author | Matthieu Saulnier <fantom@fedoraproject.org> | 2020-10-23 09:49:29 +0200 |
---|---|---|
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2020-10-23 09:49:29 +0200 |
commit | 1113392fcf56b722bc2fd13dc9ca6e17aa81f0a3 (patch) | |
tree | c5f0a3b37d569e76fb2155170cd0329beeafa438 | |
parent | ef2a1711fd66bba4cc86abe0798490eba6c2f065 (diff) | |
download | playbooks-ansible-1113392fcf56b722bc2fd13dc9ca6e17aa81f0a3.tar.gz playbooks-ansible-1113392fcf56b722bc2fd13dc9ca6e17aa81f0a3.tar.xz playbooks-ansible-1113392fcf56b722bc2fd13dc9ca6e17aa81f0a3.zip |
Uninstall rkhunter HIDS on all hosts
-rw-r--r-- | playbooks/update.yml | 16 | ||||
-rw-r--r-- | roles/clients/tasks/main.yml | 3 | ||||
-rw-r--r-- | roles/clients/tasks/rkhunter.yml | 5 | ||||
-rw-r--r-- | roles/diagnostics/handlers/main.yml | 1 | ||||
-rw-r--r-- | roles/diagnostics/handlers/rkhunter.yml | 2 | ||||
-rw-r--r-- | roles/diagnostics/tasks/hidsdb.yml | 4 | ||||
-rw-r--r-- | roles/diagnostics/tasks/rkhunter.yml | 10 | ||||
-rw-r--r-- | roles/diagnostics/templates/rkhunter.conf.j2 | 1437 |
8 files changed, 2 insertions, 1476 deletions
diff --git a/playbooks/update.yml b/playbooks/update.yml
index f64571e..f57abef 100644
--- a/playbooks/update.yml
+++ b/playbooks/update.yml
@@ -43,19 +43,3 @@ to: "{{ jabberroom }}" msg: Casper, TASK [Reboot système programmé dans 1 heure] ****** tags: reboot
-
- - name: rkhunter internal database update
- at:
- command: /usr/bin/rkhunter --propupd
- count: 50
- units: minutes
- unique: yes
- when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
-
- - jabber:
- user: "{{ jabberuserid }}"
- password: "{{ jabberuserpwd }}"
- to: "{{ jabberroom }}"
- msg: Casper, TASK [Mise à jour rkhunter programmée dans 50 min] ******
- when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
diff --git a/roles/clients/tasks/main.yml b/roles/clients/tasks/main.yml
index e290688..19bacb0 100644
--- a/roles/clients/tasks/main.yml
+++ b/roles/clients/tasks/main.yml
@@ -28,9 +28,6 @@ - name: Configuration mock import_tasks: mock.yml
-- name: Configuration rkhunter pour mock
- import_tasks: rkhunter.yml
-
- name: Ajout points de montage import_tasks: mnt.yml
diff --git a/roles/clients/tasks/rkhunter.yml b/roles/clients/tasks/rkhunter.yml
deleted file mode 100644
index 85a1f38..0000000
--- a/roles/clients/tasks/rkhunter.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Changement de mode rkhunter mode lazy
- lineinfile:
- path: /etc/rkhunter.conf
- insertafter: '^#SCAN_MODE_DEV=THOROUGH'
- line: 'SCAN_MODE_DEV=LAZY'
diff --git a/roles/diagnostics/handlers/main.yml b/roles/diagnostics/handlers/main.yml
index 037a724..9aeb861 100644
--- a/roles/diagnostics/handlers/main.yml
+++ b/roles/diagnostics/handlers/main.yml
@@ -1,2 +1 @@ - import_tasks: aide.yml
-- import_tasks: rkhunter.yml
diff --git a/roles/diagnostics/handlers/rkhunter.yml b/roles/diagnostics/handlers/rkhunter.yml
deleted file mode 100644
index d332d08..0000000
--- a/roles/diagnostics/handlers/rkhunter.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: initialize rkhunter
- command: /usr/bin/rkhunter --propupd
diff --git a/roles/diagnostics/tasks/hidsdb.yml b/roles/diagnostics/tasks/hidsdb.yml
index 7269ac9..ebac83e 100644
--- a/roles/diagnostics/tasks/hidsdb.yml
+++ b/roles/diagnostics/tasks/hidsdb.yml
@@ -4,10 +4,6 @@ state: latest tags: hidsdb
-- name: rkhunter internal database update
- command: /usr/bin/rkhunter --propupd
- tags: hidsdb
-
- name: aide internal database reset command: /usr/sbin/aide -i register: hashinfo
diff --git a/roles/diagnostics/tasks/rkhunter.yml b/roles/diagnostics/tasks/rkhunter.yml
index dafcf8e..20281ff 100644
--- a/roles/diagnostics/tasks/rkhunter.yml
+++ b/roles/diagnostics/tasks/rkhunter.yml
@@ -1,13 +1,7 @@
-- name: Installation du HIDS rkhunter
+- name: Désinstallation du HIDS rkhunter
package: name: "{{ item }}"
- state: present
+ state: absent
loop: - rkhunter - unhide
-
-- name: Configuration de rkhunter
- template:
- src: rkhunter.conf.j2
- dest: /etc/rkhunter.conf
- mode: 0640
diff --git a/roles/diagnostics/templates/rkhunter.conf.j2 b/roles/diagnostics/templates/rkhunter.conf.j2
deleted file mode 100644
index dd689ba..0000000
--- a/roles/diagnostics/templates/rkhunter.conf.j2
+++ /dev/null
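Review bot: `state: absent` in the renamed task of roles/diagnostics/tasks/rkhunter.yml only removes the `rkhunter` and `unhide` packages; the configuration this role used to template to `/etc/rkhunter.conf` (mode 0640) and the paths that template pointed at (`TMPDIR=/var/lib/rkhunter`, `DBDIR=/var/lib/rkhunter/db`, `LOGFILE=/var/log/rkhunter/rkhunter.log`) are not touched, so the file-properties database and logs stay on every host after the uninstall. Because the config file was written by Ansible rather than by the package, the package manager will most likely leave it in place (possibly under a renamed backup), so a follow-up `file: state: absent` task over those paths would make the removal complete and keep the role idempotent. As long as roles/diagnostics/tasks/main.yml still imports rkhunter.yml (that import is outside this diff), the task will run on every play, which is fine for a one-off clean-up but the file should eventually be dropped altogether. The `disabletests` variable consumed by the deleted template's `DISABLE_TESTS` line is now unreferenced here and can presumably be removed from the inventory/group vars if nothing else uses it.
```yaml
- name: Désinstallation du HIDS rkhunter
# … unchanged: package removal loop over rkhunter and unhide …

- name: Suppression des fichiers résiduels de rkhunter
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/rkhunter.conf
    - /var/lib/rkhunter
    - /var/log/rkhunter/rkhunter.log
```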
@@ -1,1437 +0,0 @@ -# -# This is the main configuration file for Rootkit Hunter. -# -# You can modify this file directly, or you can create a local configuration -# file. The local file must be named 'rkhunter.conf.local', and must reside -# in the same directory as this file. Alternatively you can create a directory, -# named 'rkhunter.d', which also must be in the same directory as this -# configuration file. Within the 'rkhunter.d' directory you can place further -# configuration files. There is no restriction on the file names used, other -# than they must end in '.conf'. -# -# Please modify the configuration file(s) to your own requirements. It is -# recommended that the command 'rkhunter -C' is run after any changes have -# been made. -# -# Please review the documentation before posting bug reports or questions. -# To report bugs, provide patches or comments, please go to: -# http://rkhunter.sourceforge.net -# -# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list. -# Note that this is a moderated list, so please subscribe before posting. -# -# In the configuration files, lines beginning with a hash (#), and blank lines, -# are ignored. Also, end-of-line comments are not supported. -# -# Any of the configuration options may appear more than once. However, several -# options only take one value, and so the last one seen will be used. Some -# options are allowed to appear more than once, and the text describing the -# option will say if this is so. These configuration options will, in effect, -# have their values concatenated together. To delete a previously specified -# option list, specify the option with no value (that is, a null string). -# -# Some of the options are space-separated lists, others, typically those -# specifying pathnames, are newline-separated lists. These must be entered -# as one item per line. Quotes must not be used to surround the pathname. 
-# -# For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an -# option: XXX=/tmp/abc (correct) -# XXX=/tmp/xyz -# -# XXX="/tmp/abc" (incorrect) -# XXX="/tmp/xyz" -# -# XXX=/tmp/abc /tmp/xyz (incorrect) -# or XXX="/tmp/abc /tmp/xyz" (incorrect) -# or XXX="/tmp/abc" "/tmp/xyz" (incorrect) -# -# The last three examples are being configured as space-separated lists, -# which is incorrect, generally, for options specifying pathnames. They -# should be configured with one entry per line as in the first example. -# -# If wildcard characters (globbing) are allowed for an option, then the -# text describing the option will say so. Any globbing character explicitly -# required in a pathname should be escaped. -# -# Space-separated lists may be enclosed by quotes, although they are not -# required. If they are used, then they must only appear at the start and -# end of the list, not in the middle. -# -# For example: XXX=abc def gh (correct) -# XXX="abc def gh" (correct) -# XXX="abc" "def" "gh" (incorrect) -# -# Space-separated lists may also be entered simply as one entry per line. -# -# For example: XXX=abc (correct) -# XXX=def -# XXX="gh" -# -# If a configuration option is never set, then the program will assume a -# default value. The text describing the option will state the default value. -# If there is no default, then rkhunter will calculate a value or pathname -# to use. If a value is set for a configuration option, then the default -# value is ignored. If it is wished to keep the default value, as well as -# any other set value, then the default must be explicitly set. -# - - -# -# If this option is set to '1', it specifies that the mirrors file -# ('mirrors.dat'), which is used when the '--update' and '--versioncheck' -# options are used, is to be rotated. Rotating the entries in the file allows -# a basic form of load-balancing between the mirror sites whenever the above -# options are used. 
-# -# If the option is set to '0', then the mirrors will be treated as if in a -# priority list. That is, the first mirror listed will always be used first. -# The second mirror will only be used if the first mirror fails, the third -# mirror will only be used if the second mirror fails, and so on. -# -# If the mirrors file is read-only, then the '--versioncheck' command-line -# option can only be used if this option is set to '0'. -# -# The default value is '1'. -# -#ROTATE_MIRRORS=1 - -# -# If this option is set to '1', it specifies that when the '--update' option is -# used, then the mirrors file is to be checked for updates as well. If the -# current mirrors file contains any local mirrors, these will be prepended to -# the updated file. If this option is set to '0', the mirrors file can only be -# updated manually. This may be useful if only using local mirrors. -# -# The default value is '1'. -# -#UPDATE_MIRRORS=1 - -# -# The MIRRORS_MODE option tells rkhunter which mirrors are to be used when -# the '--update' or '--versioncheck' command-line options are given. -# Possible values are: -# 0 - use any mirror -# 1 - only use local mirrors -# 2 - only use remote mirrors -# -# Local and remote mirrors can be defined in the mirrors file by using the -# 'local=' and 'remote=' keywords respectively. -# -# The default value is '0'. -# -#MIRRORS_MODE=0 - -# -# Email a message to this address if a warning is found when the system is -# being checked. Multiple addresses may be specified simply be separating -# them with a space. To disable the option, simply set it to the null string -# or comment it out. -# -# The option may be specified more than once. -# -# The default value is the null string. -# -# Also see the MAIL_CMD option. -# -#MAIL-ON-WARNING=me@mydomain root@mydomain - -# -# This option specifies the mail command to use if MAIL-ON-WARNING is set. 
-# -# NOTE: Double quotes are not required around the command, but are required -# around the subject line if it contains spaces. -# -# The default is to use the 'mail' command, with a subject line -# of '[rkhunter] Warnings found for ${HOST_NAME}'. -# -#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" - -# -# This option specifies the directory to use for temporary files. -# -# NOTE: Do not use '/tmp' as your temporary directory. Some important files -# will be written to this directory, so be sure that the directory permissions -# are secure. -# -# The installer program will set the default directory. If this default is -# subsequently commented out or removed, then the program will assume a -# default directory beneath the installation directory. -# -#TMPDIR=/var/lib/rkhunter/tmp -TMPDIR=/var/lib/rkhunter - -# -# This option specifies the database directory to use. -# -# The installer program will set the default directory. If this default is -# subsequently commented out or removed, then the program will assume a -# default directory beneath the installation directory. -# -#DBDIR=/var/lib/rkhunter/db -DBDIR=/var/lib/rkhunter/db - -# -# This option specifies the script directory to use. -# -# The installer program will set the default directory. If this default is -# subsequently commented out or removed, then the program will not run. -# -#SCRIPTDIR=/usr/local/lib/rkhunter/scripts -SCRIPTDIR=/usr/share/rkhunter/scripts - -# -# This option can be used to modify the command directory list used by rkhunter -# to locate commands (that is, its PATH). By default this will be the root PATH, -# and an internal list of some common command directories. -# -# Any directories specified here will, by default, be appended to the default -# list. However, if a directory name begins with the '+' character, then that -# directory will be prepended to the list (that is, it will be put at the start -# of the list). 
-# -# This is a space-separated list of directory names. The option may be -# specified more than once. -# -# The default value is based on the root account PATH environment variable. -# -#BINDIR=/bin /usr/bin /sbin /usr/sbin -#BINDIR=+/usr/local/bin +/usr/local/sbin - -# -# This option specifies the default language to use. This should be similar to -# the ISO 639 language code. -# -# NOTE: Please ensure that the language you specify is supported. -# For a list of supported languages use the following command: -# -# rkhunter --lang en --list languages -# -# The default language is 'en' (English). -# -#LANGUAGE=en - -# -# This option is a space-separated list of the languages that are to be updated -# when the '--update' option is used. If unset, then all the languages will be -# updated. If none of the languages are to be updated, then set this option to -# just 'en'. -# -# The default language, specified by the LANGUAGE option, and the English (en) -# language file will always be updated regardless of this option. -# -# This option may be specified more than once. -# -# The default value is the null string, indicating that all the language files -# will be updated. -# -#UPDATE_LANG="" - -# -# This option specifies the log file pathname. The file will be created if it -# does not initially exist. If the option is unset, then the program will -# display a message each time it is run saying that the default value is being -# used. -# -# The default value is '/var/log/rkhunter.log'. -# -LOGFILE=/var/log/rkhunter/rkhunter.log - -# -# Set this option to '1' if the log file is to be appended to whenever rkhunter -# is run. A value of '0' will cause a new log file to be created whenever the -# program is run. -# -# The default value is '0'. -# -#APPEND_LOG=0 -APPEND_LOG=1 - -# -# Set the following option to '1' if the log file is to be copied when rkhunter -# finishes and an error or warning has occurred. 
The copied log file name will -# be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format). -# For example: rkhunter.log.2009-04-21_00:57:51 -# If the option value is '0', then the log file will not be copied regardless -# of whether any errors or warnings occurred. -# -# The default value is '0'. -# -#COPY_LOG_ON_ERROR=0 - -# -# Set the following option to enable the rkhunter check start and finish times -# to be logged by syslog. Warning messages will also be logged. The value of -# the option must be a standard syslog facility and priority, separated by a -# dot. For example: -# -# USE_SYSLOG=authpriv.warning -# -# Setting the value to 'NONE', or just leaving the option commented out, -# disables the use of syslog. -# -# The default value is not to use syslog. -# -#USE_SYSLOG=authpriv.notice - -# -# Set the following option to '1' if the second colour set is to be used. This -# can be useful if your screen uses black characters on a white background -# (for example, a PC instead of a server). A value of '0' will cause the default -# colour set to be used. -# -# The default value is '0'. -# -#COLOR_SET2=0 - -# -# Set the following option to '0' if rkhunter should not detect if X is being -# used. If X is detected as being used, then the second colour set will -# automatically be used. If set to '1', then the use of X will be detected. -# -# The default value is '0'. -# -AUTO_X_DETECT=1 - -# -# Set the following option to '1' if it is wanted that any 'Whitelisted' results -# are shown in white rather than green. For colour set 2 users, setting this -# option will cause the result to be shown in black. Setting the option to '0' -# causes whitelisted results to be displayed in green. -# -# The default value is '0'. -# -#WHITELISTED_IS_WHITE=0 - -# -# The following option is checked against the SSH configuration file -# 'PermitRootLogin' option. A warning will be displayed if they do not match. 
-# However, if a value has not been set in the SSH configuration file, then a -# value here of 'unset' can be used to avoid warning messages. -# -# The default value is 'no'. -# -#ALLOW_SSH_ROOT_USER=no -ALLOW_SSH_ROOT_USER=yes - -# -# Set this option to '1' to allow the use of the SSH-1 protocol, but note -# that theoretically it is weaker, and therefore less secure, than the -# SSH-2 protocol. Do not modify this option unless you have good reasons -# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 -# authentication). If the 'Protocol' option has not been set in the SSH -# configuration file, then a value of '2' may be set here in order to -# suppress a warning message. A value of '0' indicates that the use of -# SSH-1 is not allowed. -# -# The default value is '0'. -# -#ALLOW_SSH_PROT_V1=0 -ALLOW_SSH_PROT_V1=2 - -# -# This setting tells rkhunter the directory containing the SSH configuration -# file. If unset, this setting will be worked out by rkhunter, and so should -# not usually need to be set. -# -# This option has no default value. -# -#SSH_CONFIG_DIR=/etc/ssh - -# -# These two options determine which tests are to be performed. The ENABLE_TESTS -# option can use the word 'ALL' to refer to all of the available tests. The -# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are -# disabled. The list of disabled tests is applied to the list of enabled tests. -# -# Both options are space-separated lists of test names, and both options may -# be specified more than once. The currently available test names can be seen -# by using the command 'rkhunter --list tests'. -# -# The supplied configuration file has some tests already disabled, and these -# are tests that will be used only occasionally, can be considered 'advanced' -# or that are prone to produce more than the average number of false-positives. 
-# -# Please read the README file for more details about enabling and disabling -# tests, the test names, and how rkhunter behaves when these options are used. -# -# The default values are to enable all tests and to disable none. However, if -# either of the options below are specified, then they will override the -# program defaults. -# -ENABLE_TESTS=ALL -#DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps -#DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps ipc_shared_mem -DISABLE_TESTS={% for item in disabletests %}{{ item }} {% endfor %} - -# -# The HASH_CMD option can be used to specify the command to use for the file -# properties hash value check. It can be specified as just the command name or -# the full pathname. If just the command name is given, and it is one of MD5, -# SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the -# relevant command, such as 'sha256sum', and then for 'sha256'. If neither of -# these are found, it will then look to see if a perl module has been installed -# which will support the relevant hash function. To see which perl modules have -# been installed use the command 'rkhunter --list perl'. -# -# Systems using prelinking are restricted to using either the SHA1 or MD5 -# function. -# -# A value of 'NONE' (in uppercase) can be specified to indicate that no hash -# function should be used. Rkhunter will detect this, and automatically disable -# the file properties hash check test. -# -# Examples: -# For Solaris 9 : HASH_CMD=gmd5sum -# For Solaris 10: HASH_CMD=sha1sum -# For AIX (>5.2): HASH_CMD="csum -hMD5" -# For NetBSD : HASH_CMD="cksum -a sha512" -# -# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. -# -# The default value is the SHA256 function, unless prelinking is used in -# which case it defaults to the SHA1 function. -# -# Also see the HASH_FLD_IDX option. 
In addition, note the comments under -# the PKGMGR option relating to the use of HASH_CMD. -# -#HASH_CMD=SHA256 - -# -# The HASH_FLD_IDX option specifies which field from the HASH_CMD command -# output contains the hash value. The fields are assumed to be space-separated. -# -# The option value must be an integer greater than zero. -# -# The default value is '1', but for *BSD users rkhunter will, by default, use a -# value of '4' if the HASH_CMD option has not been set. -# -#HASH_FLD_IDX=4 - -# -# The PKGMGR option tells rkhunter to use the specified package manager to -# obtain the file property information. This is used when updating the file -# properties file ('rkhunter.dat'), and when running the file properties check. -# For RedHat/RPM-based systems, 'RPM' can be used to get information from the -# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems -# 'BSD' can be used, or for *BSD systems with the 'pkg' command 'BSDng' can be -# used, and for Solaris systems 'SOLARIS' can be used. No value, or a value of -# 'NONE', indicates that no package manager is to be used. -# -# The package managers obtain each file hash value using a hash function. The -# Solaris package manager includes a 16-bit checksum value, but this is not -# used by default (see USE_SUNSUM below). The 'RPM' and 'BSDng' package managers -# currently use a SHA256 hash function. Other package managers will, typically, -# use an MD5 hash function. -# -# The 'DPKG', 'BSD' and 'BSDng' package managers only provide a file hash value. -# The 'RPM' package manager additionally provides values for the inode, file -# permissions, uid, gid and other values. The 'SOLARIS' package manager also -# provides most of the values, similar to 'RPM', but not the inode number. -# -# For any file not part of a package, rkhunter will revert to using the -# HASH_CMD hash function instead. 
This means that if the HASH_CMD option -# is set, and PKGMGR is set, then the HASH_CMD hash function is only used, -# and stored, for non-packaged files. All packaged files will use, and store, -# whatever hash function the relevant package manager uses. So, for example, -# with the 'RPM' package manager, packaged files will be stored with their -# SHA256 value regardless of the value of the HASH_CMD option. -# -# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. -# -# The default value is 'NONE'. -# -# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options. -# -#PKGMGR=NONE -PKGMGR=RPM - -# -# It is possible that a file, which is part of a package, may have been -# modified by the administrator. Typically this occurs for configuration -# files. However, the package manager may list the file as being modified. -# For the RPM package manager this may well depend on how the package was -# built. This option specifies a pathname which is to be exempt from the -# package manager verification process, and which will be treated -# as a non-packaged file. As such, the file properties are still checked. -# -# This option only takes effect if the PKGMGR option has been set, and -# is not 'NONE'. -# -# This option may be specified more than once. -# -# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. -# -# The default value is the null string. -# -#PKGMGR_NO_VRFY="" - -# -# If the 'SOLARIS' package manager is used, then it is possible to use the -# checksum (hash) value stored for a file. However, this is only a 16-bit -# checksum, and as such is not nearly as secure as, for example, a SHA-2 value. -# If the option is set to '0', then the checksum is not used and the hash -# function given by HASH_CMD is used instead. To enable this option, set its -# value to '1'. The Solaris 'sum' command must be present on the system if this -# option is used. -# -# The default value is '0'. 
-# -#USE_SUNSUM=0 - -# -# This option can be used to tell rkhunter to ignore any prelink dependency -# errors for the given commands. However, a warning will also be issued if the -# error does not occur for a given command. As such this option must only be -# used on commands which experience a persistent problem. -# -# Short-term prelink dependency errors can usually be resolved simply by -# running the 'prelink' command on the given pathname. -# -# This is a space-separated list of command pathnames. The option can be -# specified more than once. -# -# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. -# -# The default value is the null string. -# -#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top - -# -# These options specify a command, directory or file pathname which will be -# included or excluded in the file properties checks. -# -# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example, -# 'top' - and directory names are added to the internal list of directories to -# be searched for each of the command names in the command list. Additionally, -# full pathnames to files, which need not be commands, may be given. Any files -# or directories which are already part of the internal lists will be silently -# ignored from the configuration. -# -# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for -# simple command names. -# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. -# -# To extend the use of wildcards to include recursive checking of directories, -# see the GLOBSTAR configuration option. -# -# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS -# option. Wildcards may be used with this option. -# -# By combining these two options, and using wildcards, whole directories can be -# excluded. 
For example: -# -# USER_FILEPROP_FILES_DIRS=/etc/* -# USER_FILEPROP_FILES_DIRS=/etc/*/* -# EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/* -# -# This will look for files in the first two directory levels of '/etc'. However, -# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be -# excluded. -# -# NOTE: Only files and directories which have been added by the user, and are -# not part of the internal lists, can be excluded. So, for example, it is not -# possible to exclude the 'ps' command by using '/bin/ps'. These will be -# silently ignored from the configuration. -# -# Both options can be specified more than once. -# -# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run. -# -# The default value for both options is the null string. -# -#USER_FILEPROP_FILES_DIRS=top -#USER_FILEPROP_FILES_DIRS=/usr/local/sbin -#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf -#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local -#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.d/* -#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps* - -# -# This option whitelists files and directories from existing, or not existing, -# on the system at the time of testing. This option is used when the -# configuration file options themselves are checked, and during the file -# properties check, the hidden files and directories checks, and the filesystem -# check of the '/dev' directory. -# -# This option may be specified more than once, and may use wildcards. -# Be aware though that this is probably not what you want to do as the -# wildcarding will be expanded after files have been deleted. As such -# deleted files won't be whitelisted if wildcarded. -# -# NOTE: The user must take into consideration how often the file will appear -# and disappear from the system in relation to how often rkhunter is run. If -# the file appears, and disappears, too often then rkhunter may not notice -# this. All it will see is that the file has changed. 
The inode number and DTM -# will certainly be different for each new file, and rkhunter will report this. -# -# The default value is the null string. -# -#EXISTWHITELIST="" -EXISTWHITELIST=/bin/ad -# FreeIPA Certificate Authority -EXISTWHITELIST=/var/log/pki-ca/system -# FreeIPA Certificate Authority -EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system -# FreeIPA with KRA (Password Vault) -EXISTWHITELIST=/var/log/pki/pki-tomcat/kra/system -RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/kra/system -# Some non default installed files we check -EXISTWHITELIST=/usr/bin/GET -EXISTWHITELIST=/usr/bin/whatis - -# -# Whitelist various attributes of the specified file. The attributes are those -# of the 'attributes' test. Specifying a file name here does not include it -# being whitelisted for the write permission test (see below). -# -# This option may be specified more than once, and may use wildcard characters. -# -# The default value is the null string. -# -#ATTRWHITELIST=/usr/bin/date - -# -# Allow the specified file to have the 'others' (world) permission have the -# write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx. -# -# This option may be specified more than once, and may use wildcard characters. -# -# The default value is the null string. -# -#WRITEWHITELIST=/usr/bin/date - -# -# Allow the specified file to be a script. -# -# This option may be specified more than once, and may use wildcard characters. -# -# The default value is the null string. -# -#SCRIPTWHITELIST=/usr/bin/groups -SCRIPTWHITELIST=/usr/bin/whatis -SCRIPTWHITELIST=/usr/bin/ldd -SCRIPTWHITELIST=/usr/bin/groups -SCRIPTWHITELIST=/usr/bin/GET -{% if ansible_distribution == "CentOS" -%} -SCRIPTWHITELIST=/sbin/ifup -SCRIPTWHITELIST=/sbin/ifdown -{% endif -%} - -# -# Allow the specified file to have the immutable attribute set. -# -# This option may be specified more than once, and may use wildcard characters. -# -# The default value is the null string. 
-# -#IMMUTWHITELIST=/sbin/ifdown - -# -# If this option is set to '1', then the immutable-bit test is reversed. That -# is, the files are expected to have the bit set. A value of '0' means that the -# immutable-bit should not be set. -# -# The default value is '0'. -# -#IMMUTABLE_SET=0 - -# -# If this option is set to '1', then any changed inode value is ignored in -# the file properties check. The inode test itself still runs, but it will -# always return that no inodes have changed. -# -# This option may be useful for filesystems such as Btrfs, which handle inodes -# slightly differently than other filesystems. -# -# The default value is '0'. -# -#SKIP_INODE_CHECK=0 - -# -# Allow the specified hidden directory to be whitelisted. -# -# This option may be specified more than once, and may use wildcard characters. -# -# The default value is the null string. -# -#ALLOWHIDDENDIR=/etc/.java -#ALLOWHIDDENDIR=/dev/.udev -#ALLOWHIDDENDIR=/dev/.udevdb -#ALLOWHIDDENDIR=/dev/.mdadm -ALLOWHIDDENDIR="/etc/.java" -ALLOWHIDDENDIR=/dev/.udev -ALLOWHIDDENDIR=/dev/.udevdb -ALLOWHIDDENDIR=/dev/.udev.tdb -ALLOWHIDDENDIR=/dev/.static -ALLOWHIDDENDIR=/dev/.initramfs -ALLOWHIDDENDIR=/dev/.SRC-unix -ALLOWHIDDENDIR=/dev/.mdadm -ALLOWHIDDENDIR=/dev/.systemd -ALLOWHIDDENDIR=/dev/.mount -# for etckeeper -ALLOWHIDDENDIR=/etc/.git -ALLOWHIDDENDIR=/etc/.bzr - -# -# Allow the specified hidden file to be whitelisted. -# -# This option may be specified more than once, and may use wildcard characters. -# -# The default value is the null string. 
-#
-#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
-#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
-#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
-#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
-#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
-#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
-#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
-ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
-ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac
-ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac
-ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
-ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
-ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac
-ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac
-ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
-ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
-ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
-ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
-ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
-ALLOWHIDDENFILE=/dev/.mdadm.map
-ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
-ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
-ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
-# etckeeper
-ALLOWHIDDENFILE=/etc/.etckeeper
-ALLOWHIDDENFILE=/etc/.gitignore
-ALLOWHIDDENFILE=/etc/.bzrignore
-# systemd
-ALLOWHIDDENFILE=/etc/.updated
-
-#
-# Allow the specified process to use deleted files. The process name may be
-# followed by a colon-separated list of full pathnames (which have been
-# deleted). The process will then only be whitelisted if it is using one of
-# the given pathnames. For example:
-#
-# ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
-#
-# This option may be specified more than once. It may also use wildcards, but
-# only in the deleted file pathnames, not in the process name. The use of
-# extended pattern matching in pathname expansion (for example, '**') is not
-# supported for this option. However, the option itself extends globbing when
-# the '*' character is used by matching zero or more characters in the
-# pathname, including those in sub-directories. For example, the pathname
-# '/tmp/abc/def/xyz' would not be matched by shell globbing using '/tmp/*/xyz'
-# but is matched when used in this option. Similarly, using '/tmp/*' will
-# match any file found in the '/tmp' directory or any sub-directories.
-#
-# The default value is the null string.
-#
-#ALLOWPROCDELFILE=/sbin/cardmgr
-#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
-
-#
-# Allow the specified process to listen on any network interface.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#ALLOWPROCLISTEN=/sbin/dhclient
-#ALLOWPROCLISTEN=/usr/bin/dhcpcd
-#ALLOWPROCLISTEN=/usr/sbin/tcpdump
-#ALLOWPROCLISTEN=/usr/sbin/snort-plain
-
-#
-# Allow the specified network interfaces to be in promiscuous mode.
-#
-# This is a space-separated list of interface names. The option may be
-# specified more than once.
-#
-# The default value is the null string.
-#
-#ALLOWPROMISCIF=eth0
-
-#
-# This option specifies how rkhunter should scan the '/dev' directory for
-# suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'.
-#
-# A THOROUGH scan will increase the overall runtime of rkhunter. Despite this,
-# it is highly recommended that this value is used.
-#
-# The default value is 'THOROUGH'.
-#
-# Also see the ALLOWDEVFILE option.
-#
-#SCAN_MODE_DEV=THOROUGH
-SCAN_MODE_DEV=LAZY
-
-#
-# Allow the specified file to be present in the '/dev' directory, and not
-# regarded as suspicious.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#ALLOWDEVFILE=/dev/shm/pulse-shm-*
-#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
-ALLOWDEVFILE=/dev/shm/pulse-shm-*
-ALLOWDEVFILE=/dev/md/md-device-map
-# tomboy creates this one
-ALLOWDEVFILE="/dev/shm/mono.*"
-# created by libv4l
-ALLOWDEVFILE="/dev/shm/libv4l-*"
-# created by spice video
-ALLOWDEVFILE="/dev/shm/spice.*"
-# created by mdadm
-ALLOWDEVFILE="/dev/md/autorebuild.pid"
-# 389 Directory Server
-ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
-# squid proxy
-ALLOWDEVFILE=/dev/shm/squid-cf*
-# squid ssl cache
-ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm
-ALLOWDEVFILE=/dev/shm/squid-tls_session_cache.shm
-# allow lldpad state file
-ALLOWDEVFILE=/dev/shm/lldpad.state
-# Allow PCS/Pacemaker/Corosync
-ALLOWDEVFILE=/dev/shm/qb-attrd-*
-ALLOWDEVFILE=/dev/shm/qb-cfg-*
-ALLOWDEVFILE=/dev/shm/qb-cib_rw-*
-ALLOWDEVFILE=/dev/shm/qb-cib_shm-*
-ALLOWDEVFILE=/dev/shm/qb-corosync-*
-ALLOWDEVFILE=/dev/shm/qb-cpg-*
-ALLOWDEVFILE=/dev/shm/qb-lrmd-*
-ALLOWDEVFILE=/dev/shm/qb-pengine-*
-ALLOWDEVFILE=/dev/shm/qb-quorum-*
-ALLOWDEVFILE=/dev/shm/qb-stonith-*
-
-#
-# Allow the specified process pathnames to use shared memory segments.
-#
-# This option may be specified more than once, and may use wildcard characters.
-#
-# The default value is the null string.
-#
-#ALLOWIPCPROC=/usr/bin/firefox
-#ALLOWIPCPROC=/usr/bin/vlc
-
-#
-# Allow the specified memory segment creator PIDs to use shared memory segments.
-#
-# This is a space-separated list of PID numbers (as given by the
-# 'ipcs -p' command). This option may be specified more than once.
-#
-# The default value is the null string.
-#
-#ALLOWIPCPID=12345 6789
-
-#
-# Allow the specified account names to use shared memory segments.
-#
-# This is a space-separated list of account names. The option may be specified
-# more than once.
-#
-# The default value is the null string.
-#
-#ALLOWIPCUSER=usera userb
-
-#
-# This option can be used to set the maximum shared memory segment size
-# (in bytes) that is not considered suspicious. Any segment above this size,
-# and with 600 or 666 permissions, will be considered suspicious during the
-# shared memory check.
-#
-# The default is 1048576 (1M) bytes.
-#
-#IPC_SEG_SIZE=1048576
-
-#
-# This option is used to indicate if the Phalanx2 test is to perform a basic
-# check, or a more thorough check. If the option is set to '0', then a basic
-# check is performed. If it is set to '1', then all the directories in the
-# '/etc' and '/usr' directories are scanned.
-#
-# NOTE: Setting this option to '1' will cause the test to take longer
-# to complete.
-#
-# The default value is '0'.
-#
-#PHALANX2_DIRTEST=0
-
-#
-# This option tells rkhunter where the inetd configuration file is located.
-#
-# The default value is the null string.
-#
-#INETD_CONF_PATH=/etc/inetd.conf
-
-#
-# This option allows the specified enabled inetd services.
-#
-# This is a space-separated list of service names. The option may be specified
-# more than once.
-#
-# For non-Solaris users the simple service name should be used.
-# For example:
-#
-# INETD_ALLOWED_SVC=echo
-#
-# For Solaris 9 users the simple service name should also be used, but
-# if it is an RPC service, then the executable pathname should be used.
-# For example:
-#
-# INETD_ALLOWED_SVC=imaps
-# INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd
-#
-# For Solaris 10 users the service/FMRI name should be used. For example:
-#
-# INETD_ALLOWED_SVC=/network/rpc/meta
-# INETD_ALLOWED_SVC=/network/rpc/metamed
-# INETD_ALLOWED_SVC=/application/font/stfsloader
-# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
-#
-# The default value is the null string.
-#
-#INETD_ALLOWED_SVC=echo
-
-#
-# This option tells rkhunter where the xinetd configuration file is located.
-#
-# The default value is the null string.
-#
-#XINETD_CONF_PATH=/etc/xinetd.conf
-
-#
-# This option allows the specified enabled xinetd services. Whilst it would be
-# nice to use the service names themselves, at the time of testing we only have
-# the pathname available. As such, these entries are the xinetd file pathnames.
-#
-# This is a space-separated list of service names. The option may be specified
-# more than once.
-#
-# The default value is the null string.
-#
-#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
-
-#
-# This option tells rkhunter the local system startup file pathnames. The
-# directories will be searched for files. If unset, then rkhunter will try
-# and determine were the startup files are located. If the option is set to
-# 'NONE' then certain tests will be skipped.
-#
-# This is a space-separated list of file and directory pathnames. The option
-# may be specified more than once, and may use wildcard characters.
-#
-# This option has no default value.
-#
-#STARTUP_PATHS=/etc/rc.d /etc/rc.local
-
-#
-# This option tells rkhunter the pathname to the file containing the user
-# account passwords. If unset, this setting will be worked out by rkhunter,
-# and so should not usually need to be set. Users of TCB shadow files should
-# not set this option.
-#
-# This option has no default value.
-#
-#PASSWORD_FILE=/etc/shadow
-
-#
-# This option allows the specified accounts to be root equivalent. These
-# accounts will have a UID value of zero. The 'root' account does not need
-# to be listed as it is automatically whitelisted.
-#
-# This is a space-separated list of account names. The option may be specified
-# more than once.
-#
-# NOTE: For *BSD systems you will probably need to use this option for the
-# 'toor' account.
-#
-# The default value is the null string.
-#
-#UID0_ACCOUNTS=toor rooty
-
-#
-# This option allows the specified accounts to have no password. NIS/YP entries
-# do not need to be listed as they are automatically whitelisted.
-#
-# This is a space-separated list of account names. The option may be specified
-# more than once.
-#
-# The default value is the null string.
-#
-#PWDLESS_ACCOUNTS=abc
-
-#
-# This option tells rkhunter the pathname to the syslog configuration file.
-# If unset, this setting will be worked out by rkhunter, and so should not
-# usually need to be set. A value of 'NONE' can be used to indicate that
-# there is no configuration file, but that the syslog daemon process may
-# be running.
-#
-# This is a space-separated list of pathnames. The option may be specified
-# more than once.
-#
-# This option has no default value.
-#
-#SYSLOG_CONFIG_FILE=/etc/syslog.conf
-
-#
-# If this option is set to '1', then the use of syslog remote logging is
-# permitted. A value of '0' disallows the use of remote logging.
-#
-# The default value is '0'.
-#
-#ALLOW_SYSLOG_REMOTE_LOGGING=0
-
-#
-# This option allows the specified applications, or a specific version of an
-# application, to be whitelisted. If a specific version is to be whitelisted,
-# then the name must be followed by a colon and then the version number.
-# For example:
-#
-# APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29
-#
-# This is a space-separated list of pathnames. The option may be specified
-# more than once.
-#
-# The default value is the null string.
-#
-#APP_WHITELIST=""
-
-#
-# Set this option to scan for suspicious files in directories which pose a
-# relatively higher risk due to user write access.
-#
-# Please do not enable the 'suspscan' test by default as it is CPU and I/O
-# intensive, and prone to producing false positives. Do review all settings
-# before usage. Also be aware that running 'suspscan' in combination with
-# verbose logging on, rkhunter's default, will show all ignored files.
-#
-# Please consider adding all directories the user the (web)server runs as,
-# and has write access to, including the document root (e.g: '/var/www') and
-# log directories (e.g: '/var/log/httpd').
-#
-# This is a space-separated list of directory pathnames. The option may be
-# specified more than once.
-#
-# The default value is the '/tmp' and '/var/tmp' directories.
-#
-#SUSPSCAN_DIRS=/tmp /var/tmp
-
-#
-# This option specifies the directory for temporary files used by the
-# 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is
-# better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS
-# as that is highly likely to cause false-positive results.
-#
-# The default value is '/dev/shm'.
-#
-#SUSPSCAN_TEMP=/dev/shm
-
-#
-# This option specifies the 'suspscan' test maximum filesize in bytes. Files
-# larger than this will not be inspected. Do make sure you have enough space
-# available in your temporary files directory.
-#
-# The default value is '1024000'.
-#
-#SUSPSCAN_MAXSIZE=1024000
-
-#
-# This option specifies the 'suspscan' test score threshold. Below this value
-# no hits will be reported.
-#
-# The default value is '200'.
-#
-#SUSPSCAN_THRESH=200
-
-#
-# This option may be used to whitelist file pathnames from the suspscan test.
-#
-# Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration
-# option.
-#
-# This option may be specified more than once.
-#
-# The default value is the null string.
-#
-#SUSPSCAN_WHITELIST=""
-
-#
-# The following options can be used to whitelist network ports which are known
-# to have been used by malware.
-#
-# The PORT_WHITELIST option is a space-separated list of one or more of two
-# types of whitelisting. These are:
-#
-# 1) a 'protocol:port' pair
-# 2) an asterisk ('*')
-#
-# Only the UDP or TCP protocol may be specified, and the port number must be
-# between 1 and 65535 inclusive.
-#
-# The asterisk can be used to indicate that any executable which rkhunter can
-# locate as a command, is whitelisted. (Also see BINDIR)
-#
-# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting.
-# These are:
-#
-# 1) a pathname to an executable
-# 2) a combined pathname, protocol and port
-#
-# As above, the protocol can only be TCP or UDP, and the port number must be
-# between 1 and 65535 inclusive.
-#
-# Examples:
-#
-# PORT_WHITELIST=TCP:2001 UDP:32011
-# PORT_PATH_WHITELIST=/usr/sbin/squid
-# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
-#
-# NOTE: In order to whitelist a pathname, or use the asterisk option, the
-# 'lsof' command must be present.
-#
-# Both options may be specified more than once.
-#
-# The default value for both options is the null string.
-#
-#PORT_WHITELIST=""
-#PORT_PATH_WHITELIST=""
-
-#
-# The following option can be used to tell rkhunter where the operating system
-# 'release' file is located. This file contains information specifying the
-# current O/S version. RKH will store this information, and check to see if it
-# has changed between each run. If it has changed, then the user is warned that
-# RKH may issue warning messages until RKH has been run with the '--propupd'
-# option.
-#
-# Since the contents of the file vary according to the O/S distribution, RKH
-# will perform different actions when it detects the file itself. As such, this
-# option should not be set unless necessary. If this option is specified, then
-# RKH will assume the O/S release information is on the first non-blank line of
-# the file.
-#
-# This option has no default value.
-#
-# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options.
-#
-#OS_VERSION_FILE=/etc/release
-
-#
-# Set the following option to '0' if you do not want to receive a warning if any
-# O/S information has changed since the last run of 'rkhunter --propupd'. The
-# warnings occur during the file properties check. Setting a value of '1' will
-# cause rkhunter to issue a warning if something has changed.
-#
-# The default value is '1'.
-#
-#WARN_ON_OS_CHANGE=1
-
-#
-# Set the following option to '1' if you want rkhunter to automatically run a
-# file properties update ('--propupd') if the O/S has changed. Detection of an
-# O/S change occurs during the file properties check. Setting a value of '0'
-# will cause rkhunter not to do an automatic update.
-#
-# WARNING: Only set this option if you are sure that the update will work
-# correctly. That is, that the database directory is writeable, that a valid
-# hash function is available, and so on. This can usually be checked simply by
-# running 'rkhunter --propupd' at least once.
-#
-# The default value is '0'.
-#
-#UPDT_ON_OS_CHANGE=0
-
-#
-# The following two options can be used to whitelist files and directories that
-# would normally be flagged with a warning during the various rootkit and
-# malware checks. Only existing files and directories can be specified, and
-# these must be full pathnames not links.
-#
-# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
-# file name (separated by a colon). This will then only whitelist that string
-# in that file (as part of the malware checks). For example:
-#
-# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
-#
-# If the option list includes the filename on its own as well, then the file
-# will be whitelisted from rootkit checks of the files existence, but still
-# only the specific string within the file will be whitelisted. For example:
-#
-# RTKT_FILE_WHITELIST=/etc/rc.local
-# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
-#
-# To whitelist a file from the existence checks, but not from the strings
-# checks, then include the filename on its own and on its own but with just
-# a colon appended. For example:
-#
-# RTKT_FILE_WHITELIST=/etc/rc.local
-# RTKT_FILE_WHITELIST=/etc/rc.local:
-#
-# NOTE: It is recommended that if you whitelist any files, then you include
-# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
-# configuration option.
-#
-# Both of these options may be specified more than once.
-#
-# For both options the default value is the null string.
-#
-#RTKT_DIR_WHITELIST=""
-#RTKT_FILE_WHITELIST=""
-RTKT_FILE_WHITELIST=/bin/ad
-# FreeIPA Certificate Authority
-RTKT_FILE_WHITELIST=/var/log/pki-ca/system
-# FreeIPA Certificate Authority
-RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
-
-#
-# The following option can be used to whitelist shared library files that would
-# normally be flagged with a warning during the preloaded shared library check.
-# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
-# the LD_PRELOAD environment variable.
-#
-# NOTE: It is recommended that if you whitelist any files, then you include
-# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
-# configuration option.
-#
-# This option is a space-separated list of library pathnames. The option may be
-# specified more than once.
-#
-# The default value is the null string.
-#
-#SHARED_LIB_WHITELIST=/lib/snoopy.so
-
-#
-# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
-# command the following two options can be used. The value must be set to
-# 'BUILTIN'.
-#
-# NOTE: IRIX users will probably need to enable STAT_CMD.
-#
-# For both options the default value is the null string.
-#
-#STAT_CMD=BUILTIN
-#READLINK_CMD=BUILTIN
-
-#
-# In the file properties test any modification date/time is displayed as the
-# number of epoch seconds. Rkhunter will try and use the 'date' command, or
-# failing that the 'perl' command, to display the date and time in a
-# human-readable format as well. This option may be used if some other command
-# should be used instead. The given command must understand the '%s' and
-# 'seconds ago' options found in the GNU 'date' command.
-#
-# A value of 'NONE' may be used to request that only the epoch seconds be shown.
-# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
-# it is present.
-#
-# This option has no default value.
-#
-#EPOCH_DATE_CMD=""
-
-#
-# This setting tells rkhunter the directory containing the available Linux
-# kernel modules. If unset, this setting will be worked out by rkhunter, and
-# so should not usually need to be set.
-#
-# This option has no default value.
-#
-#MODULES_DIR=""
-
-#
-# The following option can be set to a command which rkhunter will use when
-# downloading files from the Internet - that is, when the '--update' or
-# '--versioncheck' option is used. The command can take options.
-#
-# This allows the user to use a command other than the one automatically
-# selected by rkhunter, but still one which it already knows about.
-# For example:
-#
-# WEB_CMD=curl
-#
-# Alternatively, the user may specify a completely new command. However, note
-# that rkhunter expects the downloaded file to be written to stdout, and that
-# everything written to stderr is ignored. For example:
-#
-# WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
-#
-# *BSD users may want to use the 'ftp' command, provided that it supports the
-# HTTP protocol:
-#
-# WEB_CMD="ftp -o -"
-#
-# This option has no default value.
-#
-#WEB_CMD=""
-
-#
-# Set the following option to '1' if locking is to be used when rkhunter runs.
-# The lock is set just before logging starts, and is removed when the program
-# ends. It is used to prevent items such as the log file, and the file
-# properties file, from becoming corrupted if rkhunter is running more than
-# once. The mechanism used is to simply create a lock file in the LOCKDIR
-# directory. If the lock file already exists, because rkhunter is already
-# running, then the current process simply loops around sleeping for 10 seconds
-# and then retrying the lock. A value of '0' means not to use locking.
-#
-# The default value is '0'.
-#
-# Also see the LOCKDIR, LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
-#
-#USE_LOCKING=0
-
-#
-# This option specifies the directory to be used when locking is enabled.
-# If the option is unset, then the directory to be used will be worked out
-# by rkhunter. In that instance the directories '/run/lock', '/var/lock',
-# '/var/run/lock', '/run' and '/var/run' will be checked in turn. If none
-# of those can be found, or are not read/writeable, then the TMPDIR directory
-# will be used.
-#
-# To avoid the lock file persisting across a server reboot, the directory
-# used should be memory-resident.
-#
-# This option has no default value.
-#
-#LOCKDIR=""
-
-#
-# If locking is used, then rkhunter may have to wait to get the lock file.
-# This option sets the total amount of time, in seconds, that rkhunter should
-# wait. It will retry the lock every 10 seconds, until either it obtains the
-# lock or the timeout value has been reached.
-#
-# The default value is 300 seconds (5 minutes).
-#
-#LOCK_TIMEOUT=300
-
-#
-# If locking is used, then rkhunter may be doing nothing for some time if it
-# has to wait for the lock. If this option is set to '1', then some simple
-# messages are echoed to the users screen to let them know that rkhunter is
-# waiting for the lock. Set this option to '0' if the messages are not to be
-# displayed.
-#
-# The default value is '1'.
-#
-#SHOW_LOCK_MSGS=1
-
-#
-# If this option is set to 'THOROUGH' then rkhunter will search (on a per
-# rootkit basis) for filenames in all of the directories (as defined by the
-# result of running 'find / -xdev'). While still not optimal, as it still
-# searches for only file names as opposed to file contents, this is one step
-# away from the rigidity of searching in known (evidence) or default
-# (installation) locations.
-#
-# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
-#
-# You should only activate this feature as part of a more thorough
-# investigation, which should be based on relevant best practices and
-# procedures.
-#
-# Enabling this feature implies you have the knowledge to interpret the
-# results properly.
-#
-# The default value is the null string.
-#
-#SCANROOTKITMODE=THOROUGH
-
-#
-# The following option can be set to the name(s) of the tests the 'unhide'
-# command is to use. Options such as '-m' and '-v' may be specified, but will
-# only take effect when they are seen. The test names are a space-separated
-# list, and will be executed in the order given.
-#
-# This option may be specified more than once.
-#
-# The default value is 'sys' in order to maintain compatibility with older
-# versions of 'unhide'.
-#
-#UNHIDE_TESTS=sys
-
-#
-# The following option can be used to set options for the 'unhide-tcp' command.
-# The options are space-separated.
-#
-# This option may be specified more than once.
-#
-# The default value is the null string.
-#
-#UNHIDETCP_OPTS=""
-
-#
-# This option can be set to either '0' or '1'. If set to '1' then the summary,
-# shown after rkhunter has run, will display the actual number of warnings
-# found. If it is set to '0', then the summary will simply indicate that
-# 'One or more' warnings were found. If no warnings were found, and this option
-# is set to '1', then a "0" will be shown. If the option is set to '0', then
-# the words 'No warnings' will be shown.
-#
-# The default value is '0'.
-#
-#SHOW_SUMMARY_WARNINGS_NUMBER=0
-
-#
-# This option is used to determine where, if anywhere, the summary scan time is
-# displayed. A value of '0' indicates that it should not be displayed anywhere.
-# A value of '1' indicates that the time should only appear on the screen, and a
-# value of '2' that it should only appear in the log file. A value of '3'
-# indicates that the time taken should appear both on the screen and in the log
-# file.
-#
-# The default value is '3'.
-#
-#SHOW_SUMMARY_TIME=3
-
-#
-# The two options below may be used to check if a file is missing or empty
-# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check
-# if the file is missing, since that can be interpreted as a file of no size.
-# However, the file will only be reported as missing if the MISSING_LOGFILES
-# option hasn't already done this.
-#
-# Both options are space-separated lists of pathnames, and may be specified
-# more than once.
-#
-# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is
-# perfectly possible for the file to be either missing or empty. As such these
-# options may produce false-positive warnings when log files are rotated.
-#
-# For both options the default value is the null string.
-#
-#EMPTY_LOGFILES=""
-#MISSING_LOGFILES=""
-
-#
-# This option can be set to either '0' or '1'. If set to '1' then the globbing
-# characters '**' can be used to allow the recursive checking of directories.
-# This can be useful, for example, with the USER_FILEPROP_FILES_DIRS option.
-# For example:
-#
-# USER_FILEPROP_FILES_DIRS=/etc/**/*.conf
-#
-# This will check all '.conf' files within the '/etc' directory, and any
-# sub-directories (at any level). If GLOBSTAR is not set, then the shell will
-# interpret '**' as '*' and only one level of sub-directories will be checked.
-#
-# NOTE: This option is only valid for those shells which support the 'globstar'
-# option. Typically this will be 'bash' (version 4 and above) via the 'shopt' command,
-# and 'ksh' via the 'set' command.
-#
-# The default value is '0'.
-#
-#GLOBSTAR=0
-
-INSTALLDIR="/usr"
-ALLOWPROCLISTEN=/usr/sbin/wpa_supplicant |