rkhunter.conf

在网络安全中经常会遇到rootkit

#
# Allow the specified commands to have the immutable attribute set.
# One command per line (use multiple IMMUTWHITELIST lines).
#
#IMMUTWHITELIST=/sbin/ifup

#
# Allow the specified hidden directories.
# One directory per line (use multiple ALLOWHIDDENDIR lines).
#
#ALLOWHIDDENDIR=/etc/.java
#ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
#ALLOWHIDDENDIR=/dev/.udev.tdb
#ALLOWHIDDENDIR=/dev/.static
#ALLOWHIDDENDIR=/dev/.initramfs
#ALLOWHIDDENDIR=/dev/.SRC-unix

#
# Allow the specified hidden files.
# One file per line (use multiple ALLOWHIDDENFILE lines).
# 
#ALLOWHIDDENFILE=/etc/.java
#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
#ALLOWHIDDENFILE=/etc/.pwd.lock
#ALLOWHIDDENFILE=/etc/.init.state

#
# Allow the specified processes to use deleted files.
# One process per line (use multiple ALLOWPROCDELFILE lines).
#
#ALLOWPROCDELFILE=/sbin/cardmgr
#ALLOWPROCDELFILE=/usr/sbin/gpm
#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
#ALLOWPROCDELFILE=/usr/sbin/mysqld

#
# Allow the specified processes to listen on any network interface.
# One process per line (use multiple ALLOWPROCLISTEN lines).
#
#ALLOWPROCLISTEN=/sbin/dhclient
#ALLOWPROCLISTEN=/usr/bin/dhcpcd
#ALLOWPROCLISTEN=/usr/sbin/pppoe
#ALLOWPROCLISTEN=/usr/sbin/tcpdump
#ALLOWPROCLISTEN=/usr/sbin/snort-plain
#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant

#
# SCAN_MODE_DEV governs how we scan /dev for suspicious files.
# The two allowed options are: THOROUGH or LAZY.
# If commented out we do a THOROUGH scan which will increase the runtime.
# Even though this adds to the running time it is highly recommended to
# leave it like this.
#
#SCAN_MODE_DEV=THOROUGH

#
# Allow the specified files to be present in the /dev directory,
# and not regarded as suspicious. One file per line (use multiple
# ALLOWDEVFILE lines).
#
#ALLOWDEVFILE=/dev/abc
#ALLOWDEVFILE=/dev/shm/pulse-shm-*

#
# This setting tells rkhunter where the inetd configuration
# file is located.
#
#INETD_CONF_PATH=/etc/inetd.conf

#
# Allow the following enabled inetd services.
# Only one service per line (use multiple INETD_ALLOWED_SVC lines).
#
# Below are some Solaris 9 and 10 services that may want to be whitelisted.
#
#INETD_ALLOWED_SVC=echo
#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd
#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto
#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd
#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd
#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd
#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd
#INETD_ALLOWED_SVC=/usr/lib/gss/gssd
#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader
#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd
#INETD_ALLOWED_SVC=/network/rpc/mdcomm
#INETD_ALLOWED_SVC=/network/rpc/meta
#INETD_ALLOWED_SVC=/network/rpc/metamed
#INETD_ALLOWED_SVC=/network/rpc/metamh
#INETD_ALLOWED_SVC=/network/security/ktkt_warn
#INETD_ALLOWED_SVC=/application/x11/xfs
#INETD_ALLOWED_SVC=/application/print/rfc1179
#INETD_ALLOWED_SVC=/application/font/stfsloader
#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp
#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp

#
# This setting tells rkhunter where the xinetd configuration
# file is located.
#
#XINETD_CONF_PATH=/etc/xinetd.conf

#
# Allow the following enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing
# we only have the pathname available. As such, these entries are
# the xinetd file pathnames.
# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo

#
# This setting tells rkhunter the local system startup file pathnames.
# More than one file may be present on the system, and so this option
# can be a space-separated list. This setting will be worked out by
# rkhunter, and so should not usually need to be set.
#
# If the system uses a directory of local startup scripts, then rather
# that setting all the file names here, leave this setting blank, and
# specify the directory name in SYSTEM_RC_DIR instead.
#
# If the system does not use a local startup script at all, then this
# setting can be set to 'none'. Without this, rkhunter would give a
# warning that no local startup script could be found.
#
#LOCAL_RC_PATH="/etc/rc.local /etc/rc.d/rc.sysinit"

#
# This setting tells rkhunter the local system startup file directory.
# This setting will be worked out by rkhunter, and so should not usually
# need to be set.
#
#SYSTEM_RC_DIR=/etc/rc.d

#
# This setting tells rkhunter the pathname to the file containing the
# user account passwords. This setting will be worked out by rkhunter,
# and so should not usually need to be set.
#
#PASSWORD_FILE=/etc/shadow

#
# Allow the following accounts to be root equivalent. These accounts
# will have a UID value of zero. This option is a space-separated list
# of account names. The 'root' account does not need to be listed as it
# is automatically whitelisted.
#
# Note: For *BSD systems you may need to enable this for the 'toor' account.
#
#UID0_ACCOUNTS="toor rooty"

#
# Allow the following accounts to have no password. This option is a
# space-separated list of account names. NIS/YP entries do not need to
# be listed as they are automatically whitelisted.
#
#PWDLESS_ACCOUNTS="abc"

#
# This setting tells rkhunter the pathname to the syslog configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf

#
# This option permits the use of syslog remote logging.
#
ALLOW_SYSLOG_REMOTE_LOGGING=0

#
# Allow the following applications, or a specific version of an application,
# to be whitelisted. This option is a space-separated list consisting of the
# application names. If a specific version is to be whitelisted, then the
# name must be followed by a colon and then the version number.
#
# For example: APP_WHITELIST="openssl:0.9.7d gpg"
#
#APP_WHITELIST=""

# 
# Scan for suspicious files in directories containing temporary files and
# directories posing a relatively higher risk due to user write access.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
# Also be aware that running suspscan in combination with verbose logging on,
# RKH's default, will show all ignored files.
# Please consider adding all directories the user the (web)server runs as has 
# write access to including the document root (example: "/var/www") and log
# directories (example: "/var/log/httpd"). 
#
# A space-separated list of directories to scan.
#
SUSPSCAN_DIRS="/tmp /var/tmp"

#
# Directory for temporary files. A memory-based one is better (faster).
# Do not use a directory name that is listed in SUSPSCAN_DIRS.
# Please make sure you have a tempfs mounted and the directory exists.
#
SUSPSCAN_TEMP=/dev/shm

#
# Maximum filesize in bytes. Files larger than this will not be inspected.
# Do make sure you have enough space left in your temporary files directory.
#
SUSPSCAN_MAXSIZE=10240000

#
# Score threshold. Below this value no hits will be reported.
# A value of "200" seems "good" after testing on malware. Please adjust
# locally if necessary. 
#
SUSPSCAN_THRESH=200

#
# The following option can be used to whitelist network ports which
# are known to have been used by malware. The option is a space-
# separated list of one or more of three types of whitelisting.
# These are:
#
#   1) a 'protocol:port' pair       (e.g. TCP:25)
#   2) a pathname to an executable  (e.g. /usr/sbin/squid)
#   3) an asterisk ('*')
#
# Only the UDP or TCP protocol may be specified, and the port number
# must be between 1 and 65535 inclusive.
#
# The asterisk can be used to indicate that any executable in a trusted
# path directory will be whitelisted. A trusted path directory is one which
# rkhunter uses to locate commands. It is composed of the root PATH
# environment variable, and the BINDIR command-line or configuration
# file option.
#
# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
#
#PORT_WHITELIST=""

#
# The following option can be used to tell rkhunter where the operating
# system 'release' file is located. This file contains information
# specifying the current O/S version. RKH will store this information
# itself, and check to see if it has changed between each run. If it has
# changed, then the user is warned that RKH may issue warning messages
# until RKH has been run with the '--propupd' option.
#
# Since the contents of the file vary according to the O/S distribution,
# RKH will perform different actions when it detects the file itself. As
# such, this option should not be set unless necessary. If this option is
# specified, then RKH will assume the O/S release information is on the
# first non-blank line of the file.
#
#OS_VERSION_FILE="/etc/release"

#
# The following two options can be used to whitelist files and directories
# that would normally be flagged with a warning during the rootkit checks.
# If the file or directory name contains a space, then the percent character
# ('%') must be used instead. Only existing files and directories can be
# specified.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""

#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
# command, then the following two options can be used. The value must be
# set to 'BUILTIN'.
#
# NOTE: IRIX users will probably need to enable STAT_CMD.
#
#STAT_CMD=BUILTIN
#READLINK_CMD=BUILTIN