# # This is the configuration file for Rootkit Hunter. # # Please modify it to your own requirements. # Please review the documentation before posting bug reports or questions. # To report bugs, obtain updates, or provide patches or comments, please go to: # http://rkhunter.sourceforge.net # # To ask questions about rkhunter, please use the rkhunter-users mailing list. # Note this is a moderated list: please subscribe before posting. # # Lines beginning with a hash (#), and blank lines, will be ignored. # # Most of the following options need only be specified once. If # they appear more than once, then the last one seen will be used. # Some options are allowed to appear more than once, and the text # describing the option will say if this is so. # # # If this option is set to 1, it specifies that the mirrors file, which # is used when the '--update' and '--versioncheck' options are used, is # to be rotated. Rotating the entries in the file allows a basic form # of load-balancing between the mirror sites whenever the above options # are used. # If the option is set to 0, then the mirrors will be treated as if in # a priority list. That is, the first mirror will always be used. The # second mirror will only be used if the first mirror fails, then the # third mirror will be used if the second fails and so on. # ROTATE_MIRRORS=1 # # If this option is set to 1, it specifies that when the '--update' # option is used, then the mirrors file is to be checked for updates # as well. If the current mirrors file contains any local mirrors, # these will be prepended to the updated file. # If this option is set to 0, the mirrors file can only be updated # manually. This may be useful if only using local mirrors. # UPDATE_MIRRORS=1 # # The MIRRORS_MODE option tells rkhunter which mirrors are to be # used when the '--update' or '--versioncheck' command-line options # are given. Possible values are: # 0 - use any mirror (the default) # 1 - only use local mirrors # 2 - only use remote mirrors # # Local and remote mirrors can be defined in the mirrors.dat file # by using the 'local=' and 'remote=' keywords respectively. # MIRRORS_MODE=0 # # Email a message to this address if a warning is found when the # system is being checked. Multiple addresses may be specified # simply be separating them with a space. # MAIL-ON-WARNING=mmcgrath@redhat.com # # Specify the mail command to use if MAIL-ON-WARNING is set. # NOTE: Double quotes are not required around the command, but # are required around the subject line if it contains spaces. # MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" # # Specify the temporary directory to use. # # NOTE: Do not use /tmp as your temporary directory. Some # important files will be written to this directory, so be # sure that the directory permissions are tight. # TMPDIR=/var/lib/rkhunter # # Specify the database directory to use. # DBDIR=/var/lib/rkhunter/db # # Specify the script directory to use. # SCRIPTDIR=/usr/share/rkhunter/scripts # # Specify the root directory to use. # #ROOTDIR="" # # Specify the command directories to be checked. This is a # space-separated list of directories. # BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec" # # Specify the language to use. This should be similar # to the ISO 639 language code. # # NOTE: Please ensure that the language you specify is supported. # For a list of supported languages use the following command: # # rkhunter --lang en --list languages # #LANGUAGE=en # # Specify the log file pathname. # LOGFILE=/var/log/rkhunter/rkhunter.log # # Set the following option to 1 if the log file is to be appended to # whenever rkhunter is run. # # # Set the following option to enable the rkhunter check start and finish # times to be logged by syslog. Warning messages will also be logged. # The value of the option must be a standard syslog facility and # priority, separated by a dot. # # For example: USE_SYSLOG=authpriv.warning # # Setting the value to 'none', or just leaving the option commented out, # disables the use of syslog. # USE_SYSLOG=authpriv.notice # # Set the following option to 1 if the second colour set is to be used. # This can be useful if your screen uses black characters on a white # background (for example, a PC instead of a server). # COLOR_SET2=0 # # Set the following option to 0 if rkhunter should not detect if X is # being used. If X is detected as being used, then the second colour # set will automatically be used. # AUTO_X_DETECT=1 # # The following option is checked against the SSH configuration file # 'PermitRootLogin' option. A warning will be displayed if they do not # match. However, if a value has not been set in the SSH configuration # file, then a value here of 'yes' or 'unset' will not cause a warning. # This option has a default value of 'no'. # ALLOW_SSH_ROOT_USER=no # # Set this option to '1' to allow the use of the SSH-1 protocol, but note # that theoretically it is weaker, and therefore less secure, than the # SSH-2 protocol. Do not modify this option unless you have good reasons # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 # authentication). If the 'Protocol' option has not been set in the SSH # configuration file, then a value of '2' may be set here in order to # suppress a warning message. This option has a default value of '0'. # ALLOW_SSH_PROT_V1=0 # # This setting tells rkhunter the directory containing the SSH configuration # file. This setting will be worked out by rkhunter, and so should not # usually need to be set. # #SSH_CONFIG_DIR=/etc/ssh # # These two options determine which tests are to be performed. # The ENABLE_TESTS option can use the word 'all' to refer to all the # available tests. The DISABLE_TESTS option can use the word 'none' to # mean that no tests are disabled. The list of disabled tests is applied to # the list of enabled tests. Both options are space-separated lists of test # names. The currently available test names can be seen by using the command # 'rkhunter --list tests'. # # The program defaults are to enable all tests and disable none. However, if # either option is specified in this file, then it overrides the program # default. The supplied rkhunter.conf file has some tests already disabled, # and these are tests that will be used only incidentally, can be considered # "advanced" or those that are prone to produce more than the "average" number # of "false positives". # # Please read the README file for more details about enabling and disabling # tests, the test names, and how rkhunter behaves when these options are used. # ENABLE_TESTS="all" DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps" # # The HASH_FUNC option can be used to specify the command to use # for the file hash value check. It can be specified as just # the command name or the full pathname. Systems using prelinking # are restricted to using either SHA1 or MD5 functions. To get rkhunter # to look for the sha1(sum)/md5(sum) command, or to use the supplied # perl scripts, simply specify this option as 'SHA1' or 'MD5' in # uppercase. The default is SHA1, or MD5 if SHA1 cannot be found. # # A value of 'NONE' (in uppercase) can be specified to indicate that # no hash function should be used. Rootkit Hunter will detect this and # automatically disable the file hash checks. # # Examples: # For Solaris 9 : HASH_FUNC=gmd5sum # For Solaris 10: HASH_FUNC=sha1sum # For AIX (>5.2): HASH_FUNC="csum -hMD5" # For NetBSD : HASH_FUNC="cksum -a sha512" # # NOTE: If the hash function is changed then you MUST run rkhunter with # the '--propupd' option to rebuild the file properties database. # HASH_FUNC=sha1sum # # The HASH_FLD_IDX option specifies which field from the HASH_FUNC # command output contains the hash value. The fields are assumed to # be space-separated. The default value is one, but for *BSD users # rkhunter will, by default, use a value of 4 if the HASH_FUNC option # has not been set. The option value must be a positive integer. # #HASH_FLD_IDX=4 # # The PKGMGR option tells rkhunter to use the specified package manager # to obtain the file property information. This is used when updating # the file properties file 'rkhunter.dat', and when running the file # properties check. For RedHat/RPM-based systems, 'RPM' can be used # to get information from the RPM database. For Debian-based systems # 'DPKG' can be used, and for *BSD systems 'BSD' can be used. # No value, or a value of 'NONE', indicates that no package manager # is to be used. The default is 'NONE'. # # The current package managers store the file hash values using an # MD5 hash function. # # The 'DPKG' and 'BSD' package managers only provide MD5 hash values. # The 'RPM' package manager additionally provides values for the inode, # file permissions, uid, gid and other values. # # For any file not part of a package, rkhunter will revert to using # the HASH_FUNC hash function instead. # PKGMGR=RPM # # Whitelist various attributes of the specified files. # The attributes are those of the 'attributes' test. # Specifying a file name here does not include it being # whitelisted for the write permission test below. # One command per line (use multiple ATTRWHITELIST lines). # #ATTRWHITELIST=/bin/ps # # Allow the specified commands to have the 'others' # (world) permission have the write-bit set. # # For example, files with permissions r-xr-xrwx # or rwxrwxrwx. # # One command per line (use multiple WRITEWHITELIST lines). # #WRITEWHITELIST=/bin/ps # # Allow the specified commands to be scripts. # One command per line (use multiple SCRIPTWHITELIST lines). # #SCRIPTWHITELIST=/sbin/ifup #SCRIPTWHITELIST=/sbin/ifdown #SCRIPTWHITELIST=/usr/bin/groups # # Allow the specified commands to have the immutable attribute set. # One command per line (use multiple IMMUTWHITELIST lines). # #IMMUTWHITELIST=/sbin/ifup # # Allow the specified hidden directories. # One directory per line (use multiple ALLOWHIDDENDIR lines). # ALLOWHIDDENDIR=/dev/.udev # # Allow the specified hidden files. # One file per line (use multiple ALLOWHIDDENFILE lines). # ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac ALLOWHIDDENFILE=/usr/bin/.ssh.hmac ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac # # Allow the specified processes to use deleted files. # One process per line (use multiple ALLOWPROCDELFILE lines). # #ALLOWPROCDELFILE=/sbin/cardmgr #ALLOWPROCDELFILE=/usr/sbin/gpm #ALLOWPROCDELFILE=/usr/libexec/gconfd-2 #ALLOWPROCDELFILE=/usr/sbin/mysqld # # Allow the specified processes to listen on any network interface. # One process per line (use multiple ALLOWPROCLISTEN lines). # #ALLOWPROCLISTEN=/sbin/dhclient #ALLOWPROCLISTEN=/usr/bin/dhcpcd #ALLOWPROCLISTEN=/usr/sbin/pppoe #ALLOWPROCLISTEN=/usr/sbin/tcpdump #ALLOWPROCLISTEN=/usr/sbin/snort-plain #ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant # # SCAN_MODE_DEV governs how we scan /dev for suspicious files. # The two allowed options are: THOROUGH or LAZY. # If commented out we do a THOROUGH scan which will increase the runtime. # Even though this adds to the running time it is highly recommended to # leave it like this. # #SCAN_MODE_DEV=THOROUGH # # Allow the specified files to be present in the /dev directory, # and not regarded as suspicious. One file per line (use multiple # ALLOWDEVFILE lines). # #ALLOWDEVFILE=/dev/abc #ALLOWDEVFILE=/dev/shm/pulse-shm-* # # This setting tells rkhunter where the inetd configuration # file is located. # #INETD_CONF_PATH=/etc/inetd.conf # # Allow the following enabled inetd services. # Only one service per line (use multiple INETD_ALLOWED_SVC lines). # # Below are some Solaris 9 and 10 services that may want to be whitelisted. # #INETD_ALLOWED_SVC=echo #INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd #INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto #INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd #INETD_ALLOWED_SVC=/usr/sbin/rpc.metad #INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd #INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd #INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd #INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd #INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd #INETD_ALLOWED_SVC=/usr/lib/gss/gssd #INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader #INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd #INETD_ALLOWED_SVC=/network/rpc/mdcomm #INETD_ALLOWED_SVC=/network/rpc/meta #INETD_ALLOWED_SVC=/network/rpc/metamed #INETD_ALLOWED_SVC=/network/rpc/metamh #INETD_ALLOWED_SVC=/network/security/ktkt_warn #INETD_ALLOWED_SVC=/application/x11/xfs #INETD_ALLOWED_SVC=/application/print/rfc1179 #INETD_ALLOWED_SVC=/application/font/stfsloader #INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord #INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp #INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp # # This setting tells rkhunter where the xinetd configuration # file is located. # #XINETD_CONF_PATH=/etc/xinetd.conf # # Allow the following enabled xinetd services. Whilst it would be # nice to use the service names themselves, at the time of testing # we only have the pathname available. As such, these entries are # the xinetd file pathnames. # Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines). # XINETD_ALLOWED_SVC=/etc/xinetd.d/rsync XINETD_ALLOWED_SVC=/etc/xinetd.d/cvspserver XINETD_ALLOWED_SVC=/etc/xinetd.d/tftp XINETD_ALLOWED_SVC=/etc/xinetd.d/git-server XINETD_ALLOWED_SVC=/etc/xinetd.d/bzr-server # # This setting tells rkhunter the local system startup file pathnames. # More than one file may be present on the system, and so this option # can be a space-separated list. This setting will be worked out by # rkhunter, and so should not usually need to be set. # # If the system uses a directory of local startup scripts, then rather # that setting all the file names here, leave this setting blank, and # specify the directory name in SYSTEM_RC_DIR instead. # # If the system does not use a local startup script at all, then this # setting can be set to 'none'. Without this, rkhunter would give a # warning that no local startup script could be found. # #LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit" # # This setting tells rkhunter the local system startup file directory. # This setting will be worked out by rkhunter, and so should not usually # need to be set. # #SYSTEM_RC_DIR=/etc/rc.d # # This setting tells rkhunter the pathname to the file containing the # user account passwords. This setting will be worked out by rkhunter, # and so should not usually need to be set. # PASSWORD_FILE=/etc/shadow # # Allow the following accounts to be root equivalent. These accounts # will have a UID value of zero. This option is a space-separated list # of account names. The 'root' account does not need to be listed as it # is automatically whitelisted. # # Note: For *BSD systems you may need to enable this for the 'toor' account. # #UID0_ACCOUNTS="toor rooty" # # Allow the following accounts to have no password. This option is a # space-separated list of account names. NIS/YP entries do not need to # be listed as they are automatically whitelisted. # #PWDLESS_ACCOUNTS="abc" # # This setting tells rkhunter the pathname to the syslog configuration # file. This setting will be worked out by rkhunter, and so should not # usually need to be set. # #SYSLOG_CONFIG_FILE=/etc/syslog.conf # # This option permits the use of syslog remote logging. # ALLOW_SYSLOG_REMOTE_LOGGING=1 # # Allow the following applications, or a specific version of an application, # to be whitelisted. This option is a space-separated list consisting of the # application names. If a specific version is to be whitelisted, then the # name must be followed by a colon and then the version number. # # For example: APP_WHITELIST="openssl:0.9.7d gpg" # #APP_WHITELIST="" # # Scan for suspicious files in directories containing temporary files and # directories posing a relatively higher risk due to user write access. # Please do not enable by default as suspscan is CPU and I/O intensive and prone to # producing false positives. Do review all settings before usage. # Also be aware that running suspscan in combination with verbose logging on, # RKH's default, will show all ignored files. # Please consider adding all directories the user the (web)server runs as has # write access to including the document root (example: "/var/www") and log # directories (example: "/var/log/httpd"). # # A space-separated list of directories to scan. # SUSPSCAN_DIRS="/tmp /var/tmp" # # Directory for temporary files. A memory-based one is better (faster). # Do not use a directory name that is listed in SUSPSCAN_DIRS. # Please make sure you have a tempfs mounted and the directory exists. # SUSPSCAN_TEMP=/dev/shm # # Maximum filesize in bytes. Files larger than this will not be inspected. # Do make sure you have enough space left in your temporary files directory. # SUSPSCAN_MAXSIZE=10240000 # # Score threshold. Below this value no hits will be reported. # A value of "200" seems "good" after testing on malware. Please adjust # locally if necessary. # SUSPSCAN_THRESH=200 # # The following option can be used to whitelist network ports which # are known to have been used by malware. The option is a space- # separated list of one or more of three types of whitelisting. # These are: # # 1) a 'protocol:port' pair (e.g. TCP:25) # 2) a pathname to an executable (e.g. /usr/sbin/squid) # 3) an asterisk ('*') # # Only the UDP or TCP protocol may be specified, and the port number # must be between 1 and 65535 inclusive. # # The asterisk can be used to indicate that any executable in a trusted # path directory will be whitelisted. A trusted path directory is one which # rkhunter uses to locate commands. It is composed of the root PATH # environment variable, and the BINDIR command-line or configuration # file option. # # For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" # #PORT_WHITELIST="" # # The following option can be used to tell rkhunter where the operating # system 'release' file is located. This file contains information # specifying the current O/S version. RKH will store this information # itself, and check to see if it has changed between each run. If it has # changed, then the user is warned that RKH may issue warning messages # until RKH has been run with the '--propupd' option. # # Since the contents of the file vary according to the O/S distribution, # RKH will perform different actions when it detects the file itself. As # such, this option should not be set unless necessary. If this option is # specified, then RKH will assume the O/S release information is on the # first non-blank line of the file. # OS_VERSION_FILE=/etc/redhat-release # # The following two options can be used to whitelist files and directories # that would normally be flagged with a warning during the rootkit checks. # If the file or directory name contains a space, then the percent character # ('%') must be used instead. Only existing files and directories can be # specified. # #RTKT_DIR_WHITELIST="" #RTKT_FILE_WHITELIST="" # # To force rkhunter to use the supplied script for the 'stat' or 'readlink' # command, then the following two options can be used. The value must be # set to 'BUILTIN'. # # NOTE: IRIX users will probably need to enable STAT_CMD. # #STAT_CMD=BUILTIN #READLINK_CMD=BUILTIN INSTALLDIR=/usr SCRIPTWHITELIST=/usr/bin/whatis SCRIPTWHITELIST=/usr/bin/ldd SCRIPTWHITELIST=/usr/bin/groups SCRIPTWHITELIST=/usr/bin/GET SCRIPTWHITELIST=/sbin/ifup SCRIPTWHITELIST=/sbin/ifdown