stretch.conf.j2 45 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263
  1. {% if ansible_prolog -%}
  2. {% from 'templates/ansible/prolog.j2' import prolog with context %}
  3. {{ prolog() }}
  4. {% endif -%}
  5. #
  6. # This is the main configuration file for Rootkit Hunter.
  7. #
  8. # You can modify this file directly, or you can create a local configuration
  9. # file. The local file must be named 'rkhunter.conf.local', and must reside
  10. # in the same directory as this file. Alternatively you can create a directory,
  11. # named 'rkhunter.d', which also must be in the same directory as this
  12. # configuration file. Within the 'rkhunter.d' directory you can place further
  13. # configuration files. There is no restriction on the file names used, other
  14. # than they must end in '.conf'.
  15. #
  16. # Please modify the configuration file(s) to your own requirements. It is
  17. # recommended that the command 'rkhunter -C' is run after any changes have
  18. # been made.
  19. #
  20. # Please review the documentation before posting bug reports or questions.
  21. # To report bugs, obtain updates, or provide patches or comments, please go
  22. # to: http://rkhunter.sourceforge.net
  23. #
  24. # To ask questions about rkhunter, please use the 'rkhunter-users' mailing list.
  25. # Note that this is a moderated list, so please subscribe before posting.
  26. #
  27. # In the configuration files, lines beginning with a hash (#), and blank lines,
  28. # are ignored. Also, end-of-line comments are not supported.
  29. #
  30. # Any of the configuration options may appear more than once. However, several
  31. # options only take one value, and so the last one seen will be used. Some
  32. # options are allowed to appear more than once, and the text describing the
  33. # option will say if this is so. These configuration options will, in effect,
  34. # have their values concatenated together. To delete a previously specified
  35. # option list, specify the option with no value (that is, a null string).
  36. #
  37. # Some of the options are space-separated lists, others, typically those
  38. # specifying pathnames, are newline-separated lists. These must be entered
  39. # as one item per line. Quotes must not be used to surround the pathname.
  40. #
  41. # For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an
  42. # option: XXX=/tmp/abc (correct)
  43. # XXX=/tmp/xyz
  44. #
  45. # XXX="/tmp/abc" (incorrect)
  46. # XXX="/tmp/xyz"
  47. #
  48. # XXX=/tmp/abc /tmp/xyz (incorrect)
  49. # or XXX="/tmp/abc /tmp/xyz" (incorrect)
  50. # or XXX="/tmp/abc" "/tmp/xyz" (incorrect)
  51. #
  52. # The last three examples are being configured as space-separated lists,
  53. # which is incorrect, generally, for options specifying pathnames. They
  54. # should be configured with one entry per line as in the first example.
  55. #
  56. # If wildcard characters (globbing) are allowed for an option, then the
  57. # text describing the option will say so.
  58. #
  59. # Space-separated lists may be enclosed by quotes, although they are not
  60. # required. If they are used, then they must only appear at the start and
  61. # end of the list, not in the middle.
  62. #
  63. # For example: XXX=abc def gh (correct)
  64. # XXX="abc def gh" (correct)
  65. # XXX="abc" "def" "gh" (incorrect)
  66. #
  67. # Space-separated lists may also be entered simply as one entry per line.
  68. #
  69. # For example: XXX=abc (correct)
  70. # XXX=def
  71. # XXX="gh"
  72. #
  73. # If a configuration option is never set, then the program will assume a
  74. # default value. The text describing the option will state the default value.
  75. # If there is no default, then rkhunter will calculate a value or pathname
  76. # to use.
  77. #
  78. #
  79. # If this option is set to '1', it specifies that the mirrors file
  80. # ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
  81. # options are used, is to be rotated. Rotating the entries in the file allows
  82. # a basic form of load-balancing between the mirror sites whenever the above
  83. # options are used.
  84. #
  85. # If the option is set to '0', then the mirrors will be treated as if in a
  86. # priority list. That is, the first mirror listed will always be used first.
  87. # The second mirror will only be used if the first mirror fails, the third
  88. # mirror will only be used if the second mirror fails, and so on.
  89. #
  90. # If the mirrors file is read-only, then the '--versioncheck' command-line
  91. # option can only be used if this option is set to '0'.
  92. #
  93. # The default value is '1'.
  94. #
  95. #ROTATE_MIRRORS=1
  96. #
  97. # If this option is set to '1', it specifies that when the '--update' option is
  98. # used, then the mirrors file is to be checked for updates as well. If the
  99. # current mirrors file contains any local mirrors, these will be prepended to
  100. # the updated file. If this option is set to '0', the mirrors file can only be
  101. # updated manually. This may be useful if only using local mirrors.
  102. #
  103. # The default value is '1'.
  104. #
  105. #UPDATE_MIRRORS=1
  106. #
  107. # The MIRRORS_MODE option tells rkhunter which mirrors are to be used when
  108. # the '--update' or '--versioncheck' command-line options are given.
  109. # Possible values are:
  110. # 0 - use any mirror
  111. # 1 - only use local mirrors
  112. # 2 - only use remote mirrors
  113. #
  114. # Local and remote mirrors can be defined in the mirrors file by using the
  115. # 'local=' and 'remote=' keywords respectively.
  116. #
  117. # The default value is '0'.
  118. #
  119. #MIRRORS_MODE=0
  120. #
  121. # Email a message to this address if a warning is found when the system is
  122. # being checked. Multiple addresses may be specified simply be separating
  123. # them with a space. To disable the option, simply set it to the null string
  124. # or comment it out.
  125. #
  126. # The option may be specified more than once.
  127. #
  128. # The default value is the null string.
  129. #
  130. # Also see the MAIL_CMD option.
  131. #
  132. #MAIL-ON-WARNING=root
  133. #
  134. # This option specifies the mail command to use if MAIL-ON-WARNING is set.
  135. #
  136. # NOTE: Double quotes are not required around the command, but are required
  137. # around the subject line if it contains spaces.
  138. #
  139. # The default is to use the 'mail' command, with a subject line
  140. # of '[rkhunter] Warnings found for ${HOST_NAME}'.
  141. #
  142. #MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
  143. #
  144. # This option specifies the directory to use for temporary files.
  145. #
  146. # NOTE: Do not use '/tmp' as your temporary directory. Some important files
  147. # will be written to this directory, so be sure that the directory permissions
  148. # are secure.
  149. #
  150. # The installer program will set the default directory. If this default is
  151. # subsequently commented out or removed, then the program will assume a
  152. # default directory beneath the installation directory.
  153. #
  154. TMPDIR=/var/lib/rkhunter/tmp
  155. #
  156. # This option specifies the database directory to use.
  157. #
  158. # The installer program will set the default directory. If this default is
  159. # subsequently commented out or removed, then the program will assume a
  160. # default directory beneath the installation directory.
  161. #
  162. DBDIR=/var/lib/rkhunter/db
  163. #
  164. # This option specifies the script directory to use.
  165. #
  166. # The installer program will set the default directory. If this default is
  167. # subsequently commented out or removed, then the program will not run.
  168. #
  169. SCRIPTDIR=/usr/share/rkhunter/scripts
  170. #
  171. # This option can be used to modify the command directory list used by rkhunter
  172. # to locate commands (that is, its PATH). By default this will be the root PATH,
  173. # and an internal list of some common command directories.
  174. #
  175. # Any directories specified here will, by default, be appended to the default
  176. # list. However, if a directory name begins with the '+' character, then that
  177. # directory will be prepended to the list (that is, it will be put at the start
  178. # of the list).
  179. #
  180. # This is a space-separated list of directory names. The option may be
  181. # specified more than once.
  182. #
  183. # The default value is based on the root account PATH environment variable.
  184. #
  185. #BINDIR=/bin /usr/bin /sbin /usr/sbin
  186. #BINDIR=+/usr/local/bin +/usr/local/sbin
  187. #
  188. # This option specifies the default language to use. This should be similar to
  189. # the ISO 639 language code.
  190. #
  191. # NOTE: Please ensure that the language you specify is supported.
  192. # For a list of supported languages use the following command:
  193. #
  194. # rkhunter --lang en --list languages
  195. #
  196. # The default language is 'en' (English).
  197. #
  198. #LANGUAGE=en
  199. #
  200. # This option is a space-separated list of the languages that are to be updated
  201. # when the '--update' option is used. If unset, then all the languages will be
  202. # updated. If none of the languages are to be updated, then set this option to
  203. # just 'en'.
  204. #
  205. # The default language, specified by the LANGUAGE option, and the English (en)
  206. # language file will always be updated regardless of this option.
  207. #
  208. # This option may be specified more than once.
  209. #
  210. # The default value is the null string, indicating that all the language files
  211. # will be updated.
  212. #
  213. #UPDATE_LANG=""
  214. #
  215. # This option specifies the log file pathname. The file will be created if it
  216. # does not initially exist. If the option is unset, then the program will
  217. # display a message each time it is run saying that the default value is being
  218. # used.
  219. #
  220. # The default value is '/var/log/rkhunter.log'.
  221. #
  222. LOGFILE=/var/log/rkhunter.log
  223. #
  224. # Set this option to '1' if the log file is to be appended to whenever rkhunter
  225. # is run. A value of '0' will cause a new log file to be created whenever the
  226. # program is run.
  227. #
  228. # The default value is '0'.
  229. #
  230. #APPEND_LOG=0
  231. #
  232. # Set the following option to '1' if the log file is to be copied when rkhunter
  233. # finishes and an error or warning has occurred. The copied log file name will
  234. # be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format).
  235. # For example: rkhunter.log.2009-04-21_00:57:51
  236. # If the option value is '0', then the log file will not be copied regardless
  237. # of whether any errors or warnings occurred.
  238. #
  239. # The default value is '0'.
  240. #
  241. #COPY_LOG_ON_ERROR=0
  242. #
  243. # Set the following option to enable the rkhunter check start and finish times
  244. # to be logged by syslog. Warning messages will also be logged. The value of
  245. # the option must be a standard syslog facility and priority, separated by a
  246. # dot. For example:
  247. #
  248. # USE_SYSLOG=authpriv.warning
  249. #
  250. # Setting the value to 'none', or just leaving the option commented out,
  251. # disables the use of syslog.
  252. #
  253. # The default value is not to use syslog.
  254. #
  255. #USE_SYSLOG=authpriv.warning
  256. #
  257. # Set the following option to '1' if the second colour set is to be used. This
  258. # can be useful if your screen uses black characters on a white background
  259. # (for example, a PC instead of a server). A value of '0' will cause the default
  260. # colour set to be used.
  261. #
  262. # The default value is '0'.
  263. #
  264. #COLOR_SET2=0
  265. #
  266. # Set the following option to '0' if rkhunter should not detect if X is being
  267. # used. If X is detected as being used, then the second colour set will
  268. # automatically be used. If set to '1', then the use of X will be detected.
  269. #
  270. # The default value is '0'.
  271. #
  272. AUTO_X_DETECT=1
  273. #
  274. # Set the following option to '1' if it is wanted that any 'Whitelisted' results
  275. # are shown in white rather than green. For colour set 2 users, setting this
  276. # option will cause the result to be shown in black. Setting the option to '0'
  277. # causes whitelisted results to be displayed in green.
  278. #
  279. # The default value is '0'.
  280. #
  281. #WHITELISTED_IS_WHITE=0
  282. #
  283. # The following option is checked against the SSH configuration file
  284. # 'PermitRootLogin' option. A warning will be displayed if they do not match.
  285. # However, if a value has not been set in the SSH configuration file, then a
  286. # value here of 'unset' can be used to avoid warning messages.
  287. #
  288. # The default value is 'no'.
  289. #
  290. ALLOW_SSH_ROOT_USER=without-password
  291. #
  292. # Set this option to '1' to allow the use of the SSH-1 protocol, but note
  293. # that theoretically it is weaker, and therefore less secure, than the
  294. # SSH-2 protocol. Do not modify this option unless you have good reasons
  295. # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
  296. # authentication). If the 'Protocol' option has not been set in the SSH
  297. # configuration file, then a value of '2' may be set here in order to
  298. # suppress a warning message. A value of '0' indicates that the use of
  299. # SSH-1 is not allowed.
  300. #
  301. # The default value is '0'.
  302. #
  303. #ALLOW_SSH_PROT_V1=0
  304. #
  305. # This setting tells rkhunter the directory containing the SSH configuration
  306. # file. This setting will be worked out by rkhunter, and so should not
  307. # usually need to be set.
  308. #
  309. # This option has no default value.
  310. #
  311. #SSH_CONFIG_DIR=/etc/ssh
  312. #
  313. # These two options determine which tests are to be performed. The ENABLE_TESTS
  314. # option can use the word 'all' to refer to all of the available tests. The
  315. # DISABLE_TESTS option can use the word 'none' to mean that no tests are
  316. # disabled. The list of disabled tests is applied to the list of enabled tests.
  317. #
  318. # Both options are space-separated lists of test names, and both options may
  319. # be specified more than once. The currently available test names can be seen
  320. # by using the command 'rkhunter --list tests'.
  321. #
  322. # The supplied configuration file has some tests already disabled, and these
  323. # are tests that will be used only occasionally, can be considered 'advanced'
  324. # or that are prone to produce more than the average number of false-positives.
  325. #
  326. # Please read the README file for more details about enabling and disabling
  327. # tests, the test names, and how rkhunter behaves when these options are used.
  328. #
  329. # The default values are to enable all tests and to disable none. However, if
  330. # either of the options below are specified, then they will override the
  331. # program defaults.
  332. #
  333. # hidden_procs test requires the unhide and/or unhide.rb commands which are
  334. # part of the unhide respectively unhide.rb packages in Debian.
  335. #
  336. # apps test is disabled by default as it triggers warnings about outdated
  337. # applications (and warns about possible security risk: we better trust
  338. # the Debian Security Team).
  339. #
  340. ENABLE_TESTS=all
  341. {% set disable_tests = [] %}
  342. {% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'guest' -%}
  343. {% if disable_tests.append('os_specific') %}{% endif %}
  344. {%- endif %}
  345. {% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'host' -%}
  346. {% if disable_tests.append('promisc') %}{% endif %}
  347. {%- endif %}
  348. DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps {{ disable_tests|join(' ') }}
  349. #
  350. # The HASH_CMD option can be used to specify the command to use for the file
  351. # properties hash value check. It can be specified as just the command name or
  352. # the full pathname. If just the command name is given, and it is one of MD5,
  353. # SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the
  354. # relevant command, such as 'sha256sum', and then for 'sha256'. If neither of
  355. # these are found, it will then look to see if a perl module has been installed
  356. # which will support the relevant hash function. To see which perl modules have
  357. # been installed use the command 'rkhunter --list perl'.
  358. #
  359. # Systems using prelinking are restricted to using either the SHA1 or MD5
  360. # function.
  361. #
  362. # A value of 'NONE' (in uppercase) can be specified to indicate that no hash
  363. # function should be used. Rkhunter will detect this, and automatically disable
  364. # the file properties hash check test.
  365. #
  366. # Examples:
  367. # For Solaris 9 : HASH_CMD=gmd5sum
  368. # For Solaris 10: HASH_CMD=sha1sum
  369. # For AIX (>5.2): HASH_CMD="csum -hMD5"
  370. # For NetBSD : HASH_CMD="cksum -a sha512"
  371. #
  372. # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
  373. #
  374. # The default value is the SHA1 function, or MD5 if SHA1 cannot be found.
  375. #
  376. # Also see the HASH_FLD_IDX option.
  377. #
  378. HASH_CMD=sha256sum
  379. #
  380. # The HASH_FLD_IDX option specifies which field from the HASH_CMD command
  381. # output contains the hash value. The fields are assumed to be space-separated.
  382. #
  383. # The option value must be an integer greater than zero.
  384. #
  385. # The default value is '1', but for *BSD users rkhunter will, by default, use a
  386. # value of '4' if the HASH_CMD option has not been set.
  387. #
  388. #HASH_FLD_IDX=4
  389. #
  390. # The PKGMGR option tells rkhunter to use the specified package manager to
  391. # obtain the file property information. This is used when updating the file
  392. # properties file ('rkhunter.dat'), and when running the file properties check.
  393. # For RedHat/RPM-based systems, 'RPM' can be used to get information from the
  394. # RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems
  395. # 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value,
  396. # or a value of 'NONE', indicates that no package manager is to be used.
  397. #
  398. # The current package managers, except 'SOLARIS', store the file hash values
  399. # using an MD5 hash function. The Solaris package manager includes a checksum
  400. # value, but this is not used by default (see USE_SUNSUM below).
  401. #
  402. # The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
  403. # The 'RPM' package manager additionally provides values for the inode,
  404. # file permissions, uid, gid and other values. The 'SOLARIS' also provides
  405. # most of the values, similar to 'RPM', but not the inode number.
  406. #
  407. # For any file not part of a package, rkhunter will revert to using the
  408. # HASH_CMD hash function instead.
  409. #
  410. # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
  411. #
  412. # The default value is 'NONE'.
  413. #
  414. # Also see the PKGMGR_NO_VRFY and USE_SUNSUM options.
  415. #
  416. # NONE is the default for Debian as well, as running --propupd takes
  417. # about 4 times longer when it's set to DPKG
  418. #
  419. #PKGMGR=NONE
  420. #
  421. # It is possible that a file, which is part of a package, may have been
  422. # modified by the administrator. Typically this occurs for configuration
  423. # files. However, the package manager may list the file as being modified.
  424. # For the RPM package manager this may well depend on how the package was
  425. # built. This option specifies a pathname which is to be exempt from the
  426. # package manager verification process, and which will be treated
  427. # as a non-packaged file. As such, the file properties are still checked.
  428. #
  429. # This option only takes effect if the PKGMGR option has been set, and
  430. # is not 'NONE'.
  431. #
  432. # This option may be specified more than once.
  433. #
  434. # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
  435. #
  436. # The default value is the null string.
  437. #
  438. #PKGMGR_NO_VRFY=""
  439. #
  440. # If the 'SOLARIS' package manager is used, then it is possible to use the
  441. # checksum (hash) value stored for a file. However, this is only a 16-bit
  442. # checksum, and as such is not nearly as secure as, for example, a SHA-2 value.
  443. # If the option is set to '0', then the checksum is not used and the hash
  444. # function given by HASH_CMD is used instead. To enable this option, set its
  445. # value to '1'. The Solaris 'sum' command must be present on the system if this
  446. # option is used.
  447. #
  448. # The default value is '0'.
  449. #
  450. #USE_SUNSUM=0
  451. #
  452. # This option can be used to tell rkhunter to ignore any prelink dependency
  453. # errors for the given commands. However, a warning will also be issued if the
  454. # error does not occur for a given command. As such this option must only be
  455. # used on commands which experience a persistent problem.
  456. #
  457. # Short-term prelink dependency errors can usually be resolved simply by
  458. # running the 'prelink' command on the given pathname.
  459. #
  460. # This is a space-separated list of command pathnames. The option can be
  461. # specified more than once.
  462. #
  463. # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
  464. #
  465. # The default value is the null string.
  466. #
  467. #IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top
  468. #
  469. # These options specify a command, directory or file pathname which will be
  470. # included or excluded in the file properties checks.
  471. #
  472. # For the USER_FILEPROP_FILES_DIRS option, simple command names - for example,
  473. # 'top' - and directory names are added to the internal list of directories to
  474. # be searched for each of the command names in the command list. Additionally,
  475. # full pathnames to files, which need not be commands, may be given. Any files
  476. # or directories which are already part of the internal lists will be silently
  477. # ignored from the configuration.
  478. #
  479. # For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for
  480. # simple command names.
  481. # For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
  482. #
  483. # Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS
  484. # option. Wildcards may be used with this option.
  485. #
  486. # By combining these two options, and using wildcards, whole directories can be
  487. # excluded. For example:
  488. #
  489. # USER_FILEPROP_FILES_DIRS=/etc/*
  490. # USER_FILEPROP_FILES_DIRS=/etc/*/*
  491. # EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/*
  492. #
  493. # This will look for files in the first two directory levels of '/etc'. However,
  494. # anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be
  495. # excluded.
  496. #
  497. # NOTE: Only files and directories which have been added by the user, and are
  498. # not part of the internal lists, can be excluded. So, for example, it is not
  499. # possible to exclude the 'ps' command by using '/bin/ps'. These will be
  500. # silently ignored from the configuration.
  501. #
  502. # Both options can be specified more than once.
  503. #
  504. # NOTE: Whenever these options are changed 'rkhunter --propupd' must be run.
  505. #
  506. # The default value for both options is the null string.
  507. #
  508. #USER_FILEPROP_FILES_DIRS=top
  509. #USER_FILEPROP_FILES_DIRS=/usr/local/sbin
  510. #USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
  511. #USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
  512. #USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/*
  513. #USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/*
  514. #EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps*
  515. #EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat
  516. #EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter*
  517. #
  518. # This option whitelists files and directories from existing, or not existing,
  519. # on the system at the time of testing. This option is used when the
  520. # configuration file options themselves are checked, and during the file
  521. # properties check, the hidden files and directories checks, and the filesystem
  522. # check of the '/dev' directory.
  523. #
  524. # This option may be specified more than once, and may use wildcards.
  525. # Be aware though that this is probably not what you want to do as the
  526. # wildcarding will be expanded after files have been deleted. As such
  527. # deleted files won't be whitelisted if wildcarded.
  528. #
  529. # NOTE: The user must take into consideration how often the file will appear
  530. # and disappear from the system in relation to how often rkhunter is run. If
  531. # the file appears, and disappears, too often then rkhunter may not notice
  532. # this. All it will see is that the file has changed. The inode-number and DTM
  533. # will certainly be different for each new file, and rkhunter will report this.
  534. #
  535. # The default value is the null string.
  536. #
  537. #EXISTWHITELIST=""
  538. #
  539. # Whitelist various attributes of the specified file. The attributes are those
  540. # of the 'attributes' test. Specifying a file name here does not include it
  541. # being whitelisted for the write permission test (see below).
  542. #
  543. # This option may be specified more than once, and may use wildcard characters.
  544. #
  545. # The default value is the null string.
  546. #
  547. #ATTRWHITELIST=/usr/bin/date
  548. #
  549. # Allow the specified file to have the 'others' (world) permission have the
  550. # write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx.
  551. #
  552. # This option may be specified more than once, and may use wildcard characters.
  553. #
  554. # The default value is the null string.
  555. #
  556. #WRITEWHITELIST=/usr/bin/date
  557. #
  558. # Allow the specified file to be a script.
  559. #
  560. # This option may be specified more than once, and may use wildcard characters.
  561. #
  562. # The default value is the null string.
  563. #
  564. SCRIPTWHITELIST=/bin/egrep
  565. SCRIPTWHITELIST=/bin/fgrep
  566. SCRIPTWHITELIST=/bin/which
  567. SCRIPTWHITELIST=/usr/bin/ldd
  568. #SCRIPTWHITELIST=/usr/bin/lwp-request
  569. SCRIPTWHITELIST=/usr/sbin/adduser
  570. #SCRIPTWHITELIST=/usr/sbin/prelink
  571. #SCRIPTWHITELIST=/usr/sbin/unhide.rb
  572. #
  573. # Allow the specified file to have the immutable attribute set.
  574. #
  575. # This option may be specified more than once, and may use wildcard characters.
  576. #
  577. # The default value is the null string.
  578. #
  579. #IMMUTWHITELIST=/sbin/ifdown
  580. #
  581. # If this option is set to '1', then the immutable-bit test is reversed. That
  582. # is, the files are expected to have the bit set. A value of '0' means that the
  583. # immutable-bit should not be set.
  584. #
  585. # The default value is '0'.
  586. #
  587. #IMMUTABLE_SET=0
  588. #
  589. # Allow the specified hidden directory to be whitelisted.
  590. #
  591. # This option may be specified more than once, and may use wildcard characters.
  592. #
  593. # The default value is the null string.
  594. #
  595. ALLOWHIDDENDIR=/etc/.java
  596. ALLOWHIDDENDIR=/etc/.git
  597. #ALLOWHIDDENDIR=/dev/.lxc
  598. #
  599. # Allow the specified hidden file to be whitelisted.
  600. #
  601. # This option may be specified more than once, and may use wildcard characters.
  602. #
  603. # The default value is the null string.
  604. #
  605. #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
  606. #ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
  607. #ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
  608. #ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
  609. #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
  610. #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
  611. #ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
  612. #ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
  613. #ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
  614. ALLOWHIDDENFILE=/etc/.gitignore
  615. #ALLOWHIDDENFILE=/etc/.bzrignore
  616. ALLOWHIDDENFILE=/etc/.etckeeper
  617. #
  618. # Allow the specified process to use deleted files. The process name may be
  619. # followed by a colon-separated list of full pathnames. The process will then
  620. # only be whitelisted if it is using one of the given files. For example:
  621. #
  622. # ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
  623. #
  624. # This option may be specified more than once. It may also use wildcards, but
  625. # only in the file names.
  626. #
  627. # The default value is the null string.
  628. #
  629. #ALLOWPROCDELFILE=/sbin/cardmgr
  630. #ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
  631. #ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
  632. #ALLOWPROCDELFILE=/usr/lib/iceweasel/iceweasel
  633. #ALLOWPROCDELFILE=/usr/bin/file-roller
  634. #
  635. # Allow the specified process to listen on any network interface.
  636. #
  637. # This option may be specified more than once, and may use wildcard characters.
  638. #
  639. # The default value is the null string.
  640. #
  641. #ALLOWPROCLISTEN=/sbin/dhclient
  642. #ALLOWPROCLISTEN=/usr/bin/dhcpcd
  643. #ALLOWPROCLISTEN=/usr/sbin/tcpdump
  644. #ALLOWPROCLISTEN=/usr/sbin/snort-plain
  645. #
  646. # Allow the specified network interfaces to be in promiscuous mode.
  647. #
  648. # This is a space-separated list of interface names. The option may be
  649. # specified more than once.
  650. #
  651. # The default value is the null string.
  652. #
  653. #ALLOWPROMISCIF=eth0
  654. #
  655. # This option specifies how rkhunter should scan the '/dev' directory for
  656. # suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'.
  657. #
  658. # A THOROUGH scan will increase the overall runtime of rkhunter. Despite this,
  659. # it is highly recommended that this value is used.
  660. #
  661. # The default value is 'THOROUGH'.
  662. #
  663. # Also see the ALLOWDEVFILE option.
  664. #
  665. #SCAN_MODE_DEV=THOROUGH
  666. #
  667. # Allow the specified file to be present in the '/dev' directory, and not
  668. # regarded as suspicious.
  669. #
  670. # This option may be specified more than once, and may use wildcard characters.
  671. #
  672. # The default value is the null string.
  673. #
  674. #ALLOWDEVFILE=/dev/shm/pulse-shm-*
  675. #ALLOWDEVFILE=/dev/shm/sem.ADBE_*
  676. ALLOWDEVFILE=/dev/shm/PostgreSQL.*
  677. #
  678. # This option is used to indicate if the Phalanx2 test is to perform a basic
  679. # check, or a more thorough check. If the option is set to '0', then a basic
  680. # check is performed. If it is set to '1', then all the directories in the
  681. # '/etc' and '/usr' directories are scanned.
  682. #
  683. # NOTE: Setting this option to '1' will cause the test to take longer
  684. # to complete.
  685. #
  686. # The default value is '0'.
  687. #
  688. #PHALANX2_DIRTEST=0
  689. #
  690. # This option tells rkhunter where the inetd configuration file is located.
  691. #
  692. # The default value is the null string.
  693. #
  694. #INETD_CONF_PATH=/etc/inetd.conf
  695. #
  696. # This option allows the specified enabled inetd services.
  697. #
  698. # This is a space-separated list of service names. The option may be specified
  699. # more than once.
  700. #
  701. # For non-Solaris users the simple service name should be used.
  702. # For example:
  703. #
  704. # INETD_ALLOWED_SVC=echo
  705. #
  706. # For Solaris 9 users the simple service name should also be used, but
  707. # if it is an RPC service, then the executable pathname should be used.
  708. # For example:
  709. #
  710. # INETD_ALLOWED_SVC=imaps
  711. # INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd
  712. #
  713. # For Solaris 10 users the service/FMRI name should be used. For example:
  714. #
  715. # INETD_ALLOWED_SVC=/network/rpc/meta
  716. # INETD_ALLOWED_SVC=/network/rpc/metamed
  717. # INETD_ALLOWED_SVC=/application/font/stfsloader
  718. # INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
  719. #
  720. # The default value is the null string.
  721. #
  722. #INETD_ALLOWED_SVC=echo
  723. #
  724. # This option tells rkhunter where the xinetd configuration file is located.
  725. #
  726. # The default value is the null string.
  727. #
  728. #XINETD_CONF_PATH=/etc/xinetd.conf
  729. #
  730. # This option allows the specified enabled xinetd services. Whilst it would be
  731. # nice to use the service names themselves, at the time of testing we only have
  732. # the pathname available. As such, these entries are the xinetd file pathnames.
  733. #
  734. # This is a space-separated list of service names. The option may be specified
  735. # more than once.
  736. #
  737. # The default value is the null string.
  738. #
  739. #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
  740. #
  741. # This option tells rkhunter the local system startup file pathnames. The
  742. # directories will be searched for files. By default rkhunter will try and
  743. # determine were the startup files are located. If the option is set to 'NONE',
  744. # then certain tests will be skipped.
  745. #
  746. # This is a space-separated list of file and directory pathnames. The option
  747. # may be specified more than once, and may use wildcard characters.
  748. #
  749. # This option has no default value.
  750. #
  751. #STARTUP_PATHS=/etc/init.d /etc/rc.local
  752. #
  753. # This option tells rkhunter the pathname to the file containing the user
  754. # account passwords. This setting will be worked out by rkhunter, and so
  755. # should not usually need to be set. Users of TCB shadow files should not
  756. # set this option.
  757. #
  758. # This option has no default value.
  759. #
  760. #PASSWORD_FILE=/etc/shadow
  761. #
  762. # This option allows the specified accounts to be root equivalent. These
  763. # accounts will have a UID value of zero. The 'root' account does not need
  764. # to be listed as it is automatically whitelisted.
  765. #
  766. # This is a space-separated list of account names. The option may be specified
  767. # more than once.
  768. #
  769. # NOTE: For *BSD systems you will probably need to use this option for the
  770. # 'toor' account.
  771. #
  772. # The default value is the null string.
  773. #
  774. #UID0_ACCOUNTS=toor rooty sashroot
  775. #
  776. # This option allows the specified accounts to have no password. NIS/YP entries
  777. # do not need to be listed as they are automatically whitelisted.
  778. #
  779. # This is a space-separated list of account names. The option may be specified
  780. # more than once.
  781. #
  782. # The default value is the null string.
  783. #
  784. #PWDLESS_ACCOUNTS=abc
  785. #
  786. # This option tells rkhunter the pathname to the syslog configuration file.
  787. # This setting will be worked out by rkhunter, and so should not usually need
  788. # to be set. A value of 'NONE' can be used to indicate that there is no
  789. # configuration file, but that the syslog daemon process may be running.
  790. #
  791. # This is a space-separated list of pathnames. The option may be specified
  792. # more than once.
  793. #
  794. # This option has no default value.
  795. #
  796. #SYSLOG_CONFIG_FILE=/etc/syslog.conf
  797. #
  798. # If this option is set to '1', then the use of syslog remote logging is
  799. # permitted. A value of '0' disallows the use of remote logging.
  800. #
  801. # The default value is '0'.
  802. #
  803. #ALLOW_SYSLOG_REMOTE_LOGGING=0
  804. #
  805. # This option allows the specified applications, or a specific version of an
  806. # application, to be whitelisted. If a specific version is to be whitelisted,
  807. # then the name must be followed by a colon and then the version number.
  808. # For example:
  809. #
  810. # APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29
  811. #
  812. # This is a space-separated list of pathnames. The option may be specified
  813. # more than once.
  814. #
  815. # The default value is the null string.
  816. #
  817. #APP_WHITELIST=""
  818. #
  819. # Set this option to scan for suspicious files in directories which pose a
  820. # relatively higher risk due to user write access.
  821. #
  822. # Please do not enable the 'suspscan' test by default as it is CPU and I/O
  823. # intensive, and prone to producing false positives. Do review all settings
  824. # before usage. Also be aware that running 'suspscan' in combination with
  825. # verbose logging on, rkhunter's default, will show all ignored files.
  826. #
  827. # Please consider adding all directories the user the (web)server runs as,
  828. # and has write access to, including the document root (e.g: '/var/www') and
  829. # log directories (e.g: '/var/log/httpd').
  830. #
  831. # This is a space-separated list of directory pathnames. The option may be
  832. # specified more than once.
  833. #
  834. # The default value is the '/tmp' and '/var/tmp' directories.
  835. #
  836. #SUSPSCAN_DIRS=/tmp /var/tmp
  837. #
  838. # This option specifies the directory for temporary files used by the
  839. # 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is
  840. # better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS
  841. # as that is highly likely to cause false-positive results.
  842. #
  843. # The default value is '/dev/shm'.
  844. #
  845. #SUSPSCAN_TEMP=/dev/shm
  846. #
  847. # This option specifies the 'suspscan' test maximum filesize in bytes. Files
  848. # larger than this will not be inspected. Do make sure you have enough space
  849. # available in your temporary files directory.
  850. #
  851. # The default value is '1024000'.
  852. #
  853. #SUSPSCAN_MAXSIZE=10240000
  854. #
  855. # This option specifies the 'suspscan' test score threshold. Below this value
  856. # no hits will be reported.
  857. #
  858. # The default value is '200'.
  859. #
  860. #SUSPSCAN_THRESH=200
  861. #
  862. # The following options can be used to whitelist network ports which are known
  863. # to have been used by malware.
  864. #
  865. # The PORT_WHITELIST option is a space-separated list of one or more of two
  866. # types of whitelisting. These are:
  867. #
  868. # 1) a 'protocol:port' pair
  869. # 2) an asterisk ('*')
  870. #
  871. # Only the UDP or TCP protocol may be specified, and the port number must be
  872. # between 1 and 65535 inclusive.
  873. #
  874. # The asterisk can be used to indicate that any executable which rkhunter can
  875. # locate as a command, is whitelisted. (Also see BINDIR)
  876. #
  877. # The PORT_PATH_WHITELIST option specifies one of two types of whitelisting.
  878. # These are:
  879. #
  880. # 1) a pathname to an executable
  881. # 2) a combined pathname, protocol and port
  882. #
  883. # As above, the protocol can only be TCP or UDP, and the port number must be
  884. # between 1 and 65535 inclusive.
  885. #
  886. # Examples:
  887. #
  888. # PORT_WHITELIST=TCP:2001 UDP:32011
  889. # PORT_PATH_WHITELIST=/usr/sbin/squid
  890. # PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
  891. #
  892. # NOTE: In order to whitelist a pathname, or use the asterisk option, the
  893. # 'lsof' command must be present.
  894. #
  895. # Both options may be specified more than once.
  896. #
  897. # The default value for both options is the null string.
  898. #
  899. #PORT_WHITELIST=""
  900. #PORT_PATH_WHITELIST=""
  901. #
  902. # The following option can be used to tell rkhunter where the operating system
  903. # 'release' file is located. This file contains information specifying the
  904. # current O/S version. RKH will store this information, and check to see if it
  905. # has changed between each run. If it has changed, then the user is warned that
  906. # RKH may issue warning messages until RKH has been run with the '--propupd'
  907. # option.
  908. #
  909. # Since the contents of the file vary according to the O/S distribution, RKH
  910. # will perform different actions when it detects the file itself. As such, this
  911. # option should not be set unless necessary. If this option is specified, then
  912. # RKH will assume the O/S release information is on the first non-blank line of
  913. # the file.
  914. #
  915. # This option has no default value.
  916. #
  917. # Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options.
  918. #
  919. #OS_VERSION_FILE=/etc/debian_version
  920. #
  921. # Set the following option to '0' if you do not want to receive a warning if any
  922. # O/S information has changed since the last run of 'rkhunter --propupd'. The
  923. # warnings occur during the file properties check. Setting a value of '1' will
  924. # cause rkhunter to issue a warning if something has changed.
  925. #
  926. # The default value is '1'.
  927. #
  928. #WARN_ON_OS_CHANGE=1
  929. #
  930. # Set the following option to '1' if you want rkhunter to automatically run a
  931. # file properties update ('--propupd') if the O/S has changed. Detection of an
  932. # O/S change occurs during the file properties check. Setting a value of '0'
  933. # will cause rkhunter not to do an automatic update.
  934. #
  935. # WARNING: Only set this option if you are sure that the update will work
  936. # correctly. That is, that the database directory is writeable, that a valid
  937. # hash function is available, and so on. This can usually be checked simply by
  938. # running 'rkhunter --propupd' at least once.
  939. #
  940. # The default value is '0'.
  941. #
  942. #UPDT_ON_OS_CHANGE=0
  943. #
  944. # The following two options can be used to whitelist files and directories that
  945. # would normally be flagged with a warning during the various rootkit and
  946. # malware checks. Only existing files and directories can be specified, and
  947. # these must be full pathnames not links.
  948. #
  949. # Additionally, the RTKT_FILE_WHITELIST option may include a string after the
  950. # file name (separated by a colon). This will then only whitelist that string
  951. # in that file (as part of the malware checks). For example:
  952. #
  953. # RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
  954. #
  955. # If the option list includes the filename on its own as well, then the file
  956. # will be whitelisted from rootkit checks of the files existence, but still
  957. # only the specific string within the file will be whitelisted. For example:
  958. #
  959. # RTKT_FILE_WHITELIST=/etc/rc.local
  960. # RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
  961. #
  962. # To whitelist a file from the existence checks, but not from the strings
  963. # checks, then include the filename on its own and on its own but with just
  964. # a colon appended. For example:
  965. #
  966. # RTKT_FILE_WHITELIST=/etc/rc.local
  967. # RTKT_FILE_WHITELIST=/etc/rc.local:
  968. #
  969. # NOTE: It is recommended that if you whitelist any files, then you include
  970. # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
  971. # configuration option.
  972. #
  973. # Both of these options may be specified more than once.
  974. #
  975. # For both options the default value is the null string.
  976. #
  977. #RTKT_DIR_WHITELIST=""
  978. #RTKT_FILE_WHITELIST=""
  979. #
  980. # The following option can be used to whitelist shared library files that would
  981. # normally be flagged with a warning during the preloaded shared library check.
  982. # These library pathnames usually exist in the '/etc/ld.so.preload' file or in
  983. # the LD_PRELOAD environment variable.
  984. #
  985. # NOTE: It is recommended that if you whitelist any files, then you include
  986. # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
  987. # configuration option.
  988. #
  989. # This option is a space-separated list of library pathnames. The option may be
  990. # specified more than once.
  991. #
  992. # The default value is the null string.
  993. #
  994. #SHARED_LIB_WHITELIST=/lib/snoopy.so
  995. #
  996. # To force rkhunter to use the supplied script for the 'stat' or 'readlink'
  997. # command the following two options can be used. The value must be set to
  998. # 'BUILTIN'.
  999. #
  1000. # NOTE: IRIX users will probably need to enable STAT_CMD.
  1001. #
  1002. # For both options the default value is the null string.
  1003. #
  1004. #STAT_CMD=BUILTIN
  1005. #READLINK_CMD=BUILTIN
  1006. #
  1007. # In the file properties test any modification date/time is displayed as the
  1008. # number of epoch seconds. Rkhunter will try and use the 'date' command, or
  1009. # failing that the 'perl' command, to display the date and time in a
  1010. # human-readable format as well. This option may be used if some other command
  1011. # should be used instead. The given command must understand the '%s' and
  1012. # 'seconds ago' options found in the GNU 'date' command.
  1013. #
  1014. # A value of 'NONE' may be used to request that only the epoch seconds be shown.
  1015. # A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
  1016. # it is present.
  1017. #
  1018. # This option has no default value.
  1019. #
  1020. #EPOCH_DATE_CMD=""
  1021. #
  1022. # This setting tells rkhunter the directory containing the available Linux
  1023. # kernel modules. This setting will be worked out by rkhunter, and so should
  1024. # not usually need to be set.
  1025. #
  1026. # This option has no default value.
  1027. #
  1028. #MODULES_DIR=""
  1029. #
  1030. # The following option can be set to a command which rkhunter will use when
  1031. # downloading files from the Internet - that is, when the '--update' or
  1032. # '--versioncheck' option is used. The command can take options.
  1033. #
  1034. # This allows the user to use a command other than the one automatically
  1035. # selected by rkhunter, but still one which it already knows about.
  1036. # For example:
  1037. #
  1038. # WEB_CMD=curl
  1039. #
  1040. # Alternatively, the user may specify a completely new command. However, note
  1041. # that rkhunter expects the downloaded file to be written to stdout, and that
  1042. # everything written to stderr is ignored. For example:
  1043. #
  1044. # WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
  1045. #
  1046. # *BSD users may want to use the 'ftp' command, provided that it supports the
  1047. # HTTP protocol:
  1048. #
  1049. # WEB_CMD="ftp -o -"
  1050. #
  1051. # This option has no default value.
  1052. #
  1053. #WEB_CMD=""
  1054. #
  1055. # Set the following option to '1' if locking is to be used when rkhunter runs.
  1056. # The lock is set just before logging starts, and is removed when the program
  1057. # ends. It is used to prevent items such as the log file, and the file
  1058. # properties file, from becoming corrupted if rkhunter is running more than
  1059. # once. The mechanism used is to simply create a lock file in the TMPDIR
  1060. # directory. If the lock file already exists, because rkhunter is already
  1061. # running, then the current process simply loops around sleeping for 10 seconds
  1062. # and then retrying the lock. A value of '0' means not to use locking.
  1063. #
  1064. # The default value is '0'.
  1065. #
  1066. # Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
  1067. #
  1068. #USE_LOCKING=0
  1069. #
  1070. # If locking is used, then rkhunter may have to wait to get the lock file.
  1071. # This option sets the total amount of time, in seconds, that rkhunter should
  1072. # wait. It will retry the lock every 10 seconds, until either it obtains the
  1073. # lock or the timeout value has been reached.
  1074. #
  1075. # The default value is 300 seconds (5 minutes).
  1076. #
  1077. #LOCK_TIMEOUT=300
  1078. #
  1079. # If locking is used, then rkhunter may be doing nothing for some time if it
  1080. # has to wait for the lock. If this option is set to '1', then some simple
  1081. # messages are echoed to the users screen to let them know that rkhunter is
  1082. # waiting for the lock. Set this option to '0' if the messages are not to be
  1083. # displayed.
  1084. #
  1085. # The default value is '1'.
  1086. #
  1087. #SHOW_LOCK_MSGS=1
  1088. #
  1089. # If this option is set to 'THOROUGH' then rkhunter will search (on a per
  1090. # rootkit basis) for filenames in all of the directories (as defined by the
  1091. # result of running 'find / -xdev'). While still not optimal, as it still
  1092. # searches for only file names as opposed to file contents, this is one step
  1093. # away from the rigidity of searching in known (evidence) or default
  1094. # (installation) locations.
  1095. #
  1096. # THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
  1097. #
  1098. # You should only activate this feature as part of a more thorough
  1099. # investigation, which should be based on relevant best practices and
  1100. # procedures.
  1101. #
  1102. # Enabling this feature implies you have the knowledge to interpret the
  1103. # results properly.
  1104. #
  1105. # The default value is the null string.
  1106. #
  1107. #SCANROOTKITMODE=THOROUGH
  1108. #
  1109. # The following option can be set to the name(s) of the tests the 'unhide'
  1110. # command is to use. Options such as '-m' and '-v' may be specified, but will
  1111. # only take effect when they are seen. The test names are a space-separated
  1112. # list, and will be executed in the order given.
  1113. #
  1114. # This option may be specified more than once.
  1115. #
  1116. # The default value is 'sys' in order to maintain compatibility with older
  1117. # versions of 'unhide'.
  1118. #
  1119. #UNHIDE_TESTS=sys
  1120. #
  1121. # The following option can be used to set options for the 'unhide-tcp' command.
  1122. # The options are space-separated.
  1123. #
  1124. # This option may be specified more than once.
  1125. #
  1126. # The default value is the null string.
  1127. #
  1128. #UNHIDETCP_OPTS=""
  1129. #
  1130. # If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system,
  1131. # then it is possible to disable the execution of one of the programs if
  1132. # desired. By default rkhunter will look for both programs, and execute each
  1133. # of them as they are found. If the value of this option is '0', then both
  1134. # programs will be executed if they are present. A value of '1' will disable
  1135. # execution of the C 'unhide' program, and a value of '2' will disable the Ruby
  1136. # 'unhide.rb' program. To disable both programs, then disable the
  1137. # 'hidden_procs' test.
  1138. #
  1139. # The default value is '0'.
  1140. #
  1141. DISABLE_UNHIDE=0
  1142. INSTALLDIR=/usr
  1143. #
  1144. # This option can be set to either '0' or '1'. If set to '1' then the summary,
  1145. # shown after rkhunter has run, will display the actual number of warnings
  1146. # found. If it is set to '0', then the summary will simply indicate that
  1147. # 'One or more' warnings were found. If no warnings were found, and this option
  1148. # is set to '1', then a "0" will be shown. If the option is set to '0', then
  1149. # the words 'No warnings' will be shown.
  1150. #
  1151. # The default value is '0'.
  1152. #
  1153. #SHOW_SUMMARY_WARNINGS_NUMBER=0
  1154. #
  1155. # This option is used to determine where, if anywhere, the summary scan time is
  1156. # displayed. A value of '0' indicates that it should not be displayed anywhere.
  1157. # A value of '1' indicates that the time should only appear on the screen, and a
  1158. # value of '2' that it should only appear in the log file. A value of '3'
  1159. # indicates that the time taken should appear both on the screen and in the log
  1160. # file.
  1161. #
  1162. # The default value is '3'.
  1163. #
  1164. #SHOW_SUMMARY_TIME=3
  1165. #
  1166. # The two options below may be used to check if a file is missing or empty
  1167. # (that is, it has a size of zero). The EMPTY_LOGFILES option will also check
  1168. # if the file is missing, since that can be interpreted as a file of no size.
  1169. # However, the file will only be reported as missing if the MISSING_LOGFILES
  1170. # option hasn't already done this.
  1171. #
  1172. # Both options are space-separated lists of pathnames, and may be specified
  1173. # more than once.
  1174. #
  1175. # NOTE: Log files are usually 'rotated' by some mechanism. At that time it is
  1176. # perfectly possible for the file to be either missing or empty. As such these
  1177. # options may produce false-positive warnings when log files are rotated.
  1178. #
  1179. # For both options the default value is the null string.
  1180. #
  1181. #EMPTY_LOGFILES=""
  1182. #MISSING_LOGFILES=""