The Rootkit Hunter configuration file is stored at /etc/rkhunter.conf.
This file is well documented and contain many of Rootkit Hunter's configuration options.
The following are all options currently set.
TMPDIR=/var/lib/rkhunter/tmp DBDIR=/var/lib/rkhunter/db SCRIPTDIR=/usr/share/rkhunter/scripts LOGFILE=/var/log/rkhunter.log USE_SYSLOG=authpriv.warning AUTO_X_DETECT=1 ENABLE_TESTS=all DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps HASH_CMD=sha256sum SCRIPTWHITELIST=/bin/egrep SCRIPTWHITELIST=/bin/fgrep SCRIPTWHITELIST=/bin/which SCRIPTWHITELIST=/usr/bin/ldd #SCRIPTWHITELIST=/usr/bin/lwp-request SCRIPTWHITELIST=/usr/sbin/adduser #SCRIPTWHITELIST=/usr/sbin/prelink #SCRIPTWHITELIST=/usr/sbin/unhide.rb DISABLE_UNHIDE=1 INSTALLDIR=/usr
The entire file is:
# # This is the main configuration file for Rootkit Hunter. # # You can modify this file directly, or you can create a local configuration # file. The local file must be named 'rkhunter.conf.local', and must reside # in the same directory as this file. Alternatively you can create a directory, # named 'rkhunter.d', which also must be in the same directory as this # configuration file. Within the 'rkhunter.d' directory you can place further # configuration files. There is no restriction on the file names used, other # than they must end in '.conf'. # # Please modify the configuration file(s) to your own requirements. It is # recommended that the command 'rkhunter -C' is run after any changes have # been made. # # Please review the documentation before posting bug reports or questions. # To report bugs, obtain updates, or provide patches or comments, please go # to: http://rkhunter.sourceforge.net # # To ask questions about rkhunter, please use the 'rkhunter-users' mailing list. # Note that this is a moderated list, so please subscribe before posting. # # In the configuration files, lines beginning with a hash (#), and blank lines, # are ignored. Also, end-of-line comments are not supported. # # Any of the configuration options may appear more than once. However, several # options only take one value, and so the last one seen will be used. Some # options are allowed to appear more than once, and the text describing the # option will say if this is so. These configuration options will, in effect, # have their values concatenated together. To delete a previously specified # option list, specify the option with no value (that is, a null string). # # Some of the options are space-separated lists, others, typically those # specifying pathnames, are newline-separated lists. These must be entered # as one item per line. Quotes must not be used to surround the pathname. # For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an # option: XXX=/tmp/abc (correct) # XXX=/tmp/xyz # # XXX="/tmp/abc" (incorrect) # XXX="/tmp/xyz" # # XXX=/tmp/abc /tmp/xyz (incorrect) # or XXX="/tmp/abc /tmp/xyz" (incorrect) # or XXX="/tmp/abc" "/tmp/xyz" (incorrect) # # The last three examples are being configured as space-separated lists, # which is incorrect, generally, for options specifying pathnames. They # should be configured with one entry per line as in the first example. # # If wildcard characters (globbing) are allowed for an option, then the # text describing the option will say so. # # Space-separated lists may be enclosed by quotes, although they are not # required. If they are used, then they must only appear at the start and # end of the list, not in the middle. # # For example: XXX=abc def gh (correct) # XXX="abc def gh" (correct) # XXX="abc" "def" "gh" (incorrect) # # Space-separated lists may also be entered simply as one entry per line. # # For example: XXX=abc (correct) # XXX=def # XXX="gh" # # If a configuration option is never set, then the program will assume a # default value. The text describing the option will state the default value. # If there is no default, then rkhunter will calculate a value or pathname # to use. # # # If this option is set to '1', it specifies that the mirrors file # ('mirrors.dat'), which is used when the '--update' and '--versioncheck' # options are used, is to be rotated. Rotating the entries in the file allows # a basic form of load-balancing between the mirror sites whenever the above # options are used. # # If the option is set to '0', then the mirrors will be treated as if in a # priority list. That is, the first mirror listed will always be used first. # The second mirror will only be used if the first mirror fails, the third # mirror will only be used if the second mirror fails, and so on. # # If the mirrors file is read-only, then the '--versioncheck' command-line # option can only be used if this option is set to '0'. # # The default value is '1'. # #ROTATE_MIRRORS=1 # # If this option is set to '1', it specifies that when the '--update' option is # used, then the mirrors file is to be checked for updates as well. If the # current mirrors file contains any local mirrors, these will be prepended to # the updated file. If this option is set to '0', the mirrors file can only be # updated manually. This may be useful if only using local mirrors. # # The default value is '1'. # #UPDATE_MIRRORS=1 # # The MIRRORS_MODE option tells rkhunter which mirrors are to be used when # the '--update' or '--versioncheck' command-line options are given. # Possible values are: # 0 - use any mirror # 1 - only use local mirrors # 2 - only use remote mirrors # # Local and remote mirrors can be defined in the mirrors file by using the # 'local=' and 'remote=' keywords respectively. # # The default value is '0'. # #MIRRORS_MODE=0 # # Email a message to this address if a warning is found when the system is # being checked. Multiple addresses may be specified simply be separating # them with a space. To disable the option, simply set it to the null string # or comment it out. # # The option may be specified more than once. # # The default value is the null string. # # Also see the MAIL_CMD option. # #MAIL-ON-WARNING=root # # This option specifies the mail command to use if MAIL-ON-WARNING is set. # # NOTE: Double quotes are not required around the command, but are required # around the subject line if it contains spaces. # # The default is to use the 'mail' command, with a subject line # of '[rkhunter] Warnings found for ${HOST_NAME}'. # #MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" # # This option specifies the directory to use for temporary files. # # NOTE: Do not use '/tmp' as your temporary directory. Some important files # will be written to this directory, so be sure that the directory permissions # are secure. # # The installer program will set the default directory. If this default is # subsequently commented out or removed, then the program will assume a # default directory beneath the installation directory. # TMPDIR=/var/lib/rkhunter/tmp # # This option specifies the database directory to use. # # The installer program will set the default directory. If this default is # subsequently commented out or removed, then the program will assume a # default directory beneath the installation directory. # DBDIR=/var/lib/rkhunter/db # # This option specifies the script directory to use. # # The installer program will set the default directory. If this default is # subsequently commented out or removed, then the program will not run. # SCRIPTDIR=/usr/share/rkhunter/scripts # # This option can be used to modify the command directory list used by rkhunter # to locate commands (that is, its PATH). By default this will be the root PATH, # and an internal list of some common command directories. # # Any directories specified here will, by default, be appended to the default # list. However, if a directory name begins with the '+' character, then that # directory will be prepended to the list (that is, it will be put at the start # of the list). # # This is a space-separated list of directory names. The option may be # specified more than once. # # The default value is based on the root account PATH environment variable. # #BINDIR=/bin /usr/bin /sbin /usr/sbin #BINDIR=+/usr/local/bin +/usr/local/sbin # # This option specifies the default language to use. This should be similar to # the ISO 639 language code. # # NOTE: Please ensure that the language you specify is supported. # For a list of supported languages use the following command: # # rkhunter --lang en --list languages # # The default language is 'en' (English). # #LANGUAGE=en # # This option is a space-separated list of the languages that are to be updated # when the '--update' option is used. If unset, then all the languages will be # updated. If none of the languages are to be updated, then set this option to # just 'en'. # # The default language, specified by the LANGUAGE option, and the English (en) # language file will always be updated regardless of this option. # # This option may be specified more than once. # # The default value is the null string, indicating that all the language files # will be updated. # #UPDATE_LANG="" # # This option specifies the log file pathname. The file will be created if it # does not initially exist. If the option is unset, then the program will # display a message each time it is run saying that the default value is being # used. # # The default value is '/var/log/rkhunter.log'. # LOGFILE=/var/log/rkhunter.log # # Set this option to '1' if the log file is to be appended to whenever rkhunter # is run. A value of '0' will cause a new log file to be created whenever the # program is run. # # The default value is '0'. # #APPEND_LOG=0 # # Set the following option to '1' if the log file is to be copied when rkhunter # finishes and an error or warning has occurred. The copied log file name will # be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format). # For example: rkhunter.log.2009-04-21_00:57:51 # If the option value is '0', then the log file will not be copied regardless # of whether any errors or warnings occurred. # # The default value is '0'. # #COPY_LOG_ON_ERROR=0 # # Set the following option to enable the rkhunter check start and finish times # to be logged by syslog. Warning messages will also be logged. The value of # the option must be a standard syslog facility and priority, separated by a # dot. For example: # # USE_SYSLOG=authpriv.warning # # Setting the value to 'none', or just leaving the option commented out, # disables the use of syslog. # # The default value is not to use syslog. # USE_SYSLOG=authpriv.warning # # Set the following option to '1' if the second colour set is to be used. This # can be useful if your screen uses black characters on a white background # (for example, a PC instead of a server). A value of '0' will cause the default # colour set to be used. # # The default value is '0'. # #COLOR_SET2=0 # # Set the following option to '0' if rkhunter should not detect if X is being # used. If X is detected as being used, then the second colour set will # automatically be used. If set to '1', then the use of X will be detected. # # The default value is '0'. # AUTO_X_DETECT=1 # # Set the following option to '1' if it is wanted that any 'Whitelisted' results # are shown in white rather than green. For colour set 2 users, setting this # option will cause the result to be shown in black. Setting the option to '0' # causes whitelisted results to be displayed in green. # # The default value is '0'. # #WHITELISTED_IS_WHITE=0 # # The following option is checked against the SSH configuration file # 'PermitRootLogin' option. A warning will be displayed if they do not match. # However, if a value has not been set in the SSH configuration file, then a # value here of 'unset' can be used to avoid warning messages. # # The default value is 'no'. # #ALLOW_SSH_ROOT_USER=no # # Set this option to '1' to allow the use of the SSH-1 protocol, but note # that theoretically it is weaker, and therefore less secure, than the # SSH-2 protocol. Do not modify this option unless you have good reasons # to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 # authentication). If the 'Protocol' option has not been set in the SSH # configuration file, then a value of '2' may be set here in order to # suppress a warning message. A value of '0' indicates that the use of # SSH-1 is not allowed. # # The default value is '0'. # #ALLOW_SSH_PROT_V1=0 # # This setting tells rkhunter the directory containing the SSH configuration # file. This setting will be worked out by rkhunter, and so should not # usually need to be set. # # This option has no default value. # #SSH_CONFIG_DIR=/etc/ssh # # These two options determine which tests are to be performed. The ENABLE_TESTS # option can use the word 'all' to refer to all of the available tests. The # DISABLE_TESTS option can use the word 'none' to mean that no tests are # disabled. The list of disabled tests is applied to the list of enabled tests. # # Both options are space-separated lists of test names, and both options may # be specified more than once. The currently available test names can be seen # by using the command 'rkhunter --list tests'. # # The supplied configuration file has some tests already disabled, and these # are tests that will be used only occasionally, can be considered 'advanced' # or that are prone to produce more than the average number of false-positives. # # Please read the README file for more details about enabling and disabling # tests, the test names, and how rkhunter behaves when these options are used. # # The default values are to enable all tests and to disable none. However, if # either of the options below are specified, then they will override the # program defaults. # # hidden_procs test requires the unhide and/or unhide.rb commands which are # part of the unhide respectively unhide.rb packages in Debian. # # apps test is disabled by default as it triggers warnings about outdated # applications (and warns about possible security risk: we better trust # the Debian Security Team). # ENABLE_TESTS=all DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps # # The HASH_CMD option can be used to specify the command to use for the file # properties hash value check. It can be specified as just the command name or # the full pathname. If just the command name is given, and it is one of MD5, # SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the # relevant command, such as 'sha256sum', and then for 'sha256'. If neither of # these are found, it will then look to see if a perl module has been installed # which will support the relevant hash function. To see which perl modules have # been installed use the command 'rkhunter --list perl'. # # Systems using prelinking are restricted to using either the SHA1 or MD5 # function. # # A value of 'NONE' (in uppercase) can be specified to indicate that no hash # function should be used. Rkhunter will detect this, and automatically disable # the file properties hash check test. # # Examples: # For Solaris 9 : HASH_CMD=gmd5sum # For Solaris 10: HASH_CMD=sha1sum # For AIX (>5.2): HASH_CMD="csum -hMD5" # For NetBSD : HASH_CMD="cksum -a sha512" # # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. # # The default value is the SHA1 function, or MD5 if SHA1 cannot be found. # # Also see the HASH_FLD_IDX option. # HASH_CMD=sha256sum # # The HASH_FLD_IDX option specifies which field from the HASH_CMD command # output contains the hash value. The fields are assumed to be space-separated. # # The option value must be an integer greater than zero. # # The default value is '1', but for *BSD users rkhunter will, by default, use a # value of '4' if the HASH_CMD option has not been set. # #HASH_FLD_IDX=4 # # The PKGMGR option tells rkhunter to use the specified package manager to # obtain the file property information. This is used when updating the file # properties file ('rkhunter.dat'), and when running the file properties check. # For RedHat/RPM-based systems, 'RPM' can be used to get information from the # RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems # 'BSD' can be used, and for Solaris systems 'SOLARIS' can be used. No value, # or a value of 'NONE', indicates that no package manager is to be used. # # The current package managers, except 'SOLARIS', store the file hash values # using an MD5 hash function. The Solaris package manager includes a checksum # value, but this is not used by default (see USE_SUNSUM below). # # The 'DPKG' and 'BSD' package managers only provide MD5 hash values. # The 'RPM' package manager additionally provides values for the inode, # file permissions, uid, gid and other values. The 'SOLARIS' also provides # most of the values, similar to 'RPM', but not the inode number. # # For any file not part of a package, rkhunter will revert to using the # HASH_CMD hash function instead. # # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. # # The default value is 'NONE'. # # Also see the PKGMGR_NO_VRFY and USE_SUNSUM options. # # NONE is the default for Debian as well, as running --propupd takes # about 4 times longer when it's set to DPKG # #PKGMGR=NONE # # It is possible that a file, which is part of a package, may have been # modified by the administrator. Typically this occurs for configuration # files. However, the package manager may list the file as being modified. # For the RPM package manager this may well depend on how the package was # built. This option specifies a pathname which is to be exempt from the # package manager verification process, and which will be treated # as a non-packaged file. As such, the file properties are still checked. # # This option only takes effect if the PKGMGR option has been set, and # is not 'NONE'. # # This option may be specified more than once. # # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. # # The default value is the null string. # #PKGMGR_NO_VRFY="" # # If the 'SOLARIS' package manager is used, then it is possible to use the # checksum (hash) value stored for a file. However, this is only a 16-bit # checksum, and as such is not nearly as secure as, for example, a SHA-2 value. # If the option is set to '0', then the checksum is not used and the hash # function given by HASH_CMD is used instead. To enable this option, set its # value to '1'. The Solaris 'sum' command must be present on the system if this # option is used. # # The default value is '0'. # #USE_SUNSUM=0 # # This option can be used to tell rkhunter to ignore any prelink dependency # errors for the given commands. However, a warning will also be issued if the # error does not occur for a given command. As such this option must only be # used on commands which experience a persistent problem. # # Short-term prelink dependency errors can usually be resolved simply by # running the 'prelink' command on the given pathname. # # This is a space-separated list of command pathnames. The option can be # specified more than once. # # NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. # # The default value is the null string. # #IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top # # These options specify a command, directory or file pathname which will be # included or excluded in the file properties checks. # # For the USER_FILEPROP_FILES_DIRS option, simple command names - for example, # 'top' - and directory names are added to the internal list of directories to # be searched for each of the command names in the command list. Additionally, # full pathnames to files, which need not be commands, may be given. Any files # or directories which are already part of the internal lists will be silently # ignored from the configuration. # # For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for # simple command names. # For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. # # Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS # option. Wildcards may be used with this option. # # By combining these two options, and using wildcards, whole directories can be # excluded. For example: # # USER_FILEPROP_FILES_DIRS=/etc/* # USER_FILEPROP_FILES_DIRS=/etc/*/* # EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/* # # This will look for files in the first two directory levels of '/etc'. However, # anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be # excluded. # # NOTE: Only files and directories which have been added by the user, and are # not part of the internal lists, can be excluded. So, for example, it is not # possible to exclude the 'ps' command by using '/bin/ps'. These will be # silently ignored from the configuration. # # Both options can be specified more than once. # # NOTE: Whenever these options are changed 'rkhunter --propupd' must be run. # # The default value for both options is the null string. # #USER_FILEPROP_FILES_DIRS=top #USER_FILEPROP_FILES_DIRS=/usr/local/sbin #USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf #USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local #USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/* #USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/* #EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps* #EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat #EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter* # # This option whitelists files and directories from existing, or not existing, # on the system at the time of testing. This option is used when the # configuration file options themselves are checked, and during the file # properties check, the hidden files and directories checks, and the filesystem # check of the '/dev' directory. # # This option may be specified more than once, and may use wildcards. # Be aware though that this is probably not what you want to do as the # wildcarding will be expanded after files have been deleted. As such # deleted files won't be whitelisted if wildcarded. # # NOTE: The user must take into consideration how often the file will appear # and disappear from the system in relation to how often rkhunter is run. If # the file appears, and disappears, too often then rkhunter may not notice # this. All it will see is that the file has changed. The inode-number and DTM # will certainly be different for each new file, and rkhunter will report this. # # The default value is the null string. # #EXISTWHITELIST="" # # Whitelist various attributes of the specified file. The attributes are those # of the 'attributes' test. Specifying a file name here does not include it # being whitelisted for the write permission test (see below). # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #ATTRWHITELIST=/usr/bin/date # # Allow the specified file to have the 'others' (world) permission have the # write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #WRITEWHITELIST=/usr/bin/date # # Allow the specified file to be a script. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # SCRIPTWHITELIST=/bin/egrep SCRIPTWHITELIST=/bin/fgrep SCRIPTWHITELIST=/bin/which SCRIPTWHITELIST=/usr/bin/ldd #SCRIPTWHITELIST=/usr/bin/lwp-request SCRIPTWHITELIST=/usr/sbin/adduser #SCRIPTWHITELIST=/usr/sbin/prelink #SCRIPTWHITELIST=/usr/sbin/unhide.rb # # Allow the specified file to have the immutable attribute set. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #IMMUTWHITELIST=/sbin/ifdown # # If this option is set to '1', then the immutable-bit test is reversed. That # is, the files are expected to have the bit set. A value of '0' means that the # immutable-bit should not be set. # # The default value is '0'. # #IMMUTABLE_SET=0 # # Allow the specified hidden directory to be whitelisted. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #ALLOWHIDDENDIR=/etc/.java #ALLOWHIDDENDIR=/etc/.git #ALLOWHIDDENDIR=/dev/.lxc # # Allow the specified hidden file to be whitelisted. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz #ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac #ALLOWHIDDENFILE=/usr/bin/.ssh.hmac #ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac #ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac #ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac #ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz #ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz #ALLOWHIDDENFILE=/etc/.gitignore #ALLOWHIDDENFILE=/etc/.bzrignore #ALLOWHIDDENFILE=/etc/.etckeeper # # Allow the specified process to use deleted files. The process name may be # followed by a colon-separated list of full pathnames. The process will then # only be whitelisted if it is using one of the given files. For example: # # ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz # # This option may be specified more than once. It may also use wildcards, but # only in the file names. # # The default value is the null string. # #ALLOWPROCDELFILE=/sbin/cardmgr #ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2 #ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib* #ALLOWPROCDELFILE=/usr/lib/iceweasel/iceweasel #ALLOWPROCDELFILE=/usr/bin/file-roller # # Allow the specified process to listen on any network interface. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #ALLOWPROCLISTEN=/sbin/dhclient #ALLOWPROCLISTEN=/usr/bin/dhcpcd #ALLOWPROCLISTEN=/usr/sbin/tcpdump #ALLOWPROCLISTEN=/usr/sbin/snort-plain # # Allow the specified network interfaces to be in promiscuous mode. # # This is a space-separated list of interface names. The option may be # specified more than once. # # The default value is the null string. # #ALLOWPROMISCIF=eth0 # # This option specifies how rkhunter should scan the '/dev' directory for # suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'. # # A THOROUGH scan will increase the overall runtime of rkhunter. Despite this, # it is highly recommended that this value is used. # # The default value is 'THOROUGH'. # # Also see the ALLOWDEVFILE option. # #SCAN_MODE_DEV=THOROUGH # # Allow the specified file to be present in the '/dev' directory, and not # regarded as suspicious. # # This option may be specified more than once, and may use wildcard characters. # # The default value is the null string. # #ALLOWDEVFILE=/dev/shm/pulse-shm-* #ALLOWDEVFILE=/dev/shm/sem.ADBE_* # # This option is used to indicate if the Phalanx2 test is to perform a basic # check, or a more thorough check. If the option is set to '0', then a basic # check is performed. If it is set to '1', then all the directories in the # '/etc' and '/usr' directories are scanned. # # NOTE: Setting this option to '1' will cause the test to take longer # to complete. # # The default value is '0'. # #PHALANX2_DIRTEST=0 # # This option tells rkhunter where the inetd configuration file is located. # # The default value is the null string. # #INETD_CONF_PATH=/etc/inetd.conf # # This option allows the specified enabled inetd services. # # This is a space-separated list of service names. The option may be specified # more than once. # # For non-Solaris users the simple service name should be used. # For example: # # INETD_ALLOWED_SVC=echo # # For Solaris 9 users the simple service name should also be used, but # if it is an RPC service, then the executable pathname should be used. # For example: # # INETD_ALLOWED_SVC=imaps # INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd # # For Solaris 10 users the service/FMRI name should be used. For example: # # INETD_ALLOWED_SVC=/network/rpc/meta # INETD_ALLOWED_SVC=/network/rpc/metamed # INETD_ALLOWED_SVC=/application/font/stfsloader # INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord # # The default value is the null string. # #INETD_ALLOWED_SVC=echo # # This option tells rkhunter where the xinetd configuration file is located. # # The default value is the null string. # #XINETD_CONF_PATH=/etc/xinetd.conf # # This option allows the specified enabled xinetd services. Whilst it would be # nice to use the service names themselves, at the time of testing we only have # the pathname available. As such, these entries are the xinetd file pathnames. # # This is a space-separated list of service names. The option may be specified # more than once. # # The default value is the null string. # #XINETD_ALLOWED_SVC=/etc/xinetd.d/echo # # This option tells rkhunter the local system startup file pathnames. The # directories will be searched for files. By default rkhunter will try and # determine were the startup files are located. If the option is set to 'NONE', # then certain tests will be skipped. # # This is a space-separated list of file and directory pathnames. The option # may be specified more than once, and may use wildcard characters. # # This option has no default value. # #STARTUP_PATHS=/etc/init.d /etc/rc.local # # This option tells rkhunter the pathname to the file containing the user # account passwords. This setting will be worked out by rkhunter, and so # should not usually need to be set. Users of TCB shadow files should not # set this option. # # This option has no default value. # #PASSWORD_FILE=/etc/shadow # # This option allows the specified accounts to be root equivalent. These # accounts will have a UID value of zero. The 'root' account does not need # to be listed as it is automatically whitelisted. # # This is a space-separated list of account names. The option may be specified # more than once. # # NOTE: For *BSD systems you will probably need to use this option for the # 'toor' account. # # The default value is the null string. # #UID0_ACCOUNTS=toor rooty sashroot # # This option allows the specified accounts to have no password. NIS/YP entries # do not need to be listed as they are automatically whitelisted. # # This is a space-separated list of account names. The option may be specified # more than once. # # The default value is the null string. # #PWDLESS_ACCOUNTS=abc # # This option tells rkhunter the pathname to the syslog configuration file. # This setting will be worked out by rkhunter, and so should not usually need # to be set. A value of 'NONE' can be used to indicate that there is no # configuration file, but that the syslog daemon process may be running. # # This is a space-separated list of pathnames. The option may be specified # more than once. # # This option has no default value. # #SYSLOG_CONFIG_FILE=/etc/syslog.conf # # If this option is set to '1', then the use of syslog remote logging is # permitted. A value of '0' disallows the use of remote logging. # # The default value is '0'. # #ALLOW_SYSLOG_REMOTE_LOGGING=0 # # This option allows the specified applications, or a specific version of an # application, to be whitelisted. If a specific version is to be whitelisted, # then the name must be followed by a colon and then the version number. # For example: # # APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29 # # This is a space-separated list of pathnames. The option may be specified # more than once. # # The default value is the null string. # #APP_WHITELIST="" # # Set this option to scan for suspicious files in directories which pose a # relatively higher risk due to user write access. # # Please do not enable the 'suspscan' test by default as it is CPU and I/O # intensive, and prone to producing false positives. Do review all settings # before usage. Also be aware that running 'suspscan' in combination with # verbose logging on, rkhunter's default, will show all ignored files. # # Please consider adding all directories the user the (web)server runs as, # and has write access to, including the document root (e.g: '/var/www') and # log directories (e.g: '/var/log/httpd'). # # This is a space-separated list of directory pathnames. The option may be # specified more than once. # # The default value is the '/tmp' and '/var/tmp' directories. # #SUSPSCAN_DIRS=/tmp /var/tmp # # This option specifies the directory for temporary files used by the # 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is # better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS # as that is highly likely to cause false-positive results. # # The default value is '/dev/shm'. # #SUSPSCAN_TEMP=/dev/shm # # This option specifies the 'suspscan' test maximum filesize in bytes. Files # larger than this will not be inspected. Do make sure you have enough space # available in your temporary files directory. # # The default value is '1024000'. # #SUSPSCAN_MAXSIZE=10240000 # # This option specifies the 'suspscan' test score threshold. Below this value # no hits will be reported. # # The default value is '200'. # #SUSPSCAN_THRESH=200 # # The following options can be used to whitelist network ports which are known # to have been used by malware. # # The PORT_WHITELIST option is a space-separated list of one or more of two # types of whitelisting. These are: # # 1) a 'protocol:port' pair # 2) an asterisk ('*') # # Only the UDP or TCP protocol may be specified, and the port number must be # between 1 and 65535 inclusive. # # The asterisk can be used to indicate that any executable which rkhunter can # locate as a command, is whitelisted. (Also see BINDIR) # # The PORT_PATH_WHITELIST option specifies one of two types of whitelisting. # These are: # # 1) a pathname to an executable # 2) a combined pathname, protocol and port # # As above, the protocol can only be TCP or UDP, and the port number must be # between 1 and 65535 inclusive. # # Examples: # # PORT_WHITELIST=TCP:2001 UDP:32011 # PORT_PATH_WHITELIST=/usr/sbin/squid # PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801 # # NOTE: In order to whitelist a pathname, or use the asterisk option, the # 'lsof' command must be present. # # Both options may be specified more than once. # # The default value for both options is the null string. # #PORT_WHITELIST="" #PORT_PATH_WHITELIST="" # # The following option can be used to tell rkhunter where the operating system # 'release' file is located. This file contains information specifying the # current O/S version. RKH will store this information, and check to see if it # has changed between each run. If it has changed, then the user is warned that # RKH may issue warning messages until RKH has been run with the '--propupd' # option. # # Since the contents of the file vary according to the O/S distribution, RKH # will perform different actions when it detects the file itself. As such, this # option should not be set unless necessary. If this option is specified, then # RKH will assume the O/S release information is on the first non-blank line of # the file. # # This option has no default value. # # Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options. # #OS_VERSION_FILE=/etc/debian_version # # Set the following option to '0' if you do not want to receive a warning if any # O/S information has changed since the last run of 'rkhunter --propupd'. The # warnings occur during the file properties check. Setting a value of '1' will # cause rkhunter to issue a warning if something has changed. # # The default value is '1'. # #WARN_ON_OS_CHANGE=1 # # Set the following option to '1' if you want rkhunter to automatically run a # file properties update ('--propupd') if the O/S has changed. Detection of an # O/S change occurs during the file properties check. Setting a value of '0' # will cause rkhunter not to do an automatic update. # # WARNING: Only set this option if you are sure that the update will work # correctly. That is, that the database directory is writeable, that a valid # hash function is available, and so on. This can usually be checked simply by # running 'rkhunter --propupd' at least once. # # The default value is '0'. # #UPDT_ON_OS_CHANGE=0 # # The following two options can be used to whitelist files and directories that # would normally be flagged with a warning during the various rootkit and # malware checks. Only existing files and directories can be specified, and # these must be full pathnames not links. # # Additionally, the RTKT_FILE_WHITELIST option may include a string after the # file name (separated by a colon). This will then only whitelist that string # in that file (as part of the malware checks). For example: # # RTKT_FILE_WHITELIST=/etc/rc.local:hdparm # # If the option list includes the filename on its own as well, then the file # will be whitelisted from rootkit checks of the files existence, but still # only the specific string within the file will be whitelisted. For example: # # RTKT_FILE_WHITELIST=/etc/rc.local # RTKT_FILE_WHITELIST=/etc/rc.local:hdparm # # To whitelist a file from the existence checks, but not from the strings # checks, then include the filename on its own and on its own but with just # a colon appended. For example: # # RTKT_FILE_WHITELIST=/etc/rc.local # RTKT_FILE_WHITELIST=/etc/rc.local: # # NOTE: It is recommended that if you whitelist any files, then you include # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS # configuration option. # # Both of these options may be specified more than once. # # For both options the default value is the null string. # #RTKT_DIR_WHITELIST="" #RTKT_FILE_WHITELIST="" # # The following option can be used to whitelist shared library files that would # normally be flagged with a warning during the preloaded shared library check. # These library pathnames usually exist in the '/etc/ld.so.preload' file or in # the LD_PRELOAD environment variable. # # NOTE: It is recommended that if you whitelist any files, then you include # those files in the file properties check. See the USER_FILEPROP_FILES_DIRS # configuration option. # # This option is a space-separated list of library pathnames. The option may be # specified more than once. # # The default value is the null string. # #SHARED_LIB_WHITELIST=/lib/snoopy.so # # To force rkhunter to use the supplied script for the 'stat' or 'readlink' # command the following two options can be used. The value must be set to # 'BUILTIN'. # # NOTE: IRIX users will probably need to enable STAT_CMD. # # For both options the default value is the null string. # #STAT_CMD=BUILTIN #READLINK_CMD=BUILTIN # # In the file properties test any modification date/time is displayed as the # number of epoch seconds. Rkhunter will try and use the 'date' command, or # failing that the 'perl' command, to display the date and time in a # human-readable format as well. This option may be used if some other command # should be used instead. The given command must understand the '%s' and # 'seconds ago' options found in the GNU 'date' command. # # A value of 'NONE' may be used to request that only the epoch seconds be shown. # A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if # it is present. # # This option has no default value. # #EPOCH_DATE_CMD="" # # This setting tells rkhunter the directory containing the available Linux # kernel modules. This setting will be worked out by rkhunter, and so should # not usually need to be set. # # This option has no default value. # #MODULES_DIR="" # # The following option can be set to a command which rkhunter will use when # downloading files from the Internet - that is, when the '--update' or # '--versioncheck' option is used. The command can take options. # # This allows the user to use a command other than the one automatically # selected by rkhunter, but still one which it already knows about. # For example: # # WEB_CMD=curl # # Alternatively, the user may specify a completely new command. However, note # that rkhunter expects the downloaded file to be written to stdout, and that # everything written to stderr is ignored. For example: # # WEB_CMD="/opt/bin/dlfile --timeout 5m -q" # # *BSD users may want to use the 'ftp' command, provided that it supports the # HTTP protocol: # # WEB_CMD="ftp -o -" # # This option has no default value. # #WEB_CMD="" # # Set the following option to '1' if locking is to be used when rkhunter runs. # The lock is set just before logging starts, and is removed when the program # ends. It is used to prevent items such as the log file, and the file # properties file, from becoming corrupted if rkhunter is running more than # once. The mechanism used is to simply create a lock file in the TMPDIR # directory. If the lock file already exists, because rkhunter is already # running, then the current process simply loops around sleeping for 10 seconds # and then retrying the lock. A value of '0' means not to use locking. # # The default value is '0'. # # Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options. # #USE_LOCKING=0 # # If locking is used, then rkhunter may have to wait to get the lock file. # This option sets the total amount of time, in seconds, that rkhunter should # wait. It will retry the lock every 10 seconds, until either it obtains the # lock or the timeout value has been reached. # # The default value is 300 seconds (5 minutes). # #LOCK_TIMEOUT=300 # # If locking is used, then rkhunter may be doing nothing for some time if it # has to wait for the lock. If this option is set to '1', then some simple # messages are echoed to the users screen to let them know that rkhunter is # waiting for the lock. Set this option to '0' if the messages are not to be # displayed. # # The default value is '1'. # #SHOW_LOCK_MSGS=1 # # If this option is set to 'THOROUGH' then rkhunter will search (on a per # rootkit basis) for filenames in all of the directories (as defined by the # result of running 'find / -xdev'). While still not optimal, as it still # searches for only file names as opposed to file contents, this is one step # away from the rigidity of searching in known (evidence) or default # (installation) locations. # # THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. # # You should only activate this feature as part of a more thorough # investigation, which should be based on relevant best practices and # procedures. # # Enabling this feature implies you have the knowledge to interpret the # results properly. # # The default value is the null string. # #SCANROOTKITMODE=THOROUGH # # The following option can be set to the name(s) of the tests the 'unhide' # command is to use. Options such as '-m' and '-v' may be specified, but will # only take effect when they are seen. The test names are a space-separated # list, and will be executed in the order given. # # This option may be specified more than once. # # The default value is 'sys' in order to maintain compatibility with older # versions of 'unhide'. # #UNHIDE_TESTS=sys # # The following option can be used to set options for the 'unhide-tcp' command. # The options are space-separated. # # This option may be specified more than once. # # The default value is the null string. # #UNHIDETCP_OPTS="" # # If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, # then it is possible to disable the execution of one of the programs if # desired. By default rkhunter will look for both programs, and execute each # of them as they are found. If the value of this option is '0', then both # programs will be executed if they are present. A value of '1' will disable # execution of the C 'unhide' program, and a value of '2' will disable the Ruby # 'unhide.rb' program. To disable both programs, then disable the # 'hidden_procs' test. # # The default value is '0'. # DISABLE_UNHIDE=1 INSTALLDIR=/usr # # This option can be set to either '0' or '1'. If set to '1' then the summary, # shown after rkhunter has run, will display the actual number of warnings # found. If it is set to '0', then the summary will simply indicate that # 'One or more' warnings were found. If no warnings were found, and this option # is set to '1', then a "0" will be shown. If the option is set to '0', then # the words 'No warnings' will be shown. # # The default value is '0'. # #SHOW_SUMMARY_WARNINGS_NUMBER=0 # # This option is used to determine where, if anywhere, the summary scan time is # displayed. A value of '0' indicates that it should not be displayed anywhere. # A value of '1' indicates that the time should only appear on the screen, and a # value of '2' that it should only appear in the log file. A value of '3' # indicates that the time taken should appear both on the screen and in the log # file. # # The default value is '3'. # #SHOW_SUMMARY_TIME=3 # # The two options below may be used to check if a file is missing or empty # (that is, it has a size of zero). The EMPTY_LOGFILES option will also check # if the file is missing, since that can be interpreted as a file of no size. # However, the file will only be reported as missing if the MISSING_LOGFILES # option hasn't already done this. # # Both options are space-separated lists of pathnames, and may be specified # more than once. # # NOTE: Log files are usually 'rotated' by some mechanism. At that time it is # perfectly possible for the file to be either missing or empty. As such these # options may produce false-positive warnings when log files are rotated. # # For both options the default value is the null string. # #EMPTY_LOGFILES="" #MISSING_LOGFILES=""
The default configuration file.
# Defaults for rkhunter automatic tasks # sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter # # This is a POSIX shell fragment # # Set this to yes to enable rkhunter daily runs # (default: true) CRON_DAILY_RUN="yes" # Set this to yes to enable rkhunter weekly database updates # (default: true) CRON_DB_UPDATE="yes" # Set this to yes to enable reports of weekly database updates # (default: false) #DB_UPDATE_EMAIL="false" DB_UPDATE_EMAIL="yes" # Set this to the email address where reports and run output should be sent # (default: root) #REPORT_EMAIL="root" REPORT_EMAIL="admin@sharewiz.net" # Set this to yes to enable automatic database updates # (default: false) APT_AUTOGEN="false" # Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable) # (default: 0) NICE="0" # Should daily check be run when running on battery # powermgmt-base is required to detect if running on battery or on AC power # (default: false) RUN_CHECK_ON_BATTERY="false"
The original default configuration file.
# Defaults for rkhunter automatic tasks # sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter # # This is a POSIX shell fragment # # Set this to yes to enable rkhunter daily runs # (default: false) CRON_DAILY_RUN="yes" # Set this to yes to enable rkhunter weekly database updates # (default: false) CRON_DB_UPDATE="yes" # Set this to yes to enable reports of weekly database updates # (default: false) DB_UPDATE_EMAIL="false" # Set this to the email address where reports and run output should be sent # (default: root) REPORT_EMAIL="root" # Set this to yes to enable automatic database updates # (default: false) APT_AUTOGEN="false" # Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable) # (default: 0) NICE="0" # Should daily check be run when running on battery # powermgmt-base is required to detect if running on battery or on AC power # (default: false) RUN_CHECK_ON_BATTERY="false"