/etc/rkhunter.conf is in rkhunter 1.3.8-10.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 | #
# This is the main configuration file for Rootkit Hunter.
#
# You can either modify this file directly, or you can create a local
# configuration file. The local file must be named 'rkhunter.conf.local',
# and must reside in the same directory as this file. Please modify one
# or both files to your own requirements. It is suggested that the
# command 'rkhunter -C' is run after any changes have been made.
#
# Please review the documentation before posting bug reports or questions.
# To report bugs, obtain updates, or provide patches or comments, please go to:
# http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the rkhunter-users mailing list.
# Note this is a moderated list: please subscribe before posting.
#
# Lines beginning with a hash (#), and blank lines, are ignored.
# End-of-line comments are not supported.
#
# Most of the following options need only be specified once. If
# they appear more than once, then the last one seen will be used.
# Some options are allowed to appear more than once, and the text
# describing the option will say if this is so.
#
# Some of the options are space-separated lists of pathnames. If
# wildcard characters (globbing) are allowed in the list, then the
# text describing the option will say so.
#
#
# If this option is set to 1, it specifies that the mirrors file
# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
# options are used, is to be rotated. Rotating the entries in the file
# allows a basic form of load-balancing between the mirror sites whenever
# the above options are used.
# If the option is set to 0, then the mirrors will be treated as if in
# a priority list. That is, the first mirror listed will always be used
# first. The second mirror will only be used if the first mirror fails,
# the third mirror will only be used if the second mirror fails, and so on.
#
# If the mirrors file is read-only, then the '--versioncheck' command-line
# option can only be used if this option is set to 0.
#
ROTATE_MIRRORS=1
#
# If this option is set to 1, it specifies that when the '--update'
# option is used, then the mirrors file is to be checked for updates
# as well. If the current mirrors file contains any local mirrors,
# these will be prepended to the updated file.
# If this option is set to 0, the mirrors file can only be updated
# manually. This may be useful if only using local mirrors.
#
UPDATE_MIRRORS=1
#
# The MIRRORS_MODE option tells rkhunter which mirrors are to be
# used when the '--update' or '--versioncheck' command-line options
# are given. Possible values are:
# 0 - use any mirror (the default)
# 1 - only use local mirrors
# 2 - only use remote mirrors
#
# Local and remote mirrors can be defined in the mirrors file
# by using the 'local=' and 'remote=' keywords respectively.
#
MIRRORS_MODE=0
#
# Email a message to this address if a warning is found when the
# system is being checked. Multiple addresses may be specified
# simply be separating them with a space. Setting this option to
# null disables the option.
#
# NOTE: This option should be present in the configuration file.
#
#MAIL-ON-WARNING=me@mydomain root@mydomain
MAIL-ON-WARNING=""
#
# Specify the mail command to use if MAIL-ON-WARNING is set.
#
# NOTE: Double quotes are not required around the command, but
# are required around the subject line if it contains spaces.
#
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
#
# Specify the temporary directory to use.
#
# NOTE: Do not use /tmp as your temporary directory. Some
# important files will be written to this directory, so be
# sure that the directory permissions are tight.
#
TMPDIR=/var/lib/rkhunter/tmp
#
# Specify the database directory to use.
#
DBDIR=/var/lib/rkhunter/db
#
# Specify the script directory to use.
#
SCRIPTDIR=/usr/share/rkhunter/scripts
#
# Specify the root directory to use.
#
#ROOTDIR=""
#
# This option can be used to modify the command directory list used
# by rkhunter to locate commands (that is, its PATH). By default
# this will be the root PATH, and an internal list of some common
# command directories.
#
# Any directories specified here will, by default, be appended to the
# default list. However, if a directory name begins with the '+'
# character, then that directory will be prepended to the list (that
# is, it will be put at the start of the list).
#
# This is a space-separated list of directory names. The option may
# be specified more than once.
#
#BINDIR="/bin /usr/bin /sbin /usr/sbin"
#BINDIR="+/usr/local/bin +/usr/local/sbin"
#
# Specify the default language to use. This should be similar
# to the ISO 639 language code.
#
# NOTE: Please ensure that the language you specify is supported.
# For a list of supported languages use the following command:
#
# rkhunter --lang en --list languages
#
#LANGUAGE=en
#
# This option is a space-separated list of the languages that are to
# be updated when the '--update' option is used. If unset, then all
# the languages will be updated. If none of the languages are to be
# updated, then set this option to just 'en'.
#
# The default is for all the languages to be updated. The default
# language, specified above, and the English (en) language file will
# always be updated regardless of this option.
#
UPDATE_LANG=""
#
# Specify the log file pathname.
#
# NOTE: This option should be present in the configuration file.
#
LOGFILE=/var/log/rkhunter.log
#
# Set the following option to 1 if the log file is to be appended to
# whenever rkhunter is run.
#
APPEND_LOG=0
#
# Set the following option to 1 if the log file is to be copied when
# rkhunter finishes and an error or warning has occurred. The copied
# log file name will be appended with the current date and time
# (in YYYY-MM-DD_HH:MM:SS format).
# For example: rkhunter.log.2009-04-21_00:57:51
#
COPY_LOG_ON_ERROR=0
#
# Set the following option to enable the rkhunter check start and finish
# times to be logged by syslog. Warning messages will also be logged.
# The value of the option must be a standard syslog facility and
# priority, separated by a dot. For example:
#
# USE_SYSLOG=authpriv.warning
#
# Setting the value to 'none', or just leaving the option commented out,
# disables the use of syslog.
#
#USE_SYSLOG=authpriv.notice
#
# Set the following option to 1 if the second colour set is to be used.
# This can be useful if your screen uses black characters on a white
# background (for example, a PC instead of a server).
#
COLOR_SET2=0
#
# Set the following option to 0 if rkhunter should not detect if X is
# being used. If X is detected as being used, then the second colour
# set will automatically be used.
#
AUTO_X_DETECT=1
#
# Set the following option to 1 if it is wanted that any 'Whitelisted'
# results are shown in white rather than green. For colour set 2 users,
# setting this option will cause the result to be shown in black.
#
WHITELISTED_IS_WHITE=0
#
# The following option is checked against the SSH configuration file
# 'PermitRootLogin' option. A warning will be displayed if they do not
# match. However, if a value has not been set in the SSH configuration
# file, then a value here of 'unset' can be used to avoid warning messages.
# This option has a default value of 'no'.
#
ALLOW_SSH_ROOT_USER=no
#
# Set this option to '1' to allow the use of the SSH-1 protocol, but note
# that theoretically it is weaker, and therefore less secure, than the
# SSH-2 protocol. Do not modify this option unless you have good reasons
# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
# authentication). If the 'Protocol' option has not been set in the SSH
# configuration file, then a value of '2' may be set here in order to
# suppress a warning message. This option has a default value of '0'.
#
ALLOW_SSH_PROT_V1=0
#
# This setting tells rkhunter the directory containing the SSH configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
#SSH_CONFIG_DIR=/etc/ssh
#
# These two options determine which tests are to be performed.
# The ENABLE_TESTS option can use the word 'all' to refer to all the
# available tests. The DISABLE_TESTS option can use the word 'none' to
# mean that no tests are disabled. The list of disabled tests is applied to
# the list of enabled tests. Both options are space-separated lists of test
# names. The currently available test names can be seen by using the command
# 'rkhunter --list tests'.
#
# The program defaults are to enable all tests and disable none. However, if
# either of the options below are specified, then they will override the
# program defaults.
#
# The supplied configuration file has some tests already disabled, and these
# are tests that will be used only occasionally, can be considered
# "advanced" or that are prone to produce more than the average number of
# false-positives.
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
# hidden_procs test requires the unhide command which is part of the unhide
# package in Debian.
#
# apps test is disabled by default as it triggers warnings about outdated
# applications (and warns about possible security risk: we better trust
# the Debian Security Team).
#
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
#
# The HASH_FUNC option can be used to specify the command to use
# for the file hash value check. It can be specified as just the
# command name or the full pathname. If just the command name is
# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or
# SHA512, then rkhunter will first look for the relevant command,
# such as 'sha256sum', and then for 'sha256'. If neither of these
# are found, it will then look to see if a perl module has been
# installed which will support the relevant hash function. To see
# which perl modules have been installed use the command
# 'rkhunter --list perl'.
#
# The default is SHA1, or MD5 if SHA1 cannot be found.
#
# Systems using prelinking are restricted to using either the
# SHA1 or MD5 function.
#
# A value of 'NONE' (in uppercase) can be specified to indicate that
# no hash function should be used. Rootkit Hunter will detect this and
# automatically disable the file hash checks.
#
# Examples:
# For Solaris 9 : HASH_FUNC=gmd5sum
# For Solaris 10: HASH_FUNC=sha1sum
# For AIX (>5.2): HASH_FUNC="csum -hMD5"
# For NetBSD : HASH_FUNC="cksum -a sha512"
#
# NOTE: If the hash function is changed then you MUST run rkhunter with
# the '--propupd' option to rebuild the file properties database.
#
#HASH_FUNC=sha1sum
#
# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
# command output contains the hash value. The fields are assumed to
# be space-separated. The default value is 1, but for *BSD users
# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
# has not been set. The option value must be an integer greater
# than zero.
#
#HASH_FLD_IDX=4
#
# The PKGMGR option tells rkhunter to use the specified package manager
# to obtain the file property information. This is used when updating
# the file properties file ('rkhunter.dat'), and when running the file
# properties check. For RedHat/RPM-based systems, 'RPM' can be used to
# get information from the RPM database. For Debian-based systems 'DPKG'
# can be used, for *BSD systems 'BSD' can be used, and for Solaris
# systems 'SOLARIS' can be used. No value, or a value of 'NONE',
# indicates that no package manager is to be used. The default is 'NONE'.
#
# The current package managers, except 'SOLARIS', store the file hash
# values using an MD5 hash function. The Solaris package manager includes
# a checksum value, but this is not used by default (see USE_SUNSUM below).
#
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
# The 'RPM' package manager additionally provides values for the inode,
# file permissions, uid, gid and other values. The 'SOLARIS' also provides
# most of the values, similar to 'RPM', but not the inode number.
#
# For any file not part of a package, rkhunter will revert to using the
# HASH_FUNC hash function instead.
#
# Whenever this option is changed 'rkhunter --propupd' must be run.
#
# NONE is the default for Debian as well, as running --propupd takes
# about 4 times longer when it's set to DPKG
#
#PKGMGR=NONE
#
# It is possible that a file which is part of a package may be modified
# by the administrator. Typically this occurs for configuration files.
# However, the package manager may list the file as being modified. For
# the RPM package manager this may well depend on how the package was
# built. This option specifies those pathnames which are to be exempt
# from the package manager verification process, and which will be treated
# as non-packaged files. As such, the file properties are still checked.
#
# This option only takes effect if the PKGMGR option has been set, and
# is not 'NONE'.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once.
#
# Whenever this option is changed 'rkhunter --propupd' must be run.
#
#PKGMGR_NO_VRFY=""
#
# This option can be used to tell rkhunter to ignore any prelink
# dependency errors for the given commands. However, a warning will also
# be issued if the error does not occur for a given command. As such
# this option must only be used on commands which experience a persistent
# problem.
#
# Short-term prelink dependency errors can usually be resolved simply by
# running the 'prelink' command on the given pathname.
#
# NOTE: The command 'rkhunter --propupd' must be run whenever this option
# is changed.
#
# This is a space-separated list of command pathnames. The option can be
# specified more than once.
#
#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top"
#
# If the 'SOLARIS' package manager is used, then it is possible to use
# the checksum (hash) value stored for a file. However, this is only a
# 16-bit checksum, and as such is not nearly as secure as, for example,
# a SHA-2 value. For that reason, the checksum is not used by default,
# and the hash function given by HASH_FUNC is used instead. To enable
# this option, set its value to 1. The Solaris 'sum' command must be
# present on the system if this option is used.
#
#USE_SUNSUM=0
#
# This option is a space-separated list of commands, directories and file
# pathnames. This option can be specified more than once.
#
# Whenever this option is changed, 'rkhunter --propupd' must be run.
#
# Simple command names - for example, 'top' - and directory names are
# added to the internal list of directories to be searched for each of
# the command names in the command list. Additionally, full pathnames
# to files, which need not be commands, may be given. Any files or
# directories which are already part of the internal lists will be
# silently ignored from the configuration.
#
# Normal globbing wildcards are allowed, except for simple command names.
# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
#
# Specific files may be excluded by preceding their name with an
# exclamation mark (!). For example, '!/opt/top'. By combining this
# with wildcarding, whole directories can be excluded. For example,
# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first
# two directory levels of '/etc'. However, anything in '/etc/rc0.d',
# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded.
#
# NOTE: Only files and directories which have been added by the user,
# and are not part of the internal lists, can be excluded. So, for
# example, it is not possible to exclude the 'ps' command by using
# '!/bin/ps'. These will be silently ignored from the configuration.
#
#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*"
#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf"
#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local"
#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*"
#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat"
#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*"
#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*"
#
# This option whitelists files and directories from existing,
# or not existing, on the system at the time of testing. This
# option is used when the configuration file options themselves
# are checked, and during the file properties check, the hidden
# files and directories checks, and the filesystem check of the
# '/dev' directory.
#
# This is a space-separated list of pathnames. The option may be
# specified more than once. The option may use wildcard characters,
# but be aware that this is probably not what you want to do as the
# wildcarding will be expanded after files have been deleted. As
# such deleted files won't be whitelisted if wildcarded.
#
# NOTE: The user must take into consideration how often the file will
# appear and disappear from the system in relation to how often
# rkhunter is run. If the file appears, and disappears, too often
# then rkhunter may not notice this. All it will see is that the file
# has changed. The inode-number and DTM will certainly be different
# for each new file, and rkhunter will report this.
#
#EXISTWHITELIST=""
#
# Whitelist various attributes of the specified files.
# The attributes are those of the 'attributes' test.
# Specifying a file name here does not include it being
# whitelisted for the write permission test (see below).
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ATTRWHITELIST="/bin/ps /usr/bin/date"
#
# Allow the specified commands to have the 'others'
# (world) permission have the write-bit set.
#
# For example, files with permissions r-xr-xrwx
# or rwxrwxrwx.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#WRITEWHITELIST="/bin/ps /usr/bin/date"
#
# Allow the specified commands to be scripts.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink
#
# Allow the specified commands to have the immutable attribute set.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown"
#
# If this option is set to 1, then the immutable-bit test is
# reversed. That is, the files are expected to have the bit set.
#
IMMUTABLE_SET=0
#
# Allow the specified hidden directories to be whitelisted.
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once. The option
# may use wildcard characters.
#
#ALLOWHIDDENDIR="/etc/.java"
#ALLOWHIDDENDIR="/dev/.static"
#ALLOWHIDDENDIR="/dev/.initramfs"
#ALLOWHIDDENDIR="/dev/.SRC-unix"
#ALLOWHIDDENDIR="/dev/.mdadm"
#
# Allow the specified hidden files to be whitelisted.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWHIDDENFILE="/etc/.java"
#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
#ALLOWHIDDENFILE="/etc/.pwd.lock"
#ALLOWHIDDENFILE="/etc/.init.state"
#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
#
# Allow the specified processes to use deleted files. The
# process name may be followed by a colon-separated list of
# full pathnames. The process will then only be whitelisted
# if it is using one of the given files. For example:
#
# ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz"
#
# This is a space-separated list of process names. The option
# may be specified more than once.
#
#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2"
#ALLOWPROCDELFILE="/usr/sbin/mysqld"
#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin"
#ALLOWPROCDELFILE="/usr/bin/file-roller"
#
# Allow the specified processes to listen on any network interface.
#
# This is a space-separated list of process names. The option
# may be specified more than once.
#
#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
#ALLOWPROCLISTEN="/usr/sbin/snort-plain"
#
# Allow the specified network interfaces to be in promiscuous mode.
#
# This is a space-separated list of interface names. The option may
# be specified more than once.
#
#ALLOWPROMISCIF="eth0"
#
# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
# The two allowed options are: THOROUGH or LAZY.
# If commented out we do a THOROUGH scan which will increase the runtime.
# Even though this adds to the running time it is highly recommended to
# leave it like this.
#
#SCAN_MODE_DEV=THOROUGH
#
# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
# perform a basic check, or a more thorough check. If the option is set to 0,
# then a basic check is performed. If it is set to 1, then all the directries
# in the /etc and /usr directories are scanned. The default value is 0. Users
# should note that setting this option to 1 will cause the test to take longer
# to complete.
#
PHALANX2_DIRTEST=0
#
# Allow the specified files to be present in the /dev directory,
# and not regarded as suspicious.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWDEVFILE="/dev/shm/pulse-shm-*"
#ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
#
# This setting tells rkhunter where the inetd configuration
# file is located.
#
#INETD_CONF_PATH=/etc/inetd.conf
#
# Allow the following enabled inetd services.
#
# This is a space-separated list of service names. The option may
# be specified more than once.
#
# For non-Solaris users the simple service name should be used.
# For example:
#
# INETD_ALLOWED_SVC=echo
#
# For Solaris 9 users the simple service name should also be used, but
# if it is an RPC service, then the executable pathname should be used.
# For example:
#
# INETD_ALLOWED_SVC=imaps
# INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd"
#
# For Solaris 10 users the service/FMRI name should be used. For example:
#
# INETD_ALLOWED_SVC=/network/rpc/meta
# INETD_ALLOWED_SVC=/network/rpc/metamed
# INETD_ALLOWED_SVC=/application/font/stfsloader
# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#
#INETD_ALLOWED_SVC=echo
#
# This setting tells rkhunter where the xinetd configuration
# file is located.
#
#XINETD_CONF_PATH=/etc/xinetd.conf
#
# Allow the following enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing
# we only have the pathname available. As such, these entries are
# the xinetd file pathnames.
#
# This is a space-separated list of service names. The option may
# be specified more than once.
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
#
# This option tells rkhunter the local system startup file pathnames.
# The directories will be searched for files. By default rkhunter
# will use certain filenames and directories. If the option is set
# to 'none', then certain tests will be skipped.
#
# This is a space-separated list of file and directory pathnames.
# The option may be specified more than once. The option may use
# wildcard characters.
#
#STARTUP_PATHS="/etc/init.d /etc/rc.local"
#
# This setting tells rkhunter the pathname to the file containing the
# user account passwords. This setting will be worked out by rkhunter,
# and so should not usually need to be set. Users of TCB shadow files
# should not set this option.
#
#PASSWORD_FILE=/etc/shadow
#
# Allow the following accounts to be root equivalent. These accounts
# will have a UID value of zero. The 'root' account does not need to
# be listed as it is automatically whitelisted.
#
# This is a space-separated list of account names. The option may
# be specified more than once.
#
# NOTE: For *BSD systems you will probably need to use this option
# for the 'toor' account.
#
#UID0_ACCOUNTS="toor rooty sashroot"
#
# Allow the following accounts to have no password. NIS/YP entries do
# not need to be listed as they are automatically whitelisted.
#
# This is a space-separated list of account names. The option may
# be specified more than once.
#
#PWDLESS_ACCOUNTS="abc"
#
# This setting tells rkhunter the pathname to the syslog configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set. A value of 'NONE' can be used to indicate
# that there is no configuration file, but that the syslog daemon process
# may be running.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf
#
# This option permits the use of syslog remote logging.
#
ALLOW_SYSLOG_REMOTE_LOGGING=0
#
# Allow the following applications, or a specific version of an application,
# to be whitelisted. This option may be specified more than once, and is a
# space-separated list consisting of the application names. If a specific
# version is to be whitelisted, then the name must be followed by a colon
# and then the version number. For example:
#
# APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
#
# Note above that for the Apache web server, the name 'httpd' is used.
#
#APP_WHITELIST=""
#
# Scan for suspicious files in directories containing temporary files and
# directories posing a relatively higher risk due to user write access.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
# Also be aware that running suspscan in combination with verbose logging on,
# RKH's default, will show all ignored files.
# Please consider adding all directories the user the (web)server runs as has
# write access to including the document root (example: "/var/www") and log
# directories (example: "/var/log/httpd").
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once.
#
#SUSPSCAN_DIRS="/tmp /var/tmp"
#
# Directory for temporary files. A memory-based one is better (faster).
# Do not use a directory name that is listed in SUSPSCAN_DIRS.
# Please make sure you have a tempfs mounted and the directory exists.
#
SUSPSCAN_TEMP=/dev/shm
#
# Maximum filesize in bytes. Files larger than this will not be inspected.
# Do make sure you have enough space left in your temporary files directory.
#
SUSPSCAN_MAXSIZE=10240000
#
# Score threshold. Below this value no hits will be reported.
# A value of "200" seems "good" after testing on malware. Please adjust
# locally if necessary.
#
SUSPSCAN_THRESH=200
#
# The following option can be used to whitelist network ports which
# are known to have been used by malware. This option may be specified
# more than once. The option is a space-separated list of one or more
# of four types of whitelisting. These are:
#
# 1) a 'protocol:port' pair (e.g. TCP:25)
# 2) a pathname to an executable (e.g. /usr/sbin/squid)
# 3) a combined pathname, protocol and port
# (e.g. /usr/sbin/squid:TCP:3801)
# 4) an asterisk ('*')
#
# Only the UDP or TCP protocol may be specified, and the port number
# must be between 1 and 65535 inclusive.
#
# The asterisk can be used to indicate that any executable which rkhunter
# can locate as a command, is whitelisted. (See BINDIR in this file.)
#
# For example:
#
# PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
#
# NOTE: In order to whitelist a pathname, or use the asterisk option,
# the 'lsof' command must be present.
#
#PORT_WHITELIST=""
#
# The following option can be used to tell rkhunter where the operating
# system 'release' file is located. This file contains information
# specifying the current O/S version. RKH will store this information
# itself, and check to see if it has changed between each run. If it has
# changed, then the user is warned that RKH may issue warning messages
# until RKH has been run with the '--propupd' option.
#
# Since the contents of the file vary according to the O/S distribution,
# RKH will perform different actions when it detects the file itself. As
# such, this option should not be set unless necessary. If this option is
# specified, then RKH will assume the O/S release information is on the
# first non-blank line of the file.
#
#OS_VERSION_FILE="/etc/debian_version"
#
# The following two options can be used to whitelist files and directories
# that would normally be flagged with a warning during the various rootkit
# and malware checks. If the file or directory name contains a space, then
# the percent character ('%') must be used instead. Only existing files and
# directories can be specified, and these must be full pathnames not links.
#
# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
# file name (separated by a colon). This will then only whitelist that string
# in that file (as part of the malware checks). For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
#
# If the option list includes the filename on its own as well, then the file
# will be whitelisted from rootkit checks of the files existence, but still
# only the specific string within the file will be whitelisted. For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
#
# To whitelist a file from the existence checks, but not from the strings
# checks, then include the filename on its own and on its own but with
# just a colon appended. For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# These are space-separated lists of file and directory pathnames.
# The options may be specified more than once.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""
#
# The following option can be used to whitelist shared library files that would
# normally be flagged with a warning during the preloaded shared library check.
# These library pathnames usually exist in the '/etc/ld.so.preload' file.
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# This is a space-separated list of library pathnames.
# The option may be specified more than once.
#
#SHARED_LIB_WHITELIST="/lib/snoopy.so"
#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
# command, then the following two options can be used. The value must be
# set to 'BUILTIN'.
#
# NOTE: IRIX users will probably need to enable STAT_CMD.
#
#STAT_CMD=BUILTIN
#READLINK_CMD=BUILTIN
#
# In the file properties test any modification date/time is displayed as the
# number of epoch seconds. Rkhunter will try and use the 'date' command, or
# failing that the 'perl' command, to display the date and time in a
# human-readable format as well. This option may be used if some other command
# should be used instead. The given command must understand the '%s' and
# 'seconds ago' options found in the GNU date command.
#
# A value of 'NONE' may be used to request that only the epoch seconds be shown.
# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
# it is present.
#
#EPOCH_DATE_CMD=""
#
# This setting tells rkhunter the directory containing the available
# Linux kernel modules. This setting will be worked out by rkhunter,
# and so should not usually need to be set.
#
#MODULES_DIR=""
#
# The following option can be set to a command which rkhunter will use when
# downloading files from the Internet - that is, when the '--update' or
# '--versioncheck' option is used. The command can take options.
#
# This allows the user to use a command other than the one automatically
# selected by rkhunter, but still one which it already knows about.
# For example:
#
# WEB_CMD=curl
#
# Alternatively, the user may specify a completely new command. However, note
# that rkhunter expects the downloaded file to be written to stdout, and that
# everything written to stderr is ignored. For example:
#
# WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
#
# *BSD users may want to use the 'ftp' command, provided that it supports
# the HTTP protocol:
#
# WEB_CMD="ftp -o -"
#
#WEB_CMD=""
#
# Set the following option to 0 if you do not want to receive a warning if
# any O/S information has changed since the last run of 'rkhunter --propupd'.
# The warnings occur during the file properties check. The default is to
# issue a warning if something has changed.
#
#WARN_ON_OS_CHANGE=1
#
# Set the following option to 1 if you want rkhunter to automatically run
# a file properties update ('--propupd') if the O/S has changed. Detection
# of an O/S change occurs during the file properties check. The default is
# not to do an automatic update.
#
# WARNING: Only set this option if you are sure that the update will work
# correctly. That is, that the database directory is writeable, that a valid
# hash function is available, and so on. This can usually be checked simply
# by running 'rkhunter --propupd' at least once.
#
#UPDT_ON_OS_CHANGE=0
#
# Set the following option to 1 if locking is to be used when rkhunter runs.
# The lock is set just before logging starts, and is removed when the program
# ends. It is used to prevent items such as the log file, and the file
# properties file, from becoming corrupted if rkhunter is running more than
# once. The mechanism used is to simply create a lock file in the TMPDIR
# directory. If the lock file already exists, because rkhunter is already
# running, then the current process simply loops around sleeping for 10 seconds
# and then retrying the lock.
#
# The default is not to use locking.
#
USE_LOCKING=0
#
# If locking is used, then rkhunter may have to wait to get the lock file.
# This option sets the total amount of time, in seconds, that rkhunter should
# wait. It will retry the lock every 10 seconds, until either it obtains the
# lock or the timeout value has been reached. If no value is set, then a
# default of 300 seconds (5 minutes) is used.
#
LOCK_TIMEOUT=300
#
# If locking is used, then rkhunter may be doing nothing for some time if it
# has to wait for the lock. Some simple messages are echo'd to the users screen
# to let them know that rkhunter is waiting for the lock. Set this option to 0
# if the messages are not to be displayed. The default is to show them.
#
SHOW_LOCK_MSGS=1
#
# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
# will search (on a per rootkit basis) for filenames in all of the directories (as defined
# by the result of running 'find "${RKHROOTDIR}/" -xdev'). While still not optimal, as it
# still searches for only file names as opposed to file contents, this is one step away
# from the rigidity of searching in known (evidence) or default (installation) locations.
#
# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
#
# You should only activate this feature as part of a more thorough investigation which
# should be based on relevant best practices and procedures.
#
# Enabling this feature implies you have the knowledge to interpret the results properly.
#
#SCANROOTKITMODE=THOROUGH
#
# The following option can be set to the name(s) of the tests the 'unhide' command is
# to use. In order to maintain compatibility with older versions of 'unhide', this
# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but
# will only take effect when they are seen. The test names are a space-separated list,
# and will be executed in the order given.
#
#UNHIDE_TESTS="sys"
#
# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it
# is possible to disable the execution of one of the programs if desired. By default
# rkhunter will look for both programs, and execute each of them as they are found.
# If the value of this option is 0, then both programs will be executed if they are
# present. A value of 1 will disable execution of the C 'unhide' program, and a value
# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable
# both programs, then disable the 'hidden_procs' test.
#
DISABLE_UNHIDE=1
INSTALLDIR="/usr"
|