diff options
-rw-r--r-- | roles/common/files/etc/rkhunter.conf | 1355 | ||||
-rw-r--r-- | roles/common/tasks/rkhunter.yml | 2 |
2 files changed, 802 insertions, 555 deletions
diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf index 542fcfd..9306631 100644 --- a/roles/common/files/etc/rkhunter.conf +++ b/roles/common/files/etc/rkhunter.conf @@ -1,220 +1,309 @@ # # This is the main configuration file for Rootkit Hunter. # -# You can either modify this file directly, or you can create a local -# configuration file. The local file must be named 'rkhunter.conf.local', -# and must reside in the same directory as this file. Please modify one -# or both files to your own requirements. It is suggested that the -# command 'rkhunter -C' is run after any changes have been made. +# You can modify this file directly, or you can create a local configuration +# file. The local file must be named 'rkhunter.conf.local', and must reside +# in the same directory as this file. Alternatively you can create a directory, +# named 'rkhunter.d', which also must be in the same directory as this +# configuration file. Within the 'rkhunter.d' directory you can place further +# configuration files. There is no restriction on the file names used, other +# than they must end in '.conf'. +# +# Please modify the configuration file(s) to your own requirements. It is +# recommended that the command 'rkhunter -C' is run after any changes have +# been made. # # Please review the documentation before posting bug reports or questions. -# To report bugs, obtain updates, or provide patches or comments, please go to: -# http://rkhunter.sourceforge.net +# To report bugs, obtain updates, or provide patches or comments, please go +# to: http://rkhunter.sourceforge.net # -# To ask questions about rkhunter, please use the rkhunter-users mailing list. -# Note this is a moderated list: please subscribe before posting. +# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list. +# Note that this is a moderated list, so please subscribe before posting. # -# Lines beginning with a hash (#), and blank lines, are ignored. -# End-of-line comments are not supported. +# In the configuration files, lines beginning with a hash (#), and blank lines, +# are ignored. Also, end-of-line comments are not supported. # -# Most of the following options need only be specified once. If -# they appear more than once, then the last one seen will be used. -# Some options are allowed to appear more than once, and the text -# describing the option will say if this is so. +# Any of the configuration options may appear more than once. However, several +# options only take one value, and so the last one seen will be used. Some +# options are allowed to appear more than once, and the text describing the +# option will say if this is so. These configuration options will, in effect, +# have their values concatenated together. To delete a previously specified +# option list, specify the option with no value (that is, a null string). # -# Some of the options are space-separated lists of pathnames. If -# wildcard characters (globbing) are allowed in the list, then the +# Some of the options are space-separated lists, others, typically those +# specifying pathnames, are newline-separated lists. These must be entered +# as one item per line. Quotes must not be used to surround the pathname. +# +# For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an +# option: XXX=/tmp/abc (correct) +# XXX=/tmp/xyz +# +# XXX="/tmp/abc" (incorrect) +# XXX="/tmp/xyz" +# +# XXX=/tmp/abc /tmp/xyz (incorrect) +# or XXX="/tmp/abc /tmp/xyz" (incorrect) +# or XXX="/tmp/abc" "/tmp/xyz" (incorrect) +# +# The last three examples are being configured as space-separated lists, +# which is incorrect, generally, for options specifying pathnames. They +# should be configured with one entry per line as in the first example. +# +# If wildcard characters (globbing) are allowed for an option, then the # text describing the option will say so. # -# Space-separated lists may be enclosed by quotes, but these must only -# appear at the start and end of the list, not in the middle. +# Space-separated lists may be enclosed by quotes, although they are not +# required. If they are used, then they must only appear at the start and +# end of the list, not in the middle. +# +# For example: XXX=abc def gh (correct) +# XXX="abc def gh" (correct) +# XXX="abc" "def" "gh" (incorrect) # -# For example: XXX="abc def gh" (correct) -# XXX="abc" "def" "gh" (incorrect) +# Space-separated lists may also be entered simply as one entry per line. +# +# For example: XXX=abc (correct) +# XXX=def +# XXX="gh" +# +# If a configuration option is never set, then the program will assume a +# default value. The text describing the option will state the default value. +# If there is no default, then rkhunter will calculate a value or pathname +# to use. # # -# If this option is set to 1, it specifies that the mirrors file +# If this option is set to '1', it specifies that the mirrors file # ('mirrors.dat'), which is used when the '--update' and '--versioncheck' -# options are used, is to be rotated. Rotating the entries in the file -# allows a basic form of load-balancing between the mirror sites whenever -# the above options are used. -# If the option is set to 0, then the mirrors will be treated as if in -# a priority list. That is, the first mirror listed will always be used -# first. The second mirror will only be used if the first mirror fails, -# the third mirror will only be used if the second mirror fails, and so on. +# options are used, is to be rotated. Rotating the entries in the file allows +# a basic form of load-balancing between the mirror sites whenever the above +# options are used. +# +# If the option is set to '0', then the mirrors will be treated as if in a +# priority list. That is, the first mirror listed will always be used first. +# The second mirror will only be used if the first mirror fails, the third +# mirror will only be used if the second mirror fails, and so on. # # If the mirrors file is read-only, then the '--versioncheck' command-line -# option can only be used if this option is set to 0. +# option can only be used if this option is set to '0'. +# +# The default value is '1'. # -ROTATE_MIRRORS=1 +#ROTATE_MIRRORS=1 # -# If this option is set to 1, it specifies that when the '--update' -# option is used, then the mirrors file is to be checked for updates -# as well. If the current mirrors file contains any local mirrors, -# these will be prepended to the updated file. -# If this option is set to 0, the mirrors file can only be updated -# manually. This may be useful if only using local mirrors. +# If this option is set to '1', it specifies that when the '--update' option is +# used, then the mirrors file is to be checked for updates as well. If the +# current mirrors file contains any local mirrors, these will be prepended to +# the updated file. If this option is set to '0', the mirrors file can only be +# updated manually. This may be useful if only using local mirrors. +# +# The default value is '1'. # -UPDATE_MIRRORS=1 +#UPDATE_MIRRORS=1 # -# The MIRRORS_MODE option tells rkhunter which mirrors are to be -# used when the '--update' or '--versioncheck' command-line options -# are given. Possible values are: -# 0 - use any mirror (the default) +# The MIRRORS_MODE option tells rkhunter which mirrors are to be used when +# the '--update' or '--versioncheck' command-line options are given. +# Possible values are: +# 0 - use any mirror # 1 - only use local mirrors # 2 - only use remote mirrors # -# Local and remote mirrors can be defined in the mirrors file -# by using the 'local=' and 'remote=' keywords respectively. +# Local and remote mirrors can be defined in the mirrors file by using the +# 'local=' and 'remote=' keywords respectively. +# +# The default value is '0'. # -MIRRORS_MODE=0 +#MIRRORS_MODE=0 # -# Email a message to this address if a warning is found when the -# system is being checked. Multiple addresses may be specified -# simply be separating them with a space. Setting this option to -# null disables the option. +# Email a message to this address if a warning is found when the system is +# being checked. Multiple addresses may be specified simply be separating +# them with a space. To disable the option, simply set it to the null string +# or comment it out. # -# NOTE: This option should be present in the configuration file. +# The option may be specified more than once. +# +# The default value is the null string. +# +# Also see the MAIL_CMD option. # -#MAIL-ON-WARNING=me@mydomain root@mydomain MAIL-ON-WARNING=admin@fripost.org # -# Specify the mail command to use if MAIL-ON-WARNING is set. +# This option specifies the mail command to use if MAIL-ON-WARNING is set. # -# NOTE: Double quotes are not required around the command, but -# are required around the subject line if it contains spaces. +# NOTE: Double quotes are not required around the command, but are required +# around the subject line if it contains spaces. # -MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" +# The default is to use the 'mail' command, with a subject line +# of '[rkhunter] Warnings found for ${HOST_NAME}'. +# +#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" # -# Specify the temporary directory to use. +# This option specifies the directory to use for temporary files. +# +# NOTE: Do not use '/tmp' as your temporary directory. Some important files +# will be written to this directory, so be sure that the directory permissions +# are secure. # -# NOTE: Do not use /tmp as your temporary directory. Some -# important files will be written to this directory, so be -# sure that the directory permissions are tight. +# The installer program will set the default directory. If this default is +# subsequently commented out or removed, then the program will assume a +# default directory beneath the installation directory. # TMPDIR=/var/lib/rkhunter/tmp # -# Specify the database directory to use. +# This option specifies the database directory to use. +# +# The installer program will set the default directory. If this default is +# subsequently commented out or removed, then the program will assume a +# default directory beneath the installation directory. # DBDIR=/var/lib/rkhunter/db # -# Specify the script directory to use. +# This option specifies the script directory to use. +# +# The installer program will set the default directory. If this default is +# subsequently commented out or removed, then the program will not run. # SCRIPTDIR=/usr/share/rkhunter/scripts # -# This option can be used to modify the command directory list used -# by rkhunter to locate commands (that is, its PATH). By default -# this will be the root PATH, and an internal list of some common -# command directories. +# This option can be used to modify the command directory list used by rkhunter +# to locate commands (that is, its PATH). By default this will be the root PATH, +# and an internal list of some common command directories. +# +# Any directories specified here will, by default, be appended to the default +# list. However, if a directory name begins with the '+' character, then that +# directory will be prepended to the list (that is, it will be put at the start +# of the list). # -# Any directories specified here will, by default, be appended to the -# default list. However, if a directory name begins with the '+' -# character, then that directory will be prepended to the list (that -# is, it will be put at the start of the list). +# This is a space-separated list of directory names. The option may be +# specified more than once. # -# This is a space-separated list of directory names. The option may -# be specified more than once. +# The default value is based on the root account PATH environment variable. # -#BINDIR="/bin /usr/bin /sbin /usr/sbin" -#BINDIR="+/usr/local/bin +/usr/local/sbin" +#BINDIR=/bin /usr/bin /sbin /usr/sbin +#BINDIR=+/usr/local/bin +/usr/local/sbin # -# Specify the default language to use. This should be similar -# to the ISO 639 language code. +# This option specifies the default language to use. This should be similar to +# the ISO 639 language code. # # NOTE: Please ensure that the language you specify is supported. # For a list of supported languages use the following command: # # rkhunter --lang en --list languages # +# The default language is 'en' (English). +# #LANGUAGE=en # -# This option is a space-separated list of the languages that are to -# be updated when the '--update' option is used. If unset, then all -# the languages will be updated. If none of the languages are to be -# updated, then set this option to just 'en'. +# This option is a space-separated list of the languages that are to be updated +# when the '--update' option is used. If unset, then all the languages will be +# updated. If none of the languages are to be updated, then set this option to +# just 'en'. +# +# The default language, specified by the LANGUAGE option, and the English (en) +# language file will always be updated regardless of this option. +# +# This option may be specified more than once. # -# The default is for all the languages to be updated. The default -# language, specified above, and the English (en) language file will -# always be updated regardless of this option. +# The default value is the null string, indicating that all the language files +# will be updated. # -UPDATE_LANG="" +#UPDATE_LANG="" # -# Specify the log file pathname. +# This option specifies the log file pathname. The file will be created if it +# does not initially exist. If the option is unset, then the program will +# display a message each time it is run saying that the default value is being +# used. # -# NOTE: This option should be present in the configuration file. +# The default value is '/var/log/rkhunter.log'. # LOGFILE=/var/log/rkhunter.log # -# Set the following option to 1 if the log file is to be appended to -# whenever rkhunter is run. +# Set this option to '1' if the log file is to be appended to whenever rkhunter +# is run. A value of '0' will cause a new log file to be created whenever the +# program is run. # -APPEND_LOG=0 +# The default value is '0'. +# +#APPEND_LOG=0 # -# Set the following option to 1 if the log file is to be copied when -# rkhunter finishes and an error or warning has occurred. The copied -# log file name will be appended with the current date and time -# (in YYYY-MM-DD_HH:MM:SS format). +# Set the following option to '1' if the log file is to be copied when rkhunter +# finishes and an error or warning has occurred. The copied log file name will +# be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format). # For example: rkhunter.log.2009-04-21_00:57:51 +# If the option value is '0', then the log file will not be copied regardless +# of whether any errors or warnings occurred. +# +# The default value is '0'. # -COPY_LOG_ON_ERROR=0 +#COPY_LOG_ON_ERROR=0 # -# Set the following option to enable the rkhunter check start and finish -# times to be logged by syslog. Warning messages will also be logged. -# The value of the option must be a standard syslog facility and -# priority, separated by a dot. For example: +# Set the following option to enable the rkhunter check start and finish times +# to be logged by syslog. Warning messages will also be logged. The value of +# the option must be a standard syslog facility and priority, separated by a +# dot. For example: # # USE_SYSLOG=authpriv.warning # -# Setting the value to 'none', or just leaving the option commented out, +# Setting the value to 'NONE', or just leaving the option commented out, # disables the use of syslog. # +# The default value is not to use syslog. +# #USE_SYSLOG=authpriv.notice # -# Set the following option to 1 if the second colour set is to be used. -# This can be useful if your screen uses black characters on a white -# background (for example, a PC instead of a server). +# Set the following option to '1' if the second colour set is to be used. This +# can be useful if your screen uses black characters on a white background +# (for example, a PC instead of a server). A value of '0' will cause the default +# colour set to be used. # -COLOR_SET2=0 +# The default value is '0'. +# +#COLOR_SET2=0 # -# Set the following option to 0 if rkhunter should not detect if X is -# being used. If X is detected as being used, then the second colour -# set will automatically be used. +# Set the following option to '0' if rkhunter should not detect if X is being +# used. If X is detected as being used, then the second colour set will +# automatically be used. If set to '1', then the use of X will be detected. +# +# The default value is '0'. # AUTO_X_DETECT=1 # -# Set the following option to 1 if it is wanted that any 'Whitelisted' -# results are shown in white rather than green. For colour set 2 users, -# setting this option will cause the result to be shown in black. +# Set the following option to '1' if it is wanted that any 'Whitelisted' results +# are shown in white rather than green. For colour set 2 users, setting this +# option will cause the result to be shown in black. Setting the option to '0' +# causes whitelisted results to be displayed in green. +# +# The default value is '0'. # -WHITELISTED_IS_WHITE=0 +#WHITELISTED_IS_WHITE=0 # # The following option is checked against the SSH configuration file -# 'PermitRootLogin' option. A warning will be displayed if they do not -# match. However, if a value has not been set in the SSH configuration -# file, then a value here of 'unset' can be used to avoid warning messages. -# This option has a default value of 'no'. +# 'PermitRootLogin' option. A warning will be displayed if they do not match. +# However, if a value has not been set in the SSH configuration file, then a +# value here of 'unset' can be used to avoid warning messages. # -ALLOW_SSH_ROOT_USER=no +# The default value is 'no'. +# +#ALLOW_SSH_ROOT_USER=no # # Set this option to '1' to allow the use of the SSH-1 protocol, but note @@ -223,103 +312,107 @@ ALLOW_SSH_ROOT_USER=no # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 # authentication). If the 'Protocol' option has not been set in the SSH # configuration file, then a value of '2' may be set here in order to -# suppress a warning message. This option has a default value of '0'. +# suppress a warning message. A value of '0' indicates that the use of +# SSH-1 is not allowed. +# +# The default value is '0'. # -ALLOW_SSH_PROT_V1=0 +#ALLOW_SSH_PROT_V1=0 # # This setting tells rkhunter the directory containing the SSH configuration # file. This setting will be worked out by rkhunter, and so should not # usually need to be set. # +# This option has no default value. +# #SSH_CONFIG_DIR=/etc/ssh # -# These two options determine which tests are to be performed. -# The ENABLE_TESTS option can use the word 'all' to refer to all the -# available tests. The DISABLE_TESTS option can use the word 'none' to -# mean that no tests are disabled. The list of disabled tests is applied to -# the list of enabled tests. Both options are space-separated lists of test -# names. The currently available test names can be seen by using the command -# 'rkhunter --list tests'. +# These two options determine which tests are to be performed. The ENABLE_TESTS +# option can use the word 'ALL' to refer to all of the available tests. The +# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are +# disabled. The list of disabled tests is applied to the list of enabled tests. # -# The program defaults are to enable all tests and disable none. However, if -# either of the options below are specified, then they will override the -# program defaults. +# Both options are space-separated lists of test names, and both options may +# be specified more than once. The currently available test names can be seen +# by using the command 'rkhunter --list tests'. # # The supplied configuration file has some tests already disabled, and these -# are tests that will be used only occasionally, can be considered -# "advanced" or that are prone to produce more than the average number of -# false-positives. +# are tests that will be used only occasionally, can be considered 'advanced' +# or that are prone to produce more than the average number of false-positives. # # Please read the README file for more details about enabling and disabling # tests, the test names, and how rkhunter behaves when these options are used. # -# hidden_procs test requires the unhide command which is part of the unhide -# package in Debian. +# The default values are to enable all tests and to disable none. However, if +# either of the options below are specified, then they will override the +# program defaults. +# +# hidden_procs test requires the unhide and/or unhide.rb commands which are +# part of the unhide respectively unhide.rb packages in Debian. # -# apps test is disabled by default as it triggers warnings about outdated +# apps test is disabled by default as it triggers warnings about outdated # applications (and warns about possible security risk: we better trust # the Debian Security Team). # -ENABLE_TESTS="all" -DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" +ENABLE_TESTS=ALL +DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps # -# The HASH_FUNC option can be used to specify the command to use -# for the file hash value check. It can be specified as just the -# command name or the full pathname. If just the command name is -# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or -# SHA512, then rkhunter will first look for the relevant command, -# such as 'sha256sum', and then for 'sha256'. If neither of these -# are found, it will then look to see if a perl module has been -# installed which will support the relevant hash function. To see -# which perl modules have been installed use the command -# 'rkhunter --list perl'. -# -# The default is SHA1, or MD5 if SHA1 cannot be found. +# The HASH_CMD option can be used to specify the command to use for the file +# properties hash value check. It can be specified as just the command name or +# the full pathname. If just the command name is given, and it is one of MD5, +# SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the +# relevant command, such as 'sha256sum', and then for 'sha256'. If neither of +# these are found, it will then look to see if a perl module has been installed +# which will support the relevant hash function. To see which perl modules have +# been installed use the command 'rkhunter --list perl'. # -# Systems using prelinking are restricted to using either the -# SHA1 or MD5 function. +# Systems using prelinking are restricted to using either the SHA1 or MD5 +# function. # -# A value of 'NONE' (in uppercase) can be specified to indicate that -# no hash function should be used. Rootkit Hunter will detect this and -# automatically disable the file hash checks. +# A value of 'NONE' (in uppercase) can be specified to indicate that no hash +# function should be used. Rkhunter will detect this, and automatically disable +# the file properties hash check test. # # Examples: -# For Solaris 9 : HASH_FUNC=gmd5sum -# For Solaris 10: HASH_FUNC=sha1sum -# For AIX (>5.2): HASH_FUNC="csum -hMD5" -# For NetBSD : HASH_FUNC="cksum -a sha512" +# For Solaris 9 : HASH_CMD=gmd5sum +# For Solaris 10: HASH_CMD=sha1sum +# For AIX (>5.2): HASH_CMD="csum -hMD5" +# For NetBSD : HASH_CMD="cksum -a sha512" # -# NOTE: If the hash function is changed then you MUST run rkhunter with -# the '--propupd' option to rebuild the file properties database. +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. # -HASH_FUNC=sha512sum +# The default value is the SHA1 function, or MD5 if SHA1 cannot be found. +# +# Also see the HASH_FLD_IDX option. +# +HASH_CMD=sha512sum # -# The HASH_FLD_IDX option specifies which field from the HASH_FUNC -# command output contains the hash value. The fields are assumed to -# be space-separated. The default value is 1, but for *BSD users -# rkhunter will, by default, use a value of 4 if the HASH_FUNC option -# has not been set. The option value must be an integer greater -# than zero. +# The HASH_FLD_IDX option specifies which field from the HASH_CMD command +# output contains the hash value. The fields are assumed to be space-separated. +# +# The option value must be an integer greater than zero. +# +# The default value is '1', but for *BSD users rkhunter will, by default, use a +# value of '4' if the HASH_CMD option has not been set. # #HASH_FLD_IDX=4 # -# The PKGMGR option tells rkhunter to use the specified package manager -# to obtain the file property information. This is used when updating -# the file properties file ('rkhunter.dat'), and when running the file -# properties check. For RedHat/RPM-based systems, 'RPM' can be used to -# get information from the RPM database. For Debian-based systems 'DPKG' -# can be used, for *BSD systems 'BSD' can be used, and for Solaris -# systems 'SOLARIS' can be used. No value, or a value of 'NONE', -# indicates that no package manager is to be used. The default is 'NONE'. +# The PKGMGR option tells rkhunter to use the specified package manager to +# obtain the file property information. This is used when updating the file +# properties file ('rkhunter.dat'), and when running the file properties check. +# For RedHat/RPM-based systems, 'RPM' can be used to get information from the +# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems +# 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value, +# or a value of 'NONE', indicates that no package manager is to be used. # -# The current package managers, except 'SOLARIS', store the file hash -# values using an MD5 hash function. The Solaris package manager includes -# a checksum value, but this is not used by default (see USE_SUNSUM below). +# The current package managers, except 'SOLARIS', store the file hash values +# using an MD5 hash function. The Solaris package manager includes a checksum +# value, but this is not used by default (see USE_SUNSUM below). # # The 'DPKG' and 'BSD' package managers only provide MD5 hash values. # The 'RPM' package manager additionally provides values for the inode, @@ -327,9 +420,13 @@ HASH_FUNC=sha512sum # most of the values, similar to 'RPM', but not the inode number. # # For any file not part of a package, rkhunter will revert to using the -# HASH_FUNC hash function instead. +# HASH_CMD hash function instead. +# +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. +# +# The default value is 'NONE'. # -# Whenever this option is changed 'rkhunter --propupd' must be run. +# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options. # # NONE is the default for Debian as well, as running --propupd takes # about 4 times longer when it's set to DPKG @@ -337,286 +434,303 @@ HASH_FUNC=sha512sum #PKGMGR=NONE # -# It is possible that a file which is part of a package may be modified -# by the administrator. Typically this occurs for configuration files. -# However, the package manager may list the file as being modified. For -# the RPM package manager this may well depend on how the package was -# built. This option specifies those pathnames which are to be exempt -# from the package manager verification process, and which will be treated -# as non-packaged files. As such, the file properties are still checked. +# It is possible that a file, which is part of a package, may have been +# modified by the administrator. Typically this occurs for configuration +# files. However, the package manager may list the file as being modified. +# For the RPM package manager this may well depend on how the package was +# built. This option specifies a pathname which is to be exempt from the +# package manager verification process, and which will be treated +# as a non-packaged file. As such, the file properties are still checked. # # This option only takes effect if the PKGMGR option has been set, and # is not 'NONE'. # -# This is a space-separated list of pathnames. The option may -# be specified more than once. +# This option may be specified more than once. # -# Whenever this option is changed 'rkhunter --propupd' must be run. +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. +# +# The default value is the null string. # #PKGMGR_NO_VRFY="" # -# This option can be used to tell rkhunter to ignore any prelink -# dependency errors for the given commands. However, a warning will also -# be issued if the error does not occur for a given command. As such -# this option must only be used on commands which experience a persistent -# problem. +# If the 'SOLARIS' package manager is used, then it is possible to use the +# checksum (hash) value stored for a file. However, this is only a 16-bit +# checksum, and as such is not nearly as secure as, for example, a SHA-2 value. +# If the option is set to '0', then the checksum is not used and the hash +# function given by HASH_CMD is used instead. To enable this option, set its +# value to '1'. The Solaris 'sum' command must be present on the system if this +# option is used. +# +# The default value is '0'. +# +#USE_SUNSUM=0 + +# +# This option can be used to tell rkhunter to ignore any prelink dependency +# errors for the given commands. However, a warning will also be issued if the +# error does not occur for a given command. As such this option must only be +# used on commands which experience a persistent problem. # # Short-term prelink dependency errors can usually be resolved simply by # running the 'prelink' command on the given pathname. # -# NOTE: The command 'rkhunter --propupd' must be run whenever this option -# is changed. -# # This is a space-separated list of command pathnames. The option can be # specified more than once. # -#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top" - +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. # -# If the 'SOLARIS' package manager is used, then it is possible to use -# the checksum (hash) value stored for a file. However, this is only a -# 16-bit checksum, and as such is not nearly as secure as, for example, -# a SHA-2 value. For that reason, the checksum is not used by default, -# and the hash function given by HASH_FUNC is used instead. To enable -# this option, set its value to 1. The Solaris 'sum' command must be -# present on the system if this option is used. +# The default value is the null string. # -#USE_SUNSUM=0 +#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top # -# This option is a space-separated list of commands, directories and file -# pathnames which will be included in the file properties checks. -# This option can be specified more than once. +# These options specify a command, directory or file pathname which will be +# included or excluded in the file properties checks. +# +# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example, +# 'top' - and directory names are added to the internal list of directories to +# be searched for each of the command names in the command list. Additionally, +# full pathnames to files, which need not be commands, may be given. Any files +# or directories which are already part of the internal lists will be silently +# ignored from the configuration. +# +# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for +# simple command names. +# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. +# +# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS +# option. Wildcards may be used with this option. +# +# By combining these two options, and using wildcards, whole directories can be +# excluded. For example: # -# Whenever this option is changed, 'rkhunter --propupd' must be run. +# USER_FILEPROP_FILES_DIRS=/etc/* +# USER_FILEPROP_FILES_DIRS=/etc/*/* +# EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/* # -# Simple command names - for example, 'top' - and directory names are -# added to the internal list of directories to be searched for each of -# the command names in the command list. Additionally, full pathnames -# to files, which need not be commands, may be given. Any files or -# directories which are already part of the internal lists will be +# This will look for files in the first two directory levels of '/etc'. However, +# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be +# excluded. +# +# NOTE: Only files and directories which have been added by the user, and are +# not part of the internal lists, can be excluded. So, for example, it is not +# possible to exclude the 'ps' command by using '/bin/ps'. These will be # silently ignored from the configuration. # -# Normal globbing wildcards are allowed, except for simple command names. -# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. +# Both options can be specified more than once. +# +# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run. +# +# The default value for both options is the null string. +# +#USER_FILEPROP_FILES_DIRS=top +#USER_FILEPROP_FILES_DIRS=/usr/local/sbin +#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf +#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local +#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/* +#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/* +#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps* +#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat +#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter* + # -# Specific files may be excluded by preceding their name with an -# exclamation mark (!). For example, '!/opt/top'. By combining this -# with wildcarding, whole directories can be excluded. For example, -# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first -# two directory levels of '/etc'. However, anything in '/etc/rc0.d', -# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded. -# -# NOTE: Only files and directories which have been added by the user, -# and are not part of the internal lists, can be excluded. So, for -# example, it is not possible to exclude the 'ps' command by using -# '!/bin/ps'. These will be silently ignored from the configuration. -# -#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*" -#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf" -#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local" -#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*" -#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat" -#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*" -#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*" - -# -# This option whitelists files and directories from existing, -# or not existing, on the system at the time of testing. This -# option is used when the configuration file options themselves -# are checked, and during the file properties check, the hidden -# files and directories checks, and the filesystem check of the -# '/dev' directory. -# -# This is a space-separated list of pathnames. The option may be -# specified more than once. The option may use wildcard characters, -# but be aware that this is probably not what you want to do as the -# wildcarding will be expanded after files have been deleted. As -# such deleted files won't be whitelisted if wildcarded. -# -# NOTE: The user must take into consideration how often the file will -# appear and disappear from the system in relation to how often -# rkhunter is run. If the file appears, and disappears, too often -# then rkhunter may not notice this. All it will see is that the file -# has changed. The inode-number and DTM will certainly be different -# for each new file, and rkhunter will report this. +# This option whitelists files and directories from existing, or not existing, +# on the system at the time of testing. This option is used when the +# configuration file options themselves are checked, and during the file +# properties check, the hidden files and directories checks, and the filesystem +# check of the '/dev' directory. +# +# This option may be specified more than once, and may use wildcards. +# Be aware though that this is probably not what you want to do as the +# wildcarding will be expanded after files have been deleted. As such +# deleted files won't be whitelisted if wildcarded. +# +# NOTE: The user must take into consideration how often the file will appear +# and disappear from the system in relation to how often rkhunter is run. If +# the file appears, and disappears, too often then rkhunter may not notice +# this. All it will see is that the file has changed. The inode-number and DTM +# will certainly be different for each new file, and rkhunter will report this. +# +# The default value is the null string. # #EXISTWHITELIST="" # -# Whitelist various attributes of the specified files. -# The attributes are those of the 'attributes' test. -# Specifying a file name here does not include it being -# whitelisted for the write permission test (see below). +# Whitelist various attributes of the specified file. The attributes are those +# of the 'attributes' test. Specifying a file name here does not include it +# being whitelisted for the write permission test (see below). # -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. +# This option may be specified more than once, and may use wildcard characters. # -#ATTRWHITELIST="/bin/ps /usr/bin/date" +# The default value is the null string. +# +#ATTRWHITELIST=/usr/bin/date # -# Allow the specified commands to have the 'others' -# (world) permission have the write-bit set. +# Allow the specified file to have the 'others' (world) permission have the +# write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx. # -# For example, files with permissions r-xr-xrwx -# or rwxrwxrwx. +# This option may be specified more than once, and may use wildcard characters. # -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. +# The default value is the null string. # -#WRITEWHITELIST="/bin/ps /usr/bin/date" +#WRITEWHITELIST=/usr/bin/date # -# Allow the specified commands to be scripts. +# Allow the specified file to be a script. +# +# This option may be specified more than once, and may use wildcard characters. # -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. +# The default value is the null string. # SCRIPTWHITELIST=/bin/egrep SCRIPTWHITELIST=/bin/fgrep SCRIPTWHITELIST=/bin/which SCRIPTWHITELIST=/usr/bin/groups SCRIPTWHITELIST=/usr/bin/ldd -SCRIPTWHITELIST=/usr/bin/lwp-request +#SCRIPTWHITELIST=/usr/bin/lwp-request SCRIPTWHITELIST=/usr/sbin/adduser -SCRIPTWHITELIST=/usr/sbin/prelink +#SCRIPTWHITELIST=/usr/sbin/prelink +#SCRIPTWHITELIST=/usr/bin/unhide.rb # -# Allow the specified commands to have the immutable attribute set. +# Allow the specified file to have the immutable attribute set. # -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. +# This option may be specified more than once, and may use wildcard characters. # -#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown" +# The default value is the null string. +# +#IMMUTWHITELIST=/sbin/ifdown # -# If this option is set to 1, then the immutable-bit test is -# reversed. That is, the files are expected to have the bit set. +# If this option is set to '1', then the immutable-bit test is reversed. That +# is, the files are expected to have the bit set. A value of '0' means that the +# immutable-bit should not be set. +# +# The default value is '0'. # -IMMUTABLE_SET=0 +#IMMUTABLE_SET=0 # -# Allow the specified hidden directories to be whitelisted. +# Allow the specified hidden directory to be whitelisted. +# +# This option may be specified more than once, and may use wildcard characters. # -# This is a space-separated list of directory pathnames. -# The option may be specified more than once. The option -# may use wildcard characters. +# The default value is the null string. # -ALLOWHIDDENDIR="/etc/.java" -#ALLOWHIDDENDIR="/dev/.static" -#ALLOWHIDDENDIR="/dev/.SRC-unix" -ALLOWHIDDENDIR="/etc/.git" +#ALLOWHIDDENDIR=/etc/.java +ALLOWHIDDENDIR=/etc/.git # -# Allow the specified hidden files to be whitelisted. +# Allow the specified hidden file to be whitelisted. # -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. # -#ALLOWHIDDENFILE="/etc/.java" -#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz" -#ALLOWHIDDENFILE="/etc/.pwd.lock" -#ALLOWHIDDENFILE="/etc/.init.state" -#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac" -#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac" -#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac" -#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac" -#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac" -#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac" -#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac" -#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac" -#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz" -ALLOWHIDDENFILE="/etc/.gitignore" -ALLOWHIDDENFILE="/etc/.etckeeper" -#ALLOWHIDDENFILE="/etc/.bzrignore" - -# -# Allow the specified processes to use deleted files. The -# process name may be followed by a colon-separated list of -# full pathnames. The process will then only be whitelisted -# if it is using one of the given files. For example: -# -# ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz" -# -# This is a space-separated list of process names. The option -# may be specified more than once. The option may use wildcard -# characters, but only in the file names. -# -#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc" -#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2" -#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*" -#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin" -#ALLOWPROCDELFILE="/usr/bin/file-roller" - -# -# Allow the specified processes to listen on any network interface. -# -# This is a space-separated list of process names. The option -# may be specified more than once. -# -#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd" -#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump" -#ALLOWPROCLISTEN="/usr/sbin/snort-plain" +#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz +#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac +#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac +#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac +#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac +#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac +#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac +#ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz +ALLOWHIDDENFILE=/etc/.etckeeper +ALLOWHIDDENFILE=/etc/.gitignore +#ALLOWHIDDENFILE=/etc/.bzrignore + + +# +# Allow the specified process to use deleted files. The process name may be +# followed by a colon-separated list of full pathnames. The process will then +# only be whitelisted if it is using one of the given files. For example: +# +# ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz +# +# This option may be specified more than once. It may also use wildcards, but +# only in the file names. +# +# The default value is the null string. +# +#ALLOWPROCDELFILE=/sbin/cardmgr +#ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2 +#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib* +#ALLOWPROCDELFILE=/usr/lib/iceweasel/firefox-bin +#ALLOWPROCDELFILE=/usr/bin/file-roller + +# +# Allow the specified process to listen on any network interface. +# +# This option may be specified more than once, and may use wildcard characters. +# +# The default value is the null string. +# +#ALLOWPROCLISTEN=/sbin/dhclient +#ALLOWPROCLISTEN=/usr/bin/dhcpcd +#ALLOWPROCLISTEN=/usr/sbin/tcpdump +#ALLOWPROCLISTEN=/usr/sbin/snort-plain # # Allow the specified network interfaces to be in promiscuous mode. # -# This is a space-separated list of interface names. The option may -# be specified more than once. +# This is a space-separated list of interface names. The option may be +# specified more than once. +# +# The default value is the null string. # -#ALLOWPROMISCIF="eth0" +#ALLOWPROMISCIF=eth0 # -# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files. -# The two allowed options are: THOROUGH or LAZY. -# If commented out we do a THOROUGH scan which will increase the runtime. -# Even though this adds to the running time it is highly recommended to -# leave it like this. +# This option specifies how rkhunter should scan the '/dev' directory for +# suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'. +# +# A THOROUGH scan will increase the overall runtime of rkhunter. Despite this, +# it is highly recommended that this value is used. +# +# The default value is 'THOROUGH'. +# +# Also see the ALLOWDEVFILE option. # #SCAN_MODE_DEV=THOROUGH # -# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to -# perform a basic check, or a more thorough check. If the option is set to 0, -# then a basic check is performed. If it is set to 1, then all the directries -# in the /etc and /usr directories are scanned. The default value is 0. Users -# should note that setting this option to 1 will cause the test to take longer -# to complete. +# Allow the specified file to be present in the '/dev' directory, and not +# regarded as suspicious. +# +# This option may be specified more than once, and may use wildcard characters. # -PHALANX2_DIRTEST=0 +# The default value is the null string. +# +#ALLOWDEVFILE=/dev/shm/pulse-shm-* +#ALLOWDEVFILE=/dev/shm/sem.ADBE_* # -# Allow the specified files to be present in the /dev directory, -# and not regarded as suspicious. +# This option is used to indicate if the Phalanx2 test is to perform a basic +# check, or a more thorough check. If the option is set to '0', then a basic +# check is performed. If it is set to '1', then all the directories in the +# '/etc' and '/usr' directories are scanned. +# +# NOTE: Setting this option to '1' will cause the test to take longer +# to complete. # -# This is a space-separated list of pathnames. The option may -# be specified more than once. The option may use wildcard -# characters. +# The default value is '0'. # -#ALLOWDEVFILE="/dev/shm/pulse-shm-*" -#ALLOWDEVFILE="/dev/shm/sem.ADBE_*" +#PHALANX2_DIRTEST=0 # -# This setting tells rkhunter where the inetd configuration -# file is located. +# This option tells rkhunter where the inetd configuration file is located. +# +# The default value is the null string. # #INETD_CONF_PATH=/etc/inetd.conf # -# Allow the following enabled inetd services. +# This option allows the specified enabled inetd services. # -# This is a space-separated list of service names. The option may -# be specified more than once. +# This is a space-separated list of service names. The option may be specified +# more than once. # # For non-Solaris users the simple service name should be used. # For example: @@ -628,7 +742,7 @@ PHALANX2_DIRTEST=0 # For example: # # INETD_ALLOWED_SVC=imaps -# INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd" +# INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd # # For Solaris 10 users the service/FMRI name should be used. For example: # @@ -637,207 +751,280 @@ PHALANX2_DIRTEST=0 # INETD_ALLOWED_SVC=/application/font/stfsloader # INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord # +# The default value is the null string. +# #INETD_ALLOWED_SVC=echo # -# This setting tells rkhunter where the xinetd configuration -# file is located. +# This option tells rkhunter where the xinetd configuration file is located. +# +# The default value is the null string. # #XINETD_CONF_PATH=/etc/xinetd.conf # -# Allow the following enabled xinetd services. Whilst it would be -# nice to use the service names themselves, at the time of testing -# we only have the pathname available. As such, these entries are -# the xinetd file pathnames. +# This option allows the specified enabled xinetd services. Whilst it would be +# nice to use the service names themselves, at the time of testing we only have +# the pathname available. As such, these entries are the xinetd file pathnames. # -# This is a space-separated list of service names. The option may -# be specified more than once. +# This is a space-separated list of service names. The option may be specified +# more than once. +# +# The default value is the null string. # #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo # -# This option tells rkhunter the local system startup file pathnames. -# The directories will be searched for files. By default rkhunter -# will use certain filenames and directories. If the option is set -# to 'none', then certain tests will be skipped. +# This option tells rkhunter the local system startup file pathnames. The +# directories will be searched for files. By default rkhunter will try and +# determine were the startup files are located. If the option is set to 'NONE', +# then certain tests will be skipped. +# +# This is a space-separated list of file and directory pathnames. The option +# may be specified more than once, and may use wildcard characters. # -# This is a space-separated list of file and directory pathnames. -# The option may be specified more than once. The option may use -# wildcard characters. +# This option has no default value. # -#STARTUP_PATHS="/etc/init.d /etc/rc.local" +#STARTUP_PATHS=/etc/init.d /etc/rc.local # -# This setting tells rkhunter the pathname to the file containing the -# user account passwords. This setting will be worked out by rkhunter, -# and so should not usually need to be set. Users of TCB shadow files -# should not set this option. +# This option tells rkhunter the pathname to the file containing the user +# account passwords. This setting will be worked out by rkhunter, and so +# should not usually need to be set. Users of TCB shadow files should not +# set this option. +# +# This option has no default value. # #PASSWORD_FILE=/etc/shadow # -# Allow the following accounts to be root equivalent. These accounts -# will have a UID value of zero. The 'root' account does not need to -# be listed as it is automatically whitelisted. +# This option allows the specified accounts to be root equivalent. These +# accounts will have a UID value of zero. The 'root' account does not need +# to be listed as it is automatically whitelisted. # -# This is a space-separated list of account names. The option may -# be specified more than once. +# This is a space-separated list of account names. The option may be specified +# more than once. # -# NOTE: For *BSD systems you will probably need to use this option -# for the 'toor' account. +# NOTE: For *BSD systems you will probably need to use this option for the +# 'toor' account. # -#UID0_ACCOUNTS="toor rooty sashroot" +# The default value is the null string. +# +#UID0_ACCOUNTS=toor rooty sashroot # -# Allow the following accounts to have no password. NIS/YP entries do -# not need to be listed as they are automatically whitelisted. +# This option allows the specified accounts to have no password. NIS/YP entries +# do not need to be listed as they are automatically whitelisted. +# +# This is a space-separated list of account names. The option may be specified +# more than once. # -# This is a space-separated list of account names. The option may -# be specified more than once. +# The default value is the null string. # -#PWDLESS_ACCOUNTS="abc" +#PWDLESS_ACCOUNTS=abc # -# This setting tells rkhunter the pathname to the syslog configuration -# file. This setting will be worked out by rkhunter, and so should not -# usually need to be set. A value of 'NONE' can be used to indicate -# that there is no configuration file, but that the syslog daemon process -# may be running. +# This option tells rkhunter the pathname to the syslog configuration file. +# This setting will be worked out by rkhunter, and so should not usually need +# to be set. A value of 'NONE' can be used to indicate that there is no +# configuration file, but that the syslog daemon process may be running. # -# This is a space-separated list of pathnames. The option may -# be specified more than once. +# This is a space-separated list of pathnames. The option may be specified +# more than once. +# +# This option has no default value. # #SYSLOG_CONFIG_FILE=/etc/syslog.conf # -# This option permits the use of syslog remote logging. +# If this option is set to '1', then the use of syslog remote logging is +# permitted. A value of '0' disallows the use of remote logging. +# +# The default value is '0'. # -ALLOW_SYSLOG_REMOTE_LOGGING=0 +#ALLOW_SYSLOG_REMOTE_LOGGING=0 # -# Allow the following applications, or a specific version of an application, -# to be whitelisted. This option may be specified more than once, and is a -# space-separated list consisting of the application names. If a specific -# version is to be whitelisted, then the name must be followed by a colon -# and then the version number. For example: +# This option allows the specified applications, or a specific version of an +# application, to be whitelisted. If a specific version is to be whitelisted, +# then the name must be followed by a colon and then the version number. +# For example: +# +# APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29 # -# APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29" +# This is a space-separated list of pathnames. The option may be specified +# more than once. # -# Note above that for the Apache web server, the name 'httpd' is used. +# The default value is the null string. # #APP_WHITELIST="" # -# Scan for suspicious files in directories containing temporary files and -# directories posing a relatively higher risk due to user write access. -# Please do not enable by default as suspscan is CPU and I/O intensive and prone to -# producing false positives. Do review all settings before usage. -# Also be aware that running suspscan in combination with verbose logging on, -# RKH's default, will show all ignored files. -# Please consider adding all directories the user the (web)server runs as has -# write access to including the document root (example: "/var/www") and log -# directories (example: "/var/log/httpd"). -# -# This is a space-separated list of directory pathnames. -# The option may be specified more than once. +# Set this option to scan for suspicious files in directories which pose a +# relatively higher risk due to user write access. +# +# Please do not enable the 'suspscan' test by default as it is CPU and I/O +# intensive, and prone to producing false positives. Do review all settings +# before usage. Also be aware that running 'suspscan' in combination with +# verbose logging on, rkhunter's default, will show all ignored files. # -#SUSPSCAN_DIRS="/tmp /var/tmp" +# Please consider adding all directories the user the (web)server runs as, +# and has write access to, including the document root (e.g: '/var/www') and +# log directories (e.g: '/var/log/httpd'). +# +# This is a space-separated list of directory pathnames. The option may be +# specified more than once. +# +# The default value is the '/tmp' and '/var/tmp' directories. +# +#SUSPSCAN_DIRS=/tmp /var/tmp # -# Directory for temporary files. A memory-based one is better (faster). -# Do not use a directory name that is listed in SUSPSCAN_DIRS. -# Please make sure you have a tempfs mounted and the directory exists. +# This option specifies the directory for temporary files used by the +# 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is +# better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS +# as that is highly likely to cause false-positive results. +# +# The default value is '/dev/shm'. # -SUSPSCAN_TEMP=/dev/shm +#SUSPSCAN_TEMP=/dev/shm # -# Maximum filesize in bytes. Files larger than this will not be inspected. -# Do make sure you have enough space left in your temporary files directory. +# This option specifies the 'suspscan' test maximum filesize in bytes. Files +# larger than this will not be inspected. Do make sure you have enough space +# available in your temporary files directory. +# +# The default value is '1024000'. # -SUSPSCAN_MAXSIZE=10240000 +#SUSPSCAN_MAXSIZE=10240000 # -# Score threshold. Below this value no hits will be reported. -# A value of "200" seems "good" after testing on malware. Please adjust -# locally if necessary. +# This option specifies the 'suspscan' test score threshold. Below this value +# no hits will be reported. # -SUSPSCAN_THRESH=200 +# The default value is '200'. +# +#SUSPSCAN_THRESH=200 # -# The following option can be used to whitelist network ports which -# are known to have been used by malware. This option may be specified -# more than once. The option is a space-separated list of one or more -# of four types of whitelisting. These are: +# The following options can be used to whitelist network ports which are known +# to have been used by malware. # -# 1) a 'protocol:port' pair (e.g. TCP:25) -# 2) a pathname to an executable (e.g. /usr/sbin/squid) -# 3) a combined pathname, protocol and port -# (e.g. /usr/sbin/squid:TCP:3801) -# 4) an asterisk ('*') +# The PORT_WHITELIST option is a space-separated list of one or more of two +# types of whitelisting. These are: # -# Only the UDP or TCP protocol may be specified, and the port number -# must be between 1 and 65535 inclusive. +# 1) a 'protocol:port' pair +# 2) an asterisk ('*') # -# The asterisk can be used to indicate that any executable which rkhunter -# can locate as a command, is whitelisted. (See BINDIR in this file.) +# Only the UDP or TCP protocol may be specified, and the port number must be +# between 1 and 65535 inclusive. # -# For example: +# The asterisk can be used to indicate that any executable which rkhunter can +# locate as a command, is whitelisted. (Also see BINDIR) +# +# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting. +# These are: +# +# 1) a pathname to an executable +# 2) a combined pathname, protocol and port +# +# As above, the protocol can only be TCP or UDP, and the port number must be +# between 1 and 65535 inclusive. +# +# Examples: +# +# PORT_WHITELIST=TCP:2001 UDP:32011 +# PORT_PATH_WHITELIST=/usr/sbin/squid +# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801 +# +# NOTE: In order to whitelist a pathname, or use the asterisk option, the +# 'lsof' command must be present. # -# PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" +# Both options may be specified more than once. # -# NOTE: In order to whitelist a pathname, or use the asterisk option, -# the 'lsof' command must be present. +# The default value for both options is the null string. # #PORT_WHITELIST="" +#PORT_PATH_WHITELIST="" # -# The following option can be used to tell rkhunter where the operating -# system 'release' file is located. This file contains information -# specifying the current O/S version. RKH will store this information -# itself, and check to see if it has changed between each run. If it has -# changed, then the user is warned that RKH may issue warning messages -# until RKH has been run with the '--propupd' option. +# The following option can be used to tell rkhunter where the operating system +# 'release' file is located. This file contains information specifying the +# current O/S version. RKH will store this information, and check to see if it +# has changed between each run. If it has changed, then the user is warned that +# RKH may issue warning messages until RKH has been run with the '--propupd' +# option. # -# Since the contents of the file vary according to the O/S distribution, -# RKH will perform different actions when it detects the file itself. As -# such, this option should not be set unless necessary. If this option is -# specified, then RKH will assume the O/S release information is on the -# first non-blank line of the file. +# Since the contents of the file vary according to the O/S distribution, RKH +# will perform different actions when it detects the file itself. As such, this +# option should not be set unless necessary. If this option is specified, then +# RKH will assume the O/S release information is on the first non-blank line of +# the file. # -#OS_VERSION_FILE="/etc/debian_version" +# This option has no default value. +# +# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options. +# +#OS_VERSION_FILE=/etc/debian_version # -# The following two options can be used to whitelist files and directories -# that would normally be flagged with a warning during the various rootkit -# and malware checks. If the file or directory name contains a space, then -# the percent character ('%') must be used instead. Only existing files and -# directories can be specified, and these must be full pathnames not links. +# Set the following option to '0' if you do not want to receive a warning if any +# O/S information has changed since the last run of 'rkhunter --propupd'. The +# warnings occur during the file properties check. Setting a value of '1' will +# cause rkhunter to issue a warning if something has changed. +# +# The default value is '1'. +# +#WARN_ON_OS_CHANGE=1 + +# +# Set the following option to '1' if you want rkhunter to automatically run a +# file properties update ('--propupd') if the O/S has changed. Detection of an +# O/S change occurs during the file properties check. Setting a value of '0' +# will cause rkhunter not to do an automatic update. +# +# WARNING: Only set this option if you are sure that the update will work +# correctly. That is, that the database directory is writeable, that a valid +# hash function is available, and so on. This can usually be checked simply by +# running 'rkhunter --propupd' at least once. +# +# The default value is '0'. +# +#UPDT_ON_OS_CHANGE=0 + +# +# The following two options can be used to whitelist files and directories that +# would normally be flagged with a warning during the various rootkit and +# malware checks. Only existing files and directories can be specified, and +# these must be full pathnames not links. # # Additionally, the RTKT_FILE_WHITELIST option may include a string after the # file name (separated by a colon). This will then only whitelist that string # in that file (as part of the malware checks). For example: # -# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm" +# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm # # If the option list includes the filename on its own as well, then the file # will be whitelisted from rootkit checks of the files existence, but still # only the specific string within the file will be whitelisted. For example: # -# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local" +# RTKT_FILE_WHITELIST=/etc/rc.local +# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm # # To whitelist a file from the existence checks, but not from the strings -# checks, then include the filename on its own and on its own but with -# just a colon appended. For example: +# checks, then include the filename on its own and on its own but with just +# a colon appended. For example: # -# RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:" +# RTKT_FILE_WHITELIST=/etc/rc.local +# RTKT_FILE_WHITELIST=/etc/rc.local: # # NOTE: It is recommended that if you whitelist any files, then you include # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS # configuration option. # -# These are space-separated lists of file and directory pathnames. -# The options may be specified more than once. +# Both of these options may be specified more than once. +# +# For both options the default value is the null string. # #RTKT_DIR_WHITELIST="" #RTKT_FILE_WHITELIST="" @@ -852,18 +1039,22 @@ SUSPSCAN_THRESH=200 # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS # configuration option. # -# This is a space-separated list of library pathnames. -# The option may be specified more than once. +# This option is a space-separated list of library pathnames. The option may be +# specified more than once. +# +# The default value is the null string. # -#SHARED_LIB_WHITELIST="/lib/snoopy.so" +#SHARED_LIB_WHITELIST=/lib/snoopy.so # # To force rkhunter to use the supplied script for the 'stat' or 'readlink' -# command, then the following two options can be used. The value must be -# set to 'BUILTIN'. +# command the following two options can be used. The value must be set to +# 'BUILTIN'. # # NOTE: IRIX users will probably need to enable STAT_CMD. # +# For both options the default value is the null string. +# #STAT_CMD=BUILTIN #READLINK_CMD=BUILTIN @@ -873,18 +1064,22 @@ SUSPSCAN_THRESH=200 # failing that the 'perl' command, to display the date and time in a # human-readable format as well. This option may be used if some other command # should be used instead. The given command must understand the '%s' and -# 'seconds ago' options found in the GNU date command. +# 'seconds ago' options found in the GNU 'date' command. # # A value of 'NONE' may be used to request that only the epoch seconds be shown. # A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if # it is present. # +# This option has no default value. +# #EPOCH_DATE_CMD="" # -# This setting tells rkhunter the directory containing the available -# Linux kernel modules. This setting will be worked out by rkhunter, -# and so should not usually need to be set. +# This setting tells rkhunter the directory containing the available Linux +# kernel modules. This setting will be worked out by rkhunter, and so should +# not usually need to be set. +# +# This option has no default value. # #MODULES_DIR="" @@ -905,100 +1100,152 @@ SUSPSCAN_THRESH=200 # # WEB_CMD="/opt/bin/dlfile --timeout 5m -q" # -# *BSD users may want to use the 'ftp' command, provided that it supports -# the HTTP protocol: +# *BSD users may want to use the 'ftp' command, provided that it supports the +# HTTP protocol: # # WEB_CMD="ftp -o -" # -#WEB_CMD="" - -# -# Set the following option to 0 if you do not want to receive a warning if -# any O/S information has changed since the last run of 'rkhunter --propupd'. -# The warnings occur during the file properties check. The default is to -# issue a warning if something has changed. +# This option has no default value. # -#WARN_ON_OS_CHANGE=1 - -# -# Set the following option to 1 if you want rkhunter to automatically run -# a file properties update ('--propupd') if the O/S has changed. Detection -# of an O/S change occurs during the file properties check. The default is -# not to do an automatic update. -# -# WARNING: Only set this option if you are sure that the update will work -# correctly. That is, that the database directory is writeable, that a valid -# hash function is available, and so on. This can usually be checked simply -# by running 'rkhunter --propupd' at least once. -# -#UPDT_ON_OS_CHANGE=0 +#WEB_CMD="" # -# Set the following option to 1 if locking is to be used when rkhunter runs. +# Set the following option to '1' if locking is to be used when rkhunter runs. # The lock is set just before logging starts, and is removed when the program # ends. It is used to prevent items such as the log file, and the file # properties file, from becoming corrupted if rkhunter is running more than # once. The mechanism used is to simply create a lock file in the TMPDIR # directory. If the lock file already exists, because rkhunter is already # running, then the current process simply loops around sleeping for 10 seconds -# and then retrying the lock. +# and then retrying the lock. A value of '0' means not to use locking. +# +# The default value is '0'. # -# The default is not to use locking. +# Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options. # -USE_LOCKING=0 +#USE_LOCKING=0 # # If locking is used, then rkhunter may have to wait to get the lock file. # This option sets the total amount of time, in seconds, that rkhunter should # wait. It will retry the lock every 10 seconds, until either it obtains the -# lock or the timeout value has been reached. If no value is set, then a -# default of 300 seconds (5 minutes) is used. +# lock or the timeout value has been reached. # -LOCK_TIMEOUT=300 +# The default value is 300 seconds (5 minutes). +# +#LOCK_TIMEOUT=300 # # If locking is used, then rkhunter may be doing nothing for some time if it -# has to wait for the lock. Some simple messages are echo'd to the users screen -# to let them know that rkhunter is waiting for the lock. Set this option to 0 -# if the messages are not to be displayed. The default is to show them. +# has to wait for the lock. If this option is set to '1', then some simple +# messages are echoed to the users screen to let them know that rkhunter is +# waiting for the lock. Set this option to '0' if the messages are not to be +# displayed. +# +# The default value is '1'. # -SHOW_LOCK_MSGS=1 +#SHOW_LOCK_MSGS=1 # -# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function -# will search (on a per rootkit basis) for filenames in all of the directories (as defined -# by the result of running 'find / -xdev'). While still not optimal, as it -# still searches for only file names as opposed to file contents, this is one step away -# from the rigidity of searching in known (evidence) or default (installation) locations. +# If this option is set to 'THOROUGH' then rkhunter will search (on a per +# rootkit basis) for filenames in all of the directories (as defined by the +# result of running 'find / -xdev'). While still not optimal, as it still +# searches for only file names as opposed to file contents, this is one step +# away from the rigidity of searching in known (evidence) or default +# (installation) locations. # # THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. # -# You should only activate this feature as part of a more thorough investigation which -# should be based on relevant best practices and procedures. +# You should only activate this feature as part of a more thorough +# investigation, which should be based on relevant best practices and +# procedures. # -# Enabling this feature implies you have the knowledge to interpret the results properly. +# Enabling this feature implies you have the knowledge to interpret the +# results properly. +# +# The default value is the null string. # #SCANROOTKITMODE=THOROUGH # -# The following option can be set to the name(s) of the tests the 'unhide' command is -# to use. In order to maintain compatibility with older versions of 'unhide', this -# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but -# will only take effect when they are seen. The test names are a space-separated list, -# and will be executed in the order given. +# The following option can be set to the name(s) of the tests the 'unhide' +# command is to use. Options such as '-m' and '-v' may be specified, but will +# only take effect when they are seen. The test names are a space-separated +# list, and will be executed in the order given. +# +# This option may be specified more than once. +# +# The default value is 'sys' in order to maintain compatibility with older +# versions of 'unhide'. +# +#UNHIDE_TESTS=sys + +# +# The following option can be used to set options for the 'unhide-tcp' command. +# The options are space-separated. # -#UNHIDE_TESTS="sys" +# This option may be specified more than once. +# +# The default value is the null string. +# +#UNHIDETCP_OPTS="" # -# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it -# is possible to disable the execution of one of the programs if desired. By default -# rkhunter will look for both programs, and execute each of them as they are found. -# If the value of this option is 0, then both programs will be executed if they are -# present. A value of 1 will disable execution of the C 'unhide' program, and a value -# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable -# both programs, then disable the 'hidden_procs' test. +# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, +# then it is possible to disable the execution of one of the programs if +# desired. By default rkhunter will look for both programs, and execute each +# of them as they are found. If the value of this option is '0', then both +# programs will be executed if they are present. A value of '1' will disable +# execution of the C 'unhide' program, and a value of '2' will disable the Ruby +# 'unhide.rb' program. To disable both programs, then disable the +# 'hidden_procs' test. +# +# The default value is '0'. # -DISABLE_UNHIDE=0 +DISABLE_UNHIDE=1 -INSTALLDIR="/usr" +INSTALLDIR=/usr + +# +# This option can be set to either '0' or '1'. If set to '1' then the summary, +# shown after rkhunter has run, will display the actual number of warnings +# found. If it is set to '0', then the summary will simply indicate that +# 'One or more' warnings were found. If no warnings were found, and this option +# is set to '1', then a "0" will be shown. If the option is set to '0', then +# the words 'No warnings' will be shown. +# +# The default value is '0'. +# +#SHOW_SUMMARY_WARNINGS_NUMBER=0 + +# +# This option is used to determine where, if anywhere, the summary scan time is +# displayed. A value of '0' indicates that it should not be displayed anywhere. +# A value of '1' indicates that the time should only appear on the screen, and a +# value of '2' that it should only appear in the log file. A value of '3' +# indicates that the time taken should appear both on the screen and in the log +# file. +# +# The default value is '3'. +# +#SHOW_SUMMARY_TIME=3 + +# +# The two options below may be used to check if a file is missing or empty +# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check +# if the file is missing, since that can be interpreted as a file of no size. +# However, the file will only be reported as missing if the MISSING_LOGFILES +# option hasn't already done this. +# +# Both options are space-separated lists of pathnames, and may be specified +# more than once. +# +# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is +# perfectly possible for the file to be either missing or empty. As such these +# options may produce false-positive warnings when log files are rotated. +# +# For both options the default value is the null string. +# +#EMPTY_LOGFILES="" +#MISSING_LOGFILES="" diff --git a/roles/common/tasks/rkhunter.yml b/roles/common/tasks/rkhunter.yml index d504a49..c9d26fa 100644 --- a/roles/common/tasks/rkhunter.yml +++ b/roles/common/tasks/rkhunter.yml @@ -3,7 +3,7 @@ with_items: - rkhunter - curl - - iproute + - iproute2 - lsof - unhide |