merci, voici :
#
#ALLOWHIDDENDIR="/etc/.java"
#ALLOWHIDDENDIR="/dev/.static"
#ALLOWHIDDENDIR="/dev/.SRC-unix"
#ALLOWHIDDENDIR="/etc/.etckeeper"
#
# Allow the specified hidden files to be whitelisted.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWHIDDENFILE="/etc/.java"
#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
#ALLOWHIDDENFILE="/etc/.pwd.lock"
#ALLOWHIDDENFILE="/etc/.init.state"
#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
#ALLOWHIDDENFILE="/etc/.gitignore"
#ALLOWHIDDENFILE="/etc/.bzrignore"
#
# Allow the specified processes to use deleted files. The
# process name may be followed by a colon-separated list of
# full pathnames. The process will then only be whitelisted
# if it is using one of the given files. For example:
#
# ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz"
#
# This is a space-separated list of process names. The option
# may be specified more than once. The option may use wildcard
# characters, but only in the file names.
#
#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2"
#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*"
#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin"
#ALLOWPROCDELFILE="/usr/bin/file-roller"
#
# Allow the specified processes to listen on any network interface.
#
# This is a space-separated list of process names. The option
# may be specified more than once.
#
#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
#ALLOWPROCLISTEN="/usr/sbin/snort-plain"
#
# Allow the specified network interfaces to be in promiscuous mode.
#
# This is a space-separated list of interface names. The option may
# be specified more than once.
#
#ALLOWPROMISCIF="eth0"
#
# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
# The two allowed options are: THOROUGH or LAZY.
# If commented out we do a THOROUGH scan which will increase the runtime.
# Even though this adds to the running time it is highly recommended to
# leave it like this.
#
#SCAN_MODE_DEV=THOROUGH
#
# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
# perform a basic check, or a more thorough check. If the option is set to 0,
# then a basic check is performed. If it is set to 1, then all the directries
# in the /etc and /usr directories are scanned. The default value is 0. Users
# should note that setting this option to 1 will cause the test to take longer
# to complete.
#
PHALANX2_DIRTEST=0
#
# Allow the specified files to be present in the /dev directory,
# and not regarded as suspicious.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWDEVFILE="/dev/shm/pulse-shm-*"
#ALLOWDEVFILE="/dev/shm/sem.ADBE_*"
#
# This setting tells rkhunter where the inetd configuration
# file is located.
#
#INETD_CONF_PATH=/etc/inetd.conf
#
# Allow the following enabled inetd services.
#
# This is a space-separated list of service names. The option may
# be specified more than once.
#
# For non-Solaris users the simple service name should be used.
# For example:
#
# INETD_ALLOWED_SVC=echo
#
# For Solaris 9 users the simple service name should also be used, but
# if it is an RPC service, then the executable pathname should be used.
# For example:
#
# INETD_ALLOWED_SVC=imaps
# INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd"
#
# For Solaris 10 users the service/FMRI name should be used. For example:
#
# INETD_ALLOWED_SVC=/network/rpc/meta
# INETD_ALLOWED_SVC=/network/rpc/metamed
# INETD_ALLOWED_SVC=/application/font/stfsloader
# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#
#INETD_ALLOWED_SVC=echo
#
# This setting tells rkhunter where the xinetd configuration
# file is located.
#
#XINETD_CONF_PATH=/etc/xinetd.conf
#
# Allow the following enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing
# we only have the pathname available. As such, these entries are
# the xinetd file pathnames.
#
# This is a space-separated list of service names. The option may
# be specified more than once.
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
#
# This option tells rkhunter the local system startup file pathnames.
# The directories will be searched for files. By default rkhunter
# will use certain filenames and directories. If the option is set
# to 'none', then certain tests will be skipped.
#
# This is a space-separated list of file and directory pathnames.
# The option may be specified more than once. The option may use
# wildcard characters.
#
#STARTUP_PATHS="/etc/init.d /etc/rc.local"
#
# This setting tells rkhunter the pathname to the file containing the
# user account passwords. This setting will be worked out by rkhunter,
# and so should not usually need to be set. Users of TCB shadow files
# should not set this option.
#
#PASSWORD_FILE=/etc/shadow
#
# Allow the following accounts to be root equivalent. These accounts
# will have a UID value of zero. The 'root' account does not need to
# be listed as it is automatically whitelisted.
#
# This is a space-separated list of account names. The option may
# be specified more than once.
#
# NOTE: For *BSD systems you will probably need to use this option
# for the 'toor' account.
#
#UID0_ACCOUNTS="toor rooty sashroot"
#
# Allow the following accounts to have no password. NIS/YP entries do
# not need to be listed as they are automatically whitelisted.
#
# This is a space-separated list of account names. The option may
# be specified more than once.
#
#PWDLESS_ACCOUNTS="abc"
#
# This setting tells rkhunter the pathname to the syslog configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set. A value of 'NONE' can be used to indicate
# that there is no configuration file, but that the syslog daemon process
# may be running.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf
#
# This option permits the use of syslog remote logging.
#
ALLOW_SYSLOG_REMOTE_LOGGING=0
#
# Allow the following applications, or a specific version of an application,
# to be whitelisted. This option may be specified more than once, and is a
# space-separated list consisting of the application names. If a specific
# version is to be whitelisted, then the name must be followed by a colon
# and then the version number. For example:
#
# APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
#
# Note above that for the Apache web server, the name 'httpd' is used.
#
#APP_WHITELIST=""
#
# Scan for suspicious files in directories containing temporary files and
# directories posing a relatively higher risk due to user write access.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
# Also be aware that running suspscan in combination with verbose logging on,
# RKH's default, will show all ignored files.
# Please consider adding all directories the user the (web)server runs as has
# write access to including the document root (example: "/var/www") and log
# directories (example: "/var/log/httpd").
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once.
#
#SUSPSCAN_DIRS="/tmp /var/tmp"
#
# Directory for temporary files. A memory-based one is better (faster).
# Do not use a directory name that is listed in SUSPSCAN_DIRS.
# Please make sure you have a tempfs mounted and the directory exists.
#
SUSPSCAN_TEMP=/dev/shm
#
# Maximum filesize in bytes. Files larger than this will not be inspected.
# Do make sure you have enough space left in your temporary files directory.
#
SUSPSCAN_MAXSIZE=10240000
#
# Score threshold. Below this value no hits will be reported.
# A value of "200" seems "good" after testing on malware. Please adjust
# locally if necessary.
#
SUSPSCAN_THRESH=200
#
# The following option can be used to whitelist network ports which
# are known to have been used by malware. This option may be specified
# more than once. The option is a space-separated list of one or more
# of four types of whitelisting. These are:
#
# 1) a 'protocol:port' pair (e.g. TCP:25)
# 2) a pathname to an executable (e.g. /usr/sbin/squid)
# 3) a combined pathname, protocol and port
# (e.g. /usr/sbin/squid:TCP:3801)
# 4) an asterisk ('*')
#
# Only the UDP or TCP protocol may be specified, and the port number
# must be between 1 and 65535 inclusive.
#
# The asterisk can be used to indicate that any executable which rkhunter
# can locate as a command, is whitelisted. (See BINDIR in this file.)
#
# For example:
#
# PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
#
# NOTE: In order to whitelist a pathname, or use the asterisk option,
# the 'lsof' command must be present.
#
#PORT_WHITELIST=""
#
# The following option can be used to tell rkhunter where the operating
# system 'release' file is located. This file contains information
# specifying the current O/S version. RKH will store this information
# itself, and check to see if it has changed between each run. If it has
# changed, then the user is warned that RKH may issue warning messages
# until RKH has been run with the '--propupd' option.
#
# Since the contents of the file vary according to the O/S distribution,
# RKH will perform different actions when it detects the file itself. As
# such, this option should not be set unless necessary. If this option is
# specified, then RKH will assume the O/S release information is on the
# first non-blank line of the file.
#
#OS_VERSION_FILE="/etc/debian_version"
#
# The following two options can be used to whitelist files and directories
# that would normally be flagged with a warning during the various rootkit
# and malware checks. If the file or directory name contains a space, then
# the percent character ('%') must be used instead. Only existing files and
# directories can be specified, and these must be full pathnames not links.
#
# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
# file name (separated by a colon). This will then only whitelist that string
# in that file (as part of the malware checks). For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
#
# If the option list includes the filename on its own as well, then the file
# will be whitelisted from rootkit checks of the files existence, but still
# only the specific string within the file will be whitelisted. For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
#
# To whitelist a file from the existence checks, but not from the strings
# checks, then include the filename on its own and on its own but with
# just a colon appended. For example:
#
# RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# These are space-separated lists of file and directory pathnames.
# The options may be specified more than once.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""
#
# The following option can be used to whitelist shared library files that would
# normally be flagged with a warning during the preloaded shared library check.
# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
# the LD_PRELOAD environment variable.
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# This is a space-separated list of library pathnames.
# The option may be specified more than once.
#
#SHARED_LIB_WHITELIST="/lib/snoopy.so"
#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
# command, then the following two options can be used. The value must be
# set to 'BUILTIN'.
#
# NOTE: IRIX users will probably need to enable STAT_CMD.
#
#STAT_CMD=BUILTIN
#READLINK_CMD=BUILTIN
#
# In the file properties test any modification date/time is displayed as the
# number of epoch seconds. Rkhunter will try and use the 'date' command, or
# failing that the 'perl' command, to display the date and time in a
# human-readable format as well. This option may be used if some other command
# should be used instead. The given command must understand the '%s' and
# 'seconds ago' options found in the GNU date command.
#
# A value of 'NONE' may be used to request that only the epoch seconds be shown.
# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
# it is present.
#
#EPOCH_DATE_CMD=""
#
# This setting tells rkhunter the directory containing the available
# Linux kernel modules. This setting will be worked out by rkhunter,
# and so should not usually need to be set.
#
#MODULES_DIR=""
#
# The following option can be set to a command which rkhunter will use when
# downloading files from the Internet - that is, when the '--update' or
# '--versioncheck' option is used. The command can take options.
#
# This allows the user to use a command other than the one automatically
# selected by rkhunter, but still one which it already knows about.
# For example:
#
# WEB_CMD=curl
#
# Alternatively, the user may specify a completely new command. However, note
# that rkhunter expects the downloaded file to be written to stdout, and that
# everything written to stderr is ignored. For example:
#
# WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
#
# *BSD users may want to use the 'ftp' command, provided that it supports
# the HTTP protocol:
#
# WEB_CMD="ftp -o -"
#
#WEB_CMD=""
#
# Set the following option to 0 if you do not want to receive a warning if
# any O/S information has changed since the last run of 'rkhunter --propupd'.
# The warnings occur during the file properties check. The default is to
# issue a warning if something has changed.
#
#WARN_ON_OS_CHANGE=1
#
# Set the following option to 1 if you want rkhunter to automatically run
# a file properties update ('--propupd') if the O/S has changed. Detection
# of an O/S change occurs during the file properties check. The default is
# not to do an automatic update.
#
# WARNING: Only set this option if you are sure that the update will work
# correctly. That is, that the database directory is writeable, that a valid
# hash function is available, and so on. This can usually be checked simply
# by running 'rkhunter --propupd' at least once.
#
#UPDT_ON_OS_CHANGE=0
#
# Set the following option to 1 if locking is to be used when rkhunter runs.
# The lock is set just before logging starts, and is removed when the program
# ends. It is used to prevent items such as the log file, and the file
# properties file, from becoming corrupted if rkhunter is running more than
# once. The mechanism used is to simply create a lock file in the TMPDIR
# directory. If the lock file already exists, because rkhunter is already
# running, then the current process simply loops around sleeping for 10 seconds
# and then retrying the lock.
#
# The default is not to use locking.
#
USE_LOCKING=0
#
# If locking is used, then rkhunter may have to wait to get the lock file.
# This option sets the total amount of time, in seconds, that rkhunter should
# wait. It will retry the lock every 10 seconds, until either it obtains the
# lock or the timeout value has been reached. If no value is set, then a
# default of 300 seconds (5 minutes) is used.
#
LOCK_TIMEOUT=300
#
# If locking is used, then rkhunter may be doing nothing for some time if it
# has to wait for the lock. Some simple messages are echo'd to the users screen
# to let them know that rkhunter is waiting for the lock. Set this option to 0
# if the messages are not to be displayed. The default is to show them.
#
SHOW_LOCK_MSGS=1
#
# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
# will search (on a per rootkit basis) for filenames in all of the directories (as defined
# by the result of running 'find / -xdev'). While still not optimal, as it
# still searches for only file names as opposed to file contents, this is one step away
# from the rigidity of searching in known (evidence) or default (installation) locations.
#
# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
#
# You should only activate this feature as part of a more thorough investigation which
# should be based on relevant best practices and procedures.
#
# Enabling this feature implies you have the knowledge to interpret the results properly.
#
#SCANROOTKITMODE=THOROUGH
#
# The following option can be set to the name(s) of the tests the 'unhide' command is
# to use. In order to maintain compatibility with older versions of 'unhide', this
# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but
# will only take effect when they are seen. The test names are a space-separated list,
# and will be executed in the order given.
#
#UNHIDE_TESTS="sys"
#
# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it
# is possible to disable the execution of one of the programs if desired. By default
# rkhunter will look for both programs, and execute each of them as they are found.
# If the value of this option is 0, then both programs will be executed if they are
# present. A value of 1 will disable execution of the C 'unhide' program, and a value
# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable
# both programs, then disable the 'hidden_procs' test.
#
DISABLE_UNHIDE=1
INSTALLDIR="/usr"
