1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
|
#
# This is the main configuration file for Rootkit Hunter.
#
# You can either modify this file directly, or you can create a local
# configuration file. The local file must be named 'rkhunter.conf.local',
# and must reside in the same directory as this file. Please modify one
# or both files to your own requirements. It is suggested that the
# command 'rkhunter -C' is run after any changes have been made.
#
# Please review the documentation before posting bug reports or questions.
# To report bugs, obtain updates, or provide patches or comments, please go to:
# http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the rkhunter-users mailing list.
# Note this is a moderated list: please subscribe before posting.
#
# Lines beginning with a hash (#), and blank lines, are ignored.
# End-of-line comments are not supported.
#
# Most of the following options need only be specified once. If
# they appear more than once, then the last one seen will be used.
# Some options are allowed to appear more than once, and the text
# describing the option will say if this is so.
#
# Some of the options are space-separated lists of pathnames. If
# wildcard characters (globbing) are allowed in the list, then the
# text describing the option will say so.
#
# Space-separated lists may be enclosed by quotes, but these must only
# appear at the start and end of the list, not in the middle.
#
# For example: XXX="abc def gh" (correct)
# XXX="abc" "def" "gh" (incorrect)
#
#
# If this option is set to 1, it specifies that the mirrors file
# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
# options are used, is to be rotated. Rotating the entries in the file
# allows a basic form of load-balancing between the mirror sites whenever
# the above options are used.
# If the option is set to 0, then the mirrors will be treated as if in
# a priority list. That is, the first mirror listed will always be used
# first. The second mirror will only be used if the first mirror fails,
# the third mirror will only be used if the second mirror fails, and so on.
#
# If the mirrors file is read-only, then the '--versioncheck' command-line
# option can only be used if this option is set to 0.
#
ROTATE_MIRRORS=1
#
# If this option is set to 1, it specifies that when the '--update'
# option is used, then the mirrors file is to be checked for updates
# as well. If the current mirrors file contains any local mirrors,
# these will be prepended to the updated file.
# If this option is set to 0, the mirrors file can only be updated
# manually. This may be useful if only using local mirrors.
#
UPDATE_MIRRORS=1
#
# The MIRRORS_MODE option tells rkhunter which mirrors are to be
# used when the '--update' or '--versioncheck' command-line options
# are given. Possible values are:
# 0 - use any mirror (the default)
# 1 - only use local mirrors
# 2 - only use remote mirrors
#
# Local and remote mirrors can be defined in the mirrors file
# by using the 'local=' and 'remote=' keywords respectively.
#
MIRRORS_MODE=0
#
# Email a message to this address if a warning is found when the
# system is being checked. Multiple addresses may be specified
# simply be separating them with a space. Setting this option to
# null disables the option.
#
# NOTE: This option should be present in the configuration file.
#
#MAIL-ON-WARNING=me@mydomain root@mydomain
MAIL-ON-WARNING=admin@fripost.org
#
# Specify the mail command to use if MAIL-ON-WARNING is set.
#
# NOTE: Double quotes are not required around the command, but
# are required around the subject line if it contains spaces.
#
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
#
# Specify the temporary directory to use.
#
# NOTE: Do not use /tmp as your temporary directory. Some
# important files will be written to this directory, so be
# sure that the directory permissions are tight.
#
TMPDIR=/var/lib/rkhunter/tmp
#
# Specify the database directory to use.
#
DBDIR=/var/lib/rkhunter/db
#
# Specify the script directory to use.
#
SCRIPTDIR=/usr/share/rkhunter/scripts
#
# This option can be used to modify the command directory list used
# by rkhunter to locate commands (that is, its PATH). By default
# this will be the root PATH, and an internal list of some common
# command directories.
#
# Any directories specified here will, by default, be appended to the
# default list. However, if a directory name begins with the '+'
# character, then that directory will be prepended to the list (that
# is, it will be put at the start of the list).
#
# This is a space-separated list of directory names. The option may
# be specified more than once.
#
#BINDIR="/bin /usr/bin /sbin /usr/sbin"
#BINDIR="+/usr/local/bin +/usr/local/sbin"
#
# Specify the default language to use. This should be similar
# to the ISO 639 language code.
#
# NOTE: Please ensure that the language you specify is supported.
# For a list of supported languages use the following command:
#
# rkhunter --lang en --list languages
#
#LANGUAGE=en
#
# This option is a space-separated list of the languages that are to
# be updated when the '--update' option is used. If unset, then all
# the languages will be updated. If none of the languages are to be
# updated, then set this option to just 'en'.
#
# The default is for all the languages to be updated. The default
# language, specified above, and the English (en) language file will
# always be updated regardless of this option.
#
UPDATE_LANG=""
#
# Specify the log file pathname.
#
# NOTE: This option should be present in the configuration file.
#
LOGFILE=/var/log/rkhunter.log
#
# Set the following option to 1 if the log file is to be appended to
# whenever rkhunter is run.
#
APPEND_LOG=0
#
# Set the following option to 1 if the log file is to be copied when
# rkhunter finishes and an error or warning has occurred. The copied
# log file name will be appended with the current date and time
# (in YYYY-MM-DD_HH:MM:SS format).
# For example: rkhunter.log.2009-04-21_00:57:51
#
COPY_LOG_ON_ERROR=0
#
# Set the following option to enable the rkhunter check start and finish
# times to be logged by syslog. Warning messages will also be logged.
# The value of the option must be a standard syslog facility and
# priority, separated by a dot. For example:
#
# USE_SYSLOG=authpriv.warning
#
# Setting the value to 'none', or just leaving the option commented out,
# disables the use of syslog.
#
#USE_SYSLOG=authpriv.notice
#
# Set the following option to 1 if the second colour set is to be used.
# This can be useful if your screen uses black characters on a white
# background (for example, a PC instead of a server).
#
COLOR_SET2=0
#
# Set the following option to 0 if rkhunter should not detect if X is
# being used. If X is detected as being used, then the second colour
# set will automatically be used.
#
AUTO_X_DETECT=1
#
# Set the following option to 1 if it is wanted that any 'Whitelisted'
# results are shown in white rather than green. For colour set 2 users,
# setting this option will cause the result to be shown in black.
#
WHITELISTED_IS_WHITE=0
#
# The following option is checked against the SSH configuration file
# 'PermitRootLogin' option. A warning will be displayed if they do not
# match. However, if a value has not been set in the SSH configuration
# file, then a value here of 'unset' can be used to avoid warning messages.
# This option has a default value of 'no'.
#
ALLOW_SSH_ROOT_USER=no
#
# Set this option to '1' to allow the use of the SSH-1 protocol, but note
# that theoretically it is weaker, and therefore less secure, than the
# SSH-2 protocol. Do not modify this option unless you have good reasons
# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
# authentication). If the 'Protocol' option has not been set in the SSH
# configuration file, then a value of '2' may be set here in order to
# suppress a warning message. This option has a default value of '0'.
#
ALLOW_SSH_PROT_V1=0
#
# This setting tells rkhunter the directory containing the SSH configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
#SSH_CONFIG_DIR=/etc/ssh
#
# These two options determine which tests are to be performed.
# The ENABLE_TESTS option can use the word 'all' to refer to all the
# available tests. The DISABLE_TESTS option can use the word 'none' to
# mean that no tests are disabled. The list of disabled tests is applied to
# the list of enabled tests. Both options are space-separated lists of test
# names. The currently available test names can be seen by using the command
# 'rkhunter --list tests'.
#
# The program defaults are to enable all tests and disable none. However, if
# either of the options below are specified, then they will override the
# program defaults.
#
# The supplied configuration file has some tests already disabled, and these
# are tests that will be used only occasionally, can be considered
# "advanced" or that are prone to produce more than the average number of
# false-positives.
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
# hidden_procs test requires the unhide command which is part of the unhide
# package in Debian.
#
# apps test is disabled by default as it triggers warnings about outdated
# applications (and warns about possible security risk: we better trust
# the Debian Security Team).
#
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
#
# The HASH_FUNC option can be used to specify the command to use
# for the file hash value check. It can be specified as just the
# command name or the full pathname. If just the command name is
# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or
# SHA512, then rkhunter will first look for the relevant command,
# such as 'sha256sum', and then for 'sha256'. If neither of these
# are found, it will then look to see if a perl module has been
# installed which will support the relevant hash function. To see
# which perl modules have been installed use the command
# 'rkhunter --list perl'.
#
# The default is SHA1, or MD5 if SHA1 cannot be found.
#
# Systems using prelinking are restricted to using either the
# SHA1 or MD5 function.
#
# A value of 'NONE' (in uppercase) can be specified to indicate that
# no hash function should be used. Rootkit Hunter will detect this and
# automatically disable the file hash checks.
#
# Examples:
# For Solaris 9 : HASH_FUNC=gmd5sum
# For Solaris 10: HASH_FUNC=sha1sum
# For AIX (>5.2): HASH_FUNC="csum -hMD5"
# For NetBSD : HASH_FUNC="cksum -a sha512"
#
# NOTE: If the hash function is changed then you MUST run rkhunter with
# the '--propupd' option to rebuild the file properties database.
#
HASH_FUNC=sha512sum
#
# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
# command output contains the hash value. The fields are assumed to
# be space-separated. The default value is 1, but for *BSD users
# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
# has not been set. The option value must be an integer greater
# than zero.
#
#HASH_FLD_IDX=4
#
# The PKGMGR option tells rkhunter to use the specified package manager
# to obtain the file property information. This is used when updating
# the file properties file ('rkhunter.dat'), and when running the file
# properties check. For RedHat/RPM-based systems, 'RPM' can be used to
# get information from the RPM database. For Debian-based systems 'DPKG'
# can be used, for *BSD systems 'BSD' can be used, and for Solaris
# systems 'SOLARIS' can be used. No value, or a value of 'NONE',
# indicates that no package manager is to be used. The default is 'NONE'.
#
# The current package managers, except 'SOLARIS', store the file hash
# values using an MD5 hash function. The Solaris package manager includes
# a checksum value, but this is not used by default (see USE_SUNSUM below).
#
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
# The 'RPM' package manager additionally provides values for the inode,
# file permissions, uid, gid and other values. The 'SOLARIS' also provides
# most of the values, similar to 'RPM', but not the inode number.
#
# For any file not part of a package, rkhunter will revert to using the
# HASH_FUNC hash function instead.
#
# Whenever this option is changed 'rkhunter --propupd' must be run.
#
# NONE is the default for Debian as well, as running --propupd takes
# about 4 times longer when it's set to DPKG
#
#PKGMGR=NONE
#
# It is possible that a file which is part of a package may be modified
# by the administrator. Typically this occurs for configuration files.
# However, the package manager may list the file as being modified. For
# the RPM package manager this may well depend on how the package was
# built. This option specifies those pathnames which are to be exempt
# from the package manager verification process, and which will be treated
# as non-packaged files. As such, the file properties are still checked.
#
# This option only takes effect if the PKGMGR option has been set, and
# is not 'NONE'.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once.
#
# Whenever this option is changed 'rkhunter --propupd' must be run.
#
#PKGMGR_NO_VRFY=""
#
# This option can be used to tell rkhunter to ignore any prelink
# dependency errors for the given commands. However, a warning will also
# be issued if the error does not occur for a given command. As such
# this option must only be used on commands which experience a persistent
# problem.
#
# Short-term prelink dependency errors can usually be resolved simply by
# running the 'prelink' command on the given pathname.
#
# NOTE: The command 'rkhunter --propupd' must be run whenever this option
# is changed.
#
# This is a space-separated list of command pathnames. The option can be
# specified more than once.
#
#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top"
#
# If the 'SOLARIS' package manager is used, then it is possible to use
# the checksum (hash) value stored for a file. However, this is only a
# 16-bit checksum, and as such is not nearly as secure as, for example,
# a SHA-2 value. For that reason, the checksum is not used by default,
# and the hash function given by HASH_FUNC is used instead. To enable
# this option, set its value to 1. The Solaris 'sum' command must be
# present on the system if this option is used.
#
#USE_SUNSUM=0
#
# This option is a space-separated list of commands, directories and file
# pathnames which will be included in the file properties checks.
# This option can be specified more than once.
#
# Whenever this option is changed, 'rkhunter --propupd' must be run.
#
# Simple command names - for example, 'top' - and directory names are
# added to the internal list of directories to be searched for each of
# the command names in the command list. Additionally, full pathnames
# to files, which need not be commands, may be given. Any files or
# directories which are already part of the internal lists will be
# silently ignored from the configuration.
#
# Normal globbing wildcards are allowed, except for simple command names.
# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
#
# Specific files may be excluded by preceding their name with an
# exclamation mark (!). For example, '!/opt/top'. By combining this
# with wildcarding, whole directories can be excluded. For example,
# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
# two directory levels of '/etc'. However, anything in '/etc/rc0.d',
# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
#
# NOTE: Only files and directories which have been added by the user,
# and are not part of the internal lists, can be excluded. So, for
# example, it is not possible to exclude the 'ps' command by using
# '!/bin/ps'. These will be silently ignored from the configuration.
#
#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"
#
# This option whitelists files and directories from existing,
# or not existing, on the system at the time of testing. This
# option is used when the configuration file options themselves
# are checked, and during the file properties check, the hidden
# files and directories checks, and the filesystem check of the
# '/dev' directory.
#
# This is a space-separated list of pathnames. The option may be
# specified more than once. The option may use wildcard characters,
# but be aware that this is probably not what you want to do as the
# wildcarding will be expanded after files have been deleted. As
# such deleted files won't be whitelisted if wildcarded.
#
# NOTE: The user must take into consideration how often the file will
# appear and disappear from the system in relation to how often
# rkhunter is run. If the file appears, and disappears, too often
# then rkhunter may not notice this. All it will see is that the file
# has changed. The inode-number and DTM will certainly be different
# for each new file, and rkhunter will report this.
#
#EXISTWHITELIST=""
#
# Whitelist various attributes of the specified files.
# The attributes are those of the 'attributes' test.
# Specifying a file name here does not include it being
# whitelisted for the write permission test (see below).
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ATTRWHITELIST="/bin/ps /usr/bin/date"
#
# Allow the specified commands to have the 'others'
# (world) permission have the write-bit set.
#
# For example, files with permissions r-xr-xrwx
# or rwxrwxrwx.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#WRITEWHITELIST="/bin/ps /usr/bin/date"
#
# Allow the specified commands to be scripts.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink
#
# Allow the specified commands to have the immutable attribute set.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown"
#
# If this option is set to 1, then the immutable-bit test is
# reversed. That is, the files are expected to have the bit set.
#
IMMUTABLE_SET=0
#
# Allow the specified hidden directories to be whitelisted.
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once. The option
# may use wildcard characters.
#
#ALLOWHIDDENDIR="/etc/.java"
#ALLOWHIDDENDIR="/dev/.static"
#ALLOWHIDDENDIR="/dev/.SRC-unix"
ALLOWHIDDENDIR="/etc/.git"
#
# Allow the specified hidden files to be whitelisted.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWHIDDENFILE="/etc/.java"
#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
#ALLOWHIDDENFILE="/etc/.pwd.lock"
#ALLOWHIDDENFILE="/etc/.init.state"
#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
ALLOWHIDDENFILE="/etc/.gitignore"
ALLOWHIDDENFILE="/etc/.etckeeper"
#ALLOWHIDDENFILE="/etc/.bzrignore"
#
# Allow the specified processes to use deleted files. The
# process name may be followed by a colon-separated list of
# full pathnames. The process will then only be whitelisted
# if it is using one of the given files. For example:
#
# ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz"
#
# This is a space-separated list of process names. The option
# may be specified more than once. The option may use wildcard
# characters, but only in the file names.
#
#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2"
#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*"
#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin"
#ALLOWPROCDELFILE="/usr/bin/file-roller"
#
# Allow the specified processes to listen on any network interface.
#
# This is a space-separated list of process names. The option
# may be specified more than once.
#
#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
#ALLOWPROCLISTEN="/usr/sbin/snort-plain"
#
# Allow the specified network interfaces to be in promiscuous mode.
#
# This is a space-separated list of interface names. The option may
# be specified more than once.
#
#ALLOWPROMISCIF="eth0"
#
# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
# The two allowed options are: THOROUGH or LAZY.
# If commented out we do a THOROUGH scan which will increase the runtime.
# Even though this adds to the running time it is highly recommended to
# leave it like this.
#
#SCAN_MODE_DEV=THOROUGH
#
# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
# perform a basic check, or a more thorough check. If the option is set to 0,
# then a basic check is performed. If it is set to 1, then all the directries
# in the /etc and /usr directories are scanned. The default value is 0. Users
# should note that setting this option to 1 will cause the test to take longer
# to complete.
#
PHALANX2_DIRTEST=0
#
# Allow the specified files to be present in the /dev directory,
# and not regarded as suspicious.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWDEVFILE="/dev/shm/pulse-shm-*"
#ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
#
# This setting tells rkhunter where the inetd configuration
# file is located.
#
#INETD_CONF_PATH=/etc/inetd.conf
#
# Allow the following enabled inetd services.
#
# This is a space-separated list of service names. The option may
# be specified more than once.
#
# For non-Solaris users the simple service name should be used.
# For example:
#
# INETD_ALLOWED_SVC=echo
#
# For Solaris 9 users the simple service name should also be used, but
# if it is an RPC service, then the executable pathname should be used.
# For example:
#
# INETD_ALLOWED_SVC=imaps
# INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd"
#
# For Solaris 10 users the service/FMRI name should be used. For example:
#
# INETD_ALLOWED_SVC=/network/rpc/meta
# INETD_ALLOWED_SVC=/network/rpc/metamed
# INETD_ALLOWED_SVC=/application/font/stfsloader
# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#
#INETD_ALLOWED_SVC=echo
#
# This setting tells rkhunter where the xinetd configuration
# file is located.
#
#XINETD_CONF_PATH=/etc/xinetd.conf
#
# Allow the following enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing
# we only have the pathname available. As such, these entries are
# the xinetd file pathnames.
#
# This is a space-separated list of service names. The option may
# be specified more than once.
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
#
# This option tells rkhunter the local system startup file pathnames.
# The directories will be searched for files. By default rkhunter
# will use certain filenames and directories. If the option is set
# to 'none', then certain tests will be skipped.
#
# This is a space-separated list of file and directory pathnames.
# The option may be specified more than once. The option may use
# wildcard characters.
#
#STARTUP_PATHS="/etc/init.d /etc/rc.local"
#
# This setting tells rkhunter the pathname to the file containing the
# user account passwords. This setting will be worked out by rkhunter,
# and so should not usually need to be set. Users of TCB shadow files
# should not set this option.
#
#PASSWORD_FILE=/etc/shadow
#
# Allow the following accounts to be root equivalent. These accounts
# will have a UID value of zero. The 'root' account does not need to
# be listed as it is automatically whitelisted.
#
# This is a space-separated list of account names. The option may
# be specified more than once.
#
# NOTE: For *BSD systems you will probably need to use this option
# for the 'toor' account.
#
#UID0_ACCOUNTS="toor rooty sashroot"
#
# Allow the following accounts to have no password. NIS/YP entries do
# not need to be listed as they are automatically whitelisted.
#
# This is a space-separated list of account names. The option may
# be specified more than once.
#
#PWDLESS_ACCOUNTS="abc"
#
# This setting tells rkhunter the pathname to the syslog configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set. A value of 'NONE' can be used to indicate
# that there is no configuration file, but that the syslog daemon process
# may be running.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf
#
# This option permits the use of syslog remote logging.
#
ALLOW_SYSLOG_REMOTE_LOGGING=0
#
# Allow the following applications, or a specific version of an application,
# to be whitelisted. This option may be specified more than once, and is a
# space-separated list consisting of the application names. If a specific
# version is to be whitelisted, then the name must be followed by a colon
# and then the version number. For example:
#
# APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
#
# Note above that for the Apache web server, the name 'httpd' is used.
#
#APP_WHITELIST=""
#
# Scan for suspicious files in directories containing temporary files and
# directories posing a relatively higher risk due to user write access.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
# Also be aware that running suspscan in combination with verbose logging on,
# RKH's default, will show all ignored files.
# Please consider adding all directories the user the (web)server runs as has
# write access to including the document root (example: "/var/www") and log
# directories (example: "/var/log/httpd").
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once.
#
#SUSPSCAN_DIRS="/tmp /var/tmp"
#
# Directory for temporary files. A memory-based one is better (faster).
# Do not use a directory name that is listed in SUSPSCAN_DIRS.
# Please make sure you have a tempfs mounted and the directory exists.
#
SUSPSCAN_TEMP=/dev/shm
#
# Maximum filesize in bytes. Files larger than this will not be inspected.
# Do make sure you have enough space left in your temporary files directory.
#
SUSPSCAN_MAXSIZE=10240000
#
# Score threshold. Below this value no hits will be reported.
# A value of "200" seems "good" after testing on malware. Please adjust
# locally if necessary.
#
SUSPSCAN_THRESH=200
#
# The following option can be used to whitelist network ports which
# are known to have been used by malware. This option may be specified
# more than once. The option is a space-separated list of one or more
# of four types of whitelisting. These are:
#
# 1) a 'protocol:port' pair (e.g. TCP:25)
# 2) a pathname to an executable (e.g. /usr/sbin/squid)
# 3) a combined pathname, protocol and port
# (e.g. /usr/sbin/squid:TCP:3801)
# 4) an asterisk ('*')
#
# Only the UDP or TCP protocol may be specified, and the port number
# must be between 1 and 65535 inclusive.
#
# The asterisk can be used to indicate that any executable which rkhunter
# can locate as a command, is whitelisted. (See BINDIR in this file.)
#
# For example:
#
# PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
#
# NOTE: In order to whitelist a pathname, or use the asterisk option,
# the 'lsof' command must be present.
#
#PORT_WHITELIST=""
#
# The following option can be used to tell rkhunter where the operating
# system 'release' file is located. This file contains information
# specifying the current O/S version. RKH will store this information
# itself, and check to see if it has changed between each run. If it has
# changed, then the user is warned that RKH may issue warning messages
# until RKH has been run with the '--propupd' option.
#
# Since the contents of the file vary according to the O/S distribution,
# RKH will perform different actions when it detects the file itself. As
# such, this option should not be set unless necessary. If this option is
# specified, then RKH will assume the O/S release information is on the
# first non-blank line of the file.
#
#OS_VERSION_FILE="/etc/debian_version"
#
# The following two options can be used to whitelist files and directories
# that would normally be flagged with a warning during the various rootkit
# and malware checks. If the file or directory name contains a space, then
# the percent character ('%') must be used instead. Only existing files and
# directories can be specified, and these must be full pathnames not links.
#
# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
# file name (separated by a colon). This will then only whitelist that string
# in that file (as part of the malware checks). For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
#
# If the option list includes the filename on its own as well, then the file
# will be whitelisted from rootkit checks of the files existence, but still
# only the specific string within the file will be whitelisted. For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
#
# To whitelist a file from the existence checks, but not from the strings
# checks, then include the filename on its own and on its own but with
# just a colon appended. For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# These are space-separated lists of file and directory pathnames.
# The options may be specified more than once.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""
#
# The following option can be used to whitelist shared library files that would
# normally be flagged with a warning during the preloaded shared library check.
# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
# the LD_PRELOAD environment variable.
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# This is a space-separated list of library pathnames.
# The option may be specified more than once.
#
#SHARED_LIB_WHITELIST="/lib/snoopy.so"
#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
# command, then the following two options can be used. The value must be
# set to 'BUILTIN'.
#
# NOTE: IRIX users will probably need to enable STAT_CMD.
#
#STAT_CMD=BUILTIN
#READLINK_CMD=BUILTIN
#
# In the file properties test any modification date/time is displayed as the
# number of epoch seconds. Rkhunter will try and use the 'date' command, or
# failing that the 'perl' command, to display the date and time in a
# human-readable format as well. This option may be used if some other command
# should be used instead. The given command must understand the '%s' and
# 'seconds ago' options found in the GNU date command.
#
# A value of 'NONE' may be used to request that only the epoch seconds be shown.
# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
# it is present.
#
#EPOCH_DATE_CMD=""
#
# This setting tells rkhunter the directory containing the available
# Linux kernel modules. This setting will be worked out by rkhunter,
# and so should not usually need to be set.
#
#MODULES_DIR=""
#
# The following option can be set to a command which rkhunter will use when
# downloading files from the Internet - that is, when the '--update' or
# '--versioncheck' option is used. The command can take options.
#
# This allows the user to use a command other than the one automatically
# selected by rkhunter, but still one which it already knows about.
# For example:
#
# WEB_CMD=curl
#
# Alternatively, the user may specify a completely new command. However, note
# that rkhunter expects the downloaded file to be written to stdout, and that
# everything written to stderr is ignored. For example:
#
# WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
#
# *BSD users may want to use the 'ftp' command, provided that it supports
# the HTTP protocol:
#
# WEB_CMD="ftp -o -"
#
#WEB_CMD=""
#
# Set the following option to 0 if you do not want to receive a warning if
# any O/S information has changed since the last run of 'rkhunter --propupd'.
# The warnings occur during the file properties check. The default is to
# issue a warning if something has changed.
#
#WARN_ON_OS_CHANGE=1
#
# Set the following option to 1 if you want rkhunter to automatically run
# a file properties update ('--propupd') if the O/S has changed. Detection
# of an O/S change occurs during the file properties check. The default is
# not to do an automatic update.
#
# WARNING: Only set this option if you are sure that the update will work
# correctly. That is, that the database directory is writeable, that a valid
# hash function is available, and so on. This can usually be checked simply
# by running 'rkhunter --propupd' at least once.
#
#UPDT_ON_OS_CHANGE=0
#
# Set the following option to 1 if locking is to be used when rkhunter runs.
# The lock is set just before logging starts, and is removed when the program
# ends. It is used to prevent items such as the log file, and the file
# properties file, from becoming corrupted if rkhunter is running more than
# once. The mechanism used is to simply create a lock file in the TMPDIR
# directory. If the lock file already exists, because rkhunter is already
# running, then the current process simply loops around sleeping for 10 seconds
# and then retrying the lock.
#
# The default is not to use locking.
#
USE_LOCKING=0
#
# If locking is used, then rkhunter may have to wait to get the lock file.
# This option sets the total amount of time, in seconds, that rkhunter should
# wait. It will retry the lock every 10 seconds, until either it obtains the
# lock or the timeout value has been reached. If no value is set, then a
# default of 300 seconds (5 minutes) is used.
#
LOCK_TIMEOUT=300
#
# If locking is used, then rkhunter may be doing nothing for some time if it
# has to wait for the lock. Some simple messages are echo'd to the users screen
# to let them know that rkhunter is waiting for the lock. Set this option to 0
# if the messages are not to be displayed. The default is to show them.
#
SHOW_LOCK_MSGS=1
#
# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
# will search (on a per rootkit basis) for filenames in all of the directories (as defined
# by the result of running 'find / -xdev'). While still not optimal, as it
# still searches for only file names as opposed to file contents, this is one step away
# from the rigidity of searching in known (evidence) or default (installation) locations.
#
# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
#
# You should only activate this feature as part of a more thorough investigation which
# should be based on relevant best practices and procedures.
#
# Enabling this feature implies you have the knowledge to interpret the results properly.
#
#SCANROOTKITMODE=THOROUGH
#
# The following option can be set to the name(s) of the tests the 'unhide' command is
# to use. In order to maintain compatibility with older versions of 'unhide', this
# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but
# will only take effect when they are seen. The test names are a space-separated list,
# and will be executed in the order given.
#
#UNHIDE_TESTS="sys"
#
# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it
# is possible to disable the execution of one of the programs if desired. By default
# rkhunter will look for both programs, and execute each of them as they are found.
# If the value of this option is 0, then both programs will be executed if they are
# present. A value of 1 will disable execution of the C 'unhide' program, and a value
# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable
# both programs, then disable the 'hidden_procs' test.
#
DISABLE_UNHIDE=0
INSTALLDIR="/usr"
|