wheezy.conf.j2 38 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020
  1. {% if ansible_prolog -%}
  2. {% from 'templates/ansible/prolog.j2' import prolog with context %}
  3. {{ prolog() }}
  4. {% endif -%}
  5. #
  6. # This is the main configuration file for Rootkit Hunter.
  7. #
  8. # You can either modify this file directly, or you can create a local
  9. # configuration file. The local file must be named 'rkhunter.conf.local',
  10. # and must reside in the same directory as this file. Please modify one
  11. # or both files to your own requirements. It is suggested that the
  12. # command 'rkhunter -C' is run after any changes have been made.
  13. #
  14. # Please review the documentation before posting bug reports or questions.
  15. # To report bugs, obtain updates, or provide patches or comments, please go to:
  16. # http://rkhunter.sourceforge.net
  17. #
  18. # To ask questions about rkhunter, please use the rkhunter-users mailing list.
  19. # Note this is a moderated list: please subscribe before posting.
  20. #
  21. # Lines beginning with a hash (#), and blank lines, are ignored.
  22. # End-of-line comments are not supported.
  23. #
  24. # Most of the following options need only be specified once. If
  25. # they appear more than once, then the last one seen will be used.
  26. # Some options are allowed to appear more than once, and the text
  27. # describing the option will say if this is so.
  28. #
  29. # Some of the options are space-separated lists of pathnames. If
  30. # wildcard characters (globbing) are allowed in the list, then the
  31. # text describing the option will say so.
  32. #
  33. # Space-separated lists may be enclosed by quotes, but these must only
  34. # appear at the start and end of the list, not in the middle.
  35. #
  36. # For example: XXX="abc def gh" (correct)
  37. # XXX="abc" "def" "gh" (incorrect)
  38. #
  39. #
  40. # If this option is set to 1, it specifies that the mirrors file
  41. # ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
  42. # options are used, is to be rotated. Rotating the entries in the file
  43. # allows a basic form of load-balancing between the mirror sites whenever
  44. # the above options are used.
  45. # If the option is set to 0, then the mirrors will be treated as if in
  46. # a priority list. That is, the first mirror listed will always be used
  47. # first. The second mirror will only be used if the first mirror fails,
  48. # the third mirror will only be used if the second mirror fails, and so on.
  49. #
  50. # If the mirrors file is read-only, then the '--versioncheck' command-line
  51. # option can only be used if this option is set to 0.
  52. #
  53. ROTATE_MIRRORS=1
  54. #
  55. # If this option is set to 1, it specifies that when the '--update'
  56. # option is used, then the mirrors file is to be checked for updates
  57. # as well. If the current mirrors file contains any local mirrors,
  58. # these will be prepended to the updated file.
  59. # If this option is set to 0, the mirrors file can only be updated
  60. # manually. This may be useful if only using local mirrors.
  61. #
  62. UPDATE_MIRRORS=1
  63. #
  64. # The MIRRORS_MODE option tells rkhunter which mirrors are to be
  65. # used when the '--update' or '--versioncheck' command-line options
  66. # are given. Possible values are:
  67. # 0 - use any mirror (the default)
  68. # 1 - only use local mirrors
  69. # 2 - only use remote mirrors
  70. #
  71. # Local and remote mirrors can be defined in the mirrors file
  72. # by using the 'local=' and 'remote=' keywords respectively.
  73. #
  74. MIRRORS_MODE=0
  75. #
  76. # Email a message to this address if a warning is found when the
  77. # system is being checked. Multiple addresses may be specified
  78. # simply be separating them with a space. Setting this option to
  79. # null disables the option.
  80. #
  81. # NOTE: This option should be present in the configuration file.
  82. #
  83. #MAIL-ON-WARNING=me@mydomain root@mydomain
  84. MAIL-ON-WARNING=""
  85. #
  86. # Specify the mail command to use if MAIL-ON-WARNING is set.
  87. #
  88. # NOTE: Double quotes are not required around the command, but
  89. # are required around the subject line if it contains spaces.
  90. #
  91. MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
  92. #
  93. # Specify the temporary directory to use.
  94. #
  95. # NOTE: Do not use /tmp as your temporary directory. Some
  96. # important files will be written to this directory, so be
  97. # sure that the directory permissions are tight.
  98. #
  99. TMPDIR=/var/lib/rkhunter/tmp
  100. #
  101. # Specify the database directory to use.
  102. #
  103. DBDIR=/var/lib/rkhunter/db
  104. #
  105. # Specify the script directory to use.
  106. #
  107. SCRIPTDIR=/usr/share/rkhunter/scripts
  108. #
  109. # This option can be used to modify the command directory list used
  110. # by rkhunter to locate commands (that is, its PATH). By default
  111. # this will be the root PATH, and an internal list of some common
  112. # command directories.
  113. #
  114. # Any directories specified here will, by default, be appended to the
  115. # default list. However, if a directory name begins with the '+'
  116. # character, then that directory will be prepended to the list (that
  117. # is, it will be put at the start of the list).
  118. #
  119. # This is a space-separated list of directory names. The option may
  120. # be specified more than once.
  121. #
  122. #BINDIR="/bin /usr/bin /sbin /usr/sbin"
  123. #BINDIR="+/usr/local/bin +/usr/local/sbin"
  124. #
  125. # Specify the default language to use. This should be similar
  126. # to the ISO 639 language code.
  127. #
  128. # NOTE: Please ensure that the language you specify is supported.
  129. # For a list of supported languages use the following command:
  130. #
  131. # rkhunter --lang en --list languages
  132. #
  133. #LANGUAGE=en
  134. #
  135. # This option is a space-separated list of the languages that are to
  136. # be updated when the '--update' option is used. If unset, then all
  137. # the languages will be updated. If none of the languages are to be
  138. # updated, then set this option to just 'en'.
  139. #
  140. # The default is for all the languages to be updated. The default
  141. # language, specified above, and the English (en) language file will
  142. # always be updated regardless of this option.
  143. #
  144. UPDATE_LANG=""
  145. #
  146. # Specify the log file pathname.
  147. #
  148. # NOTE: This option should be present in the configuration file.
  149. #
  150. LOGFILE=/var/log/rkhunter.log
  151. #
  152. # Set the following option to 1 if the log file is to be appended to
  153. # whenever rkhunter is run.
  154. #
  155. APPEND_LOG=0
  156. #
  157. # Set the following option to 1 if the log file is to be copied when
  158. # rkhunter finishes and an error or warning has occurred. The copied
  159. # log file name will be appended with the current date and time
  160. # (in YYYY-MM-DD_HH:MM:SS format).
  161. # For example: rkhunter.log.2009-04-21_00:57:51
  162. #
  163. COPY_LOG_ON_ERROR=0
  164. #
  165. # Set the following option to enable the rkhunter check start and finish
  166. # times to be logged by syslog. Warning messages will also be logged.
  167. # The value of the option must be a standard syslog facility and
  168. # priority, separated by a dot. For example:
  169. #
  170. # USE_SYSLOG=authpriv.warning
  171. #
  172. # Setting the value to 'none', or just leaving the option commented out,
  173. # disables the use of syslog.
  174. #
  175. #USE_SYSLOG=authpriv.notice
  176. #
  177. # Set the following option to 1 if the second colour set is to be used.
  178. # This can be useful if your screen uses black characters on a white
  179. # background (for example, a PC instead of a server).
  180. #
  181. COLOR_SET2=0
  182. #
  183. # Set the following option to 0 if rkhunter should not detect if X is
  184. # being used. If X is detected as being used, then the second colour
  185. # set will automatically be used.
  186. #
  187. AUTO_X_DETECT=1
  188. #
  189. # Set the following option to 1 if it is wanted that any 'Whitelisted'
  190. # results are shown in white rather than green. For colour set 2 users,
  191. # setting this option will cause the result to be shown in black.
  192. #
  193. WHITELISTED_IS_WHITE=0
  194. #
  195. # The following option is checked against the SSH configuration file
  196. # 'PermitRootLogin' option. A warning will be displayed if they do not
  197. # match. However, if a value has not been set in the SSH configuration
  198. # file, then a value here of 'unset' can be used to avoid warning messages.
  199. # This option has a default value of 'no'.
  200. #
  201. ALLOW_SSH_ROOT_USER=without-password
  202. #
  203. # Set this option to '1' to allow the use of the SSH-1 protocol, but note
  204. # that theoretically it is weaker, and therefore less secure, than the
  205. # SSH-2 protocol. Do not modify this option unless you have good reasons
  206. # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
  207. # authentication). If the 'Protocol' option has not been set in the SSH
  208. # configuration file, then a value of '2' may be set here in order to
  209. # suppress a warning message. This option has a default value of '0'.
  210. #
  211. ALLOW_SSH_PROT_V1=0
  212. #
  213. # This setting tells rkhunter the directory containing the SSH configuration
  214. # file. This setting will be worked out by rkhunter, and so should not
  215. # usually need to be set.
  216. #
  217. #SSH_CONFIG_DIR=/etc/ssh
  218. #
  219. # These two options determine which tests are to be performed.
  220. # The ENABLE_TESTS option can use the word 'all' to refer to all the
  221. # available tests. The DISABLE_TESTS option can use the word 'none' to
  222. # mean that no tests are disabled. The list of disabled tests is applied to
  223. # the list of enabled tests. Both options are space-separated lists of test
  224. # names. The currently available test names can be seen by using the command
  225. # 'rkhunter --list tests'.
  226. #
  227. # The program defaults are to enable all tests and disable none. However, if
  228. # either of the options below are specified, then they will override the
  229. # program defaults.
  230. #
  231. # The supplied configuration file has some tests already disabled, and these
  232. # are tests that will be used only occasionally, can be considered
  233. # "advanced" or that are prone to produce more than the average number of
  234. # false-positives.
  235. #
  236. # Please read the README file for more details about enabling and disabling
  237. # tests, the test names, and how rkhunter behaves when these options are used.
  238. #
  239. # hidden_procs test requires the unhide command which is part of the unhide
  240. # package in Debian.
  241. #
  242. # apps test is disabled by default as it triggers warnings about outdated
  243. # applications (and warns about possible security risk: we better trust
  244. # the Debian Security Team).
  245. #
  246. ENABLE_TESTS="all"
  247. {% set disable_tests = [] %}
  248. {% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'guest' -%}
  249. {% if disable_tests.append('os_specific') %}{% endif %}
  250. {%- endif %}
  251. {% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'host' -%}
  252. {% if disable_tests.append('promisc') %}{% endif %}
  253. {%- endif %}
  254. DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps {{ disable_tests|join(' ') }}"
  255. #
  256. # The HASH_FUNC option can be used to specify the command to use
  257. # for the file hash value check. It can be specified as just the
  258. # command name or the full pathname. If just the command name is
  259. # given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or
  260. # SHA512, then rkhunter will first look for the relevant command,
  261. # such as 'sha256sum', and then for 'sha256'. If neither of these
  262. # are found, it will then look to see if a perl module has been
  263. # installed which will support the relevant hash function. To see
  264. # which perl modules have been installed use the command
  265. # 'rkhunter --list perl'.
  266. #
  267. # The default is SHA1, or MD5 if SHA1 cannot be found.
  268. #
  269. # Systems using prelinking are restricted to using either the
  270. # SHA1 or MD5 function.
  271. #
  272. # A value of 'NONE' (in uppercase) can be specified to indicate that
  273. # no hash function should be used. Rootkit Hunter will detect this and
  274. # automatically disable the file hash checks.
  275. #
  276. # Examples:
  277. # For Solaris 9 : HASH_FUNC=gmd5sum
  278. # For Solaris 10: HASH_FUNC=sha1sum
  279. # For AIX (>5.2): HASH_FUNC="csum -hMD5"
  280. # For NetBSD : HASH_FUNC="cksum -a sha512"
  281. #
  282. # NOTE: If the hash function is changed then you MUST run rkhunter with
  283. # the '--propupd' option to rebuild the file properties database.
  284. #
  285. #HASH_FUNC=sha1sum
  286. #
  287. # The HASH_FLD_IDX option specifies which field from the HASH_FUNC
  288. # command output contains the hash value. The fields are assumed to
  289. # be space-separated. The default value is 1, but for *BSD users
  290. # rkhunter will, by default, use a value of 4 if the HASH_FUNC option
  291. # has not been set. The option value must be an integer greater
  292. # than zero.
  293. #
  294. #HASH_FLD_IDX=4
  295. #
  296. # The PKGMGR option tells rkhunter to use the specified package manager
  297. # to obtain the file property information. This is used when updating
  298. # the file properties file ('rkhunter.dat'), and when running the file
  299. # properties check. For RedHat/RPM-based systems, 'RPM' can be used to
  300. # get information from the RPM database. For Debian-based systems 'DPKG'
  301. # can be used, for *BSD systems 'BSD' can be used, and for Solaris
  302. # systems 'SOLARIS' can be used. No value, or a value of 'NONE',
  303. # indicates that no package manager is to be used. The default is 'NONE'.
  304. #
  305. # The current package managers, except 'SOLARIS', store the file hash
  306. # values using an MD5 hash function. The Solaris package manager includes
  307. # a checksum value, but this is not used by default (see USE_SUNSUM below).
  308. #
  309. # The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
  310. # The 'RPM' package manager additionally provides values for the inode,
  311. # file permissions, uid, gid and other values. The 'SOLARIS' also provides
  312. # most of the values, similar to 'RPM', but not the inode number.
  313. #
  314. # For any file not part of a package, rkhunter will revert to using the
  315. # HASH_FUNC hash function instead.
  316. #
  317. # Whenever this option is changed 'rkhunter --propupd' must be run.
  318. #
  319. # NONE is the default for Debian as well, as running --propupd takes
  320. # about 4 times longer when it's set to DPKG
  321. #
  322. #PKGMGR=NONE
  323. #
  324. # It is possible that a file which is part of a package may be modified
  325. # by the administrator. Typically this occurs for configuration files.
  326. # However, the package manager may list the file as being modified. For
  327. # the RPM package manager this may well depend on how the package was
  328. # built. This option specifies those pathnames which are to be exempt
  329. # from the package manager verification process, and which will be treated
  330. # as non-packaged files. As such, the file properties are still checked.
  331. #
  332. # This option only takes effect if the PKGMGR option has been set, and
  333. # is not 'NONE'.
  334. #
  335. # This is a space-separated list of pathnames. The option may
  336. # be specified more than once.
  337. #
  338. # Whenever this option is changed 'rkhunter --propupd' must be run.
  339. #
  340. #PKGMGR_NO_VRFY=""
  341. #
  342. # This option can be used to tell rkhunter to ignore any prelink
  343. # dependency errors for the given commands. However, a warning will also
  344. # be issued if the error does not occur for a given command. As such
  345. # this option must only be used on commands which experience a persistent
  346. # problem.
  347. #
  348. # Short-term prelink dependency errors can usually be resolved simply by
  349. # running the 'prelink' command on the given pathname.
  350. #
  351. # NOTE: The command 'rkhunter --propupd' must be run whenever this option
  352. # is changed.
  353. #
  354. # This is a space-separated list of command pathnames. The option can be
  355. # specified more than once.
  356. #
  357. #IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top"
  358. #
  359. # If the 'SOLARIS' package manager is used, then it is possible to use
  360. # the checksum (hash) value stored for a file. However, this is only a
  361. # 16-bit checksum, and as such is not nearly as secure as, for example,
  362. # a SHA-2 value. For that reason, the checksum is not used by default,
  363. # and the hash function given by HASH_FUNC is used instead. To enable
  364. # this option, set its value to 1. The Solaris 'sum' command must be
  365. # present on the system if this option is used.
  366. #
  367. #USE_SUNSUM=0
  368. #
  369. # This option is a space-separated list of commands, directories and file
  370. # pathnames which will be included in the file properties checks.
  371. # This option can be specified more than once.
  372. #
  373. # Whenever this option is changed, 'rkhunter --propupd' must be run.
  374. #
  375. # Simple command names - for example, 'top' - and directory names are
  376. # added to the internal list of directories to be searched for each of
  377. # the command names in the command list. Additionally, full pathnames
  378. # to files, which need not be commands, may be given. Any files or
  379. # directories which are already part of the internal lists will be
  380. # silently ignored from the configuration.
  381. #
  382. # Normal globbing wildcards are allowed, except for simple command names.
  383. # For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
  384. #
  385. # Specific files may be excluded by preceding their name with an
  386. # exclamation mark (!). For example, '!/opt/top'. By combining this
  387. # with wildcarding, whole directories can be excluded. For example,
  388. # '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
  389. # two directory levels of '/etc'. However, anything in '/etc/rc0.d',
  390. # '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
  391. #
  392. # NOTE: Only files and directories which have been added by the user,
  393. # and are not part of the internal lists, can be excluded. So, for
  394. # example, it is not possible to exclude the 'ps' command by using
  395. # '!/bin/ps'. These will be silently ignored from the configuration.
  396. #
  397. #USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
  398. #USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
  399. #USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
  400. #USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
  401. #USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
  402. #USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
  403. #USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"
  404. #
  405. # This option whitelists files and directories from existing,
  406. # or not existing, on the system at the time of testing. This
  407. # option is used when the configuration file options themselves
  408. # are checked, and during the file properties check, the hidden
  409. # files and directories checks, and the filesystem check of the
  410. # '/dev' directory.
  411. #
  412. # This is a space-separated list of pathnames. The option may be
  413. # specified more than once. The option may use wildcard characters,
  414. # but be aware that this is probably not what you want to do as the
  415. # wildcarding will be expanded after files have been deleted. As
  416. # such deleted files won't be whitelisted if wildcarded.
  417. #
  418. # NOTE: The user must take into consideration how often the file will
  419. # appear and disappear from the system in relation to how often
  420. # rkhunter is run. If the file appears, and disappears, too often
  421. # then rkhunter may not notice this. All it will see is that the file
  422. # has changed. The inode-number and DTM will certainly be different
  423. # for each new file, and rkhunter will report this.
  424. #
  425. #EXISTWHITELIST=""
  426. #
  427. # Whitelist various attributes of the specified files.
  428. # The attributes are those of the 'attributes' test.
  429. # Specifying a file name here does not include it being
  430. # whitelisted for the write permission test (see below).
  431. #
  432. # This is a space-separated list of filenames. The option may
  433. # be specified more than once. The option may use wildcard
  434. # characters.
  435. #
  436. #ATTRWHITELIST="/bin/ps /usr/bin/date"
  437. #
  438. # Allow the specified commands to have the 'others'
  439. # (world) permission have the write-bit set.
  440. #
  441. # For example, files with permissions r-xr-xrwx
  442. # or rwxrwxrwx.
  443. #
  444. # This is a space-separated list of filenames. The option may
  445. # be specified more than once. The option may use wildcard
  446. # characters.
  447. #
  448. #WRITEWHITELIST="/bin/ps /usr/bin/date"
  449. #
  450. # Allow the specified commands to be scripts.
  451. #
  452. # This is a space-separated list of filenames. The option may
  453. # be specified more than once. The option may use wildcard
  454. # characters.
  455. #
  456. SCRIPTWHITELIST=/bin/egrep
  457. SCRIPTWHITELIST=/bin/fgrep
  458. SCRIPTWHITELIST=/bin/which
  459. SCRIPTWHITELIST=/usr/bin/groups
  460. SCRIPTWHITELIST=/usr/bin/ldd
  461. SCRIPTWHITELIST=/usr/bin/lwp-request
  462. SCRIPTWHITELIST=/usr/sbin/adduser
  463. SCRIPTWHITELIST=/usr/sbin/prelink
  464. #
  465. # Allow the specified commands to have the immutable attribute set.
  466. #
  467. # This is a space-separated list of filenames. The option may
  468. # be specified more than once. The option may use wildcard
  469. # characters.
  470. #
  471. #IMMUTWHITELIST="/sbin/ifup /sbin/ifdown"
  472. #
  473. # If this option is set to 1, then the immutable-bit test is
  474. # reversed. That is, the files are expected to have the bit set.
  475. #
  476. IMMUTABLE_SET=0
  477. #
  478. # Allow the specified hidden directories to be whitelisted.
  479. #
  480. # This is a space-separated list of directory pathnames.
  481. # The option may be specified more than once. The option
  482. # may use wildcard characters.
  483. #
  484. ALLOWHIDDENDIR="/etc/.java"
  485. ALLOWHIDDENDIR="/dev/.udev"
  486. #ALLOWHIDDENDIR="/dev/.static"
  487. ALLOWHIDDENDIR="/dev/.initramfs"
  488. #ALLOWHIDDENDIR="/dev/.SRC-unix"
  489. ALLOWHIDDENDIR="/dev/.mdadm"
  490. ALLOWHIDDENDIR="/etc/.git"
  491. #
  492. # Allow the specified hidden files to be whitelisted.
  493. #
  494. # This is a space-separated list of filenames. The option may
  495. # be specified more than once. The option may use wildcard
  496. # characters.
  497. #
  498. #ALLOWHIDDENFILE="/etc/.java"
  499. #ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
  500. #ALLOWHIDDENFILE="/etc/.pwd.lock"
  501. #ALLOWHIDDENFILE="/etc/.init.state"
  502. #ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
  503. #ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
  504. #ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
  505. #ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
  506. #ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
  507. #ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
  508. #ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
  509. #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
  510. #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
  511. #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
  512. #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
  513. #ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
  514. #ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
  515. #ALLOWHIDDENFILE="/etc/.gitignore"
  516. #ALLOWHIDDENFILE="/etc/.bzrignore"
  517. ALLOWHIDDENFILE="/etc/.etckeeper"
  518. ALLOWHIDDENFILE="/etc/.gitignore"
  519. #
  520. # Allow the specified processes to use deleted files. The
  521. # process name may be followed by a colon-separated list of
  522. # full pathnames. The process will then only be whitelisted
  523. # if it is using one of the given files. For example:
  524. #
  525. # ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz"
  526. #
  527. # This is a space-separated list of process names. The option
  528. # may be specified more than once. The option may use wildcard
  529. # characters, but only in the file names.
  530. #
  531. #ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
  532. #ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2"
  533. #ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*"
  534. #ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin"
  535. #ALLOWPROCDELFILE="/usr/bin/file-roller"
  536. #
  537. # Allow the specified processes to listen on any network interface.
  538. #
  539. # This is a space-separated list of process names. The option
  540. # may be specified more than once.
  541. #
  542. #ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
  543. #ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
  544. #ALLOWPROCLISTEN="/usr/sbin/snort-plain"
  545. #
  546. # Allow the specified network interfaces to be in promiscuous mode.
  547. #
  548. # This is a space-separated list of interface names. The option may
  549. # be specified more than once.
  550. #
  551. #ALLOWPROMISCIF="eth0"
  552. #
  553. # SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
  554. # The two allowed options are: THOROUGH or LAZY.
  555. # If commented out we do a THOROUGH scan which will increase the runtime.
  556. # Even though this adds to the running time it is highly recommended to
  557. # leave it like this.
  558. #
  559. #SCAN_MODE_DEV=THOROUGH
  560. #
  561. # The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
  562. # perform a basic check, or a more thorough check. If the option is set to 0,
  563. # then a basic check is performed. If it is set to 1, then all the directries
  564. # in the /etc and /usr directories are scanned. The default value is 0. Users
  565. # should note that setting this option to 1 will cause the test to take longer
  566. # to complete.
  567. #
  568. PHALANX2_DIRTEST=0
  569. #
  570. # Allow the specified files to be present in the /dev directory,
  571. # and not regarded as suspicious.
  572. #
  573. # This is a space-separated list of pathnames. The option may
  574. # be specified more than once. The option may use wildcard
  575. # characters.
  576. #
  577. ALLOWDEVFILE=/dev/shm/network/ifstate
  578. #ALLOWDEVFILE="/dev/shm/pulse-shm-*"
  579. #ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
  580. #
  581. # This setting tells rkhunter where the inetd configuration
  582. # file is located.
  583. #
  584. #INETD_CONF_PATH=/etc/inetd.conf
  585. #
  586. # Allow the following enabled inetd services.
  587. #
  588. # This is a space-separated list of service names. The option may
  589. # be specified more than once.
  590. #
  591. # For non-Solaris users the simple service name should be used.
  592. # For example:
  593. #
  594. # INETD_ALLOWED_SVC=echo
  595. #
  596. # For Solaris 9 users the simple service name should also be used, but
  597. # if it is an RPC service, then the executable pathname should be used.
  598. # For example:
  599. #
  600. # INETD_ALLOWED_SVC=imaps
  601. # INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd"
  602. #
  603. # For Solaris 10 users the service/FMRI name should be used. For example:
  604. #
  605. # INETD_ALLOWED_SVC=/network/rpc/meta
  606. # INETD_ALLOWED_SVC=/network/rpc/metamed
  607. # INETD_ALLOWED_SVC=/application/font/stfsloader
  608. # INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
  609. #
  610. #INETD_ALLOWED_SVC=echo
  611. #
  612. # This setting tells rkhunter where the xinetd configuration
  613. # file is located.
  614. #
  615. #XINETD_CONF_PATH=/etc/xinetd.conf
  616. #
  617. # Allow the following enabled xinetd services. Whilst it would be
  618. # nice to use the service names themselves, at the time of testing
  619. # we only have the pathname available. As such, these entries are
  620. # the xinetd file pathnames.
  621. #
  622. # This is a space-separated list of service names. The option may
  623. # be specified more than once.
  624. #
  625. #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
  626. #
  627. # This option tells rkhunter the local system startup file pathnames.
  628. # The directories will be searched for files. By default rkhunter
  629. # will use certain filenames and directories. If the option is set
  630. # to 'none', then certain tests will be skipped.
  631. #
  632. # This is a space-separated list of file and directory pathnames.
  633. # The option may be specified more than once. The option may use
  634. # wildcard characters.
  635. #
  636. #STARTUP_PATHS="/etc/init.d /etc/rc.local"
  637. #
  638. # This setting tells rkhunter the pathname to the file containing the
  639. # user account passwords. This setting will be worked out by rkhunter,
  640. # and so should not usually need to be set. Users of TCB shadow files
  641. # should not set this option.
  642. #
  643. #PASSWORD_FILE=/etc/shadow
  644. #
  645. # Allow the following accounts to be root equivalent. These accounts
  646. # will have a UID value of zero. The 'root' account does not need to
  647. # be listed as it is automatically whitelisted.
  648. #
  649. # This is a space-separated list of account names. The option may
  650. # be specified more than once.
  651. #
  652. # NOTE: For *BSD systems you will probably need to use this option
  653. # for the 'toor' account.
  654. #
  655. #UID0_ACCOUNTS="toor rooty sashroot"
  656. #
  657. # Allow the following accounts to have no password. NIS/YP entries do
  658. # not need to be listed as they are automatically whitelisted.
  659. #
  660. # This is a space-separated list of account names. The option may
  661. # be specified more than once.
  662. #
  663. #PWDLESS_ACCOUNTS="abc"
  664. #
  665. # This setting tells rkhunter the pathname to the syslog configuration
  666. # file. This setting will be worked out by rkhunter, and so should not
  667. # usually need to be set. A value of 'NONE' can be used to indicate
  668. # that there is no configuration file, but that the syslog daemon process
  669. # may be running.
  670. #
  671. # This is a space-separated list of pathnames. The option may
  672. # be specified more than once.
  673. #
  674. #SYSLOG_CONFIG_FILE=/etc/syslog.conf
  675. #
  676. # This option permits the use of syslog remote logging.
  677. #
  678. ALLOW_SYSLOG_REMOTE_LOGGING=0
  679. #
  680. # Allow the following applications, or a specific version of an application,
  681. # to be whitelisted. This option may be specified more than once, and is a
  682. # space-separated list consisting of the application names. If a specific
  683. # version is to be whitelisted, then the name must be followed by a colon
  684. # and then the version number. For example:
  685. #
  686. # APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
  687. #
  688. # Note above that for the Apache web server, the name 'httpd' is used.
  689. #
  690. #APP_WHITELIST=""
  691. #
  692. # Scan for suspicious files in directories containing temporary files and
  693. # directories posing a relatively higher risk due to user write access.
  694. # Please do not enable by default as suspscan is CPU and I/O intensive and prone to
  695. # producing false positives. Do review all settings before usage.
  696. # Also be aware that running suspscan in combination with verbose logging on,
  697. # RKH's default, will show all ignored files.
  698. # Please consider adding all directories the user the (web)server runs as has
  699. # write access to including the document root (example: "/var/www") and log
  700. # directories (example: "/var/log/httpd").
  701. #
  702. # This is a space-separated list of directory pathnames.
  703. # The option may be specified more than once.
  704. #
  705. SUSPSCAN_DIRS="/tmp /var/tmp"
  706. #
  707. # Directory for temporary files. A memory-based one is better (faster).
  708. # Do not use a directory name that is listed in SUSPSCAN_DIRS.
  709. # Please make sure you have a tempfs mounted and the directory exists.
  710. #
  711. SUSPSCAN_TEMP=/dev/shm
  712. #
  713. # Maximum filesize in bytes. Files larger than this will not be inspected.
  714. # Do make sure you have enough space left in your temporary files directory.
  715. #
  716. SUSPSCAN_MAXSIZE=10240000
  717. #
  718. # Score threshold. Below this value no hits will be reported.
  719. # A value of "200" seems "good" after testing on malware. Please adjust
  720. # locally if necessary.
  721. #
  722. SUSPSCAN_THRESH=200
  723. #
  724. # The following option can be used to whitelist network ports which
  725. # are known to have been used by malware. This option may be specified
  726. # more than once. The option is a space-separated list of one or more
  727. # of four types of whitelisting. These are:
  728. #
  729. # 1) a 'protocol:port' pair (e.g. TCP:25)
  730. # 2) a pathname to an executable (e.g. /usr/sbin/squid)
  731. # 3) a combined pathname, protocol and port
  732. # (e.g. /usr/sbin/squid:TCP:3801)
  733. # 4) an asterisk ('*')
  734. #
  735. # Only the UDP or TCP protocol may be specified, and the port number
  736. # must be between 1 and 65535 inclusive.
  737. #
  738. # The asterisk can be used to indicate that any executable which rkhunter
  739. # can locate as a command, is whitelisted. (See BINDIR in this file.)
  740. #
  741. # For example:
  742. #
  743. # PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
  744. #
  745. # NOTE: In order to whitelist a pathname, or use the asterisk option,
  746. # the 'lsof' command must be present.
  747. #
  748. #PORT_WHITELIST=""
  749. #
  750. # The following option can be used to tell rkhunter where the operating
  751. # system 'release' file is located. This file contains information
  752. # specifying the current O/S version. RKH will store this information
  753. # itself, and check to see if it has changed between each run. If it has
  754. # changed, then the user is warned that RKH may issue warning messages
  755. # until RKH has been run with the '--propupd' option.
  756. #
  757. # Since the contents of the file vary according to the O/S distribution,
  758. # RKH will perform different actions when it detects the file itself. As
  759. # such, this option should not be set unless necessary. If this option is
  760. # specified, then RKH will assume the O/S release information is on the
  761. # first non-blank line of the file.
  762. #
  763. #OS_VERSION_FILE="/etc/debian_version"
  764. #
  765. # The following two options can be used to whitelist files and directories
  766. # that would normally be flagged with a warning during the various rootkit
  767. # and malware checks. If the file or directory name contains a space, then
  768. # the percent character ('%') must be used instead. Only existing files and
  769. # directories can be specified, and these must be full pathnames not links.
  770. #
  771. # Additionally, the RTKT_FILE_WHITELIST option may include a string after the
  772. # file name (separated by a colon). This will then only whitelist that string
  773. # in that file (as part of the malware checks). For example:
  774. #
  775. # RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
  776. #
  777. # If the option list includes the filename on its own as well, then the file
  778. # will be whitelisted from rootkit checks of the files existence, but still
  779. # only the specific string within the file will be whitelisted. For example:
  780. #
  781. # RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
  782. #
  783. # To whitelist a file from the existence checks, but not from the strings
  784. # checks, then include the filename on its own and on its own but with
  785. # just a colon appended. For example:
  786. #
  787. # RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
  788. #
  789. # NOTE: It is recommended that if you whitelist any files, then you include
  790. # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
  791. # configuration option.
  792. #
  793. # These are space-separated lists of file and directory pathnames.
  794. # The options may be specified more than once.
  795. #
  796. #RTKT_DIR_WHITELIST=""
  797. #RTKT_FILE_WHITELIST=""
  798. #
  799. # The following option can be used to whitelist shared library files that would
  800. # normally be flagged with a warning during the preloaded shared library check.
  801. # These library pathnames usually exist in the '/etc/ld.so.preload' file or in
  802. # the LD_PRELOAD environment variable.
  803. #
  804. # NOTE: It is recommended that if you whitelist any files, then you include
  805. # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
  806. # configuration option.
  807. #
  808. # This is a space-separated list of library pathnames.
  809. # The option may be specified more than once.
  810. #
  811. #SHARED_LIB_WHITELIST="/lib/snoopy.so"
  812. #
  813. # To force rkhunter to use the supplied script for the 'stat' or 'readlink'
  814. # command, then the following two options can be used. The value must be
  815. # set to 'BUILTIN'.
  816. #
  817. # NOTE: IRIX users will probably need to enable STAT_CMD.
  818. #
  819. #STAT_CMD=BUILTIN
  820. #READLINK_CMD=BUILTIN
  821. #
  822. # In the file properties test any modification date/time is displayed as the
  823. # number of epoch seconds. Rkhunter will try and use the 'date' command, or
  824. # failing that the 'perl' command, to display the date and time in a
  825. # human-readable format as well. This option may be used if some other command
  826. # should be used instead. The given command must understand the '%s' and
  827. # 'seconds ago' options found in the GNU date command.
  828. #
  829. # A value of 'NONE' may be used to request that only the epoch seconds be shown.
  830. # A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
  831. # it is present.
  832. #
  833. #EPOCH_DATE_CMD=""
  834. #
  835. # This setting tells rkhunter the directory containing the available
  836. # Linux kernel modules. This setting will be worked out by rkhunter,
  837. # and so should not usually need to be set.
  838. #
  839. #MODULES_DIR=""
  840. #
  841. # The following option can be set to a command which rkhunter will use when
  842. # downloading files from the Internet - that is, when the '--update' or
  843. # '--versioncheck' option is used. The command can take options.
  844. #
  845. # This allows the user to use a command other than the one automatically
  846. # selected by rkhunter, but still one which it already knows about.
  847. # For example:
  848. #
  849. # WEB_CMD=curl
  850. #
  851. # Alternatively, the user may specify a completely new command. However, note
  852. # that rkhunter expects the downloaded file to be written to stdout, and that
  853. # everything written to stderr is ignored. For example:
  854. #
  855. # WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
  856. #
  857. # *BSD users may want to use the 'ftp' command, provided that it supports
  858. # the HTTP protocol:
  859. #
  860. # WEB_CMD="ftp -o -"
  861. #
  862. #WEB_CMD=""
  863. #
  864. # Set the following option to 0 if you do not want to receive a warning if
  865. # any O/S information has changed since the last run of 'rkhunter --propupd'.
  866. # The warnings occur during the file properties check. The default is to
  867. # issue a warning if something has changed.
  868. #
  869. #WARN_ON_OS_CHANGE=1
  870. #
  871. # Set the following option to 1 if you want rkhunter to automatically run
  872. # a file properties update ('--propupd') if the O/S has changed. Detection
  873. # of an O/S change occurs during the file properties check. The default is
  874. # not to do an automatic update.
  875. #
  876. # WARNING: Only set this option if you are sure that the update will work
  877. # correctly. That is, that the database directory is writeable, that a valid
  878. # hash function is available, and so on. This can usually be checked simply
  879. # by running 'rkhunter --propupd' at least once.
  880. #
  881. #UPDT_ON_OS_CHANGE=0
  882. #
  883. # Set the following option to 1 if locking is to be used when rkhunter runs.
  884. # The lock is set just before logging starts, and is removed when the program
  885. # ends. It is used to prevent items such as the log file, and the file
  886. # properties file, from becoming corrupted if rkhunter is running more than
  887. # once. The mechanism used is to simply create a lock file in the TMPDIR
  888. # directory. If the lock file already exists, because rkhunter is already
  889. # running, then the current process simply loops around sleeping for 10 seconds
  890. # and then retrying the lock.
  891. #
  892. # The default is not to use locking.
  893. #
  894. USE_LOCKING=0
  895. #
  896. # If locking is used, then rkhunter may have to wait to get the lock file.
  897. # This option sets the total amount of time, in seconds, that rkhunter should
  898. # wait. It will retry the lock every 10 seconds, until either it obtains the
  899. # lock or the timeout value has been reached. If no value is set, then a
  900. # default of 300 seconds (5 minutes) is used.
  901. #
  902. LOCK_TIMEOUT=300
  903. #
  904. # If locking is used, then rkhunter may be doing nothing for some time if it
  905. # has to wait for the lock. Some simple messages are echo'd to the users screen
  906. # to let them know that rkhunter is waiting for the lock. Set this option to 0
  907. # if the messages are not to be displayed. The default is to show them.
  908. #
  909. SHOW_LOCK_MSGS=1
  910. #
  911. # If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
  912. # will search (on a per rootkit basis) for filenames in all of the directories (as defined
  913. # by the result of running 'find / -xdev'). While still not optimal, as it
  914. # still searches for only file names as opposed to file contents, this is one step away
  915. # from the rigidity of searching in known (evidence) or default (installation) locations.
  916. #
  917. # THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
  918. #
  919. # You should only activate this feature as part of a more thorough investigation which
  920. # should be based on relevant best practices and procedures.
  921. #
  922. # Enabling this feature implies you have the knowledge to interpret the results properly.
  923. #
  924. #SCANROOTKITMODE=THOROUGH
  925. #
  926. # The following option can be set to the name(s) of the tests the 'unhide' command is
  927. # to use. In order to maintain compatibility with older versions of 'unhide', this
  928. # option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but
  929. # will only take effect when they are seen. The test names are a space-separated list,
  930. # and will be executed in the order given.
  931. #
  932. #UNHIDE_TESTS="sys"
  933. #
  934. # If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it
  935. # is possible to disable the execution of one of the programs if desired. By default
  936. # rkhunter will look for both programs, and execute each of them as they are found.
  937. # If the value of this option is 0, then both programs will be executed if they are
  938. # present. A value of 1 will disable execution of the C 'unhide' program, and a value
  939. # of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable
  940. # both programs, then disable the 'hidden_procs' test.
  941. #
  942. DISABLE_UNHIDE=1
  943. INSTALLDIR="/usr"