ansible-playbooks/roles/common/templates/rkhunter/stretch.conf.j2

{% if ansible_controlled is defined and ansible_controlled != "" %}
#
# {{ ansible_controlled }}
#
{% endif %}
#
# This is the main configuration file for Rootkit Hunter.
#
# You can modify this file directly, or you can create a local configuration
# file. The local file must be named 'rkhunter.conf.local', and must reside
# in the same directory as this file. Alternatively you can create a directory,
# named 'rkhunter.d', which also must be in the same directory as this
# configuration file. Within the 'rkhunter.d' directory you can place further
# configuration files. There is no restriction on the file names used, other
# than they must end in '.conf'.
#
# Please modify the configuration file(s) to your own requirements. It is
# recommended that the command 'rkhunter -C' is run after any changes have
# been made.
#
# Please review the documentation before posting bug reports or questions.
# To report bugs, obtain updates, or provide patches or comments, please go
# to: http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list.
# Note that this is a moderated list, so please subscribe before posting.
#
# In the configuration files, lines beginning with a hash (#), and blank lines,
# are ignored. Also, end-of-line comments are not supported.
#
# Any of the configuration options may appear more than once. However, several
# options only take one value, and so the last one seen will be used. Some
# options are allowed to appear more than once, and the text describing the
# option will say if this is so. These configuration options will, in effect,
# have their values concatenated together. To delete a previously specified
# option list, specify the option with no value (that is, a null string).
#
# Some of the options are space-separated lists, others, typically those
# specifying pathnames, are newline-separated lists. These must be entered
# as one item per line. Quotes must not be used to surround the pathname.
#
# For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an
# option:         XXX=/tmp/abc                (correct)
#                 XXX=/tmp/xyz
#
#                 XXX="/tmp/abc"              (incorrect)
#                 XXX="/tmp/xyz"
#
#                 XXX=/tmp/abc  /tmp/xyz      (incorrect)
#    or           XXX="/tmp/abc  /tmp/xyz"    (incorrect)
#    or           XXX="/tmp/abc"  "/tmp/xyz"  (incorrect)
#
# The last three examples are being configured as space-separated lists,
# which is incorrect, generally, for options specifying pathnames. They
# should be configured with one entry per line as in the first example.
#
# If wildcard characters (globbing) are allowed for an option, then the
# text describing the option will say so.
#
# Space-separated lists may be enclosed by quotes, although they are not
# required. If they are used, then they must only appear at the start and
# end of the list, not in the middle.
#
# For example:    XXX=abc  def  gh            (correct)
#                 XXX="abc  def  gh"          (correct)
#                 XXX="abc"  "def"  "gh"      (incorrect)
#
# Space-separated lists may also be entered simply as one entry per line.
#
# For example:    XXX=abc                     (correct)
#                 XXX=def
#                 XXX="gh"
#
# If a configuration option is never set, then the program will assume a
# default value. The text describing the option will state the default value.
# If there is no default, then rkhunter will calculate a value or pathname
# to use.
#


#
# If this option is set to '1', it specifies that the mirrors file
# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
# options are used, is to be rotated. Rotating the entries in the file allows
# a basic form of load-balancing between the mirror sites whenever the above
# options are used.
#
# If the option is set to '0', then the mirrors will be treated as if in a
# priority list. That is, the first mirror listed will always be used first.
# The second mirror will only be used if the first mirror fails, the third
# mirror will only be used if the second mirror fails, and so on.
#
# If the mirrors file is read-only, then the '--versioncheck' command-line
# option can only be used if this option is set to '0'.
# 
# The default value is '1'.
#
#ROTATE_MIRRORS=1

#
# If this option is set to '1', it specifies that when the '--update' option is
# used, then the mirrors file is to be checked for updates as well. If the
# current mirrors file contains any local mirrors, these will be prepended to
# the updated file. If this option is set to '0', the mirrors file can only be
# updated manually. This may be useful if only using local mirrors.
#
# The default value is '1'.
#
#UPDATE_MIRRORS=1

#
# The MIRRORS_MODE option tells rkhunter which mirrors are to be used when
# the '--update' or '--versioncheck' command-line options are given.
# Possible values are:
#     0 - use any mirror
#     1 - only use local mirrors
#     2 - only use remote mirrors
#
# Local and remote mirrors can be defined in the mirrors file by using the
# 'local=' and 'remote=' keywords respectively.
#
# The default value is '0'.
#
#MIRRORS_MODE=0

#
# Email a message to this address if a warning is found when the system is
# being checked. Multiple addresses may be specified simply be separating
# them with a space. To disable the option, simply set it to the null string
# or comment it out.
#
# The option may be specified more than once.
#
# The default value is the null string.
#
# Also see the MAIL_CMD option.
#
#MAIL-ON-WARNING=root

#
# This option specifies the mail command to use if MAIL-ON-WARNING is set.
#
# NOTE: Double quotes are not required around the command, but are required
# around the subject line if it contains spaces.
#
# The default is to use the 'mail' command, with a subject line
# of '[rkhunter] Warnings found for ${HOST_NAME}'.
#
#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

#
# This option specifies the directory to use for temporary files.
#
# NOTE: Do not use '/tmp' as your temporary directory. Some important files
# will be written to this directory, so be sure that the directory permissions
# are secure.
#
# The installer program will set the default directory. If this default is
# subsequently commented out or removed, then the program will assume a
# default directory beneath the installation directory.
#
TMPDIR=/var/lib/rkhunter/tmp

#
# This option specifies the database directory to use.
#
# The installer program will set the default directory. If this default is
# subsequently commented out or removed, then the program will assume a
# default directory beneath the installation directory.
#
DBDIR=/var/lib/rkhunter/db

#
# This option specifies the script directory to use.
#
# The installer program will set the default directory. If this default is
# subsequently commented out or removed, then the program will not run.
#
SCRIPTDIR=/usr/share/rkhunter/scripts

#
# This option can be used to modify the command directory list used by rkhunter
# to locate commands (that is, its PATH). By default this will be the root PATH,
# and an internal list of some common command directories.
#
# Any directories specified here will, by default, be appended to the default
# list. However, if a directory name begins with the '+' character, then that
# directory will be prepended to the list (that is, it will be put at the start
# of the list).
#
# This is a space-separated list of directory names. The option may be
# specified more than once.
#
# The default value is based on the root account PATH environment variable.
#
#BINDIR=/bin /usr/bin /sbin /usr/sbin
#BINDIR=+/usr/local/bin +/usr/local/sbin

#
# This option specifies the default language to use. This should be similar to
# the ISO 639 language code.
#
# NOTE: Please ensure that the language you specify is supported.
# For a list of supported languages use the following command:
#
#       rkhunter --lang en --list languages
#
# The default language is 'en' (English).
#
#LANGUAGE=en

#
# This option is a space-separated list of the languages that are to be updated
# when the '--update' option is used. If unset, then all the languages will be
# updated. If none of the languages are to be updated, then set this option to
# just 'en'.
#
# The default language, specified by the LANGUAGE option, and the English (en)
# language file will always be updated regardless of this option.
#
# This option may be specified more than once.
#
# The default value is the null string, indicating that all the language files
# will be updated.
#
#UPDATE_LANG=""

#
# This option specifies the log file pathname. The file will be created if it
# does not initially exist. If the option is unset, then the program will
# display a message each time it is run saying that the default value is being
# used.
#
# The default value is '/var/log/rkhunter.log'.
#
LOGFILE=/var/log/rkhunter.log

#
# Set this option to '1' if the log file is to be appended to whenever rkhunter
# is run. A value of '0' will cause a new log file to be created whenever the
# program is run.
#
# The default value is '0'.
#
#APPEND_LOG=0

#
# Set the following option to '1' if the log file is to be copied when rkhunter
# finishes and an error or warning has occurred. The copied log file name will
# be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format).
# For example: rkhunter.log.2009-04-21_00:57:51
# If the option value is '0', then the log file will not be copied regardless
# of whether any errors or warnings occurred.
#
# The default value is '0'.
#
#COPY_LOG_ON_ERROR=0

#
# Set the following option to enable the rkhunter check start and finish times
# to be logged by syslog. Warning messages will also be logged. The value of
# the option must be a standard syslog facility and priority, separated by a
# dot.  For example:
#
#     USE_SYSLOG=authpriv.warning
#
# Setting the value to 'none', or just leaving the option commented out,
# disables the use of syslog.
#
# The default value is not to use syslog.
#
#USE_SYSLOG=authpriv.warning

#
# Set the following option to '1' if the second colour set is to be used. This
# can be useful if your screen uses black characters on a white background
# (for example, a PC instead of a server). A value of '0' will cause the default
# colour set to be used.
#
# The default value is '0'.
#
#COLOR_SET2=0

#
# Set the following option to '0' if rkhunter should not detect if X is being
# used. If X is detected as being used, then the second colour set will
# automatically be used. If set to '1', then the use of X will be detected.
#
# The default value is '0'.
#
AUTO_X_DETECT=1

#
# Set the following option to '1' if it is wanted that any 'Whitelisted' results
# are shown in white rather than green. For colour set 2 users, setting this
# option will cause the result to be shown in black. Setting the option to '0'
# causes whitelisted results to be displayed in green.
#
# The default value is '0'.
#
#WHITELISTED_IS_WHITE=0

#
# The following option is checked against the SSH configuration file
# 'PermitRootLogin' option. A warning will be displayed if they do not match.
# However, if a value has not been set in the SSH configuration file, then a
# value here of 'unset' can be used to avoid warning messages.
#
# The default value is 'no'.
#
ALLOW_SSH_ROOT_USER=without-password

#
# Set this option to '1' to allow the use of the SSH-1 protocol, but note
# that theoretically it is weaker, and therefore less secure, than the
# SSH-2 protocol. Do not modify this option unless you have good reasons
# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
# authentication). If the 'Protocol' option has not been set in the SSH
# configuration file, then a value of '2' may be set here in order to
# suppress a warning message. A value of '0' indicates that the use of
# SSH-1 is not allowed.
#
# The default value is '0'.
#
#ALLOW_SSH_PROT_V1=0

#
# This setting tells rkhunter the directory containing the SSH configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
# This option has no default value.
#
#SSH_CONFIG_DIR=/etc/ssh

#
# These two options determine which tests are to be performed. The ENABLE_TESTS
# option can use the word 'all' to refer to all of the available tests. The
# DISABLE_TESTS option can use the word 'none' to mean that no tests are
# disabled. The list of disabled tests is applied to the list of enabled tests.
#
# Both options are space-separated lists of test names, and both options may
# be specified more than once. The currently available test names can be seen
# by using the command 'rkhunter --list tests'.
#
# The supplied configuration file has some tests already disabled, and these
# are tests that will be used only occasionally, can be considered 'advanced'
# or that are prone to produce more than the average number of false-positives.
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
# The default values are to enable all tests and to disable none. However, if
# either of the options below are specified, then they will override the
# program defaults.
#
# hidden_procs test requires the unhide and/or unhide.rb commands which are
# part of the unhide respectively unhide.rb packages in Debian.
#
# apps test is disabled by default as it triggers warnings about outdated
# applications (and warns about possible security risk: we better trust
# the Debian Security Team).
#
ENABLE_TESTS=all
{% set disable_tests = [] %}
{% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'guest' %}
  {% if disable_tests.append('os_specific') %}{% endif %}
{%- endif %}
{% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'host' %}
    {% if disable_tests.append('promisc') %}{% endif %}
{%- endif %}
DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps {{ disable_tests|join(' ') }}

#
# The HASH_CMD option can be used to specify the command to use for the file
# properties hash value check. It can be specified as just the command name or
# the full pathname. If just the command name is given, and it is one of MD5,
# SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the
# relevant command, such as 'sha256sum', and then for 'sha256'. If neither of
# these are found, it will then look to see if a perl module has been installed
# which will support the relevant hash function. To see which perl modules have
# been installed use the command 'rkhunter --list perl'.
#
# Systems using prelinking are restricted to using either the SHA1 or MD5
# function.
#
# A value of 'NONE' (in uppercase) can be specified to indicate that no hash
# function should be used. Rkhunter will detect this, and automatically disable
# the file properties hash check test.
#
# Examples:
#   For Solaris 9 : HASH_CMD=gmd5sum
#   For Solaris 10: HASH_CMD=sha1sum
#   For AIX (>5.2): HASH_CMD="csum -hMD5"
#   For NetBSD    : HASH_CMD="cksum -a sha512"
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
# The default value is the SHA1 function, or MD5 if SHA1 cannot be found.
#
# Also see the HASH_FLD_IDX option.
#
HASH_CMD=sha256sum

#
# The HASH_FLD_IDX option specifies which field from the HASH_CMD command
# output contains the hash value. The fields are assumed to be space-separated.
#
# The option value must be an integer greater than zero.
#
# The default value is '1', but for *BSD users rkhunter will, by default, use a
# value of '4' if the HASH_CMD option has not been set.
#
#HASH_FLD_IDX=4

#
# The PKGMGR option tells rkhunter to use the specified package manager to
# obtain the file property information. This is used when updating the file
# properties file ('rkhunter.dat'), and when running the file properties check.
# For RedHat/RPM-based systems, 'RPM' can be used to get information from the
# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems
# 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value,
# or a value of 'NONE', indicates that no package manager is to be used.
#
# The current package managers, except 'SOLARIS', store the file hash values
# using an MD5 hash function. The Solaris package manager includes a checksum
# value, but this is not used by default (see USE_SUNSUM below).
#
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
# The 'RPM' package manager additionally provides values for the inode,
# file permissions, uid, gid and other values. The 'SOLARIS' also provides
# most of the values, similar to 'RPM', but not the inode number.
#
# For any file not part of a package, rkhunter will revert to using the
# HASH_CMD hash function instead.
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
# The default value is 'NONE'.
#
# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options.
#
# NONE is the default for Debian as well, as running --propupd takes
# about 4 times longer when it's set to DPKG
#
#PKGMGR=NONE

#
# It is possible that a file, which is part of a package, may have been
# modified by the administrator. Typically this occurs for configuration
# files. However, the package manager may list the file as being modified.
# For the RPM package manager this may well depend on how the package was
# built. This option specifies a pathname which is to be exempt from the
# package manager verification process, and which will be treated
# as a non-packaged file. As such, the file properties are still checked.
#
# This option only takes effect if the PKGMGR option has been set, and
# is not 'NONE'.
#
# This option may be specified more than once.
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
# The default value is the null string.
#
#PKGMGR_NO_VRFY=""

#
# If the 'SOLARIS' package manager is used, then it is possible to use the
# checksum (hash) value stored for a file. However, this is only a 16-bit
# checksum, and as such is not nearly as secure as, for example, a SHA-2 value.
# If the option is set to '0', then the checksum is not used and the hash
# function given by HASH_CMD is used instead. To enable this option, set its
# value to '1'. The Solaris 'sum' command must be present on the system if this
# option is used.
#
# The default value is '0'.
#
#USE_SUNSUM=0

#
# This option can be used to tell rkhunter to ignore any prelink dependency
# errors for the given commands. However, a warning will also be issued if the
# error does not occur for a given command. As such this option must only be
# used on commands which experience a persistent problem.
#
# Short-term prelink dependency errors can usually be resolved simply by
# running the 'prelink' command on the given pathname.
#
# This is a space-separated list of command pathnames. The option can be
# specified more than once.
#
# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
#
# The default value is the null string.
#
#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top

#
# These options specify a command, directory or file pathname which will be
# included or excluded in the file properties checks.
#
# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example,
# 'top' - and directory names are added to the internal list of directories to
# be searched for each of the command names in the command list. Additionally,
# full pathnames to files, which need not be commands, may be given. Any files
# or directories which are already part of the internal lists will be silently
# ignored from the configuration.
#
# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for
# simple command names.
# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
#
# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS
# option. Wildcards may be used with this option.
#
# By combining these two options, and using wildcards, whole directories can be
# excluded. For example:
#
#     USER_FILEPROP_FILES_DIRS=/etc/*
#     USER_FILEPROP_FILES_DIRS=/etc/*/*
#     EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/*
#
# This will look for files in the first two directory levels of '/etc'. However,
# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be
# excluded.
#
# NOTE: Only files and directories which have been added by the user, and are
# not part of the internal lists, can be excluded. So, for example, it is not
# possible to exclude the 'ps' command by using '/bin/ps'. These will be
# silently ignored from the configuration.
#
# Both options can be specified more than once.
#
# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run.
#
# The default value for both options is the null string.
#
#USER_FILEPROP_FILES_DIRS=top
#USER_FILEPROP_FILES_DIRS=/usr/local/sbin
#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/*
#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/*
#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps*
#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat
#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter*

#
# This option whitelists files and directories from existing, or not existing,
# on the system at the time of testing. This option is used when the
# configuration file options themselves are checked, and during the file
# properties check, the hidden files and directories checks, and the filesystem
# check of the '/dev' directory.
#
# This option may be specified more than once, and may use wildcards.
# Be aware though that this is probably not what you want to do as the
# wildcarding will be expanded after files have been deleted. As such
# deleted files won't be whitelisted if wildcarded.
#
# NOTE: The user must take into consideration how often the file will appear
# and disappear from the system in relation to how often rkhunter is run. If
# the file appears, and disappears, too often then rkhunter may not notice
# this. All it will see is that the file has changed. The inode-number and DTM
# will certainly be different for each new file, and rkhunter will report this.
#
# The default value is the null string.
#
#EXISTWHITELIST=""

#
# Whitelist various attributes of the specified file. The attributes are those
# of the 'attributes' test. Specifying a file name here does not include it
# being whitelisted for the write permission test (see below).
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ATTRWHITELIST=/usr/bin/date

#
# Allow the specified file to have the 'others' (world) permission have the
# write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#WRITEWHITELIST=/usr/bin/date

#
# Allow the specified file to be a script.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/ldd
#SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
#SCRIPTWHITELIST=/usr/sbin/prelink
#SCRIPTWHITELIST=/usr/sbin/unhide.rb

#
# Allow the specified file to have the immutable attribute set.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#IMMUTWHITELIST=/sbin/ifdown

#
# If this option is set to '1', then the immutable-bit test is reversed. That
# is, the files are expected to have the bit set. A value of '0' means that the
# immutable-bit should not be set.
#
# The default value is '0'.
#
#IMMUTABLE_SET=0

#
# Allow the specified hidden directory to be whitelisted.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/etc/.git
#ALLOWHIDDENDIR=/dev/.lxc

#
# Allow the specified hidden file to be whitelisted.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
# 
#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
#ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
#ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/etc/.gitignore
#ALLOWHIDDENFILE=/etc/.bzrignore
ALLOWHIDDENFILE=/etc/.etckeeper

#
# Allow the specified process to use deleted files. The process name may be
# followed by a colon-separated list of full pathnames. The process will then
# only be whitelisted if it is using one of the given files. For example:
#
#     ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
#
# This option may be specified more than once. It may also use wildcards, but
# only in the file names.
#
# The default value is the null string.
#
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
#ALLOWPROCDELFILE=/usr/lib/iceweasel/iceweasel
#ALLOWPROCDELFILE=/usr/bin/file-roller

#
# Allow the specified process to listen on any network interface.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ALLOWPROCLISTEN=/sbin/dhclient
#ALLOWPROCLISTEN=/usr/bin/dhcpcd
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain

#
# Allow the specified network interfaces to be in promiscuous mode.
#
# This is a space-separated list of interface names. The option may be
# specified more than once.
#
# The default value is the null string.
#
#ALLOWPROMISCIF=eth0

#
# This option specifies how rkhunter should scan the '/dev' directory for
# suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'.
#
# A THOROUGH scan will increase the overall runtime of rkhunter. Despite this,
# it is highly recommended that this value is used.
#
# The default value is 'THOROUGH'.
#
# Also see the ALLOWDEVFILE option.
#
#SCAN_MODE_DEV=THOROUGH

#
# Allow the specified file to be present in the '/dev' directory, and not
# regarded as suspicious.
#
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#ALLOWDEVFILE=/dev/shm/pulse-shm-*
#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
ALLOWDEVFILE=/dev/shm/PostgreSQL.*

#
# This option is used to indicate if the Phalanx2 test is to perform a basic
# check, or a more thorough check. If the option is set to '0', then a basic
# check is performed. If it is set to '1', then all the directories in the
# '/etc' and '/usr' directories are scanned.
#
# NOTE: Setting this option to '1' will cause the test to take longer
# to complete.
#
# The default value is '0'.
#
#PHALANX2_DIRTEST=0

#
# This option tells rkhunter where the inetd configuration file is located.
#
# The default value is the null string.
#
#INETD_CONF_PATH=/etc/inetd.conf

#
# This option allows the specified enabled inetd services.
#
# This is a space-separated list of service names. The option may be specified
# more than once.
#
# For non-Solaris users the simple service name should be used.
# For example:
#
#     INETD_ALLOWED_SVC=echo
#
# For Solaris 9 users the simple service name should also be used, but
# if it is an RPC service, then the executable pathname should be used.
# For example:
#
#     INETD_ALLOWED_SVC=imaps
#     INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd
#
# For Solaris 10 users the service/FMRI name should be used. For example:
#
#     INETD_ALLOWED_SVC=/network/rpc/meta
#     INETD_ALLOWED_SVC=/network/rpc/metamed
#     INETD_ALLOWED_SVC=/application/font/stfsloader
#     INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#
# The default value is the null string.
#
#INETD_ALLOWED_SVC=echo

#
# This option tells rkhunter where the xinetd configuration file is located.
#
# The default value is the null string.
#
#XINETD_CONF_PATH=/etc/xinetd.conf

#
# This option allows the specified enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing we only have
# the pathname available. As such, these entries are the xinetd file pathnames.
#
# This is a space-separated list of service names. The option may be specified
# more than once.
#
# The default value is the null string.
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo

#
# This option tells rkhunter the local system startup file pathnames. The
# directories will be searched for files. By default rkhunter will try and
# determine were the startup files are located. If the option is set to 'NONE',
# then certain tests will be skipped.
#
# This is a space-separated list of file and directory pathnames. The option
# may be specified more than once, and may use wildcard characters.
#
# This option has no default value.
#
#STARTUP_PATHS=/etc/init.d /etc/rc.local

#
# This option tells rkhunter the pathname to the file containing the user
# account passwords. This setting will be worked out by rkhunter, and so
# should not usually need to be set. Users of TCB shadow files should not
# set this option.
#
# This option has no default value.
#
#PASSWORD_FILE=/etc/shadow

#
# This option allows the specified accounts to be root equivalent. These
# accounts will have a UID value of zero. The 'root' account does not need
# to be listed as it is automatically whitelisted.
#
# This is a space-separated list of account names. The option may be specified
# more than once.
#
# NOTE: For *BSD systems you will probably need to use this option for the
# 'toor' account.
#
# The default value is the null string.
#
#UID0_ACCOUNTS=toor rooty sashroot

#
# This option allows the specified accounts to have no password. NIS/YP entries
# do not need to be listed as they are automatically whitelisted.
#
# This is a space-separated list of account names. The option may be specified
# more than once.
#
# The default value is the null string.
#
#PWDLESS_ACCOUNTS=abc

#
# This option tells rkhunter the pathname to the syslog configuration file.
# This setting will be worked out by rkhunter, and so should not usually need
# to be set. A value of 'NONE' can be used to indicate that there is no
# configuration file, but that the syslog daemon process may be running.
#
# This is a space-separated list of pathnames. The option may be specified
# more than once.
#
# This option has no default value.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf

#
# If this option is set to '1', then the use of syslog remote logging is
# permitted. A value of '0' disallows the use of remote logging.
#
# The default value is '0'.
#
#ALLOW_SYSLOG_REMOTE_LOGGING=0

#
# This option allows the specified applications, or a specific version of an
# application, to be whitelisted. If a specific version is to be whitelisted,
# then the name must be followed by a colon and then the version number.
# For example:
#
#     APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29
#
# This is a space-separated list of pathnames. The option may be specified
# more than once.
#
# The default value is the null string.
#
#APP_WHITELIST=""

# 
# Set this option to scan for suspicious files in directories which pose a
# relatively higher risk due to user write access.
#
# Please do not enable the 'suspscan' test by default as it is CPU and I/O
# intensive, and prone to producing false positives. Do review all settings
# before usage. Also be aware that running 'suspscan' in combination with
# verbose logging on, rkhunter's default, will show all ignored files.
#
# Please consider adding all directories the user the (web)server runs as,
# and has write access to, including the document root (e.g: '/var/www') and
# log directories (e.g: '/var/log/httpd'). 
#
# This is a space-separated list of directory pathnames. The option may be
# specified more than once.
#
# The default value is the '/tmp' and '/var/tmp' directories.
#
#SUSPSCAN_DIRS=/tmp /var/tmp

#
# This option specifies the directory for temporary files used by the
# 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is
# better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS
# as that is highly likely to cause false-positive results.
#
# The default value is '/dev/shm'.
#
#SUSPSCAN_TEMP=/dev/shm

#
# This option specifies the 'suspscan' test maximum filesize in bytes. Files
# larger than this will not be inspected. Do make sure you have enough space
# available in your temporary files directory.
#
# The default value is '1024000'.
#
#SUSPSCAN_MAXSIZE=10240000

#
# This option specifies the 'suspscan' test score threshold. Below this value
# no hits will be reported.
#
# The default value is '200'.
#
#SUSPSCAN_THRESH=200

#
# The following options can be used to whitelist network ports which are known
# to have been used by malware. 
#
# The PORT_WHITELIST option is a space-separated list of one or more of two
# types of whitelisting. These are:
#
#   1) a 'protocol:port' pair
#   2) an asterisk ('*')
#
# Only the UDP or TCP protocol may be specified, and the port number must be
# between 1 and 65535 inclusive.
#
# The asterisk can be used to indicate that any executable which rkhunter can
# locate as a command, is whitelisted. (Also see BINDIR)
#
# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting.
# These are:
#
#   1) a pathname to an executable
#   2) a combined pathname, protocol and port
#
# As above, the protocol can only be TCP or UDP, and the port number must be
# between 1 and 65535 inclusive.
#
# Examples:
#
#     PORT_WHITELIST=TCP:2001 UDP:32011
#     PORT_PATH_WHITELIST=/usr/sbin/squid
#     PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
#
# NOTE: In order to whitelist a pathname, or use the asterisk option, the
# 'lsof' command must be present.
#
# Both options may be specified more than once.
#
# The default value for both options is the null string.
#
#PORT_WHITELIST=""
#PORT_PATH_WHITELIST=""

#
# The following option can be used to tell rkhunter where the operating system
# 'release' file is located. This file contains information specifying the
# current O/S version. RKH will store this information, and check to see if it
# has changed between each run. If it has changed, then the user is warned that
# RKH may issue warning messages until RKH has been run with the '--propupd'
# option.
#
# Since the contents of the file vary according to the O/S distribution, RKH
# will perform different actions when it detects the file itself. As such, this
# option should not be set unless necessary. If this option is specified, then
# RKH will assume the O/S release information is on the first non-blank line of
# the file.
#
# This option has no default value.
#
# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options.
#
#OS_VERSION_FILE=/etc/debian_version

#
# Set the following option to '0' if you do not want to receive a warning if any
# O/S information has changed since the last run of 'rkhunter --propupd'. The
# warnings occur during the file properties check. Setting a value of '1' will
# cause rkhunter to issue a warning if something has changed.
#
# The default value is '1'.
#
#WARN_ON_OS_CHANGE=1

#
# Set the following option to '1' if you want rkhunter to automatically run a
# file properties update ('--propupd') if the O/S has changed. Detection of an
# O/S change occurs during the file properties check. Setting a value of '0'
# will cause rkhunter not to do an automatic update.
#
# WARNING: Only set this option if you are sure that the update will work
# correctly. That is, that the database directory is writeable, that a valid
# hash function is available, and so on. This can usually be checked simply by
# running 'rkhunter --propupd' at least once.
#
# The default value is '0'.
#
#UPDT_ON_OS_CHANGE=0

#
# The following two options can be used to whitelist files and directories that
# would normally be flagged with a warning during the various rootkit and
# malware checks. Only existing files and directories can be specified, and
# these must be full pathnames not links.
#
# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
# file name (separated by a colon). This will then only whitelist that string
# in that file (as part of the malware checks). For example:
#
#     RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
#
# If the option list includes the filename on its own as well, then the file
# will be whitelisted from rootkit checks of the files existence, but still
# only the specific string within the file will be whitelisted. For example:
#
#     RTKT_FILE_WHITELIST=/etc/rc.local
#     RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
#
# To whitelist a file from the existence checks, but not from the strings
# checks, then include the filename on its own and on its own but with just
# a colon appended. For example:
#
#     RTKT_FILE_WHITELIST=/etc/rc.local
#     RTKT_FILE_WHITELIST=/etc/rc.local:
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# Both of these options may be specified more than once.
#
# For both options the default value is the null string.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""

#
# The following option can be used to whitelist shared library files that would
# normally be flagged with a warning during the preloaded shared library check.
# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
# the LD_PRELOAD environment variable.
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# This option is a space-separated list of library pathnames. The option may be
# specified more than once.
#
# The default value is the null string.
#
#SHARED_LIB_WHITELIST=/lib/snoopy.so

#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
# command the following two options can be used. The value must be set to
# 'BUILTIN'.
#
# NOTE: IRIX users will probably need to enable STAT_CMD.
#
# For both options the default value is the null string.
#
#STAT_CMD=BUILTIN
#READLINK_CMD=BUILTIN

#
# In the file properties test any modification date/time is displayed as the
# number of epoch seconds. Rkhunter will try and use the 'date' command, or
# failing that the 'perl' command, to display the date and time in a
# human-readable format as well. This option may be used if some other command
# should be used instead. The given command must understand the '%s' and
# 'seconds ago' options found in the GNU 'date' command.
#
# A value of 'NONE' may be used to request that only the epoch seconds be shown.
# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
# it is present.
#
# This option has no default value.
#
#EPOCH_DATE_CMD=""

#
# This setting tells rkhunter the directory containing the available Linux
# kernel modules. This setting will be worked out by rkhunter, and so should
# not usually need to be set.
#
# This option has no default value.
#
#MODULES_DIR=""

#
# The following option can be set to a command which rkhunter will use when
# downloading files from the Internet - that is, when the '--update' or
# '--versioncheck' option is used. The command can take options.
#
# This allows the user to use a command other than the one automatically
# selected by rkhunter, but still one which it already knows about.
# For example:
#
#     WEB_CMD=curl
#
# Alternatively, the user may specify a completely new command. However, note
# that rkhunter expects the downloaded file to be written to stdout, and that
# everything written to stderr is ignored. For example:
#
#     WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
#
# *BSD users may want to use the 'ftp' command, provided that it supports the
# HTTP protocol:
#
#     WEB_CMD="ftp -o -"
#
# This option has no default value.
#
#WEB_CMD=""

#
# Set the following option to '1' if locking is to be used when rkhunter runs.
# The lock is set just before logging starts, and is removed when the program
# ends. It is used to prevent items such as the log file, and the file
# properties file, from becoming corrupted if rkhunter is running more than
# once. The mechanism used is to simply create a lock file in the TMPDIR
# directory. If the lock file already exists, because rkhunter is already
# running, then the current process simply loops around sleeping for 10 seconds
# and then retrying the lock. A value of '0' means not to use locking.
#
# The default value is '0'.
#
# Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
#
#USE_LOCKING=0

#
# If locking is used, then rkhunter may have to wait to get the lock file.
# This option sets the total amount of time, in seconds, that rkhunter should
# wait. It will retry the lock every 10 seconds, until either it obtains the
# lock or the timeout value has been reached.
#
# The default value is 300 seconds (5 minutes).
#
#LOCK_TIMEOUT=300

#
# If locking is used, then rkhunter may be doing nothing for some time if it
# has to wait for the lock. If this option is set to '1', then some simple
# messages are echoed to the users screen to let them know that rkhunter is
# waiting for the lock. Set this option to '0' if the messages are not to be
# displayed.
#
# The default value is '1'.
#
#SHOW_LOCK_MSGS=1

#
# If this option is set to 'THOROUGH' then rkhunter will search (on a per
# rootkit basis) for filenames in all of the directories (as defined by the
# result of running 'find / -xdev'). While still not optimal, as it still
# searches for only file names as opposed to file contents, this is one step
# away from the rigidity of searching in known (evidence) or default
# (installation) locations.
#
# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
#
# You should only activate this feature as part of a more thorough
# investigation, which should be based on relevant best practices and
# procedures. 
#
# Enabling this feature implies you have the knowledge to interpret the
# results properly. 
#
# The default value is the null string.
#
#SCANROOTKITMODE=THOROUGH

#
# The following option can be set to the name(s) of the tests the 'unhide'
# command is to use. Options such as '-m' and '-v' may be specified, but will
# only take effect when they are seen. The test names are a space-separated
# list, and will be executed in the order given.
#
# This option may be specified more than once.
#
# The default value is 'sys' in order to maintain compatibility with older
# versions of 'unhide'.
#
#UNHIDE_TESTS=sys

#
# The following option can be used to set options for the 'unhide-tcp' command.
# The options are space-separated.
#
# This option may be specified more than once.
#
# The default value is the null string.
#
#UNHIDETCP_OPTS=""

#
# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system,
# then it is possible to disable the execution of one of the programs if
# desired. By default rkhunter will look for both programs, and execute each
# of them as they are found. If the value of this option is '0', then both
# programs will be executed if they are present. A value of '1' will disable
# execution of the C 'unhide' program, and a value of '2' will disable the Ruby
# 'unhide.rb' program. To disable both programs, then disable the
# 'hidden_procs' test.
#
# The default value is '0'.
#
DISABLE_UNHIDE=0

INSTALLDIR=/usr

#
# This option can be set to either '0' or '1'. If set to '1' then the summary,
# shown after rkhunter has run, will display the actual number of warnings
# found. If it is set to '0', then the summary will simply indicate that
# 'One or more' warnings were found. If no warnings were found, and this option
# is set to '1', then a "0" will be shown. If the option is set to '0', then
# the words 'No warnings' will be shown.
#
# The default value is '0'.
#
#SHOW_SUMMARY_WARNINGS_NUMBER=0

#
# This option is used to determine where, if anywhere, the summary scan time is
# displayed. A value of '0' indicates that it should not be displayed anywhere.
# A value of '1' indicates that the time should only appear on the screen, and a
# value of '2' that it should only appear in the log file. A value of '3'
# indicates that the time taken should appear both on the screen and in the log
# file.
#
# The default value is '3'.
#
#SHOW_SUMMARY_TIME=3

#
# The two options below may be used to check if a file is missing or empty
# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check
# if the file is missing, since that can be interpreted as a file of no size.
# However, the file will only be reported as missing if the MISSING_LOGFILES
# option hasn't already done this.
#
# Both options are space-separated lists of pathnames, and may be specified
# more than once.
#
# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is
# perfectly possible for the file to be either missing or empty. As such these
# options may produce false-positive warnings when log files are rotated.
#
# For both options the default value is the null string.
#
#EMPTY_LOGFILES=""
#MISSING_LOGFILES=""