rkhunter/sme8/rkhunter-1.3.8-smeconfig.patch

diff -up rkhunter-1.3.8/files/rkhunter.conf.smeconfig rkhunter-1.3.8/files/rkhunter.conf
--- rkhunter-1.3.8/files/rkhunter.conf.smeconfig        2010-11-13 13:25:22.000000000 -0700
+++ rkhunter-1.3.8/files/rkhunter.conf  2011-04-27 09:38:25.522680955 -0600
@@ -76,7 +76,7 @@ MIRRORS_MODE=0
 # NOTE: This option should be present in the configuration file.
 #
 #MAIL-ON-WARNING=me@mydomain   root@mydomain
-MAIL-ON-WARNING=""
+MAIL-ON-WARNING="root"
 
 #
 # Specify the mail command to use if MAIL-ON-WARNING is set.
@@ -94,16 +94,19 @@ MAIL_CMD=mail -s "[rkhunter] Warnings fo
 # sure that the directory permissions are tight.
 #
 #TMPDIR=/var/lib/rkhunter/tmp
+TMPDIR=/var/lib/rkhunter
 
 #
 # Specify the database directory to use.
 #
 #DBDIR=/var/lib/rkhunter/db
+DBDIR=/var/lib/rkhunter/db
 
 #
 # Specify the script directory to use.
 #
 #SCRIPTDIR=/usr/local/lib/rkhunter/scripts
+SCRIPTDIR=/usr/share/rkhunter/scripts
 
 #
 # Specify the root directory to use.
@@ -155,13 +158,13 @@ UPDATE_LANG=""
 #
 # NOTE: This option should be present in the configuration file.
 #
-LOGFILE=/var/log/rkhunter.log
+LOGFILE=/var/log/rkhunter/rkhunter.log
 
 #
 # Set the following option to 1 if the log file is to be appended to
 # whenever rkhunter is run.
 #
-APPEND_LOG=0
+APPEND_LOG=1
 
 #
 # Set the following option to 1 if the log file is to be copied when
@@ -213,7 +216,7 @@ WHITELISTED_IS_WHITE=0
 # file, then a value here of 'unset' can be used to avoid warning messages.
 # This option has a default value of 'no'.
 #
-ALLOW_SSH_ROOT_USER=no
+ALLOW_SSH_ROOT_USER=unset
 
 #
 # Set this option to '1' to allow the use of the SSH-1 protocol, but note
@@ -255,7 +258,7 @@ ALLOW_SSH_PROT_V1=0
 # tests, the test names, and how rkhunter behaves when these options are used.
 #
 ENABLE_TESTS="all"
-DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
+DISABLE_TESTS="apps suspscan system_commands"
 
 #
 # The HASH_FUNC option can be used to specify the command to use
@@ -324,6 +327,7 @@ DISABLE_TESTS="suspscan hidden_ports hid
 # Whenever this option is changed 'rkhunter --propupd' must be run.
 #
 #PKGMGR=NONE
+PKGMGR=RPM
 
 #
 # It is possible that a file which is part of a package may be modified
@@ -466,6 +470,12 @@ DISABLE_TESTS="suspscan hidden_ports hid
 #
 #SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown"
 #SCRIPTWHITELIST="/usr/bin/groups"
+SCRIPTWHITELIST=/usr/bin/whatis
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/GET
+SCRIPTWHITELIST=/sbin/ifup
+SCRIPTWHITELIST=/sbin/ifdown
 
 #
 # Allow the specified commands to have the immutable attribute set.
@@ -495,6 +505,14 @@ IMMUTABLE_SET=0
 #ALLOWHIDDENDIR="/dev/.initramfs"
 #ALLOWHIDDENDIR="/dev/.SRC-unix"
 #ALLOWHIDDENDIR="/dev/.mdadm"
+ALLOWHIDDENDIR=/dev/.udev
+ALLOWHIDDENDIR=/dev/.udevdb
+ALLOWHIDDENDIR=/dev/.udev.tdb
+ALLOWHIDDENDIR=/dev/.static
+ALLOWHIDDENDIR=/dev/.initramfs
+ALLOWHIDDENDIR=/dev/.SRC-unix
+ALLOWHIDDENDIR=/dev/.mdadm
+ALLOWHIDDENDIR=/dev/.systemd
 
 #
 # Allow the specified hidden files to be whitelisted.
@@ -519,6 +537,25 @@ IMMUTABLE_SET=0
 #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
 #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
 #ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
+ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
+ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac
+ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac
+ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
+ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac
+ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
+ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
+ALLOWHIDDENFILE=/dev/.mdadm.map
+ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
+ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
 
 #
 # Allow the specified processes to use deleted files. The
@@ -534,6 +571,13 @@ IMMUTABLE_SET=0
 #ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
 #ALLOWPROCDELFILE="/usr/libexec/gconfd-2"
 #ALLOWPROCDELFILE="/usr/sbin/mysqld"
+ALLOWPROCDELFILE=(deleted)
+ALLOWPROCDELFILE=/usr/bin/freshclam
+ALLOWPROCDELFILE=/usr/bin/perl
+ALLOWPROCDELFILE=/usr/bin/python
+ALLOWPROCDELFILE=/usr/libexec/dovecot/imap
+ALLOWPROCDELFILE=/usr/sbin/asterisk
+ALLOWPROCDELFILE=/usr/sbin/httpd
 
 #
 # Allow the specified processes to listen on any network interface.
@@ -541,8 +585,11 @@ IMMUTABLE_SET=0
 # This is a space-separated list of process names. The option
 # may be specified more than once.
 #
-#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
-#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
+ALLOWPROCLISTEN="/sbin/dhclient"
+ALLOWPROCLISTEN="/usr/sbin/dhcpd"
+#ALLOWPROCLISTEN="/usr/bin/dhcpcd"
+ALLOWPROCLISTEN="/usr/sbin/pppoe"
+#ALLOWPROCLISTEN="/usr/sbin/tcpdump"
 #ALLOWPROCLISTEN="/usr/sbin/snort-plain"
 #ALLOWPROCLISTEN="/usr/local/bin/wpa_supplicant"
 
@@ -583,6 +630,8 @@ PHALANX2_DIRTEST=0
 #
 #ALLOWDEVFILE="/dev/shm/pulse-shm-*"
 #ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
+ALLOWDEVFILE=/dev/shm/pulse-shm-*
+ALLOWDEVFILE=/dev/md/md-device-map
 
 #
 # This setting tells rkhunter where the inetd configuration
@@ -686,7 +735,7 @@ PHALANX2_DIRTEST=0
 # This is a space-separated list of pathnames. The option may
 # be specified more than once.
 #
-#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+SYSLOG_CONFIG_FILE=/etc/syslog.conf
 
 #
 # This option permits the use of syslog remote logging.
@@ -721,6 +770,7 @@ ALLOW_SYSLOG_REMOTE_LOGGING=0
 # The option may be specified more than once.
 #
 #SUSPSCAN_DIRS="/tmp /var/tmp"
+SUSPSCAN_DIRS="/tmp /var/tmp"
 
 #
 # Directory for temporary files. A memory-based one is better (faster).
@@ -783,7 +833,7 @@ SUSPSCAN_THRESH=200
 # specified, then RKH will assume the O/S release information is on the
 # first non-blank line of the file.
 #
-#OS_VERSION_FILE="/etc/release"
+OS_VERSION_FILE="/etc/redhat-release"
 
 #
 # The following two options can be used to whitelist files and directories
@@ -976,3 +1026,5 @@ SHOW_LOCK_MSGS=1
 # both programs, then disable the 'hidden_procs' test.
 #
 #DISABLE_UNHIDE=0
+
+INSTALLDIR="/usr"
1	slords	1.1	diff -up rkhunter-1.3.8/files/rkhunter.conf.smeconfig rkhunter-1.3.8/files/rkhunter.conf
2			--- rkhunter-1.3.8/files/rkhunter.conf.smeconfig 2010-11-13 13:25:22.000000000 -0700
3			+++ rkhunter-1.3.8/files/rkhunter.conf 2011-04-27 09:38:25.522680955 -0600
4			@@ -76,7 +76,7 @@ MIRRORS_MODE=0
5			# NOTE: This option should be present in the configuration file.
6			#
7			#MAIL-ON-WARNING=me@mydomain root@mydomain
8			-MAIL-ON-WARNING=""
9			+MAIL-ON-WARNING="root"
10
11			#
12			# Specify the mail command to use if MAIL-ON-WARNING is set.
13			@@ -94,16 +94,19 @@ MAIL_CMD=mail -s "[rkhunter] Warnings fo
14			# sure that the directory permissions are tight.
15			#
16			#TMPDIR=/var/lib/rkhunter/tmp
17			+TMPDIR=/var/lib/rkhunter
18
19			#
20			# Specify the database directory to use.
21			#
22			#DBDIR=/var/lib/rkhunter/db
23			+DBDIR=/var/lib/rkhunter/db
24
25			#
26			# Specify the script directory to use.
27			#
28			#SCRIPTDIR=/usr/local/lib/rkhunter/scripts
29			+SCRIPTDIR=/usr/share/rkhunter/scripts
30
31			#
32			# Specify the root directory to use.
33			@@ -155,13 +158,13 @@ UPDATE_LANG=""
34			#
35			# NOTE: This option should be present in the configuration file.
36			#
37			-LOGFILE=/var/log/rkhunter.log
38			+LOGFILE=/var/log/rkhunter/rkhunter.log
39
40			#
41			# Set the following option to 1 if the log file is to be appended to
42			# whenever rkhunter is run.
43			#
44			-APPEND_LOG=0
45			+APPEND_LOG=1
46
47			#
48			# Set the following option to 1 if the log file is to be copied when
49			@@ -213,7 +216,7 @@ WHITELISTED_IS_WHITE=0
50			# file, then a value here of 'unset' can be used to avoid warning messages.
51			# This option has a default value of 'no'.
52			#
53			-ALLOW_SSH_ROOT_USER=no
54			+ALLOW_SSH_ROOT_USER=unset
55
56			#
57			# Set this option to '1' to allow the use of the SSH-1 protocol, but note
58			@@ -255,7 +258,7 @@ ALLOW_SSH_PROT_V1=0
59			# tests, the test names, and how rkhunter behaves when these options are used.
60			#
61			ENABLE_TESTS="all"
62			-DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
63			+DISABLE_TESTS="apps suspscan system_commands"
64
65			#
66			# The HASH_FUNC option can be used to specify the command to use
67			@@ -324,6 +327,7 @@ DISABLE_TESTS="suspscan hidden_ports hid
68			# Whenever this option is changed 'rkhunter --propupd' must be run.
69			#
70			#PKGMGR=NONE
71			+PKGMGR=RPM
72
73			#
74			# It is possible that a file which is part of a package may be modified
75			@@ -466,6 +470,12 @@ DISABLE_TESTS="suspscan hidden_ports hid
76			#
77			#SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown"
78			#SCRIPTWHITELIST="/usr/bin/groups"
79			+SCRIPTWHITELIST=/usr/bin/whatis
80			+SCRIPTWHITELIST=/usr/bin/ldd
81			+SCRIPTWHITELIST=/usr/bin/groups
82			+SCRIPTWHITELIST=/usr/bin/GET
83			+SCRIPTWHITELIST=/sbin/ifup
84			+SCRIPTWHITELIST=/sbin/ifdown
85
86			#
87			# Allow the specified commands to have the immutable attribute set.
88			@@ -495,6 +505,14 @@ IMMUTABLE_SET=0
89			#ALLOWHIDDENDIR="/dev/.initramfs"
90			#ALLOWHIDDENDIR="/dev/.SRC-unix"
91			#ALLOWHIDDENDIR="/dev/.mdadm"
92			+ALLOWHIDDENDIR=/dev/.udev
93			+ALLOWHIDDENDIR=/dev/.udevdb
94			+ALLOWHIDDENDIR=/dev/.udev.tdb
95			+ALLOWHIDDENDIR=/dev/.static
96			+ALLOWHIDDENDIR=/dev/.initramfs
97			+ALLOWHIDDENDIR=/dev/.SRC-unix
98			+ALLOWHIDDENDIR=/dev/.mdadm
99			+ALLOWHIDDENDIR=/dev/.systemd
100
101			#
102			# Allow the specified hidden files to be whitelisted.
103			@@ -519,6 +537,25 @@ IMMUTABLE_SET=0
104			#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
105			#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
106			#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
107			+ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
108			+ALLOWHIDDENFILE=/lib/.libcrypto.so..hmac
109			+ALLOWHIDDENFILE=/lib/.libssl.so..hmac
110			+ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
111			+ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
112			+ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
113			+ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
114			+ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
115			+ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
116			+ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so..hmac
117			+ALLOWHIDDENFILE=/usr/lib/.libgcrypt.so..hmac
118			+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
119			+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
120			+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
121			+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
122			+ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
123			+ALLOWHIDDENFILE=/dev/.mdadm.map
124			+ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
125			+ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
126
127			#
128			# Allow the specified processes to use deleted files. The
129			@@ -534,6 +571,13 @@ IMMUTABLE_SET=0
130			#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
131			#ALLOWPROCDELFILE="/usr/libexec/gconfd-2"
132			#ALLOWPROCDELFILE="/usr/sbin/mysqld"
133			+ALLOWPROCDELFILE=(deleted)
134			+ALLOWPROCDELFILE=/usr/bin/freshclam
135			+ALLOWPROCDELFILE=/usr/bin/perl
136			+ALLOWPROCDELFILE=/usr/bin/python
137			+ALLOWPROCDELFILE=/usr/libexec/dovecot/imap
138			+ALLOWPROCDELFILE=/usr/sbin/asterisk
139			+ALLOWPROCDELFILE=/usr/sbin/httpd
140
141			#
142			# Allow the specified processes to listen on any network interface.
143			@@ -541,8 +585,11 @@ IMMUTABLE_SET=0
144			# This is a space-separated list of process names. The option
145			# may be specified more than once.
146			#
147			-#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
148			-#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
149			+ALLOWPROCLISTEN="/sbin/dhclient"
150			+ALLOWPROCLISTEN="/usr/sbin/dhcpd"
151			+#ALLOWPROCLISTEN="/usr/bin/dhcpcd"
152			+ALLOWPROCLISTEN="/usr/sbin/pppoe"
153			+#ALLOWPROCLISTEN="/usr/sbin/tcpdump"
154			#ALLOWPROCLISTEN="/usr/sbin/snort-plain"
155			#ALLOWPROCLISTEN="/usr/local/bin/wpa_supplicant"
156
157			@@ -583,6 +630,8 @@ PHALANX2_DIRTEST=0
158			#
159			#ALLOWDEVFILE="/dev/shm/pulse-shm-*"
160			#ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
161			+ALLOWDEVFILE=/dev/shm/pulse-shm-*
162			+ALLOWDEVFILE=/dev/md/md-device-map
163
164			#
165			# This setting tells rkhunter where the inetd configuration
166			@@ -686,7 +735,7 @@ PHALANX2_DIRTEST=0
167			# This is a space-separated list of pathnames. The option may
168			# be specified more than once.
169			#
170			-#SYSLOG_CONFIG_FILE=/etc/syslog.conf
171			+SYSLOG_CONFIG_FILE=/etc/syslog.conf
172
173			#
174			# This option permits the use of syslog remote logging.
175			@@ -721,6 +770,7 @@ ALLOW_SYSLOG_REMOTE_LOGGING=0
176			# The option may be specified more than once.
177			#
178			#SUSPSCAN_DIRS="/tmp /var/tmp"
179			+SUSPSCAN_DIRS="/tmp /var/tmp"
180
181			#
182			# Directory for temporary files. A memory-based one is better (faster).
183			@@ -783,7 +833,7 @@ SUSPSCAN_THRESH=200
184			# specified, then RKH will assume the O/S release information is on the
185			# first non-blank line of the file.
186			#
187			-#OS_VERSION_FILE="/etc/release"
188			+OS_VERSION_FILE="/etc/redhat-release"
189
190			#
191			# The following two options can be used to whitelist files and directories
192			@@ -976,3 +1026,5 @@ SHOW_LOCK_MSGS=1
193			# both programs, then disable the 'hidden_procs' test.
194			#
195			#DISABLE_UNHIDE=0
196			+
197			+INSTALLDIR="/usr"