Uninstall rkhunter HIDS on all hosts

8 files changed, 2 insertions, 1476 deletions

diff --git a/playbooks/update.yml b/playbooks/update.yml
index f64571e..f57abef 100644
--- a/playbooks/update.yml
+++ b/playbooks/update.yml
@@ -43,19 +43,3 @@
         to: "{{ jabberroom }}"
         msg: Casper, TASK [Reboot système programmé dans 1 heure] ******
       tags: reboot
-
-
-    - name: rkhunter internal database update
-      at:
-        command: /usr/bin/rkhunter --propupd
-        count: 50
-        units: minutes
-        unique: yes
-      when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
-
-    - jabber:
-        user: "{{ jabberuserid }}"
-        password: "{{ jabberuserpwd }}"
-        to: "{{ jabberroom }}"
-        msg: Casper, TASK [Mise à jour rkhunter programmée dans 50 min] ******
-      when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
diff --git a/roles/clients/tasks/main.yml b/roles/clients/tasks/main.yml
index e290688..19bacb0 100644
--- a/roles/clients/tasks/main.yml
+++ b/roles/clients/tasks/main.yml
@@ -28,9 +28,6 @@
 - name: Configuration mock
   import_tasks: mock.yml
 
-- name: Configuration rkhunter pour mock
-  import_tasks: rkhunter.yml
-
 - name: Ajout points de montage
   import_tasks: mnt.yml
 
diff --git a/roles/clients/tasks/rkhunter.yml b/roles/clients/tasks/rkhunter.yml
deleted file mode 100644
index 85a1f38..0000000
--- a/roles/clients/tasks/rkhunter.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Changement de mode rkhunter mode lazy
-  lineinfile:
-    path: /etc/rkhunter.conf
-    insertafter: '^#SCAN_MODE_DEV=THOROUGH'
-    line: 'SCAN_MODE_DEV=LAZY'
diff --git a/roles/diagnostics/handlers/main.yml b/roles/diagnostics/handlers/main.yml
index 037a724..9aeb861 100644
--- a/roles/diagnostics/handlers/main.yml
+++ b/roles/diagnostics/handlers/main.yml
@@ -1,2 +1 @@
 - import_tasks: aide.yml
-- import_tasks: rkhunter.yml
diff --git a/roles/diagnostics/handlers/rkhunter.yml b/roles/diagnostics/handlers/rkhunter.yml
deleted file mode 100644
index d332d08..0000000
--- a/roles/diagnostics/handlers/rkhunter.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: initialize rkhunter
-  command: /usr/bin/rkhunter --propupd
diff --git a/roles/diagnostics/tasks/hidsdb.yml b/roles/diagnostics/tasks/hidsdb.yml
index 7269ac9..ebac83e 100644
--- a/roles/diagnostics/tasks/hidsdb.yml
+++ b/roles/diagnostics/tasks/hidsdb.yml
@@ -4,10 +4,6 @@
     state: latest
   tags: hidsdb
 
-- name: rkhunter internal database update
-  command: /usr/bin/rkhunter --propupd
-  tags: hidsdb
-
 - name: aide internal database reset
   command: /usr/sbin/aide -i
   register: hashinfo
diff --git a/roles/diagnostics/tasks/rkhunter.yml b/roles/diagnostics/tasks/rkhunter.yml
index dafcf8e..20281ff 100644
--- a/roles/diagnostics/tasks/rkhunter.yml
+++ b/roles/diagnostics/tasks/rkhunter.yml
@@ -1,13 +1,7 @@
-- name: Installation du HIDS rkhunter
+- name: Désinstallation du HIDS rkhunter
   package:
     name: "{{ item }}"
-    state: present
+    state: absent
   loop:
     - rkhunter
     - unhide
-
-- name: Configuration de rkhunter
-  template:
-    src: rkhunter.conf.j2
-    dest: /etc/rkhunter.conf
-    mode: 0640
diff --git a/roles/diagnostics/templates/rkhunter.conf.j2 b/roles/diagnostics/templates/rkhunter.conf.j2
deleted file mode 100644
index dd689ba..0000000
--- a/roles/diagnostics/templates/rkhunter.conf.j2
+++ /dev/null
@@ -1,1437 +0,0 @@
-#
-# This is the main configuration file for Rootkit Hunter.
-#
-# You can modify this file directly, or you can create a local configuration
-# file. The local file must be named 'rkhunter.conf.local', and must reside
-# in the same directory as this file. Alternatively you can create a directory,
-# named 'rkhunter.d', which also must be in the same directory as this
-# configuration file. Within the 'rkhunter.d' directory you can place further
-# configuration files. There is no restriction on the file names used, other
-# than they must end in '.conf'.
-#
-# Please modify the configuration file(s) to your own requirements. It is
-# recommended that the command 'rkhunter -C' is run after any changes have
-# been made.
-#
-# Please review the documentation before posting bug reports or questions.
-# To report bugs, provide patches or comments, please go to:
-# http://rkhunter.sourceforge.net
-#
-# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list.
-# Note that this is a moderated list, so please subscribe before posting.
-#
-# In the configuration files, lines beginning with a hash (#), and blank lines,
-# are ignored. Also, end-of-line comments are not supported.
-#
-# Any of the configuration options may appear more than once. However, several
-# options only take one value, and so the last one seen will be used. Some
-# options are allowed to appear more than once, and the text describing the
-# option will say if this is so. These configuration options will, in effect,
-# have their values concatenated together. To delete a previously specified
-# option list, specify the option with no value (that is, a null string).
-#
-# Some of the options are space-separated lists, others, typically those
-# specifying pathnames, are newline-separated lists. These must be entered
-# as one item per line. Quotes must not be used to surround the pathname.
-#
-# For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an
-# option:         XXX=/tmp/abc                (correct)
-#                 XXX=/tmp/xyz
-#
-#                 XXX="/tmp/abc"              (incorrect)
-#                 XXX="/tmp/xyz"
-#
-#                 XXX=/tmp/abc  /tmp/xyz      (incorrect)
-#    or           XXX="/tmp/abc  /tmp/xyz"    (incorrect)
-#    or           XXX="/tmp/abc"  "/tmp/xyz"  (incorrect)
-#
-# The last three examples are being configured as space-separated lists,
-# which is incorrect, generally, for options specifying pathnames. They
-# should be configured with one entry per line as in the first example.
-#
-# If wildcard characters (globbing) are allowed for an option, then the
-# text describing the option will say so. Any globbing character explicitly
-# required in a pathname should be escaped.
-#
-# Space-separated lists may be enclosed by quotes, although they are not
-# required. If they are used, then they must only appear at the start and
-# end of the list, not in the middle.
-#
-# For example:    XXX=abc  def  gh            (correct)
-#                 XXX="abc  def  gh"          (correct)
-#                 XXX="abc"  "def"  "gh"      (incorrect)
-#
-# Space-separated lists may also be entered simply as one entry per line.
-#
-# For example:    XXX=abc                     (correct)
-#                 XXX=def
-#                 XXX="gh"
-#
-# If a configuration option is never set, then the program will assume a
-# default value. The text describing the option will state the default value.
-# If there is no default, then rkhunter will calculate a value or pathname
-# to use. If a value is set for a configuration option, then the default
-# value is ignored. If it is wished to keep the default value, as well as
-# any other set value, then the default must be explicitly set.
-#
-
-
-#
-# If this option is set to '1', it specifies that the mirrors file
-# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
-# options are used, is to be rotated. Rotating the entries in the file allows
-# a basic form of load-balancing between the mirror sites whenever the above
-# options are used.
-#
-# If the option is set to '0', then the mirrors will be treated as if in a
-# priority list. That is, the first mirror listed will always be used first.
-# The second mirror will only be used if the first mirror fails, the third
-# mirror will only be used if the second mirror fails, and so on.
-#
-# If the mirrors file is read-only, then the '--versioncheck' command-line
-# option can only be used if this option is set to '0'.
-# 
-# The default value is '1'.
-#
-#ROTATE_MIRRORS=1
-
-#
-# If this option is set to '1', it specifies that when the '--update' option is
-# used, then the mirrors file is to be checked for updates as well. If the
-# current mirrors file contains any local mirrors, these will be prepended to
-# the updated file. If this option is set to '0', the mirrors file can only be
-# updated manually. This may be useful if only using local mirrors.
-#
-# The default value is '1'.
-#
-#UPDATE_MIRRORS=1
-
-#
-# The MIRRORS_MODE option tells rkhunter which mirrors are to be used when
-# the '--update' or '--versioncheck' command-line options are given.
-# Possible values are:
-#     0 - use any mirror
-#     1 - only use local mirrors
-#     2 - only use remote mirrors
-#
-# Local and remote mirrors can be defined in the mirrors file by using the
-# 'local=' and 'remote=' keywords respectively.
-#
-# The default value is '0'.
-#
-#MIRRORS_MODE=0
-
-#
-# Email a message to this address if a warning is found when the system is
-# being checked. Multiple addresses may be specified simply be separating
-# them with a space. To disable the option, simply set it to the null string
-# or comment it out.
-#
-# The option may be specified more than once.
-#
-# The default value is the null string.
-#
-# Also see the MAIL_CMD option.
-#
-#MAIL-ON-WARNING=me@mydomain   root@mydomain
-
-#
-# This option specifies the mail command to use if MAIL-ON-WARNING is set.
-#
-# NOTE: Double quotes are not required around the command, but are required
-# around the subject line if it contains spaces.
-#
-# The default is to use the 'mail' command, with a subject line
-# of '[rkhunter] Warnings found for ${HOST_NAME}'.
-#
-#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
-
-#
-# This option specifies the directory to use for temporary files.
-#
-# NOTE: Do not use '/tmp' as your temporary directory. Some important files
-# will be written to this directory, so be sure that the directory permissions
-# are secure.
-#
-# The installer program will set the default directory. If this default is
-# subsequently commented out or removed, then the program will assume a
-# default directory beneath the installation directory.
-#
-#TMPDIR=/var/lib/rkhunter/tmp
-TMPDIR=/var/lib/rkhunter
-
-#
-# This option specifies the database directory to use.
-#
-# The installer program will set the default directory. If this default is
-# subsequently commented out or removed, then the program will assume a
-# default directory beneath the installation directory.
-#
-#DBDIR=/var/lib/rkhunter/db
-DBDIR=/var/lib/rkhunter/db
-
-#
-# This option specifies the script directory to use.
-#
-# The installer program will set the default directory. If this default is
-# subsequently commented out or removed, then the program will not run.
-#
-#SCRIPTDIR=/usr/local/lib/rkhunter/scripts
-SCRIPTDIR=/usr/share/rkhunter/scripts
-
-#
-# This option can be used to modify the command directory list used by rkhunter
-# to locate commands (that is, its PATH). By default this will be the root PATH,
-# and an internal list of some common command directories.
-#
-# Any directories specified here will, by default, be appended to the default
-# list. However, if a directory name begins with the '+' character, then that
-# directory will be prepended to the list (that is, it will be put at the start
-# of the list).
-#
-# This is a space-separated list of directory names. The option may be
-# specified more than once.
-#
-# The default value is based on the root account PATH environment variable.
-#
-#BINDIR=/bin /usr/bin /sbin /usr/sbin
-#BINDIR=+/usr/local/bin +/usr/local/sbin
-
-#
-# This option specifies the default language to use. This should be similar to
-# the ISO 639 language code.
-#
-# NOTE: Please ensure that the language you specify is supported.
-# For a list of supported languages use the following command:
-#
-#       rkhunter --lang en --list languages
-#
-# The default language is 'en' (English).
-#
-#LANGUAGE=en
-
-#
-# This option is a space-separated list of the languages that are to be updated
-# when the '--update' option is used. If unset, then all the languages will be
-# updated. If none of the languages are to be updated, then set this option to
-# just 'en'.
-#
-# The default language, specified by the LANGUAGE option, and the English (en)
-# language file will always be updated regardless of this option.
-#
-# This option may be specified more than once.
-#
-# The default value is the null string, indicating that all the language files
-# will be updated.
-#
-#UPDATE_LANG=""
-
-#
-# This option specifies the log file pathname. The file will be created if it
-# does not initially exist. If the option is unset, then the program will
-# display a message each time it is run saying that the default value is being
-# used.
-#
-# The default value is '/var/log/rkhunter.log'.
-#
-LOGFILE=/var/log/rkhunter/rkhunter.log
-
-#
-# Set this option to '1' if the log file is to be appended to whenever rkhunter
-# is run. A value of '0' will cause a new log file to be created whenever the
-# program is run.
-#
-# The default value is '0'.
-#
-#APPEND_LOG=0
-APPEND_LOG=1
-
-#
-# Set the following option to '1' if the log file is to be copied when rkhunter
-# finishes and an error or warning has occurred. The copied log file name will
-# be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format).
-# For example: rkhunter.log.2009-04-21_00:57:51
-# If the option value is '0', then the log file will not be copied regardless
-# of whether any errors or warnings occurred.
-#
-# The default value is '0'.
-#
-#COPY_LOG_ON_ERROR=0
-
-#
-# Set the following option to enable the rkhunter check start and finish times
-# to be logged by syslog. Warning messages will also be logged. The value of
-# the option must be a standard syslog facility and priority, separated by a
-# dot.  For example:
-#
-#     USE_SYSLOG=authpriv.warning
-#
-# Setting the value to 'NONE', or just leaving the option commented out,
-# disables the use of syslog.
-#
-# The default value is not to use syslog.
-#
-#USE_SYSLOG=authpriv.notice
-
-#
-# Set the following option to '1' if the second colour set is to be used. This
-# can be useful if your screen uses black characters on a white background
-# (for example, a PC instead of a server). A value of '0' will cause the default
-# colour set to be used.
-#
-# The default value is '0'.
-#
-#COLOR_SET2=0
-
-#
-# Set the following option to '0' if rkhunter should not detect if X is being
-# used. If X is detected as being used, then the second colour set will
-# automatically be used. If set to '1', then the use of X will be detected.
-#
-# The default value is '0'.
-#
-AUTO_X_DETECT=1
-
-#
-# Set the following option to '1' if it is wanted that any 'Whitelisted' results
-# are shown in white rather than green. For colour set 2 users, setting this
-# option will cause the result to be shown in black. Setting the option to '0'
-# causes whitelisted results to be displayed in green.
-#
-# The default value is '0'.
-#
-#WHITELISTED_IS_WHITE=0
-
-#
-# The following option is checked against the SSH configuration file
-# 'PermitRootLogin' option. A warning will be displayed if they do not match.
-# However, if a value has not been set in the SSH configuration file, then a
-# value here of 'unset' can be used to avoid warning messages.
-#
-# The default value is 'no'.
-#
-#ALLOW_SSH_ROOT_USER=no
-ALLOW_SSH_ROOT_USER=yes
-
-#
-# Set this option to '1' to allow the use of the SSH-1 protocol, but note
-# that theoretically it is weaker, and therefore less secure, than the
-# SSH-2 protocol. Do not modify this option unless you have good reasons
-# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
-# authentication). If the 'Protocol' option has not been set in the SSH
-# configuration file, then a value of '2' may be set here in order to
-# suppress a warning message. A value of '0' indicates that the use of
-# SSH-1 is not allowed.
-#
-# The default value is '0'.
-#
-#ALLOW_SSH_PROT_V1=0
-ALLOW_SSH_PROT_V1=2
-
-#
-# This setting tells rkhunter the directory containing the SSH configuration
-# file. If unset, this setting will be worked out by rkhunter, and so should
-# not usually need to be set.
-#
-# This option has no default value.
-#
-#SSH_CONFIG_DIR=/etc/ssh
-
-#
-# These two options determine which tests are to be performed. The ENABLE_TESTS
-# option can use the word 'ALL' to refer to all of the available tests. The
-# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are
-# disabled. The list of disabled tests is applied to the list of enabled tests.
-#
-# Both options are space-separated lists of test names, and both options may
-# be specified more than once. The currently available test names can be seen
-# by using the command 'rkhunter --list tests'.
-#
-# The supplied configuration file has some tests already disabled, and these
-# are tests that will be used only occasionally, can be considered 'advanced'
-# or that are prone to produce more than the average number of false-positives.
-#
-# Please read the README file for more details about enabling and disabling
-# tests, the test names, and how rkhunter behaves when these options are used.
-#
-# The default values are to enable all tests and to disable none. However, if
-# either of the options below are specified, then they will override the
-# program defaults.
-#
-ENABLE_TESTS=ALL
-#DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps
-#DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps ipc_shared_mem
-DISABLE_TESTS={% for item in disabletests %}{{ item }} {% endfor %}
-
-#
-# The HASH_CMD option can be used to specify the command to use for the file
-# properties hash value check. It can be specified as just the command name or
-# the full pathname. If just the command name is given, and it is one of MD5,
-# SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the
-# relevant command, such as 'sha256sum', and then for 'sha256'. If neither of
-# these are found, it will then look to see if a perl module has been installed
-# which will support the relevant hash function. To see which perl modules have
-# been installed use the command 'rkhunter --list perl'.
-#
-# Systems using prelinking are restricted to using either the SHA1 or MD5
-# function.
-#
-# A value of 'NONE' (in uppercase) can be specified to indicate that no hash
-# function should be used. Rkhunter will detect this, and automatically disable
-# the file properties hash check test.
-#
-# Examples:
-#   For Solaris 9 : HASH_CMD=gmd5sum
-#   For Solaris 10: HASH_CMD=sha1sum
-#   For AIX (>5.2): HASH_CMD="csum -hMD5"
-#   For NetBSD    : HASH_CMD="cksum -a sha512"
-#
-# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
-#
-# The default value is the SHA256 function, unless prelinking is used in
-# which case it defaults to the SHA1 function.
-#
-# Also see the HASH_FLD_IDX option. In addition, note the comments under
-# the PKGMGR option relating to the use of HASH_CMD.
-#
-#HASH_CMD=SHA256
-
-#
-# The HASH_FLD_IDX option specifies which field from the HASH_CMD command
-# output contains the hash value. The fields are assumed to be space-separated.
-#
-# The option value must be an integer greater than zero.
-#
-# The default value is '1', but for *BSD users rkhunter will, by default, use a
-# value of '4' if the HASH_CMD option has not been set.
-#
-#HASH_FLD_IDX=4
-
-#
-# The PKGMGR option tells rkhunter to use the specified package manager to
-# obtain the file property information. This is used when updating the file
-# properties file ('rkhunter.dat'), and when running the file properties check.
-# For RedHat/RPM-based systems, 'RPM' can be used to get information from the
-# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems
-# 'BSD' can be used, or for *BSD systems with the 'pkg' command 'BSDng' can be
-# used, and for Solaris systems 'SOLARIS' can be used. No value, or a value of
-# 'NONE', indicates that no package manager is to be used.
-#
-# The package managers obtain each file hash value using a hash function. The
-# Solaris package manager includes a 16-bit checksum value, but this is not
-# used by default (see USE_SUNSUM below). The 'RPM' and 'BSDng' package managers
-# currently use a SHA256 hash function. Other package managers will, typically,
-# use an MD5 hash function.
-#
-# The 'DPKG', 'BSD' and 'BSDng' package managers only provide a file hash value.
-# The 'RPM' package manager additionally provides values for the inode, file
-# permissions, uid, gid and other values. The 'SOLARIS' package manager also
-# provides most of the values, similar to 'RPM', but not the inode number.
-#
-# For any file not part of a package, rkhunter will revert to using the
-# HASH_CMD hash function instead. This means that if the HASH_CMD option
-# is set, and PKGMGR is set, then the HASH_CMD hash function is only used,
-# and stored, for non-packaged files. All packaged files will use, and store,
-# whatever hash function the relevant package manager uses. So, for example,
-# with the 'RPM' package manager, packaged files will be stored with their
-# SHA256 value regardless of the value of the HASH_CMD option.
-#
-# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
-#
-# The default value is 'NONE'.
-#
-# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options.
-#
-#PKGMGR=NONE
-PKGMGR=RPM
-
-#
-# It is possible that a file, which is part of a package, may have been
-# modified by the administrator. Typically this occurs for configuration
-# files. However, the package manager may list the file as being modified.
-# For the RPM package manager this may well depend on how the package was
-# built. This option specifies a pathname which is to be exempt from the
-# package manager verification process, and which will be treated
-# as a non-packaged file. As such, the file properties are still checked.
-#
-# This option only takes effect if the PKGMGR option has been set, and
-# is not 'NONE'.
-#
-# This option may be specified more than once.
-#
-# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
-#
-# The default value is the null string.
-#
-#PKGMGR_NO_VRFY=""
-
-#
-# If the 'SOLARIS' package manager is used, then it is possible to use the
-# checksum (hash) value stored for a file. However, this is only a 16-bit
-# checksum, and as such is not nearly as secure as, for example, a SHA-2 value.
-# If the option is set to '0', then the checksum is not used and the hash
-# function given by HASH_CMD is used instead. To enable this option, set its
-# value to '1'. The Solaris 'sum' command must be present on the system if this
-# option is used.
-#
-# The default value is '0'.
-#
-#USE_SUNSUM=0
-
-#
-# This option can be used to tell rkhunter to ignore any prelink dependency
-# errors for the given commands. However, a warning will also be issued if the
-# error does not occur for a given command. As such this option must only be
-# used on commands which experience a persistent problem.
-#
-# Short-term prelink dependency errors can usually be resolved simply by
-# running the 'prelink' command on the given pathname.
-#
-# This is a space-separated list of command pathnames. The option can be
-# specified more than once.
-#
-# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
-#
-# The default value is the null string.
-#
-#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top
-
-#
-# These options specify a command, directory or file pathname which will be
-# included or excluded in the file properties checks.
-#
-# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example,
-# 'top' - and directory names are added to the internal list of directories to
-# be searched for each of the command names in the command list. Additionally,
-# full pathnames to files, which need not be commands, may be given. Any files
-# or directories which are already part of the internal lists will be silently
-# ignored from the configuration.
-#
-# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for
-# simple command names.
-# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
-#
-# To extend the use of wildcards to include recursive checking of directories,
-# see the GLOBSTAR configuration option.
-#
-# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS
-# option. Wildcards may be used with this option.
-#
-# By combining these two options, and using wildcards, whole directories can be
-# excluded. For example:
-#
-#     USER_FILEPROP_FILES_DIRS=/etc/*
-#     USER_FILEPROP_FILES_DIRS=/etc/*/*
-#     EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/*
-#
-# This will look for files in the first two directory levels of '/etc'. However,
-# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be
-# excluded.
-#
-# NOTE: Only files and directories which have been added by the user, and are
-# not part of the internal lists, can be excluded. So, for example, it is not
-# possible to exclude the 'ps' command by using '/bin/ps'. These will be
-# silently ignored from the configuration.
-#
-# Both options can be specified more than once.
-#
-# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run.
-#
-# The default value for both options is the null string.
-#
-#USER_FILEPROP_FILES_DIRS=top
-#USER_FILEPROP_FILES_DIRS=/usr/local/sbin
-#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
-#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
-#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.d/*
-#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps*
-
-#
-# This option whitelists files and directories from existing, or not existing,
-# on the system at the time of testing. This option is used when the
-# configuration file options themselves are checked, and during the file
-# properties check, the hidden files and directories checks, and the filesystem
-# check of the '/dev' directory.
-#
-# This option may be specified more than once, and may use wildcards.
-# Be aware though that this is probably not what you want to do as the
-# wildcarding will be expanded after files have been deleted. As such
-# deleted files won't be whitelisted if wildcarded.
-#
-# NOTE: The user must take into consideration how often the file will appear
-# and disappear from the system in relation to how often rkhunter is run. If
-# the file appears, and disappears, too often then rkhunter may not notice
-# this. All it will see is that the file has changed. The inode number and DTM
-# will certainly be different for each new file, and rkhunter will report this.
-#
-# The default value is the null string.
-#
-#EXISTWHITELIST=""
-EXISTWHITELIST=/bin/ad
-# FreeIPA Certificate Authority
-EXISTWHITELIST=/var/log/pki-ca/system
-# FreeIPA Certificate Authority
-EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
-# FreeIPA with KRA (Password Vault)
-EXISTWHITELIST=/var/log/pki/pki-tomcat/kra/system
-RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/kra/system
-# Some non default installed files we check
-EXISTWHITELIST=/usr/bin/GET
-EXISTWHITELIST=/usr/bin/whatis
-
-#
-# Whitelist various attributes of the specified file. The attributes are those
-# of the 'attributes' test. Specifying a file name here does not include it
-# being whitelisted for the write permission test (see below).
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#ATTRWHITELIST=/usr/bin/date
-
-#
-# Allow the specified file to have the 'others' (world) permission have the
-# write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#WRITEWHITELIST=/usr/bin/date
-
-#
-# Allow the specified file to be a script.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#SCRIPTWHITELIST=/usr/bin/groups
-SCRIPTWHITELIST=/usr/bin/whatis
-SCRIPTWHITELIST=/usr/bin/ldd
-SCRIPTWHITELIST=/usr/bin/groups
-SCRIPTWHITELIST=/usr/bin/GET
-{% if ansible_distribution == "CentOS" -%}
-SCRIPTWHITELIST=/sbin/ifup
-SCRIPTWHITELIST=/sbin/ifdown
-{% endif -%}
-
-#
-# Allow the specified file to have the immutable attribute set.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#IMMUTWHITELIST=/sbin/ifdown
-
-#
-# If this option is set to '1', then the immutable-bit test is reversed. That
-# is, the files are expected to have the bit set. A value of '0' means that the
-# immutable-bit should not be set.
-#
-# The default value is '0'.
-#
-#IMMUTABLE_SET=0
-
-#
-# If this option is set to '1', then any changed inode value is ignored in
-# the file properties check. The inode test itself still runs, but it will
-# always return that no inodes have changed.
-#
-# This option may be useful for filesystems such as Btrfs, which handle inodes
-# slightly differently than other filesystems.
-#
-# The default value is '0'.
-#
-#SKIP_INODE_CHECK=0
-
-#
-# Allow the specified hidden directory to be whitelisted.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#ALLOWHIDDENDIR=/etc/.java
-#ALLOWHIDDENDIR=/dev/.udev
-#ALLOWHIDDENDIR=/dev/.udevdb
-#ALLOWHIDDENDIR=/dev/.mdadm
-ALLOWHIDDENDIR="/etc/.java"
-ALLOWHIDDENDIR=/dev/.udev
-ALLOWHIDDENDIR=/dev/.udevdb
-ALLOWHIDDENDIR=/dev/.udev.tdb
-ALLOWHIDDENDIR=/dev/.static
-ALLOWHIDDENDIR=/dev/.initramfs
-ALLOWHIDDENDIR=/dev/.SRC-unix
-ALLOWHIDDENDIR=/dev/.mdadm
-ALLOWHIDDENDIR=/dev/.systemd
-ALLOWHIDDENDIR=/dev/.mount
-# for etckeeper
-ALLOWHIDDENDIR=/etc/.git
-ALLOWHIDDENDIR=/etc/.bzr
-
-#
-# Allow the specified hidden file to be whitelisted.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-# 
-#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
-#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
-#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
-#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
-#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
-#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
-#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
-ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
-ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac
-ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac
-ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
-ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac
-ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac
-ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
-ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
-ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
-ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
-ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
-ALLOWHIDDENFILE=/dev/.mdadm.map
-ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
-ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
-ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
-# etckeeper
-ALLOWHIDDENFILE=/etc/.etckeeper
-ALLOWHIDDENFILE=/etc/.gitignore
-ALLOWHIDDENFILE=/etc/.bzrignore
-# systemd
-ALLOWHIDDENFILE=/etc/.updated
-
-#
-# Allow the specified process to use deleted files. The process name may be
-# followed by a colon-separated list of full pathnames (which have been
-# deleted). The process will then only be whitelisted if it is using one of
-# the given pathnames. For example:
-#
-#     ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
-#
-# This option may be specified more than once. It may also use wildcards, but
-# only in the deleted file pathnames, not in the process name. The use of
-# extended pattern matching in pathname expansion (for example, '**') is not
-# supported for this option. However, the option itself extends globbing when
-# the '*' character is used by matching zero or more characters in the
-# pathname, including those in sub-directories. For example, the pathname
-# '/tmp/abc/def/xyz' would not be matched by shell globbing using '/tmp/*/xyz'
-# but is matched when used in this option. Similarly, using '/tmp/*' will
-# match any file found in the '/tmp' directory or any sub-directories.
-#
-# The default value is the null string.
-#
-#ALLOWPROCDELFILE=/sbin/cardmgr
-#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
-
-#
-# Allow the specified process to listen on any network interface.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#ALLOWPROCLISTEN=/sbin/dhclient
-#ALLOWPROCLISTEN=/usr/bin/dhcpcd
-#ALLOWPROCLISTEN=/usr/sbin/tcpdump
-#ALLOWPROCLISTEN=/usr/sbin/snort-plain
-
-#
-# Allow the specified network interfaces to be in promiscuous mode.
-#
-# This is a space-separated list of interface names. The option may be
-# specified more than once.
-#
-# The default value is the null string.
-#
-#ALLOWPROMISCIF=eth0
-
-#
-# This option specifies how rkhunter should scan the '/dev' directory for
-# suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'.
-#
-# A THOROUGH scan will increase the overall runtime of rkhunter. Despite this,
-# it is highly recommended that this value is used.
-#
-# The default value is 'THOROUGH'.
-#
-# Also see the ALLOWDEVFILE option.
-#
-#SCAN_MODE_DEV=THOROUGH
-SCAN_MODE_DEV=LAZY
-
-#
-# Allow the specified file to be present in the '/dev' directory, and not
-# regarded as suspicious.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#ALLOWDEVFILE=/dev/shm/pulse-shm-*
-#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
-ALLOWDEVFILE=/dev/shm/pulse-shm-*
-ALLOWDEVFILE=/dev/md/md-device-map
-# tomboy creates this one
-ALLOWDEVFILE="/dev/shm/mono.*"
-# created by libv4l
-ALLOWDEVFILE="/dev/shm/libv4l-*"
-# created by spice video
-ALLOWDEVFILE="/dev/shm/spice.*"
-# created by mdadm
-ALLOWDEVFILE="/dev/md/autorebuild.pid"
-# 389 Directory Server
-ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
-# squid proxy
-ALLOWDEVFILE=/dev/shm/squid-cf*
-# squid ssl cache
-ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm
-ALLOWDEVFILE=/dev/shm/squid-tls_session_cache.shm
-# allow lldpad state file
-ALLOWDEVFILE=/dev/shm/lldpad.state
-# Allow PCS/Pacemaker/Corosync
-ALLOWDEVFILE=/dev/shm/qb-attrd-*
-ALLOWDEVFILE=/dev/shm/qb-cfg-*
-ALLOWDEVFILE=/dev/shm/qb-cib_rw-*
-ALLOWDEVFILE=/dev/shm/qb-cib_shm-*
-ALLOWDEVFILE=/dev/shm/qb-corosync-*
-ALLOWDEVFILE=/dev/shm/qb-cpg-*
-ALLOWDEVFILE=/dev/shm/qb-lrmd-*
-ALLOWDEVFILE=/dev/shm/qb-pengine-*
-ALLOWDEVFILE=/dev/shm/qb-quorum-*
-ALLOWDEVFILE=/dev/shm/qb-stonith-*
-
-#
-# Allow the specified process pathnames to use shared memory segments.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#ALLOWIPCPROC=/usr/bin/firefox
-#ALLOWIPCPROC=/usr/bin/vlc
-
-#
-# Allow the specified memory segment creator PIDs to use shared memory segments.
-#
-# This is a space-separated list of PID numbers (as given by the
-# 'ipcs -p' command). This option may be specified more than once.
-#
-# The default value is the null string.
-#
-#ALLOWIPCPID=12345 6789
-
-#
-# Allow the specified account names to use shared memory segments.
-#
-# This is a space-separated list of account names. The option may be specified
-# more than once.
-#
-# The default value is the null string.
-#
-#ALLOWIPCUSER=usera userb
-
-#
-# This option can be used to set the maximum shared memory segment size
-# (in bytes) that is not considered suspicious. Any segment above this size,
-# and with 600 or 666 permissions, will be considered suspicious during the
-# shared memory check.
-#
-# The default is 1048576 (1M) bytes.
-#
-#IPC_SEG_SIZE=1048576
-
-#
-# This option is used to indicate if the Phalanx2 test is to perform a basic
-# check, or a more thorough check. If the option is set to '0', then a basic
-# check is performed. If it is set to '1', then all the directories in the
-# '/etc' and '/usr' directories are scanned.
-#
-# NOTE: Setting this option to '1' will cause the test to take longer
-# to complete.
-#
-# The default value is '0'.
-#
-#PHALANX2_DIRTEST=0
-
-#
-# This option tells rkhunter where the inetd configuration file is located.
-#
-# The default value is the null string.
-#
-#INETD_CONF_PATH=/etc/inetd.conf
-
-#
-# This option allows the specified enabled inetd services.
-#
-# This is a space-separated list of service names. The option may be specified
-# more than once.
-#
-# For non-Solaris users the simple service name should be used.
-# For example:
-#
-#     INETD_ALLOWED_SVC=echo
-#
-# For Solaris 9 users the simple service name should also be used, but
-# if it is an RPC service, then the executable pathname should be used.
-# For example:
-#
-#     INETD_ALLOWED_SVC=imaps
-#     INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd
-#
-# For Solaris 10 users the service/FMRI name should be used. For example:
-#
-#     INETD_ALLOWED_SVC=/network/rpc/meta
-#     INETD_ALLOWED_SVC=/network/rpc/metamed
-#     INETD_ALLOWED_SVC=/application/font/stfsloader
-#     INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
-#
-# The default value is the null string.
-#
-#INETD_ALLOWED_SVC=echo
-
-#
-# This option tells rkhunter where the xinetd configuration file is located.
-#
-# The default value is the null string.
-#
-#XINETD_CONF_PATH=/etc/xinetd.conf
-
-#
-# This option allows the specified enabled xinetd services. Whilst it would be
-# nice to use the service names themselves, at the time of testing we only have
-# the pathname available. As such, these entries are the xinetd file pathnames.
-#
-# This is a space-separated list of service names. The option may be specified
-# more than once.
-#
-# The default value is the null string.
-#
-#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
-
-#
-# This option tells rkhunter the local system startup file pathnames. The
-# directories will be searched for files. If unset, then rkhunter will try
-# and determine were the startup files are located. If the option is set to
-# 'NONE' then certain tests will be skipped.
-#
-# This is a space-separated list of file and directory pathnames. The option
-# may be specified more than once, and may use wildcard characters.
-#
-# This option has no default value.
-#
-#STARTUP_PATHS=/etc/rc.d /etc/rc.local
-
-#
-# This option tells rkhunter the pathname to the file containing the user
-# account passwords. If unset, this setting will be worked out by rkhunter,
-# and so should not usually need to be set. Users of TCB shadow files should
-# not set this option.
-#
-# This option has no default value.
-#
-#PASSWORD_FILE=/etc/shadow
-
-#
-# This option allows the specified accounts to be root equivalent. These
-# accounts will have a UID value of zero. The 'root' account does not need
-# to be listed as it is automatically whitelisted.
-#
-# This is a space-separated list of account names. The option may be specified
-# more than once.
-#
-# NOTE: For *BSD systems you will probably need to use this option for the
-# 'toor' account.
-#
-# The default value is the null string.
-#
-#UID0_ACCOUNTS=toor rooty
-
-#
-# This option allows the specified accounts to have no password. NIS/YP entries
-# do not need to be listed as they are automatically whitelisted.
-#
-# This is a space-separated list of account names. The option may be specified
-# more than once.
-#
-# The default value is the null string.
-#
-#PWDLESS_ACCOUNTS=abc
-
-#
-# This option tells rkhunter the pathname to the syslog configuration file.
-# If unset, this setting will be worked out by rkhunter, and so should not
-# usually need to be set. A value of 'NONE' can be used to indicate that
-# there is no configuration file, but that the syslog daemon process may
-# be running.
-#
-# This is a space-separated list of pathnames. The option may be specified
-# more than once.
-#
-# This option has no default value.
-#
-#SYSLOG_CONFIG_FILE=/etc/syslog.conf
-
-#
-# If this option is set to '1', then the use of syslog remote logging is
-# permitted. A value of '0' disallows the use of remote logging.
-#
-# The default value is '0'.
-#
-#ALLOW_SYSLOG_REMOTE_LOGGING=0
-
-#
-# This option allows the specified applications, or a specific version of an
-# application, to be whitelisted. If a specific version is to be whitelisted,
-# then the name must be followed by a colon and then the version number.
-# For example:
-#
-#     APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29
-#
-# This is a space-separated list of pathnames. The option may be specified
-# more than once.
-#
-# The default value is the null string.
-#
-#APP_WHITELIST=""
-
-# 
-# Set this option to scan for suspicious files in directories which pose a
-# relatively higher risk due to user write access.
-#
-# Please do not enable the 'suspscan' test by default as it is CPU and I/O
-# intensive, and prone to producing false positives. Do review all settings
-# before usage. Also be aware that running 'suspscan' in combination with
-# verbose logging on, rkhunter's default, will show all ignored files.
-#
-# Please consider adding all directories the user the (web)server runs as,
-# and has write access to, including the document root (e.g: '/var/www') and
-# log directories (e.g: '/var/log/httpd'). 
-#
-# This is a space-separated list of directory pathnames. The option may be
-# specified more than once.
-#
-# The default value is the '/tmp' and '/var/tmp' directories.
-#
-#SUSPSCAN_DIRS=/tmp /var/tmp
-
-#
-# This option specifies the directory for temporary files used by the
-# 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is
-# better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS
-# as that is highly likely to cause false-positive results.
-#
-# The default value is '/dev/shm'.
-#
-#SUSPSCAN_TEMP=/dev/shm
-
-#
-# This option specifies the 'suspscan' test maximum filesize in bytes. Files
-# larger than this will not be inspected. Do make sure you have enough space
-# available in your temporary files directory.
-#
-# The default value is '1024000'.
-#
-#SUSPSCAN_MAXSIZE=1024000
-
-#
-# This option specifies the 'suspscan' test score threshold. Below this value
-# no hits will be reported.
-#
-# The default value is '200'.
-#
-#SUSPSCAN_THRESH=200
-
-#
-# This option may be used to whitelist file pathnames from the suspscan test.
-#
-# Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration
-# option.
-#
-# This option may be specified more than once.
-#
-# The default value is the null string.
-#
-#SUSPSCAN_WHITELIST=""
-
-#
-# The following options can be used to whitelist network ports which are known
-# to have been used by malware. 
-#
-# The PORT_WHITELIST option is a space-separated list of one or more of two
-# types of whitelisting. These are:
-#
-#   1) a 'protocol:port' pair
-#   2) an asterisk ('*')
-#
-# Only the UDP or TCP protocol may be specified, and the port number must be
-# between 1 and 65535 inclusive.
-#
-# The asterisk can be used to indicate that any executable which rkhunter can
-# locate as a command, is whitelisted. (Also see BINDIR)
-#
-# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting.
-# These are:
-#
-#   1) a pathname to an executable
-#   2) a combined pathname, protocol and port
-#
-# As above, the protocol can only be TCP or UDP, and the port number must be
-# between 1 and 65535 inclusive.
-#
-# Examples:
-#
-#     PORT_WHITELIST=TCP:2001 UDP:32011
-#     PORT_PATH_WHITELIST=/usr/sbin/squid
-#     PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
-#
-# NOTE: In order to whitelist a pathname, or use the asterisk option, the
-# 'lsof' command must be present.
-#
-# Both options may be specified more than once.
-#
-# The default value for both options is the null string.
-#
-#PORT_WHITELIST=""
-#PORT_PATH_WHITELIST=""
-
-#
-# The following option can be used to tell rkhunter where the operating system
-# 'release' file is located. This file contains information specifying the
-# current O/S version. RKH will store this information, and check to see if it
-# has changed between each run. If it has changed, then the user is warned that
-# RKH may issue warning messages until RKH has been run with the '--propupd'
-# option.
-#
-# Since the contents of the file vary according to the O/S distribution, RKH
-# will perform different actions when it detects the file itself. As such, this
-# option should not be set unless necessary. If this option is specified, then
-# RKH will assume the O/S release information is on the first non-blank line of
-# the file.
-#
-# This option has no default value.
-#
-# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options.
-#
-#OS_VERSION_FILE=/etc/release
-
-#
-# Set the following option to '0' if you do not want to receive a warning if any
-# O/S information has changed since the last run of 'rkhunter --propupd'. The
-# warnings occur during the file properties check. Setting a value of '1' will
-# cause rkhunter to issue a warning if something has changed.
-#
-# The default value is '1'.
-#
-#WARN_ON_OS_CHANGE=1
-
-#
-# Set the following option to '1' if you want rkhunter to automatically run a
-# file properties update ('--propupd') if the O/S has changed. Detection of an
-# O/S change occurs during the file properties check. Setting a value of '0'
-# will cause rkhunter not to do an automatic update.
-#
-# WARNING: Only set this option if you are sure that the update will work
-# correctly. That is, that the database directory is writeable, that a valid
-# hash function is available, and so on. This can usually be checked simply by
-# running 'rkhunter --propupd' at least once.
-#
-# The default value is '0'.
-#
-#UPDT_ON_OS_CHANGE=0
-
-#
-# The following two options can be used to whitelist files and directories that
-# would normally be flagged with a warning during the various rootkit and
-# malware checks. Only existing files and directories can be specified, and
-# these must be full pathnames not links.
-#
-# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
-# file name (separated by a colon). This will then only whitelist that string
-# in that file (as part of the malware checks). For example:
-#
-#     RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
-#
-# If the option list includes the filename on its own as well, then the file
-# will be whitelisted from rootkit checks of the files existence, but still
-# only the specific string within the file will be whitelisted. For example:
-#
-#     RTKT_FILE_WHITELIST=/etc/rc.local
-#     RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
-#
-# To whitelist a file from the existence checks, but not from the strings
-# checks, then include the filename on its own and on its own but with just
-# a colon appended. For example:
-#
-#     RTKT_FILE_WHITELIST=/etc/rc.local
-#     RTKT_FILE_WHITELIST=/etc/rc.local:
-#
-# NOTE: It is recommended that if you whitelist any files, then you include
-# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
-# configuration option.
-#
-# Both of these options may be specified more than once.
-#
-# For both options the default value is the null string.
-#
-#RTKT_DIR_WHITELIST=""
-#RTKT_FILE_WHITELIST=""
-RTKT_FILE_WHITELIST=/bin/ad
-# FreeIPA Certificate Authority
-RTKT_FILE_WHITELIST=/var/log/pki-ca/system
-# FreeIPA Certificate Authority
-RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
-
-#
-# The following option can be used to whitelist shared library files that would
-# normally be flagged with a warning during the preloaded shared library check.
-# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
-# the LD_PRELOAD environment variable.
-#
-# NOTE: It is recommended that if you whitelist any files, then you include
-# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
-# configuration option.
-#
-# This option is a space-separated list of library pathnames. The option may be
-# specified more than once.
-#
-# The default value is the null string.
-#
-#SHARED_LIB_WHITELIST=/lib/snoopy.so
-
-#
-# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
-# command the following two options can be used. The value must be set to
-# 'BUILTIN'.
-#
-# NOTE: IRIX users will probably need to enable STAT_CMD.
-#
-# For both options the default value is the null string.
-#
-#STAT_CMD=BUILTIN
-#READLINK_CMD=BUILTIN
-
-#
-# In the file properties test any modification date/time is displayed as the
-# number of epoch seconds. Rkhunter will try and use the 'date' command, or
-# failing that the 'perl' command, to display the date and time in a
-# human-readable format as well. This option may be used if some other command
-# should be used instead. The given command must understand the '%s' and
-# 'seconds ago' options found in the GNU 'date' command.
-#
-# A value of 'NONE' may be used to request that only the epoch seconds be shown.
-# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
-# it is present.
-#
-# This option has no default value.
-#
-#EPOCH_DATE_CMD=""
-
-#
-# This setting tells rkhunter the directory containing the available Linux
-# kernel modules. If unset, this setting will be worked out by rkhunter, and
-# so should not usually need to be set.
-#
-# This option has no default value.
-#
-#MODULES_DIR=""
-
-#
-# The following option can be set to a command which rkhunter will use when
-# downloading files from the Internet - that is, when the '--update' or
-# '--versioncheck' option is used. The command can take options.
-#
-# This allows the user to use a command other than the one automatically
-# selected by rkhunter, but still one which it already knows about.
-# For example:
-#
-#     WEB_CMD=curl
-#
-# Alternatively, the user may specify a completely new command. However, note
-# that rkhunter expects the downloaded file to be written to stdout, and that
-# everything written to stderr is ignored. For example:
-#
-#     WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
-#
-# *BSD users may want to use the 'ftp' command, provided that it supports the
-# HTTP protocol:
-#
-#     WEB_CMD="ftp -o -"
-#
-# This option has no default value.
-#
-#WEB_CMD=""
-
-#
-# Set the following option to '1' if locking is to be used when rkhunter runs.
-# The lock is set just before logging starts, and is removed when the program
-# ends. It is used to prevent items such as the log file, and the file
-# properties file, from becoming corrupted if rkhunter is running more than
-# once. The mechanism used is to simply create a lock file in the LOCKDIR
-# directory. If the lock file already exists, because rkhunter is already
-# running, then the current process simply loops around sleeping for 10 seconds
-# and then retrying the lock. A value of '0' means not to use locking.
-#
-# The default value is '0'.
-#
-# Also see the LOCKDIR, LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
-#
-#USE_LOCKING=0
-
-#
-# This option specifies the directory to be used when locking is enabled.
-# If the option is unset, then the directory to be used will be worked out
-# by rkhunter. In that instance the directories '/run/lock', '/var/lock',
-# '/var/run/lock', '/run' and '/var/run' will be checked in turn. If none
-# of those can be found, or are not read/writeable, then the TMPDIR directory
-# will be used.
-#
-# To avoid the lock file persisting across a server reboot, the directory
-# used should be memory-resident.
-#
-# This option has no default value.
-#
-#LOCKDIR=""
-
-#
-# If locking is used, then rkhunter may have to wait to get the lock file.
-# This option sets the total amount of time, in seconds, that rkhunter should
-# wait. It will retry the lock every 10 seconds, until either it obtains the
-# lock or the timeout value has been reached.
-#
-# The default value is 300 seconds (5 minutes).
-#
-#LOCK_TIMEOUT=300
-
-#
-# If locking is used, then rkhunter may be doing nothing for some time if it
-# has to wait for the lock. If this option is set to '1', then some simple
-# messages are echoed to the users screen to let them know that rkhunter is
-# waiting for the lock. Set this option to '0' if the messages are not to be
-# displayed.
-#
-# The default value is '1'.
-#
-#SHOW_LOCK_MSGS=1
-
-#
-# If this option is set to 'THOROUGH' then rkhunter will search (on a per
-# rootkit basis) for filenames in all of the directories (as defined by the
-# result of running 'find / -xdev'). While still not optimal, as it still
-# searches for only file names as opposed to file contents, this is one step
-# away from the rigidity of searching in known (evidence) or default
-# (installation) locations.
-#
-# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
-#
-# You should only activate this feature as part of a more thorough
-# investigation, which should be based on relevant best practices and
-# procedures. 
-#
-# Enabling this feature implies you have the knowledge to interpret the
-# results properly. 
-#
-# The default value is the null string.
-#
-#SCANROOTKITMODE=THOROUGH
-
-#
-# The following option can be set to the name(s) of the tests the 'unhide'
-# command is to use. Options such as '-m' and '-v' may be specified, but will
-# only take effect when they are seen. The test names are a space-separated
-# list, and will be executed in the order given.
-#
-# This option may be specified more than once.
-#
-# The default value is 'sys' in order to maintain compatibility with older
-# versions of 'unhide'.
-#
-#UNHIDE_TESTS=sys
-
-#
-# The following option can be used to set options for the 'unhide-tcp' command.
-# The options are space-separated.
-#
-# This option may be specified more than once.
-#
-# The default value is the null string.
-#
-#UNHIDETCP_OPTS=""
-
-#
-# This option can be set to either '0' or '1'. If set to '1' then the summary,
-# shown after rkhunter has run, will display the actual number of warnings
-# found. If it is set to '0', then the summary will simply indicate that
-# 'One or more' warnings were found. If no warnings were found, and this option
-# is set to '1', then a "0" will be shown. If the option is set to '0', then
-# the words 'No warnings' will be shown.
-#
-# The default value is '0'.
-#
-#SHOW_SUMMARY_WARNINGS_NUMBER=0
-
-#
-# This option is used to determine where, if anywhere, the summary scan time is
-# displayed. A value of '0' indicates that it should not be displayed anywhere.
-# A value of '1' indicates that the time should only appear on the screen, and a
-# value of '2' that it should only appear in the log file. A value of '3'
-# indicates that the time taken should appear both on the screen and in the log
-# file.
-#
-# The default value is '3'.
-#
-#SHOW_SUMMARY_TIME=3
-
-#
-# The two options below may be used to check if a file is missing or empty
-# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check
-# if the file is missing, since that can be interpreted as a file of no size.
-# However, the file will only be reported as missing if the MISSING_LOGFILES
-# option hasn't already done this.
-#
-# Both options are space-separated lists of pathnames, and may be specified
-# more than once.
-#
-# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is
-# perfectly possible for the file to be either missing or empty. As such these
-# options may produce false-positive warnings when log files are rotated.
-#
-# For both options the default value is the null string.
-#
-#EMPTY_LOGFILES=""
-#MISSING_LOGFILES=""
-
-#
-# This option can be set to either '0' or '1'. If set to '1' then the globbing
-# characters '**' can be used to allow the recursive checking of directories.
-# This can be useful, for example, with the USER_FILEPROP_FILES_DIRS option.
-# For example:
-#
-#	USER_FILEPROP_FILES_DIRS=/etc/**/*.conf
-#
-# This will check all '.conf' files within the '/etc' directory, and any
-# sub-directories (at any level). If GLOBSTAR is not set, then the shell will
-# interpret '**' as '*' and only one level of sub-directories will be checked.
-#
-# NOTE: This option is only valid for those shells which support the 'globstar'
-# option. Typically this will be 'bash' (version 4 and above) via the 'shopt' command,
-# and 'ksh' via the 'set' command.
-#
-# The default value is '0'.
-#
-#GLOBSTAR=0
-
-INSTALLDIR="/usr"
-ALLOWPROCLISTEN=/usr/sbin/wpa_supplicant