diff -up rkhunter-1.3.8/files/rkhunter.conf.smeconfig rkhunter-1.3.8/files/rkhunter.conf
--- rkhunter-1.3.8/files/rkhunter.conf.smeconfig 2010-11-13 13:25:22.000000000 -0700
+++ rkhunter-1.3.8/files/rkhunter.conf 2011-04-27 09:38:25.522680955 -0600
@@ -76,7 +76,7 @@ MIRRORS_MODE=0
 # NOTE: This option should be present in the configuration file.
 #
 #MAIL-ON-WARNING=me@mydomain root@mydomain
-MAIL-ON-WARNING=""
+MAIL-ON-WARNING="root"
 #
 # Specify the mail command to use if MAIL-ON-WARNING is set.
@@ -94,16 +94,19 @@ MAIL_CMD=mail -s "[rkhunter] Warnings fo
 # sure that the directory permissions are tight.
 #
 #TMPDIR=/var/lib/rkhunter/tmp
+TMPDIR=/var/lib/rkhunter
 #
 # Specify the database directory to use.
 #
 #DBDIR=/var/lib/rkhunter/db
+DBDIR=/var/lib/rkhunter/db
 #
 # Specify the script directory to use.
 #
 #SCRIPTDIR=/usr/local/lib/rkhunter/scripts
+SCRIPTDIR=/usr/share/rkhunter/scripts
 #
 # Specify the root directory to use.
@@ -155,13 +158,13 @@ UPDATE_LANG=""
 #
 # NOTE: This option should be present in the configuration file.
 #
-LOGFILE=/var/log/rkhunter.log
+LOGFILE=/var/log/rkhunter/rkhunter.log
 #
 # Set the following option to 1 if the log file is to be appended to
 # whenever rkhunter is run.
 #
-APPEND_LOG=0
+APPEND_LOG=1
 #
 # Set the following option to 1 if the log file is to be copied when
@@ -213,7 +216,7 @@ WHITELISTED_IS_WHITE=0
 # file, then a value here of 'unset' can be used to avoid warning messages.
 # This option has a default value of 'no'.
 #
-ALLOW_SSH_ROOT_USER=no
+ALLOW_SSH_ROOT_USER=unset
 #
 # Set this option to '1' to allow the use of the SSH-1 protocol, but note
@@ -255,7 +258,7 @@ ALLOW_SSH_PROT_V1=0
 # tests, the test names, and how rkhunter behaves when these options are used.
 #
 ENABLE_TESTS="all"
-DISABLE_TESTS="suspscan hidden_ports hidden_procs deleted_files packet_cap_apps"
+DISABLE_TESTS="apps suspscan system_commands"
 #
 # The HASH_FUNC option can be used to specify the command to use
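Review bot: `TMPDIR=/var/lib/rkhunter` points the scratch directory at the parent that also holds `DBDIR=/var/lib/rkhunter/db`, instead of the dedicated `/var/lib/rkhunter/tmp` the commented default uses, and the context line two above warns that this directory's permissions must be tight. If sharing the directory is deliberate, a one-line reason would help, e.g. `# Temp files live beside the DB; directory must stay root-owned and not group/world-writable`; otherwise keep the tmp subdirectory.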
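Review bot: `LOGFILE=/var/log/rkhunter/rkhunter.log` moves the log into a subdirectory while `APPEND_LOG=1` makes every run add to it, and nothing in this patch shows who creates `/var/log/rkhunter` or rotates the file, so a first run may fail to open the log and an append-mode log without rotation grows without bound. Presumably the packaging or a logrotate fragment covers both — worth confirming, and worth a comment next to `APPEND_LOG=1` naming the rotation that keeps it bounded.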
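Review bot: `ALLOW_SSH_ROOT_USER=unset` silences the root-login check rather than asserting the expected `PermitRootLogin` value; per the comment above it, `unset` is meant for the case where sshd_config does not set the option at all, and with it rkhunter will no longer warn if root login is later enabled. If the shipped sshd_config sets `PermitRootLogin no`, keeping `ALLOW_SSH_ROOT_USER=no` preserves that detection; if it does not, a comment stating why the check is silenced would help the next reader.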
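Review bot: `DISABLE_TESTS="apps suspscan system_commands"` switches off the whole `system_commands` group, which as far as I recall covers the file-properties, strings and script checks on system binaries — a large part of rkhunter's detection — and the hunk records no reason. Re-enabling hidden_ports, hidden_procs, deleted_files and packet_cap_apps is a clear improvement; consider naming only the specific sub-tests that produce noise instead of the group, and adding a `#` line above stating why each listed test is disabled.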
@@ -324,6 +327,7 @@ DISABLE_TESTS="suspscan hidden_ports hid
 # Whenever this option is changed 'rkhunter --propupd' must be run.
 #
 #PKGMGR=NONE
+PKGMGR=RPM
 #
 # It is possible that a file which is part of a package may be modified
@@ -466,6 +470,12 @@ DISABLE_TESTS="suspscan hidden_ports hid
 #
 #SCRIPTWHITELIST="/sbin/ifup /sbin/ifdown"
 #SCRIPTWHITELIST="/usr/bin/groups"
+SCRIPTWHITELIST=/usr/bin/whatis
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/groups
+SCRIPTWHITELIST=/usr/bin/GET
+SCRIPTWHITELIST=/sbin/ifup
+SCRIPTWHITELIST=/sbin/ifdown
 #
 # Allow the specified commands to have the immutable attribute set.
@@ -495,6 +505,14 @@ IMMUTABLE_SET=0
 #ALLOWHIDDENDIR="/dev/.initramfs"
 #ALLOWHIDDENDIR="/dev/.SRC-unix"
 #ALLOWHIDDENDIR="/dev/.mdadm"
+ALLOWHIDDENDIR=/dev/.udev
+ALLOWHIDDENDIR=/dev/.udevdb
+ALLOWHIDDENDIR=/dev/.udev.tdb
+ALLOWHIDDENDIR=/dev/.static
+ALLOWHIDDENDIR=/dev/.initramfs
+ALLOWHIDDENDIR=/dev/.SRC-unix
+ALLOWHIDDENDIR=/dev/.mdadm
+ALLOWHIDDENDIR=/dev/.systemd
 #
 # Allow the specified hidden files to be whitelisted.
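Review bot: `PKGMGR=RPM` changes the property source from NONE to the RPM database, and the comment directly above says `rkhunter --propupd` must be run whenever this option changes; nothing in the patch shows that happening, so an existing properties database would report spurious property warnings on the next run. If a package scriptlet or install hook runs `--propupd` after this file is installed, a comment here saying so, e.g. `# --propupd is run by the post-install step`, would save the next reader the search.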
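Review bot: The six `SCRIPTWHITELIST=` entries and the eight `ALLOWHIDDENDIR=` entries in the following hunk each permanently silence a warning, but none records why the path is expected on this system (`/usr/bin/GET`, `/dev/.static`, `/dev/.udev.tdb`); the upstream examples above them document the option, not the entry. A `#` line above each entry or group, e.g. `# GET is a perl-libwww helper script shipped as a command`, keeps the whitelist auditable and lets an entry be dropped once the file it excuses is gone.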
@@ -519,6 +537,25 @@ IMMUTABLE_SET=0
 #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
 #ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
 #ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
+ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
+ALLOWHIDDENFILE=/lib*/.libcrypto.so.*.hmac
+ALLOWHIDDENFILE=/lib*/.libssl.so.*.hmac
+ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-add.hmac
+ALLOWHIDDENFILE=/usr/bin/.ssh-agent.hmac
+ALLOWHIDDENFILE=/usr/lib*/.libfipscheck.so.*.hmac
+ALLOWHIDDENFILE=/usr/lib*/.libgcrypt.so.*.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha1hmac.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha256hmac.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha384hmac.hmac
+ALLOWHIDDENFILE=/usr/lib*/hmaccalc/sha512hmac.hmac
+ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
+ALLOWHIDDENFILE=/dev/.mdadm.map
+ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
+ALLOWHIDDENFILE=/usr/sbin/.ipsec.hmac
 #
 # Allow the specified processes to use deleted files. The
@@ -534,6 +571,13 @@ IMMUTABLE_SET=0
 #ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
 #ALLOWPROCDELFILE="/usr/libexec/gconfd-2"
 #ALLOWPROCDELFILE="/usr/sbin/mysqld"
+ALLOWPROCDELFILE=(deleted)
+ALLOWPROCDELFILE=/usr/bin/freshclam
+ALLOWPROCDELFILE=/usr/bin/perl
+ALLOWPROCDELFILE=/usr/bin/python
+ALLOWPROCDELFILE=/usr/libexec/dovecot/imap
+ALLOWPROCDELFILE=/usr/sbin/asterisk
+ALLOWPROCDELFILE=/usr/sbin/httpd
 #
 # Allow the specified processes to listen on any network interface.
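Review bot: `ALLOWPROCDELFILE=/usr/bin/perl` and `ALLOWPROCDELFILE=/usr/bin/python` exempt every perl and python process from the deleted-files check, which is exactly the class of process the check exists to catch, and `ALLOWPROCDELFILE=(deleted)` is not a process pathname at all — unless rkhunter 1.3.8 treats that literal specially it is a no-op, and if it does match it would blanket the whole test. The commented example above, `/usr/sbin/gpm:/etc/X11/abc`, shows the narrower form: name the interpreter together with the specific deleted file it is known to hold open, e.g. `ALLOWPROCDELFILE=/usr/bin/perl:/path/to/KNOWN-FILE` (placeholder). The `(deleted)` entry should be confirmed with a check run or dropped, and a `#` line above the block should say which daemon each interpreter entry stands for.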
@@ -541,8 +585,11 @@ IMMUTABLE_SET=0
 # This is a space-separated list of process names. The option
 # may be specified more than once.
 #
-#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
-#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
+ALLOWPROCLISTEN="/sbin/dhclient"
+ALLOWPROCLISTEN="/usr/sbin/dhcpd"
+#ALLOWPROCLISTEN="/usr/bin/dhcpcd"
+ALLOWPROCLISTEN="/usr/sbin/pppoe"
+#ALLOWPROCLISTEN="/usr/sbin/tcpdump"
 #ALLOWPROCLISTEN="/usr/sbin/snort-plain"
 #ALLOWPROCLISTEN="/usr/local/bin/wpa_supplicant"
@@ -583,6 +630,8 @@ PHALANX2_DIRTEST=0
 #
 #ALLOWDEVFILE="/dev/shm/pulse-shm-*"
 #ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
+ALLOWDEVFILE=/dev/shm/pulse-shm-*
+ALLOWDEVFILE=/dev/md/md-device-map
 #
 # This setting tells rkhunter where the inetd configuration
@@ -686,7 +735,7 @@ PHALANX2_DIRTEST=0
 # This is a space-separated list of pathnames. The option may
 # be specified more than once.
 #
-#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+SYSLOG_CONFIG_FILE=/etc/syslog.conf
 #
 # This option permits the use of syslog remote logging.
@@ -721,6 +770,7 @@ ALLOW_SYSLOG_REMOTE_LOGGING=0
 # The option may be specified more than once.
 #
 #SUSPSCAN_DIRS="/tmp /var/tmp"
+SUSPSCAN_DIRS="/tmp /var/tmp"
 #
 # Directory for temporary files. A memory-based one is better (faster).
@@ -783,7 +833,7 @@ SUSPSCAN_THRESH=200
 # specified, then RKH will assume the O/S release information is on the
 # first non-blank line of the file.
 #
-#OS_VERSION_FILE="/etc/release"
+OS_VERSION_FILE="/etc/redhat-release"
 #
 # The following two options can be used to whitelist files and directories
@@ -976,3 +1026,5 @@ SHOW_LOCK_MSGS=1
 # both programs, then disable the 'hidden_procs' test.
 #
 #DISABLE_UNHIDE=0
+
+INSTALLDIR="/usr"
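Review bot: The `ALLOWPROCLISTEN=` values added here are double-quoted while every other list entry this patch adds (`SCRIPTWHITELIST`, `ALLOWHIDDENDIR`, `ALLOWHIDDENFILE`, `ALLOWPROCDELFILE`, `ALLOWDEVFILE`) is unquoted; both forms presumably parse, but one convention across the file would make it easier to grep and diff later. `ALLOWPROCLISTEN="/usr/sbin/dhcpd"` is also new rather than taken from the upstream examples, so a `#` line saying this host runs a DHCP server would explain why a listener on every interface is expected.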
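Review bot: `INSTALLDIR="/usr"` is appended after the last documented option with no `#` block describing it, unlike every other setting in this file, so a reader cannot tell what rkhunter uses it for or why `/usr` is right for this packaging. Add the header style the file uses elsewhere — a `#` line, a one-sentence purpose such as `# Installation prefix for this packaging of rkhunter.`, and a closing `#` — above the assignment, and check that it agrees with the `SCRIPTDIR=/usr/share/rkhunter/scripts` set earlier in the patch.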