diff -Nur rkhunter-1.3.8.orig/files/rkhunter.conf rkhunter-1.3.8/files/rkhunter.conf
--- rkhunter-1.3.8.orig/files/rkhunter.conf 2010-11-13 13:25:22.000000000 -0700
+++ rkhunter-1.3.8/files/rkhunter.conf 2010-12-07 18:49:08.194871526 -0700
@@ -76,7 +76,7 @@
 # NOTE: This option should be present in the configuration file.
 #
 #MAIL-ON-WARNING=me@mydomain root@mydomain
-MAIL-ON-WARNING=""
+MAIL-ON-WARNING="root"
 
 #
 # Specify the mail command to use if MAIL-ON-WARNING is set.
@@ -94,16 +94,19 @@
 # sure that the directory permissions are tight.
 #
 #TMPDIR=/var/lib/rkhunter/tmp
+TMPDIR=/var/lib/rkhunter
 
 #
 # Specify the database directory to use.
 #
 #DBDIR=/var/lib/rkhunter/db
+DBDIR=/var/lib/rkhunter/db
 
 #
 # Specify the script directory to use.
 #
 #SCRIPTDIR=/usr/local/lib/rkhunter/scripts
+SCRIPTDIR=/usr/share/rkhunter/scripts
 
 #
 # Specify the root directory to use.
@@ -155,13 +158,13 @@
 #
 # NOTE: This option should be present in the configuration file.
 #
-LOGFILE=/var/log/rkhunter.log
+LOGFILE=/var/log/rkhunter/rkhunter.log
 
 #
 # Set the following option to 1 if the log file is to be appended to
 # whenever rkhunter is run.
 #
-APPEND_LOG=0
+APPEND_LOG=1
 
 #
 # Set the following option to 1 if the log file is to be copied when
@@ -183,7 +186,7 @@
 # Setting the value to 'none', or just leaving the option commented out,
 # disables the use of syslog.
 #
-#USE_SYSLOG=authpriv.notice
+USE_SYSLOG=authpriv.notice
 
 #
 # Set the following option to 1 if the second colour set is to be used.
@@ -213,7 +216,7 @@
 # file, then a value here of 'unset' can be used to avoid warning messages.
 # This option has a default value of 'no'.
 #
-ALLOW_SSH_ROOT_USER=no
+ALLOW_SSH_ROOT_USER=unset
 
 #
 # Set this option to '1' to allow the use of the SSH-1 protocol, but note
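Review bot: `TMPDIR=/var/lib/rkhunter` points the temporary directory at the state directory itself instead of the `tmp` subdirectory the commented default uses, and the context line directly above it says the directory permissions must be tight because important files are written there. Whatever installs this file (presumably a package spec not shown in this diff) must therefore create /var/lib/rkhunter root-owned and not group- or world-writable, or the `/var/lib/rkhunter/tmp` default should be kept. `SCRIPTDIR=/usr/share/rkhunter/scripts` likewise only works if the helper scripts are actually installed at that path, which I cannot verify from here.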
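Review bot: `LOGFILE=/var/log/rkhunter/rkhunter.log` moves the log into a subdirectory the stock default did not need, so something has to create /var/log/rkhunter before the first run; nothing in this diff shows that. Combined with `APPEND_LOG=1` the file grows without bound across runs unless a logrotate snippet is shipped with the package, and a comment above the line such as `# Log is appended; rotation is handled by <logrotate-snippet-path>` (placeholder) would record that dependency for the next maintainer.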
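Review bot: `ALLOW_SSH_ROOT_USER=unset` weakens the check rather than configuring it: the context lines say 'unset' exists to suppress the warning when PermitRootLogin is absent from sshd_config, and an absent directive falls back to sshd's built-in default, which on OpenSSH releases contemporary with this file permits root login. Shipping 'unset' as the distribution-wide default silences exactly the warning that would catch a host whose sshd_config never set PermitRootLogin. Keeping the upstream `ALLOW_SSH_ROOT_USER=no` and letting administrators who have deliberately left the directive out override it locally is the safer default.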
@@ -224,7 +227,7 @@
 # configuration file, then a value of '2' may be set here in order to
 # suppress a warning message. This option has a default value of '0'.
 #
-ALLOW_SSH_PROT_V1=0
+ALLOW_SSH_PROT_V1=0
 
 #
 # This setting tells rkhunter the directory containing the SSH configuration
@@ -255,7 +258,7 @@
 # tests, the test names, and how rkhunter behaves when these options are used.
 #
 ENABLE_TESTS="all"
-DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
+DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
 
 #
 # The HASH_FUNC option can be used to specify the command to use
@@ -324,6 +327,7 @@
 # Whenever this option is changed 'rkhunter --propupd' must be run.
 #
 #PKGMGR=NONE
+PKGMGR=RPM
 
 #
 # It is possible that a file which is part of a package may be modified
@@ -466,6 +470,12 @@
 #
 #SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown"
 #SCRIPTWHITELIST="/usr/bin/groups"
+SCRIPTWHITELIST=/usr/bin/whatis
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/GET
+SCRIPTWHITELIST=/sbin/ifup
+SCRIPTWHITELIST=/sbin/ifdown
 
 #
 # Allow the specified commands to have the immutable attribute set.
@@ -495,6 +505,14 @@
 #ALLOWHIDDENDIR="/dev/.initramfs"
 #ALLOWHIDDENDIR="/dev/.SRC-unix"
 #ALLOWHIDDENDIR="/dev/.mdadm"
+ALLOWHIDDENDIR=/dev/.udev
+ALLOWHIDDENDIR=/dev/.udevdb
+ALLOWHIDDENDIR=/dev/.udev.tdb
+ALLOWHIDDENDIR=/dev/.static
+ALLOWHIDDENDIR=/dev/.initramfs
+ALLOWHIDDENDIR=/dev/.SRC-unix
+ALLOWHIDDENDIR=/dev/.mdadm
+ALLOWHIDDENDIR=/dev/.systemd
 
 #
 # Allow the specified hidden files to be whitelisted.
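Review bot: Adding `apps` to `DISABLE_TESTS` turns off rkhunter's known-vulnerable-application-version check for every installation, and nothing in the hunk records why. If the motive is the usual one for RPM-based distributions (this patch also sets `PKGMGR=RPM` two hunks later) — backported security fixes leave version strings the test reports as vulnerable — that belongs in a comment so the decision is revisited rather than inherited, e.g. `# 'apps' disabled: version checks misfire on packages with backported fixes`. The same line also re-enables `hidden_ports` by dropping it from the list while `hidden_procs` stays disabled; a word on that in the same comment would save the next reader a diff.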
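Review bot: The six `SCRIPTWHITELIST=` lines use unquoted values while every example in the file and the `INSTALLDIR="/usr"` line at the end of the patch quote theirs; pick one form, e.g. `SCRIPTWHITELIST="/usr/bin/whatis"`, and apply it to the `ALLOWHIDDENDIR`, `ALLOWHIDDENFILE` and `ALLOWDEVFILE` entries in the following hunks as well. More substantively, each whitelisted path is excluded from the script-replacing-a-binary check, so the list should be the minimum that actually produces warnings on the target distribution. `/usr/bin/GET` in particular is presumably only present when the Perl LWP tools are installed; a short comment naming the package that owns each entry would make the list auditable when packages change.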
@@ -519,6 +537,25 @@
 #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
 #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
 #ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
+ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
+ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac
+ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac
+ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
+ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac
+ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
+ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
+ALLOWHIDDENFILE=/dev/.mdadm.map
+ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
+ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
 
 #
 # Allow the specified processes to use deleted files. The
@@ -583,6 +620,8 @@
 #
 #ALLOWDEVFILE="/dev/shm/pulse-shm-*"
 #ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
+ALLOWDEVFILE=/dev/shm/pulse-shm-*
+ALLOWDEVFILE=/dev/md/md-device-map
 
 #
 # This setting tells rkhunter where the inetd configuration
@@ -721,6 +760,7 @@
 # The option may be specified more than once.
 #
 #SUSPSCAN_DIRS="/tmp /var/tmp"
+SUSPSCAN_DIRS="/tmp /var/tmp"
 
 #
 # Directory for temporary files. A memory-based one is better (faster).
@@ -976,3 +1016,5 @@
 # both programs, then disable the 'hidden_procs' test.
 #
 #DISABLE_UNHIDE=0
+
+INSTALLDIR="/usr"
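Review bot: Several `ALLOWHIDDENFILE` entries use shell-style wildcards (`/lib*/.libcrypto.so.*.hmac`, `/usr/lib*/hmaccalc/sha1hmac.hmac`) whereas the commented examples above them are literal paths; please confirm that the 1.3.8 configuration parser expands globs in this option, because if it does not these entries match nothing and the hidden-file warnings for the FIPS .hmac files remain. Where globbing is supported, keep the patterns as narrow as they are here — a broader pattern over `/usr/lib*/.*` would exclude exactly the kind of hidden file the test exists to find. The `/usr/share/man/man1/..1.gz` entry looks like a packaging artefact rather than a deliberately hidden file; a comment naming the package that ships it would let a later maintainer decide whether it still belongs.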
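Review bot: `INSTALLDIR="/usr"` is appended after the last documented option with no comment block, unlike every other setting in this file, and `INSTALLDIR` does not appear among the commented options in any hunk shown; I cannot tell from this diff whether the 1.3.8 configuration reader consumes it from rkhunter.conf at all. Add the file's usual header above it, e.g. `#` / `# Installation prefix used by the distribution packaging.` / `#`, and if the option is not recognised by this release, move the value to wherever the packaging actually reads it rather than leaving an unexplained setting in the config.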