summaryrefslogtreecommitdiffstats
path: root/roles/common/files/etc/rkhunter.conf
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/files/etc/rkhunter.conf')
-rw-r--r--roles/common/files/etc/rkhunter.conf240
1 files changed, 170 insertions, 70 deletions
diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf
index b6a7d06..ce3b2d6 100644
--- a/roles/common/files/etc/rkhunter.conf
+++ b/roles/common/files/etc/rkhunter.conf
@@ -14,8 +14,8 @@
# been made.
#
# Please review the documentation before posting bug reports or questions.
-# To report bugs, obtain updates, or provide patches or comments, please go
-# to: http://rkhunter.sourceforge.net
+# To report bugs, provide patches or comments, please go to:
+# http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list.
# Note that this is a moderated list, so please subscribe before posting.
@@ -50,7 +50,8 @@
# should be configured with one entry per line as in the first example.
#
# If wildcard characters (globbing) are allowed for an option, then the
-# text describing the option will say so.
+# text describing the option will say so. Any globbing character explicitly
+# required in a pathname should be escaped.
#
# Space-separated lists may be enclosed by quotes, although they are not
# required. If they are used, then they must only appear at the start and
@@ -69,7 +70,9 @@
# If a configuration option is never set, then the program will assume a
# default value. The text describing the option will state the default value.
# If there is no default, then rkhunter will calculate a value or pathname
-# to use.
+# to use. If a value is set for a configuration option, then the default
+# value is ignored. If it is wished to keep the default value, as well as
+# any other set value, then the default must be explicitly set.
#
@@ -259,12 +262,12 @@ LOGFILE=/var/log/rkhunter.log
#
# USE_SYSLOG=authpriv.warning
#
-# Setting the value to 'none', or just leaving the option commented out,
+# Setting the value to 'NONE', or just leaving the option commented out,
# disables the use of syslog.
#
# The default value is not to use syslog.
#
-#USE_SYSLOG=authpriv.notice
+USE_SYSLOG=authpriv.warning
#
# Set the following option to '1' if the second colour set is to be used. This
@@ -317,12 +320,12 @@ AUTO_X_DETECT=1
#
# The default value is '0'.
#
-#ALLOW_SSH_PROT_V1=0
+ALLOW_SSH_PROT_V1=2
#
# This setting tells rkhunter the directory containing the SSH configuration
-# file. This setting will be worked out by rkhunter, and so should not
-# usually need to be set.
+# file. If unset, this setting will be worked out by rkhunter, and so should
+# not usually need to be set.
#
# This option has no default value.
#
@@ -330,8 +333,8 @@ AUTO_X_DETECT=1
#
# These two options determine which tests are to be performed. The ENABLE_TESTS
-# option can use the word 'all' to refer to all of the available tests. The
-# DISABLE_TESTS option can use the word 'none' to mean that no tests are
+# option can use the word 'ALL' to refer to all of the available tests. The
+# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are
# disabled. The list of disabled tests is applied to the list of enabled tests.
#
# Both options are space-separated lists of test names, and both options may
@@ -349,14 +352,7 @@ AUTO_X_DETECT=1
# either of the options below are specified, then they will override the
# program defaults.
#
-# hidden_procs test requires the unhide and/or unhide.rb commands which are
-# part of the unhide respectively unhide.rb packages in Debian.
-#
-# apps test is disabled by default as it triggers warnings about outdated
-# applications (and warns about possible security risk: we better trust
-# the Debian Security Team).
-#
-ENABLE_TESTS=all
+ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps
#
@@ -384,11 +380,13 @@ DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
-# The default value is the SHA1 function, or MD5 if SHA1 cannot be found.
+# The default value is the SHA256 function, unless prelinking is used in
+# which case it defaults to the SHA1 function.
#
-# Also see the HASH_FLD_IDX option.
+# Also see the HASH_FLD_IDX option. In addition, note the comments under
+# the PKGMGR option relating to the use of HASH_CMD.
#
-HASH_CMD=sha512sum
+HASH_CMD=SHA512
#
# The HASH_FLD_IDX option specifies which field from the HASH_CMD command
@@ -407,20 +405,28 @@ HASH_CMD=sha512sum
# properties file ('rkhunter.dat'), and when running the file properties check.
# For RedHat/RPM-based systems, 'RPM' can be used to get information from the
# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems
-# 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value,
-# or a value of 'NONE', indicates that no package manager is to be used.
+# 'BSD' can be used, or for *BSD systems with the 'pkg' command 'BSDng' can be
+# used, and for Solaris systems 'SOLARIS' can be used. No value, or a value of
+# 'NONE', indicates that no package manager is to be used.
#
-# The current package managers, except 'SOLARIS', store the file hash values
-# using an MD5 hash function. The Solaris package manager includes a checksum
-# value, but this is not used by default (see USE_SUNSUM below).
+# The package managers obtain each file hash value using a hash function. The
+# Solaris package manager includes a 16-bit checksum value, but this is not
+# used by default (see USE_SUNSUM below). The 'RPM' and 'BSDng' package managers
+# currently use a SHA256 hash function. Other package managers will, typically,
+# use an MD5 hash function.
#
-# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
-# The 'RPM' package manager additionally provides values for the inode,
-# file permissions, uid, gid and other values. The 'SOLARIS' also provides
-# most of the values, similar to 'RPM', but not the inode number.
+# The 'DPKG', 'BSD' and 'BSDng' package managers only provide a file hash value.
+# The 'RPM' package manager additionally provides values for the inode, file
+# permissions, uid, gid and other values. The 'SOLARIS' package manager also
+# provides most of the values, similar to 'RPM', but not the inode number.
#
# For any file not part of a package, rkhunter will revert to using the
-# HASH_CMD hash function instead.
+# HASH_CMD hash function instead. This means that if the HASH_CMD option
+# is set, and PKGMGR is set, then the HASH_CMD hash function is only used,
+# and stored, for non-packaged files. All packaged files will use, and store,
+# whatever hash function the relevant package manager uses. So, for example,
+# with the 'RPM' package manager, packaged files will be stored with their
+# SHA256 value regardless of the value of the HASH_CMD option.
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
@@ -499,6 +505,9 @@ HASH_CMD=sha512sum
# simple command names.
# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
#
+# To extend the use of wildcards to include recursive checking of directories,
+# see the GLOBSTAR configuration option.
+#
# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS
# option. Wildcards may be used with this option.
#
@@ -528,11 +537,8 @@ HASH_CMD=sha512sum
#USER_FILEPROP_FILES_DIRS=/usr/local/sbin
#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
-#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/*
-#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/*
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.d/*
#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps*
-#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat
-#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter*
#
# This option whitelists files and directories from existing, or not existing,
@@ -549,7 +555,7 @@ HASH_CMD=sha512sum
# NOTE: The user must take into consideration how often the file will appear
# and disappear from the system in relation to how often rkhunter is run. If
# the file appears, and disappears, too often then rkhunter may not notice
-# this. All it will see is that the file has changed. The inode-number and DTM
+# this. All it will see is that the file has changed. The inode number and DTM
# will certainly be different for each new file, and rkhunter will report this.
#
# The default value is the null string.
@@ -612,6 +618,18 @@ SCRIPTWHITELIST=/usr/sbin/adduser
#IMMUTABLE_SET=0
#
+# If this option is set to '1', then any changed inode value is ignored in
+# the file properties check. The inode test itself still runs, but it will
+# always return that no inodes have changed.
+#
+# This option may be useful for filesystems such as Btrfs, which handle inodes
+# slightly differently than other filesystems.
+#
+# The default value is '0'.
+#
+#SKIP_INODE_CHECK=0
+
+#
# Allow the specified hidden directory to be whitelisted.
#
# This option may be specified more than once, and may use wildcard characters.
@@ -644,13 +662,21 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# Allow the specified process to use deleted files. The process name may be
-# followed by a colon-separated list of full pathnames. The process will then
-# only be whitelisted if it is using one of the given files. For example:
+# followed by a colon-separated list of full pathnames (which have been
+# deleted). The process will then only be whitelisted if it is using one of
+# the given pathnames. For example:
#
# ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
#
# This option may be specified more than once. It may also use wildcards, but
-# only in the file names.
+# only in the deleted file pathnames, not in the process name. The use of
+# extended pattern matching in pathname expansion (for example, '**') is not
+# supported for this option. However, the option itself extends globbing when
+# the '*' character is used by matching zero or more characters in the
+# pathname, including those in sub-directories. For example, the pathname
+# '/tmp/abc/def/xyz' would not be matched by shell globbing using '/tmp/*/xyz'
+# but is matched when used in this option. Similarly, using '/tmp/*' will
+# match any file found in the '/tmp' directory or any sub-directories.
#
# The default value is the null string.
#
@@ -707,6 +733,46 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
#
+# Allow the specified process pathnames to use shared memory segments.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWIPCPROC=/usr/bin/firefox
+#ALLOWIPCPROC=/usr/bin/vlc
+
+#
+# Allow the specified memory segment creator PIDs to use shared memory segments.
+#
+# This is a space-separated list of PID numbers (as given by the
+# 'ipcs -p' command). This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#ALLOWIPCPID=12345 6789
+
+#
+# Allow the specified account names to use shared memory segments.
+#
+# This is a space-separated list of account names. The option may be specified
+# more than once.
+#
+# The default value is the null string.
+#
+#ALLOWIPCUSER=usera userb
+
+#
+# This option can be used to set the maximum shared memory segment size
+# (in bytes) that is not considered suspicious. Any segment above this size,
+# and with 600 or 666 permissions, will be considered suspicious during the
+# shared memory check.
+#
+# The default is 1048576 (1M) bytes.
+#
+#IPC_SEG_SIZE=1048576
+
+#
# This option is used to indicate if the Phalanx2 test is to perform a basic
# check, or a more thorough check. If the option is set to '0', then a basic
# check is performed. If it is set to '1', then all the directories in the
@@ -776,9 +842,9 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# This option tells rkhunter the local system startup file pathnames. The
-# directories will be searched for files. By default rkhunter will try and
-# determine were the startup files are located. If the option is set to 'NONE',
-# then certain tests will be skipped.
+# directories will be searched for files. If unset, then rkhunter will try
+# and determine were the startup files are located. If the option is set to
+# 'NONE' then certain tests will be skipped.
#
# This is a space-separated list of file and directory pathnames. The option
# may be specified more than once, and may use wildcard characters.
@@ -789,9 +855,9 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# This option tells rkhunter the pathname to the file containing the user
-# account passwords. This setting will be worked out by rkhunter, and so
-# should not usually need to be set. Users of TCB shadow files should not
-# set this option.
+# account passwords. If unset, this setting will be worked out by rkhunter,
+# and so should not usually need to be set. Users of TCB shadow files should
+# not set this option.
#
# This option has no default value.
#
@@ -825,9 +891,10 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# This option tells rkhunter the pathname to the syslog configuration file.
-# This setting will be worked out by rkhunter, and so should not usually need
-# to be set. A value of 'NONE' can be used to indicate that there is no
-# configuration file, but that the syslog daemon process may be running.
+# If unset, this setting will be worked out by rkhunter, and so should not
+# usually need to be set. A value of 'NONE' can be used to indicate that
+# there is no configuration file, but that the syslog daemon process may
+# be running.
#
# This is a space-separated list of pathnames. The option may be specified
# more than once.
@@ -896,7 +963,7 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# The default value is '1024000'.
#
-#SUSPSCAN_MAXSIZE=10240000
+#SUSPSCAN_MAXSIZE=1024000
#
# This option specifies the 'suspscan' test score threshold. Below this value
@@ -907,6 +974,18 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#SUSPSCAN_THRESH=200
#
+# This option may be used to whitelist file pathnames from the suspscan test.
+#
+# Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration
+# option.
+#
+# This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#SUSPSCAN_WHITELIST=""
+
+#
# The following options can be used to whitelist network ports which are known
# to have been used by malware.
#
@@ -1076,8 +1155,8 @@ ALLOWHIDDENFILE=/etc/.etckeeper
#
# This setting tells rkhunter the directory containing the available Linux
-# kernel modules. This setting will be worked out by rkhunter, and so should
-# not usually need to be set.
+# kernel modules. If unset, this setting will be worked out by rkhunter, and
+# so should not usually need to be set.
#
# This option has no default value.
#
@@ -1114,18 +1193,33 @@ WEB_CMD="/bin/false"
# The lock is set just before logging starts, and is removed when the program
# ends. It is used to prevent items such as the log file, and the file
# properties file, from becoming corrupted if rkhunter is running more than
-# once. The mechanism used is to simply create a lock file in the TMPDIR
+# once. The mechanism used is to simply create a lock file in the LOCKDIR
# directory. If the lock file already exists, because rkhunter is already
# running, then the current process simply loops around sleeping for 10 seconds
# and then retrying the lock. A value of '0' means not to use locking.
#
# The default value is '0'.
#
-# Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
+# Also see the LOCKDIR, LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
#
#USE_LOCKING=0
#
+# This option specifies the directory to be used when locking is enabled.
+# If the option is unset, then the directory to be used will be worked out
+# by rkhunter. In that instance the directories '/run/lock', '/var/lock',
+# '/var/run/lock', '/run' and '/var/run' will be checked in turn. If none
+# of those can be found, or are not read/writeable, then the TMPDIR directory
+# will be used.
+#
+# To avoid the lock file persisting across a server reboot, the directory
+# used should be memory-resident.
+#
+# This option has no default value.
+#
+#LOCKDIR=""
+
+#
# If locking is used, then rkhunter may have to wait to get the lock file.
# This option sets the total amount of time, in seconds, that rkhunter should
# wait. It will retry the lock every 10 seconds, until either it obtains the
@@ -1191,22 +1285,6 @@ WEB_CMD="/bin/false"
#UNHIDETCP_OPTS=""
#
-# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system,
-# then it is possible to disable the execution of one of the programs if
-# desired. By default rkhunter will look for both programs, and execute each
-# of them as they are found. If the value of this option is '0', then both
-# programs will be executed if they are present. A value of '1' will disable
-# execution of the C 'unhide' program, and a value of '2' will disable the Ruby
-# 'unhide.rb' program. To disable both programs, then disable the
-# 'hidden_procs' test.
-#
-# The default value is '0'.
-#
-DISABLE_UNHIDE=1
-
-INSTALLDIR=/usr
-
-#
# This option can be set to either '0' or '1'. If set to '1' then the summary,
# shown after rkhunter has run, will display the actual number of warnings
# found. If it is set to '0', then the summary will simply indicate that
@@ -1249,3 +1327,25 @@ INSTALLDIR=/usr
#EMPTY_LOGFILES=""
#MISSING_LOGFILES=""
+#
+# This option can be set to either '0' or '1'. If set to '1' then the globbing
+# characters '**' can be used to allow the recursive checking of directories.
+# This can be useful, for example, with the USER_FILEPROP_FILES_DIRS option.
+# For example:
+#
+# USER_FILEPROP_FILES_DIRS=/etc/**/*.conf
+#
+# This will check all '.conf' files within the '/etc' directory, and any
+# sub-directories (at any level). If GLOBSTAR is not set, then the shell will
+# interpret '**' as '*' and only one level of sub-directories will be checked.
+#
+# NOTE: This option is only valid for those shells which support the 'globstar'
+# option. Typically this will be 'bash' (version 4 and above) via the 'shopt' command,
+# and 'ksh' via the 'set' command.
+#
+# The default value is '0'.
+#
+#GLOBSTAR=0
+
+INSTALLDIR=/usr
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-26 11:59:00 +0000