diff -up rkhunter-1.3.4/files/rkhunter.conf.smeconfig rkhunter-1.3.4/files/rkhunter.conf
diff -up rkhunter-1.3.4/files/rkhunter.conf.smeconfig rkhunter-1.3.4/files/rkhunter.conf
--- rkhunter-1.3.4/files/rkhunter.conf.smeconfig 2009-04-02 10:59:37.000000000 -0600
+++ rkhunter-1.3.4/files/rkhunter.conf 2009-04-02 11:41:08.000000000 -0600
@@ -84,17 +84,17 @@
 # important files will be written to this directory, so be
 # sure that the directory permissions are tight.
 #
-#TMPDIR=/var/lib/rkhunter/tmp
+TMPDIR=/var/lib/rkhunter/
 #
 # Specify the database directory to use.
 #
-#DBDIR=/var/lib/rkhunter/db
+DBDIR=/var/lib/rkhunter/db
 #
 # Specify the script directory to use.
 #
-#SCRIPTDIR=/usr/local/lib/rkhunter/scripts
+SCRIPTDIR=/usr/share/rkhunter/scripts
 #
 # Specify the root directory to use.
@@ -123,13 +123,13 @@
 #
 # NOTE: This option should be present in the configuration file.
 #
-LOGFILE=/var/log/rkhunter.log
+LOGFILE=/var/log/rkhunter/rkhunter.log
 #
 # Set the following option to 1 if the log file is to be appended to
 # whenever rkhunter is run.
 #
-APPEND_LOG=0
+APPEND_LOG=1
 #
 # Set the following option to enable the rkhunter check start and finish
@@ -165,7 +165,7 @@
 # file, then a value here of 'yes' or 'unset' will not cause a warning.
 # This option has a default value of 'no'.
 #
-ALLOW_SSH_ROOT_USER=no
+ALLOW_SSH_ROOT_USER=yes
 #
 # Set this option to '1' to allow the use of the SSH-1 protocol, but note
@@ -205,7 +205,7 @@
 # tests, the test names, and how rkhunter behaves when these options are used.
 #
 ENABLE_TESTS="all"
-DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
+DISABLE_TESTS="apps suspscan system_commands"
 #
 # The HASH_FUNC option can be used to specify the command to use
@@ -260,7 +260,7 @@
 # For any file not part of a package, rkhunter will revert to using
 # the HASH_FUNC hash function instead.
 #
-#PKGMGR=NONE
+PKGMGR=RPM
 #
 # Whitelist the hash (content) for the specified files. Only useful
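Review bot: `TMPDIR=/var/lib/rkhunter/` in the first hunk drops the `tmp` component of the original path and points the temporary-file directory at the parent of `DBDIR=/var/lib/rkhunter/db` set a few lines below, so scratch files and the property database now share one tree. The context comment kept above the line says important files are written here and the directory permissions must be tight; a dedicated subdirectory is easier to keep restrictive than the package's top-level state directory. Unless the trailing-slash form was deliberate this reads as a typo for `TMPDIR=/var/lib/rkhunter/tmp`; if it is deliberate, a comment saying so would stop the next maintainer from "fixing" it.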
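Review bot: `LOGFILE=/var/log/rkhunter/rkhunter.log` combined with `APPEND_LOG=1` moves the log into a subdirectory that nothing in this diff creates and makes the file grow across runs. Whatever ships this configuration needs to create `/var/log/rkhunter` with restrictive permissions and rotate the file, otherwise the first run will most likely be unable to open its log and, once it can, the log grows without bound. A comment on the line would make that external dependency visible, e.g. `# /var/log/rkhunter must exist with tight permissions and be rotated; provided by <packaging component>`.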
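Review bot: `ALLOW_SSH_ROOT_USER=yes` turns off rkhunter's warning about the `PermitRootLogin` setting (the context line above it says a matching value causes no warning), so a later change that enables root SSH login is no longer reported by this scan. If root login is intentionally permitted on these systems, that is a policy decision worth recording next to the line rather than leaving a silent exemption, e.g. `# root SSH login is permitted by <platform policy>; set to 'no' to re-enable the check`. The value should also be checked against the `PermitRootLogin` actually shipped in sshd_config; if sshd already denies root, leaving this at 'no' keeps the check active at no cost.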
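Review bot: the new `DISABLE_TESTS="apps suspscan system_commands"` switches off `system_commands`, which, per the test groups documented in rkhunter(8), bundles the `properties`, `scripts` and `strings` checks, i.e. the file-hash and property comparison that is rkhunter's main detection mechanism; the previous value left that group enabled. If the motivation was false positives from RPM-updated binaries, `PKGMGR=RPM` in the hunk below already makes the properties test consult the package database, and individual files can be excluded with the whitelist options instead of dropping the whole group. At minimum the line needs a comment recording why the group is disabled, e.g. `# system_commands disabled because: <reason>`.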
@@ -298,6 +298,12 @@
 #SCRIPTWHITELIST=/sbin/ifup
 #SCRIPTWHITELIST=/sbin/ifdown
 #SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/whatis
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/GET
+SCRIPTWHITELIST=/sbin/ifup
+SCRIPTWHITELIST=/sbin/ifdown
 #
 # Allow the specified commands to have the immutable attribute set.
@@ -310,7 +316,7 @@
 # One directory per line (use multiple ALLOWHIDDENDIR lines).
 #
 #ALLOWHIDDENDIR=/etc/.java
-#ALLOWHIDDENDIR=/dev/.udev
+ALLOWHIDDENDIR=/dev/.udev
 #ALLOWHIDDENDIR=/dev/.udevdb
 #ALLOWHIDDENDIR=/dev/.udev.tdb
 #ALLOWHIDDENDIR=/dev/.static
@@ -322,7 +328,7 @@
 # One file per line (use multiple ALLOWHIDDENFILE lines).
 #
 #ALLOWHIDDENFILE=/etc/.java
-#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
+ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
 #ALLOWHIDDENFILE=/etc/.pwd.lock
 #ALLOWHIDDENFILE=/etc/.init.state
@@ -340,14 +346,22 @@
 #ALLOWPROCDELFILE=/usr/sbin/gpm
 #ALLOWPROCDELFILE=/usr/libexec/gconfd-2
 #ALLOWPROCDELFILE=/usr/sbin/mysqld
+ALLOWPROCDELFILE=(deleted)
+ALLOWPROCDELFILE=/usr/bin/freshclam
+ALLOWPROCDELFILE=/usr/bin/perl
+ALLOWPROCDELFILE=/usr/bin/python
+ALLOWPROCDELFILE=/usr/libexec/dovecot/imap
+ALLOWPROCDELFILE=/usr/sbin/asterisk
+ALLOWPROCDELFILE=/usr/sbin/httpd
 #
 # Allow the specified processes to listen on any network interface.
 # One process per line (use multiple ALLOWPROCLISTEN lines).
 #
-#ALLOWPROCLISTEN=/sbin/dhclient
+ALLOWPROCLISTEN=/sbin/dhclient
+ALLOWPROCLISTEN=/usr/bin/dhcpd
 #ALLOWPROCLISTEN=/usr/bin/dhcpcd
-#ALLOWPROCLISTEN=/usr/sbin/pppoe
+ALLOWPROCLISTEN=/usr/sbin/pppoe
 #ALLOWPROCLISTEN=/usr/sbin/tcpdump
 #ALLOWPROCLISTEN=/usr/sbin/snort-plain
 #ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant
@@ -367,7 +381,7 @@
 # ALLOWDEVFILE lines).
 #
 #ALLOWDEVFILE=/dev/abc
-#ALLOWDEVFILE=/dev/shm/pulse-shm-*
+ALLOWDEVFILE=/dev/shm/pulse-shm-*
 #
 # This setting tells rkhunter where the inetd configuration
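Review bot: the six new `SCRIPTWHITELIST` lines exempt those paths from the check that reports a system binary replaced by a script, and three of them (`/usr/bin/groups`, `/sbin/ifup`, `/sbin/ifdown`) duplicate the commented examples kept as context directly above, so the template lines could be dropped to leave one entry per path. Each whitelisted path should be confirmed to be a script owned by an installed package when the list is written (for example with `rpm -qf` and `rpm -V`), because once listed, a later replacement of that file by a different script is no longer reported; `/usr/bin/GET` in particular appears to be a perl script from the libwww-perl package and only exists when that package is installed. A short comment naming the owning package beside each entry would make that review repeatable.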
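Review bot: `ALLOWPROCDELFILE=(deleted)` in the `@@ -340,14` hunk is not a process pathname like the other entries; depending on how rkhunter compares this option against the process list it either matches nothing (dead configuration) or, if the comparison is a substring match, matches every process holding a deleted file and silences the `deleted_files` test that the new `DISABLE_TESTS` value re-enables. It should be removed so that only the explicitly named services are exempted. The interpreter entries `/usr/bin/perl` and `/usr/bin/python` are also broad, since they exempt every perl or python process on the host rather than the daemons that motivated them; a comment should record which service each one is for, and where the installed version's whitelist syntax allows it the entry should name that service's own path instead. Separately, `ALLOWPROCLISTEN=/usr/bin/dhcpd` is worth checking against the installed package, as the ISC dhcpd daemon is normally installed under `/usr/sbin` on RPM-based systems.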
@@ -460,7 +474,7 @@
 # file. This setting will be worked out by rkhunter, and so should not
 # usually need to be set.
 #
-#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+SYSLOG_CONFIG_FILE=/etc/syslog.conf
 #
 # This option permits the use of syslog remote logging.
@@ -549,7 +563,7 @@
 # specified, then RKH will assume the O/S release information is on the
 # first non-blank line of the file.
 #
-#OS_VERSION_FILE="/etc/release"
+OS_VERSION_FILE="/etc/redhat-release"
 #
 # The following two options can be used to whitelist files and directories
@@ -578,3 +592,4 @@
 #
 #MODULES_DIR=""
+INSTALLDIR="/usr"
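Review bot: `INSTALLDIR="/usr"` in the last hunk is appended as a bare line after `#MODULES_DIR=""` with none of the comment header every other option in this file carries, and nothing in the diff shows rkhunter 1.3.4 reading an `INSTALLDIR` option from rkhunter.conf; as far as I recall the 1.3 series has the installer write the prefix into the rkhunter script itself. Confirm that this version honours the option, otherwise the line is inert and misleading to anyone who later changes it expecting an effect. If it is honoured, give it the file's usual header, e.g. `# Installation prefix of this rkhunter build; confirm the 1.3.4 script reads this option.`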