squeeze.conf.j2 31 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861
  1. {% if ansible_controlled is defined and ansible_controlled != "" %}
  2. #
  3. # {{ ansible_controlled }}
  4. #
  5. {% endif %}
  6. #
  7. # This is the main configuration file for Rootkit Hunter.
  8. #
  9. # You can either modify this file directly, or you can create a local
  10. # configuration file. The local file must be named 'rkhunter.conf.local',
  11. # and must reside in the same directory as this file. Please modify one
  12. # or both files to your own requirements.
  13. #
  14. # Please review the documentation before posting bug reports or questions.
  15. # To report bugs, obtain updates, or provide patches or comments, please go to:
  16. # http://rkhunter.sourceforge.net
  17. #
  18. # To ask questions about rkhunter, please use the rkhunter-users mailing list.
  19. # Note this is a moderated list: please subscribe before posting.
  20. #
  21. # Lines beginning with a hash (#), and blank lines, are ignored.
  22. # End-of-line comments are not supported.
  23. #
  24. # Most of the following options need only be specified once. If
  25. # they appear more than once, then the last one seen will be used.
  26. # Some options are allowed to appear more than once, and the text
  27. # describing the option will say if this is so.
  28. #
  29. #
  30. # If this option is set to 1, it specifies that the mirrors file
  31. # ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
  32. # options are used, is to be rotated. Rotating the entries in the file
  33. # allows a basic form of load-balancing between the mirror sites whenever
  34. # the above options are used.
  35. # If the option is set to 0, then the mirrors will be treated as if in
  36. # a priority list. That is, the first mirror listed will always be used
  37. # first. The second mirror will only be used if the first mirror fails,
  38. # the third mirror will only be used if the second mirror fails, and so on.
  39. #
  40. # If the mirrors file is read-only, then the '--versioncheck' command-line
  41. # option can only be used if this option is set to 0.
  42. #
  43. ROTATE_MIRRORS=1
  44. #
  45. # If this option is set to 1, it specifies that when the '--update'
  46. # option is used, then the mirrors file is to be checked for updates
  47. # as well. If the current mirrors file contains any local mirrors,
  48. # these will be prepended to the updated file.
  49. # If this option is set to 0, the mirrors file can only be updated
  50. # manually. This may be useful if only using local mirrors.
  51. #
  52. UPDATE_MIRRORS=1
  53. #
  54. # The MIRRORS_MODE option tells rkhunter which mirrors are to be
  55. # used when the '--update' or '--versioncheck' command-line options
  56. # are given. Possible values are:
  57. # 0 - use any mirror (the default)
  58. # 1 - only use local mirrors
  59. # 2 - only use remote mirrors
  60. #
  61. # Local and remote mirrors can be defined in the mirrors file
  62. # by using the 'local=' and 'remote=' keywords respectively.
  63. #
  64. MIRRORS_MODE=0
  65. #
  66. # Email a message to this address if a warning is found when the
  67. # system is being checked. Multiple addresses may be specified
  68. # simply be separating them with a space. Setting this option to
  69. # null disables the option.
  70. #
  71. # NOTE: This option should be present in the configuration file.
  72. #
  73. #MAIL-ON-WARNING=me@mydomain root@mydomain
  74. MAIL-ON-WARNING=""
  75. #
  76. # Specify the mail command to use if MAIL-ON-WARNING is set.
  77. # NOTE: Double quotes are not required around the command, but
  78. # are required around the subject line if it contains spaces.
  79. #
  80. MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
  81. #
  82. # Specify the temporary directory to use.
  83. #
  84. # NOTE: Do not use /tmp as your temporary directory. Some
  85. # important files will be written to this directory, so be
  86. # sure that the directory permissions are tight.
  87. #
  88. TMPDIR=/var/lib/rkhunter/tmp
  89. #
  90. # Specify the database directory to use.
  91. #
  92. DBDIR=/var/lib/rkhunter/db
  93. #
  94. # Specify the script directory to use.
  95. #
  96. SCRIPTDIR=/usr/share/rkhunter/scripts
  97. #
  98. # Specify the root directory to use.
  99. #
  100. #ROOTDIR=""
  101. #
  102. # Specify the command directories to be checked. This is a
  103. # space-separated list of directories.
  104. #
  105. BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"
  106. #
  107. # Specify the default language to use. This should be similar
  108. # to the ISO 639 language code.
  109. #
  110. # NOTE: Please ensure that the language you specify is supported.
  111. # For a list of supported languages use the following command:
  112. #
  113. # rkhunter --lang en --list languages
  114. #
  115. #LANGUAGE=en
  116. #
  117. # This option is a space-separated list of the languages that are to
  118. # be updated when the '--update' option is used. If unset, then all
  119. # the languages will be updated. If none of the languages are to be
  120. # updated, then set this option to just 'en'.
  121. #
  122. # The default is for all the languages to be updated. The default
  123. # language, specified above, and the English (en) language file will
  124. # always be updated regardless of this option.
  125. #
  126. UPDATE_LANG=""
  127. #
  128. # Specify the log file pathname.
  129. #
  130. # NOTE: This option should be present in the configuration file.
  131. #
  132. LOGFILE=/var/log/rkhunter.log
  133. #
  134. # Set the following option to 1 if the log file is to be appended to
  135. # whenever rkhunter is run.
  136. #
  137. APPEND_LOG=0
  138. #
  139. # Set the following option to 1 if the log file is to be copied when
  140. # rkhunter finishes and an error or warning has occurred. The copied
  141. # log file name will be appended with the current date and time
  142. # (in YYYY-MM-DD_HH:MM:SS format).
  143. # For example: rkhunter.log.2009-04-21_00:57:51
  144. #
  145. COPY_LOG_ON_ERROR=0
  146. #
  147. # Set the following option to enable the rkhunter check start and finish
  148. # times to be logged by syslog. Warning messages will also be logged.
  149. # The value of the option must be a standard syslog facility and
  150. # priority, separated by a dot.
  151. #
  152. # For example: USE_SYSLOG=authpriv.warning
  153. #
  154. # Setting the value to 'none', or just leaving the option commented out,
  155. # disables the use of syslog.
  156. #
  157. #USE_SYSLOG=authpriv.notice
  158. #
  159. # Set the following option to 1 if the second colour set is to be used.
  160. # This can be useful if your screen uses black characters on a white
  161. # background (for example, a PC instead of a server).
  162. #
  163. COLOR_SET2=0
  164. #
  165. # Set the following option to 0 if rkhunter should not detect if X is
  166. # being used. If X is detected as being used, then the second colour
  167. # set will automatically be used.
  168. #
  169. AUTO_X_DETECT=1
  170. #
  171. # Set the following option to 1 if it is wanted that any 'Whitelisted'
  172. # results are shown in white rather than green. For colour set 2 users,
  173. # setting this option will cause the result to be shown in black.
  174. #
  175. WHITELISTED_IS_WHITE=0
  176. #
  177. # The following option is checked against the SSH configuration file
  178. # 'PermitRootLogin' option. A warning will be displayed if they do not
  179. # match. However, if a value has not been set in the SSH configuration
  180. # file, then a value here of 'yes' or 'unset' will not cause a warning.
  181. # This option has a default value of 'no'.
  182. #
  183. ALLOW_SSH_ROOT_USER=without-password
  184. #
  185. # Set this option to '1' to allow the use of the SSH-1 protocol, but note
  186. # that theoretically it is weaker, and therefore less secure, than the
  187. # SSH-2 protocol. Do not modify this option unless you have good reasons
  188. # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
  189. # authentication). If the 'Protocol' option has not been set in the SSH
  190. # configuration file, then a value of '2' may be set here in order to
  191. # suppress a warning message. This option has a default value of '0'.
  192. #
  193. ALLOW_SSH_PROT_V1=0
  194. #
  195. # This setting tells rkhunter the directory containing the SSH configuration
  196. # file. This setting will be worked out by rkhunter, and so should not
  197. # usually need to be set.
  198. #
  199. #SSH_CONFIG_DIR=/etc/ssh
  200. #
  201. # These two options determine which tests are to be performed.
  202. # The ENABLE_TESTS option can use the word 'all' to refer to all the
  203. # available tests. The DISABLE_TESTS option can use the word 'none' to
  204. # mean that no tests are disabled. The list of disabled tests is applied to
  205. # the list of enabled tests. Both options are space-separated lists of test
  206. # names. The currently available test names can be seen by using the command
  207. # 'rkhunter --list tests'.
  208. #
  209. # The program defaults are to enable all tests and disable none. However, if
  210. # either option is specified in this file, then it overrides the program
  211. # default. The supplied rkhunter.conf file has some tests already disabled,
  212. # and these are tests that will be used only incidentally, can be considered
  213. # "advanced" or those that are prone to produce more than the "average" number
  214. # of "false positives".
  215. #
  216. # Please read the README file for more details about enabling and disabling
  217. # tests, the test names, and how rkhunter behaves when these options are used.
  218. #
  219. # hidden_procs test requires the unhide command which is part of the unhide
  220. # package in Debian.
  221. #
  222. # apps test is disabled by default as it triggers warnings about outdated
  223. # applications (and warns about possible security risk: we better trust
  224. # the Debian Security Team).
  225. #
  226. ENABLE_TESTS="all"
  227. {% set disable_tests = [] %}
  228. {% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'guest' %}
  229. {% if disable_tests.append('os_specific') %}{% endif %}
  230. {%- endif %}
  231. {% if not ansible_virtualization_role is defined or ansible_virtualization_role != 'host' %}
  232. {% if disable_tests.append('promisc') %}{% endif %}
  233. {%- endif %}
  234. DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps {{ disable_tests|join(' ') }}"
  235. #
  236. # The HASH_FUNC option can be used to specify the command to use
  237. # for the file hash value check. It can be specified as just the
  238. # command name or the full pathname. If just the command name is
  239. # given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or
  240. # SHA512, then rkhunter will first look for the relevant command,
  241. # such as 'sha256sum', and then for 'sha256'. If neither of these
  242. # are found, it will then look to see if a perl module has been
  243. # installed which will support the relevant hash function.
  244. #
  245. # The default is SHA1, or MD5 if SHA1 cannot be found.
  246. #
  247. # Systems using prelinking are restricted to using either the
  248. # SHA1 or MD5 function.
  249. #
  250. # A value of 'NONE' (in uppercase) can be specified to indicate that
  251. # no hash function should be used. Rootkit Hunter will detect this and
  252. # automatically disable the file hash checks.
  253. #
  254. # Examples:
  255. # For Solaris 9 : HASH_FUNC=gmd5sum
  256. # For Solaris 10: HASH_FUNC=sha1sum
  257. # For AIX (>5.2): HASH_FUNC="csum -hMD5"
  258. # For NetBSD : HASH_FUNC="cksum -a sha512"
  259. #
  260. # NOTE: If the hash function is changed then you MUST run rkhunter with
  261. # the '--propupd' option to rebuild the file properties database.
  262. #
  263. #HASH_FUNC=sha1sum
  264. #
  265. # The HASH_FLD_IDX option specifies which field from the HASH_FUNC
  266. # command output contains the hash value. The fields are assumed to
  267. # be space-separated. The default value is one, but for *BSD users
  268. # rkhunter will, by default, use a value of 4 if the HASH_FUNC option
  269. # has not been set. The option value must be a positive integer.
  270. #
  271. #HASH_FLD_IDX=4
  272. #
  273. # The PKGMGR option tells rkhunter to use the specified package manager
  274. # to obtain the file property information. This is used when updating
  275. # the file properties file ('rkhunter.dat'), and when running the file
  276. # properties check. For RedHat/RPM-based systems, 'RPM' can be used
  277. # to get information from the RPM database. For Debian-based systems
  278. # 'DPKG' can be used, and for *BSD systems 'BSD' can be used.
  279. # No value, or a value of 'NONE', indicates that no package manager
  280. # is to be used. The default is 'NONE'.
  281. #
  282. # The current package managers store the file hash values using an
  283. # MD5 hash function.
  284. #
  285. # The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
  286. # The 'RPM' package manager additionally provides values for the inode,
  287. # file permissions, uid, gid and other values.
  288. #
  289. # For any file not part of a package, rkhunter will revert to using
  290. # the HASH_FUNC hash function instead.
  291. #
  292. # Whenever this option is changed 'rkhunter --propupd' must be run.
  293. #
  294. # NONE is the default for Debian as well, as running --propupd takes
  295. # about 4 times longer when it's set to DPKG
  296. #
  297. #PKGMGR=NONE
  298. #
  299. # It is possible that a file which is part of a package may be modified
  300. # by the administrator. Typically this occurs for configuration files.
  301. # However, the RPM verify function may list the file as being modified,
  302. # it does for some but not for others depending on how the package was
  303. # built. The PKGMGR_NO_VRFY option is a space-separated list of file
  304. # pathnames which are to be exempt from the package manager verification
  305. # process, and which will be treated as non-packaged files. As such, the
  306. # files properties are still checked.
  307. #
  308. # This option may be used more than once. It only takes effect if the
  309. # PKGMGR option has been set, and is not 'NONE'.
  310. #
  311. # Whenever this option is changed 'rkhunter --propupd' must be run.
  312. #
  313. #PKGMGR_NO_VRFY=""
  314. #
  315. # This option is a space-separated list of command pathnames. Rkhunter will
  316. # ignore any prelink dependency errors for the given files. However, a
  317. # warning will be issued if the error does not occur. As such this option
  318. # must only be used on commands which experience a persistent problem.
  319. #
  320. # Short-term prelink dependency errors can usually be resolved simply by
  321. # running the prelink command on the given pathname.
  322. #
  323. # NOTE: The command 'rkhunter --propupd' must be run whenever this option
  324. # is changed.
  325. #
  326. #IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top"
  327. #
  328. # This option is a space-separated list of commands, directories and file
  329. # pathnames. This option can be specified more than once.
  330. #
  331. # Whenever this option is changed, 'rkhunter --propupd' must be run.
  332. #
  333. # Simple command names - for example, 'top' - and directory names are
  334. # added to the internal list of directories to be searched for each of
  335. # the command names in the command list. Additionally, full pathnames
  336. # to files, which need not be commands, may be given. Any files or
  337. # directories which are already part of the internal lists will be
  338. # silently ignored from the configuration.
  339. #
  340. # Normal globbing wildcards are allowed, except for simple command names.
  341. # For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
  342. #
  343. # Specific files may be excluded by preceding their name with an
  344. # exclamation mark (!). For example, '!/opt/top'. By combining this
  345. # with wildcarding, whole directories can be excluded. For example,
  346. # '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
  347. # two directory levels of '/etc'. However, anything in '/etc/rc0.d',
  348. # '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
  349. #
  350. # NOTE: Only files and directories which have been added by the user,
  351. # and are not part of the internal lists, can be excluded. So, for
  352. # example, it is not possible to exclude the 'ps' command by using
  353. # '!/bin/ps'. These will be silently ignored from the configuration.
  354. #
  355. #USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
  356. #USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
  357. #USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
  358. #USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
  359. #USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
  360. #USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
  361. #USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"
  362. #
  363. # Whitelist various attributes of the specified files.
  364. # The attributes are those of the 'attributes' test.
  365. # Specifying a file name here does not include it being
  366. # whitelisted for the write permission test below.
  367. # One command per line (use multiple ATTRWHITELIST lines).
  368. #
  369. #ATTRWHITELIST=/bin/ps
  370. #
  371. # Allow the specified commands to have the 'others'
  372. # (world) permission have the write-bit set.
  373. #
  374. # For example, files with permissions r-xr-xrwx
  375. # or rwxrwxrwx.
  376. #
  377. # One command per line (use multiple WRITEWHITELIST lines).
  378. #
  379. #WRITEWHITELIST=/bin/ps
  380. #
  381. # Allow the specified commands to be scripts.
  382. # One command per line (use multiple SCRIPTWHITELIST lines).
  383. #
  384. SCRIPTWHITELIST=/bin/egrep
  385. SCRIPTWHITELIST=/bin/fgrep
  386. SCRIPTWHITELIST=/bin/which
  387. SCRIPTWHITELIST=/usr/bin/groups
  388. SCRIPTWHITELIST=/usr/bin/ldd
  389. SCRIPTWHITELIST=/usr/bin/lwp-request
  390. SCRIPTWHITELIST=/usr/sbin/adduser
  391. SCRIPTWHITELIST=/usr/sbin/prelink
  392. #
  393. # Allow the specified commands to have the immutable attribute set.
  394. # One command per line (use multiple IMMUTWHITELIST lines).
  395. #
  396. #IMMUTWHITELIST=/sbin/ifup
  397. #
  398. # Allow the specified hidden directories.
  399. # One directory per line (use multiple ALLOWHIDDENDIR lines).
  400. #
  401. ALLOWHIDDENDIR=/etc/.java
  402. ALLOWHIDDENDIR=/dev/.udev
  403. #ALLOWHIDDENDIR=/dev/.udevdb
  404. #ALLOWHIDDENDIR=/dev/.udev.tdb
  405. #ALLOWHIDDENDIR=/dev/.static
  406. ALLOWHIDDENDIR=/dev/.initramfs
  407. #ALLOWHIDDENDIR=/dev/.SRC-unix
  408. ALLOWHIDDENDIR=/dev/.mdadm
  409. ALLOWHIDDENDIR=/dev/.git
  410. #
  411. # Allow the specified hidden files.
  412. # One file per line (use multiple ALLOWHIDDENFILE lines).
  413. #
  414. #ALLOWHIDDENFILE=/etc/.java
  415. #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
  416. #ALLOWHIDDENFILE=/etc/.pwd.lock
  417. #ALLOWHIDDENFILE=/etc/.init.state
  418. #ALLOWHIDDENFILE=/lib/.libcrypto.so.0.9.8e.hmac
  419. #ALLOWHIDDENFILE=/lib/.libcrypto.so.6.hmac
  420. #ALLOWHIDDENFILE=/lib/.libssl.so.0.9.8e.hmac
  421. #ALLOWHIDDENFILE=/lib/.libssl.so.6.hmac
  422. #ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
  423. #ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
  424. #ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
  425. #ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.hmac
  426. #ALLOWHIDDENFILE=/usr/lib/.libgcrypt.so.11.hmac
  427. #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
  428. #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
  429. #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha384hmac.hmac
  430. #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha512hmac.hmac
  431. #ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
  432. #ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
  433. ALLOWHIDDENFILE=/etc/.etckeeper
  434. ALLOWHIDDENFILE=/etc/.gitignore
  435. #
  436. # Allow the specified processes to use deleted files.
  437. # One process per line (use multiple ALLOWPROCDELFILE lines).
  438. #
  439. # The process name may be followed by a colon-separated list
  440. # of full pathnames. The process will then only be whitelisted
  441. # if it is using one of the given files. For example:
  442. #
  443. # ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
  444. #
  445. #ALLOWPROCDELFILE=/sbin/cardmgr
  446. #ALLOWPROCDELFILE=/usr/sbin/gpm
  447. #ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
  448. #ALLOWPROCDELFILE=/usr/sbin/mysqld
  449. #ALLOWPROCDELFILE=/usr/lib/iceweasel/firefox-bin
  450. #ALLOWPROCDELFILE=/usr/bin/file-roller
  451. #
  452. # Allow the specified network interfaces to be in promiscuous mode.
  453. # This is a space-separated list of interface names.
  454. #
  455. #ALLOWPROMISCIF="eth0"
  456. #
  457. # Allow the specified processes to listen on any network interface.
  458. # One process per line (use multiple ALLOWPROCLISTEN lines).
  459. #
  460. #ALLOWPROCLISTEN=/usr/sbin/pppoe
  461. #ALLOWPROCLISTEN=/usr/sbin/tcpdump
  462. #ALLOWPROCLISTEN=/usr/sbin/snort-plain
  463. #ALLOWPROCLISTEN=/sbin/dhclient3
  464. #ALLOWPROCLISTEN=/sbin/dhcpcd
  465. #
  466. # SCAN_MODE_DEV governs how we scan /dev for suspicious files.
  467. # The two allowed options are: THOROUGH or LAZY.
  468. # If commented out we do a THOROUGH scan which will increase the runtime.
  469. # Even though this adds to the running time it is highly recommended to
  470. # leave it like this.
  471. #
  472. #SCAN_MODE_DEV=THOROUGH
  473. #
  474. # The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
  475. # perform a basic check, or a more thorough check. If the option is set to 0,
  476. # then a basic check is performed. If it is set to 1, then all the directries
  477. # in the /etc and /usr directories are scanned. The default value is 0. Users
  478. # should note that setting this option to 1 will cause the test to take longer
  479. # to complete.
  480. #
  481. #PHALANX2_DIRTEST=0
  482. #
  483. # Allow the specified files to be present in the /dev directory,
  484. # and not regarded as suspicious. One file per line (use multiple
  485. # ALLOWDEVFILE lines).
  486. #
  487. ALLOWDEVFILE=/dev/shm/network/ifstate
  488. #ALLOWDEVFILE=/dev/abc
  489. #ALLOWDEVFILE=/dev/shm/pulse-shm-*
  490. #ALLOWDEVFILE=/dev/shm/sem.ADBE_ReadPrefs_*
  491. #ALLOWDEVFILE=/dev/shm/sem.ADBE_REL_*
  492. #ALLOWDEVFILE=/dev/shm/sem.ADBE_WritePrefs_*
  493. #
  494. # This setting tells rkhunter where the inetd configuration
  495. # file is located.
  496. #
  497. #INETD_CONF_PATH=/etc/inetd.conf
  498. #
  499. # Allow the following enabled inetd services.
  500. # Only one service per line (use multiple INETD_ALLOWED_SVC lines).
  501. #
  502. # For non-Solaris users the simple service name should be used.
  503. # For example:
  504. #
  505. # INETD_ALLOWED_SVC=echo
  506. #
  507. # For Solaris 9 users the simple service name should also be used, but
  508. # if it is an RPC service, then the executable pathname should be used.
  509. # For example:
  510. #
  511. # INETD_ALLOWED_SVC=imaps
  512. # INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
  513. # INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
  514. #
  515. # For Solaris 10 users the service/FMRI name should be used. For example:
  516. #
  517. # INETD_ALLOWED_SVC=/network/rpc/meta
  518. # INETD_ALLOWED_SVC=/network/rpc/metamed
  519. # INETD_ALLOWED_SVC=/application/font/stfsloader
  520. # INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
  521. #
  522. #INETD_ALLOWED_SVC=echo
  523. #INETD_ALLOWED_SVC=/usr/sbin/tcpd
  524. #
  525. # This setting tells rkhunter where the xinetd configuration
  526. # file is located.
  527. #
  528. #XINETD_CONF_PATH=/etc/xinetd.conf
  529. #
  530. # Allow the following enabled xinetd services. Whilst it would be
  531. # nice to use the service names themselves, at the time of testing
  532. # we only have the pathname available. As such, these entries are
  533. # the xinetd file pathnames.
  534. # Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
  535. #
  536. #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
  537. #
  538. # This option tells rkhunter the local system startup file pathnames.
  539. # It is a space-separated list of files and directories. The directories
  540. # will be searched for files. By default rkhunter will use certain
  541. # filenames and directories. If the option is set to 'none', then
  542. # certain tests will be skipped.
  543. #
  544. #STARTUP_PATHS="/etc/init.d /etc/rc.local"
  545. #
  546. # This setting tells rkhunter the pathname to the file containing the
  547. # user account passwords. This setting will be worked out by rkhunter,
  548. # and so should not usually need to be set. Users of TCB shadow files
  549. # should not set this option.
  550. #
  551. #PASSWORD_FILE=/etc/shadow
  552. #
  553. # Allow the following accounts to be root equivalent. These accounts
  554. # will have a UID value of zero. This option is a space-separated list
  555. # of account names. The 'root' account does not need to be listed as it
  556. # is automatically whitelisted.
  557. #
  558. # NOTE: For *BSD systems you may need to enable this for the 'toor' account.
  559. #
  560. #UID0_ACCOUNTS="toor rooty sashroot"
  561. #
  562. # Allow the following accounts to have no password. This option is a
  563. # space-separated list of account names. NIS/YP entries do not need to
  564. # be listed as they are automatically whitelisted.
  565. #
  566. #PWDLESS_ACCOUNTS="abc"
  567. #
  568. # This setting tells rkhunter the pathname to the syslog configuration
  569. # file. This setting will be worked out by rkhunter, and so should not
  570. # usually need to be set. A value of 'NONE' can be used to indicate
  571. # that there is no configuration file, but that the syslog daemon process
  572. # may be running.
  573. #
  574. #SYSLOG_CONFIG_FILE=/etc/syslog.conf
  575. #
  576. # This option permits the use of syslog remote logging.
  577. #
  578. ALLOW_SYSLOG_REMOTE_LOGGING=0
  579. #
  580. # Allow the following applications, or a specific version of an application,
  581. # to be whitelisted. This option is a space-separated list consisting of the
  582. # application names. If a specific version is to be whitelisted, then the
  583. # name must be followed by a colon and then the version number.
  584. #
  585. # For example: APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
  586. #
  587. # Note above that for the Apache web server, the name 'httpd' is used.
  588. #
  589. #APP_WHITELIST=""
  590. #
  591. # Scan for suspicious files in directories containing temporary files and
  592. # directories posing a relatively higher risk due to user write access.
  593. # Please do not enable by default as suspscan is CPU and I/O intensive and prone to
  594. # producing false positives. Do review all settings before usage.
  595. # Also be aware that running suspscan in combination with verbose logging on,
  596. # RKH's default, will show all ignored files.
  597. # Please consider adding all directories the user the (web)server runs as has
  598. # write access to including the document root (example: "/var/www") and log
  599. # directories (example: "/var/log/httpd").
  600. #
  601. # A space-separated list of directories to scan.
  602. #
  603. SUSPSCAN_DIRS="/tmp /var/tmp"
  604. #
  605. # Directory for temporary files. A memory-based one is better (faster).
  606. # Do not use a directory name that is listed in SUSPSCAN_DIRS.
  607. # Please make sure you have a tempfs mounted and the directory exists.
  608. #
  609. SUSPSCAN_TEMP=/dev/shm
  610. #
  611. # Maximum filesize in bytes. Files larger than this will not be inspected.
  612. # Do make sure you have enough space left in your temporary files directory.
  613. #
  614. SUSPSCAN_MAXSIZE=10240000
  615. #
  616. # Score threshold. Below this value no hits will be reported.
  617. # A value of "200" seems "good" after testing on malware. Please adjust
  618. # locally if necessary.
  619. #
  620. SUSPSCAN_THRESH=200
  621. #
  622. # The following option can be used to whitelist network ports which
  623. # are known to have been used by malware. The option is a space-
  624. # separated list of one or more of three types of whitelisting.
  625. # These are:
  626. #
  627. # 1) a 'protocol:port' pair (e.g. TCP:25)
  628. # 2) a pathname to an executable (e.g. /usr/sbin/squid)
  629. # 3) an asterisk ('*')
  630. #
  631. # Only the UDP or TCP protocol may be specified, and the port number
  632. # must be between 1 and 65535 inclusive.
  633. #
  634. # The asterisk can be used to indicate that any executable in a trusted
  635. # path directory will be whitelisted. A trusted path directory is one which
  636. # rkhunter uses to locate commands. It is composed of the root PATH
  637. # environment variable, and the BINDIR command-line or configuration
  638. # file option.
  639. #
  640. # For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
  641. #
  642. #PORT_WHITELIST=""
  643. #
  644. # The following option can be used to tell rkhunter where the operating
  645. # system 'release' file is located. This file contains information
  646. # specifying the current O/S version. RKH will store this information
  647. # itself, and check to see if it has changed between each run. If it has
  648. # changed, then the user is warned that RKH may issue warning messages
  649. # until RKH has been run with the '--propupd' option.
  650. #
  651. # Since the contents of the file vary according to the O/S distribution,
  652. # RKH will perform different actions when it detects the file itself. As
  653. # such, this option should not be set unless necessary. If this option is
  654. # specified, then RKH will assume the O/S release information is on the
  655. # first non-blank line of the file.
  656. #
  657. #OS_VERSION_FILE="/etc/debian_version"
  658. #
  659. # The following two options can be used to whitelist files and directories
  660. # that would normally be flagged with a warning during the rootkit and
  661. # malware checks. They are both space-separated lists, and as such if the
  662. # file or directory name contains a space, then the percent character ('%')
  663. # must be used instead. Only existing files and directories can be specified,
  664. # and these must be full pathnames not links.
  665. #
  666. # NOTE: It is recommended that if you whitelist any files, then you include
  667. # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
  668. # configuration option.
  669. #
  670. #RTKT_DIR_WHITELIST=""
  671. #RTKT_FILE_WHITELIST=""
  672. #
  673. # The following option can be used to whitelist shared library files that would
  674. # normally be flagged with a warning during the preloaded shared library check.
  675. # These library pathnames usually exist in the '/etc/ld.so.preload' file. This is
  676. # a space-separated list of library pathnames.
  677. #
  678. # NOTE: It is recommended that if you whitelist any files, then you include
  679. # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
  680. # configuration option.
  681. #
  682. #SHARED_LIB_WHITELIST="/lib/snoopy.so"
  683. #
  684. # To force rkhunter to use the supplied script for the 'stat' or 'readlink'
  685. # command, then the following two options can be used. The value must be
  686. # set to 'BUILTIN'.
  687. #
  688. # NOTE: IRIX users will probably need to enable STAT_CMD.
  689. #
  690. #STAT_CMD=BUILTIN
  691. #READLINK_CMD=BUILTIN
  692. #
  693. # In the file properties test any modification date/time is displayed as the
  694. # number of epoch seconds. Rkhunter will try and use the 'date' command, or
  695. # failing that the 'perl' command, to display the date and time in a
  696. # human-readable format as well. This option may be used if some other command
  697. # should be used instead. The given command must understand the '%s' and
  698. # 'seconds ago' options found in the GNU date command.
  699. #
  700. # A value of 'NONE' may be used to request that only the epoch seconds be shown.
  701. # A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
  702. # it is present.
  703. #
  704. #EPOCH_DATE_CMD=""
  705. #
  706. # This setting tells rkhunter the directory containing the available
  707. # kernel modules. This setting will be worked out by rkhunter, and
  708. # so should not usually need to be set.
  709. #
  710. #MODULES_DIR=""
  711. #
  712. # The following option can be set to a command which rkhunter will use when
  713. # downloading files from the Internet - that is, when the '--update' or
  714. # '--versioncheck' option is used. The command can take options.
  715. #
  716. # This allows the user to use a command other than the one automatically
  717. # selected by rkhunter, but still one which it already knows about.
  718. #
  719. # For example: WEBCMD=curl
  720. #
  721. # Alternatively, the user may specify a completely new command. However, note
  722. # that rkhunter expects the downloaded file to be written to stdout, and that
  723. # everything written to stderr is ignored.
  724. #
  725. # For example: WEBCMD="/opt/bin/dlfile --timeout 5m -q"
  726. #
  727. #WEBCMD=""
  728. #
  729. # Set the following option to 0 if you do not want to receive a warning if
  730. # any O/S information has changed since the last run of 'rkhunter --propupd'.
  731. # The warnings occur during the file properties check. The default is to
  732. # issue a warning if something has changed.
  733. #
  734. #WARN_ON_OS_CHANGE=1
  735. #
  736. # Set the following option to 1 if you want rkhunter to automatically run
  737. # a file properties update ('--propupd') if the O/S has changed. Detection
  738. # of an O/S change occurs during the file properties check. The default is
  739. # not to do an automatic update.
  740. #
  741. # WARNING: Only set this option if you are sure that the update will work
  742. # correctly. That is, that the database directory is writeable, that a valid
  743. # hash function is available, and so on. This can usually be checked simply
  744. # by running 'rkhunter --propupd' at least once.
  745. #
  746. #UPDT_ON_OS_CHANGE=0
  747. #
  748. # Set the following option to 1 if locking is to be used when rkhunter runs.
  749. # The lock is set just before logging starts, and is removed when the program
  750. # ends. It is used to prevent items such as the log file, and the file
  751. # properties file, from becoming corrupted if rkhunter is running more than
  752. # once. The mechanism used is to simply create a lock file in the TMPDIR
  753. # directory. If the lock file already exists, because rkhunter is already
  754. # running, then the current process simply loops around sleeping for 10 seconds
  755. # and then retrying the lock.
  756. #
  757. # The default is not to use locking.
  758. #
  759. USE_LOCKING=0
  760. #
  761. # If locking is used, then rkhunter may have to wait to get the lock file.
  762. # This option sets the total amount of time, in seconds, that rkhunter should
  763. # wait. It will retry the lock every 10 seconds, until either it obtains the
  764. # lock or the timeout value has been reached. If no value is set, then a
  765. # default of 300 seconds (5 minutes) is used.
  766. #
  767. LOCK_TIMEOUT=300
  768. #
  769. # If locking is used, then rkhunter may be doing nothing for some time if it
  770. # has to wait for the lock. Some simple messages are echo'd to the users screen
  771. # to let them know that rkhunter is waiting for the lock. Set this option to 0
  772. # if the messages are not to be displayed. The default is to show them.
  773. #
  774. SHOW_LOCK_MSGS=1
  775. #
  776. # If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
  777. # will search (on a per rootkit basis) for filenames in all of the directories (as defined
  778. # by the result of running 'find "${RKHROOTDIR}/" -xdev'). While still not optimal, as it
  779. # still searches for only file names as opposed to file contents, this is one step away
  780. # from the rigidity of searching in known (evidence) or default (installation) locations.
  781. #
  782. # THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT
  783. # You should only activate this feature as part of a more thorough investigation which
  784. # should be based on relevant best practices and procedures.
  785. # Enabling this feature implies you have the knowledge to interprete results properly.
  786. #
  787. #SCANROOTKITMODE=THOROUGH
  788. INSTALLDIR="/usr"