JFIFxxC      C  " }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr### This file is used to configure the daily cron job for chkrootkit(1) ## It is sourced by chkrootkit-daily so needs to be a valid ## shell script. ## ## The majority of the options allow the output of chkrootkit to be ## filtered (changed) and/or ignored to hide false positives. ## Whether the daily cron job should run chkrootkit at all # true/false, default: true RUN_DAILY="true" ## Arguments to pass to chkrootkit (default: ""). # See chkrootkit(1) for details, but particularly useful are # "-q" (especially useful if you set DIFF_MODE=false above ) # "-e" and "-s" (which are yet another way to hide output) # The default is to pass no arguments so you see all output: this is # particularly useful with DIFF_MODE=true as it gives context when the # output changes, but DIFF_MODE hides the text that does not change RUN_DAILY_OPTS="" ## Whether to show changes since last run (true/false, default: true) # true means you will see how the entire differs (using diff(1)) to # the 'expected' output in /var/log/chkrootkit/log.expected # if that file does not exist you will see the whole output. # # If set to false you see the whole output every day - if you do set # DIFF_MODE to "false" you probably also want RUN_DAILY_OPTS="-q" # DIFF_MODE="true" ### The results of chkrootkit are passed through $FILTER and $IGNORE_FILE ## FILTER is a way of changing output to make it stable or hide it ## completely (especially useful when DIFF_MODE=true # # FILTER can be any shell command which will be piped unfiltered output # on stdin and anything written to stdout will become the new, # filtered, output. # # The default uses sed to do two things # 1) stops message (from ifpromisc, run by the 'sniffer' test) about # 'usual' network managers changing if their pid, interface name, # or order changes # 2) stops list of processes not using utmp (from chkutmp) changing if # their pid changes # To disable both of these defaults you can set this to "" or "cat" FILTER="sed -re 's![[:alnum:]]+: PACKET SNIFFER\(((/usr/lib/systemd/systemd-networkd|/usr/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'" ## If $IGNORE_FILE exists then lines of output matching patterns that ## appear in $IGNORE_FILE are removed from the output. Each line in ## $IGNORE_FILE interpreted as an extended regexp, see grep(1). If ## $IGNORE_FILE is empty (the default) or does not exist then no ## filtering is done. # # This is done after $FILTER - you can use either or both. IGNORE_FILE # is slightly simpler but slightly less powerfull than FILTER as you # can only hide, not change output. # # The default is /etc/chkrootkit/chkrootkit.ignore (which is empty by # default, meaning nothing is ignored) IGNORE_FILE="/etc/chkrootkit/chkrootkit.ignore" ## Email address to which output is sent. # If empty, no email is sent by chkrootkit-daily: output is left on stdout # (if running under cron stdout may be emailed) MAILTO="root" ### The remaining options are commented out as the defaults are likely ### to be fine for most users, but you can edit these as well: ## Subject of email # SUBJECT="[chkrootkit] alert for $(hostname --fqdn 2>/dev/null || hostname --short 2>/dev/null || echo "localhost")" ## The chkrootkit(1) scanner that is run # what is actually run is: eval "$IONICE" "$CHKROOTKIT" "$RUN_DAILY_OPTS" #CHKROOTKIT=/usr/sbin/chkrootkit ## Where output is saved #LOG_DIR=/var/log/chkrootkit ## 'Clean' output (after FILTER and IGNORE_FILE) #OUTPUT="$LOG_DIR/log.today" ## 'Raw' output is saved here #RAW_OUTPUT="$OUTPUT.raw" ## 'Expected' output (only used if DIFF_MODE=true) #EXPECTED_OUTPUT="$LOG_DIR/log.expected" ## The default is to run using ionice if possible. ## If you do not want to use ionice at all, set IONICE="" instead #if [ -x /usr/bin/ionice ] && /usr/bin/ionice -c3 true 2>/dev/null; then # IONICE="/usr/bin/ionice -c3" #else # IONICE="" #fi