the English (en)
+# language file will always be updated regardless of this option.
+#
+# This option may be specified more than once.
#
-# The default is for all the languages to be updated. The default
-# language, specified above, and the English (en) language file will
-# always be updated regardless of this option.
+# The default value is the null string, indicating that all the language files
+# will be updated.
#
-UPDATE_LANG=""
+#UPDATE_LANG=""
#
-# Specify the log file pathname.
+# This option specifies the log file pathname. The file will be created if it
+# does not initially exist. If the option is unset, then the program will
+# display a message each time it is run saying that the default value is being
+# used.
#
-# NOTE: This option should be present in the configuration file.
+# The default value is '/var/log/rkhunter.log'.
#
LOGFILE=/var/log/rkhunter.log
#
-# Set the following option to 1 if the log file is to be appended to
-# whenever rkhunter is run.
+# Set this option to '1' if the log file is to be appended to whenever rkhunter
+# is run. A value of '0' will cause a new log file to be created whenever the
+# program is run.
#
-APPEND_LOG=0
+# The default value is '0'.
+#
+#APPEND_LOG=0
#
-# Set the following option to 1 if the log file is to be copied when
-# rkhunter finishes and an error or warning has occurred. The copied
-# log file name will be appended with the current date and time
-# (in YYYY-MM-DD_HH:MM:SS format).
+# Set the following option to '1' if the log file is to be copied when rkhunter
+# finishes and an error or warning has occurred. The copied log file name will
+# be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format).
# For example: rkhunter.log.2009-04-21_00:57:51
+# If the option value is '0', then the log file will not be copied regardless
+# of whether any errors or warnings occurred.
+#
+# The default value is '0'.
#
-COPY_LOG_ON_ERROR=0
+#COPY_LOG_ON_ERROR=0
#
-# Set the following option to enable the rkhunter check start and finish
-# times to be logged by syslog. Warning messages will also be logged.
-# The value of the option must be a standard syslog facility and
-# priority, separated by a dot. For example:
+# Set the following option to enable the rkhunter check start and finish times
+# to be logged by syslog. Warning messages will also be logged. The value of
+# the option must be a standard syslog facility and priority, separated by a
+# dot. For example:
#
# USE_SYSLOG=authpriv.warning
#
-# Setting the value to 'none', or just leaving the option commented out,
+# Setting the value to 'NONE', or just leaving the option commented out,
# disables the use of syslog.
#
+# The default value is not to use syslog.
+#
#USE_SYSLOG=authpriv.notice
#
-# Set the following option to 1 if the second colour set is to be used.
-# This can be useful if your screen uses black characters on a white
-# background (for example, a PC instead of a server).
+# Set the following option to '1' if the second colour set is to be used. This
+# can be useful if your screen uses black characters on a white background
+# (for example, a PC instead of a server). A value of '0' will cause the default
+# colour set to be used.
#
-COLOR_SET2=0
+# The default value is '0'.
+#
+#COLOR_SET2=0
#
-# Set the following option to 0 if rkhunter should not detect if X is
-# being used. If X is detected as being used, then the second colour
-# set will automatically be used.
+# Set the following option to '0' if rkhunter should not detect if X is being
+# used. If X is detected as being used, then the second colour set will
+# automatically be used. If set to '1', then the use of X will be detected.
+#
+# The default value is '0'.
#
AUTO_X_DETECT=1
#
-# Set the following option to 1 if it is wanted that any 'Whitelisted'
-# results are shown in white rather than green. For colour set 2 users,
-# setting this option will cause the result to be shown in black.
+# Set the following option to '1' if it is wanted that any 'Whitelisted' results
+# are shown in white rather than green. For colour set 2 users, setting this
+# option will cause the result to be shown in black. Setting the option to '0'
+# causes whitelisted results to be displayed in green.
+#
+# The default value is '0'.
#
-WHITELISTED_IS_WHITE=0
+#WHITELISTED_IS_WHITE=0
#
# The following option is checked against the SSH configuration file
-# 'PermitRootLogin' option. A warning will be displayed if they do not
-# match. However, if a value has not been set in the SSH configuration
-# file, then a value here of 'unset' can be used to avoid warning messages.
-# This option has a default value of 'no'.
+# 'PermitRootLogin' option. A warning will be displayed if they do not match.
+# However, if a value has not been set in the SSH configuration file, then a
+# value here of 'unset' can be used to avoid warning messages.
#
-ALLOW_SSH_ROOT_USER=no
+# The default value is 'no'.
+#
+#ALLOW_SSH_ROOT_USER=no
#
# Set this option to '1' to allow the use of the SSH-1 protocol, but note
@@ -223,103 +312,107 @@ ALLOW_SSH_ROOT_USER=no
# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
# authentication). If the 'Protocol' option has not been set in the SSH
# configuration file, then a value of '2' may be set here in order to
-# suppress a warning message. This option has a default value of '0'.
+# suppress a warning message. A value of '0' indicates that the use of
+# SSH-1 is not allowed.
+#
+# The default value is '0'.
#
-ALLOW_SSH_PROT_V1=0
+#ALLOW_SSH_PROT_V1=0
#
# This setting tells rkhunter the directory containing the SSH configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
+# This option has no default value.
+#
#SSH_CONFIG_DIR=/etc/ssh
#
-# These two options determine which tests are to be performed.
-# The ENABLE_TESTS option can use the word 'all' to refer to all the
-# available tests. The DISABLE_TESTS option can use the word 'none' to
-# mean that no tests are disabled. The list of disabled tests is applied to
-# the list of enabled tests. Both options are space-separated lists of test
-# names. The currently available test names can be seen by using the command
-# 'rkhunter --list tests'.
+# These two options determine which tests are to be performed. The ENABLE_TESTS
+# option can use the word 'ALL' to refer to all of the available tests. The
+# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are
+# disabled. The list of disabled tests is applied to the list of enabled tests.
#
-# The program defaults are to enable all tests and disable none. However, if
-# either of the options below are specified, then they will override the
-# program defaults.
+# Both options are space-separated lists of test names, and both options may
+# be specified more than once. The currently available test names can be seen
+# by using the command 'rkhunter --list tests'.
#
# The supplied configuration file has some tests already disabled, and these
-# are tests that will be used only occasionally, can be considered
-# "advanced" or that are prone to produce more than the average number of
-# false-positives.
+# are tests that will be used only occasionally, can be considered 'advanced'
+# or that are prone to produce more than the average number of false-positives.
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
-# hidden_procs test requires the unhide command which is part of the unhide
-# package in Debian.
+# The default values are to enable all tests and to disable none. However, if
+# either of the options below are specified, then they will override the
+# program defaults.
+#
+# hidden_procs test requires the unhide and/or unhide.rb commands which are
+# part of the unhide respectively unhide.rb packages in Debian.
#
-# apps test is disabled by default as it triggers warnings about outdated
+# apps test is disabled by default as it triggers warnings about outdated
# applications (and warns about possible security risk: we better trust
# the Debian Security Team).
#
-ENABLE_TESTS="all"
-DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
+ENABLE_TESTS=ALL
+DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps
#
-# The HASH_FUNC option can be used to specify the command to use
-# for the file hash value check. It can be specified as just the
-# command name or the full pathname. If just the command name is
-# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or
-# SHA512, then rkhunter will first look for the relevant command,
-# such as 'sha256sum', and then for 'sha256'. If neither of these
-# are found, it will then look to see if a perl module has been
-# installed which will support the relevant hash function. To see
-# which perl modules have been installed use the command
-# 'rkhunter --list perl'.
-#
-# The default is SHA1, or MD5 if SHA1 cannot be found.
+# The HASH_CMD option can be used to specify the command to use for the file
+# properties hash value check. It can be specified as just the command name or
+# the full pathname. If just the command name is given, and it is one of MD5,
+# SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the
+# relevant command, such as 'sha256sum', and then for 'sha256'. If neither of
+# these are found, it will then look to see if a perl module has been installed
+# which will support the relevant hash function. To see which perl modules have
+# been installed use the command 'rkhunter --list perl'.
#
-# Systems using prelinking are restricted to using either the
-# SHA1 or MD5 function.
+# Systems using prelinking are restricted to using either the SHA1 or MD5
+# function.
#
-# A value of 'NONE' (in uppercase) can be specified to indicate that
-# no hash function should be used. Rootkit Hunter will detect this and
-# automatically disable the file hash checks.
+# A value of 'NONE' (in uppercase) can be specified to indicate that no hash
+# function should be used. Rkhunter will detect this, and automatically disable
+# the file properties hash check test.
#
# Examples:
-# For Solaris 9 : HASH_FUNC=gmd5sum
-# For Solaris 10: HASH_FUNC=sha1sum
-# For AIX (>5.2): HASH_FUNC="csum -hMD5"
-# For NetBSD : HASH_FUNC="cksum -a sha512"
+# For Solaris 9 : HASH_CMD=gmd5sum
+# For Solaris 10: HASH_CMD=sha1sum
+# For AIX (>5.2): HASH_CMD="csum -hMD5"
+# For NetBSD : HASH_CMD="cksum -a sha512"
#
-# NOTE: If the hash function is changed then you MUST run rkhunter with
-# the '--propupd' option to rebuild the file properties database.
+# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
-HASH_FUNC=sha512sum
+# The default value is the SHA1 function, or MD5 if SHA1 cannot be found.
+#
+# Also see the HASH_FLD_IDX option.
+#
+HASH_CMD=sha512sum
#
-# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
-# command output contains the hash value. The fields are assumed to
-# be space-separated. The default value is 1, but for *BSD users
-# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
-# has not been set. The option value must be an integer greater
-# than zero.
+# The HASH_FLD_IDX option specifies which field from the HASH_CMD command
+# output contains the hash value. The fields are assumed to be space-separated.
+#
+# The option value must be an integer greater than zero.
+#
+# The default value is '1', but for *BSD users rkhunter will, by default, use a
+# value of '4' if the HASH_CMD option has not been set.
#
#HASH_FLD_IDX=4
#
-# The PKGMGR option tells rkhunter to use the specified package manager
-# to obtain the file property information. This is used when updating
-# the file properties file ('rkhunter.dat'), and when running the file
-# properties check. For RedHat/RPM-based systems, 'RPM' can be used to
-# get information from the RPM database. For Debian-based systems 'DPKG'
-# can be used, for *BSD systems 'BSD' can be used, and for Solaris
-# systems 'SOLARIS' can be used. No value, or a value of 'NONE',
-# indicates that no package manager is to be used. The default is 'NONE'.
+# The PKGMGR option tells rkhunter to use the specified package manager to
+# obtain the file property information. This is used when updating the file
+# properties file ('rkhunter.dat'), and when running the file properties check.
+# For RedHat/RPM-based systems, 'RPM' can be used to get information from the
+# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems
+# 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value,
+# or a value of 'NONE', indicates that no package manager is to be used.
#
-# The current package managers, except 'SOLARIS', store the file hash
-# values using an MD5 hash function. The Solaris package manager includes
-# a checksum value, but this is not used by default (see USE_SUNSUM below).
+# The current package managers, except 'SOLARIS', store the file hash values
+# using an MD5 hash function. The Solaris package manager includes a checksum
+# value, but this is not used by default (see USE_SUNSUM below).
#
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
# The 'RPM' package manager additionally provides values for the inode,
@@ -327,9 +420,13 @@ HASH_FUNC=sha512sum
# most of the values, similar to 'RPM', but not the inode number.
#
# For any file not part of a package, rkhunter will revert to using the
-# HASH_FUNC hash function instead.
+# HASH_CMD hash function instead.
+#
+# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# The default value is 'NONE'.
#
-# Whenever this option is changed 'rkhunter --propupd' must be run.
+# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options.
#
# NONE is the default for Debian as well, as running --propupd takes
# about 4 times longer when it's set to DPKG
@@ -337,286 +434,303 @@ HASH_FUNC=sha512sum
#PKGMGR=NONE
#
-# It is possible that a file which is part of a package may be modified
-# by the administrator. Typically this occurs for configuration files.
-# However, the package manager may list the file as being modified. For
-# the RPM package manager this may well depend on how the package was
-# built. This option specifies those pathnames which are to be exempt
-# from the package manager verification process, and which will be treated
-# as non-packaged files. As such, the file properties are still checked.
+# It is possible that a file, which is part of a package, may have been
+# modified by the administrator. Typically this occurs for configuration
+# files. However, the package manager may list the file as being modified.
+# For the RPM package manager this may well depend on how the package was
+# built. This option specifies a pathname which is to be exempt from the
+# package manager verification process, and which will be treated
+# as a non-packaged file. As such, the file properties are still checked.
#
# This option only takes effect if the PKGMGR option has been set, and
# is not 'NONE'.
#
-# This is a space-separated list of pathnames. The option may
-# be specified more than once.
+# This option may be specified more than once.
#
-# Whenever this option is changed 'rkhunter --propupd' must be run.
+# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# The default value is the null string.
#
#PKGMGR_NO_VRFY=""
#
-# This option can be used to tell rkhunter to ignore any prelink
-# dependency errors for the given commands. However, a warning will also
-# be issued if the error does not occur for a given command. As such
-# this option must only be used on commands which experience a persistent
-# problem.
+# If the 'SOLARIS' package manager is used, then it is possible to use the
+# checksum (hash) value stored for a file. However, this is only a 16-bit
+# checksum, and as such is not nearly as secure as, for example, a SHA-2 value.
+# If the option is set to '0', then the checksum is not used and the hash
+# function given by HASH_CMD is used instead. To enable this option, set its
+# value to '1'. The Solaris 'sum' command must be present on the system if this
+# option is used.
+#
+# The default value is '0'.
+#
+#USE_SUNSUM=0
+
+#
+# This option can be used to tell rkhunter to ignore any prelink dependency
+# errors for the given commands. However, a warning will also be issued if the
+# error does not occur for a given command. As such this option must only be
+# used on commands which experience a persistent problem.
#
# Short-term prelink dependency errors can usually be resolved simply by
# running the 'prelink' command on the given pathname.
#
-# NOTE: The command 'rkhunter --propupd' must be run whenever this option
-# is changed.
-#
# This is a space-separated list of command pathnames. The option can be
# specified more than once.
#
-#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top"
-
+# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
-# If the 'SOLARIS' package manager is used, then it is possible to use
-# the checksum (hash) value stored for a file. However, this is only a
-# 16-bit checksum, and as such is not nearly as secure as, for example,
-# a SHA-2 value. For that reason, the checksum is not used by default,
-# and the hash function given by HASH_FUNC is used instead. To enable
-# this option, set its value to 1. The Solaris 'sum' command must be
-# present on the system if this option is used.
+# The default value is the null string.
#
-#USE_SUNSUM=0
+#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top
#
-# This option is a space-separated list of commands, directories and file
-# pathnames which will be included in the file properties checks.
-# This option can be specified more than once.
+# These options specify a command, directory or file pathname which will be
+# included or excluded in the file properties checks.
+#
+# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example,
+# 'top' - and directory names are added to the internal list of directories to
+# be searched for each of the command names in the command list. Additionally,
+# full pathnames to files, which need not be commands, may be given. Any files
+# or directories which are already part of the internal lists will be silently
+# ignored from the configuration.
+#
+# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for
+# simple command names.
+# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
+#
+# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS
+# option. Wildcards may be used with this option.
+#
+# By combining these two options, and using wildcards, whole directories can be
+# excluded. For example:
#
-# Whenever this option is changed, 'rkhunter --propupd' must be run.
+# USER_FILEPROP_FILES_DIRS=/etc/*
+# USER_FILEPROP_FILES_DIRS=/etc/*/*
+# EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/*
#
-# Simple command names - for example, 'top' - and directory names are
-# added to the internal list of directories to be searched for each of
-# the command names in the command list. Additionally, full pathnames
-# to files, which need not be commands, may be given. Any files or
-# directories which are already part of the internal lists will be
+# This will look for files in the first two directory levels of '/etc'. However,
+# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be
+# excluded.
+#
+# NOTE: Only files and directories which have been added by the user, and are
+# not part of the internal lists, can be excluded. So, for example, it is not
+# possible to exclude the 'ps' command by using '/bin/ps'. These will be
# silently ignored from the configuration.
#
-# Normal globbing wildcards are allowed, except for simple command names.
-# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
+# Both options can be specified more than once.
+#
+# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run.
+#
+# The default value for both options is the null string.
+#
+#USER_FILEPROP_FILES_DIRS=top
+#USER_FILEPROP_FILES_DIRS=/usr/local/sbin
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
+#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/*
+#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/*
+#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps*
+#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat
+#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter*
+
#
-# Specific files may be excluded by preceding their name with an
-# exclamation mark (!). For example, '!/opt/top'. By combining this
-# with wildcarding, whole directories can be excluded. For example,
-# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
-# two directory levels of '/etc'. However, anything in '/etc/rc0.d',
-# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
-#
-# NOTE: Only files and directories which have been added by the user,
-# and are not part of the internal lists, can be excluded. So, for
-# example, it is not possible to exclude the 'ps' command by using
-# '!/bin/ps'. These will be silently ignored from the configuration.
-#
-#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
-#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
-#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
-#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
-#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
-#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
-#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"
-
-#
-# This option whitelists files and directories from existing,
-# or not existing, on the system at the time of testing. This
-# option is used when the configuration file options themselves
-# are checked, and during the file properties check, the hidden
-# files and directories checks, and the filesystem check of the
-# '/dev' directory.
-#
-# This is a space-separated list of pathnames. The option may be
-# specified more than once. The option may use wildcard characters,
-# but be aware that this is probably not what you want to do as the
-# wildcarding will be expanded after files have been deleted. As
-# such deleted files won't be whitelisted if wildcarded.
-#
-# NOTE: The user must take into consideration how often the file will
-# appear and disappear from the system in relation to how often
-# rkhunter is run. If the file appears, and disappears, too often
-# then rkhunter may not notice this. All it will see is that the file
-# has changed. The inode-number and DTM will certainly be different
-# for each new file, and rkhunter will report this.
+# This option whitelists files and directories from existing, or not existing,
+# on the system at the time of testing. This option is used when the
+# configuration file options themselves are checked, and during the file
+# properties check, the hidden files and directories checks, and the filesystem
+# check of the '/dev' directory.
+#
+# This option may be specified more than once, and may use wildcards.
+# Be aware though that this is probably not what you want to do as the
+# wildcarding will be expanded after files have been deleted. As such
+# deleted files won't be whitelisted if wildcarded.
+#
+# NOTE: The user must take into consideration how often the file will appear
+# and disappear from the system in relation to how often rkhunter is run. If
+# the file appears, and disappears, too often then rkhunter may not notice
+# this. All it will see is that the file has changed. The inode-number and DTM
+# will certainly be different for each new file, and rkhunter will report this.
+#
+# The default value is the null string.
#
#EXISTWHITELIST=""
#
-# Whitelist various attributes of the specified files.
-# The attributes are those of the 'attributes' test.
-# Specifying a file name here does not include it being
-# whitelisted for the write permission test (see below).
+# Whitelist various attributes of the specified file. The attributes are those
+# of the 'attributes' test. Specifying a file name here does not include it
+# being whitelisted for the write permission test (see below).
#
-# This is a space-separated list of filenames. The option may
-# be specified more than once. The option may use wildcard
-# characters.
+# This option may be specified more than once, and may use wildcard characters.
#
-#ATTRWHITELIST="/bin/ps /usr/bin/date"
+# The default value is the null string.
+#
+#ATTRWHITELIST=/usr/bin/date
#
-# Allow the specified commands to have the 'others'
-# (world) permission have the write-bit set.
+# Allow the specified file to have the 'others' (world) permission have the
+# write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx.
#
-# For example, files with permissions r-xr-xrwx
-# or rwxrwxrwx.
+# This option may be specified more than once, and may use wildcard characters.
#
-# This is a space-separated list of filenames. The option may
-# be specified more than once. The option may use wildcard
-# characters.
+# The default value is the null string.
#
-#WRITEWHITELIST="/bin/ps /usr/bin/date"
+#WRITEWHITELIST=/usr/bin/date
#
-# Allow the specified commands to be scripts.
+# Allow the specified file to be a script.
+#
+# This option may be specified more than once, and may use wildcard characters.
#
-# This is a space-separated list of filenames. The option may
-# be specified more than once. The option may use wildcard
-# characters.
+# The default value is the null string.
#
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
-SCRIPTWHITELIST=/usr/bin/lwp-request
+#SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
-SCRIPTWHITELIST=/usr/sbin/prelink
+#SCRIPTWHITELIST=/usr/sbin/prelink
+#SCRIPTWHITELIST=/usr/bin/unhide.rb
#
-# Allow the specified commands to have the immutable attribute set.
+# Allow the specified file to have the immutable attribute set.
#
-# This is a space-separated list of filenames. The option may
-# be specified more than once. The option may use wildcard
-# characters.
+# This option may be specified more than once, and may use wildcard characters.
#
-#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown"
+# The default value is the null string.
+#
+#IMMUTWHITELIST=/sbin/ifdown
#
-# If this option is set to 1, then the immutable-bit test is
-# reversed. That is, the files are expected to have the bit set.
+# If this option is set to '1', then the immutable-bit test is reversed. That
+# is, the files are expected to have the bit set. A value of '0' means that the
+# immutable-bit should not be set.
+#
+# The default value is '0'.
#
-IMMUTABLE_SET=0
+#IMMUTABLE_SET=0
#
-# Allow the specified hidden directories to be whitelisted.
+# Allow the specified hidden directory to be whitelisted.
+#
+# This option may be specified more than once, and may use wildcard characters.
#
-# This is a space-separated list of directory pathnames.
-# The option may be specified more than once. The option
-# may use wildcard characters.
+# The default value is the null string.
#
-ALLOWHIDDENDIR="/etc/.java"
-#ALLOWHIDDENDIR="/dev/.static"
-#ALLOWHIDDENDIR="/dev/.SRC-unix"
-ALLOWHIDDENDIR="/etc/.git"
+#ALLOWHIDDENDIR=/etc/.java
+ALLOWHIDDENDIR=/etc/.git
#
-# Allow the specified hidden files to be whitelisted.
+# Allow the specified hidden file to be whitelisted.
#
-# This is a space-separated list of filenames. The option may
-# be specified more than once. The option may use wildcard
-# characters.
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
#
-#ALLOWHIDDENFILE="/etc/.java"
-#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
-#ALLOWHIDDENFILE="/etc/.pwd.lock"
-#ALLOWHIDDENFILE="/etc/.init.state"
-#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
-#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
-#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
-#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
-#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
-#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
-#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
-#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
-#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
-#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
-#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
-#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
-#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
-ALLOWHIDDENFILE="/etc/.gitignore"
-ALLOWHIDDENFILE="/etc/.etckeeper"
-#ALLOWHIDDENFILE="/etc/.bzrignore"
-
-#
-# Allow the specified processes to use deleted files. The
-# process name may be followed by a colon-separated list of
-# full pathnames. The process will then only be whitelisted
-# if it is using one of the given files. For example:
-#
-# ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz"
-#
-# This is a space-separated list of process names. The option
-# may be specified more than once. The option may use wildcard
-# characters, but only in the file names.
-#
-#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
-#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2"
-#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*"
-#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin"
-#ALLOWPROCDELFILE="/usr/bin/file-roller"
-
-#
-# Allow the specified processes to listen on any network interface.
-#
-# This is a space-separated list of process names. The option
-# may be specified more than once.
-#
-#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
-#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
-#ALLOWPROCLISTEN="/usr/sbin/snort-plain"
+#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
+#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
+#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
+#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
+#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
+#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
+#ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
+ALLOWHIDDENFILE=/etc/.etckeeper
+ALLOWHIDDENFILE=/etc/.gitignore
+#ALLOWHIDDENFILE=/etc/.bzrignore
+
+
+#
+# Allow the specified process to use deleted files. The process name may be
+# followed by a colon-separated list of full pathnames. The process will then
+# only be whitelisted if it is using one of the given files. For example:
+#
+# ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
+#
+# This option may be specified more than once. It may also use wildcards, but
+# only in the file names.
+#
+# The default value is the null string.
+#
+#ALLOWPROCDELFILE=/sbin/cardmgr
+#ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
+#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
+#ALLOWPROCDELFILE=/usr/lib/iceweasel/firefox-bin
+#ALLOWPROCDELFILE=/usr/bin/file-roller
+
+#
+# Allow the specified process to listen on any network interface.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWPROCLISTEN=/sbin/dhclient
+#ALLOWPROCLISTEN=/usr/bin/dhcpcd
+#ALLOWPROCLISTEN=/usr/sbin/tcpdump
+#ALLOWPROCLISTEN=/usr/sbin/snort-plain
#
# Allow the specified network interfaces to be in promiscuous mode.
#
-# This is a space-separated list of interface names. The option may
-# be specified more than once.
+# This is a space-separated list of interface names. The option may be
+# specified more than once.
+#
+# The default value is the null string.
#
-#ALLOWPROMISCIF="eth0"
+#ALLOWPROMISCIF=eth0
#
-# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
-# The two allowed options are: THOROUGH or LAZY.
-# If commented out we do a THOROUGH scan which will increase the runtime.
-# Even though this adds to the running time it is highly recommended to
-# leave it like this.
+# This option specifies how rkhunter should scan the '/dev' directory for
+# suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'.
+#
+# A THOROUGH scan will increase the overall runtime of rkhunter. Despite this,
+# it is highly recommended that this value is used.
+#
+# The default value is 'THOROUGH'.
+#
+# Also see the ALLOWDEVFILE option.
#
#SCAN_MODE_DEV=THOROUGH
#
-# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
-# perform a basic check, or a more thorough check. If the option is set to 0,
-# then a basic check is performed. If it is set to 1, then all the directries
-# in the /etc and /usr directories are scanned. The default value is 0. Users
-# should note that setting this option to 1 will cause the test to take longer
-# to complete.
+# Allow the specified file to be present in the '/dev' directory, and not
+# regarded as suspicious.
+#
+# This option may be specified more than once, and may use wildcard characters.
#
-PHALANX2_DIRTEST=0
+# The default value is the null string.
+#
+#ALLOWDEVFILE=/dev/shm/pulse-shm-*
+#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
#
-# Allow the specified files to be present in the /dev directory,
-# and not regarded as suspicious.
+# This option is used to indicate if the Phalanx2 test is to perform a basic
+# check, or a more thorough check. If the option is set to '0', then a basic
+# check is performed. If it is set to '1', then all the directories in the
+# '/etc' and '/usr' directories are scanned.
+#
+# NOTE: Setting this option to '1' will cause the test to take longer
+# to complete.
#
-# This is a space-separated list of pathnames. The option may
-# be specified more than once. The option may use wildcard
-# characters.
+# The default value is '0'.
#
-#ALLOWDEVFILE="/dev/shm/pulse-shm-*"
-#ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
+#PHALANX2_DIRTEST=0
#
-# This setting tells rkhunter where the inetd configuration
-# file is located.
+# This option tells rkhunter where the inetd configuration file is located.
+#
+# The default value is the null string.
#
#INETD_CONF_PATH=/etc/inetd.conf
#
-# Allow the following enabled inetd services.
+# This option allows the specified enabled inetd services.
#
-# This is a space-separated list of service names. The option may
-# be specified more than once.
+# This is a space-separated list of service names. The option may be specified
+# more than once.
#
# For non-Solaris users the simple service name should be used.
# For example:
@@ -628,7 +742,7 @@ PHALANX2_DIRTEST=0
# For example:
#
# INETD_ALLOWED_SVC=imaps
-# INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd"
+# INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd
#
# For Solaris 10 users the service/FMRI name should be used. For example:
#
@@ -637,207 +751,280 @@ PHALANX2_DIRTEST=0
# INETD_ALLOWED_SVC=/application/font/stfsloader
# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#
+# The default value is the null string.
+#
#INETD_ALLOWED_SVC=echo
#
-# This setting tells rkhunter where the xinetd configuration
-# file is located.
+# This option tells rkhunter where the xinetd configuration file is located.
+#
+# The default value is the null string.
#
#XINETD_CONF_PATH=/etc/xinetd.conf
#
-# Allow the following enabled xinetd services. Whilst it would be
-# nice to use the service names themselves, at the time of testing
-# we only have the pathname available. As such, these entries are
-# the xinetd file pathnames.
+# This option allows the specified enabled xinetd services. Whilst it would be
+# nice to use the service names themselves, at the time of testing we only have
+# the pathname available. As such, these entries are the xinetd file pathnames.
#
-# This is a space-separated list of service names. The option may
-# be specified more than once.
+# This is a space-separated list of service names. The option may be specified
+# more than once.
+#
+# The default value is the null string.
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
#
-# This option tells rkhunter the local system startup file pathnames.
-# The directories will be searched for files. By default rkhunter
-# will use certain filenames and directories. If the option is set
-# to 'none', then certain tests will be skipped.
+# This option tells rkhunter the local system startup file pathnames. The
+# directories will be searched for files. By default rkhunter will try and
+# determine were the startup files are located. If the option is set to 'NONE',
+# then certain tests will be skipped.
+#
+# This is a space-separated list of file and directory pathnames. The option
+# may be specified more than once, and may use wildcard characters.
#
-# This is a space-separated list of file and directory pathnames.
-# The option may be specified more than once. The option may use
-# wildcard characters.
+# This option has no default value.
#
-#STARTUP_PATHS="/etc/init.d /etc/rc.local"
+#STARTUP_PATHS=/etc/init.d /etc/rc.local
#
-# This setting tells rkhunter the pathname to the file containing the
-# user account passwords. This setting will be worked out by rkhunter,
-# and so should not usually need to be set. Users of TCB shadow files
-# should not set this option.
+# This option tells rkhunter the pathname to the file containing the user
+# account passwords. This setting will be worked out by rkhunter, and so
+# should not usually need to be set. Users of TCB shadow files should not
+# set this option.
+#
+# This option has no default value.
#
#PASSWORD_FILE=/etc/shadow
#
-# Allow the following accounts to be root equivalent. These accounts
-# will have a UID value of zero. The 'root' account does not need to
-# be listed as it is automatically whitelisted.
+# This option allows the specified accounts to be root equivalent. These
+# accounts will have a UID value of zero. The 'root' account does not need
+# to be listed as it is automatically whitelisted.
#
-# This is a space-separated list of account names. The option may
-# be specified more than once.
+# This is a space-separated list of account names. The option may be specified
+# more than once.
#
-# NOTE: For *BSD systems you will probably need to use this option
-# for the 'toor' account.
+# NOTE: For *BSD systems you will probably need to use this option for the
+# 'toor' account.
#
-#UID0_ACCOUNTS="toor rooty sashroot"
+# The default value is the null string.
+#
+#UID0_ACCOUNTS=toor rooty sashroot
#
-# Allow the following accounts to have no password. NIS/YP entries do
-# not need to be listed as they are automatically whitelisted.
+# This option allows the specified accounts to have no password. NIS/YP entries
+# do not need to be listed as they are automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may be specified
+# more than once.
#
-# This is a space-separated list of account names. The option may
-# be specified more than once.
+# The default value is the null string.
#
-#PWDLESS_ACCOUNTS="abc"
+#PWDLESS_ACCOUNTS=abc
#
-# This setting tells rkhunter the pathname to the syslog configuration
-# file. This setting will be worked out by rkhunter, and so should not
-# usually need to be set. A value of 'NONE' can be used to indicate
-# that there is no configuration file, but that the syslog daemon process
-# may be running.
+# This option tells rkhunter the pathname to the syslog configuration file.
+# This setting will be worked out by rkhunter, and so should not usually need
+# to be set. A value of 'NONE' can be used to indicate that there is no
+# configuration file, but that the syslog daemon process may be running.
#
-# This is a space-separated list of pathnames. The option may
-# be specified more than once.
+# This is a space-separated list of pathnames. The option may be specified
+# more than once.
+#
+# This option has no default value.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf
#
-# This option permits the use of syslog remote logging.
+# If this option is set to '1', then the use of syslog remote logging is
+# permitted. A value of '0' disallows the use of remote logging.
+#
+# The default value is '0'.
#
-ALLOW_SYSLOG_REMOTE_LOGGING=0
+#ALLOW_SYSLOG_REMOTE_LOGGING=0
#
-# Allow the following applications, or a specific version of an application,
-# to be whitelisted. This option may be specified more than once, and is a
-# space-separated list consisting of the application names. If a specific
-# version is to be whitelisted, then the name must be followed by a colon
-# and then the version number. For example:
+# This option allows the specified applications, or a specific version of an
+# application, to be whitelisted. If a specific version is to be whitelisted,
+# then the name must be followed by a colon and then the version number.
+# For example:
+#
+# APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29
#
-# APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
+# This is a space-separated list of pathnames. The option may be specified
+# more than once.
#
-# Note above that for the Apache web server, the name 'httpd' is used.
+# The default value is the null string.
#
#APP_WHITELIST=""
#
-# Scan for suspicious files in directories containing temporary files and
-# directories posing a relatively higher risk due to user write access.
-# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
-# producing false positives. Do review all settings before usage.
-# Also be aware that running suspscan in combination with verbose logging on,
-# RKH's default, will show all ignored files.
-# Please consider adding all directories the user the (web)server runs as has
-# write access to including the document root (example: "/var/www") and log
-# directories (example: "/var/log/httpd").
-#
-# This is a space-separated list of directory pathnames.
-# The option may be specified more than once.
+# Set this option to scan for suspicious files in directories which pose a
+# relatively higher risk due to user write access.
+#
+# Please do not enable the 'suspscan' test by default as it is CPU and I/O
+# intensive, and prone to producing false positives. Do review all settings
+# before usage. Also be aware that running 'suspscan' in combination with
+# verbose logging on, rkhunter's default, will show all ignored files.
#
-#SUSPSCAN_DIRS="/tmp /var/tmp"
+# Please consider adding all directories the user the (web)server runs as,
+# and has write access to, including the document root (e.g: '/var/www') and
+# log directories (e.g: '/var/log/httpd').
+#
+# This is a space-separated list of directory pathnames. The option may be
+# specified more than once.
+#
+# The default value is the '/tmp' and '/var/tmp' directories.
+#
+#SUSPSCAN_DIRS=/tmp /var/tmp
#
-# Directory for temporary files. A memory-based one is better (faster).
-# Do not use a directory name that is listed in SUSPSCAN_DIRS.
-# Please make sure you have a tempfs mounted and the directory exists.
+# This option specifies the directory for temporary files used by the
+# 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is
+# better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS
+# as that is highly likely to cause false-positive results.
+#
+# The default value is '/dev/shm'.
#
-SUSPSCAN_TEMP=/dev/shm
+#SUSPSCAN_TEMP=/dev/shm
#
-# Maximum filesize in bytes. Files larger than this will not be inspected.
-# Do make sure you have enough space left in your temporary files directory.
+# This option specifies the 'suspscan' test maximum filesize in bytes. Files
+# larger than this will not be inspected. Do make sure you have enough space
+# available in your temporary files directory.
+#
+# The default value is '1024000'.
#
-SUSPSCAN_MAXSIZE=10240000
+#SUSPSCAN_MAXSIZE=10240000
#
-# Score threshold. Below this value no hits will be reported.
-# A value of "200" seems "good" after testing on malware. Please adjust
-# locally if necessary.
+# This option specifies the 'suspscan' test score threshold. Below this value
+# no hits will be reported.
#
-SUSPSCAN_THRESH=200
+# The default value is '200'.
+#
+#SUSPSCAN_THRESH=200
#
-# The following option can be used to whitelist network ports which
-# are known to have been used by malware. This option may be specified
-# more than once. The option is a space-separated list of one or more
-# of four types of whitelisting. These are:
+# The following options can be used to whitelist network ports which are known
+# to have been used by malware.
#
-# 1) a 'protocol:port' pair (e.g. TCP:25)
-# 2) a pathname to an executable (e.g. /usr/sbin/squid)
-# 3) a combined pathname, protocol and port
-# (e.g. /usr/sbin/squid:TCP:3801)
-# 4) an asterisk ('*')
+# The PORT_WHITELIST option is a space-separated list of one or more of two
+# types of whitelisting. These are:
#
-# Only the UDP or TCP protocol may be specified, and the port number
-# must be between 1 and 65535 inclusive.
+# 1) a 'protocol:port' pair
+# 2) an asterisk ('*')
#
-# The asterisk can be used to indicate that any executable which rkhunter
-# can locate as a command, is whitelisted. (See BINDIR in this file.)
+# Only the UDP or TCP protocol may be specified, and the port number must be
+# between 1 and 65535 inclusive.
#
-# For example:
+# The asterisk can be used to indicate that any executable which rkhunter can
+# locate as a command, is whitelisted. (Also see BINDIR)
+#
+# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting.
+# These are:
+#
+# 1) a pathname to an executable
+# 2) a combined pathname, protocol and port
+#
+# As above, the protocol can only be TCP or UDP, and the port number must be
+# between 1 and 65535 inclusive.
+#
+# Examples:
+#
+# PORT_WHITELIST=TCP:2001 UDP:32011
+# PORT_PATH_WHITELIST=/usr/sbin/squid
+# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
+#
+# NOTE: In order to whitelist a pathname, or use the asterisk option, the
+# 'lsof' command must be present.
#
-# PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
+# Both options may be specified more than once.
#
-# NOTE: In order to whitelist a pathname, or use the asterisk option,
-# the 'lsof' command must be present.
+# The default value for both options is the null string.
#
#PORT_WHITELIST=""
+#PORT_PATH_WHITELIST=""
#
-# The following option can be used to tell rkhunter where the operating
-# system 'release' file is located. This file contains information
-# specifying the current O/S version. RKH will store this information
-# itself, and check to see if it has changed between each run. If it has
-# changed, then the user is warned that RKH may issue warning messages
-# until RKH has been run with the '--propupd' option.
+# The following option can be used to tell rkhunter where the operating system
+# 'release' file is located. This file contains information specifying the
+# current O/S version. RKH will store this information, and check to see if it
+# has changed between each run. If it has changed, then the user is warned that
+# RKH may issue warning messages until RKH has been run with the '--propupd'
+# option.
#
-# Since the contents of the file vary according to the O/S distribution,
-# RKH will perform different actions when it detects the file itself. As
-# such, this option should not be set unless necessary. If this option is
-# specified, then RKH will assume the O/S release information is on the
-# first non-blank line of the file.
+# Since the contents of the file vary according to the O/S distribution, RKH
+# will perform different actions when it detects the file itself. As such, this
+# option should not be set unless necessary. If this option is specified, then
+# RKH will assume the O/S release information is on the first non-blank line of
+# the file.
#
-#OS_VERSION_FILE="/etc/debian_version"
+# This option has no default value.
+#
+# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options.
+#
+#OS_VERSION_FILE=/etc/debian_version
#
-# The following two options can be used to whitelist files and directories
-# that would normally be flagged with a warning during the various rootkit
-# and malware checks. If the file or directory name contains a space, then
-# the percent character ('%') must be used instead. Only existing files and
-# directories can be specified, and these must be full pathnames not links.
+# Set the following option to '0' if you do not want to receive a warning if any
+# O/S information has changed since the last run of 'rkhunter --propupd'. The
+# warnings occur during the file properties check. Setting a value of '1' will
+# cause rkhunter to issue a warning if something has changed.
+#
+# The default value is '1'.
+#
+#WARN_ON_OS_CHANGE=1
+
+#
+# Set the following option to '1' if you want rkhunter to automatically run a
+# file properties update ('--propupd') if the O/S has changed. Detection of an
+# O/S change occurs during the file properties check. Setting a value of '0'
+# will cause rkhunter not to do an automatic update.
+#
+# WARNING: Only set this option if you are sure that the update will work
+# correctly. That is, that the database directory is writeable, that a valid
+# hash function is available, and so on. This can usually be checked simply by
+# running 'rkhunter --propupd' at least once.
+#
+# The default value is '0'.
+#
+#UPDT_ON_OS_CHANGE=0
+
+#
+# The following two options can be used to whitelist files and directories that
+# would normally be flagged with a warning during the various rootkit and
+# malware checks. Only existing files and directories can be specified, and
+# these must be full pathnames not links.
#
# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
# file name (separated by a colon). This will then only whitelist that string
# in that file (as part of the malware checks). For example:
#
-# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
+# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
#
# If the option list includes the filename on its own as well, then the file
# will be whitelisted from rootkit checks of the files existence, but still
# only the specific string within the file will be whitelisted. For example:
#
-# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
+# RTKT_FILE_WHITELIST=/etc/rc.local
+# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
#
# To whitelist a file from the existence checks, but not from the strings
-# checks, then include the filename on its own and on its own but with
-# just a colon appended. For example:
+# checks, then include the filename on its own and on its own but with just
+# a colon appended. For example:
#
-# RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
+# RTKT_FILE_WHITELIST=/etc/rc.local
+# RTKT_FILE_WHITELIST=/etc/rc.local:
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
-# These are space-separated lists of file and directory pathnames.
-# The options may be specified more than once.
+# Both of these options may be specified more than once.
+#
+# For both options the default value is the null string.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""
@@ -852,18 +1039,22 @@ SUSPSCAN_THRESH=200
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
-# This is a space-separated list of library pathnames.
-# The option may be specified more than once.
+# This option is a space-separated list of library pathnames. The option may be
+# specified more than once.
+#
+# The default value is the null string.
#
-#SHARED_LIB_WHITELIST="/lib/snoopy.so"
+#SHARED_LIB_WHITELIST=/lib/snoopy.so
#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
-# command, then the following two options can be used. The value must be
-# set to 'BUILTIN'.
+# command the following two options can be used. The value must be set to
+# 'BUILTIN'.
#
# NOTE: IRIX users will probably need to enable STAT_CMD.
#
+# For both options the default value is the null string.
+#
#STAT_CMD=BUILTIN
#READLINK_CMD=BUILTIN
@@ -873,18 +1064,22 @@ SUSPSCAN_THRESH=200
# failing that the 'perl' command, to display the date and time in a
# human-readable format as well. This option may be used if some other command
# should be used instead. The given command must understand the '%s' and
-# 'seconds ago' options found in the GNU date command.
+# 'seconds ago' options found in the GNU 'date' command.
#
# A value of 'NONE' may be used to request that only the epoch seconds be shown.
# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
# it is present.
#
+# This option has no default value.
+#
#EPOCH_DATE_CMD=""
#
-# This setting tells rkhunter the directory containing the available
-# Linux kernel modules. This setting will be worked out by rkhunter,
-# and so should not usually need to be set.
+# This setting tells rkhunter the directory containing the available Linux
+# kernel modules. This setting will be worked out by rkhunter, and so should
+# not usually need to be set.
+#
+# This option has no default value.
#
#MODULES_DIR=""
@@ -905,100 +1100,152 @@ SUSPSCAN_THRESH=200
#
# WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
#
-# *BSD users may want to use the 'ftp' command, provided that it supports
-# the HTTP protocol:
+# *BSD users may want to use the 'ftp' command, provided that it supports the
+# HTTP protocol:
#
# WEB_CMD="ftp -o -"
#
-#WEB_CMD=""
-
-#
-# Set the following option to 0 if you do not want to receive a warning if
-# any O/S information has changed since the last run of 'rkhunter --propupd'.
-# The warnings occur during the file properties check. The default is to
-# issue a warning if something has changed.
+# This option has no default value.
#
-#WARN_ON_OS_CHANGE=1
-
-#
-# Set the following option to 1 if you want rkhunter to automatically run
-# a file properties update ('--propupd') if the O/S has changed. Detection
-# of an O/S change occurs during the file properties check. The default is
-# not to do an automatic update.
-#
-# WARNING: Only set this option if you are sure that the update will work
-# correctly. That is, that the database directory is writeable, that a valid
-# hash function is available, and so on. This can usually be checked simply
-# by running 'rkhunter --propupd' at least once.
-#
-#UPDT_ON_OS_CHANGE=0
+#WEB_CMD=""
#
-# Set the following option to 1 if locking is to be used when rkhunter runs.
+# Set the following option to '1' if locking is to be used when rkhunter runs.
# The lock is set just before logging starts, and is removed when the program
# ends. It is used to prevent items such as the log file, and the file
# properties file, from becoming corrupted if rkhunter is running more than
# once. The mechanism used is to simply create a lock file in the TMPDIR
# directory. If the lock file already exists, because rkhunter is already
# running, then the current process simply loops around sleeping for 10 seconds
-# and then retrying the lock.
+# and then retrying the lock. A value of '0' means not to use locking.
+#
+# The default value is '0'.
#
-# The default is not to use locking.
+# Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
#
-USE_LOCKING=0
+#USE_LOCKING=0
#
# If locking is used, then rkhunter may have to wait to get the lock file.
# This option sets the total amount of time, in seconds, that rkhunter should
# wait. It will retry the lock every 10 seconds, until either it obtains the
-# lock or the timeout value has been reached. If no value is set, then a
-# default of 300 seconds (5 minutes) is used.
+# lock or the timeout value has been reached.
#
-LOCK_TIMEOUT=300
+# The default value is 300 seconds (5 minutes).
+#
+#LOCK_TIMEOUT=300
#
# If locking is used, then rkhunter may be doing nothing for some time if it
-# has to wait for the lock. Some simple messages are echo'd to the users screen
-# to let them know that rkhunter is waiting for the lock. Set this option to 0
-# if the messages are not to be displayed. The default is to show them.
+# has to wait for the lock. If this option is set to '1', then some simple
+# messages are echoed to the users screen to let them know that rkhunter is
+# waiting for the lock. Set this option to '0' if the messages are not to be
+# displayed.
+#
+# The default value is '1'.
#
-SHOW_LOCK_MSGS=1
+#SHOW_LOCK_MSGS=1
#
-# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
-# will search (on a per rootkit basis) for filenames in all of the directories (as defined
-# by the result of running 'find / -xdev'). While still not optimal, as it
-# still searches for only file names as opposed to file contents, this is one step away
-# from the rigidity of searching in known (evidence) or default (installation) locations.
+# If this option is set to 'THOROUGH' then rkhunter will search (on a per
+# rootkit basis) for filenames in all of the directories (as defined by the
+# result of running 'find / -xdev'). While still not optimal, as it still
+# searches for only file names as opposed to file contents, this is one step
+# away from the rigidity of searching in known (evidence) or default
+# (installation) locations.
#
# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
#
-# You should only activate this feature as part of a more thorough investigation which
-# should be based on relevant best practices and procedures.
+# You should only activate this feature as part of a more thorough
+# investigation, which should be based on relevant best practices and
+# procedures.
#
-# Enabling this feature implies you have the knowledge to interpret the results properly.
+# Enabling this feature implies you have the knowledge to interpret the
+# results properly.
+#
+# The default value is the null string.
#
#SCANROOTKITMODE=THOROUGH
#
-# The following option can be set to the name(s) of the tests the 'unhide' command is
-# to use. In order to maintain compatibility with older versions of 'unhide', this
-# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but
-# will only take effect when they are seen. The test names are a space-separated list,
-# and will be executed in the order given.
+# The following option can be set to the name(s) of the tests the 'unhide'
+# command is to use. Options such as '-m' and '-v' may be specified, but will
+# only take effect when they are seen. The test names are a space-separated
+# list, and will be executed in the order given.
+#
+# This option may be specified more than once.
+#
+# The default value is 'sys' in order to maintain compatibility with older
+# versions of 'unhide'.
+#
+#UNHIDE_TESTS=sys
+
+#
+# The following option can be used to set options for the 'unhide-tcp' command.
+# The options are space-separated.
#
-#UNHIDE_TESTS="sys"
+# This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#UNHIDETCP_OPTS=""
#
-# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it
-# is possible to disable the execution of one of the programs if desired. By default
-# rkhunter will look for both programs, and execute each of them as they are found.
-# If the value of this option is 0, then both programs will be executed if they are
-# present. A value of 1 will disable execution of the C 'unhide' program, and a value
-# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable
-# both programs, then disable the 'hidden_procs' test.
+# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system,
+# then it is possible to disable the execution of one of the programs if
+# desired. By default rkhunter will look for both programs, and execute each
+# of them as they are found. If the value of this option is '0', then both
+# programs will be executed if they are present. A value of '1' will disable
+# execution of the C 'unhide' program, and a value of '2' will disable the Ruby
+# 'unhide.rb' program. To disable both programs, then disable the
+# 'hidden_procs' test.
+#
+# The default value is '0'.
#
-DISABLE_UNHIDE=0
+DISABLE_UNHIDE=1
-INSTALLDIR="/usr"
+INSTALLDIR=/usr
+
+#
+# This option can be set to either '0' or '1'. If set to '1' then the summary,
+# shown after rkhunter has run, will display the actual number of warnings
+# found. If it is set to '0', then the summary will simply indicate that
+# 'One or more' warnings were found. If no warnings were found, and this option
+# is set to '1', then a "0" will be shown. If the option is set to '0', then
+# the words 'No warnings' will be shown.
+#
+# The default value is '0'.
+#
+#SHOW_SUMMARY_WARNINGS_NUMBER=0
+
+#
+# This option is used to determine where, if anywhere, the summary scan time is
+# displayed. A value of '0' indicates that it should not be displayed anywhere.
+# A value of '1' indicates that the time should only appear on the screen, and a
+# value of '2' that it should only appear in the log file. A value of '3'
+# indicates that the time taken should appear both on the screen and in the log
+# file.
+#
+# The default value is '3'.
+#
+#SHOW_SUMMARY_TIME=3
+
+#
+# The two options below may be used to check if a file is missing or empty
+# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check
+# if the file is missing, since that can be interpreted as a file of no size.
+# However, the file will only be reported as missing if the MISSING_LOGFILES
+# option hasn't already done this.
+#
+# Both options are space-separated lists of pathnames, and may be specified
+# more than once.
+#
+# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is
+# perfectly possible for the file to be either missing or empty. As such these
+# options may produce false-positive warnings when log files are rotated.
+#
+# For both options the default value is the null string.
+#
+#EMPTY_LOGFILES=""
+#MISSING_LOGFILES=""
diff --git a/roles/common/tasks/rkhunter.yml b/roles/common/tasks/rkhunter.yml
index d504a49..c9d26fa 100644
--- a/roles/common/tasks/rkhunter.yml
+++ b/roles/common/tasks/rkhunter.yml
@@ -3,7 +3,7 @@
with_items:
- rkhunter
- curl
- - iproute
+ - iproute2
- lsof
- unhide