1 |
diff -up rkhunter-1.3.8/files/rkhunter.conf.smeconfig rkhunter-1.3.8/files/rkhunter.conf |
2 |
--- rkhunter-1.3.8/files/rkhunter.conf.smeconfig 2010-11-13 13:25:22.000000000 -0700 |
3 |
+++ rkhunter-1.3.8/files/rkhunter.conf 2011-04-27 09:38:25.522680955 -0600 |
4 |
@@ -76,7 +76,7 @@ MIRRORS_MODE=0 |
5 |
# NOTE: This option should be present in the configuration file. |
6 |
# |
7 |
#MAIL-ON-WARNING=me@mydomain root@mydomain |
8 |
-MAIL-ON-WARNING="" |
9 |
+MAIL-ON-WARNING="root" |
10 |
|
11 |
# |
12 |
# Specify the mail command to use if MAIL-ON-WARNING is set. |
13 |
@@ -94,16 +94,19 @@ MAIL_CMD=mail -s "[rkhunter] Warnings fo |
14 |
# sure that the directory permissions are tight. |
15 |
# |
16 |
#TMPDIR=/var/lib/rkhunter/tmp |
17 |
+TMPDIR=/var/lib/rkhunter |
18 |
|
19 |
# |
20 |
# Specify the database directory to use. |
21 |
# |
22 |
#DBDIR=/var/lib/rkhunter/db |
23 |
+DBDIR=/var/lib/rkhunter/db |
24 |
|
25 |
# |
26 |
# Specify the script directory to use. |
27 |
# |
28 |
#SCRIPTDIR=/usr/local/lib/rkhunter/scripts |
29 |
+SCRIPTDIR=/usr/share/rkhunter/scripts |
30 |
|
31 |
# |
32 |
# Specify the root directory to use. |
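Review bot: TMPDIR is pointed at /var/lib/rkhunter itself rather than a dedicated subdirectory, so rkhunter's scratch files now share a directory with the database directory set three lines later (`DBDIR=/var/lib/rkhunter/db`). The comment this hunk opens with ("make sure that the directory permissions are tight") applies directly: /var/lib/rkhunter must be root-owned and writable by nobody else, otherwise a local user could plant or race the files the scan reads back. If the package does not already enforce that mode, keeping the upstream `TMPDIR=/var/lib/rkhunter/tmp` lets the temp area be locked down independently of the database.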
33 |
@@ -155,13 +158,13 @@ UPDATE_LANG="" |
34 |
# |
35 |
# NOTE: This option should be present in the configuration file. |
36 |
# |
37 |
-LOGFILE=/var/log/rkhunter.log |
38 |
+LOGFILE=/var/log/rkhunter/rkhunter.log |
39 |
|
40 |
# |
41 |
# Set the following option to 1 if the log file is to be appended to |
42 |
# whenever rkhunter is run. |
43 |
# |
44 |
-APPEND_LOG=0 |
45 |
+APPEND_LOG=1 |
46 |
|
47 |
# |
48 |
# Set the following option to 1 if the log file is to be copied when |
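Review bot: `APPEND_LOG=1` combined with the new fixed path `/var/log/rkhunter/rkhunter.log` means the log grows on every run and nothing in this hunk bounds it; a logrotate stanza should accompany the change, and it should keep older runs rather than truncate them so the history remains usable in an investigation. The new directory /var/log/rkhunter also has to exist and be root-only before the first run — I cannot tell from the diff whether rkhunter creates it, so the package should. A comment such as `# appended across runs; rotated by logrotate` above the line would record that the growth is intentional.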
49 |
@@ -213,7 +216,7 @@ WHITELISTED_IS_WHITE=0 |
50 |
# file, then a value here of 'unset' can be used to avoid warning messages. |
51 |
# This option has a default value of 'no'. |
52 |
# |
53 |
-ALLOW_SSH_ROOT_USER=no |
54 |
+ALLOW_SSH_ROOT_USER=unset |
55 |
|
56 |
# |
57 |
# Set this option to '1' to allow the use of the SSH-1 protocol, but note |
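Review bot: Changing ALLOW_SSH_ROOT_USER from `no` to `unset` silences the warning for the case where sshd_config contains no PermitRootLogin line at all, and on the OpenSSH releases contemporary with this configuration an absent PermitRootLogin meant root login over SSH was permitted — the very condition the test exists to flag. Unless the product's sshd_config is known to always set PermitRootLogin explicitly, this trades a real finding for quieter reports; keeping `ALLOW_SSH_ROOT_USER=no` and setting `PermitRootLogin no` in sshd_config is the stronger fix. If `unset` must stay, a comment above the line should record why the warning is considered noise on this platform.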
58 |
@@ -255,7 +258,7 @@ ALLOW_SSH_PROT_V1=0 |
59 |
# tests, the test names, and how rkhunter behaves when these options are used. |
60 |
# |
61 |
ENABLE_TESTS="all" |
62 |
-DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps" |
63 |
+DISABLE_TESTS="apps suspscan system_commands" |
64 |
|
65 |
# |
66 |
# The HASH_FUNC option can be used to specify the command to use |
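Review bot: The new DISABLE_TESTS value turns off `system_commands`, which in rkhunter's own test list is the grouped test covering the system-binary properties, shared-library and strings checks — the core file-tampering detection — and does so without a comment explaining the trade-off. If that reading of the group is right, the `PKGMGR=RPM` and `SCRIPTWHITELIST` settings added later in this patch become dead configuration, since they only influence the properties tests. Re-enabling hidden_ports, hidden_procs, deleted_files and packet_cap_apps is a clear gain; I would keep system_commands enabled and whitelist specific false positives instead, or at minimum document the reason, e.g. `# system_commands disabled: <reason and date>`.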
67 |
@@ -324,6 +327,7 @@ DISABLE_TESTS="suspscan hidden_ports hid |
68 |
# Whenever this option is changed 'rkhunter --propupd' must be run. |
69 |
# |
70 |
#PKGMGR=NONE |
71 |
+PKGMGR=RPM |
72 |
|
73 |
# |
74 |
# It is possible that a file which is part of a package may be modified |
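Review bot: The comment immediately above the new `PKGMGR=RPM` line states that 'rkhunter --propupd' must be run whenever this option changes, yet nothing in the patch shows that happening; the packaging scriptlet needs to run it on install/upgrade or the first scan will report every command's properties as changed. A note beside the value such as `# changed from NONE: requires 'rkhunter --propupd' on upgrade` would make that dependency visible to the next maintainer. Worth stating in the same comment: with PKGMGR=RPM the property baseline is only as trustworthy as the local RPM database, which a root-level intruder can edit as well.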
75 |
@@ -466,6 +470,12 @@ DISABLE_TESTS="suspscan hidden_ports hid |
76 |
# |
77 |
#SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown" |
78 |
#SCRIPTWHITELIST="/usr/bin/groups" |
79 |
+SCRIPTWHITELIST=/usr/bin/whatis |
80 |
+SCRIPTWHITELIST=/usr/bin/ldd |
81 |
+SCRIPTWHITELIST=/usr/bin/groups |
82 |
+SCRIPTWHITELIST=/usr/bin/GET |
83 |
+SCRIPTWHITELIST=/sbin/ifup |
84 |
+SCRIPTWHITELIST=/sbin/ifdown |
85 |
|
86 |
# |
87 |
# Allow the specified commands to have the immutable attribute set. |
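Review bot: The six new SCRIPTWHITELIST entries are unquoted while the two examples directly above them, and the ALLOWPROCLISTEN lines elsewhere in this patch, are quoted; rkhunter accepts both, but one form per file spares the reader from wondering whether the quotes matter. Each whitelisted path also deserves a one-line note naming the package that legitimately installs it as a script (e.g. `# /usr/bin/GET: perl script shipped with the LWP package`), because every entry here is a location where a script substituted for a binary will no longer be reported.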
88 |
@@ -495,6 +505,14 @@ IMMUTABLE_SET=0 |
89 |
#ALLOWHIDDENDIR="/dev/.initramfs" |
90 |
#ALLOWHIDDENDIR="/dev/.SRC-unix" |
91 |
#ALLOWHIDDENDIR="/dev/.mdadm" |
92 |
+ALLOWHIDDENDIR=/dev/.udev |
93 |
+ALLOWHIDDENDIR=/dev/.udevdb |
94 |
+ALLOWHIDDENDIR=/dev/.udev.tdb |
95 |
+ALLOWHIDDENDIR=/dev/.static |
96 |
+ALLOWHIDDENDIR=/dev/.initramfs |
97 |
+ALLOWHIDDENDIR=/dev/.SRC-unix |
98 |
+ALLOWHIDDENDIR=/dev/.mdadm |
99 |
+ALLOWHIDDENDIR=/dev/.systemd |
100 |
|
101 |
# |
102 |
# Allow the specified hidden files to be whitelisted. |
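Review bot: Eight hidden directories under /dev are whitelisted in one block with no justification for any of them, and hidden /dev directories are a classic rootkit hiding place, so each entry should name what legitimately creates it (udev, mdadm, the initramfs, ...). One entry looks out of place for the target: `/dev/.systemd` exists only on systemd-based systems, and if this platform does not ship systemd the entry buys nothing while giving an intruder an unmonitored directory. Whitelist only directories that actually exist on the supported releases and comment each one, e.g. `# created by udev at boot` above the /dev/.udev* lines.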
103 |
@@ -519,6 +537,25 @@ IMMUTABLE_SET=0 |
104 |
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac" |
105 |
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac" |
106 |
#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac" |
107 |
+ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz |
108 |
+ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac |
109 |
+ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac |
110 |
+ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac |
111 |
+ALLOWHIDDENFILE=/usr/bin/.ssh.hmac |
112 |
+ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac |
113 |
+ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac |
114 |
+ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac |
115 |
+ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac |
116 |
+ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac |
117 |
+ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac |
118 |
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac |
119 |
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac |
120 |
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac |
121 |
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac |
122 |
+ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac |
123 |
+ALLOWHIDDENFILE=/dev/.mdadm.map |
124 |
+ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz |
125 |
+ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac |
126 |
|
127 |
# |
128 |
# Allow the specified processes to use deleted files. The |
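Review bot: Most of the new ALLOWHIDDENFILE entries rely on glob characters (`/lib*/`, `.so.*.hmac`) whereas the upstream examples above them are literal paths; confirm that this rkhunter release expands wildcards in ALLOWHIDDENFILE, because if it does not the patterns match nothing and the FIPS .hmac files will keep warning on every run. The wildcards are also broader than strictly needed — `/usr/lib*/.libgcrypt.so.*.hmac` accepts any version string — which is reasonable for these checksum files but worth a comment so the breadth reads as deliberate. A header such as `# .hmac files are FIPS self-test checksums installed by openssl, openssh and related packages` above the block would explain the group.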
129 |
@@ -534,6 +571,13 @@ IMMUTABLE_SET=0 |
130 |
#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc" |
131 |
#ALLOWPROCDELFILE="/usr/libexec/gconfd-2" |
132 |
#ALLOWPROCDELFILE="/usr/sbin/mysqld" |
133 |
+ALLOWPROCDELFILE=(deleted) |
134 |
+ALLOWPROCDELFILE=/usr/bin/freshclam |
135 |
+ALLOWPROCDELFILE=/usr/bin/perl |
136 |
+ALLOWPROCDELFILE=/usr/bin/python |
137 |
+ALLOWPROCDELFILE=/usr/libexec/dovecot/imap |
138 |
+ALLOWPROCDELFILE=/usr/sbin/asterisk |
139 |
+ALLOWPROCDELFILE=/usr/sbin/httpd |
140 |
|
141 |
# |
142 |
# Allow the specified processes to listen on any network interface. |
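Review bot: `ALLOWPROCDELFILE=/usr/bin/perl` and `ALLOWPROCDELFILE=/usr/bin/python` whitelist every perl and python process on the host, and a process that unlinks its own script or payload after loading it is exactly the behaviour the deleted_files test is meant to catch; the example two lines above (`/usr/sbin/gpm:/etc/X11/abc`) shows the option takes a `process:file` form, so the specific deleted file each legitimate daemon holds should be named instead of blanket-allowing the interpreters. The first entry `ALLOWPROCDELFILE=(deleted)` is not a process pathname at all — if rkhunter matches it against the lsof output as a catch-all it neuters the test entirely, so either confirm what this version does with it or drop it. The remaining daemons (freshclam, dovecot imap, asterisk, httpd) are plausible but would also benefit from the narrower form.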
143 |
@@ -541,8 +585,11 @@ IMMUTABLE_SET=0 |
144 |
# This is a space-separated list of process names. The option |
145 |
# may be specified more than once. |
146 |
# |
147 |
-#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd" |
148 |
-#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump" |
149 |
+ALLOWPROCLISTEN="/sbin/dhclient" |
150 |
+ALLOWPROCLISTEN="/usr/sbin/dhcpd" |
151 |
+#ALLOWPROCLISTEN="/usr/bin/dhcpcd" |
152 |
+ALLOWPROCLISTEN="/usr/sbin/pppoe" |
153 |
+#ALLOWPROCLISTEN="/usr/sbin/tcpdump" |
154 |
#ALLOWPROCLISTEN="/usr/sbin/snort-plain" |
155 |
#ALLOWPROCLISTEN="/usr/local/bin/wpa_supplicant" |
156 |
|
157 |
@@ -583,6 +630,8 @@ PHALANX2_DIRTEST=0 |
158 |
# |
159 |
#ALLOWDEVFILE="/dev/shm/pulse-shm-*" |
160 |
#ALLOWDEVFILE="/dev/shm/sem.ADBE_*" |
161 |
+ALLOWDEVFILE=/dev/shm/pulse-shm-* |
162 |
+ALLOWDEVFILE=/dev/md/md-device-map |
163 |
|
164 |
# |
165 |
# This setting tells rkhunter where the inetd configuration |
166 |
@@ -686,7 +735,7 @@ PHALANX2_DIRTEST=0 |
167 |
# This is a space-separated list of pathnames. The option may |
168 |
# be specified more than once. |
169 |
# |
170 |
-#SYSLOG_CONFIG_FILE=/etc/syslog.conf |
171 |
+SYSLOG_CONFIG_FILE=/etc/syslog.conf |
172 |
|
173 |
# |
174 |
# This option permits the use of syslog remote logging. |
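Review bot: `SYSLOG_CONFIG_FILE=/etc/syslog.conf` hard-codes the classic syslogd path; if the target release has moved to rsyslog that file may be absent and the syslog checks will either report the configuration as missing or skip the remote-logging test. The comment above says the option may be specified more than once, so listing `/etc/rsyslog.conf` alongside it (or selecting per release) keeps the test meaningful. I cannot tell from the diff which syslog daemon the platform ships, so confirm before merging.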
175 |
@@ -721,6 +770,7 @@ ALLOW_SYSLOG_REMOTE_LOGGING=0 |
176 |
# The option may be specified more than once. |
177 |
# |
178 |
#SUSPSCAN_DIRS="/tmp /var/tmp" |
179 |
+SUSPSCAN_DIRS="/tmp /var/tmp" |
180 |
|
181 |
# |
182 |
# Directory for temporary files. A memory-based one is better (faster). |
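Review bot: `SUSPSCAN_DIRS="/tmp /var/tmp"` configures a test that this same patch disables (`suspscan` is in the new DISABLE_TESTS value), so the line has no effect as committed. Either re-enable suspscan — scanning /tmp and /var/tmp for suspicious content is worthwhile on a server — or leave the setting commented out so readers do not assume those directories are being scanned. If it stays, a comment such as `# no effect while suspscan is listed in DISABLE_TESTS` would prevent the confusion.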
183 |
@@ -783,7 +833,7 @@ SUSPSCAN_THRESH=200 |
184 |
# specified, then RKH will assume the O/S release information is on the |
185 |
# first non-blank line of the file. |
186 |
# |
187 |
-#OS_VERSION_FILE="/etc/release" |
188 |
+OS_VERSION_FILE="/etc/redhat-release" |
189 |
|
190 |
# |
191 |
# The following two options can be used to whitelist files and directories |
192 |
@@ -976,3 +1026,5 @@ SHOW_LOCK_MSGS=1 |
193 |
# both programs, then disable the 'hidden_procs' test. |
194 |
# |
195 |
#DISABLE_UNHIDE=0 |
196 |
+ |
197 |
+INSTALLDIR="/usr" |
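Review bot: `INSTALLDIR="/usr"` is appended after the file's last option with none of the explanatory comment block every other setting in this file carries, and it is the only quoted value among the assignments this patch adds. Since it presumably tells rkhunter where its packaged files live, a short comment should precede it, e.g. `# Installation prefix of the packaged rkhunter (scripts live under /usr/share/rkhunter, see SCRIPTDIR)`; the option would also sit better next to the SCRIPTDIR/DBDIR settings earlier in the file than as a trailing line.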