# # This is the main configuration file for Rootkit Hunter. # # You can either modify this file directly, or you can create a local # configuration file. The local file must be named 'rkhunter.conf.local', # and must reside in the same directory as this file. Please modify one # or both files to your own requirements. It is suggested that the # command 'rkhunter -C' is run after any changes have been made. # # Please review the documentation before posting bug reports or questions. # To report bugs, obtain updates, or provide patches or comments, please go to: # http://rkhunter.sourceforge.net # # To ask questions about rkhunter, please use the rkhunter-users mailing list. # Note this is a moderated list: please subscribe before posting. # # Lines beginning with a hash (#), and blank lines, are ignored. # End-of-line comments are not supported. # # Most of the following options need only be specified once. If # they appear more than once, then the last one seen will be used. # Some options are allowed to appear more than once, and the text # describing the option will say if this is so. # # Some of the options are space-separated lists of pathnames. If # wildcard characters (globbing) are allowed in the list, then the # text describing the option will say so. # # Space-separated lists may be enclosed by quotes, but these must only # appear at the start and end of the list, not in the middle. # # For example: XXX="abc def gh" (correct) # XXX="abc" "def" "gh" (incorrect) # # # If this option is set to 1, it specifies that the mirrors file # ('mirrors.dat'), which is used when the '--update' and '--versioncheck' # options are used, is to be rotated. Rotating the entries in the file # allows a basic form of load-balancing between the mirror sites whenever # the above options are used. # If the option is set to 0, then the mirrors will be treated as if in # a priority list. That is, the first mirror listed will always be used # first. The second mirror will only be used if the first mirror fails, # the third mirror will only be used if the second mirror fails, and so on. # # If the mirrors file is read-only, then the '--versioncheck' command-line # option can only be used if this option is set to 0. # ROTATE_MIRRORS=1 # # If this option is set to 1, it specifies that when the '--update' # option is used, then the mirrors file is to be checked for updates # as well. If the current mirrors file contains any local mirrors, # these will be prepended to the updated file. # If this option is set to 0, the mirrors file can only be updated # manually. This may be useful if only using local mirrors. # UPDATE_MIRRORS=1 # # The MIRRORS_MODE option tells rkhunter which mirrors are to be # used when the '--update' or '--versioncheck' command-line options # are given. Possible values are: # 0 - use any mirror (the default) # 1 - only use local mirrors # 2 - only use remote mirrors # # Local and remote mirrors can be defined in the mirrors file # by using the 'local=' and 'remote=' keywords respectively. # MIRRORS_MODE=0 # # Email a message to this address if a warning is found when the # system is being checked. Multiple addresses may be specified # simply be separating them with a space. Setting this option to # null disables the option. # # NOTE: This option should be present in the configuration file. # #MAIL-ON-WARNING=me@mydomain root@mydomain MAIL-ON-WARNING="" # # Specify the mail command to use if MAIL-ON-WARNING is set. # # NOTE: Double quotes are not required around the command, but # are required around the subject line if it contains spaces. # MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" # # Specify the temporary directory to use. # # NOTE: Do not use /tmp as your temporary directory. Some # important files will be written to this directory, so be # sure that the directory permissions are tight. # TMPDIR=/var/lib/rkhunter/tmp # # Specify the database directory to use. # DBDIR=/var/lib/rkhunter/db # # Specify the script directory to use. # SCRIPTDIR=/usr/share/rkhunter/scripts # # This option can be used to modify the command directory list used # by rkhunter to locate commands (that is, its PATH). By default # this will be the root PATH, and an internal list of some common # command directories. # # Any directories specified here will, by default, be appended to the # default list. However, if a directory name begins with the '+' # character, then that directory will be prepended to the list (that # is, it will be put at the start of the list). # # This is a space-separated list of directory names. The option may # be specified more than once. # #BINDIR="/bin /usr/bin /sbin /usr/sbin" #BINDIR="+/usr/local/bin +/usr/local/sbin" # # Specify the default language to use. This should be similar # to the ISO 639 language code. # # NOTE: Please ensure that the language you specify is supported. # For a list of supported languages use the following command: # # rkhunter --lang en --list languages # #LANGUAGE=en # # This option is a space-separated list of the languages that are to # be updated when the '--update' option is used. If unset, then all # the languages will be updated. If none of the languages are to be # updated, then set this option to just 'en'. # # The default is for all the languages to be updated. The default # language, specified above, and the English (en) language file will # always be updated regardless of this option. # UPDATE_LANG="" # # Specify the log file pathname. # # NOTE: This option should be present in the configuration file. # LOGFILE=/var/log/rkhunter.log # # Set the following option to 1 if the log file is to be appended to # whenever rkhunter is run. # APPEND_LOG=0 # # Set the following option to 1 if the log file is to be copied when # rkhunter finishes and an error or warning has occurred. The copied # log file name will be appended with the current date and time # (in YYYY-MM-DD_HH:MM:SS format). # For example: rkhunter.log.2009-04-21_00:57:51 # COPY_LOG_ON_ERROR=0 # # Set the following option to enable the rkhunter check start and finish # times to be logged by syslog. Warning messages will also be logged. # The value of the option must be a standard syslog facility and # priority, separated by a dot. For example: # # USE_SYSLOG=authpriv.warning # # Setting the value to 'none', or just leaving the option commented out, # disables the use of syslog. # #USE_SYSLOG=authpriv.notice # # Set the following option to 1 if the second colour set is to be used. # This can be useful if your screen uses black characters on a white # background (for example, a PC instead of a server). # COLOR_SET2=0 # # Set the following option to 0 if rkhunter should not detect if X is # being used. If X is detected as being used, then the second colour # set will automatically be used. # AUTO_X_DETECT=1 # # Set the following option to 1 if it is wanted that any 'Whitelisted' # results are shown in white rather than green. For colour set 2 users, # setting this option will cause the result to be shown in black. # WHITELISTED_IS_WHITE=0 # # The following option is checked against the SSH configuration file # 'PermitRootLogin' option. A warning will be displayed if they do not # match. However, if a value has not been set in the SSH configuration # file, then a value here of 'unset' can be used to avoid warning messages. # This option has a default value of 'no'. # ALLOW_SSH_ROOT_USER=no # # Set this option to '1' to allow the use of the SSH-1 protocol, but note # that theoretically it is weaker, and therefore less secure, than the # SSH-2 protocol. Do not modify this option unless you have good reasons # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 # authentication). If the 'Protocol' option has not been set in the SSH # configuration file, then a value of '2' may be set here in order to # suppress a warning message. This option has a default value of '0'. # ALLOW_SSH_PROT_V1=0 # # This setting tells rkhunter the directory containing the SSH configuration # file. This setting will be worked out by rkhunter, and so should not # usually need to be set. # #SSH_CONFIG_DIR=/etc/ssh # # These two options determine which tests are to be performed. # The ENABLE_TESTS option can use the word 'all' to refer to all the # available tests. The DISABLE_TESTS option can use the word 'none' to # mean that no tests are disabled. The list of disabled tests is applied to # the list of enabled tests. Both options are space-separated lists of test # names. The currently available test names can be seen by using the command # 'rkhunter --list tests'. # # The program defaults are to enable all tests and disable none. However, if # either of the options below are specified, then they will override the # program defaults. # # The supplied configuration file has some tests already disabled, and these # are tests that will be used only occasionally, can be considered # "advanced" or that are prone to produce more than the average number of # false-positives. # # Please read the README file for more details about enabling and disabling # tests, the test names, and how rkhunter behaves when these options are used. # # hidden_procs test requires the unhide command which is part of the unhide # package in Debian. # # apps test is disabled by default as it triggers warnings about outdated # applications (and warns about possible security risk: we better trust # the Debian Security Team). # ENABLE_TESTS="all" DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" # # The HASH_FUNC option can be used to specify the command to use # for the file hash value check. It can be specified as just the # command name or the full pathname. If just the command name is # given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or # SHA512, then rkhunter will first look for the relevant command, # such as 'sha256sum', and then for 'sha256'. If neither of these # are found, it will then look to see if a perl module has been # installed which will support the relevant hash function. To see # which perl modules have been installed use the command # 'rkhunter --list perl'. # # The default is SHA1, or MD5 if SHA1 cannot be found. # # Systems using prelinking are restricted to using either the # SHA1 or MD5 function. # # A value of 'NONE' (in uppercase) can be specified to indicate that # no hash function should be used. Rootkit Hunter will detect this and # automatically disable the file hash checks. # # Examples: # For Solaris 9 : HASH_FUNC=gmd5sum # For Solaris 10: HASH_FUNC=sha1sum # For AIX (>5.2): HASH_FUNC="csum -hMD5" # For NetBSD : HASH_FUNC="cksum -a sha512" # # NOTE: If the hash function is changed then you MUST run rkhunter with # the '--propupd' option to rebuild the file properties database. # #HASH_FUNC=sha1sum # # The HASH_FLD_IDX option specifies which field from the HASH_FUNC # command output contains the hash value. The fields are assumed to # be space-separated. The default value is 1, but for *BSD users # rkhunter will, by default, use a value of 4 if the HASH_FUNC option # has not been set. The option value must be an integer greater # than zero. # #HASH_FLD_IDX=4 # # The PKGMGR option tells rkhunter to use the specified package manager # to obtain the file property information. This is used when updating # the file properties file ('rkhunter.dat'), and when running the file # properties check. For RedHat/RPM-based systems, 'RPM' can be used to # get information from the RPM database. For Debian-based systems 'DPKG' # can be used, for *BSD systems 'BSD' can be used, and for Solaris # systems 'SOLARIS' can be used. No value, or a value of 'NONE', # indicates that no package manager is to be used. The default is 'NONE'. # # The current package managers, except 'SOLARIS', store the file hash # values using an MD5 hash function. The Solaris package manager includes # a checksum value, but this is not used by default (see USE_SUNSUM below). # # The 'DPKG' and 'BSD' package managers only provide MD5 hash values. # The 'RPM' package manager additionally provides values for the inode, # file permissions, uid, gid and other values. The 'SOLARIS' also provides # most of the values, similar to 'RPM', but not the inode number. # # For any file not part of a package, rkhunter will revert to using the # HASH_FUNC hash function instead. # # Whenever this option is changed 'rkhunter --propupd' must be run. # # NONE is the default for Debian as well, as running --propupd takes # about 4 times longer when it's set to DPKG # #PKGMGR=NONE # # It is possible that a file which is part of a package may be modified # by the administrator. Typically this occurs for configuration files. # However, the package manager may list the file as being modified. For # the RPM package manager this may well depend on how the package was # built. This option specifies those pathnames which are to be exempt # from the package manager verification process, and which will be treated # as non-packaged files. As such, the file properties are still checked. # # This option only takes effect if the PKGMGR option has been set, and # is not 'NONE'. # # This is a space-separated list of pathnames. The option may # be specified more than once. # # Whenever this option is changed 'rkhunter --propupd' must be run. # #PKGMGR_NO_VRFY="" # # This option can be used to tell rkhunter to ignore any prelink # dependency errors for the given commands. However, a warning will also # be issued if the error does not occur for a given command. As such # this option must only be used on commands which experience a persistent # problem. # # Short-term prelink dependency errors can usually be resolved simply by # running the 'prelink' command on the given pathname. # # NOTE: The command 'rkhunter --propupd' must be run whenever this option # is changed. # # This is a space-separated list of command pathnames. The option can be # specified more than once. # #IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top" # # If the 'SOLARIS' package manager is used, then it is possible to use # the checksum (hash) value stored for a file. However, this is only a # 16-bit checksum, and as such is not nearly as secure as, for example, # a SHA-2 value. For that reason, the checksum is not used by default, # and the hash function given by HASH_FUNC is used instead. To enable # this option, set its value to 1. The Solaris 'sum' command must be # present on the system if this option is used. # #USE_SUNSUM=0 # # This option is a space-separated list of commands, directories and file # pathnames which will be included in the file properties checks. # This option can be specified more than once. # # Whenever this option is changed, 'rkhunter --propupd' must be run. # # Simple command names - for example, 'top' - and directory names are # added to the internal list of directories to be searched for each of # the command names in the command list. Additionally, full pathnames # to files, which need not be commands, may be given. Any files or # directories which are already part of the internal lists will be # silently ignored from the configuration. # # Normal globbing wildcards are allowed, except for simple command names. # For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. # # Specific files may be excluded by preceding their name with an # exclamation mark (!). For example, '!/opt/top'. By combining this # with wildcarding, whole directories can be excluded. For example, # '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first # two directory levels of '/etc'. However, anything in '/etc/rc0.d', # '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded. # # NOTE: Only files and directories which have been added by the user, # and are not part of the internal lists, can be excluded. So, for # example, it is not possible to exclude the 'ps' command by using # '!/bin/ps'. These will be silently ignored from the configuration. # #USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*" #USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf" #USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local" #USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*" #USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat" #USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*" #USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*" # # This option whitelists files and directories from existing, # or not existing, on the system at the time of testing. This # option is used when the configuration file options themselves # are checked, and during the file properties check, the hidden # files and directories checks, and the filesystem check of the # '/dev' directory. # # This is a space-separated list of pathnames. The option may be # specified more than once. The option may use wildcard characters, # but be aware that this is probably not what you want to do as the # wildcarding will be expanded after files have been deleted. As # such deleted files won't be whitelisted if wildcarded. # # NOTE: The user must take into consideration how often the file will # appear and disappear from the system in relation to how often # rkhunter is run. If the file appears, and disappears, too often # then rkhunter may not notice this. All it will see is that the file # has changed. The inode-number and DTM will certainly be different # for each new file, and rkhunter will report this. # #EXISTWHITELIST="" # # Whitelist various attributes of the specified files. # The attributes are those of the 'attributes' test. # Specifying a file name here does not include it being # whitelisted for the write permission test (see below). # # This is a space-separated list of filenames. The option may # be specified more than once. The option may use wildcard # characters. # #ATTRWHITELIST="/bin/ps /usr/bin/date" # # Allow the specified commands to have the 'others' # (world) permission have the write-bit set. # # For example, files with permissions r-xr-xrwx # or rwxrwxrwx. # # This is a space-separated list of filenames. The option may # be specified more than once. The option may use wildcard # characters. # #WRITEWHITELIST="/bin/ps /usr/bin/date" # # Allow the specified commands to be scripts. # # This is a space-separated list of filenames. The option may # be specified more than once. The option may use wildcard # characters. # SCRIPTWHITELIST=/bin/egrep SCRIPTWHITELIST=/bin/fgrep SCRIPTWHITELIST=/bin/which SCRIPTWHITELIST=/usr/bin/groups SCRIPTWHITELIST=/usr/bin/ldd #SCRIPTWHITELIST=/usr/bin/lwp-request SCRIPTWHITELIST=/usr/sbin/adduser #SCRIPTWHITELIST=/usr/sbin/prelink SCRIPTWHITELIST=/usr/bin/unhide.rb # # Allow the specified commands to have the immutable attribute set. # # This is a space-separated list of filenames. The option may # be specified more than once. The option may use wildcard # characters. # #IMMUTWHITELIST="/sbin/ifup /sbin/ifdown" # # If this option is set to 1, then the immutable-bit test is # reversed. That is, the files are expected to have the bit set. # IMMUTABLE_SET=0 # # Allow the specified hidden directories to be whitelisted. # # This is a space-separated list of directory pathnames. # The option may be specified more than once. The option # may use wildcard characters. # #ALLOWHIDDENDIR="/etc/.java" #ALLOWHIDDENDIR="/dev/.static" #ALLOWHIDDENDIR="/dev/.SRC-unix" #ALLOWHIDDENDIR="/etc/.etckeeper" # # Allow the specified hidden files to be whitelisted. # # This is a space-separated list of filenames. The option may # be specified more than once. The option may use wildcard # characters. # #ALLOWHIDDENFILE="/etc/.java" #ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz" #ALLOWHIDDENFILE="/etc/.pwd.lock" #ALLOWHIDDENFILE="/etc/.init.state" #ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac" #ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac" #ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac" #ALLOWHIDDENFILE="/usr/bin/.ssh.hmac" #ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac" #ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac" #ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac" #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac" #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac" #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac" #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac" #ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac" #ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz" #ALLOWHIDDENFILE="/etc/.gitignore" #ALLOWHIDDENFILE="/etc/.bzrignore" # # Allow the specified processes to use deleted files. The # process name may be followed by a colon-separated list of # full pathnames. The process will then only be whitelisted # if it is using one of the given files. For example: # # ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz" # # This is a space-separated list of process names. The option # may be specified more than once. The option may use wildcard # characters, but only in the file names. # #ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc" #ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2" #ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*" #ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin" #ALLOWPROCDELFILE="/usr/bin/file-roller" # # Allow the specified processes to listen on any network interface. # # This is a space-separated list of process names. The option # may be specified more than once. # #ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd" #ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump" #ALLOWPROCLISTEN="/usr/sbin/snort-plain" # # Allow the specified network interfaces to be in promiscuous mode. # # This is a space-separated list of interface names. The option may # be specified more than once. # #ALLOWPROMISCIF="eth0" # # SCAN_MODE_DEV governs how we scan '/dev' for suspicious files. # The two allowed options are: THOROUGH or LAZY. # If commented out we do a THOROUGH scan which will increase the runtime. # Even though this adds to the running time it is highly recommended to # leave it like this. # #SCAN_MODE_DEV=THOROUGH # # The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to # perform a basic check, or a more thorough check. If the option is set to 0, # then a basic check is performed. If it is set to 1, then all the directries # in the /etc and /usr directories are scanned. The default value is 0. Users # should note that setting this option to 1 will cause the test to take longer # to complete. # PHALANX2_DIRTEST=0 # # Allow the specified files to be present in the /dev directory, # and not regarded as suspicious. # # This is a space-separated list of pathnames. The option may # be specified more than once. The option may use wildcard # characters. # #ALLOWDEVFILE="/dev/shm/pulse-shm-*" #ALLOWDEVFILE="/dev/shm/sem.ADBE_*" # # This setting tells rkhunter where the inetd configuration # file is located. # #INETD_CONF_PATH=/etc/inetd.conf # # Allow the following enabled inetd services. # # This is a space-separated list of service names. The option may # be specified more than once. # # For non-Solaris users the simple service name should be used. # For example: # # INETD_ALLOWED_SVC=echo # # For Solaris 9 users the simple service name should also be used, but # if it is an RPC service, then the executable pathname should be used. # For example: # # INETD_ALLOWED_SVC=imaps # INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd" # # For Solaris 10 users the service/FMRI name should be used. For example: # # INETD_ALLOWED_SVC=/network/rpc/meta # INETD_ALLOWED_SVC=/network/rpc/metamed # INETD_ALLOWED_SVC=/application/font/stfsloader # INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord # #INETD_ALLOWED_SVC=echo # # This setting tells rkhunter where the xinetd configuration # file is located. # #XINETD_CONF_PATH=/etc/xinetd.conf # # Allow the following enabled xinetd services. Whilst it would be # nice to use the service names themselves, at the time of testing # we only have the pathname available. As such, these entries are # the xinetd file pathnames. # # This is a space-separated list of service names. The option may # be specified more than once. # #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo # # This option tells rkhunter the local system startup file pathnames. # The directories will be searched for files. By default rkhunter # will use certain filenames and directories. If the option is set # to 'none', then certain tests will be skipped. # # This is a space-separated list of file and directory pathnames. # The option may be specified more than once. The option may use # wildcard characters. # #STARTUP_PATHS="/etc/init.d /etc/rc.local" # # This setting tells rkhunter the pathname to the file containing the # user account passwords. This setting will be worked out by rkhunter, # and so should not usually need to be set. Users of TCB shadow files # should not set this option. # #PASSWORD_FILE=/etc/shadow # # Allow the following accounts to be root equivalent. These accounts # will have a UID value of zero. The 'root' account does not need to # be listed as it is automatically whitelisted. # # This is a space-separated list of account names. The option may # be specified more than once. # # NOTE: For *BSD systems you will probably need to use this option # for the 'toor' account. # #UID0_ACCOUNTS="toor rooty sashroot" # # Allow the following accounts to have no password. NIS/YP entries do # not need to be listed as they are automatically whitelisted. # # This is a space-separated list of account names. The option may # be specified more than once. # #PWDLESS_ACCOUNTS="abc" # # This setting tells rkhunter the pathname to the syslog configuration # file. This setting will be worked out by rkhunter, and so should not # usually need to be set. A value of 'NONE' can be used to indicate # that there is no configuration file, but that the syslog daemon process # may be running. # # This is a space-separated list of pathnames. The option may # be specified more than once. # #SYSLOG_CONFIG_FILE=/etc/syslog.conf # # This option permits the use of syslog remote logging. # ALLOW_SYSLOG_REMOTE_LOGGING=0 # # Allow the following applications, or a specific version of an application, # to be whitelisted. This option may be specified more than once, and is a # space-separated list consisting of the application names. If a specific # version is to be whitelisted, then the name must be followed by a colon # and then the version number. For example: # # APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29" # # Note above that for the Apache web server, the name 'httpd' is used. # #APP_WHITELIST="" # # Scan for suspicious files in directories containing temporary files and # directories posing a relatively higher risk due to user write access. # Please do not enable by default as suspscan is CPU and I/O intensive and prone to # producing false positives. Do review all settings before usage. # Also be aware that running suspscan in combination with verbose logging on, # RKH's default, will show all ignored files. # Please consider adding all directories the user the (web)server runs as has # write access to including the document root (example: "/var/www") and log # directories (example: "/var/log/httpd"). # # This is a space-separated list of directory pathnames. # The option may be specified more than once. # #SUSPSCAN_DIRS="/tmp /var/tmp" # # Directory for temporary files. A memory-based one is better (faster). # Do not use a directory name that is listed in SUSPSCAN_DIRS. # Please make sure you have a tempfs mounted and the directory exists. # SUSPSCAN_TEMP=/dev/shm # # Maximum filesize in bytes. Files larger than this will not be inspected. # Do make sure you have enough space left in your temporary files directory. # SUSPSCAN_MAXSIZE=10240000 # # Score threshold. Below this value no hits will be reported. # A value of "200" seems "good" after testing on malware. Please adjust # locally if necessary. # SUSPSCAN_THRESH=200 # # The following option can be used to whitelist network ports which # are known to have been used by malware. This option may be specified # more than once. The option is a space-separated list of one or more # of four types of whitelisting. These are: # # 1) a 'protocol:port' pair (e.g. TCP:25) # 2) a pathname to an executable (e.g. /usr/sbin/squid) # 3) a combined pathname, protocol and port # (e.g. /usr/sbin/squid:TCP:3801) # 4) an asterisk ('*') # # Only the UDP or TCP protocol may be specified, and the port number # must be between 1 and 65535 inclusive. # # The asterisk can be used to indicate that any executable which rkhunter # can locate as a command, is whitelisted. (See BINDIR in this file.) # # For example: # # PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" # # NOTE: In order to whitelist a pathname, or use the asterisk option, # the 'lsof' command must be present. # #PORT_WHITELIST="" # # The following option can be used to tell rkhunter where the operating # system 'release' file is located. This file contains information # specifying the current O/S version. RKH will store this information # itself, and check to see if it has changed between each run. If it has # changed, then the user is warned that RKH may issue warning messages # until RKH has been run with the '--propupd' option. # # Since the contents of the file vary according to the O/S distribution, # RKH will perform different actions when it detects the file itself. As # such, this option should not be set unless necessary. If this option is # specified, then RKH will assume the O/S release information is on the # first non-blank line of the file. # #OS_VERSION_FILE="/etc/debian_version" # # The following two options can be used to whitelist files and directories # that would normally be flagged with a warning during the various rootkit # and malware checks. If the file or directory name contains a space, then # the percent character ('%') must be used instead. Only existing files and # directories can be specified, and these must be full pathnames not links. # # Additionally, the RTKT_FILE_WHITELIST option may include a string after the # file name (separated by a colon). This will then only whitelist that string # in that file (as part of the malware checks). For example: # # RTKT_FILE_WHITELIST="/etc/rc.local:hdparm" # # If the option list includes the filename on its own as well, then the file # will be whitelisted from rootkit checks of the files existence, but still # only the specific string within the file will be whitelisted. For example: # # RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local" # # To whitelist a file from the existence checks, but not from the strings # checks, then include the filename on its own and on its own but with # just a colon appended. For example: # # RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:" # # NOTE: It is recommended that if you whitelist any files, then you include # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS # configuration option. # # These are space-separated lists of file and directory pathnames. # The options may be specified more than once. # #RTKT_DIR_WHITELIST="" #RTKT_FILE_WHITELIST="" # # The following option can be used to whitelist shared library files that would # normally be flagged with a warning during the preloaded shared library check. # These library pathnames usually exist in the '/etc/ld.so.preload' file or in # the LD_PRELOAD environment variable. # # NOTE: It is recommended that if you whitelist any files, then you include # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS # configuration option. # # This is a space-separated list of library pathnames. # The option may be specified more than once. # #SHARED_LIB_WHITELIST="/lib/snoopy.so" # # To force rkhunter to use the supplied script for the 'stat' or 'readlink' # command, then the following two options can be used. The value must be # set to 'BUILTIN'. # # NOTE: IRIX users will probably need to enable STAT_CMD. # #STAT_CMD=BUILTIN #READLINK_CMD=BUILTIN # # In the file properties test any modification date/time is displayed as the # number of epoch seconds. Rkhunter will try and use the 'date' command, or # failing that the 'perl' command, to display the date and time in a # human-readable format as well. This option may be used if some other command # should be used instead. The given command must understand the '%s' and # 'seconds ago' options found in the GNU date command. # # A value of 'NONE' may be used to request that only the epoch seconds be shown. # A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if # it is present. # #EPOCH_DATE_CMD="" # # This setting tells rkhunter the directory containing the available # Linux kernel modules. This setting will be worked out by rkhunter, # and so should not usually need to be set. # #MODULES_DIR="" # # The following option can be set to a command which rkhunter will use when # downloading files from the Internet - that is, when the '--update' or # '--versioncheck' option is used. The command can take options. # # This allows the user to use a command other than the one automatically # selected by rkhunter, but still one which it already knows about. # For example: # # WEB_CMD=curl # # Alternatively, the user may specify a completely new command. However, note # that rkhunter expects the downloaded file to be written to stdout, and that # everything written to stderr is ignored. For example: # # WEB_CMD="/opt/bin/dlfile --timeout 5m -q" # # *BSD users may want to use the 'ftp' command, provided that it supports # the HTTP protocol: # # WEB_CMD="ftp -o -" # #WEB_CMD="" # # Set the following option to 0 if you do not want to receive a warning if # any O/S information has changed since the last run of 'rkhunter --propupd'. # The warnings occur during the file properties check. The default is to # issue a warning if something has changed. # #WARN_ON_OS_CHANGE=1 # # Set the following option to 1 if you want rkhunter to automatically run # a file properties update ('--propupd') if the O/S has changed. Detection # of an O/S change occurs during the file properties check. The default is # not to do an automatic update. # # WARNING: Only set this option if you are sure that the update will work # correctly. That is, that the database directory is writeable, that a valid # hash function is available, and so on. This can usually be checked simply # by running 'rkhunter --propupd' at least once. # #UPDT_ON_OS_CHANGE=0 # # Set the following option to 1 if locking is to be used when rkhunter runs. # The lock is set just before logging starts, and is removed when the program # ends. It is used to prevent items such as the log file, and the file # properties file, from becoming corrupted if rkhunter is running more than # once. The mechanism used is to simply create a lock file in the TMPDIR # directory. If the lock file already exists, because rkhunter is already # running, then the current process simply loops around sleeping for 10 seconds # and then retrying the lock. # # The default is not to use locking. # USE_LOCKING=0 # # If locking is used, then rkhunter may have to wait to get the lock file. # This option sets the total amount of time, in seconds, that rkhunter should # wait. It will retry the lock every 10 seconds, until either it obtains the # lock or the timeout value has been reached. If no value is set, then a # default of 300 seconds (5 minutes) is used. # LOCK_TIMEOUT=300 # # If locking is used, then rkhunter may be doing nothing for some time if it # has to wait for the lock. Some simple messages are echo'd to the users screen # to let them know that rkhunter is waiting for the lock. Set this option to 0 # if the messages are not to be displayed. The default is to show them. # SHOW_LOCK_MSGS=1 # # If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function # will search (on a per rootkit basis) for filenames in all of the directories (as defined # by the result of running 'find / -xdev'). While still not optimal, as it # still searches for only file names as opposed to file contents, this is one step away # from the rigidity of searching in known (evidence) or default (installation) locations. # # THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. # # You should only activate this feature as part of a more thorough investigation which # should be based on relevant best practices and procedures. # # Enabling this feature implies you have the knowledge to interpret the results properly. # #SCANROOTKITMODE=THOROUGH # # The following option can be set to the name(s) of the tests the 'unhide' command is # to use. In order to maintain compatibility with older versions of 'unhide', this # option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but # will only take effect when they are seen. The test names are a space-separated list, # and will be executed in the order given. # #UNHIDE_TESTS="sys" # # If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it # is possible to disable the execution of one of the programs if desired. By default # rkhunter will look for both programs, and execute each of them as they are found. # If the value of this option is 0, then both programs will be executed if they are # present. A value of 1 will disable execution of the C 'unhide' program, and a value # of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable # both programs, then disable the 'hidden_procs' test. # DISABLE_UNHIDE=1 INSTALLDIR="/usr"