Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-02-2008, 10:24 AM   #1
permalac
Member
 
Registered: Jul 2007
Location: Barcelona
Posts: 115

unable to remove rkhunter false positives.


Hello,

I've installed rkhunter on a box as a cron job; since then I receive false positives in my mail.

The thing is that rkhunter finds hidden files & folders on my box. I've configured it as follows:

Code:
#
# This is the configuration file for Rootkit Hunter.
#
# Please modify it to your own requirements.
# Please review the documentation before posting bug reports or questions.
# To report bugs, obtain updates, or provide patches or comments, please go to:
# http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the rkhunter-users mailing list.
# Note this is a moderated list: please subscribe before posting.
#
# Lines beginning with a hash (#), and blank lines, will be ignored.
#
# Most of the following options need only be specified once. If
# they appear more than once, then the last one seen will be used.
# Some options are allowed to appear more than once, and the text
# describing the option will say if this is so.
#


#
# If this option is set to 1, it specifies that the mirrors file, which
# is used when the '--update' and '--versioncheck' options are used, is
# to be rotated. Rotating the entries in the file allows a basic form
# of load-balancing between the mirror sites whenever the above options
# are used.
# If the option is set to 0, then the mirrors will be treated as if in
# a priority list. That is, the first mirror will always be used. The
# second mirror will only be used if the first mirror fails, then the
# third mirror will be used if the second fails and so on.
#
ROTATE_MIRRORS=1

#
# If this option is set to 1, it specifies that when the '--update'
# option is used, then the mirrors file is to be checked for updates
# as well. If the current mirrors file contains any local mirrors,
# these will be prepended to the updated file.
# If this option is set to 0, the mirrors file can only be updated
# manually. This may be useful if only using local mirrors.
#
UPDATE_MIRRORS=1

#
# The MIRRORS_MODE option tells rkhunter which mirrors are to be
# used when the '--update' or '--versioncheck' command-line options
# are given. Possible values are:
#     0 - use any mirror (the default)
#     1 - only use local mirrors
#     2 - only use remote mirrors
#
# Local and remote mirrors can be defined in the mirrors.dat file
# by using the 'local=' and 'remote=' keywords respectively.
#
MIRRORS_MODE=0

#
# Email a message to this address when a warning is found.
# Multiple addresses may be specified simply be separating them
# with a space.
#
MAIL-ON-WARNING=isis@mycompany.org   root@mydomain

#
# Specify the mail command to use if MAIL-ON-WARNING is set.
# NOTE: Double quotes are not required around the command, but
# are required around the subject line if it contains spaces.
#
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

#
# Specify the temporary directory to use.
#
# NOTE: Do not use /tmp as your temporary directory. Some
# important files will be written to this directory, so be
# sure that the directory permissions are tight.
#
TMPDIR=/var/lib/rkhunter/tmp

#
# Specify the database directory to use.
#
DBDIR=/var/lib/rkhunter/db

#
# Specify the script directory to use.
#
SCRIPTDIR=/usr/share/rkhunter/scripts

#
# Specify the root directory to use.
#
#ROOTDIR=""

#
# Specify the command directories to be checked. This is a
# space-separated list of directories.
#
BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"

#
# Specify the language to use. This should be similar
# to the ISO 639 language code.
#
#LANGUAGE=en

#
# Specify the log file pathname.
#
LOGFILE=/var/log/rkhunter.log

#
# Set the following option to 1 if the log file is to be appended to
# whenever rkhunter is run.
#
APPEND_LOG=0

#
# Set the following option to enable the rkhunter check start and finish
# times to be logged by syslog. Warning messages will also be logged.
# The value of the option must be a standard syslog facility and
# priority, separated by a dot.
#
# For example: USE_SYSLOG=authpriv.warning
#
# Setting the value to 'none', or just leaving the option commented out,
# disables the use of syslog.
#
#USE_SYSLOG=authpriv.notice

#
# Set the following option to 1 if the second colour set is to be used.
# This can be useful if your screen uses black characters on a white
# background (for example, a PC instead of a server).
#
COLOR_SET2=0

#
# Set the following option to 0 if rkhunter should not detect if X is
# being used. If X is detected as being used, then the second colour
# set will automatically be used.
#
AUTO_X_DETECT=1

#
# The following option is checked against the SSH configuration file
# 'PermitRootLogin' option. A warning will be displayed if they do not
# match. This option has a default value of "no".
#
ALLOW_SSH_ROOT_USER=no

#
# Allow the use of the SSH-1 protocol which is theoretically weaker than SSH-2.
# Do not modify this option unless you have good reasons to use the SSH v1
# protocol (for instance for AFS token passing or Kerberos4 authentication).
#
ALLOW_SSH_PROT_V1=0

#
# This setting tells rkhunter the directory containing the SSH configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
#SSH_CONFIG_DIR=/etc/ssh

#
# These two options determine which tests are to be performed.
# The ENABLE_TESTS option can use the word 'all' to refer to all the
# available tests. The DISABLE_TESTS option can use the word 'none' to
# mean that no tests are disabled. The list of disabled tests is applied to
# the list of enabled tests. Both options are space-separated lists of test
# names. The currently available test names can be seen by using the command
# 'rkhunter --list tests'.
#
# The program defaults are to enable all tests and disable none. However, if
# either option is specified in this file, then it overrides the program
# default. The supplied rkhunter.conf file has some tests already disabled,
# and these are tests that will be used only incidentally, can be considered
# "advanced" or those that are prone to produce more than the "average" number
# of "false positives".
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
# hidden_procs test requires unhide command which is not yet available
# in Debian. This test should thus remain disabled.
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"

#
# SCAN_MODE_DEV governs how we scan /dev for suspicious files.
# The two allowed options are: THOROUGH or LAZY.
# If commented out we do a THOROUGH scan which will increase the runtime.
# Even though this adds to the running time it is highly recommended to
# leave it like this.
#
#SCAN_MODE_DEV=THOROUGH

#
# The HASH_FUNC option can be used to specify the command to use
# for the file hash value check. It can be specified as just
# the command name or the full pathname. Systems using prelinking
# are restricted to using either SHA1 or MD5 functions. To get rkhunter
# to look for the sha1(sum)/md5(sum) command, or to use the supplied
# perl scripts, simply specify this option as 'SHA1' or 'MD5' in
# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found.
#
# A value of 'NONE' (in uppercase) can be specified to indicate that
# no hash function should be used. Rootkit Hunter will detect this and
# automatically disable the file hash checks.
#
# Examples:
#   For Solaris 9 : HASH_FUNC=gmd5sum
#   For Solaris 10: HASH_FUNC=sha1sum
#   For AIX (>5.2): HASH_FUNC="csum -hMD5"
#   For NetBSD    : HASH_FUNC="cksum -n -a sha512"
#
# NOTE: If the hash function is changed then you MUST run rkhunter with
#       the '--propupd' option to rebuild the file properties database.
#
#HASH_FUNC=sha1sum

#
# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
# command output contains the hash value. The fields are assumed to
# be space-separated. The default value is one, but for *BSD users
# rkhunter will automatically use a value of 4. The option value must
# be a positive integer.
#
#HASH_FLD_IDX=4

#
# The PKGMGR option tells rkhunter to use the specified package manager
# to obtain the file property information. This is used when updating
# the file properties file 'rkhunter.dat', and when running the file
# properties check. For RedHat/RPM-based systems, 'RPM' can be used
# to get information from the RPM database. For Debian-based systems
# 'DPKG' can be used, and for *BSD systems 'BSD' can be used.
# No value, or a value of 'NONE', indicates that no package manager
# is to be used. The default is 'NONE'.
#
# The current package managers store the file hash values using an
# MD5 hash function.
#
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
# The 'RPM' package manager additionally provides values for the inode,
# file permissions, uid, gid and other values.
#
# For any file not part of a package, rkhunter will revert to using
# the HASH_FUNC hash function instead.
#
PKGMGR="NONE"
# This is the default configuration also for Debian, as a lot of
# packages still do not provide md5sums files

#
# Whitelist various attributes of the specified files.
# The attributes are those of the 'attributes' test.
# Specifying a file name here does not include it being
# whitelisted for the write permission test below.
# One command per line (use multiple ATTRWHITELIST lines).
#
#ATTRWHITELIST=/bin/ps

#
# Allow the specified commands to have the 'others'
# (world) permission have the write-bit set.
#
# For example, files with permissions r-xr-xrwx
# or rwxrwxrwx.
#
# One command per line (use multiple WRITEWHITELIST lines).
#
#WRITEWHITELIST=/bin/ps

#
# Allow the specified commands to be scripts.
# One command per line (use multiple SCRIPTWHITELIST lines).
#
#SCRIPTWHITELIST=/sbin/ifup
#SCRIPTWHITELIST=/sbin/ifdown
SCRIPTWHITELIST=/bin/egrep
SCRIPTWHITELIST=/bin/fgrep
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/sbin/prelink

#
# Allow the specified commands to have the immutable attribute set.
# One command per line (use multiple IMMUTWHITELIST lines).
#
#IMMUTWHITELIST=/sbin/ifup

#
# Allow the specified hidden directories.
# One directory per line (use multiple ALLOWHIDDENDIR lines).
#
#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.udevdb
#ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
#ALLOWHIDDENDIR=/dev/.SRC-unix

#
# Allow the specified hidden files.
# One file per line (use multiple ALLOWHIDDENFILE lines).
# 
ALLOWHIDDENFILE=/etc/.java
#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/etc/.pwd.lock
#ALLOWHIDDENFILE=/etc/.init.state
ALLOWHIDDENFILE=/dev/.initramfs-tools
#
# Allow the specified processes to use deleted files.
# One process per line (use multiple ALLOWPROCDELFILE lines).
#
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/sbin/gpm
#ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
#ALLOWPROCDELFILE=/usr/sbin/mysqld

#
# Allow the specified processes to listen on any network interface.
# One process per line (use multiple ALLOWPROCLISTEN lines).
#
#ALLOWPROCLISTEN=/sbin/dhclient
#ALLOWPROCLISTEN=/sbin/dhclient3
#ALLOWPROCLISTEN=/sbin/dhcpcd
#ALLOWPROCLISTEN=/usr/sbin/pppoe
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
#ALLOWPROCLISTEN=/sbin/wpa_supplicant

#
# Allow the specified files to be present in the /dev directory.
# One file per line (use multiple ALLOWDEVFILE lines).
#
#ALLOWDEVFILE=/dev/abc

#
# This setting tells rkhunter where the inetd configuration
# file is located.
#
#INETD_CONF_PATH=/etc/inetd.conf

#
# Allow the following enabled xinetd services.
# Only one service per line (use multiple INETD_ALLOWED_SVC lines).
#
# Below are some Solaris 9 and 10 services that may want to be whitelisted.
#
#INETD_ALLOWED_SVC=echo
#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd
#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto
#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd
#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd
#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd
#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd
#INETD_ALLOWED_SVC=/usr/lib/gss/gssd
#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader
#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd
#INETD_ALLOWED_SVC=/network/rpc/mdcomm
#INETD_ALLOWED_SVC=/network/rpc/meta
#INETD_ALLOWED_SVC=/network/rpc/metamed
#INETD_ALLOWED_SVC=/network/rpc/metamh
#INETD_ALLOWED_SVC=/network/security/ktkt_warn
#INETD_ALLOWED_SVC=/application/x11/xfs
#INETD_ALLOWED_SVC=/application/print/rfc1179
#INETD_ALLOWED_SVC=/application/font/stfsloader
#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp
#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp

#
# This setting tells rkhunter where the xinetd configuration
# file is located.
#
#XINETD_CONF_PATH=/etc/xinetd.conf

#
# Allow the following enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing
# we only have the pathname available. As such, these entries are
# the xinetd file pathnames.
# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo

#
# This setting tells rkhunter the local system startup file pathnames.
# More than one file may be present on the system, and so this option
# can be a space-separated list. This setting will be worked out by
# rkhunter, and so should not usually need to be set.
#
#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit"

#
# This setting tells rkhunter the local system startup file directory.
# This setting will be worked out by rkhunter, and so should not usually
# need to be set.
#
#SYSTEM_RC_DIR=/etc/rc.d

#
# This setting tells rkhunter the pathname to the file containing the
# user account passwords. This setting will be worked out by rkhunter,
# and so should not usually need to be set.
#
#PASSWORD_FILE=/etc/shadow

#
# Allow the following accounts to be root equivalent. These accounts
# will have a UID value of zero. This option is a space-separated list
# of account names. The 'root' account does not need to be listed as it
# is automatically whitelisted.
#
# Note: For *BSD systems you may need to enable this for the 'toor' account.
#
#UID0_ACCOUNTS="toor rooty"

#
# Allow the following accounts to have no password. This option is a
# space-separated list of account names. NIS/YP entries do not need to
# be listed as they are automatically whitelisted.
#
#PWDLESS_ACCOUNTS="abc"

#
# This setting tells rkhunter the pathname to the syslog configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf

#
# This option permits the use of syslog remote logging.
#
ALLOW_SYSLOG_REMOTE_LOGGING=0

#
# Allow the following application version numbers. This option is a
# space-separated list consisting of the application name, followed
# by a colon and then the version number.
#
# For example: APP_WHITELIST="openssl:0.9.7d gpg:1.2.0"
#
#APP_WHITELIST=""

# 
# Scan for suspicious files in directories containing temporary files.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
# Also be aware that running suspscan in combination with verbose logging on,
# RKH's default, will show all ignored files.
#
# List of directories containing temporary files. This is a space-separated
# list.
#
SUSPSCAN_DIRS="/tmp /var/tmp"

#
# Directory for temporary files. A memory-based one is better (faster).
# Do not use a directory name that is listed in SUSPSCAN_DIRS.
# Please make sure you have a tempfs mounted and the directory exists.
#
SUSPSCAN_TEMP=/dev/shm

#
# Maximum filesize in bytes. Files larger than this will not be inspected.
# Do make sure you have enough space left in your temporary files directory.
#
SUSPSCAN_MAXSIZE=10240000

#
# Score threshold. Below this value no hits will be reported.
# A value of "200" seems "good" after testing on malware. Please adjust
# locally if necessary. 
#
SUSPSCAN_THRESH=200

#
# The following option can be used to whitelist network ports which
# are known to have been used by malware. The option is a space-
# separated list of one or more of three types of whitelisting.
# These are:
#
#   1) a 'protocol:port' pair       (e.g. TCP:25)
#   2) a pathname to an executable  (e.g. /usr/sbin/squid)
#   3) an asterisk ('*')
#
# Only the UDP or TCP protocol may be specified, and the port number
# must be between 1 and 65535 inclusive.
#
# The asterisk can be used to indicate that any executable in a trusted
# path directory will be whitelisted. A trusted path directory is one which
# rkhunter uses to locate commands. It is composed of the root PATH
# environment variable, and the BINDIR command-line or configuration
# file option.
#
# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
#
#PORT_WHITELIST=""

#
# The following option can be used to tell rkhunter where the operating
# system 'release' file is located. This file contains information
# specifying the current O/S version. RKH will store this information
# itself, and check to see if it has changed between each run. If it has
# changed, then the user is warned that RKH may issue warning messages
# until RKH has been run with the '--propupd' option.
#
# Since the contents of the file vary according to the O/S distribution,
# RKH will perform different actions when it detects the file itself. As
# such, this option should not be set unless necessary. If this option is
# specified, then RKH will assume the O/S release information is on the
# first non-blank line of the file.
#
#OS_VERSION_FILE="/etc/release"

#
# The following two options can be used to whitelist files and directories
# that would normally be flagged with a warning during the rootkit checks.
# If the file or directory name contains a space, then the percent character
# ('%') must be used instead. Only existing files and directories can be
# specified.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""

INSTALLDIR="/usr"
The only thing that appears wrong in my log is this:

Code:
  Performing system configuration file checks
    Checking for SSH configuration file                      [ Found ]
    Checking if SSH root access is allowed                   [ Not allowed ]
    Checking if SSH protocol v1 is allowed                   [ Not allowed ]
    Checking for running syslog daemon                       [ Found ]
    Checking for syslog configuration file                   [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ None found ]
    Checking for hidden files and directories                [ Warning ]

Checking application versions...

    Checking version of Exim MTA                             [ OK ]
    Checking version of GnuPG                                [ OK ]
    Checking version of OpenSSL                              [ OK ]
    Checking version of PHP                                  [ OK ]
    Checking version of OpenSSH                              [ OK ]


System checks summary
=====================

File properties checks...
    Files checked: 129
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 110
    Possible rootkits: 0

Applications checks...
    Applications checked: 5
    Suspect applications: 0

The system checks took: 51 seconds
The directories which I think rkhunter checks are these ones:

Code:
root@varovani:/home/mriera# ls /etc/.
./         ../        .java/     .pwd.lock  
root@varovani:/home/mriera# ls /dev/.
./                ../               .initramfs/       .initramfs-tools  .static/          .udev/

Can anybody see what I'm doing wrong?

Many thanks, I know it's a lot of stuff.

Thanks.
 
Old 11-02-2008, 10:35 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by permalac View Post
Can anybody see what I'm doing wrong?
Apart from not reading the documentation, the FAQ, (searching this LQ forum and) the rkhunter-users mailing list archives and not using the latter for posting questions (since it's the primary source as mentioned in the docs and output), nothing I guess :-]


Quote:
Originally Posted by permalac View Post
the directories which I think
Please don't think. (Enable logging and) check the log: it should tell you *exactly* what it finds. Then check out the #ALLOWHIDDEN* examples in rkhunter.conf.
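As an added example (not code from this thread or from the rkhunter project), a small POSIX sh script that does what the reply above describes: pull the hidden file/directory warnings out of the rkhunter log, turn each into the ALLOWHIDDENDIR or ALLOWHIDDENFILE line rkhunter.conf expects, and report which ones an existing config lacks. It assumes the log line formats "Warning: Hidden directory found: <path>" and "Warning: Hidden file found: <path>: <type>" and uses constructed sample log and config text; the constructed config mirrors the first post's mismatch, where /etc/.java shows up as a directory in the ls output but is whitelisted under ALLOWHIDDENFILE, which does not silence a hidden-directory warning.

```sh
#!/bin/sh
# Added example, not code from the thread or from rkhunter itself.
# Turns rkhunter's "hidden file/directory" warnings into the whitelist lines
# rkhunter.conf expects and reports the ones a given config lacks.
# Assumed log line format (what rkhunter 1.3.x writes to LOGFILE):
#   [HH:MM:SS] Warning: Hidden directory found: /path
#   [HH:MM:SS] Warning: Hidden file found: /path: <file type>

# Constructed sample log excerpt (not a real log).
SAMPLE_LOG='[10:24:01] Info: Starting test name filesystem
[10:24:02] Warning: Hidden directory found: /dev/.udev
[10:24:02] Warning: Hidden directory found: /etc/.java
[10:24:02] Warning: Hidden file found: /etc/.pwd.lock: empty
[10:24:02] Warning: Hidden file found: /dev/.initramfs-tools: empty'

# Constructed config excerpt: /etc/.java is a directory but is whitelisted
# as a hidden *file*, so rkhunter keeps warning about it.
SAMPLE_CONF='ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENFILE=/etc/.java
ALLOWHIDDENFILE=/etc/.pwd.lock
ALLOWHIDDENFILE=/dev/.initramfs-tools'

# $1: log text. Prints one ALLOWHIDDENDIR=/ALLOWHIDDENFILE= line per warning.
warnings_to_whitelist() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^.*Warning: Hidden directory found: \([^:]*\).*$/ALLOWHIDDENDIR=\1/p' \
        -e 's/^.*Warning: Hidden file found: \([^:]*\).*$/ALLOWHIDDENFILE=\1/p'
}

# $1: log text, $2: rkhunter.conf text. Prints the whitelist lines the log
# calls for that are not already present, exactly, in the config.
missing_entries() {
    warnings_to_whitelist "$1" | sort -u | while IFS= read -r line; do
        printf '%s\n' "$2" | grep -qxF "$line" || printf '%s\n' "$line"
    done
}

# $1: a path on this host. Prints the option that whitelists it: directories
# must go under ALLOWHIDDENDIR, anything else under ALLOWHIDDENFILE.
whitelist_option_for() {
    if [ -d "$1" ]; then
        printf 'ALLOWHIDDENDIR=%s\n' "$1"
    else
        printf 'ALLOWHIDDENFILE=%s\n' "$1"
    fi
}

# Stand-alone run on the constructed samples; on a real host use e.g.
#   missing_entries "$(cat /var/log/rkhunter.log)" "$(cat /etc/rkhunter.conf)"
missing_entries "$SAMPLE_LOG" "$SAMPLE_CONF"
```

Review the reported lines before adding them: a hidden path you do not recognise is exactly what the check exists to surface, so it should be investigated rather than whitelisted.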
 
Old 11-07-2008, 01:23 PM   #3
permalac
Member
 
Registered: Jul 2007
Location: Barcelona
Posts: 115

Original Poster
Quote:
Originally Posted by unSpawn View Post
Apart from not reading the documentation, the FAQ, (searching this LQ forum and) the rkhunter-users mailing list archives and not using the latter for posting questions (since it's the primary source as mentioned in the docs and output), nothing I guess :-]



Please don't think. (Enable logging and) check the log: it should tell you *exactly* what it finds. Then check out the #ALLOWHIDDEN* examples in rkhunter.conf.


The way you say some things is not the way I like to read them, but I must thank you; it works.


I was enabling debug, but not checking the output in the log file, only on the screen.

/dev/.java was the one remaining.