rkhunter.conf

在网络安全中经常会遇到rootkit

#
# This is the configuration file for Rootkit Hunter.
#
# Please modify it to your own requirements.
# Please review the documentation before posting bug reports or questions.
# To report bugs, obtain updates, or provide patches or comments, please go to:
# http://rkhunter.sourceforge.net
#
# To ask questions about rkhunter, please use the rkhunter-users mailing list.
# Note this is a moderated list: please subscribe before posting.
#
# Lines beginning with a hash (#), and blank lines, will be ignored.
#
# Most of the following options need only be specified once. If
# they appear more than once, then the last one seen will be used.
# Some options are allowed to appear more than once, and the text
# describing the option will say if this is so.
#


#
# If this option is set to 1, it specifies that the mirrors file, which
# is used when the '--update' and '--versioncheck' options are used, is
# to be rotated. Rotating the entries in the file allows a basic form
# of load-balancing between the mirror sites whenever the above options
# are used.
# If the option is set to 0, then the mirrors will be treated as if in
# a priority list. That is, the first mirror will always be used. The
# second mirror will only be used if the first mirror fails, then the
# third mirror will be used if the second fails and so on.
#
ROTATE_MIRRORS=1

#
# If this option is set to 1, it specifies that when the '--update'
# option is used, then the mirrors file is to be checked for updates
# as well. If the current mirrors file contains any local mirrors,
# these will be prepended to the updated file.
# If this option is set to 0, the mirrors file can only be updated
# manually. This may be useful if only using local mirrors.
#
UPDATE_MIRRORS=1

#
# The MIRRORS_MODE option tells rkhunter which mirrors are to be
# used when the '--update' or '--versioncheck' command-line options
# are given. Possible values are:
#     0 - use any mirror (the default)
#     1 - only use local mirrors
#     2 - only use remote mirrors
#
# Local and remote mirrors can be defined in the mirrors.dat file
# by using the 'local=' and 'remote=' keywords respectively.
#
MIRRORS_MODE=0

#
# Email a message to this address if a warning is found when the
# system is being checked. Multiple addresses may be specified
# simply be separating them with a space.
#
#MAIL-ON-WARNING=me@mydomain   root@mydomain

#
# Specify the mail command to use if MAIL-ON-WARNING is set.
# NOTE: Double quotes are not required around the command, but
# are required around the subject line if it contains spaces.
#
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

#
# Specify the temporary directory to use.
#
# NOTE: Do not use /tmp as your temporary directory. Some
# important files will be written to this directory, so be
# sure that the directory permissions are tight.
#
#TMPDIR=/var/lib/rkhunter/tmp

#
# Specify the database directory to use.
#
#DBDIR=/var/lib/rkhunter/db

#
# Specify the script directory to use.
#
#SCRIPTDIR=/usr/local/lib/rkhunter/scripts

#
# Specify the root directory to use.
#
#ROOTDIR=""

#
# Specify the command directories to be checked. This is a
# space-separated list of directories.
#
#BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec"

#
# Specify the language to use. This should be similar
# to the ISO 639 language code.
#
# NOTE: Please ensure that the language you specify is supported.
#       For a list of supported languages use the following command:
#
#           rkhunter --lang en --list languages
#
#LANGUAGE=en

#
# Specify the log file pathname.
#
LOGFILE=/var/log/rkhunter.log

#
# Set the following option to 1 if the log file is to be appended to
# whenever rkhunter is run.
#
APPEND_LOG=0

#
# Set the following option to enable the rkhunter check start and finish
# times to be logged by syslog. Warning messages will also be logged.
# The value of the option must be a standard syslog facility and
# priority, separated by a dot.
#
# For example: USE_SYSLOG=authpriv.warning
#
# Setting the value to 'none', or just leaving the option commented out,
# disables the use of syslog.
#
#USE_SYSLOG=authpriv.notice

#
# Set the following option to 1 if the second colour set is to be used.
# This can be useful if your screen uses black characters on a white
# background (for example, a PC instead of a server).
#
COLOR_SET2=0

#
# Set the following option to 0 if rkhunter should not detect if X is
# being used. If X is detected as being used, then the second colour
# set will automatically be used.
#
AUTO_X_DETECT=1

#
# The following option is checked against the SSH configuration file
# 'PermitRootLogin' option. A warning will be displayed if they do not
# match. However, if a value has not been set in the SSH configuration
# file, then a value here of 'yes' or 'unset' will not cause a warning.
# This option has a default value of 'no'.
#
ALLOW_SSH_ROOT_USER=no

#
# Set this option to '1' to allow the use of the SSH-1 protocol, but note
# that theoretically it is weaker, and therefore less secure, than the
# SSH-2 protocol. Do not modify this option unless you have good reasons
# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
# authentication). If the 'Protocol' option has not been set in the SSH
# configuration file, then a value of '2' may be set here in order to
# suppress a warning message. This option has a default value of '0'.
#
ALLOW_SSH_PROT_V1=0

#
# This setting tells rkhunter the directory containing the SSH configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
#SSH_CONFIG_DIR=/etc/ssh

#
# These two options determine which tests are to be performed.
# The ENABLE_TESTS option can use the word 'all' to refer to all the
# available tests. The DISABLE_TESTS option can use the word 'none' to
# mean that no tests are disabled. The list of disabled tests is applied to
# the list of enabled tests. Both options are space-separated lists of test
# names. The currently available test names can be seen by using the command
# 'rkhunter --list tests'.
#
# The program defaults are to enable all tests and disable none. However, if
# either option is specified in this file, then it overrides the program
# default. The supplied rkhunter.conf file has some tests already disabled,
# and these are tests that will be used only incidentally, can be considered
# "advanced" or those that are prone to produce more than the "average" number
# of "false positives".
#
# Please read the README file for more details about enabling and disabling
# tests, the test names, and how rkhunter behaves when these options are used.
#
ENABLE_TESTS="all"
DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"

#
# The HASH_FUNC option can be used to specify the command to use
# for the file hash value check. It can be specified as just
# the command name or the full pathname. Systems using prelinking
# are restricted to using either SHA1 or MD5 functions. To get rkhunter
# to look for the sha1(sum)/md5(sum) command, or to use the supplied
# perl scripts, simply specify this option as 'SHA1' or 'MD5' in
# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found.
#
# A value of 'NONE' (in uppercase) can be specified to indicate that
# no hash function should be used. Rootkit Hunter will detect this and
# automatically disable the file hash checks.
#
# Examples:
#   For Solaris 9 : HASH_FUNC=gmd5sum
#   For Solaris 10: HASH_FUNC=sha1sum
#   For AIX (>5.2): HASH_FUNC="csum -hMD5"
#   For NetBSD    : HASH_FUNC="cksum -a sha512"
#
# NOTE: If the hash function is changed then you MUST run rkhunter with
#       the '--propupd' option to rebuild the file properties database.
#
#HASH_FUNC=sha1sum

#
# The HASH_FLD_IDX option specifies which field from the HASH_FUNC
# command output contains the hash value. The fields are assumed to
# be space-separated. The default value is one, but for *BSD users
# rkhunter will, by default, use a value of 4 if the HASH_FUNC option
# has not been set. The option value must be a positive integer.
#
#HASH_FLD_IDX=4

#
# The PKGMGR option tells rkhunter to use the specified package manager
# to obtain the file property information. This is used when updating
# the file properties file 'rkhunter.dat', and when running the file
# properties check. For RedHat/RPM-based systems, 'RPM' can be used
# to get information from the RPM database. For Debian-based systems
# 'DPKG' can be used, and for *BSD systems 'BSD' can be used.
# No value, or a value of 'NONE', indicates that no package manager
# is to be used. The default is 'NONE'.
#
# The current package managers store the file hash values using an
# MD5 hash function.
#
# The 'DPKG' and 'BSD' package managers only provide MD5 hash values.
# The 'RPM' package manager additionally provides values for the inode,
# file permissions, uid, gid and other values.
#
# For any file not part of a package, rkhunter will revert to using
# the HASH_FUNC hash function instead.
#
#PKGMGR=NONE

#
# Whitelist various attributes of the specified files.
# The attributes are those of the 'attributes' test.
# Specifying a file name here does not include it being
# whitelisted for the write permission test below.
# One command per line (use multiple ATTRWHITELIST lines).
#
#ATTRWHITELIST=/bin/ps

#
# Allow the specified commands to have the 'others'
# (world) permission have the write-bit set.
#
# For example, files with permissions r-xr-xrwx
# or rwxrwxrwx.
#
# One command per line (use multiple WRITEWHITELIST lines).
#
#WRITEWHITELIST=/bin/ps

#
# Allow the specified commands to be scripts.
# One command per line (use multiple SCRIPTWHITELIST lines).
#
#SCRIPTWHITELIST=/sbin/ifup
#SCRIPTWHITELIST=/sbin/ifdown
#SCRIPTWHITELIST=/usr/bin/groups