| 
									
										
										
										
											2022-05-02 15:00:29 -05:00
										 |  |  | # | 
					
						
							|  |  |  | # This is the main configuration file for Rootkit Hunter. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # You can modify this file directly, or you can create a local configuration | 
					
						
							|  |  |  | # file. The local file must be named 'rkhunter.conf.local', and must reside | 
					
						
							|  |  |  | # in the same directory as this file. Alternatively you can create a directory, | 
					
						
							|  |  |  | # named 'rkhunter.d', which also must be in the same directory as this | 
					
						
							|  |  |  | # configuration file. Within the 'rkhunter.d' directory you can place further | 
					
						
							|  |  |  | # configuration files. There is no restriction on the file names used, other | 
					
						
							|  |  |  | # than they must end in '.conf'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Please modify the configuration file(s) to your own requirements. It is | 
					
						
							|  |  |  | # recommended that the command 'rkhunter -C' is run after any changes have | 
					
						
							|  |  |  | # been made. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Please review the documentation before posting bug reports or questions. | 
					
						
							|  |  |  | # To report bugs, provide patches or comments, please go to: | 
					
						
							|  |  |  | # http://rkhunter.sourceforge.net | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # To ask questions about rkhunter, please use the 'rkhunter-users' mailing list. | 
					
						
							|  |  |  | # Note that this is a moderated list, so please subscribe before posting. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # In the configuration files, lines beginning with a hash (#), and blank lines, | 
					
						
							|  |  |  | # are ignored. Also, end-of-line comments are not supported. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Any of the configuration options may appear more than once. However, several | 
					
						
							|  |  |  | # options only take one value, and so the last one seen will be used. Some | 
					
						
							|  |  |  | # options are allowed to appear more than once, and the text describing the | 
					
						
							|  |  |  | # option will say if this is so. These configuration options will, in effect, | 
					
						
							|  |  |  | # have their values concatenated together. To delete a previously specified | 
					
						
							|  |  |  | # option list, specify the option with no value (that is, a null string). | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Some of the options are space-separated lists, others, typically those | 
					
						
							|  |  |  | # specifying pathnames, are newline-separated lists. These must be entered | 
					
						
							|  |  |  | # as one item per line. Quotes must not be used to surround the pathname. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an | 
					
						
							|  |  |  | # option:         XXX=/tmp/abc                (correct) | 
					
						
							|  |  |  | #                 XXX=/tmp/xyz | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #                 XXX="/tmp/abc"              (incorrect) | 
					
						
							|  |  |  | #                 XXX="/tmp/xyz" | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #                 XXX=/tmp/abc  /tmp/xyz      (incorrect) | 
					
						
							|  |  |  | #    or           XXX="/tmp/abc  /tmp/xyz"    (incorrect) | 
					
						
							|  |  |  | #    or           XXX="/tmp/abc"  "/tmp/xyz"  (incorrect) | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The last three examples are being configured as space-separated lists, | 
					
						
							|  |  |  | # which is incorrect, generally, for options specifying pathnames. They | 
					
						
							|  |  |  | # should be configured with one entry per line as in the first example. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If wildcard characters (globbing) are allowed for an option, then the | 
					
						
							|  |  |  | # text describing the option will say so. Any globbing character explicitly | 
					
						
							|  |  |  | # required in a pathname should be escaped. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Space-separated lists may be enclosed by quotes, although they are not | 
					
						
							|  |  |  | # required. If they are used, then they must only appear at the start and | 
					
						
							|  |  |  | # end of the list, not in the middle. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For example:    XXX=abc  def  gh            (correct) | 
					
						
							|  |  |  | #                 XXX="abc  def  gh"          (correct) | 
					
						
							|  |  |  | #                 XXX="abc"  "def"  "gh"      (incorrect) | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Space-separated lists may also be entered simply as one entry per line. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For example:    XXX=abc                     (correct) | 
					
						
							|  |  |  | #                 XXX=def | 
					
						
							|  |  |  | #                 XXX="gh" | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If a configuration option is never set, then the program will assume a | 
					
						
							|  |  |  | # default value. The text describing the option will state the default value. | 
					
						
							|  |  |  | # If there is no default, then rkhunter will calculate a value or pathname | 
					
						
							|  |  |  | # to use. If a value is set for a configuration option, then the default | 
					
						
							|  |  |  | # value is ignored. If it is wished to keep the default value, as well as | 
					
						
							|  |  |  | # any other set value, then the default must be explicitly set. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If this option is set to '1', it specifies that the mirrors file | 
					
						
							|  |  |  | # ('mirrors.dat'), which is used when the '--update' and '--versioncheck' | 
					
						
							|  |  |  | # options are used, is to be rotated. Rotating the entries in the file allows | 
					
						
							|  |  |  | # a basic form of load-balancing between the mirror sites whenever the above | 
					
						
							|  |  |  | # options are used. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If the option is set to '0', then the mirrors will be treated as if in a | 
					
						
							|  |  |  | # priority list. That is, the first mirror listed will always be used first. | 
					
						
							|  |  |  | # The second mirror will only be used if the first mirror fails, the third | 
					
						
							|  |  |  | # mirror will only be used if the second mirror fails, and so on. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If the mirrors file is read-only, then the '--versioncheck' command-line | 
					
						
							|  |  |  | # option can only be used if this option is set to '0'. | 
					
						
							| 
									
										
										
										
											2022-11-20 20:03:01 -06:00
										 |  |  | # | 
					
						
							| 
									
										
										
										
											2022-05-02 15:00:29 -05:00
										 |  |  | # The default value is '1'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ROTATE_MIRRORS=1 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If this option is set to '1', it specifies that when the '--update' option is | 
					
						
							|  |  |  | # used, then the mirrors file is to be checked for updates as well. If the | 
					
						
							|  |  |  | # current mirrors file contains any local mirrors, these will be prepended to | 
					
						
							|  |  |  | # the updated file. If this option is set to '0', the mirrors file can only be | 
					
						
							|  |  |  | # updated manually. This may be useful if only using local mirrors. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '1'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #UPDATE_MIRRORS=1 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The MIRRORS_MODE option tells rkhunter which mirrors are to be used when | 
					
						
							|  |  |  | # the '--update' or '--versioncheck' command-line options are given. | 
					
						
							|  |  |  | # Possible values are: | 
					
						
							|  |  |  | #     0 - use any mirror | 
					
						
							|  |  |  | #     1 - only use local mirrors | 
					
						
							|  |  |  | #     2 - only use remote mirrors | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Local and remote mirrors can be defined in the mirrors file by using the | 
					
						
							|  |  |  | # 'local=' and 'remote=' keywords respectively. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #MIRRORS_MODE=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Email a message to this address if a warning is found when the system is | 
					
						
							|  |  |  | # being checked. Multiple addresses may be specified simply be separating | 
					
						
							|  |  |  | # them with a space. To disable the option, simply set it to the null string | 
					
						
							|  |  |  | # or comment it out. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The option may be specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Also see the MAIL_CMD option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #MAIL-ON-WARNING=me@mydomain   root@mydomain | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies the mail command to use if MAIL-ON-WARNING is set. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Double quotes are not required around the command, but are required | 
					
						
							|  |  |  | # around the subject line if it contains spaces. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default is to use the 'mail' command, with a subject line | 
					
						
							|  |  |  | # of '[rkhunter] Warnings found for ${HOST_NAME}'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies the directory to use for temporary files. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Do not use '/tmp' as your temporary directory. Some important files | 
					
						
							|  |  |  | # will be written to this directory, so be sure that the directory permissions | 
					
						
							|  |  |  | # are secure. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The installer program will set the default directory. If this default is | 
					
						
							|  |  |  | # subsequently commented out or removed, then the program will assume a | 
					
						
							|  |  |  | # default directory beneath the installation directory. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #TMPDIR=/var/lib/rkhunter/tmp | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies the database directory to use. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The installer program will set the default directory. If this default is | 
					
						
							|  |  |  | # subsequently commented out or removed, then the program will assume a | 
					
						
							|  |  |  | # default directory beneath the installation directory. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #DBDIR=/var/lib/rkhunter/db | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies the script directory to use. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The installer program will set the default directory. If this default is | 
					
						
							|  |  |  | # subsequently commented out or removed, then the program will not run. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SCRIPTDIR=/usr/local/lib/rkhunter/scripts | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option can be used to modify the command directory list used by rkhunter | 
					
						
							|  |  |  | # to locate commands (that is, its PATH). By default this will be the root PATH, | 
					
						
							|  |  |  | # and an internal list of some common command directories. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Any directories specified here will, by default, be appended to the default | 
					
						
							|  |  |  | # list. However, if a directory name begins with the '+' character, then that | 
					
						
							|  |  |  | # directory will be prepended to the list (that is, it will be put at the start | 
					
						
							|  |  |  | # of the list). | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of directory names. The option may be | 
					
						
							|  |  |  | # specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is based on the root account PATH environment variable. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies the default language to use. This should be similar to | 
					
						
							|  |  |  | # the ISO 639 language code. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Please ensure that the language you specify is supported. | 
					
						
							|  |  |  | # For a list of supported languages use the following command: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #       rkhunter --lang en --list languages | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default language is 'en' (English). | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #LANGUAGE=en | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option is a space-separated list of the languages that are to be updated | 
					
						
							|  |  |  | # when the '--update' option is used. If unset, then all the languages will be | 
					
						
							|  |  |  | # updated. If none of the languages are to be updated, then set this option to | 
					
						
							|  |  |  | # just 'en'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default language, specified by the LANGUAGE option, and the English (en) | 
					
						
							|  |  |  | # language file will always be updated regardless of this option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string, indicating that all the language files | 
					
						
							|  |  |  | # will be updated. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #UPDATE_LANG="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies the log file pathname. The file will be created if it | 
					
						
							|  |  |  | # does not initially exist. If the option is unset, then the program will | 
					
						
							|  |  |  | # display a message each time it is run saying that the default value is being | 
					
						
							|  |  |  | # used. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '/var/log/rkhunter.log'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | LOGFILE=/var/log/rkhunter.log | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Set this option to '1' if the log file is to be appended to whenever rkhunter | 
					
						
							|  |  |  | # is run. A value of '0' will cause a new log file to be created whenever the | 
					
						
							|  |  |  | # program is run. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #APPEND_LOG=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Set the following option to '1' if the log file is to be copied when rkhunter | 
					
						
							|  |  |  | # finishes and an error or warning has occurred. The copied log file name will | 
					
						
							|  |  |  | # be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format). | 
					
						
							|  |  |  | # For example: rkhunter.log.2009-04-21_00:57:51 | 
					
						
							|  |  |  | # If the option value is '0', then the log file will not be copied regardless | 
					
						
							|  |  |  | # of whether any errors or warnings occurred. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #COPY_LOG_ON_ERROR=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Set the following option to enable the rkhunter check start and finish times | 
					
						
							|  |  |  | # to be logged by syslog. Warning messages will also be logged. The value of | 
					
						
							|  |  |  | # the option must be a standard syslog facility and priority, separated by a | 
					
						
							|  |  |  | # dot.  For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     USE_SYSLOG=authpriv.warning | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Setting the value to 'NONE', or just leaving the option commented out, | 
					
						
							|  |  |  | # disables the use of syslog. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is not to use syslog. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #USE_SYSLOG=authpriv.notice | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Set the following option to '1' if the second colour set is to be used. This | 
					
						
							|  |  |  | # can be useful if your screen uses black characters on a white background | 
					
						
							|  |  |  | # (for example, a PC instead of a server). A value of '0' will cause the default | 
					
						
							|  |  |  | # colour set to be used. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #COLOR_SET2=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Set the following option to '0' if rkhunter should not detect if X is being | 
					
						
							|  |  |  | # used. If X is detected as being used, then the second colour set will | 
					
						
							|  |  |  | # automatically be used. If set to '1', then the use of X will be detected. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | AUTO_X_DETECT=1 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Set the following option to '1' if it is wanted that any 'Whitelisted' results | 
					
						
							|  |  |  | # are shown in white rather than green. For colour set 2 users, setting this | 
					
						
							|  |  |  | # option will cause the result to be shown in black. Setting the option to '0' | 
					
						
							|  |  |  | # causes whitelisted results to be displayed in green. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #WHITELISTED_IS_WHITE=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The following option is checked against the SSH configuration file | 
					
						
							|  |  |  | # 'PermitRootLogin' option. A warning will be displayed if they do not match. | 
					
						
							|  |  |  | # However, if a value has not been set in the SSH configuration file, then a | 
					
						
							|  |  |  | # value here of 'unset' can be used to avoid warning messages. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is 'no'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOW_SSH_ROOT_USER=no | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Set this option to '1' to allow the use of the SSH-1 protocol, but note | 
					
						
							|  |  |  | # that theoretically it is weaker, and therefore less secure, than the | 
					
						
							|  |  |  | # SSH-2 protocol. Do not modify this option unless you have good reasons | 
					
						
							|  |  |  | # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 | 
					
						
							|  |  |  | # authentication). If the 'Protocol' option has not been set in the SSH | 
					
						
							|  |  |  | # configuration file, then a value of '2' may be set here in order to | 
					
						
							|  |  |  | # suppress a warning message. A value of '0' indicates that the use of | 
					
						
							|  |  |  | # SSH-1 is not allowed. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOW_SSH_PROT_V1=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This setting tells rkhunter the directory containing the SSH configuration | 
					
						
							|  |  |  | # file. If unset, this setting will be worked out by rkhunter, and so should | 
					
						
							|  |  |  | # not usually need to be set. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option has no default value. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SSH_CONFIG_DIR=/etc/ssh | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # These two options determine which tests are to be performed. The ENABLE_TESTS | 
					
						
							|  |  |  | # option can use the word 'ALL' to refer to all of the available tests. The | 
					
						
							|  |  |  | # DISABLE_TESTS option can use the word 'NONE' to mean that no tests are | 
					
						
							|  |  |  | # disabled. The list of disabled tests is applied to the list of enabled tests. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Both options are space-separated lists of test names, and both options may | 
					
						
							|  |  |  | # be specified more than once. The currently available test names can be seen | 
					
						
							|  |  |  | # by using the command 'rkhunter --list tests'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The supplied configuration file has some tests already disabled, and these | 
					
						
							|  |  |  | # are tests that will be used only occasionally, can be considered 'advanced' | 
					
						
							|  |  |  | # or that are prone to produce more than the average number of false-positives. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Please read the README file for more details about enabling and disabling | 
					
						
							|  |  |  | # tests, the test names, and how rkhunter behaves when these options are used. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default values are to enable all tests and to disable none. However, if | 
					
						
							|  |  |  | # either of the options below are specified, then they will override the | 
					
						
							|  |  |  | # program defaults. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | ENABLE_TESTS=ALL | 
					
						
							|  |  |  | DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The HASH_CMD option can be used to specify the command to use for the file | 
					
						
							|  |  |  | # properties hash value check. It can be specified as just the command name or | 
					
						
							|  |  |  | # the full pathname. If just the command name is given, and it is one of MD5, | 
					
						
							|  |  |  | # SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the | 
					
						
							|  |  |  | # relevant command, such as 'sha256sum', and then for 'sha256'. If neither of | 
					
						
							|  |  |  | # these are found, it will then look to see if a perl module has been installed | 
					
						
							|  |  |  | # which will support the relevant hash function. To see which perl modules have | 
					
						
							|  |  |  | # been installed use the command 'rkhunter --list perl'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Systems using prelinking are restricted to using either the SHA1 or MD5 | 
					
						
							|  |  |  | # function. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # A value of 'NONE' (in uppercase) can be specified to indicate that no hash | 
					
						
							|  |  |  | # function should be used. Rkhunter will detect this, and automatically disable | 
					
						
							|  |  |  | # the file properties hash check test. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Examples: | 
					
						
							|  |  |  | #   For Solaris 9 : HASH_CMD=gmd5sum | 
					
						
							|  |  |  | #   For Solaris 10: HASH_CMD=sha1sum | 
					
						
							|  |  |  | #   For AIX (>5.2): HASH_CMD="csum -hMD5" | 
					
						
							|  |  |  | #   For NetBSD    : HASH_CMD="cksum -a sha512" | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the SHA256 function, unless prelinking is used in | 
					
						
							|  |  |  | # which case it defaults to the SHA1 function. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Also see the HASH_FLD_IDX option. In addition, note the comments under | 
					
						
							|  |  |  | # the PKGMGR option relating to the use of HASH_CMD. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #HASH_CMD=SHA256 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The HASH_FLD_IDX option specifies which field from the HASH_CMD command | 
					
						
							|  |  |  | # output contains the hash value. The fields are assumed to be space-separated. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The option value must be an integer greater than zero. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '1', but for *BSD users rkhunter will, by default, use a | 
					
						
							|  |  |  | # value of '4' if the HASH_CMD option has not been set. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #HASH_FLD_IDX=4 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The PKGMGR option tells rkhunter to use the specified package manager to | 
					
						
							|  |  |  | # obtain the file property information. This is used when updating the file | 
					
						
							|  |  |  | # properties file ('rkhunter.dat'), and when running the file properties check. | 
					
						
							|  |  |  | # For RedHat/RPM-based systems, 'RPM' can be used to get information from the | 
					
						
							|  |  |  | # RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems | 
					
						
							|  |  |  | # 'BSD' can be used, or for *BSD systems with the 'pkg' command 'BSDng' can be | 
					
						
							|  |  |  | # used, and for Solaris systems 'SOLARIS' can be used. No value, or a value of | 
					
						
							|  |  |  | # 'NONE', indicates that no package manager is to be used. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The package managers obtain each file hash value using a hash function. The | 
					
						
							|  |  |  | # Solaris package manager includes a 16-bit checksum value, but this is not | 
					
						
							|  |  |  | # used by default (see USE_SUNSUM below). The 'RPM' and 'BSDng' package managers | 
					
						
							|  |  |  | # currently use a SHA256 hash function. Other package managers will, typically, | 
					
						
							|  |  |  | # use an MD5 hash function. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The 'DPKG', 'BSD' and 'BSDng' package managers only provide a file hash value. | 
					
						
							|  |  |  | # The 'RPM' package manager additionally provides values for the inode, file | 
					
						
							|  |  |  | # permissions, uid, gid and other values. The 'SOLARIS' package manager also | 
					
						
							|  |  |  | # provides most of the values, similar to 'RPM', but not the inode number. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For any file not part of a package, rkhunter will revert to using the | 
					
						
							|  |  |  | # HASH_CMD hash function instead. This means that if the HASH_CMD option | 
					
						
							|  |  |  | # is set, and PKGMGR is set, then the HASH_CMD hash function is only used, | 
					
						
							|  |  |  | # and stored, for non-packaged files. All packaged files will use, and store, | 
					
						
							|  |  |  | # whatever hash function the relevant package manager uses. So, for example, | 
					
						
							|  |  |  | # with the 'RPM' package manager, packaged files will be stored with their | 
					
						
							|  |  |  | # SHA256 value regardless of the value of the HASH_CMD option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is 'NONE'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Also see the PKGMGR_NO_VRFY and USE_SUNSUM options. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #PKGMGR=NONE | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # It is possible that a file, which is part of a package, may have been | 
					
						
							|  |  |  | # modified by the administrator. Typically this occurs for configuration | 
					
						
							|  |  |  | # files. However, the package manager may list the file as being modified. | 
					
						
							|  |  |  | # For the RPM package manager this may well depend on how the package was | 
					
						
							|  |  |  | # built. This option specifies a pathname which is to be exempt from the | 
					
						
							|  |  |  | # package manager verification process, and which will be treated | 
					
						
							|  |  |  | # as a non-packaged file. As such, the file properties are still checked. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option only takes effect if the PKGMGR option has been set, and | 
					
						
							|  |  |  | # is not 'NONE'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #PKGMGR_NO_VRFY="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If the 'SOLARIS' package manager is used, then it is possible to use the | 
					
						
							|  |  |  | # checksum (hash) value stored for a file. However, this is only a 16-bit | 
					
						
							|  |  |  | # checksum, and as such is not nearly as secure as, for example, a SHA-2 value. | 
					
						
							|  |  |  | # If the option is set to '0', then the checksum is not used and the hash | 
					
						
							|  |  |  | # function given by HASH_CMD is used instead. To enable this option, set its | 
					
						
							|  |  |  | # value to '1'. The Solaris 'sum' command must be present on the system if this | 
					
						
							|  |  |  | # option is used. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #USE_SUNSUM=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option can be used to tell rkhunter to ignore any prelink dependency | 
					
						
							|  |  |  | # errors for the given commands. However, a warning will also be issued if the | 
					
						
							|  |  |  | # error does not occur for a given command. As such this option must only be | 
					
						
							|  |  |  | # used on commands which experience a persistent problem. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Short-term prelink dependency errors can usually be resolved simply by | 
					
						
							|  |  |  | # running the 'prelink' command on the given pathname. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of command pathnames. The option can be | 
					
						
							|  |  |  | # specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # These options specify a command, directory or file pathname which will be | 
					
						
							|  |  |  | # included or excluded in the file properties checks. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For the USER_FILEPROP_FILES_DIRS option, simple command names - for example, | 
					
						
							|  |  |  | # 'top' - and directory names are added to the internal list of directories to | 
					
						
							|  |  |  | # be searched for each of the command names in the command list. Additionally, | 
					
						
							|  |  |  | # full pathnames to files, which need not be commands, may be given. Any files | 
					
						
							|  |  |  | # or directories which are already part of the internal lists will be silently | 
					
						
							|  |  |  | # ignored from the configuration. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for | 
					
						
							|  |  |  | # simple command names. | 
					
						
							|  |  |  | # For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # To extend the use of wildcards to include recursive checking of directories, | 
					
						
							|  |  |  | # see the GLOBSTAR configuration option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS | 
					
						
							|  |  |  | # option. Wildcards may be used with this option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # By combining these two options, and using wildcards, whole directories can be | 
					
						
							|  |  |  | # excluded. For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     USER_FILEPROP_FILES_DIRS=/etc/* | 
					
						
							|  |  |  | #     USER_FILEPROP_FILES_DIRS=/etc/*/* | 
					
						
							|  |  |  | #     EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/* | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This will look for files in the first two directory levels of '/etc'. However, | 
					
						
							|  |  |  | # anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be | 
					
						
							|  |  |  | # excluded. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Only files and directories which have been added by the user, and are | 
					
						
							|  |  |  | # not part of the internal lists, can be excluded. So, for example, it is not | 
					
						
							|  |  |  | # possible to exclude the 'ps' command by using '/bin/ps'. These will be | 
					
						
							|  |  |  | # silently ignored from the configuration. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Both options can be specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Whenever these options are changed 'rkhunter --propupd' must be run. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value for both options is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #USER_FILEPROP_FILES_DIRS=top | 
					
						
							|  |  |  | #USER_FILEPROP_FILES_DIRS=/usr/local/sbin | 
					
						
							|  |  |  | #USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf | 
					
						
							|  |  |  | #USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local | 
					
						
							|  |  |  | #USER_FILEPROP_FILES_DIRS=/etc/rkhunter.d/* | 
					
						
							|  |  |  | #EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps* | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option whitelists files and directories from existing, or not existing, | 
					
						
							|  |  |  | # on the system at the time of testing. This option is used when the | 
					
						
							|  |  |  | # configuration file options themselves are checked, and during the file | 
					
						
							|  |  |  | # properties check, the hidden files and directories checks, and the filesystem | 
					
						
							|  |  |  | # check of the '/dev' directory. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once, and may use wildcards. | 
					
						
							|  |  |  | # Be aware though that this is probably not what you want to do as the | 
					
						
							|  |  |  | # wildcarding will be expanded after files have been deleted. As such | 
					
						
							|  |  |  | # deleted files won't be whitelisted if wildcarded. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: The user must take into consideration how often the file will appear | 
					
						
							|  |  |  | # and disappear from the system in relation to how often rkhunter is run. If | 
					
						
							|  |  |  | # the file appears, and disappears, too often then rkhunter may not notice | 
					
						
							|  |  |  | # this. All it will see is that the file has changed. The inode number and DTM | 
					
						
							|  |  |  | # will certainly be different for each new file, and rkhunter will report this. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #EXISTWHITELIST="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Whitelist various attributes of the specified file. The attributes are those | 
					
						
							|  |  |  | # of the 'attributes' test. Specifying a file name here does not include it | 
					
						
							|  |  |  | # being whitelisted for the write permission test (see below). | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once, and may use wildcard characters. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ATTRWHITELIST=/usr/bin/date | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified file to have the 'others' (world) permission have the | 
					
						
							|  |  |  | # write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once, and may use wildcard characters. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #WRITEWHITELIST=/usr/bin/date | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified file to be a script. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once, and may use wildcard characters. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SCRIPTWHITELIST=/usr/bin/groups | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified file to have the immutable attribute set. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once, and may use wildcard characters. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #IMMUTWHITELIST=/sbin/ifdown | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If this option is set to '1', then the immutable-bit test is reversed. That | 
					
						
							|  |  |  | # is, the files are expected to have the bit set. A value of '0' means that the | 
					
						
							|  |  |  | # immutable-bit should not be set. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #IMMUTABLE_SET=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If this option is set to '1', then any changed inode value is ignored in | 
					
						
							|  |  |  | # the file properties check. The inode test itself still runs, but it will | 
					
						
							|  |  |  | # always return that no inodes have changed. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be useful for filesystems such as Btrfs, which handle inodes | 
					
						
							|  |  |  | # slightly differently than other filesystems. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SKIP_INODE_CHECK=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified hidden directory to be whitelisted. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once, and may use wildcard characters. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOWHIDDENDIR=/etc/.java | 
					
						
							|  |  |  | ALLOWHIDDENDIR=/dev/.udev | 
					
						
							|  |  |  | #ALLOWHIDDENDIR=/dev/.udevdb | 
					
						
							|  |  |  | #ALLOWHIDDENDIR=/dev/.mdadm | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified hidden file to be whitelisted. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once, and may use wildcard characters. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							| 
									
										
										
										
											2022-11-20 20:03:01 -06:00
										 |  |  | # | 
					
						
							| 
									
										
										
										
											2022-05-02 15:00:29 -05:00
										 |  |  | #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz | 
					
						
							|  |  |  | #ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac | 
					
						
							|  |  |  | #ALLOWHIDDENFILE=/usr/bin/.ssh.hmac | 
					
						
							|  |  |  | #ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac | 
					
						
							|  |  |  | #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac | 
					
						
							|  |  |  | #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac | 
					
						
							|  |  |  | #ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified process to use deleted files. The process name may be | 
					
						
							|  |  |  | # followed by a colon-separated list of full pathnames (which have been | 
					
						
							|  |  |  | # deleted). The process will then only be whitelisted if it is using one of | 
					
						
							|  |  |  | # the given pathnames. For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once. It may also use wildcards, but | 
					
						
							|  |  |  | # only in the deleted file pathnames, not in the process name. The use of | 
					
						
							|  |  |  | # extended pattern matching in pathname expansion (for example, '**') is not | 
					
						
							|  |  |  | # supported for this option. However, the option itself extends globbing when | 
					
						
							|  |  |  | # the '*' character is used by matching zero or more characters in the | 
					
						
							|  |  |  | # pathname, including those in sub-directories. For example, the pathname | 
					
						
							|  |  |  | # '/tmp/abc/def/xyz' would not be matched by shell globbing using '/tmp/*/xyz' | 
					
						
							|  |  |  | # but is matched when used in this option. Similarly, using '/tmp/*' will | 
					
						
							|  |  |  | # match any file found in the '/tmp' directory or any sub-directories. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOWPROCDELFILE=/sbin/cardmgr | 
					
						
							|  |  |  | #ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib* | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified process to listen on any network interface. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once, and may use wildcard characters. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOWPROCLISTEN=/sbin/dhclient | 
					
						
							|  |  |  | #ALLOWPROCLISTEN=/usr/bin/dhcpcd | 
					
						
							|  |  |  | #ALLOWPROCLISTEN=/usr/sbin/tcpdump | 
					
						
							|  |  |  | #ALLOWPROCLISTEN=/usr/sbin/snort-plain | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified network interfaces to be in promiscuous mode. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of interface names. The option may be | 
					
						
							|  |  |  | # specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOWPROMISCIF=eth0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies how rkhunter should scan the '/dev' directory for | 
					
						
							|  |  |  | # suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # A THOROUGH scan will increase the overall runtime of rkhunter. Despite this, | 
					
						
							|  |  |  | # it is highly recommended that this value is used. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is 'THOROUGH'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Also see the ALLOWDEVFILE option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SCAN_MODE_DEV=THOROUGH | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified file to be present in the '/dev' directory, and not | 
					
						
							|  |  |  | # regarded as suspicious. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once, and may use wildcard characters. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOWDEVFILE=/dev/shm/pulse-shm-* | 
					
						
							|  |  |  | #ALLOWDEVFILE=/dev/shm/sem.ADBE_* | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified process pathnames to use shared memory segments. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once, and may use wildcard characters. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOWIPCPROC=/usr/bin/firefox | 
					
						
							|  |  |  | #ALLOWIPCPROC=/usr/bin/vlc | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified memory segment creator PIDs to use shared memory segments. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of PID numbers (as given by the | 
					
						
							|  |  |  | # 'ipcs -p' command). This option may be specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOWIPCPID=12345 6789 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Allow the specified account names to use shared memory segments. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of account names. The option may be specified | 
					
						
							|  |  |  | # more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOWIPCUSER=usera userb | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option can be used to set the maximum shared memory segment size | 
					
						
							|  |  |  | # (in bytes) that is not considered suspicious. Any segment above this size, | 
					
						
							|  |  |  | # and with 600 or 666 permissions, will be considered suspicious during the | 
					
						
							|  |  |  | # shared memory check. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default is 1048576 (1M) bytes. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #IPC_SEG_SIZE=1048576 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option is used to indicate if the Phalanx2 test is to perform a basic | 
					
						
							|  |  |  | # check, or a more thorough check. If the option is set to '0', then a basic | 
					
						
							|  |  |  | # check is performed. If it is set to '1', then all the directories in the | 
					
						
							|  |  |  | # '/etc' and '/usr' directories are scanned. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Setting this option to '1' will cause the test to take longer | 
					
						
							|  |  |  | # to complete. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #PHALANX2_DIRTEST=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option tells rkhunter where the inetd configuration file is located. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #INETD_CONF_PATH=/etc/inetd.conf | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option allows the specified enabled inetd services. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of service names. The option may be specified | 
					
						
							|  |  |  | # more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For non-Solaris users the simple service name should be used. | 
					
						
							|  |  |  | # For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     INETD_ALLOWED_SVC=echo | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For Solaris 9 users the simple service name should also be used, but | 
					
						
							|  |  |  | # if it is an RPC service, then the executable pathname should be used. | 
					
						
							|  |  |  | # For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     INETD_ALLOWED_SVC=imaps | 
					
						
							|  |  |  | #     INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For Solaris 10 users the service/FMRI name should be used. For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     INETD_ALLOWED_SVC=/network/rpc/meta | 
					
						
							|  |  |  | #     INETD_ALLOWED_SVC=/network/rpc/metamed | 
					
						
							|  |  |  | #     INETD_ALLOWED_SVC=/application/font/stfsloader | 
					
						
							|  |  |  | #     INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #INETD_ALLOWED_SVC=echo | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option tells rkhunter where the xinetd configuration file is located. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #XINETD_CONF_PATH=/etc/xinetd.conf | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option allows the specified enabled xinetd services. Whilst it would be | 
					
						
							|  |  |  | # nice to use the service names themselves, at the time of testing we only have | 
					
						
							|  |  |  | # the pathname available. As such, these entries are the xinetd file pathnames. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of service names. The option may be specified | 
					
						
							|  |  |  | # more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option tells rkhunter the local system startup file pathnames. The | 
					
						
							|  |  |  | # directories will be searched for files. If unset, then rkhunter will try | 
					
						
							|  |  |  | # and determine were the startup files are located. If the option is set to | 
					
						
							|  |  |  | # 'NONE' then certain tests will be skipped. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of file and directory pathnames. The option | 
					
						
							|  |  |  | # may be specified more than once, and may use wildcard characters. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option has no default value. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #STARTUP_PATHS=/etc/rc.d /etc/rc.local | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option tells rkhunter the pathname to the file containing the user | 
					
						
							|  |  |  | # account passwords. If unset, this setting will be worked out by rkhunter, | 
					
						
							|  |  |  | # and so should not usually need to be set. Users of TCB shadow files should | 
					
						
							|  |  |  | # not set this option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option has no default value. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #PASSWORD_FILE=/etc/shadow | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option allows the specified accounts to be root equivalent. These | 
					
						
							|  |  |  | # accounts will have a UID value of zero. The 'root' account does not need | 
					
						
							|  |  |  | # to be listed as it is automatically whitelisted. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of account names. The option may be specified | 
					
						
							|  |  |  | # more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: For *BSD systems you will probably need to use this option for the | 
					
						
							|  |  |  | # 'toor' account. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #UID0_ACCOUNTS=toor rooty | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option allows the specified accounts to have no password. NIS/YP entries | 
					
						
							|  |  |  | # do not need to be listed as they are automatically whitelisted. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of account names. The option may be specified | 
					
						
							|  |  |  | # more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #PWDLESS_ACCOUNTS=abc | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option tells rkhunter the pathname to the syslog configuration file. | 
					
						
							|  |  |  | # If unset, this setting will be worked out by rkhunter, and so should not | 
					
						
							|  |  |  | # usually need to be set. A value of 'NONE' can be used to indicate that | 
					
						
							|  |  |  | # there is no configuration file, but that the syslog daemon process may | 
					
						
							|  |  |  | # be running. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of pathnames. The option may be specified | 
					
						
							|  |  |  | # more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option has no default value. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SYSLOG_CONFIG_FILE=/etc/syslog.conf | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If this option is set to '1', then the use of syslog remote logging is | 
					
						
							|  |  |  | # permitted. A value of '0' disallows the use of remote logging. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #ALLOW_SYSLOG_REMOTE_LOGGING=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option allows the specified applications, or a specific version of an | 
					
						
							|  |  |  | # application, to be whitelisted. If a specific version is to be whitelisted, | 
					
						
							|  |  |  | # then the name must be followed by a colon and then the version number. | 
					
						
							|  |  |  | # For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of pathnames. The option may be specified | 
					
						
							|  |  |  | # more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #APP_WHITELIST="" | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-11-20 20:03:01 -06:00
										 |  |  | # | 
					
						
							| 
									
										
										
										
											2022-05-02 15:00:29 -05:00
										 |  |  | # Set this option to scan for suspicious files in directories which pose a | 
					
						
							|  |  |  | # relatively higher risk due to user write access. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Please do not enable the 'suspscan' test by default as it is CPU and I/O | 
					
						
							|  |  |  | # intensive, and prone to producing false positives. Do review all settings | 
					
						
							|  |  |  | # before usage. Also be aware that running 'suspscan' in combination with | 
					
						
							|  |  |  | # verbose logging on, rkhunter's default, will show all ignored files. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Please consider adding all directories the user the (web)server runs as, | 
					
						
							|  |  |  | # and has write access to, including the document root (e.g: '/var/www') and | 
					
						
							| 
									
										
										
										
											2022-11-20 20:03:01 -06:00
										 |  |  | # log directories (e.g: '/var/log/httpd'). | 
					
						
							| 
									
										
										
										
											2022-05-02 15:00:29 -05:00
										 |  |  | # | 
					
						
							|  |  |  | # This is a space-separated list of directory pathnames. The option may be | 
					
						
							|  |  |  | # specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the '/tmp' and '/var/tmp' directories. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SUSPSCAN_DIRS=/tmp /var/tmp | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies the directory for temporary files used by the | 
					
						
							|  |  |  | # 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is | 
					
						
							|  |  |  | # better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS | 
					
						
							|  |  |  | # as that is highly likely to cause false-positive results. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '/dev/shm'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SUSPSCAN_TEMP=/dev/shm | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies the 'suspscan' test maximum filesize in bytes. Files | 
					
						
							|  |  |  | # larger than this will not be inspected. Do make sure you have enough space | 
					
						
							|  |  |  | # available in your temporary files directory. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '1024000'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SUSPSCAN_MAXSIZE=1024000 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies the 'suspscan' test score threshold. Below this value | 
					
						
							|  |  |  | # no hits will be reported. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '200'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SUSPSCAN_THRESH=200 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be used to whitelist file pathnames from the suspscan test. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration | 
					
						
							|  |  |  | # option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SUSPSCAN_WHITELIST="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The following options can be used to whitelist network ports which are known | 
					
						
							| 
									
										
										
										
											2022-11-20 20:03:01 -06:00
										 |  |  | # to have been used by malware. | 
					
						
							| 
									
										
										
										
											2022-05-02 15:00:29 -05:00
										 |  |  | # | 
					
						
							|  |  |  | # The PORT_WHITELIST option is a space-separated list of one or more of two | 
					
						
							|  |  |  | # types of whitelisting. These are: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #   1) a 'protocol:port' pair | 
					
						
							|  |  |  | #   2) an asterisk ('*') | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Only the UDP or TCP protocol may be specified, and the port number must be | 
					
						
							|  |  |  | # between 1 and 65535 inclusive. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The asterisk can be used to indicate that any executable which rkhunter can | 
					
						
							|  |  |  | # locate as a command, is whitelisted. (Also see BINDIR) | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The PORT_PATH_WHITELIST option specifies one of two types of whitelisting. | 
					
						
							|  |  |  | # These are: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #   1) a pathname to an executable | 
					
						
							|  |  |  | #   2) a combined pathname, protocol and port | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # As above, the protocol can only be TCP or UDP, and the port number must be | 
					
						
							|  |  |  | # between 1 and 65535 inclusive. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Examples: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     PORT_WHITELIST=TCP:2001 UDP:32011 | 
					
						
							|  |  |  | #     PORT_PATH_WHITELIST=/usr/sbin/squid | 
					
						
							|  |  |  | #     PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: In order to whitelist a pathname, or use the asterisk option, the | 
					
						
							|  |  |  | # 'lsof' command must be present. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Both options may be specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value for both options is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #PORT_WHITELIST="" | 
					
						
							|  |  |  | #PORT_PATH_WHITELIST="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The following option can be used to tell rkhunter where the operating system | 
					
						
							|  |  |  | # 'release' file is located. This file contains information specifying the | 
					
						
							|  |  |  | # current O/S version. RKH will store this information, and check to see if it | 
					
						
							|  |  |  | # has changed between each run. If it has changed, then the user is warned that | 
					
						
							|  |  |  | # RKH may issue warning messages until RKH has been run with the '--propupd' | 
					
						
							|  |  |  | # option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Since the contents of the file vary according to the O/S distribution, RKH | 
					
						
							|  |  |  | # will perform different actions when it detects the file itself. As such, this | 
					
						
							|  |  |  | # option should not be set unless necessary. If this option is specified, then | 
					
						
							|  |  |  | # RKH will assume the O/S release information is on the first non-blank line of | 
					
						
							|  |  |  | # the file. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option has no default value. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #OS_VERSION_FILE=/etc/release | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Set the following option to '0' if you do not want to receive a warning if any | 
					
						
							|  |  |  | # O/S information has changed since the last run of 'rkhunter --propupd'. The | 
					
						
							|  |  |  | # warnings occur during the file properties check. Setting a value of '1' will | 
					
						
							|  |  |  | # cause rkhunter to issue a warning if something has changed. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '1'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #WARN_ON_OS_CHANGE=1 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Set the following option to '1' if you want rkhunter to automatically run a | 
					
						
							|  |  |  | # file properties update ('--propupd') if the O/S has changed. Detection of an | 
					
						
							|  |  |  | # O/S change occurs during the file properties check. Setting a value of '0' | 
					
						
							|  |  |  | # will cause rkhunter not to do an automatic update. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # WARNING: Only set this option if you are sure that the update will work | 
					
						
							|  |  |  | # correctly. That is, that the database directory is writeable, that a valid | 
					
						
							|  |  |  | # hash function is available, and so on. This can usually be checked simply by | 
					
						
							|  |  |  | # running 'rkhunter --propupd' at least once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #UPDT_ON_OS_CHANGE=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The following two options can be used to whitelist files and directories that | 
					
						
							|  |  |  | # would normally be flagged with a warning during the various rootkit and | 
					
						
							|  |  |  | # malware checks. Only existing files and directories can be specified, and | 
					
						
							|  |  |  | # these must be full pathnames not links. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Additionally, the RTKT_FILE_WHITELIST option may include a string after the | 
					
						
							|  |  |  | # file name (separated by a colon). This will then only whitelist that string | 
					
						
							|  |  |  | # in that file (as part of the malware checks). For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     RTKT_FILE_WHITELIST=/etc/rc.local:hdparm | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If the option list includes the filename on its own as well, then the file | 
					
						
							|  |  |  | # will be whitelisted from rootkit checks of the files existence, but still | 
					
						
							|  |  |  | # only the specific string within the file will be whitelisted. For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     RTKT_FILE_WHITELIST=/etc/rc.local | 
					
						
							|  |  |  | #     RTKT_FILE_WHITELIST=/etc/rc.local:hdparm | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # To whitelist a file from the existence checks, but not from the strings | 
					
						
							|  |  |  | # checks, then include the filename on its own and on its own but with just | 
					
						
							|  |  |  | # a colon appended. For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     RTKT_FILE_WHITELIST=/etc/rc.local | 
					
						
							|  |  |  | #     RTKT_FILE_WHITELIST=/etc/rc.local: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: It is recommended that if you whitelist any files, then you include | 
					
						
							|  |  |  | # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS | 
					
						
							|  |  |  | # configuration option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Both of these options may be specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For both options the default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #RTKT_DIR_WHITELIST="" | 
					
						
							|  |  |  | #RTKT_FILE_WHITELIST="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The following option can be used to whitelist shared library files that would | 
					
						
							|  |  |  | # normally be flagged with a warning during the preloaded shared library check. | 
					
						
							|  |  |  | # These library pathnames usually exist in the '/etc/ld.so.preload' file or in | 
					
						
							|  |  |  | # the LD_PRELOAD environment variable. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: It is recommended that if you whitelist any files, then you include | 
					
						
							|  |  |  | # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS | 
					
						
							|  |  |  | # configuration option. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option is a space-separated list of library pathnames. The option may be | 
					
						
							|  |  |  | # specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SHARED_LIB_WHITELIST=/lib/snoopy.so | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # To force rkhunter to use the supplied script for the 'stat' or 'readlink' | 
					
						
							|  |  |  | # command the following two options can be used. The value must be set to | 
					
						
							|  |  |  | # 'BUILTIN'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: IRIX users will probably need to enable STAT_CMD. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For both options the default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #STAT_CMD=BUILTIN | 
					
						
							|  |  |  | #READLINK_CMD=BUILTIN | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # In the file properties test any modification date/time is displayed as the | 
					
						
							|  |  |  | # number of epoch seconds. Rkhunter will try and use the 'date' command, or | 
					
						
							|  |  |  | # failing that the 'perl' command, to display the date and time in a | 
					
						
							|  |  |  | # human-readable format as well. This option may be used if some other command | 
					
						
							|  |  |  | # should be used instead. The given command must understand the '%s' and | 
					
						
							|  |  |  | # 'seconds ago' options found in the GNU 'date' command. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # A value of 'NONE' may be used to request that only the epoch seconds be shown. | 
					
						
							|  |  |  | # A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if | 
					
						
							|  |  |  | # it is present. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option has no default value. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #EPOCH_DATE_CMD="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This setting tells rkhunter the directory containing the available Linux | 
					
						
							|  |  |  | # kernel modules. If unset, this setting will be worked out by rkhunter, and | 
					
						
							|  |  |  | # so should not usually need to be set. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option has no default value. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #MODULES_DIR="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The following option can be set to a command which rkhunter will use when | 
					
						
							|  |  |  | # downloading files from the Internet - that is, when the '--update' or | 
					
						
							|  |  |  | # '--versioncheck' option is used. The command can take options. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This allows the user to use a command other than the one automatically | 
					
						
							|  |  |  | # selected by rkhunter, but still one which it already knows about. | 
					
						
							|  |  |  | # For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     WEB_CMD=curl | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Alternatively, the user may specify a completely new command. However, note | 
					
						
							|  |  |  | # that rkhunter expects the downloaded file to be written to stdout, and that | 
					
						
							|  |  |  | # everything written to stderr is ignored. For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     WEB_CMD="/opt/bin/dlfile --timeout 5m -q" | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # *BSD users may want to use the 'ftp' command, provided that it supports the | 
					
						
							|  |  |  | # HTTP protocol: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #     WEB_CMD="ftp -o -" | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option has no default value. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #WEB_CMD="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Set the following option to '1' if locking is to be used when rkhunter runs. | 
					
						
							|  |  |  | # The lock is set just before logging starts, and is removed when the program | 
					
						
							|  |  |  | # ends. It is used to prevent items such as the log file, and the file | 
					
						
							|  |  |  | # properties file, from becoming corrupted if rkhunter is running more than | 
					
						
							|  |  |  | # once. The mechanism used is to simply create a lock file in the LOCKDIR | 
					
						
							|  |  |  | # directory. If the lock file already exists, because rkhunter is already | 
					
						
							|  |  |  | # running, then the current process simply loops around sleeping for 10 seconds | 
					
						
							|  |  |  | # and then retrying the lock. A value of '0' means not to use locking. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Also see the LOCKDIR, LOCK_TIMEOUT and SHOW_LOCK_MSGS options. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #USE_LOCKING=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option specifies the directory to be used when locking is enabled. | 
					
						
							|  |  |  | # If the option is unset, then the directory to be used will be worked out | 
					
						
							|  |  |  | # by rkhunter. In that instance the directories '/run/lock', '/var/lock', | 
					
						
							|  |  |  | # '/var/run/lock', '/run' and '/var/run' will be checked in turn. If none | 
					
						
							|  |  |  | # of those can be found, or are not read/writeable, then the TMPDIR directory | 
					
						
							|  |  |  | # will be used. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # To avoid the lock file persisting across a server reboot, the directory | 
					
						
							|  |  |  | # used should be memory-resident. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option has no default value. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #LOCKDIR="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If locking is used, then rkhunter may have to wait to get the lock file. | 
					
						
							|  |  |  | # This option sets the total amount of time, in seconds, that rkhunter should | 
					
						
							|  |  |  | # wait. It will retry the lock every 10 seconds, until either it obtains the | 
					
						
							|  |  |  | # lock or the timeout value has been reached. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is 300 seconds (5 minutes). | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #LOCK_TIMEOUT=300 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If locking is used, then rkhunter may be doing nothing for some time if it | 
					
						
							|  |  |  | # has to wait for the lock. If this option is set to '1', then some simple | 
					
						
							|  |  |  | # messages are echoed to the users screen to let them know that rkhunter is | 
					
						
							|  |  |  | # waiting for the lock. Set this option to '0' if the messages are not to be | 
					
						
							|  |  |  | # displayed. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '1'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SHOW_LOCK_MSGS=1 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # If this option is set to 'THOROUGH' then rkhunter will search (on a per | 
					
						
							|  |  |  | # rootkit basis) for filenames in all of the directories (as defined by the | 
					
						
							|  |  |  | # result of running 'find / -xdev'). While still not optimal, as it still | 
					
						
							|  |  |  | # searches for only file names as opposed to file contents, this is one step | 
					
						
							|  |  |  | # away from the rigidity of searching in known (evidence) or default | 
					
						
							|  |  |  | # (installation) locations. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # You should only activate this feature as part of a more thorough | 
					
						
							|  |  |  | # investigation, which should be based on relevant best practices and | 
					
						
							| 
									
										
										
										
											2022-11-20 20:03:01 -06:00
										 |  |  | # procedures. | 
					
						
							| 
									
										
										
										
											2022-05-02 15:00:29 -05:00
										 |  |  | # | 
					
						
							|  |  |  | # Enabling this feature implies you have the knowledge to interpret the | 
					
						
							| 
									
										
										
										
											2022-11-20 20:03:01 -06:00
										 |  |  | # results properly. | 
					
						
							| 
									
										
										
										
											2022-05-02 15:00:29 -05:00
										 |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SCANROOTKITMODE=THOROUGH | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The following option can be set to the name(s) of the tests the 'unhide' | 
					
						
							|  |  |  | # command is to use. Options such as '-m' and '-v' may be specified, but will | 
					
						
							|  |  |  | # only take effect when they are seen. The test names are a space-separated | 
					
						
							|  |  |  | # list, and will be executed in the order given. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is 'sys' in order to maintain compatibility with older | 
					
						
							|  |  |  | # versions of 'unhide'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #UNHIDE_TESTS=sys | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The following option can be used to set options for the 'unhide-tcp' command. | 
					
						
							|  |  |  | # The options are space-separated. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option may be specified more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #UNHIDETCP_OPTS="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option can be set to either '0' or '1'. If set to '1' then the summary, | 
					
						
							|  |  |  | # shown after rkhunter has run, will display the actual number of warnings | 
					
						
							|  |  |  | # found. If it is set to '0', then the summary will simply indicate that | 
					
						
							|  |  |  | # 'One or more' warnings were found. If no warnings were found, and this option | 
					
						
							|  |  |  | # is set to '1', then a "0" will be shown. If the option is set to '0', then | 
					
						
							|  |  |  | # the words 'No warnings' will be shown. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SHOW_SUMMARY_WARNINGS_NUMBER=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option is used to determine where, if anywhere, the summary scan time is | 
					
						
							|  |  |  | # displayed. A value of '0' indicates that it should not be displayed anywhere. | 
					
						
							|  |  |  | # A value of '1' indicates that the time should only appear on the screen, and a | 
					
						
							|  |  |  | # value of '2' that it should only appear in the log file. A value of '3' | 
					
						
							|  |  |  | # indicates that the time taken should appear both on the screen and in the log | 
					
						
							|  |  |  | # file. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '3'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #SHOW_SUMMARY_TIME=3 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The two options below may be used to check if a file is missing or empty | 
					
						
							|  |  |  | # (that is, it has a size of zero). The EMPTY_LOGFILES option will also check | 
					
						
							|  |  |  | # if the file is missing, since that can be interpreted as a file of no size. | 
					
						
							|  |  |  | # However, the file will only be reported as missing if the MISSING_LOGFILES | 
					
						
							|  |  |  | # option hasn't already done this. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Both options are space-separated lists of pathnames, and may be specified | 
					
						
							|  |  |  | # more than once. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: Log files are usually 'rotated' by some mechanism. At that time it is | 
					
						
							|  |  |  | # perfectly possible for the file to be either missing or empty. As such these | 
					
						
							|  |  |  | # options may produce false-positive warnings when log files are rotated. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # For both options the default value is the null string. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #EMPTY_LOGFILES="" | 
					
						
							|  |  |  | #MISSING_LOGFILES="" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This option can be set to either '0' or '1'. If set to '1' then the globbing | 
					
						
							|  |  |  | # characters '**' can be used to allow the recursive checking of directories. | 
					
						
							|  |  |  | # This can be useful, for example, with the USER_FILEPROP_FILES_DIRS option. | 
					
						
							|  |  |  | # For example: | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #	USER_FILEPROP_FILES_DIRS=/etc/**/*.conf | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This will check all '.conf' files within the '/etc' directory, and any | 
					
						
							|  |  |  | # sub-directories (at any level). If GLOBSTAR is not set, then the shell will | 
					
						
							|  |  |  | # interpret '**' as '*' and only one level of sub-directories will be checked. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # NOTE: This option is only valid for those shells which support the 'globstar' | 
					
						
							|  |  |  | # option. Typically this will be 'bash' (version 4 and above) via the 'shopt' command, | 
					
						
							|  |  |  | # and 'ksh' via the 'set' command. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # The default value is '0'. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | #GLOBSTAR=0 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | INSTALLDIR=/usr | 
					
						
							|  |  |  | DBDIR=/var/lib/rkhunter/db | 
					
						
							|  |  |  | SCRIPTDIR=/usr/lib/rkhunter/scripts | 
					
						
							|  |  |  | TMPDIR=/var/lib/rkhunter/tmp | 
					
						
							|  |  |  | USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf | 
					
						
							|  |  |  | SCRIPTWHITELIST=/usr/bin/ldd | 
					
						
							|  |  |  | SCRIPTWHITELIST=/usr/bin/vendor_perl/GET | 
					
						
							| 
									
										
										
										
											2022-05-03 16:57:52 -05:00
										 |  |  | BINDIR=/bin /usr/bin /sbin /usr/sbin | 
					
						
							|  |  |  | BINDIR=+/usr/local/bin +/usr/local/sbin | 
					
						
							|  |  |  | # Allowlist for false postives | 
					
						
							|  |  |  | ALLOWPROCLISTEN=/usr/bin/inspircd | 
					
						
							|  |  |  | PORT_WHITELIST=TCP:6667 | 
					
						
							|  |  |  | ALLOWDEVFILE=/dev/shm/PostgreSQL* | 
					
						
							|  |  |  | ALLOWDEVFILE=/dev/shm/mono* | 
					
						
							| 
									
										
										
										
											2022-05-02 15:00:29 -05:00
										 |  |  | 
 |