123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592 |
- {% if ansible_prolog -%}
- {% from 'templates/ansible/prolog.j2' import prolog with context %}
- {{ prolog() }}
- {% endif -%}
- #
- # This is the configuration file for Rootkit Hunter.
- #
- # Please modify it to your own requirements.
- # Please review the documentation before posting bug reports or questions.
- # To report bugs, obtain updates, or provide patches or comments, please go to:
- # http://rkhunter.sourceforge.net
- #
- # To ask questions about rkhunter, please use the rkhunter-users mailing list.
- # Note this is a moderated list: please subscribe before posting.
- #
- # Lines beginning with a hash (#), and blank lines, will be ignored.
- #
- # Most of the following options need only be specified once. If
- # they appear more than once, then the last one seen will be used.
- # Some options are allowed to appear more than once, and the text
- # describing the option will say if this is so.
- #
- #
- # If this option is set to 1, it specifies that the mirrors file, which
- # is used when the '--update' and '--versioncheck' options are used, is
- # to be rotated. Rotating the entries in the file allows a basic form
- # of load-balancing between the mirror sites whenever the above options
- # are used.
- # If the option is set to 0, then the mirrors will be treated as if in
- # a priority list. That is, the first mirror will always be used. The
- # second mirror will only be used if the first mirror fails, then the
- # third mirror will be used if the second fails and so on.
- #
- ROTATE_MIRRORS=1
- #
- # If this option is set to 1, it specifies that when the '--update'
- # option is used, then the mirrors file is to be checked for updates
- # as well. If the current mirrors file contains any local mirrors,
- # these will be prepended to the updated file.
- # If this option is set to 0, the mirrors file can only be updated
- # manually. This may be useful if only using local mirrors.
- #
- UPDATE_MIRRORS=1
- #
- # The MIRRORS_MODE option tells rkhunter which mirrors are to be
- # used when the '--update' or '--versioncheck' command-line options
- # are given. Possible values are:
- # 0 - use any mirror (the default)
- # 1 - only use local mirrors
- # 2 - only use remote mirrors
- #
- # Local and remote mirrors can be defined in the mirrors.dat file
- # by using the 'local=' and 'remote=' keywords respectively.
- #
- MIRRORS_MODE=0
- #
- # Email a message to this address if a warning is found when the
- # system is being checked. Multiple addresses may be specified
- # simply be separating them with a space.
- #
- #MAIL-ON-WARNING=me@mydomain root@mydomain
- #
- # Specify the mail command to use if MAIL-ON-WARNING is set.
- # NOTE: Double quotes are not required around the command, but
- # are required around the subject line if it contains spaces.
- #
- MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
- #
- # Specify the temporary directory to use.
- #
- # NOTE: Do not use /tmp as your temporary directory. Some
- # important files will be written to this directory, so be
- # sure that the directory permissions are tight.
- #
- TMPDIR=/var/lib/rkhunter/tmp
- #
- # Specify the database directory to use.
- #
- DBDIR=/var/lib/rkhunter/db
- #
- # Specify the script directory to use.
- #
- SCRIPTDIR=/usr/share/rkhunter/scripts
- #
- # Specify the root directory to use.
- #
- #ROOTDIR=""
- #
- # Specify the command directories to be checked. This is a
- # space-separated list of directories.
- #
- BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
- #
- # Specify the language to use. This should be similar
- # to the ISO 639 language code.
- #
- # NOTE: Please ensure that the language you specify is supported.
- # For a list of supported languages use the following command:
- #
- # rkhunter --lang en --list languages
- #
- #LANGUAGE=en
- #
- # Specify the log file pathname.
- #
- LOGFILE=/var/log/rkhunter.log
- #
- # Set the following option to 1 if the log file is to be appended to
- # whenever rkhunter is run.
- #
- APPEND_LOG=0
- #
- # Set the following option to enable the rkhunter check start and finish
- # times to be logged by syslog. Warning messages will also be logged.
- # The value of the option must be a standard syslog facility and
- # priority, separated by a dot.
- #
- # For example: USE_SYSLOG=authpriv.warning
- #
- # Setting the value to 'none', or just leaving the option commented out,
- # disables the use of syslog.
- #
- #USE_SYSLOG=authpriv.notice
- #
- # Set the following option to 1 if the second colour set is to be used.
- # This can be useful if your screen uses black characters on a white
- # background (for example, a PC instead of a server).
- #
- COLOR_SET2=0
- #
- # Set the following option to 0 if rkhunter should not detect if X is
- # being used. If X is detected as being used, then the second colour
- # set will automatically be used.
- #
- AUTO_X_DETECT=1
- #
- # The following option is checked against the SSH configuration file
- # 'PermitRootLogin' option. A warning will be displayed if they do not
- # match. However, if a value has not been set in the SSH configuration
- # file, then a value here of 'yes' or 'unset' will not cause a warning.
- # This option has a default value of 'no'.
- #
- ALLOW_SSH_ROOT_USER=without-password
- #
- # Set this option to '1' to allow the use of the SSH-1 protocol, but note
- # that theoretically it is weaker, and therefore less secure, than the
- # SSH-2 protocol. Do not modify this option unless you have good reasons
- # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
- # authentication). If the 'Protocol' option has not been set in the SSH
- # configuration file, then a value of '2' may be set here in order to
- # suppress a warning message. This option has a default value of '0'.
- #
- ALLOW_SSH_PROT_V1=0
- #
- # This setting tells rkhunter the directory containing the SSH configuration
- # file. This setting will be worked out by rkhunter, and so should not
- # usually need to be set.
- #
- #SSH_CONFIG_DIR=/etc/ssh
- #
- # These two options determine which tests are to be performed.
- # The ENABLE_TESTS option can use the word 'all' to refer to all the
- # available tests. The DISABLE_TESTS option can use the word 'none' to
- # mean that no tests are disabled. The list of disabled tests is applied to
- # the list of enabled tests. Both options are space-separated lists of test
- # names. The currently available test names can be seen by using the command
- # 'rkhunter --list tests'.
- #
- # The program defaults are to enable all tests and disable none. However, if
- # either option is specified in this file, then it overrides the program
- # default. The supplied rkhunter.conf file has some tests already disabled,
- # and these are tests that will be used only incidentally, can be considered
- # "advanced" or those that are prone to produce more than the "average" number
- # of "false positives".
- #
- # Please read the README file for more details about enabling and disabling
- # tests, the test names, and how rkhunter behaves when these options are used.
- #
- # hidden_procs test requires the unhide command which is part of the unhide
- # package in Debian.
- ENABLE_TESTS="all"
- {% set disable_tests = [] %}
- {% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'guest' -%}
- {% if disable_tests.append('os_specific') %}{% endif %}
- {%- endif %}
- {% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'host' -%}
- {% if disable_tests.append('promisc') %}{% endif %}
- {%- endif %}
- DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps {{ disable_tests|join(' ') }}"
- #
- # The HASH_FUNC option can be used to specify the command to use
- # for the file hash value check. It can be specified as just
- # the command name or the full pathname. Systems using prelinking
- # are restricted to using either SHA1 or MD5 functions. To get rkhunter
- # to look for the sha1(sum)/md5(sum) command, or to use the supplied
- # perl scripts, simply specify this option as 'SHA1' or 'MD5' in
- # uppercase. The default is SHA1, or MD5 if SHA1 cannot be found.
- #
- # A value of 'NONE' (in uppercase) can be specified to indicate that
- # no hash function should be used. Rootkit Hunter will detect this and
- # automatically disable the file hash checks.
- #
- # Examples:
- # For Solaris 9 : HASH_FUNC=gmd5sum
- # For Solaris 10: HASH_FUNC=sha1sum
- # For AIX (>5.2): HASH_FUNC="csum -hMD5"
- # For NetBSD : HASH_FUNC="cksum -a sha512"
- #
- # NOTE: If the hash function is changed then you MUST run rkhunter with
- # the '--propupd' option to rebuild the file properties database.
- #
- #HASH_FUNC=sha1sum
- #
- # The HASH_FLD_IDX option specifies which field from the HASH_FUNC
- # command output contains the hash value. The fields are assumed to
- # be space-separated. The default value is one, but for *BSD users
- # rkhunter will, by default, use a value of 4 if the HASH_FUNC option
- # has not been set. The option value must be a positive integer.
- #
- #HASH_FLD_IDX=4
- #
- # The PKGMGR option tells rkhunter to use the specified package manager
- # to obtain the file property information. This is used when updating
- # the file properties file 'rkhunter.dat', and when running the file
- # properties check. For RedHat/RPM-based systems, 'RPM' can be used
- # to get information from the RPM database. For Debian-based systems
- # 'DPKG' can be used, and for *BSD systems 'BSD' can be used.
- # No value, or a value of 'NONE', indicates that no package manager
- # is to be used. The default is 'NONE'.
- #
- # The current package managers store the file hash values using an
- # MD5 hash function.
- #
- # The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
- # The 'RPM' package manager additionally provides values for the inode,
- # file permissions, uid, gid and other values.
- #
- # For any file not part of a package, rkhunter will revert to using
- # the HASH_FUNC hash function instead.
- #
- # NONE is the default for Debian as well, as running --propupd takes
- # about 4 times longer when it's set to DPKG
- #
- #PKGMGR=NONE
- #
- # Whitelist various attributes of the specified files.
- # The attributes are those of the 'attributes' test.
- # Specifying a file name here does not include it being
- # whitelisted for the write permission test below.
- # One command per line (use multiple ATTRWHITELIST lines).
- #
- #ATTRWHITELIST=/bin/ps
- #
- # Allow the specified commands to have the 'others'
- # (world) permission have the write-bit set.
- #
- # For example, files with permissions r-xr-xrwx
- # or rwxrwxrwx.
- #
- # One command per line (use multiple WRITEWHITELIST lines).
- #
- #WRITEWHITELIST=/bin/ps
- #
- # Allow the specified commands to be scripts.
- # One command per line (use multiple SCRIPTWHITELIST lines).
- #
- SCRIPTWHITELIST=/bin/egrep
- SCRIPTWHITELIST=/bin/fgrep
- SCRIPTWHITELIST=/bin/which
- SCRIPTWHITELIST=/usr/bin/groups
- SCRIPTWHITELIST=/usr/bin/ldd
- SCRIPTWHITELIST=/usr/bin/lwp-request
- SCRIPTWHITELIST=/usr/sbin/adduser
- SCRIPTWHITELIST=/usr/sbin/prelink
- #
- # Allow the specified commands to have the immutable attribute set.
- # One command per line (use multiple IMMUTWHITELIST lines).
- #
- #IMMUTWHITELIST=/sbin/ifup
- #
- # Allow the specified hidden directories.
- # One directory per line (use multiple ALLOWHIDDENDIR lines).
- #
- #ALLOWHIDDENDIR=/etc/.java
- #ALLOWHIDDENDIR=/dev/.udev
- #ALLOWHIDDENDIR=/dev/.udevdb
- #ALLOWHIDDENDIR=/dev/.udev.tdb
- #ALLOWHIDDENDIR=/dev/.static
- #ALLOWHIDDENDIR=/dev/.initramfs
- #ALLOWHIDDENDIR=/dev/.SRC-unix
- ALLOWHIDDENDIR=/dev/.mdadm
- ALLOWHIDDENDIR=/dev/.git
- #
- # Allow the specified hidden files.
- # One file per line (use multiple ALLOWHIDDENFILE lines).
- #
- #ALLOWHIDDENFILE=/etc/.java
- #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
- #ALLOWHIDDENFILE=/etc/.pwd.lock
- #ALLOWHIDDENFILE=/etc/.init.state
- ALLOWHIDDENFILE=/etc/.etckeeper
- ALLOWHIDDENFILE=/etc/.gitignore
- #
- # Allow the specified processes to use deleted files.
- # One process per line (use multiple ALLOWPROCDELFILE lines).
- #
- #ALLOWPROCDELFILE=/sbin/cardmgr
- #ALLOWPROCDELFILE=/usr/sbin/gpm
- #ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
- #ALLOWPROCDELFILE=/usr/sbin/mysqld
- #ALLOWPROCDELFILE=/usr/lib/iceweasel/firefox-bin
- #ALLOWPROCDELFILE=/usr/bin/file-roller
- #
- # Allow the specified processes to listen on any network interface.
- # One process per line (use multiple ALLOWPROCLISTEN lines).
- #
- #ALLOWPROCLISTEN=/sbin/dhclient
- #ALLOWPROCLISTEN=/sbin/dhclient3
- #ALLOWPROCLISTEN=/sbin/dhcpcd
- #ALLOWPROCLISTEN=/usr/sbin/pppoe
- #ALLOWPROCLISTEN=/usr/sbin/tcpdump
- #ALLOWPROCLISTEN=/usr/sbin/snort-plain
- #ALLOWPROCLISTEN=/sbin/wpa_supplicant
- #
- # SCAN_MODE_DEV governs how we scan /dev for suspicious files.
- # The two allowed options are: THOROUGH or LAZY.
- # If commented out we do a THOROUGH scan which will increase the runtime.
- # Even though this adds to the running time it is highly recommended to
- # leave it like this.
- #
- #SCAN_MODE_DEV=THOROUGH
- #
- # Allow the specified files to be present in the /dev directory,
- # and not regarded as suspicious. One file per line (use multiple
- # ALLOWDEVFILE lines).
- #
- #ALLOWDEVFILE=/dev/abc
- #ALLOWDEVFILE=/dev/shm/pulse-shm-*
- ALLOWDEVFILE=/dev/shm/network/ifstate
- #
- # This setting tells rkhunter where the inetd configuration
- # file is located.
- #
- #INETD_CONF_PATH=/etc/inetd.conf
- #
- # Allow the following enabled inetd services.
- # Only one service per line (use multiple INETD_ALLOWED_SVC lines).
- #
- # Below are some Solaris 9 and 10 services that may want to be whitelisted.
- #
- #INETD_ALLOWED_SVC=echo
- #INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd
- #INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto
- #INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd
- #INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
- #INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
- #INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd
- #INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd
- #INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd
- #INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd
- #INETD_ALLOWED_SVC=/usr/lib/gss/gssd
- #INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader
- #INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd
- #INETD_ALLOWED_SVC=/network/rpc/mdcomm
- #INETD_ALLOWED_SVC=/network/rpc/meta
- #INETD_ALLOWED_SVC=/network/rpc/metamed
- #INETD_ALLOWED_SVC=/network/rpc/metamh
- #INETD_ALLOWED_SVC=/network/security/ktkt_warn
- #INETD_ALLOWED_SVC=/application/x11/xfs
- #INETD_ALLOWED_SVC=/application/print/rfc1179
- #INETD_ALLOWED_SVC=/application/font/stfsloader
- #INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
- #INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp
- #INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp
- #INETD_ALLOWED_SVC=/usr/sbin/tcpd
- #
- # This setting tells rkhunter where the xinetd configuration
- # file is located.
- #
- #XINETD_CONF_PATH=/etc/xinetd.conf
- #
- # Allow the following enabled xinetd services. Whilst it would be
- # nice to use the service names themselves, at the time of testing
- # we only have the pathname available. As such, these entries are
- # the xinetd file pathnames.
- # Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
- #
- #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
- #
- # This setting tells rkhunter the local system startup file pathnames.
- # More than one file may be present on the system, and so this option
- # can be a space-separated list. This setting will be worked out by
- # rkhunter, and so should not usually need to be set.
- #
- # If the system uses a directory of local startup scripts, then rather
- # that setting all the file names here, leave this setting blank, and
- # specify the directory name in SYSTEM_RC_DIR instead.
- #
- # If the system does not use a local startup script at all, then this
- # setting can be set to 'none'. Without this, rkhunter would give a
- # warning that no local startup script could be found.
- #
- #LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit"
- #
- # This setting tells rkhunter the local system startup file directory.
- # This setting will be worked out by rkhunter, and so should not usually
- # need to be set.
- #
- #SYSTEM_RC_DIR=/etc/rc.d
- #
- # This setting tells rkhunter the pathname to the file containing the
- # user account passwords. This setting will be worked out by rkhunter,
- # and so should not usually need to be set.
- #
- #PASSWORD_FILE=/etc/shadow
- #
- # Allow the following accounts to be root equivalent. These accounts
- # will have a UID value of zero. This option is a space-separated list
- # of account names. The 'root' account does not need to be listed as it
- # is automatically whitelisted.
- #
- # Note: For *BSD systems you may need to enable this for the 'toor' account.
- #
- #UID0_ACCOUNTS="toor rooty sashroot"
- #
- # Allow the following accounts to have no password. This option is a
- # space-separated list of account names. NIS/YP entries do not need to
- # be listed as they are automatically whitelisted.
- #
- #PWDLESS_ACCOUNTS="abc"
- #
- # This setting tells rkhunter the pathname to the syslog configuration
- # file. This setting will be worked out by rkhunter, and so should not
- # usually need to be set.
- #
- #SYSLOG_CONFIG_FILE=/etc/syslog.conf
- #
- # This option permits the use of syslog remote logging.
- #
- ALLOW_SYSLOG_REMOTE_LOGGING=0
- #
- # Allow the following applications, or a specific version of an application,
- # to be whitelisted. This option is a space-separated list consisting of the
- # application names. If a specific version is to be whitelisted, then the
- # name must be followed by a colon and then the version number.
- #
- # For example: APP_WHITELIST="openssl:0.9.7d gpg"
- #
- #APP_WHITELIST=""
- #
- # Scan for suspicious files in directories containing temporary files and
- # directories posing a relatively higher risk due to user write access.
- # Please do not enable by default as suspscan is CPU and I/O intensive and prone to
- # producing false positives. Do review all settings before usage.
- # Also be aware that running suspscan in combination with verbose logging on,
- # RKH's default, will show all ignored files.
- # Please consider adding all directories the user the (web)server runs as has
- # write access to including the document root (example: "/var/www") and log
- # directories (example: "/var/log/httpd").
- #
- # A space-separated list of directories to scan.
- #
- SUSPSCAN_DIRS="/tmp /var/tmp"
- #
- # Directory for temporary files. A memory-based one is better (faster).
- # Do not use a directory name that is listed in SUSPSCAN_DIRS.
- # Please make sure you have a tempfs mounted and the directory exists.
- #
- SUSPSCAN_TEMP=/dev/shm
- #
- # Maximum filesize in bytes. Files larger than this will not be inspected.
- # Do make sure you have enough space left in your temporary files directory.
- #
- SUSPSCAN_MAXSIZE=10240000
- #
- # Score threshold. Below this value no hits will be reported.
- # A value of "200" seems "good" after testing on malware. Please adjust
- # locally if necessary.
- #
- SUSPSCAN_THRESH=200
- #
- # The following option can be used to whitelist network ports which
- # are known to have been used by malware. The option is a space-
- # separated list of one or more of three types of whitelisting.
- # These are:
- #
- # 1) a 'protocol:port' pair (e.g. TCP:25)
- # 2) a pathname to an executable (e.g. /usr/sbin/squid)
- # 3) an asterisk ('*')
- #
- # Only the UDP or TCP protocol may be specified, and the port number
- # must be between 1 and 65535 inclusive.
- #
- # The asterisk can be used to indicate that any executable in a trusted
- # path directory will be whitelisted. A trusted path directory is one which
- # rkhunter uses to locate commands. It is composed of the root PATH
- # environment variable, and the BINDIR command-line or configuration
- # file option.
- #
- # For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
- #
- #PORT_WHITELIST=""
- #
- # The following option can be used to tell rkhunter where the operating
- # system 'release' file is located. This file contains information
- # specifying the current O/S version. RKH will store this information
- # itself, and check to see if it has changed between each run. If it has
- # changed, then the user is warned that RKH may issue warning messages
- # until RKH has been run with the '--propupd' option.
- #
- # Since the contents of the file vary according to the O/S distribution,
- # RKH will perform different actions when it detects the file itself. As
- # such, this option should not be set unless necessary. If this option is
- # specified, then RKH will assume the O/S release information is on the
- # first non-blank line of the file.
- #
- #OS_VERSION_FILE="/etc/release"
- #
- # The following two options can be used to whitelist files and directories
- # that would normally be flagged with a warning during the rootkit checks.
- # If the file or directory name contains a space, then the percent character
- # ('%') must be used instead. Only existing files and directories can be
- # specified.
- #
- #RTKT_DIR_WHITELIST=""
- #RTKT_FILE_WHITELIST=""
- #
- # To force rkhunter to use the supplied script for the 'stat' or 'readlink'
- # command, then the following two options can be used. The value must be
- # set to 'BUILTIN'.
- #
- # NOTE: IRIX users will probably need to enable STAT_CMD.
- #
- #STAT_CMD=BUILTIN
- #READLINK_CMD=BUILTIN
- INSTALLDIR="/usr"
|