mkdir -p './dbus-1/session.d'
mkdir -p './fish/completions'
mkdir -p './glvnd/egl_vendor.d'
+mkdir -p './grokevt/systems'
mkdir -p './guest-session'
mkdir -p './initramfs-tools/hooks'
mkdir -p './initramfs-tools/scripts/init-bottom'
mkdir -p './request-key.d'
mkdir -p './security/limits.d'
mkdir -p './security/namespace.d'
+mkdir -p './smartmontools/smartd_warning.d'
mkdir -p './systemd/network'
mkdir -p './systemd/user'
mkdir -p './udev/hwdb.d'
maybe chmod 0644 'apt/apt.conf.d/50unattended-upgrades'
maybe chmod 0644 'apt/apt.conf.d/60icons'
maybe chmod 0644 'apt/apt.conf.d/70debconf'
+maybe chmod 0644 'apt/apt.conf.d/90rkhunter'
maybe chmod 0644 'apt/apt.conf.d/99update-notifier'
maybe chmod 0755 'apt/preferences.d'
maybe chmod 0664 'apt/sources.list'
maybe chmod 0755 'cron.daily/ntp'
maybe chmod 0755 'cron.daily/passwd'
maybe chmod 0755 'cron.daily/popularity-contest'
+maybe chmod 0755 'cron.daily/rkhunter'
maybe chmod 0755 'cron.daily/rsnapshot'
maybe chmod 0755 'cron.daily/ubuntu-advantage-tools'
maybe chmod 0755 'cron.daily/update-notifier-common'
maybe chmod 0644 'cron.weekly/.placeholder'
maybe chmod 0755 'cron.weekly/0anacron'
maybe chmod 0755 'cron.weekly/man-db'
+maybe chmod 0755 'cron.weekly/rkhunter'
maybe chmod 0755 'cron.weekly/rsnapshot'
maybe chmod 0755 'cron.weekly/update-notifier-common'
maybe chmod 0644 'crontab'
maybe chmod 0644 'default/openvpn'
maybe chmod 0644 'default/psad'
maybe chmod 0644 'default/rcS'
+maybe chmod 0644 'default/rkhunter'
maybe chmod 0644 'default/rsync'
maybe chmod 0644 'default/rsyslog'
maybe chmod 0644 'default/saned'
+maybe chmod 0644 'default/smartmontools'
maybe chmod 0644 'default/speech-dispatcher'
maybe chmod 0644 'default/ssh'
maybe chmod 0644 'default/ufw'
maybe chmod 0755 'groff'
maybe chmod 0644 'groff/man.local'
maybe chmod 0644 'groff/mdoc.local'
+maybe chmod 0755 'grokevt'
+maybe chmod 0755 'grokevt/systems'
maybe chmod 0644 'group'
maybe chmod 0644 'group-'
maybe chmod 0755 'grub.d'
maybe chmod 0644 'gtk-3.0/im-multipress.conf'
maybe chmod 0755 'gtk-3.0/settings.ini'
maybe chmod 0755 'guest-session'
+maybe chmod 0755 'guymager'
+maybe chmod 0644 'guymager/guymager.cfg'
maybe chmod 0644 'hdparm.conf'
maybe chmod 0644 'host.conf'
maybe chmod 0644 'hostname'
maybe chmod 0755 'init.d/sendsigs'
maybe chmod 0755 'init.d/single'
maybe chmod 0644 'init.d/skeleton'
+maybe chmod 0755 'init.d/smartmontools'
maybe chmod 0755 'init.d/speech-dispatcher'
maybe chmod 0755 'init.d/ssh'
maybe chmod 0755 'init.d/thermald'
maybe chmod 0755 'logcheck/ignore.d.server'
maybe chmod 0644 'logcheck/ignore.d.server/gpg-agent'
maybe chmod 0644 'logcheck/ignore.d.server/libsasl2-modules'
+maybe chmod 0644 'logcheck/ignore.d.server/rkhunter'
maybe chmod 0644 'logcheck/ignore.d.server/rsyslog'
maybe chmod 0644 'login.defs'
maybe chmod 0644 'logrotate.conf'
maybe chmod 0644 'logrotate.d/mongodb-server'
maybe chmod 0644 'logrotate.d/pm-utils'
maybe chmod 0644 'logrotate.d/ppp'
+maybe chmod 0644 'logrotate.d/rkhunter'
maybe chmod 0644 'logrotate.d/rsnapshot'
maybe chmod 0644 'logrotate.d/rsyslog'
maybe chmod 0644 'logrotate.d/speech-dispatcher'
maybe chmod 0755 'resolvconf/update-libc.d/postfix'
maybe chmod 0755 'resolvconf/update.d'
maybe chmod 0755 'resolvconf/update.d/libc'
+maybe chmod 0644 'rkhunter.conf'
maybe chmod 0755 'rmt'
maybe chmod 0644 'rpc'
maybe chmod 0644 'rsnapshot.conf'
maybe chmod 0644 'sane.d/umax1220u.conf'
maybe chmod 0644 'sane.d/umax_pp.conf'
maybe chmod 0644 'sane.d/xerox_mfp.conf'
+maybe chmod 0755 'scalpel'
+maybe chmod 0644 'scalpel/scalpel.conf'
maybe chmod 0644 'screenrc'
maybe chmod 0644 'securetty'
maybe chmod 0755 'security'
maybe chmod 0644 'skel/.bashrc'
maybe chmod 0644 'skel/.profile'
maybe chmod 0644 'skel/examples.desktop'
+maybe chmod 0644 'smartd.conf'
+maybe chmod 0755 'smartmontools'
+maybe chmod 0755 'smartmontools/run.d'
+maybe chmod 0755 'smartmontools/run.d/10mail'
+maybe chmod 0755 'smartmontools/run.d/10powersave-notify'
+maybe chmod 0755 'smartmontools/smartd_warning.d'
maybe chmod 0644 'smi.conf'
maybe chmod 0755 'speech-dispatcher'
maybe chmod 0755 'speech-dispatcher/clients'
--- /dev/null
+/usr/bin/python2-futurize
\ No newline at end of file
--- /dev/null
+/usr/bin/mpg123.bin
\ No newline at end of file
--- /dev/null
+/usr/share/man/man1/mpg123.bin.1.gz
\ No newline at end of file
--- /dev/null
+/usr/bin/mpg123.bin
\ No newline at end of file
--- /dev/null
+/usr/share/man/man1/mpg123.bin.1.gz
\ No newline at end of file
--- /dev/null
+/usr/bin/python2-pasteurize
\ No newline at end of file
--- /dev/null
+/usr/bin/python2-pbr
\ No newline at end of file
--- /dev/null
+// Makes sure that rkhunter file properties database is updated after each remove or install only APT_AUTOGEN is enabled
+DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ] && grep -qiE '^APT_AUTOGEN=.?(true|yes)' /etc/default/rkhunter; then /usr/share/rkhunter/scripts/rkhupd.sh; fi"; };
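Review bot: The comment on the first line of this file ends "after each remove or install only APT_AUTOGEN is enabled", which drops the conditional and reads as if the update is unconditional; `// Makes sure that the rkhunter file properties database is updated after each remove or install, but only if APT_AUTOGEN is enabled in /etc/default/rkhunter` states what the hook on the next line actually tests. The `grep -qiE '^APT_AUTOGEN=.?(true|yes)'` pattern accepts an optional quote before the value, so the quoted defaults in /etc/default/rkhunter match as intended; worth saying so in the comment, since a reader may otherwise assume the match is exact.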
--- /dev/null
+#!/bin/sh
+
+RKHUNTER=/usr/bin/rkhunter
+
+test -x $RKHUNTER || exit 0
+
+# source our config
+. /etc/default/rkhunter
+
+if [ -z "$NICE" ]; then
+ NICE=0
+fi
+
+if [ -z "$RUN_CHECK_ON_BATTERY" ]; then
+ RUN_CHECK_ON_BATTERY="false"
+fi
+
+# Do not run daily check if running on battery except if explicitely allowed
+if [ -x /usr/bin/on_ac_power >/dev/null 2>&1 ]; then
+ on_ac_power >/dev/null 2>&1
+ [ $? -eq 1 -a "$RUN_CHECK_ON_BATTERY" != "true" ] && exit 0
+fi
+
+case "$CRON_DAILY_RUN" in
+ [YyTt]*)
+ OUTFILE=`mktemp` || exit 1
+ /usr/bin/nice -n $NICE $RKHUNTER --cronjob --report-warnings-only --appendlog > $OUTFILE
+ if [ -s "$OUTFILE" -a -n "$REPORT_EMAIL" ]; then
+ (
+ echo "Subject: [rkhunter] $(hostname) - Daily report"
+ echo "To: $REPORT_EMAIL"
+ echo ""
+ cat $OUTFILE
+ ) | /usr/sbin/sendmail $REPORT_EMAIL
+ fi
+ rm -f $OUTFILE
+ ;;
+ *)
+ exit 0
+ ;;
+esac
+
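Review bot: The exit status of rkhunter on the `/usr/bin/nice` line is discarded, so a scanner that fails to start or aborts early leaves `$OUTFILE` empty and sends no report, which is indistinguishable from a clean run; appending the status on failure keeps that visible, e.g. `/usr/bin/nice -n "$NICE" "$RKHUNTER" --cronjob --report-warnings-only --appendlog > "$OUTFILE" || printf 'rkhunter exited with status %s\n' "$?" >> "$OUTFILE"` (if rkhunter also signals warnings with a non-zero status, that line simply becomes part of the warning report). The same line and the `cat`, `rm -f` and `sendmail` lines expand `$OUTFILE` and `$REPORT_EMAIL` unquoted; both values come from root-owned files here, so this is a robustness rather than an injection point, but quoting costs nothing and the weekly script in the next hunk has the same pattern. The `[ -x /usr/bin/on_ac_power >/dev/null 2>&1 ]` test puts the redirections inside the brackets, where they apply to `[` itself and do nothing useful; `[ -x /usr/bin/on_ac_power ]` is what is meant, and the following `[ $? -eq 1 -a ... ]` would be clearer as `[ "$?" -eq 1 ] && [ "$RUN_CHECK_ON_BATTERY" != "true" ] && exit 0`.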
--- /dev/null
+#!/bin/sh
+
+RKHUNTER=/usr/bin/rkhunter
+
+test -x $RKHUNTER || exit 0
+
+# source our config
+. /etc/default/rkhunter
+
+case "$CRON_DB_UPDATE" in
+ [YyTt]*)
+
+ if [ ! -x /usr/bin/wget ] && [ ! -x /usr/bin/curl ] && [ ! -x /usr/bin/links ] && \
+ [ ! -x /usr/bin/elinks ] && [ ! -x /usr/bin/lynx ]; then
+ echo "No tool with which to download rkhunter updates was found on your system. Please install wget, curl, (e)links or lynx"
+ exit 1
+ fi
+
+ OUTFILE=`mktemp` || exit 1
+
+ case "$DB_UPDATE_EMAIL" in
+ [YyTt]*)
+ (
+ echo "Subject: [rkhunter] $(hostname) - Weekly database update"
+ echo "To: $REPORT_EMAIL"
+ echo ""
+ $RKHUNTER --versioncheck --nocolors --appendlog
+ $RKHUNTER --update --nocolors --appendlog
+ ) | /usr/sbin/sendmail $REPORT_EMAIL
+ ;;
+ *)
+ $RKHUNTER --versioncheck --appendlog 1>/dev/null 2>$OUTFILE
+ $RKHUNTER --update --appendlog 1>/dev/null 2>>$OUTFILE
+ ;;
+ esac
+
+ if [ -s "$OUTFILE" ]; then
+ (
+ echo "Subject: [rkhunter] $(hostname) - Weekly rkhunter database update"
+ echo "To: $REPORT_EMAIL"
+ echo ""
+ cat $OUTFILE
+ ) | /usr/sbin/sendmail $REPORT_EMAIL
+ fi
+ rm -f $OUTFILE
+ ;;
+
+ *)
+ exit 0
+ ;;
+esac
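Review bot: `REPORT_EMAIL` is used as the `To:` header and as the sendmail recipient at four places in this hunk without the `-n "$REPORT_EMAIL"` guard that the daily script in the preceding hunk applies before mailing, so an empty value invokes `/usr/sbin/sendmail` with no recipient and an empty header. Guarding the final mail branch the same way, `if [ -s "$OUTFILE" ] && [ -n "$REPORT_EMAIL" ]; then`, and wrapping the `DB_UPDATE_EMAIL` branch in the same test keeps the two cron scripts consistent. The exit status of `$RKHUNTER --update` is dropped in both branches as well; in the non-mail branch only what the command writes to stderr reaches `$OUTFILE`, so an update that exits non-zero without a stderr message would go unreported, and `|| printf 'rkhunter --update exited with status %s\n' "$?" >> "$OUTFILE"` on that line closes the gap.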
--- /dev/null
+# Defaults for rkhunter automatic tasks
+# sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter
+#
+# This is a POSIX shell fragment
+#
+
+# Set this to yes to enable rkhunter daily runs
+# (default: false)
+CRON_DAILY_RUN=""
+
+# Set this to yes to enable rkhunter weekly database updates
+# (default: false)
+CRON_DB_UPDATE=""
+
+# Set this to yes to enable reports of weekly database updates
+# (default: false)
+DB_UPDATE_EMAIL="false"
+
+# Set this to the email address where reports and run output should be sent
+# (default: root)
+REPORT_EMAIL="root"
+
+# Set this to yes to enable automatic database updates
+# (default: false)
+APT_AUTOGEN="false"
+
+# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable)
+# (default: 0)
+NICE="0"
+
+# Should daily check be run when running on battery
+# powermgmt-base is required to detect if running on battery or on AC power
+# (default: false)
+RUN_CHECK_ON_BATTERY="false"
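Review bot: The comment above `APT_AUTOGEN` says "enable automatic database updates", which reads as a duplicate of `CRON_DB_UPDATE` two entries up; what the hook in /etc/apt/apt.conf.d/90rkhunter does with this flag is run the file-properties update after each package install or remove. `# Set this to yes to refresh the rkhunter file properties database after each apt install/remove (used by /etc/apt/apt.conf.d/90rkhunter)` would tell the two apart. `CRON_DAILY_RUN` and `CRON_DB_UPDATE` are set to the empty string while their comments say "(default: false)"; either value makes the cron scripts exit without running anything, so stating that explicitly, e.g. `# (default: empty, i.e. disabled; the cron job exits without running)`, saves a reader from checking the scripts.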
--- /dev/null
+# Defaults for smartmontools initscript (/etc/init.d/smartmontools)
+# This is a POSIX shell fragment
+
+# List of devices you want to explicitly enable S.M.A.R.T. for
+# Not needed (and not recommended) if the device is monitored by smartd
+#enable_smart="/dev/hda /dev/hdb"
+
+# uncomment to start smartd on system startup
+#start_smartd=yes
+
+# uncomment to pass additional options to smartd on startup
+#smartd_opts="--interval=1800"
--- /dev/null
+REM ****************************************************************************
+REM Project: GUYMAGER
+REM ****************************************************************************
+REM Programmer: Guy Voncken
+REM Police Grand-Ducale
+REM Service de Police Judiciaire
+REM Section Nouvelles Technologies
+REM ****************************************************************************
+REM Main configuration file
+REM ****************************************************************************
+
+REM Copyright 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017
+REM Guy Voncken
+REM
+REM This file is part of Guymager.
+REM
+REM Guymager is free software: you can redistribute it and/or modify
+REM it under the terms of the GNU General Public License as published by
+REM the Free Software Foundation, either version 2 of the License, or
+REM (at your option) any later version.
+REM
+REM Guymager is distributed in the hope that it will be useful,
+REM but WITHOUT ANY WARRANTY; without even the implied warranty of
+REM MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+REM GNU General Public License for more details.
+REM
+REM You should have received a copy of the GNU General Public License
+REM along with Guymager. If not, see <http://www.gnu.org/licenses/>.
+
+
+REM ATTENTION
+REM ---------
+REM Do not edit this file; put all your changes into /etc/guymager/local.cfg instead!
+REM See the notes at the end of this file.
+
+SECTION GUYMAGER
+
+REM How this configuration file works
+REM ---------------------------------
+
+
+REM Guymager user interface
+REM -----------------------
+REM
+REM The parameter Language contains the language code (for example 'de', 'fr', 'en'). If Guymager doesn't
+REM find the corresponding language file it switches to english instead. Contact the author of Guymager if
+REM your language is missing. The language files are named guymager_xx.qm, where xx is the language code.
+REM If you installed a Debian package, they can be found in directory /usr/share/guymager.
+REM Set the parameter Language to AUTO in order to detect the language in use on your system automatically.
+REM
+REM CheckRootRights decides whether or not Guymager shows the user a warning dialog when starting it without
+REM root rights.
+REM
+REM The StartupXxx parameters configure the position and size of the main guymager window at startup.
+REM StartupSize can be set to one of the following:
+REM STANDARD Let the X-Window manager choose what it thinks is best
+REM MAXIMISED or MAXIMIZED Maximum size
+REM FULLSCREEN Maximum size and take away the title bar
+REM MANUAL Use the values specified for StartupSizeManualX, StartupSizeManualY,
+REM StartupSizeManualDx and StartupSizeManualDy.
+REM The final result always slightly depends on the X-Window manager in use. For instance, there might be
+REM window managers that can't distinguish MAXIMISED and FULLSCREEN.
+REM
+REM The dialog that appears when chooosing the image destination path can be adjusted in a similar way by
+REM of the parameters FileDialogSize, FileDialogSizeManualDx, FileDialogSizeManualDy. Unfortunately, this
+REM only works when using the alternative file dialog, not the Qt file dialog (see UseFileDialogFromQt
+REM below).
+REM
+REM NumberStyle influences the way how numbers are displayed in guymager. There 3 possible values:
+REM Locale Use the value of the system LOCALE to determine the format (set the LANG environment
+REM correctly).
+REM DecimalComma The format would look like 78.234,56 (normal format)
+REM DecimalPoint The format would look like 78,234.56 (unusual american format)
+REM Remark: Using Locale, more differences are possible. Thus, with the environment variable LANG set to
+REM fr_FR, the number would be displayed as 78 234,56 (space as thousands separator). Setting NumberStyle
+REM to something else than Locale is not recommended (you may use it if you are too lazy to set up your
+REM LANG variable correctly).
+REM
+REM ScreenRefreshInterval [ms] Some screen fields (speed, remaining time, ...) are refreshed regularly.
+REM ScreenRefreshInterval specifies how often this should occur.
+REM
+REM UseFileDialogFromQt When set to Yes, guymager uses the standard Qt file/directory selection dialogs.
+REM There once was a Qt version with a bug in its dialog and an alternative dialog
+REM was quickly added to guymager. The bug should have gone by now and this
+REM configuration parameter should be set to Yes (the Qt dialogs are better then
+REM the alternative programmed by the author of guymager).
+REM Adjusting the dialog size (see configuration parameters FileDialogSize,
+REM FileDialogSizeManualDx and FileDialogSizeManualDy) only works with the
+REM alternative dialog.
+REM
+REM WarnAboutImageSize Check if image would fit uncompressed to the destination at the moment where
+REM the acquisition is started. If not, show a warning.
+REM
+REM WarnAboutSegmentFileCount Check if the number of segment files would exceed 14972 if the data was stored
+REM uncompressed in EWF format. If yes, show a warning. Remark: The 14972th segment
+REM would have the file extension ZZZ and thus, more than 14972 segments may lead to
+REM problems as there is no clear standard for EWF file names.
+REM
+REM AutoExit This parameter controls the default setting of the menu point "Misc/Exit" after
+REM all acquisitions have completed.
+REM
+REM AutoExitCountdown = 60 If the autoexit feature becomes active (i.e. the menu flag is set and the acquisitions
+REM end), a popup appears with a countdown. AutoExitCountdown allows to set start value
+REM of the countdown (in seconds).
+
+Language='auto'
+CheckRootRights=yes
+
+StartupSize = MANUAL
+StartupSizeManualX = 130
+StartupSizeManualY = 250
+StartupSizeManualDx = 1000
+StartupSizeManualDy = 500
+
+FileDialogSize = MANUAL
+FileDialogSizeManualDx = 800
+FileDialogSizeManualDy = 500
+
+NumberStyle=Locale
+
+ScreenRefreshInterval = 1500
+
+UseFileDialogFromQt = Yes
+
+WarnAboutImageSize = Yes
+WarnAboutSegmentFileCount = Yes
+
+AutoExit = Off
+AutoExitCountdown = 60
+
+REM Table Fonts
+REM The font configuration table allows chosing own fonts for different GUI elements of Guymager. The left
+REM most column of the table below specifies the object. It may be one of the following:
+REM Menu The main Guymager menus, its submenus as well as the table popup menu.
+REM Toolbar The toolbar just below the menu bar.
+REM Table The main Guymager table and the table shown in the clone dialog.
+REM InfoField The information field in the lower part of the Guymager window.
+REM AcquisitionDialogs The dialogs for normally acquiting and cloning devices.
+REM MessageDialogs Other message dialogs.
+REM DialogData Dialogs with data areas (such as the device info dialog) use this font for
+REM their data area. A monospaced font should be used, for example 'Courier' or
+REM 'Ubuntu Mono'. All other parts of the dialog are using the font specified
+REM under MessageDialogs.
+REM The remaining table columns specify the font to use (Family, Size, Weight and Italic). Column 'Italic'
+REM may contain YES or NO. Weight is a number between 0 and 100. The following weights are copied from
+REM the Qt documentation:
+REM Light 25
+REM Normal 50
+REM DemiBold 63
+REM Bold 75
+REM Black 87
+REM In order to use the default system font comment out the correspdong line or indicate an empty
+REM family name.
+
+TABLE Fonts None
+ REM Object Family Size Weight Italic
+ REM --------------- --------------------------------------------
+REM Menu 'Arial' 8 75 no
+REM Toolbar 'Arial' 8 75 no
+REM Table 'Arial' 8 75 no
+REM InfoField 'Arial' 8 75 no
+REM AcquisitionDialogs 'Arial' 8 75 no
+REM MessageDialogs 'Arial' 8 75 no
+REM DialogData 'Courier' 8 50 no
+ENDTABLE
+
+
+REM Table Columns
+REM This table controls the columns that are to be shown in the main Guymager table as well as in the clone
+REM dialog. The table reflects the column order, i.e. the top most column in the configuration table is shown
+REM as the first one left in the GUI. Columns may also be repeated in order to have them displayed more
+REM than once.
+REM ColumnName The column name reference. This may be one of the following: SerialNr, LinuxDevice,
+REM Model, NativePath, ByPath, Interface, State, AdditionalStateInfo, Size, HiddenAreas,
+REM BadSectors, Progress, AverageSpeed, TimeRemaining, FifoUsage, SectorSizeLog, SectorSizePhys,
+REM CurrentSpeed, Examiner and UserField. See below for further details on column UserField.
+REM Alignment Alignment inside the table cell: LEFT, RIGHT or CENTER.
+REM MinWidth On startup, Guymager gives every column the size it needs for showing its contents. But
+REM certain columns change their content length while Guymager is running. As it might be
+REM annoying to enlarge the corresponding column manually everytime its text gets longer,
+REM this parameter allows for setting a bigger intial width than the one used normally.
+REM Set to 0 for default width.
+REM ShowInMainTable Decides whether the column should be shown in the main table; set to ON or OFF.
+REM ShowInCloneTable Decides whether the column should be shown in the clone dialog table; set to ON or OFF.
+REM Eventhough each one of the columns might be set to ON, there's no sense in switching on
+REM columns like CurrentSpeed, for example, as the clone dialog is not updated dynamically.
+REM
+REM The purpose of the special column UserField is to provide the user with a field for its own remarks. For
+REM example, some people use Guymager in machines connected to disk racks. They take UserField for entering the
+REM disk slot number in order to have a better overview. The column name may be configured to any string:
+REM
+REM UserFieldName Specify the name that should be displayed for the UserField column. If the string is left
+REM empty, the column's name simply is 'UserField'.
+REM
+REM AdditionalStateInfoName Similar to UserFieldName, this parameter allows for changing the name of the
+REM column AdditionalStateInfo. Leave it empty for the default name.
+
+TABLE Columns None
+ REM ColumnName Alignment MinWidth ShowIn ShowIn
+ REM MainTable CloneTable
+ REM ------------------------------------------------------------------------------
+ 'SerialNr' LEFT 0 YES YES
+ 'LinuxDevice' LEFT 0 YES YES
+ 'Model' LEFT 0 YES YES
+ 'NativePath' LEFT 0 NO NO
+ 'ByPath' LEFT 0 NO NO
+ 'Interface' LEFT 0 NO NO
+ 'State' LEFT 200 YES NO
+ 'AdditionalStateInfo' LEFT 0 NO NO
+ 'Size' RIGHT 0 YES YES
+ 'HiddenAreas' RIGHT 0 YES NO
+ 'BadSectors' RIGHT 0 YES NO
+ 'Progress' LEFT 0 YES NO
+ 'AverageSpeed' RIGHT 0 YES NO
+ 'TimeRemaining' CENTER 0 YES NO
+ 'FifoUsage' LEFT 0 YES NO
+ 'SectorSizeLog' LEFT 0 NO NO
+ 'SectorSizePhys' LEFT 0 NO NO
+ 'CurrentSpeed' LEFT 0 NO NO
+ 'UserField' LEFT 0 NO NO
+ 'Examiner' LEFT 0 NO NO
+ENDTABLE
+
+UserFieldName = ''
+AdditionalStateInfoName = ''
+
+REM Table Colors
+REM The table contains color settings for different items on the screen:
+REM LocalDevices Color to be used for marking local devices (i.e. devices with serial numbers found in
+REM configuration table LocalDevices, see above) in the user interface. The whole row gets
+REM this color.
+REM AdditionalStateX (where X is a number) Devices maybe marked by this color depending on the values in
+REM the additional state info. See description of configuration parameter
+REM CommandGetAddStateInfo for more information.
+REM
+REM All other entries refer to the colored dot of the acquisition state field for reflecting the current state:
+REM StateIdle Nothing has been done with this device yet.
+REM StateAcquire Acquisition running
+REM StateAcquirePaused Acquisition interrupted (device cannot be accessed any longer)
+REM StateVerify Verfication running
+REM StateVerifyPaused Verfication interrupted (device cannot be accessed any longer)
+REM StateCleanup Acquisition has been aborted by user and Guymager is removing partial files
+REM StateFinished Finished successfully
+REM StateFinishedBadVerify Finished, but the MD5 check while re-reading the source after acquisition failed.
+REM This state only can occur if MD5 verification was switched on in the acquisition dialog.
+REM StateAbortedUser Acquisition or verification aborted by user. Not an error, as it is the user's wish.
+REM StateAbortedOther Acquisition or verification aborted for some other reason (for instance, if writing to
+REM the destination fails). This is an error.
+
+TABLE Colors None
+ REM Color R G B
+ REM ----------------------------------------
+ LocalDevices 255 197 189
+ AdditionalState1 186 255 174
+ AdditionalState2 255 254 137
+ AdditionalState3 255 213 66
+ AdditionalState4 255 126 126
+ StateIdle 255 255 255
+ StateQueued 186 206 253
+ StateAcquire 15 73 205
+ StateAcquirePaused 255 150 0
+ StateVerify 78 132 255
+ StateVerifyPaused 255 150 0
+ StateCleanup 228 0 255
+ StateFinished 54 255 0
+ StateFinishedBadVerify 255 30 0
+ StateFinishedDuplicateFailed 255 234 0
+ StateAbortedUser 255 255 255
+ StateAbortedOther 255 30 0
+ENDTABLE
+
+
+REM Image creation
+REM --------------
+REM
+REM EwfFormat The EWF format (alias E01 format) differs depending on which software created
+REM it. With this parameter, you can control which style guymager should follow.
+REM Possible values are: Encase1, Encase2, Encase3, Encase4, Encase5, Encase6, Smart,
+REM FTK, Linen5, Linen6 and Guymager. See libewf for more information.
+REM When chosing "Guymager", the program uses its own EWF generation functions, which
+REM require only very little RAM and still are as fast as libewf. With any other setting,
+REM the program uses libewf i order to create the EWF images.
+REM Select Guymager or Encase6 in order to be able to produce segment files bigger than 2GiB.
+REM
+REM EwfCompression The compression level for EWF images. Possible values are:
+REM None No compression at all, images become very big. Not recommended.
+REM Empty With this setting, Guymager does no compression, except if a block contains
+REM zero bytes only. Such blocks are replaced by their compressed equivalent.
+REM Optimal settings for slow systems.
+REM Fast Fast Z compression. Optimal setting for most imagers.
+REM Best Best Z compression. Images normally become slightly smaller than
+REM with setting "Fast", but CPU load grows heavily. Not recommended.
+REM
+REM EwfCompressionThreshold This threshold indicates a minimal compression ratio that must be achieved or else the
+REM data is stored uncompressed. The default value is 0.999 which means, that a chunk will
+REM be stored compressed if the compressed data is less than 99.9% in size of the original
+REM data. This parameter has been added to avoid mmessages about "inefficiency" in XWF.
+REM
+REM EwfNaming EWF images are subdivided into segments, starting with extension E01 for the first
+REM segment. Subsequent segments get the filename extension E02-E99, then EAA-EZZ, then
+REM FAA-ZZZ. After that, it is unclear how to continue (there is no clear standard for the
+REM EWF file naming).
+REM Guymager supports two ways for naming segments beyond ZZZ:
+REM Old Continue with ZZZxxx, where xxx represents characters from 000 to ZZZ in base36
+REM notation (i.e. 0-9 and A-Z). After that, it would continue with ZZZxxxx and so on.
+REM Guymager version <= 0.6.9 used this naming scheme.
+REM FTK After ZZZ follows E14972, E14973 and so on. This naming system is the default for
+REM Guymager version 0.6.10 and later.
+REM Attention: This parameter only has effect if EwfFormat is set to Guymager.
+REM
+REM AffEnabled Simson Garfinkel, the inventor of the AFF format, recommends not to use AFF any longer.
+REM Therefore, this switch has been introduced and it is 'false' by default. You might use EWF
+REM instead.
+REM Switch AffEnabled on in case you need to generate AFF images.
+REM
+REM AffCompression The compression level for AFF images. Valid range: 1 - 9. A value of 1 results in a
+REM fast, minimal compression and 9 in a slow, high compression.
+REM See aff documentation for more information.
+REM
+REM AffMarkBadSectors Aff supports a possibility for marking bad sectors. If this parameter is enabled and
+REM a bad sector is encountered, then the bad sector is written with a special content to
+REM the image ("BAD SECTOR\0" followed by 501 random bytes). If this parameter is disabled,
+REM then bad sectors are replaced by 512 zero bytes.
+REM This parameter only influences images in AFF format.
+REM
+REM SpecialFilenameChars By default, guymager only allows the characters a-z, A-Z, 0-9 and _ to figure
+REM in the image filenames. If you wannt to allow special chars and you are sure
+REM that your destination file system can handle them, you might add them to
+REM the parameter SpecialFilenameChars. Example: SpecialFilenameChars = '.- '
+REM would allow you to use the characters . and - as well as spaces.
+REM
+REM CalcImageFileMD5 Switch the parameter on in order to have Guymager calculate the MD5 hashes of the image
+REM file(s). The calculation is done over the whole file(s), not just the contents.
+REM NOTE: The MD5 hashes are calculated during image verification and therefore, it only
+REM is done if the checkbox for image verification is set in the acquisition dialog window.
+REM Switching this parameter on is interesting for checking the individual files of an image.
+REM
+REM The Guymager info file can be passed directly to md5sum for image file verfication. In case
+REM you want to do so, please observe one detail: The info file uses CR/LF for beginning a new
+REM line (the reason is that many Windows applications fail badly when using the LF standard).
+REM Therefore, do not use md5sum -c myimage.info but one of the following commands:
+REM cat myimage.info | tr -d '\r' | md5sum -c
+REM or
+REM cat myimage.info | dos2unix | md5sum -c
+REM Both do the same: Eliminate the DOS-CR and pass the rest to the md5sum command. You
+REM may ignore md5sum's warnings about improperly formatted lines (these are simply the all
+REM the other text lines found in the info file).
+REM
+REM DuplicateImage Enable Guymager to produce duplicate images, i.e. generate two identical images during
+REM an acquisition. When switched on, the acquisition dialog has an additional button named
+REM "Duplicate image...".
+REM Switch this parameter off if you always want to do single images.
+REM
+REM DirectoryFieldEditing The destination directory for images and info files normally is selected by mouse by means
+REM of a dialog and the directory field is not directy editable. This is the safest way as it
+REM ensures that you never a select a non-existent directory.
+REM Switch this parameter on if you like to be able to directly type the directory path into
+REM the corresponding field. This might be a faster solution for people who know their
+REM directories by heart. At the same time it's less safe in case of typos.
+REM If ever you enter a non-existent directory then Guymager by default asks if you would like
+REM to create it (see parameter ConfirmDirectoryCreation).
+REM
+REM AllowPathInFilename The parameter is switched off by default and entering parts of the path in the filename field
+REM is forbidden. In case you think in relative paths it might be interesting to switch this
+REM parameter on and thus allow entering parts of the path together with the filename.
+REM Example: You set the directory field to "/mycases/case_0815/images" and enter the filename
+REM "JohnDoe/Laptop". The image/info files would then be stored under
+REM "/mycases/case_0815/images/JohnDoe/Laptop.xxx".
+REM
+REM ConfirmDirectoryCreation If ever the entered destination directory does not exist, Guymager tries to create it. If
+REM this parameter is switched on then Guymager only does so after asking the user. When set to
+REM 'off' it automatically creates the directories without asking.
+REM Attention: Setting this parameters to 'off' might lead to uncontrolled directory creation in
+REM case of typing errors.
+REM Normally, this parameter only has an effect if DirectoryFieldEditing or AllowPathInFilename
+REM are switched on. Otherwise, the destination directory should always exist as it has been selected
+REM by the file selection dialog and thus doesn't need to be created (except in the unlikely case
+REM where the directory had been deleted in the meantime).
+REM
+REM AvoidEncaseProblems Encase produces strange error messages if the EWF internal fields "Imager Version" and
+REM "OS Version" contain more than 11 or 23 characters, respectively. Leave this flag OFF
+REM if you don't work with Encase (default setting). Set it to ON if ever you work with
+REM Encase and want to avoid the Encase problems.
+REM
+REM AvoidCifsProblems Some NAS systems have problems for closing files (function fclose) when running under heavy
+REM load (i.e., running several acquisitions in parallel, for example). This may result in
+REM acquisitions aborting with errors. The problem only has been observed on systems attached via
+REM Cifs/Samba so far. NFS systems seem to run fine. When switching parameter AvoidCifsProblems
+REM on, Guymager flushes and synchronizes buffers before closing image files. The thus can be
+REM avoided. The downside is a performance loss, which can be reduced by choosing a large image
+REM file segment size.
+
+EwfFormat = Guymager
+EwfCompression = FAST
+EwfCompressionThreshold = 0.999
+EwfNaming = FTK
+AffEnabled = false
+AffCompression = 1
+AffMarkBadSectors = TRUE
+SpecialFilenameChars = ''
+CalcImageFileMD5 = off
+DuplicateImage = on
+DirectoryFieldEditing = off
+AllowPathInFilename = off
+ConfirmDirectoryCreation = on
+
+AvoidEncaseProblems = off
+AvoidCifsProblems = off
+
+REM Acquisition dialog
+REM ------------------
+
+REM DefaultFormat This parameter decides, which forensic format should be chosen by default for the
+REM first acquisition after starting Guymager. For subsequent acquisitions, the format
+REM of the previous acquisition will be selected by default.
+REM Possible values are DD, AFF and EWF.
+
+DefaultFormat = EWF
+
+REM InfoFieldsForDd The dd format has no possibility for storing meta information about an image. Hence, the
+REM fields examiner, notes, etc. usually are greyed out in the acquisition dialog when selecting
+REM dd format. By switching on this parameter, those entry fields become available for dd images
+REM also. The strings entered will then be written to the info file.
+
+InfoFieldsForDd = disabled
+
+REM The parameters below all refer to the acquisition dialog entry fields. Let us explain the different
+REM fields first. There are 2 fields related to image file fragmentation:
+REM SplitFileSwitch Decides whether the image file fragmentation is on or off. For EWF images, it
+REM is always on and for AFF images always off. For DD images, the user may choose
+REM himself.
+REM SplitFileSize The max. size of the fragments (sometimes called segments) in MiB. The maximum
+REM value for EWF images is 2047.
+REM 2047 is a good choice. For EWF images, the number of files will be reduced to
+REM the minimum. For DD images, the fragments stay below the FAT limitation (2GiB).
+
+REM There are 5 fields defined by the EWF file format, their names are self-explaining:
+REM EwfCaseNumber
+REM EwfEvidenceNumber
+REM EwfExaminer
+REM EwfDescription
+REM EwfNotes
+REM Guymager uses these fields when choosing the EWF or the AFF format. When choosing the dd format, they
+REM are of no use and decativated.
+REM
+REM There are 4 other important entry fields in the acquisition dialog:
+REM DestImageDirectory The directory that will be used for storing the image files
+REM DestInfoDirectory The directory that will be used for storing the info file
+REM DestImageFilename The filename of the image files (without the extension)
+REM DestInfoFilename The filename of the info file (without the extension)
+REM
+REM Finally, there are some checkboxes in the acquisition dialog that are controlled by the following
+REM entry fields:
+REM HashCalcMD5 The checkbox for MD5 hash
+REM HashCalcSHA1 The checkbox for SHA-1 hash
+REM HashCalcSHA256 The checkbox for SHA-256 hash
+REM HashVerifySrc The checkbox for the source verification (re-read source and chek if it
+REM returns the same data than during acquisition)
+REM HashVerifyDst The checkbox for the imager verification (read and check the image after
+REM the acquisition has been done)
+REM
+REM For each one of these fields, there is an entry in configuration table DlgAcquireField. It has the
+REM following structure:
+REM FieldName The name of the field, as indicated above
+REM
+REM EntryMode Determine the bevahiour of each field; the following entry modes are available:
+REM Hide The corresponding field is not shown in the acquisition dialog.
+REM Nevertheless, it exists and it is always set to its default value
+REM (see below). This mode useful if a certain EWF field always should
+REM be filled in with the same standard value.
+REM
+REM ShowDefault The field is visible in the acquisiton dialog and it is automatically
+REM filled in with the default value.
+REM
+REM ShowLast The field is shown in the acquisiton dialog. When the acquisition
+REM dialog is opened for the first time after guymager startup, the field
+REM is filled in with the default value. On subsequent acquisition dialog
+REM appearances, the field contains the value entered previously (which
+REM may still be the default value, if it was not edited).
+REM
+REM DefaultValue The default value for the field. It may contain any text you like (for the checkboxes: See
+REM below). Guymager knows several special sequences, that will be replaced automatically.
+REM See "Special Tokens" below.
+REM
+REM Checkboxes: Simply put '1' if you want to have the checkbox enabled or '0' for having it
+REM disabled. Attention: Putting other values may lead to unpredictable results.
+REM
+REM Note that each and every field must be contained exactely once in the configuration table DlgAcquireField.
+REM
+REM *** Example A ***
+REM TABLE DlgAcquireField NoName
+REM REM Field Entry Default
+REM REM name mode value
+REM REM -------------------------------------------------------------------------
+REM ...
+REM 'EwfNotes' Hide 'Acquisition done by guymager %version%'
+REM ...
+REM ENDTABLE
+REM The field EwfNotes would not be shown in the acquisition dialog. As it has a default value, it would always
+REM be initialised with that string. The special sequence %version% would be replaced and the string written to
+REM the EWF image files would be sometheing like 'Acquisition done by guymager 0.3.1'
+REM
+REM *** Example B **
+REM TABLE DlgAcquireField NoName
+REM REM Field Entry Default
+REM REM name mode value
+REM REM -------------------------------------------------------------------------
+REM ...
+REM 'EwfExaminer' Show 'Marc Murrsky acquired it on %d%. %MMMM% %yyyy%'
+REM ...
+REM ENDTABLE
+REM With this setting, the acquisition dialog would open up with the examiner field preset to
+REM something similar to 'Marc Murrsky acquired it on 5. December 2007'
+
+TABLE DlgAcquireField NoName
+ REM Field Entry mode Entry mode Default
+ REM name image clone value
+ REM ------------------------------------------------------------------------------------
+ 'SplitFileSwitch' ShowLast Hide '1'
+ 'SplitFileSize' ShowLast Hide '2047'
+ 'SplitFileUnit' ShowLast Hide 'MiB'
+ 'EwfCaseNumber' ShowLast Hide ''
+ 'EwfEvidenceNumber' ShowDefault Hide ''
+ 'EwfExaminer' ShowLast Hide ''
+ 'EwfDescription' ShowDefault Hide ''
+ 'EwfNotes' ShowDefault Hide '%serial%'
+ 'UserField' Hide Hide ''
+ 'DestImageDirectory' ShowLast Hide ''
+ 'DestInfoDirectory' Hide ShowLast ''
+ 'DestImageFilename' ShowDefault Hide ''
+ 'DestInfoFilename' ShowDefault ShowDefault ''
+ 'HashCalcMD5' ShowLast ShowLast '1'
+ 'HashCalcSHA1' ShowLast ShowLast '0'
+ 'HashCalcSHA256' ShowLast ShowLast '0'
+ 'HashVerifySrc' ShowLast ShowLast '0'
+ 'HashVerifyDst' ShowLast ShowLast '1'
+ENDTABLE
+
+
+REM There is a another configuration table, DlgAcquireRule, which allows to copy the contents of some
+REM fields automatically to others while typing. The entries in this table are processed one after the
+REM other everytime you hit a key in any of the 8 fields.
+REM
+REM TriggerFieldName The trigger field is field where the action happens (i.e. which has the focus
+REM while you are typing). If the trigger field name doesn't match, the the line
+REM is ignored. If it matches, we have a trigger and Guymager does what the rest
+REM of the line says.
+REM
+REM DestinationFieldName On trigger, this field will be filled in with the value indicated in column
+REM Value.
+REM
+REM Value The string to be written to the field DestinationFieldName if there's a trigger.
+REM The value may contain the same special sequences than the ones described
+REM above. Additionally, there are special sequences for referring to other fields.
+REM These are constructed by putting the field name between two percent signs (for
+REM example '%EwfNotes%')
+REM
+REM *** Example A ***
+REM The info filename should always be the same than the image filename, i.e. when typing in the field
+REM for the image filename, the contents should automatically be copied to the field for the info
+REM filename:
+REM TABLE DlgAcquireRule NoName
+REM REM Trigger Destination Value
+REM REM field name field name
+REM REM ----------------------------------------------------------------------
+REM 'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%'
+REM ENDTABLE
+REM Read the entry like this: Everytime a key in DestImageFilename is hit, refresh DestInfoFilename with the
+REM value %DestImageFilename%, which would be interpreted as a special sequence and corresponds to the
+REM contents of DestImageFilename.
+REM It still would be possible to edit the info filename separately and thus different image and info
+REM filenames.
+REM
+REM *** Example B ***
+REM Like example A, but do the same when editing te info filename; when typing in it, the image filename
+REM should be changed to the new name typed for the info file:
+REM TABLE DlgAcquireRule NoName
+REM REM Trigger Destination Value
+REM REM field name field name
+REM REM ---------------------------------------------------------------------
+REM 'DestInfoFilename' 'DestImageFilename' '%DestImageFilename%'
+REM ENDTABLE
+REM
+REM *** Example C ***
+REM Set the info field to the examiner name, the case name plus the date:
+REM TABLE DlgAcquireRule NoName
+REM REM Trigger Destination Value
+REM REM field name field name
+REM REM ----------------------------------------------------------------------------------------------
+REM 'EwfExaminer' 'EwfNotes' 'Acquired by %EwfExaminer for case %EwfCaseNumber% on %d%.%MM%.%yyyy%'
+REM 'EwfCaseNumber' 'EwfNotes' 'Acquired by %EwfExaminer for case %EwfCaseNumber% on %d%.%MM%.%yyyy%'
+REM ENDTABLE
+REM Note that we have to enter the same value twice here, as we have 2 triggers.
+
+TABLE DlgAcquireRule NoName
+ REM Trigger Destination Value
+ REM field name field name
+ REM ----------------------------------------------------------------------
+ 'DestImageDirectory' 'DestInfoDirectory' '%DestImageDirectory%'
+ 'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%'
+ENDTABLE
+
+
+REM Special tokens
+REM --------------
+
+REM Guymager uses special tokens whenever text needs to replaced automatically according to the user's instructions.
+REM Currently, these tokens are used in the configuration tables DlgAcquireRule and DlgAcquireField, RunStats module
+REM and configuration parameter CommandAcquisitionEnd.
+
+REM Date and time tokens
+REM %d% the day as a number without a leading zero (1 to 31)
+REM %dd% the day as a number with a leading zero (01 to 31)
+REM %ddd% the abbreviated localized day name (e.g. 'Mon' to 'Sun')
+REM %dddd% the long localized day name (e.g. 'Monday' to 'Sunday')
+REM %M% the month as a number without a leading zero (1-12)
+REM %MM% the month as a number with a leading zero (01-12)
+REM %MMM% the abbreviated localized month name (e.g. 'Jan' to 'Dec')
+REM %MMMM% the long localized month name (e.g. 'January' to 'December')
+REM %yy% the year as two digit number (00-99)
+REM %yyyy% the year as four digit number
+REM
+REM %h% the hour without a leading zero (0 to 23 or 1 to 12 if AM/PM display)
+REM %hh% the hour with a leading zero (00 to 23 or 01 to 12 if AM/PM display)
+REM %m% the minute without a leading zero (0 to 59)
+REM %mm% the minute with a leading zero (00 to 59)
+REM %s% the second without a leading zero (0 to 59)
+REM %ss% the second with a leading zero (00 to 59)
+REM %z% the milliseconds without leading zeroes (0 to 999)
+REM %zzz% the milliseconds with leading zeroes (000 to 999)
+REM %AP% use AM/PM display. %AP% will be replaced by either "AM" or "PM".
+REM %ap% use am/pm display. %ap% will be replaced by either "am" or "pm".
+REM Remark: The date/time tokens have been copied from Trolltech's Qt documentation.
+REM
+REM Static tokens
+REM %Version% Guymager software version
+REM %MacAddr% MAC address of the 1st ethernet card found
+REM %HostName% Computer's host name
+REM
+REM Device / acquisition related tokens
+REM %Dev% Device, for example /dev/sdf
+REM %Size% Device size in bytes
+REM %SizeHuman% Device size in human readable format (e.g. '247G', '32M')
+REM %SizeHumanNoSep% Like %SizeHuman%, but wihtout thousands separator
+REM %State% The acquisition state
+REM %ExtendedState% The acquisition state as shwon in the main GUI
+REM %Serial% Serial number of the device
+REM %Model% Device model
+REM %LocalDevice% Device is part of the local PC, value is YES or NO (see configutaion table LocalDevices)
+REM %CurrentSpeed% Current speed, unit MB/s
+REM %AverageSpeed% Average speed, unit MB/s
+REM %Progress% Progress, unit %
+REM %TimeRemaining% Estimated time remaining to accomplish acquisition (format hh:mm:ss)
+REM %BadSectors% Number of bad sectors
+REM %HiddenAreas% The information about hidden areas as shown in the GUI
+REM %SplitFileSize% File size of image fragmnets
+REM %VerifySrc% Verify source, value is YES or NO
+REM %CalcMD5% MD5 calculation enabled, value is YES or NO
+REM %CalcSHA1% SHA1 calculation enabled, value is YES or NO
+REM %CalcSHA256% SHA256 calculation enabled, value is YES or NO
+REM %Clone% Device is cloned, MD5 value is YES or NO
+REM %Duplicate% A duplicate image is written, value is YES or NO
+REM %UserField% Contents of the user field
+REM %AddStateInfo% Additional state information
+REM The following tokens are related to the acquisition dialog input fields. They all exist a second time with a "2"
+REM appended, for example "%CaseNumber%" and "%CaseNumber2%". The second one only is set if %Duplicate% is YES. It's empty
+REM otherwise.
+REM %CaseNumber% Case number \
+REM %Examiner% Examiner | as entered in the
+REM %EvidenceNumber% Evidence number | corresponding field
+REM %Description% Description | of the acqusition dialog
+REM %Notes% Notes /
+REM %Image% Path and file name of image
+REM %InfoFile% Path and file name of .info file
+REM %VerifyDst% Verify image, value is YES or NO
+REM
+REM Not all tokens are meaningful in every position. For example, there's no sense in specifying token %Progress%
+REM in configuration table DlgAcquireRule, as the acquisition is not even started yet when the acquisition dialog
+REM is shown.
+REM
+REM The special token %DEVICE_BLOCK% only can be used for the Runstats module. See the description of the RunStats
+REM module below.
+
+
+REM Guymager internals
+REM ------------------
+REM
+REM Device list scanning
+REM --------------------
+REM DeviceScanMethod Guymager knows 3 methods for getting the list of the available memory devices: The old one,
+REM that uses libparted, the new one that uses DBUS/HAL and the even newer one that uses
+REM DeviceKit-Disks. Select your method by setting this parameter to:
+REM
+REM libudev The newest method (recommended for Ubuntu >= 15.10). See remarks for
+REM UDisks below.
+REM
+REM DBusDevKit or UDisks Recommended for 9.04 <= Ubuntu <= 15.04. You need a Linux system
+REM supporting UDisks for this setting. In older versions, UDisks was named
+REM DeviceKit (in Ubuntu 9.04 and 9.10 for instance). From guymager's point
+REM view, UDisks and DeviceKit are both the same. Newer distributions switched
+REM from UDisks to UDisks2, but UDisks2 is incompatible and unusable. Guymager
+REM therefore should be run with libudev on those systems.
+REM
+REM DBusHAL Use the previous method (recommended for systems like Ubuntu 8.10).
+REM
+REM libparted Use the old method. It was observed that the internal scan function hung
+REM while an acquisition was running. This leads to the problem that the devices
+REM shown in guymager possibly cannot be updated while an acquisition is running.
+REM When using this method, the command specified in configuration parameter
+REM CommandGetSerialNumber (see below) is used for finding the serial number of
+REM each device (not really elegant). Again, DBusHAL is the recommended setting.
+REM When chossing an unsupported scan method, Guymager shows the user a dialog asking to fall back
+REM to a supported one.
+REM
+REM CommandGetSerialNumber is used to extract the serial number from a device when setting DeviceScanMethod to libparted (not
+REM recommended). When chosing another scan method, the command will never be called, except if parameter
+REM ForceCommandGetSerialNumber is set (see below). The placeholder %dev in the command string will be replaced
+REM by the device (/dev/hda or /dev/sdc for instance). Examples:
+REM CommandGetSerialNumber = 'bash -c "smartctl -i %dev | grep -i serial | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
+REM CommandGetSerialNumber = 'bash -c "hdparm -I %dev | grep -i ''Serial Number'' | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
+REM
+REM ForceCommandGetSerialNumber Use CommandGetSerialNumber not only when DeviceScanMethod is libparted, but also for others. This
+REM can be interesting in case wrong serial numbers are displayed, which was observed to happen with
+REM certain USB adapter devices.
+REM
+REM CommandGetAddStateInfo contains the command to be executed in order to gather additional state information. By default, CommandGetAddStateInfo
+REM simply is an empty string and no additional information is read nor displayed. If set, the command executed
+REM is expected to return its information in three separate lines (separated by \n):
+REM 1st line: Information text. This text is displayed in the device specific screen area of Guymager
+REM (bottom area of the main window).
+REM 2nd line: A value of 0 tells Guymager that the device cannot be acquired. Guymager forbids the
+REM acquisition of the device in that case. Any other value enables device acquisition.
+REM If this parameter is missing, the device can be acquired.
+REM 3rd line: An integer number indicating the color to be used for marking the device. The number
+REM refers to the colors named AdditionalStateX in the configuration table Colors (see
+REM above), where X corresponds to the color returned by the command. If this parameter
+REM is missing, the default color (wite) is used.
+REM The command may include the two placeholders %dev and %local which will be replaced accordingly. See
+REM the description of CommandGetSerialNumber above for the use of %dev. %local will be replaced by 1
+REM if the %dev refers to a local device and 0 otherwise.
+REM
+REM If you plan to use this feature, you may do a first test with the configuration setting
+REM CommandGetAddStateInfo='bash -c "/usr/share/guymager/stateinfo.sh %dev"'
+REM where the file /usr/share/guymager/stateinfo.sh is executable and contains the lines
+REM echo "Moie Welt! - $1"
+REM echo "0"
+REM echo "2"
+REM
+REM CommandAcquisitionEnd The command given is called whenever an acquisition ends. Guymager knows several special tokens (chraracter sequences)
+REM that will be replaced automatically. See "Special tokens" above.
+REM The parameter is left empty by default and no script called in that case.
+REM
+REM ScanInterval Speficies how often an automatic device scan (for detecting newly connected devices)
+REM should launched. Unit: Seconds. Keep in mind, that the device scan can be launched as well manually.
+REM
+REM QueryDeviceMediaInfo Guymager has the possibility to gather extended media info about the connected devices. The media info
+REM mainly includes HPA/DCO settings. Some non-standard devices do not expect the corresponding ATA
+REM commands and may even need to be resetted when trying to query media info. In such cases,
+REM QueryDeviceMediaInfo may be switched off. By default, it is on.
+REM
+REM DirectIO Decides whether Guymager reads data in direct IO mode or not. Normally, direct mode should be a little
+REM faster, but it was observed that reading from SSDSs may be much slower in direct mode. The default
+REM setting therefore is "off".
+REM IMPORTANT:
+REM 1) DirectIO only can be switched on if parameter FifoMemoryManager is also on.
+REM 2) Linux does not read single sectors when DirectIO is off. While this is good for speed, it's a
+REM problem for disks with bad sectors ("contagious error"). Therefore, Guymager switches DirectIO
+REM on when it encounters bad sectors, disregarding the DirectIO configuration parameter. After
+REM the bad sectors area has been read, it switched back to the configured DirectIO mode.
+REM See also www.elsevierscitech.com/pdfs/Contagious_errors.pdf for more information about the
+REM contagious error problem.
+
+DeviceScanMethod = libudev
+CommandGetSerialNumber = 'bash -c "smartctl -i %dev | grep -i serial | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
+ForceCommandGetSerialNumber = false
+CommandGetAddStateInfo = ''
+CommandAcquisitionEnd = ''
+
+ScanInterval = 6000
+QueryDeviceMediaInfo = on
+DirectIO = off
+
+
+REM The RunStats module allows to forward information about Guymager's current state to users or applications.
+REM Principally, Guymager takes a user provided template file, modifies its contents according to the
+REM instructions given in the template file and writes the result to the output file. The template and output
+REM are specified by the parameters RunStatsTemplateActive and RunStatsOutput.
+REM
+REM RunStatsTemplateActive contains the filename for the active template, i.e. the template used when Guymager
+REM is running. When Guymager ends, it modifies the output file one last time just before exiting according to
+REM the contents of another template file, specified by parameter RunStatsTemplateEnded. If parameter
+REM RunStatsTemplateEnded is empty or doesn't point to a valid file, Guymager leaves the output with the content
+REM it last wrote before exiting.
+REM
+REM The template file may contain special tokens which are to be replaced by Guymager. All other text is
+REM transferred directly to the output file. Tokens always start and end with the % character, see "Token list"
+REM above.
+REM
+REM The token %DEVICE_BLOCK% is specififc to the Runstats module. This token must appear twice in the RunStats
+REM template file. The part in between is repeated as many times as there are devices shown in Guymager's main
+REM device table.
+REM
+REM If you installed Guymager from a Debian package (usual way for installing programs on a Debian, Ubuntu
+REM or other Debian based system) you find examples of RunStats template files in /usr/share/doc/guymager/
+REM or /usr/share/doc/guymager-beta/ .
+REM
+REM Parameter RunStatsInterval specifies how often the output file is to be updated (unit: seconds). Guymager
+REM reads the template at startup and after every 10 output file updates, thus allowing for template file changes
+REM to in the appear in the output file without restarting Guymager.
+REM
+REM In order to switch off the Runstats module, set RunStatsInterval to 0 ot set the active template or output
+REM file to an empty string.
+
+RunStatsTemplateActive = ''
+RunStatsTemplateEnded = ''
+RunStatsOutput = ''
+RunStatsInterval = 60
+
+REM Other settings
+REM --------------
+REM Block sizes: Guymager works internally with threads for doing the different jobs (read, hash calculation, compression,
+REM write) and forwards the data in blocks through fifos from one thread to another. The block size may be adjusted individually
+REM for the different forensic formats. There's only one exception: When using EWF with mult-threaded compression the block size
+REM is 32768 bytes (32KB).
+REM It is recommended to use a multiple of kilobytes or megabytes for the block sizes, because the block size corresponds to size
+REM of the data read at once from the source drive and most drive's caches perform best with such "round" numbers. So, if you want
+REM to work with a block size of 10 kilobyte, specify 10240 (instead of 10000).
+REM
+REM FifoBlockSizeDD The block size for dd images (in bytes). Recommended value: 262144 (256K).
+REM
+REM FifoBlockSizeEWF The block size for EWF images (in bytes). Recommended value: 32768 (32K). ATTENTION: Tests have shown
+REM that the software "X-Ways Forensics" is not able to handle EWF images with a block size above 256K. Thus,
+REM the recommended maximum value for FifoBlockSizeEWF is 262144.
+REM
+REM FifoBlockSizeAFF The block size for AFF images (in bytes). Recommended value: 16777216 (16M).
+REM
+REM FifoMaxMem The amount of memory used for the internal FIFO queues of an acquisition. The value is indicated in
+REM Megabytes. If you set it to 0, Guymager uses 1/8 of the available RAM, maximally 64MB per acquisition.
+REM Keep in mind, that the total amount of memory used by Guymager may be much higher: With a value of
+REM 256 and 4 acquisitions running in parallel, a total of 1GB RAM would be used by Guymager - only for
+REM the FIFOs, not counting the overhead required by Guymager and the libs it uses (Qt, libewf, ...).
+REM The recommended value is 0 (automatic memory usage calculation).
+REM
+REM FifoMemoryManager Set to on to use the internal FIFO memory manager. If switched off, the classical C functions malloc and
+REM free are used. FifoMemoryManager must be switched on in order to use direct IO (see parameter DirectIO).
+REM It should be switched off for debug purposes only.
+REM
+REM UseSeparatehashThread The hash calculation can be done in a separate thread or in the read thread (i.e. the thread reading
+REM the data from the source). Using a separate thread led to a slight performance advantage on the
+REM developer's machine.
+REM
+REM CompressionThreads The number of threads for parallel compression. The recommended value is the number of processors.
+REM This parameter has a significant performance influence when working with compressed file format
+REM (EWF format). It has no impact on other formats (dd).
+REM Set to AUTO will use the number of CPUs installed in the system (recommended).
+REM Set to 0 for disabling multi-threaded compression and build EWF file the conventional way.
+REM
+REM BadSectorLogThreshold This parameter has been introduced in order to prevent Guymager from writing excessively big log files
+REM when acquiring devices with many (millions) bad sectors. As soon as the threshold has been reached,
+REM Guymager does not any longer log every single bad sector it encounters but only logs from time to time.
+REM The number of log entries after reaching BadSectorLogThreshold depends on parameter BadSectorLogModulo.
+REM When setting BadSectorLogModulo to 1000, then only every 1000th bad sector will be logged after reaching
+REM BadSectorLogThreshold.
+REM A value of 0 deactivates the bad sector log threshold feature.
+REM
+REM BadSectorLogModulo Only active if BadSectorLogThreshold is not zero.
+REM See BadSectorLogThreshold for explanations.
+REM
+REM LimitJobs Limit the number of acquisitions running in parallel to the value specified in this parameter. If
+REM the number of acquisitions started exceeds the value given by LimitJobs, the ones started last are
+REM queued and will be held until a former acquisition ends.
+REM The reason for this parameter is that some users observed degraded performance with heavy SATA IO load.
+REM They claimed, that the overall performance is better when limiting the number of parallel jobs. However,
+REM the author of Guymager has not been presented any performance test results up until now.
+REM Setting this parameter OFF results in starting acqusitions immediately. A value of AUTO corresponds
+REM to half the number of CPUs installed, with a maximum of value 4.
+REM
+REM JobMaxBadSectors Only active if LimitJobs is ON.
+REM With the introduction of the job queue, a problem arises with faulty disks. It could happen that healthy
+REM disks are not going to be acquired because of faulty disks blocking the job queue. JobMaxBadSectors prevents
+REM from this by ending acquisitions exceeding the given number of bad sectors.
+REM Set JobMaxBadSectors to 0 in order not to end acquisitions because of bad sectors.
+REM
+REM JobDisconnectTimeout Only active if LimitJobs is ON.
+REM See remarks for JobMaxBadSectors. JobDisconnectTimeout works in a similar way. It ends acquisitions
+REM which have been in state "disconnected" (i.e. which can no longer be accessed) for too long.
+REM Set JobDisconnectTimeout to 0 in order not to end acquisitions because of switching to state
+REM disconnected. Unit: Seconds.
+
+
+FifoBlockSizeDD = 262144
+FifoBlockSizeEWF = 32768
+FifoBlockSizeAFF = 16777216
+FifoMaxMem = 0
+FifoMemoryManager = On
+
+UseSeparatehashThread = Yes
+CompressionThreads = AUTO
+
+BadSectorLogThreshold = 0
+BadSectorLogModulo = 1000
+
+LimitJobs = OFF
+JobMaxBadSectors = 200
+JobDisconnectTimeout = 10000
+
+REM Debug settings
+REM --------------
+REM SignalHandling For debug purpose only. Switch off SignalHandling only when working with debuggers (gdb).
+REM Recommended value: Enabled.
+REM
+REM WriteToDevNull For debug purpose only. Writes image to /dev/null instead of the indicated file. This switch can
+REM be used for performance tests. Only used when creating a dd images.
+REM
+REM UseMemWatch For debug purpose only. Uses the memwatch malloc/free functions for finding dynamic memory problems.
+REM Creates a file named memwatch.log when enabled in the directory where guymager is started. MemWatch
+REM may slow down guymager significantly.
+REM
+REM VerboseLibewf For debug purpose only. Have libewf output internal messages to stderr.
+REM
+REM CheckEwfData For debug purpose only. When using the EWF format and working with separate compression thread(s),
+REM Guymager does a special check on the data if this parameter is set. The check is done just before
+REM passing the data to the EWF library function that writes it to the image. It checks if the data can
+REM be uncompressed correctly, if the lengths match and if the CRC is ok.
+
+SignalHandling = Enabled
+WriteToDevNull = false
+UseMemWatch = false
+VerboseLibewf = false
+CheckEwfData = false
+
+
+REM Device info commands
+REM --------------------
+REM In order to get a complete set of information for each acquired drives, guymager executes several standard Linux
+REM commands. These commands are contained in the list named DeviceInfoCommands, see below. They are executed when
+REM - selecting the "Info" menu point for a device (results are shown in a dialog window)
+REM - starting an acquisition (results are written to the .info file)
+REM They are executed in the order they appear. The string %dev will be replaced by the corresponding device path
+REM (i.e. /dev/sdb for instance). Examples of interesting commands:
+REM 'bash -c "smartctl -s on %dev ; smartctl -a %dev"' -- for switching SMART interface on and showing SMART info
+REM 'bash -c "hdparm -I %dev"' -- for showing other identification info
+
+TABLE DeviceInfoCommands NoName
+ REM Command
+ REM -------------------------------------------
+ 'bash -c "search="`basename %dev`: H..t P.......d A..a de.....d" && dmesg | grep -A3 "$search" || echo "No kernel HPA messages for %dev""'
+ 'bash -c "smartctl -s on %dev ; smartctl -a %dev"'
+ 'bash -c "hdparm -I %dev"'
+ REM 'bash -c disk_stat %dev'
+ENDTABLE
+
+
+
+REM Tables LocalDevices and HiddenDevices
+REM The local devices may be entered here. Guymager will mark them colored and will not allow to acquire them. The
+REM table allows for entering the Linux device path, serial number, model, native path or by path. Examples:
+REM '/dev/sda'
+REM 'S042J10XC57542'
+REM
+REM Table HiddenDevices works the same way, except that devices listed here won't appear at all in the Guymaer GUI.
+REM
+REM LocalHiddenDevicesUseRegExp defines whether the given strings for local and hidden devices should be interpreted
+REM as regular expressions or not. Example: With LocalHiddenDevicesUseRegExp switched on, the following string would
+REM match all loop devices in the range 10-15 (i.e. /dev/loop10 .. /dev/loop15):
+REM '/dev/loop1[0-5]'
+REM
+REM For both (reg. exp. on and off) the comparison is case independent.
+
+LocalHiddenDevicesUseRegExp = false
+
+TABLE LocalDevices NoName
+ REM Device
+ REM -------------------------------------------
+
+ENDTABLE
+
+TABLE HiddenDevices NoName
+ REM Device
+ REM -------------------------------------------
+
+ENDTABLE
+
+
+REM Below we include a local configuration file. All entries in the local configuration file will override the ones above.
+REM
+REM If ever you want to change some of the settings above, don't do it directly here, as all your changes would be
+REM gone when installing a new version of guymager. Edit /etc/guymager/local.cfg instead.
+
+INCLUDE_OPTIONAL /etc/guymager/local.cfg
+INCLUDE_OPTIONAL ./local.cfg
+
+ENDSECTION
--- /dev/null
+#!/bin/sh -e
+#
+# smartmontools init.d startup script
+#
+# (C) 2003,04,07 Guido Günther <agx@sigxcpu.org>
+#
+# loosely based on the init script that comes with smartmontools which is
+# copyrighted 2002 by Bruce Allen <smartmontools-support@lists.sourceforge.net>
+#
+### BEGIN INIT INFO
+# Provides: smartmontools
+# Required-Start: $syslog $remote_fs
+# Required-Stop: $syslog $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 1
+# Short-Description: SMART monitoring daemon
+### END INIT INFO
+
+SMARTCTL=/usr/sbin/smartctl
+DAEMON=/usr/sbin/smartd
+PIDFILE=/var/run/smartd.pid
+[ -x $SMARTCTL ] || exit 0
+[ -x $DAEMON ] || exit 0
+. /lib/lsb/init-functions
+
+RET=0
+
+[ -r /etc/default/rcS ] && . /etc/default/rcS
+[ -r /etc/default/smartmontools ] && . /etc/default/smartmontools
+
+smartd_opts="--pidfile $PIDFILE $smartd_opts"
+
+enable_smart() {
+ log_action_begin_msg "Enabling S.M.A.R.T."
+ for device in $enable_smart; do
+ log_action_cont_msg "$device"
+ if ! $SMARTCTL --quietmode=errorsonly --smart=on $device; then
+ log_action_cont_msg "(failed)"
+ RET=2
+ fi
+ done
+ log_action_end_msg 0
+}
+
+check_start_smartd_option() {
+ if [ ! "$start_smartd" = "yes" ]; then
+ [ "$VERBOSE" = "yes" ] && log_warning_msg "Not starting S.M.A.R.T. daemon smartd, disabled via /etc/default/smartmontools"
+ return 1
+ else
+ return 0
+ fi
+}
+
+running_pid()
+{
+ # Check if a given process pid's cmdline matches a given name
+ pid=$1
+ name=$2
+ [ -z "$pid" ] && return 1
+ [ ! -d /proc/$pid ] && return 1
+ cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
+ # Is this the expected child?
+ [ "$cmd" != "$name" ] && return 1
+ return 0
+}
+
+running()
+{
+# Check if the process is running looking at /proc
+# (works for all users)
+ # No pidfile, probably no daemon present
+ [ ! -f "$PIDFILE" ] && return 1
+ # Obtain the pid and check it against the binary name
+ pid=`cat $PIDFILE`
+ running_pid $pid $DAEMON || return 1
+ return 0
+}
+
+case "$1" in
+ start)
+ [ -n "$enable_smart" ] && enable_smart
+ if check_start_smartd_option; then
+
+ log_daemon_msg "Starting S.M.A.R.T. daemon" "smartd"
+ if running; then
+ log_progress_msg "already running"
+ log_end_msg 0
+ exit 0
+ fi
+ rm -f $PIDFILE
+ if start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --exec $DAEMON -- $smartd_opts; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ RET=1
+ fi
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping S.M.A.R.T. daemon" "smartd"
+ start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE
+ log_end_msg 0
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading S.M.A.R.T. daemon" "smartd"
+ if start-stop-daemon --stop --quiet --signal 1 \
+ --pidfile $PIDFILE; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ RET=1
+ fi
+ ;;
+ restart)
+ if check_start_smartd_option; then
+ log_daemon_msg "Restarting S.M.A.R.T. daemon" "smartd"
+ start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile $PIDFILE
+ rm -f $PIDFILE
+ if start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --exec $DAEMON -- $smartd_opts; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ RET=1
+ fi
+ fi
+ ;;
+ status)
+ status_of_proc $DAEMON smartd && exit 0 || exit $?
+ ;;
+ *)
+ echo "Usage: /etc/init.d/smartmontools {start|stop|restart|reload|force-reload|status}"
+ exit 1
+esac
+
+exit $RET
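Review bot: running() at the `pid=\`cat $PIDFILE\`` line hands whatever the pid file contains straight to running_pid, which only rejects an empty value before using it unquoted in `/proc/$pid` and `/proc/$pid/cmdline`, so a stale or corrupted file (whitespace, non-digits) is word-split and probed as a path instead of being rejected. A numeric guard in running_pid makes the check robust: replace `[ -z "$pid" ] && return 1` with `case "$pid" in ''|*[!0-9]*) return 1 ;; esac` and quote the expansion as `[ ! -d "/proc/$pid" ] && return 1`. The same unquoted pattern appears in enable_smart, where each `$device` read from /etc/default/smartmontools is passed to smartctl unquoted and would split on whitespace; `"$device"` is the safe form. Note also that the `-e` in the `#!/bin/sh -e` shebang is lost when the script is invoked as `sh /etc/init.d/smartmontools`; a `set -e` line after the LSB header keeps the behaviour identical in both invocations.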
--- /dev/null
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rkhunter: Rootkit hunter check started \(version [0-9.]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rkhunter: Scanning took ([0-9]+ minutes? and )?[0-9]+ seconds?$
--- /dev/null
+/var/log/rkhunter.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+}
image/gif; gthumb '%s'; test=test -n "$DISPLAY"
image/png; gthumb '%s'; test=test -n "$DISPLAY"
application/x-info; /usr/bin/info -f '%s'; needsterminal; description=GNU Info document
+audio/mpeg; mpg123 -q %s; needsterminal
application/mxf; /usr/bin/mplayer %s; description="MXF video"
application/x-netshow-channel; /usr/bin/mplayer %s; description="Windows Media Station file"
application/ogg; /usr/bin/mplayer %s; description="Ogg multimedia file"
--- /dev/null
+../init.d/smartmontools
\ No newline at end of file
--- /dev/null
+../init.d/smartmontools
\ No newline at end of file
--- /dev/null
+../init.d/smartmontools
\ No newline at end of file
--- /dev/null
+../init.d/smartmontools
\ No newline at end of file
--- /dev/null
+../init.d/smartmontools
\ No newline at end of file
--- /dev/null
+#
+# This is the main configuration file for Rootkit Hunter.
+#
+# You can modify this file directly, or you can create a local configuration
+# file. The local file must be named 'rkhunter.conf.local', and must reside
+# in the same directory as this file. Alternatively you can create a directory,
+# named 'rkhunter.d', which also must be in the same directory as this
+# configuration file. Within the 'rkhunter.d' directory you can place further
+# configuration files. There is no restriction on the file names used, other
+# than they must end in '.conf'.
+#
+# Please modify the configuration file(s) to your own requirements. It is
+# recommended that the command 'rkhunter -C' is run after any changes have
+# been made.
+#
+# Please review the documentation before posting bug reports or questions.
+# To report bugs, provide patches or comments, please go to:
+# http://rkhunter.sourceforge.net
+#
+# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list.
+# Note that this is a moderated list, so please subscribe before posting.
+#
+# In the configuration files, lines beginning with a hash (#), and blank lines,
+# are ignored. Also, end-of-line comments are not supported.
+#
+# Any of the configuration options may appear more than once. However, several
+# options only take one value, and so the last one seen will be used. Some
+# options are allowed to appear more than once, and the text describing the
+# option will say if this is so. These configuration options will, in effect,
+# have their values concatenated together. To delete a previously specified
+# option list, specify the option with no value (that is, a null string).
+#
+# Some of the options are space-separated lists, others, typically those
+# specifying pathnames, are newline-separated lists. These must be entered
+# as one item per line. Quotes must not be used to surround the pathname.
+#
+# For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an
+# option: XXX=/tmp/abc (correct)
+# XXX=/tmp/xyz
+#
+# XXX="/tmp/abc" (incorrect)
+# XXX="/tmp/xyz"
+#
+# XXX=/tmp/abc /tmp/xyz (incorrect)
+# or XXX="/tmp/abc /tmp/xyz" (incorrect)
+# or XXX="/tmp/abc" "/tmp/xyz" (incorrect)
+#
+# The last three examples are being configured as space-separated lists,
+# which is incorrect, generally, for options specifying pathnames. They
+# should be configured with one entry per line as in the first example.
+#
+# If wildcard characters (globbing) are allowed for an option, then the
+# text describing the option will say so. Any globbing character explicitly
+# required in a pathname should be escaped.
+#
+# Space-separated lists may be enclosed by quotes, although they are not
+# required. If they are used, then they must only appear at the start and
+# end of the list, not in the middle.
+#
+# For example: XXX=abc def gh (correct)
+# XXX="abc def gh" (correct)
+# XXX="abc" "def" "gh" (incorrect)
+#
+# Space-separated lists may also be entered simply as one entry per line.
+#
+# For example: XXX=abc (correct)
+# XXX=def
+# XXX="gh"
+#
+# If a configuration option is never set, then the program will assume a
+# default value. The text describing the option will state the default value.
+# If there is no default, then rkhunter will calculate a value or pathname
+# to use. If a value is set for a configuration option, then the default
+# value is ignored. If it is wished to keep the default value, as well as
+# any other set value, then the default must be explicitly set.
+#
+
+
+#
+# If this option is set to '1', it specifies that the mirrors file
+# ('mirrors.dat'), which is used when the '--update' and '--versioncheck'
+# options are used, is to be rotated. Rotating the entries in the file allows
+# a basic form of load-balancing between the mirror sites whenever the above
+# options are used.
+#
+# If the option is set to '0', then the mirrors will be treated as if in a
+# priority list. That is, the first mirror listed will always be used first.
+# The second mirror will only be used if the first mirror fails, the third
+# mirror will only be used if the second mirror fails, and so on.
+#
+# If the mirrors file is read-only, then the '--versioncheck' command-line
+# option can only be used if this option is set to '0'.
+#
+# The default value is '1'.
+#
+#ROTATE_MIRRORS=1
+
+#
+# If this option is set to '1', it specifies that when the '--update' option is
+# used, then the mirrors file is to be checked for updates as well. If the
+# current mirrors file contains any local mirrors, these will be prepended to
+# the updated file. If this option is set to '0', the mirrors file can only be
+# updated manually. This may be useful if only using local mirrors.
+#
+# The default value is '1'.
+#
+UPDATE_MIRRORS=0
+
+#
+# The MIRRORS_MODE option tells rkhunter which mirrors are to be used when
+# the '--update' or '--versioncheck' command-line options are given.
+# Possible values are:
+# 0 - use any mirror
+# 1 - only use local mirrors
+# 2 - only use remote mirrors
+#
+# Local and remote mirrors can be defined in the mirrors file by using the
+# 'local=' and 'remote=' keywords respectively.
+#
+# The default value is '0'.
+#
+MIRRORS_MODE=1
+
+#
+# Email a message to this address if a warning is found when the system is
+# being checked. Multiple addresses may be specified simply be separating
+# them with a space. To disable the option, simply set it to the null string
+# or comment it out.
+#
+# The option may be specified more than once.
+#
+# The default value is the null string.
+#
+# Also see the MAIL_CMD option.
+#
+#MAIL-ON-WARNING=root
+
+#
+# This option specifies the mail command to use if MAIL-ON-WARNING is set.
+#
+# NOTE: Double quotes are not required around the command, but are required
+# around the subject line if it contains spaces.
+#
+# The default is to use the 'mail' command, with a subject line
+# of '[rkhunter] Warnings found for ${HOST_NAME}'.
+#
+#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
+
+#
+# This option specifies the directory to use for temporary files.
+#
+# NOTE: Do not use '/tmp' as your temporary directory. Some important files
+# will be written to this directory, so be sure that the directory permissions
+# are secure.
+#
+# The installer program will set the default directory. If this default is
+# subsequently commented out or removed, then the program will assume a
+# default directory beneath the installation directory.
+#
+TMPDIR=/var/lib/rkhunter/tmp
+
+#
+# This option specifies the database directory to use.
+#
+# The installer program will set the default directory. If this default is
+# subsequently commented out or removed, then the program will assume a
+# default directory beneath the installation directory.
+#
+DBDIR=/var/lib/rkhunter/db
+
+#
+# This option specifies the script directory to use.
+#
+# The installer program will set the default directory. If this default is
+# subsequently commented out or removed, then the program will not run.
+#
+SCRIPTDIR=/usr/share/rkhunter/scripts
+
+#
+# This option can be used to modify the command directory list used by rkhunter
+# to locate commands (that is, its PATH). By default this will be the root PATH,
+# and an internal list of some common command directories.
+#
+# Any directories specified here will, by default, be appended to the default
+# list. However, if a directory name begins with the '+' character, then that
+# directory will be prepended to the list (that is, it will be put at the start
+# of the list).
+#
+# This is a space-separated list of directory names. The option may be
+# specified more than once.
+#
+# The default value is based on the root account PATH environment variable.
+#
+#BINDIR=/bin /usr/bin /sbin /usr/sbin
+#BINDIR=+/usr/local/bin +/usr/local/sbin
+
+#
+# This option specifies the default language to use. This should be similar to
+# the ISO 639 language code.
+#
+# NOTE: Please ensure that the language you specify is supported.
+# For a list of supported languages use the following command:
+#
+# rkhunter --lang en --list languages
+#
+# The default language is 'en' (English).
+#
+#LANGUAGE=en
+
+#
+# This option is a space-separated list of the languages that are to be updated
+# when the '--update' option is used. If unset, then all the languages will be
+# updated. If none of the languages are to be updated, then set this option to
+# just 'en'.
+#
+# The default language, specified by the LANGUAGE option, and the English (en)
+# language file will always be updated regardless of this option.
+#
+# This option may be specified more than once.
+#
+# The default value is the null string, indicating that all the language files
+# will be updated.
+#
+UPDATE_LANG="en"
+
+#
+# This option specifies the log file pathname. The file will be created if it
+# does not initially exist. If the option is unset, then the program will
+# display a message each time it is run saying that the default value is being
+# used.
+#
+# The default value is '/var/log/rkhunter.log'.
+#
+LOGFILE=/var/log/rkhunter.log
+
+#
+# Set this option to '1' if the log file is to be appended to whenever rkhunter
+# is run. A value of '0' will cause a new log file to be created whenever the
+# program is run.
+#
+# The default value is '0'.
+#
+#APPEND_LOG=0
+
+#
+# Set the following option to '1' if the log file is to be copied when rkhunter
+# finishes and an error or warning has occurred. The copied log file name will
+# be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format).
+# For example: rkhunter.log.2009-04-21_00:57:51
+# If the option value is '0', then the log file will not be copied regardless
+# of whether any errors or warnings occurred.
+#
+# The default value is '0'.
+#
+#COPY_LOG_ON_ERROR=0
+
+#
+# Set the following option to enable the rkhunter check start and finish times
+# to be logged by syslog. Warning messages will also be logged. The value of
+# the option must be a standard syslog facility and priority, separated by a
+# dot. For example:
+#
+# USE_SYSLOG=authpriv.warning
+#
+# Setting the value to 'NONE', or just leaving the option commented out,
+# disables the use of syslog.
+#
+# The default value is not to use syslog.
+#
+USE_SYSLOG=authpriv.warning
+
+#
+# Set the following option to '1' if the second colour set is to be used. This
+# can be useful if your screen uses black characters on a white background
+# (for example, a PC instead of a server). A value of '0' will cause the default
+# colour set to be used.
+#
+# The default value is '0'.
+#
+#COLOR_SET2=0
+
+#
+# Set the following option to '0' if rkhunter should not detect if X is being
+# used. If X is detected as being used, then the second colour set will
+# automatically be used. If set to '1', then the use of X will be detected.
+#
+# The default value is '0'.
+#
+AUTO_X_DETECT=1
+
+#
+# Set the following option to '1' if it is wanted that any 'Whitelisted' results
+# are shown in white rather than green. For colour set 2 users, setting this
+# option will cause the result to be shown in black. Setting the option to '0'
+# causes whitelisted results to be displayed in green.
+#
+# The default value is '0'.
+#
+#WHITELISTED_IS_WHITE=0
+
+#
+# The following option is checked against the SSH configuration file
+# 'PermitRootLogin' option. A warning will be displayed if they do not match.
+# However, if a value has not been set in the SSH configuration file, then a
+# value here of 'unset' can be used to avoid warning messages.
+#
+# The default value is 'no'.
+#
+#ALLOW_SSH_ROOT_USER=no
+
+#
+# Set this option to '1' to allow the use of the SSH-1 protocol, but note
+# that theoretically it is weaker, and therefore less secure, than the
+# SSH-2 protocol. Do not modify this option unless you have good reasons
+# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
+# authentication). If the 'Protocol' option has not been set in the SSH
+# configuration file, then a value of '2' may be set here in order to
+# suppress a warning message. A value of '0' indicates that the use of
+# SSH-1 is not allowed.
+#
+# The default value is '0'.
+#
+ALLOW_SSH_PROT_V1=2
+
+#
+# This setting tells rkhunter the directory containing the SSH configuration
+# file. If unset, this setting will be worked out by rkhunter, and so should
+# not usually need to be set.
+#
+# This option has no default value.
+#
+#SSH_CONFIG_DIR=/etc/ssh
+
+#
+# These two options determine which tests are to be performed. The ENABLE_TESTS
+# option can use the word 'ALL' to refer to all of the available tests. The
+# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are
+# disabled. The list of disabled tests is applied to the list of enabled tests.
+#
+# Both options are space-separated lists of test names, and both options may
+# be specified more than once. The currently available test names can be seen
+# by using the command 'rkhunter --list tests'.
+#
+# The supplied configuration file has some tests already disabled, and these
+# are tests that will be used only occasionally, can be considered 'advanced'
+# or that are prone to produce more than the average number of false-positives.
+#
+# Please read the README file for more details about enabling and disabling
+# tests, the test names, and how rkhunter behaves when these options are used.
+#
+# The default values are to enable all tests and to disable none. However, if
+# either of the options below are specified, then they will override the
+# program defaults.
+#
+ENABLE_TESTS=ALL
+DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps
+
+#
+# The HASH_CMD option can be used to specify the command to use for the file
+# properties hash value check. It can be specified as just the command name or
+# the full pathname. If just the command name is given, and it is one of MD5,
+# SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the
+# relevant command, such as 'sha256sum', and then for 'sha256'. If neither of
+# these are found, it will then look to see if a perl module has been installed
+# which will support the relevant hash function. To see which perl modules have
+# been installed use the command 'rkhunter --list perl'.
+#
+# Systems using prelinking are restricted to using either the SHA1 or MD5
+# function.
+#
+# A value of 'NONE' (in uppercase) can be specified to indicate that no hash
+# function should be used. Rkhunter will detect this, and automatically disable
+# the file properties hash check test.
+#
+# Examples:
+# For Solaris 9 : HASH_CMD=gmd5sum
+# For Solaris 10: HASH_CMD=sha1sum
+# For AIX (>5.2): HASH_CMD="csum -hMD5"
+# For NetBSD : HASH_CMD="cksum -a sha512"
+#
+# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# The default value is the SHA256 function, unless prelinking is used in
+# which case it defaults to the SHA1 function.
+#
+# Also see the HASH_FLD_IDX option. In addition, note the comments under
+# the PKGMGR option relating to the use of HASH_CMD.
+#
+#HASH_CMD=SHA256
+
+#
+# The HASH_FLD_IDX option specifies which field from the HASH_CMD command
+# output contains the hash value. The fields are assumed to be space-separated.
+#
+# The option value must be an integer greater than zero.
+#
+# The default value is '1', but for *BSD users rkhunter will, by default, use a
+# value of '4' if the HASH_CMD option has not been set.
+#
+#HASH_FLD_IDX=4
+
+#
+# The PKGMGR option tells rkhunter to use the specified package manager to
+# obtain the file property information. This is used when updating the file
+# properties file ('rkhunter.dat'), and when running the file properties check.
+# For RedHat/RPM-based systems, 'RPM' can be used to get information from the
+# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems
+# 'BSD' can be used, or for *BSD systems with the 'pkg' command 'BSDng' can be
+# used, and for Solaris systems 'SOLARIS' can be used. No value, or a value of
+# 'NONE', indicates that no package manager is to be used.
+#
+# The package managers obtain each file hash value using a hash function. The
+# Solaris package manager includes a 16-bit checksum value, but this is not
+# used by default (see USE_SUNSUM below). The 'RPM' and 'BSDng' package managers
+# currently use a SHA256 hash function. Other package managers will, typically,
+# use an MD5 hash function.
+#
+# The 'DPKG', 'BSD' and 'BSDng' package managers only provide a file hash value.
+# The 'RPM' package manager additionally provides values for the inode, file
+# permissions, uid, gid and other values. The 'SOLARIS' package manager also
+# provides most of the values, similar to 'RPM', but not the inode number.
+#
+# For any file not part of a package, rkhunter will revert to using the
+# HASH_CMD hash function instead. This means that if the HASH_CMD option
+# is set, and PKGMGR is set, then the HASH_CMD hash function is only used,
+# and stored, for non-packaged files. All packaged files will use, and store,
+# whatever hash function the relevant package manager uses. So, for example,
+# with the 'RPM' package manager, packaged files will be stored with their
+# SHA256 value regardless of the value of the HASH_CMD option.
+#
+# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# The default value is 'NONE'.
+#
+# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options.
+#
+# NONE is the default for Debian as well, as running --propupd takes
+# about 4 times longer when it's set to DPKG
+#
+#PKGMGR=NONE
+
+#
+# It is possible that a file, which is part of a package, may have been
+# modified by the administrator. Typically this occurs for configuration
+# files. However, the package manager may list the file as being modified.
+# For the RPM package manager this may well depend on how the package was
+# built. This option specifies a pathname which is to be exempt from the
+# package manager verification process, and which will be treated
+# as a non-packaged file. As such, the file properties are still checked.
+#
+# This option only takes effect if the PKGMGR option has been set, and
+# is not 'NONE'.
+#
+# This option may be specified more than once.
+#
+# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# The default value is the null string.
+#
+#PKGMGR_NO_VRFY=""
+
+#
+# If the 'SOLARIS' package manager is used, then it is possible to use the
+# checksum (hash) value stored for a file. However, this is only a 16-bit
+# checksum, and as such is not nearly as secure as, for example, a SHA-2 value.
+# If the option is set to '0', then the checksum is not used and the hash
+# function given by HASH_CMD is used instead. To enable this option, set its
+# value to '1'. The Solaris 'sum' command must be present on the system if this
+# option is used.
+#
+# The default value is '0'.
+#
+#USE_SUNSUM=0
+
+#
+# This option can be used to tell rkhunter to ignore any prelink dependency
+# errors for the given commands. However, a warning will also be issued if the
+# error does not occur for a given command. As such this option must only be
+# used on commands which experience a persistent problem.
+#
+# Short-term prelink dependency errors can usually be resolved simply by
+# running the 'prelink' command on the given pathname.
+#
+# This is a space-separated list of command pathnames. The option can be
+# specified more than once.
+#
+# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# The default value is the null string.
+#
+#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top
+
+#
+# These options specify a command, directory or file pathname which will be
+# included or excluded in the file properties checks.
+#
+# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example,
+# 'top' - and directory names are added to the internal list of directories to
+# be searched for each of the command names in the command list. Additionally,
+# full pathnames to files, which need not be commands, may be given. Any files
+# or directories which are already part of the internal lists will be silently
+# ignored from the configuration.
+#
+# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for
+# simple command names.
+# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
+#
+# To extend the use of wildcards to include recursive checking of directories,
+# see the GLOBSTAR configuration option.
+#
+# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS
+# option. Wildcards may be used with this option.
+#
+# By combining these two options, and using wildcards, whole directories can be
+# excluded. For example:
+#
+# USER_FILEPROP_FILES_DIRS=/etc/*
+# USER_FILEPROP_FILES_DIRS=/etc/*/*
+# EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/*
+#
+# This will look for files in the first two directory levels of '/etc'. However,
+# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be
+# excluded.
+#
+# NOTE: Only files and directories which have been added by the user, and are
+# not part of the internal lists, can be excluded. So, for example, it is not
+# possible to exclude the 'ps' command by using '/bin/ps'. These will be
+# silently ignored from the configuration.
+#
+# Both options can be specified more than once.
+#
+# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run.
+#
+# The default value for both options is the null string.
+#
+#USER_FILEPROP_FILES_DIRS=top
+#USER_FILEPROP_FILES_DIRS=/usr/local/sbin
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.d/*
+#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps*
+
+#
+# This option whitelists files and directories from existing, or not existing,
+# on the system at the time of testing. This option is used when the
+# configuration file options themselves are checked, and during the file
+# properties check, the hidden files and directories checks, and the filesystem
+# check of the '/dev' directory.
+#
+# This option may be specified more than once, and may use wildcards.
+# Be aware though that this is probably not what you want to do as the
+# wildcarding will be expanded after files have been deleted. As such
+# deleted files won't be whitelisted if wildcarded.
+#
+# NOTE: The user must take into consideration how often the file will appear
+# and disappear from the system in relation to how often rkhunter is run. If
+# the file appears, and disappears, too often then rkhunter may not notice
+# this. All it will see is that the file has changed. The inode number and DTM
+# will certainly be different for each new file, and rkhunter will report this.
+#
+# The default value is the null string.
+#
+#EXISTWHITELIST=""
+
+#
+# Whitelist various attributes of the specified file. The attributes are those
+# of the 'attributes' test. Specifying a file name here does not include it
+# being whitelisted for the write permission test (see below).
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ATTRWHITELIST=/usr/bin/date
+
+#
+# Allow the specified file to have the 'others' (world) permission have the
+# write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#WRITEWHITELIST=/usr/bin/date
+
+#
+# Allow the specified file to be a script.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+SCRIPTWHITELIST=/bin/egrep
+SCRIPTWHITELIST=/bin/fgrep
+SCRIPTWHITELIST=/bin/which
+SCRIPTWHITELIST=/usr/bin/ldd
+#SCRIPTWHITELIST=/usr/bin/lwp-request
+SCRIPTWHITELIST=/usr/sbin/adduser
+#SCRIPTWHITELIST=/usr/sbin/prelink
+#SCRIPTWHITELIST=/usr/sbin/unhide.rb
+
+#
+# Allow the specified file to have the immutable attribute set.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#IMMUTWHITELIST=/sbin/ifdown
+
+#
+# If this option is set to '1', then the immutable-bit test is reversed. That
+# is, the files are expected to have the bit set. A value of '0' means that the
+# immutable-bit should not be set.
+#
+# The default value is '0'.
+#
+#IMMUTABLE_SET=0
+
+#
+# If this option is set to '1', then any changed inode value is ignored in
+# the file properties check. The inode test itself still runs, but it will
+# always return that no inodes have changed.
+#
+# This option may be useful for filesystems such as Btrfs, which handle inodes
+# slightly differently than other filesystems.
+#
+# The default value is '0'.
+#
+#SKIP_INODE_CHECK=0
+
+#
+# Allow the specified hidden directory to be whitelisted.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWHIDDENDIR=/etc/.java
+#ALLOWHIDDENDIR=/etc/.git
+#ALLOWHIDDENDIR=/dev/.lxc
+
+#
+# Allow the specified hidden file to be whitelisted.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
+#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
+#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
+#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
+#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
+#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
+#ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
+#ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
+#ALLOWHIDDENFILE=/etc/.gitignore
+#ALLOWHIDDENFILE=/etc/.bzrignore
+#ALLOWHIDDENFILE=/etc/.etckeeper
+
+#
+# Allow the specified process to use deleted files. The process name may be
+# followed by a colon-separated list of full pathnames (which have been
+# deleted). The process will then only be whitelisted if it is using one of
+# the given pathnames. For example:
+#
+# ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
+#
+# This option may be specified more than once. It may also use wildcards, but
+# only in the deleted file pathnames, not in the process name. The use of
+# extended pattern matching in pathname expansion (for example, '**') is not
+# supported for this option. However, the option itself extends globbing when
+# the '*' character is used by matching zero or more characters in the
+# pathname, including those in sub-directories. For example, the pathname
+# '/tmp/abc/def/xyz' would not be matched by shell globbing using '/tmp/*/xyz'
+# but is matched when used in this option. Similarly, using '/tmp/*' will
+# match any file found in the '/tmp' directory or any sub-directories.
+#
+# The default value is the null string.
+#
+#ALLOWPROCDELFILE=/sbin/cardmgr
+#ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
+#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
+#ALLOWPROCDELFILE=/usr/lib/iceweasel/iceweasel
+#ALLOWPROCDELFILE=/usr/bin/file-roller
+
+#
+# Allow the specified process to listen on any network interface.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWPROCLISTEN=/sbin/dhclient
+#ALLOWPROCLISTEN=/usr/bin/dhcpcd
+#ALLOWPROCLISTEN=/usr/sbin/tcpdump
+#ALLOWPROCLISTEN=/usr/sbin/snort-plain
+
+#
+# Allow the specified network interfaces to be in promiscuous mode.
+#
+# This is a space-separated list of interface names. The option may be
+# specified more than once.
+#
+# The default value is the null string.
+#
+#ALLOWPROMISCIF=eth0
+
+#
+# This option specifies how rkhunter should scan the '/dev' directory for
+# suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'.
+#
+# A THOROUGH scan will increase the overall runtime of rkhunter. Despite this,
+# it is highly recommended that this value is used.
+#
+# The default value is 'THOROUGH'.
+#
+# Also see the ALLOWDEVFILE option.
+#
+#SCAN_MODE_DEV=THOROUGH
+
+#
+# Allow the specified file to be present in the '/dev' directory, and not
+# regarded as suspicious.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWDEVFILE=/dev/shm/pulse-shm-*
+#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
+
+#
+# Allow the specified process pathnames to use shared memory segments.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWIPCPROC=/usr/bin/firefox
+#ALLOWIPCPROC=/usr/bin/vlc
+
+#
+# Allow the specified memory segment creator PIDs to use shared memory segments.
+#
+# This is a space-separated list of PID numbers (as given by the
+# 'ipcs -p' command). This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#ALLOWIPCPID=12345 6789
+
+#
+# Allow the specified account names to use shared memory segments.
+#
+# This is a space-separated list of account names. The option may be specified
+# more than once.
+#
+# The default value is the null string.
+#
+#ALLOWIPCUSER=usera userb
+
+#
+# This option can be used to set the maximum shared memory segment size
+# (in bytes) that is not considered suspicious. Any segment above this size,
+# and with 600 or 666 permissions, will be considered suspicious during the
+# shared memory check.
+#
+# The default is 1048576 (1M) bytes.
+#
+#IPC_SEG_SIZE=1048576
+
+#
+# This option is used to indicate if the Phalanx2 test is to perform a basic
+# check, or a more thorough check. If the option is set to '0', then a basic
+# check is performed. If it is set to '1', then all the directories in the
+# '/etc' and '/usr' directories are scanned.
+#
+# NOTE: Setting this option to '1' will cause the test to take longer
+# to complete.
+#
+# The default value is '0'.
+#
+#PHALANX2_DIRTEST=0
+
+#
+# This option tells rkhunter where the inetd configuration file is located.
+#
+# The default value is the null string.
+#
+#INETD_CONF_PATH=/etc/inetd.conf
+
+#
+# This option allows the specified enabled inetd services.
+#
+# This is a space-separated list of service names. The option may be specified
+# more than once.
+#
+# For non-Solaris users the simple service name should be used.
+# For example:
+#
+# INETD_ALLOWED_SVC=echo
+#
+# For Solaris 9 users the simple service name should also be used, but
+# if it is an RPC service, then the executable pathname should be used.
+# For example:
+#
+# INETD_ALLOWED_SVC=imaps
+# INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd
+#
+# For Solaris 10 users the service/FMRI name should be used. For example:
+#
+# INETD_ALLOWED_SVC=/network/rpc/meta
+# INETD_ALLOWED_SVC=/network/rpc/metamed
+# INETD_ALLOWED_SVC=/application/font/stfsloader
+# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
+#
+# The default value is the null string.
+#
+#INETD_ALLOWED_SVC=echo
+
+#
+# This option tells rkhunter where the xinetd configuration file is located.
+#
+# The default value is the null string.
+#
+#XINETD_CONF_PATH=/etc/xinetd.conf
+
+#
+# This option allows the specified enabled xinetd services. Whilst it would be
+# nice to use the service names themselves, at the time of testing we only have
+# the pathname available. As such, these entries are the xinetd file pathnames.
+#
+# This is a space-separated list of service names. The option may be specified
+# more than once.
+#
+# The default value is the null string.
+#
+#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
+
+#
+# This option tells rkhunter the local system startup file pathnames. The
+# directories will be searched for files. If unset, then rkhunter will try
+# and determine were the startup files are located. If the option is set to
+# 'NONE' then certain tests will be skipped.
+#
+# This is a space-separated list of file and directory pathnames. The option
+# may be specified more than once, and may use wildcard characters.
+#
+# This option has no default value.
+#
+#STARTUP_PATHS=/etc/init.d /etc/rc.local
+
+#
+# This option tells rkhunter the pathname to the file containing the user
+# account passwords. If unset, this setting will be worked out by rkhunter,
+# and so should not usually need to be set. Users of TCB shadow files should
+# not set this option.
+#
+# This option has no default value.
+#
+#PASSWORD_FILE=/etc/shadow
+
+#
+# This option allows the specified accounts to be root equivalent. These
+# accounts will have a UID value of zero. The 'root' account does not need
+# to be listed as it is automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may be specified
+# more than once.
+#
+# NOTE: For *BSD systems you will probably need to use this option for the
+# 'toor' account.
+#
+# The default value is the null string.
+#
+#UID0_ACCOUNTS=toor rooty sashroot
+
+#
+# This option allows the specified accounts to have no password. NIS/YP entries
+# do not need to be listed as they are automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may be specified
+# more than once.
+#
+# The default value is the null string.
+#
+#PWDLESS_ACCOUNTS=abc
+
+#
+# This option tells rkhunter the pathname to the syslog configuration file.
+# If unset, this setting will be worked out by rkhunter, and so should not
+# usually need to be set. A value of 'NONE' can be used to indicate that
+# there is no configuration file, but that the syslog daemon process may
+# be running.
+#
+# This is a space-separated list of pathnames. The option may be specified
+# more than once.
+#
+# This option has no default value.
+#
+#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+
+#
+# If this option is set to '1', then the use of syslog remote logging is
+# permitted. A value of '0' disallows the use of remote logging.
+#
+# The default value is '0'.
+#
+#ALLOW_SYSLOG_REMOTE_LOGGING=0
+
+#
+# This option allows the specified applications, or a specific version of an
+# application, to be whitelisted. If a specific version is to be whitelisted,
+# then the name must be followed by a colon and then the version number.
+# For example:
+#
+# APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29
+#
+# This is a space-separated list of pathnames. The option may be specified
+# more than once.
+#
+# The default value is the null string.
+#
+#APP_WHITELIST=""
+
+#
+# Set this option to scan for suspicious files in directories which pose a
+# relatively higher risk due to user write access.
+#
+# Please do not enable the 'suspscan' test by default as it is CPU and I/O
+# intensive, and prone to producing false positives. Do review all settings
+# before usage. Also be aware that running 'suspscan' in combination with
+# verbose logging on, rkhunter's default, will show all ignored files.
+#
+# Please consider adding all directories the user the (web)server runs as,
+# and has write access to, including the document root (e.g: '/var/www') and
+# log directories (e.g: '/var/log/httpd').
+#
+# This is a space-separated list of directory pathnames. The option may be
+# specified more than once.
+#
+# The default value is the '/tmp' and '/var/tmp' directories.
+#
+#SUSPSCAN_DIRS=/tmp /var/tmp
+
+#
+# This option specifies the directory for temporary files used by the
+# 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is
+# better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS
+# as that is highly likely to cause false-positive results.
+#
+# The default value is '/dev/shm'.
+#
+#SUSPSCAN_TEMP=/dev/shm
+
+#
+# This option specifies the 'suspscan' test maximum filesize in bytes. Files
+# larger than this will not be inspected. Do make sure you have enough space
+# available in your temporary files directory.
+#
+# The default value is '1024000'.
+#
+#SUSPSCAN_MAXSIZE=1024000
+
+#
+# This option specifies the 'suspscan' test score threshold. Below this value
+# no hits will be reported.
+#
+# The default value is '200'.
+#
+#SUSPSCAN_THRESH=200
+
+#
+# This option may be used to whitelist file pathnames from the suspscan test.
+#
+# Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration
+# option.
+#
+# This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#SUSPSCAN_WHITELIST=""
+
+#
+# The following options can be used to whitelist network ports which are known
+# to have been used by malware.
+#
+# The PORT_WHITELIST option is a space-separated list of one or more of two
+# types of whitelisting. These are:
+#
+# 1) a 'protocol:port' pair
+# 2) an asterisk ('*')
+#
+# Only the UDP or TCP protocol may be specified, and the port number must be
+# between 1 and 65535 inclusive.
+#
+# The asterisk can be used to indicate that any executable which rkhunter can
+# locate as a command, is whitelisted. (Also see BINDIR)
+#
+# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting.
+# These are:
+#
+# 1) a pathname to an executable
+# 2) a combined pathname, protocol and port
+#
+# As above, the protocol can only be TCP or UDP, and the port number must be
+# between 1 and 65535 inclusive.
+#
+# Examples:
+#
+# PORT_WHITELIST=TCP:2001 UDP:32011
+# PORT_PATH_WHITELIST=/usr/sbin/squid
+# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
+#
+# NOTE: In order to whitelist a pathname, or use the asterisk option, the
+# 'lsof' command must be present.
+#
+# Both options may be specified more than once.
+#
+# The default value for both options is the null string.
+#
+#PORT_WHITELIST=""
+#PORT_PATH_WHITELIST=""
+
+#
+# The following option can be used to tell rkhunter where the operating system
+# 'release' file is located. This file contains information specifying the
+# current O/S version. RKH will store this information, and check to see if it
+# has changed between each run. If it has changed, then the user is warned that
+# RKH may issue warning messages until RKH has been run with the '--propupd'
+# option.
+#
+# Since the contents of the file vary according to the O/S distribution, RKH
+# will perform different actions when it detects the file itself. As such, this
+# option should not be set unless necessary. If this option is specified, then
+# RKH will assume the O/S release information is on the first non-blank line of
+# the file.
+#
+# This option has no default value.
+#
+# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options.
+#
+#OS_VERSION_FILE=/etc/debian_version
+
+#
+# Set the following option to '0' if you do not want to receive a warning if any
+# O/S information has changed since the last run of 'rkhunter --propupd'. The
+# warnings occur during the file properties check. Setting a value of '1' will
+# cause rkhunter to issue a warning if something has changed.
+#
+# The default value is '1'.
+#
+#WARN_ON_OS_CHANGE=1
+
+#
+# Set the following option to '1' if you want rkhunter to automatically run a
+# file properties update ('--propupd') if the O/S has changed. Detection of an
+# O/S change occurs during the file properties check. Setting a value of '0'
+# will cause rkhunter not to do an automatic update.
+#
+# WARNING: Only set this option if you are sure that the update will work
+# correctly. That is, that the database directory is writeable, that a valid
+# hash function is available, and so on. This can usually be checked simply by
+# running 'rkhunter --propupd' at least once.
+#
+# The default value is '0'.
+#
+#UPDT_ON_OS_CHANGE=0
+
+#
+# The following two options can be used to whitelist files and directories that
+# would normally be flagged with a warning during the various rootkit and
+# malware checks. Only existing files and directories can be specified, and
+# these must be full pathnames not links.
+#
+# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
+# file name (separated by a colon). This will then only whitelist that string
+# in that file (as part of the malware checks). For example:
+#
+# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
+#
+# If the option list includes the filename on its own as well, then the file
+# will be whitelisted from rootkit checks of the files existence, but still
+# only the specific string within the file will be whitelisted. For example:
+#
+# RTKT_FILE_WHITELIST=/etc/rc.local
+# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
+#
+# To whitelist a file from the existence checks, but not from the strings
+# checks, then include the filename on its own and on its own but with just
+# a colon appended. For example:
+#
+# RTKT_FILE_WHITELIST=/etc/rc.local
+# RTKT_FILE_WHITELIST=/etc/rc.local:
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# Both of these options may be specified more than once.
+#
+# For both options the default value is the null string.
+#
+#RTKT_DIR_WHITELIST=""
+#RTKT_FILE_WHITELIST=""
+
+#
+# The following option can be used to whitelist shared library files that would
+# normally be flagged with a warning during the preloaded shared library check.
+# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
+# the LD_PRELOAD environment variable.
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# This option is a space-separated list of library pathnames. The option may be
+# specified more than once.
+#
+# The default value is the null string.
+#
+#SHARED_LIB_WHITELIST=/lib/snoopy.so
+
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command the following two options can be used. The value must be set to
+# 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+# For both options the default value is the null string.
+#
+#STAT_CMD=BUILTIN
+#READLINK_CMD=BUILTIN
+
+#
+# In the file properties test any modification date/time is displayed as the
+# number of epoch seconds. Rkhunter will try and use the 'date' command, or
+# failing that the 'perl' command, to display the date and time in a
+# human-readable format as well. This option may be used if some other command
+# should be used instead. The given command must understand the '%s' and
+# 'seconds ago' options found in the GNU 'date' command.
+#
+# A value of 'NONE' may be used to request that only the epoch seconds be shown.
+# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
+# it is present.
+#
+# This option has no default value.
+#
+#EPOCH_DATE_CMD=""
+
+#
+# This setting tells rkhunter the directory containing the available Linux
+# kernel modules. If unset, this setting will be worked out by rkhunter, and
+# so should not usually need to be set.
+#
+# This option has no default value.
+#
+#MODULES_DIR=""
+
+#
+# The following option can be set to a command which rkhunter will use when
+# downloading files from the Internet - that is, when the '--update' or
+# '--versioncheck' option is used. The command can take options.
+#
+# This allows the user to use a command other than the one automatically
+# selected by rkhunter, but still one which it already knows about.
+# For example:
+#
+# WEB_CMD=curl
+#
+# Alternatively, the user may specify a completely new command. However, note
+# that rkhunter expects the downloaded file to be written to stdout, and that
+# everything written to stderr is ignored. For example:
+#
+# WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
+#
+# *BSD users may want to use the 'ftp' command, provided that it supports the
+# HTTP protocol:
+#
+# WEB_CMD="ftp -o -"
+#
+# This option has no default value.
+#
+WEB_CMD="/bin/false"
+
+#
+# Set the following option to '1' if locking is to be used when rkhunter runs.
+# The lock is set just before logging starts, and is removed when the program
+# ends. It is used to prevent items such as the log file, and the file
+# properties file, from becoming corrupted if rkhunter is running more than
+# once. The mechanism used is to simply create a lock file in the LOCKDIR
+# directory. If the lock file already exists, because rkhunter is already
+# running, then the current process simply loops around sleeping for 10 seconds
+# and then retrying the lock. A value of '0' means not to use locking.
+#
+# The default value is '0'.
+#
+# Also see the LOCKDIR, LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
+#
+#USE_LOCKING=0
+
+#
+# This option specifies the directory to be used when locking is enabled.
+# If the option is unset, then the directory to be used will be worked out
+# by rkhunter. In that instance the directories '/run/lock', '/var/lock',
+# '/var/run/lock', '/run' and '/var/run' will be checked in turn. If none
+# of those can be found, or are not read/writeable, then the TMPDIR directory
+# will be used.
+#
+# To avoid the lock file persisting across a server reboot, the directory
+# used should be memory-resident.
+#
+# This option has no default value.
+#
+#LOCKDIR=""
+
+#
+# If locking is used, then rkhunter may have to wait to get the lock file.
+# This option sets the total amount of time, in seconds, that rkhunter should
+# wait. It will retry the lock every 10 seconds, until either it obtains the
+# lock or the timeout value has been reached.
+#
+# The default value is 300 seconds (5 minutes).
+#
+#LOCK_TIMEOUT=300
+
+#
+# If locking is used, then rkhunter may be doing nothing for some time if it
+# has to wait for the lock. If this option is set to '1', then some simple
+# messages are echoed to the users screen to let them know that rkhunter is
+# waiting for the lock. Set this option to '0' if the messages are not to be
+# displayed.
+#
+# The default value is '1'.
+#
+#SHOW_LOCK_MSGS=1
+
+#
+# If this option is set to 'THOROUGH' then rkhunter will search (on a per
+# rootkit basis) for filenames in all of the directories (as defined by the
+# result of running 'find / -xdev'). While still not optimal, as it still
+# searches for only file names as opposed to file contents, this is one step
+# away from the rigidity of searching in known (evidence) or default
+# (installation) locations.
+#
+# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
+#
+# You should only activate this feature as part of a more thorough
+# investigation, which should be based on relevant best practices and
+# procedures.
+#
+# Enabling this feature implies you have the knowledge to interpret the
+# results properly.
+#
+# The default value is the null string.
+#
+#SCANROOTKITMODE=THOROUGH
+
+#
+# The following option can be set to the name(s) of the tests the 'unhide'
+# command is to use. Options such as '-m' and '-v' may be specified, but will
+# only take effect when they are seen. The test names are a space-separated
+# list, and will be executed in the order given.
+#
+# This option may be specified more than once.
+#
+# The default value is 'sys' in order to maintain compatibility with older
+# versions of 'unhide'.
+#
+#UNHIDE_TESTS=sys
+
+#
+# The following option can be used to set options for the 'unhide-tcp' command.
+# The options are space-separated.
+#
+# This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#UNHIDETCP_OPTS=""
+
+#
+# This option can be set to either '0' or '1'. If set to '1' then the summary,
+# shown after rkhunter has run, will display the actual number of warnings
+# found. If it is set to '0', then the summary will simply indicate that
+# 'One or more' warnings were found. If no warnings were found, and this option
+# is set to '1', then a "0" will be shown. If the option is set to '0', then
+# the words 'No warnings' will be shown.
+#
+# The default value is '0'.
+#
+#SHOW_SUMMARY_WARNINGS_NUMBER=0
+
+#
+# This option is used to determine where, if anywhere, the summary scan time is
+# displayed. A value of '0' indicates that it should not be displayed anywhere.
+# A value of '1' indicates that the time should only appear on the screen, and a
+# value of '2' that it should only appear in the log file. A value of '3'
+# indicates that the time taken should appear both on the screen and in the log
+# file.
+#
+# The default value is '3'.
+#
+#SHOW_SUMMARY_TIME=3
+
+#
+# The two options below may be used to check if a file is missing or empty
+# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check
+# if the file is missing, since that can be interpreted as a file of no size.
+# However, the file will only be reported as missing if the MISSING_LOGFILES
+# option hasn't already done this.
+#
+# Both options are space-separated lists of pathnames, and may be specified
+# more than once.
+#
+# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is
+# perfectly possible for the file to be either missing or empty. As such these
+# options may produce false-positive warnings when log files are rotated.
+#
+# For both options the default value is the null string.
+#
+#EMPTY_LOGFILES=""
+#MISSING_LOGFILES=""
+
+#
+# This option can be set to either '0' or '1'. If set to '1' then the globbing
+# characters '**' can be used to allow the recursive checking of directories.
+# This can be useful, for example, with the USER_FILEPROP_FILES_DIRS option.
+# For example:
+#
+# USER_FILEPROP_FILES_DIRS=/etc/**/*.conf
+#
+# This will check all '.conf' files within the '/etc' directory, and any
+# sub-directories (at any level). If GLOBSTAR is not set, then the shell will
+# interpret '**' as '*' and only one level of sub-directories will be checked.
+#
+# NOTE: This option is only valid for those shells which support the 'globstar'
+# option. Typically this will be 'bash' (version 4 and above) via the 'shopt' command,
+# and 'ksh' via the 'set' command.
+#
+# The default value is '0'.
+#
+#GLOBSTAR=0
+
+INSTALLDIR=/usr
+
--- /dev/null
+# Scalpel configuration file
+
+# This configuration file controls the
+# types and sizes of files that are carved by Scalpel. Currently,
+# Scalpel can read Foremost 0.69 configuration files, but Scalpel
+# configuration files may not be backwards-compatible with Foremost.
+# In particular, maximum file carve size under Foremost 0.69 is 4GB,
+# while in the current version of Scalpel, it's 16EB (16 exabytes).
+
+# For each file type, the configuration file
+# describes the file's extension, whether the header and footer are
+# case sensitive, the maximum file size, and the header and footer for
+# the file. The footer field is optional, but header, size, case
+# sensitivity, and extension are required. Any line that begins with a
+# '#' is considered a comment and ignored. Thus, to skip a file type
+# just put a '#' at the beginning of that line
+
+# Headers and footers are decoded before use. To specify a value in
+# hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7].
+# Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes
+# to "OSI CCI". # To match any single character (aka a wildcard) use
+# a '?'. If you need to search for the '?' character, you will need to
+# change the 'wildcard' line *and* every occurrence of the old
+# wildcard character in the configuration file. '
+#
+# Note: ?' is equal to 0x3f and \063.
+#
+# If you want files carved without filename extensions,
+# use "NONE" in the extension column.
+
+# The REVERSE keyword after a footer causes a search
+# backwards starting from [size] bytes beyond the location of the header
+# This is useful for files like PDFs that may contain multiple copies of
+# the footer throughout the file. When using the REVERSE keyword you will
+# extract bytes from the header to the LAST occurence of the footer (and
+# including the footer in the carved file).
+#
+# The NEXT keyword after a footer results in file carves that
+# include the header and all data BEFORE the first occurence of the
+# footer (the footer is not included in the carved file). If no
+# occurrence of the footer is discovered within maximum carve size bytes
+# from the header, then a block of the disk image including the header
+# and with length equal to the maximum carve size is carved. Use NEXT
+# when there is no definitive footer for a file type, but you know which
+# data should NOT be included in a carved file--e.g., the beginning of
+# a subsequent file of the same type.
+#
+# FORWARD_NEXT is the default carve type and this keyword may be
+# included after the footer, but is not required. For FORWARD_NEXT
+# carves, a block of data including the header and the first footer
+# (within the maximum carve size) are carved. If no footer appears
+# after the header within the maximum carve size, then no carving is
+# performed UNLESS the -b command line option is supplied. In this case,
+# a block of max carve size bytes, including the header, is carved and a
+# notation is made in the Scalpel log that the file was chopped.
+
+# To redefine the wildcard character, change the setting below and all
+# occurences in the formost.conf file.
+#
+#wildcard ?
+
+# case size header footer
+#extension sensitive
+#
+#---------------------------------------------------------------------
+# EXAMPLE WITH NO SUFFIX
+#---------------------------------------------------------------------
+#
+# Here is an example of how to use the no extension option. Any files
+# beginning with the string "FOREMOST" are carved and no file extensions
+# are used. No footer is defined and the max carve size is 1000 bytes.
+#
+# NONE y 1000 FOREMOST
+#
+#---------------------------------------------------------------------
+# GRAPHICS FILES
+#---------------------------------------------------------------------
+#
+#
+# AOL ART files
+# art y 150000 \x4a\x47\x04\x0e \xcf\xc7\xcb
+# art y 150000 \x4a\x47\x03\x0e \xd0\xcb\x00\x00
+#
+# GIF and JPG files (very common)
+# gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
+# gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b
+# jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
+#
+#
+# PNG
+# png y 20000000 \x50\x4e\x47? \xff\xfc\xfd\xfe
+#
+#
+# BMP (used by MSWindows, use only if you have reason to think there are
+# BMP files worth digging for. This often kicks back a lot of false
+# positives
+#
+# bmp y 100000 BM??\x00\x00\x00
+#
+# TIFF
+# tif y 200000000 \x49\x49\x2a\x00
+# TIFF
+# tif y 200000000 \x4D\x4D\x00\x2A
+#
+#---------------------------------------------------------------------
+# ANIMATION FILES
+#---------------------------------------------------------------------
+#
+# AVI (Windows animation and DiVX/MPEG-4 movies)
+# avi y 50000000 RIFF????AVI
+#
+# Apple Quicktime
+# These needles are based on the file command's magic. I don't
+# recommend uncommenting the 4th and 5th Quicktime needles unless
+# you're sure you need to, because they generate HUGE numbers of
+# false positives.
+#
+# mov y 10000000 ????moov
+# mov y 10000000 ????mdat
+# mov y 10000000 ????widev
+# mov y 10000000 ????skip
+# mov y 10000000 ????free
+# mov y 10000000 ????idsc
+# mov y 10000000 ????pckg
+#
+# MPEG Video
+# mpg y 50000000 \x00\x00\x01\xba \x00\x00\x01\xb9
+# mpg y 50000000 \x00\x00\x01\xb3 \x00\x00\x01\xb7
+#
+# Macromedia Flash
+# fws y 4000000 FWS
+#
+#---------------------------------------------------------------------
+# MICROSOFT OFFICE
+#---------------------------------------------------------------------
+#
+# Word documents
+#
+#
+# doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
+# doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1
+#
+# Outlook files
+# pst y 500000000 \x21\x42\x4e\xa5\x6f\xb5\xa6
+# ost y 500000000 \x21\x42\x44\x4e
+#
+# Outlook Express
+# dbx y 10000000 \xcf\xad\x12\xfe\xc5\xfd\x74\x6f
+# idx y 10000000 \x4a\x4d\x46\x39
+# mbx y 10000000 \x4a\x4d\x46\x36
+#
+#---------------------------------------------------------------------
+# WORDPERFECT
+#---------------------------------------------------------------------
+#
+# wpc y 1000000 ?WPC
+#
+#---------------------------------------------------------------------
+# HTML
+#---------------------------------------------------------------------
+#
+# htm n 50000 <html </html>
+#
+#---------------------------------------------------------------------
+# ADOBE PDF
+#---------------------------------------------------------------------
+#
+# pdf y 5000000 %PDF %EOF\x0d REVERSE
+# pdf y 5000000 %PDF %EOF\x0a REVERSE
+#
+#---------------------------------------------------------------------
+# AOL (AMERICA ONLINE)
+#---------------------------------------------------------------------
+#
+# AOL Mailbox
+# mail y 500000 \x41\x4f\x4c\x56\x4d
+#
+#
+#
+#---------------------------------------------------------------------
+# PGP (PRETTY GOOD PRIVACY)
+#---------------------------------------------------------------------
+#
+# PGP Disk Files
+# pgd y 500000 \x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01
+#
+# Public Key Ring
+# pgp y 100000 \x99\x00
+# Security Ring
+# pgp y 100000 \x95\x01
+# pgp y 100000 \x95\x00
+# Encrypted Data or ASCII armored keys
+# pgp y 100000 \xa6\x00
+# (there should be a trailer for this...)
+# txt y 100000 -----BEGIN\040PGP
+#
+#
+#---------------------------------------------------------------------
+# RPM (Linux package format)
+#---------------------------------------------------------------------
+# rpm y 1000000 \xed\xab
+#
+#
+#---------------------------------------------------------------------
+# SOUND FILES
+#---------------------------------------------------------------------
+#
+# wav y 200000 RIFF????WAVE
+#
+# Real Audio Files
+# ra y 1000000 \x2e\x72\x61\xfd
+# ra y 1000000 .RMF
+#
+#---------------------------------------------------------------------
+# WINDOWS REGISTRY FILES
+#---------------------------------------------------------------------
+#
+# Windows NT registry
+# dat y 4000000 regf
+# Windows 95 registry
+# dat y 4000000 CREG
+#
+#
+#---------------------------------------------------------------------
+# MISCELLANEOUS
+#---------------------------------------------------------------------
+#
+# zip y 10000000 PK\x03\x04 \x3c\xac
+#
+# java y 1000000 \xca\xfe\xba\xbe
+#
+#---------------------------------------------------------------------
+# ScanSoft PaperPort "Max" files
+#---------------------------------------------------------------------
+# max y 1000000 \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00 \x00\x00\x05\x80\x00\x00
+#---------------------------------------------------------------------
+# PINs Password Manager program
+#---------------------------------------------------------------------
+# pins y 8000 \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d
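Review bot: The wildcard note near the top of this file, `# Note: ?' is equal to 0x3f and \063.`, gives the wrong octal value and has a misplaced quote: '?' is 0x3f, which is \077 in the file's own \[0-3][0-7][0-7] octal notation, whereas \063 decodes to '3', so anyone copying that value into a header or footer would match the wrong byte. I'd change it to `# Note: '?' is equal to 0x3f and \077.` and drop the stray trailing quote on the preceding line `# wildcard character in the configuration file. '`. Two smaller wording slips in the same hunk: `occurence` (in the REVERSE and NEXT paragraphs) should be `occurrence`, and `all occurences in the formost.conf file` presumably carried over from Foremost and should name this file (scalpel.conf) instead. These are comment-only fixes; no carve rule in the hunk is affected.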
--- /dev/null
+# Sample configuration file for smartd. See man smartd.conf.
+
+# Home page is: http://www.smartmontools.org
+
+# smartd will re-read the configuration file if it receives a HUP
+# signal
+
+# The file gives a list of devices to monitor using smartd, with one
+# device per line. Text after a hash (#) is ignored, and you may use
+# spaces and tabs for white space. You may use '\' to continue lines.
+
+# You can usually identify which hard disks are on your system by
+# looking in /proc/ide and in /proc/scsi.
+
+# The word DEVICESCAN will cause any remaining lines in this
+# configuration file to be ignored: it tells smartd to scan for all
+# ATA and SCSI devices. DEVICESCAN may be followed by any of the
+# Directives listed below, which will be applied to all devices that
+# are found. Most users should comment out DEVICESCAN and explicitly
+# list the devices that they wish to monitor.
+DEVICESCAN -d removable -n standby -m root -M exec /usr/share/smartmontools/smartd-runner
+
+# Alternative setting to ignore temperature and power-on hours reports
+# in syslog.
+#DEVICESCAN -I 194 -I 231 -I 9
+
+# Alternative setting to report more useful raw temperature in syslog.
+#DEVICESCAN -R 194 -R 231 -I 9
+
+# Alternative setting to report raw temperature changes >= 5 Celsius
+# and min/max temperatures.
+#DEVICESCAN -I 194 -I 231 -I 9 -W 5
+
+# First ATA/SATA or SCSI/SAS disk. Monitor all attributes, enable
+# automatic online data collection, automatic Attribute autosave, and
+# start a short self-test every day between 2-3am, and a long self test
+# Saturdays between 3-4am.
+#/dev/sda -a -o on -S on -s (S/../.././02|L/../../6/03)
+
+# Monitor SMART status, ATA Error Log, Self-test log, and track
+# changes in all attributes except for attribute 194
+#/dev/sdb -H -l error -l selftest -t -I 194
+
+# Monitor all attributes except normalized Temperature (usually 194),
+# but track Temperature changes >= 4 Celsius, report Temperatures
+# >= 45 Celsius and changes in Raw value of Reallocated_Sector_Ct (5).
+# Send mail on SMART failures or when Temperature is >= 55 Celsius.
+#/dev/sdc -a -I 194 -W 4,45,55 -R 5 -m admin@example.com
+
+# An ATA disk may appear as a SCSI device to the OS. If a SCSI to
+# ATA Translation (SAT) layer is between the OS and the device then
+# this can be flagged with the '-d sat' option. This situation may
+# become common with SATA disks in SAS and FC environments.
+# /dev/sda -a -d sat
+
+# A very silent check. Only report SMART health status if it fails
+# But send an email in this case
+#/dev/sdc -H -C 0 -U 0 -m admin@example.com
+
+# First two SCSI disks. This will monitor everything that smartd can
+# monitor. Start extended self-tests Wednesdays between 6-7pm and
+# Sundays between 1-2 am
+#/dev/sda -d scsi -s L/../../3/18
+#/dev/sdb -d scsi -s L/../../7/01
+
+# Monitor 4 ATA disks connected to a 3ware 6/7/8000 controller which uses
+# the 3w-xxxx driver. Start long self-tests Sundays between 1-2, 2-3, 3-4,
+# and 4-5 am.
+# NOTE: starting with the Linux 2.6 kernel series, the /dev/sdX interface
+# is DEPRECATED. Use the /dev/tweN character device interface instead.
+# For example /dev/twe0, /dev/twe1, and so on.
+#/dev/sdc -d 3ware,0 -a -s L/../../7/01
+#/dev/sdc -d 3ware,1 -a -s L/../../7/02
+#/dev/sdc -d 3ware,2 -a -s L/../../7/03
+#/dev/sdc -d 3ware,3 -a -s L/../../7/04
+
+# Monitor 2 ATA disks connected to a 3ware 9000 controller which
+# uses the 3w-9xxx driver (Linux, FreeBSD). Start long self-tests Tuesdays
+# between 1-2 and 3-4 am.
+#/dev/twa0 -d 3ware,0 -a -s L/../../2/01
+#/dev/twa0 -d 3ware,1 -a -s L/../../2/03
+
+# Monitor 2 SATA (not SAS) disks connected to a 3ware 9000 controller which
+# uses the 3w-sas driver (Linux). Start long self-tests Tuesdays
+# between 1-2 and 3-4 am.
+# On FreeBSD /dev/tws0 should be used instead
+#/dev/twl0 -d 3ware,0 -a -s L/../../2/01
+#/dev/twl0 -d 3ware,1 -a -s L/../../2/03
+
+# Same as above for Windows. Option '-d 3ware,N' is not necessary,
+# disk (port) number is specified in device name.
+# NOTE: On Windows, DEVICESCAN works also for 3ware controllers.
+#/dev/hdc,0 -a -s L/../../2/01
+#/dev/hdc,1 -a -s L/../../2/03
+#
+# Monitor 2 disks connected to the first HP SmartArray controller which
+# uses the cciss driver. Start long tests on Sunday nights and short
+# self-tests every night and send errors to root
+#/dev/cciss/c0d0 -d cciss,0 -a -s (L/../../7/02|S/../.././02) -m root
+#/dev/cciss/c0d0 -d cciss,1 -a -s (L/../../7/03|S/../.././03) -m root
+
+# Monitor 3 ATA disks directly connected to a HighPoint RocketRAID. Start long
+# self-tests Sundays between 1-2, 2-3, and 3-4 am.
+#/dev/sdd -d hpt,1/1 -a -s L/../../7/01
+#/dev/sdd -d hpt,1/2 -a -s L/../../7/02
+#/dev/sdd -d hpt,1/3 -a -s L/../../7/03
+
+# Monitor 2 ATA disks connected to the same PMPort which connected to the
+# HighPoint RocketRAID. Start long self-tests Tuesdays between 1-2 and 3-4 am
+#/dev/sdd -d hpt,1/4/1 -a -s L/../../2/01
+#/dev/sdd -d hpt,1/4/2 -a -s L/../../2/03
+
+# HERE IS A LIST OF DIRECTIVES FOR THIS CONFIGURATION FILE.
+# PLEASE SEE THE smartd.conf MAN PAGE FOR DETAILS
+#
+# -d TYPE Set the device type: ata, scsi, marvell, removable, 3ware,N, hpt,L/M/N
+# -T TYPE set the tolerance to one of: normal, permissive
+# -o VAL Enable/disable automatic offline tests (on/off)
+# -S VAL Enable/disable attribute autosave (on/off)
+# -n MODE No check. MODE is one of: never, sleep, standby, idle
+# -H Monitor SMART Health Status, report if failed
+# -l TYPE Monitor SMART log. Type is one of: error, selftest
+# -f Monitor for failure of any 'Usage' Attributes
+# -m ADD Send warning email to ADD for -H, -l error, -l selftest, and -f
+# -M TYPE Modify email warning behavior (see man page)
+# -s REGE Start self-test when type/date matches regular expression (see man page)
+# -p Report changes in 'Prefailure' Normalized Attributes
+# -u Report changes in 'Usage' Normalized Attributes
+# -t Equivalent to -p and -u Directives
+# -r ID Also report Raw values of Attribute ID with -p, -u or -t
+# -R ID Track changes in Attribute ID Raw value with -p, -u or -t
+# -i ID Ignore Attribute ID for -f Directive
+# -I ID Ignore Attribute ID for -p, -u or -t Directive
+# -C ID Report if Current Pending Sector count non-zero
+# -U ID Report if Offline Uncorrectable count non-zero
+# -W D,I,C Monitor Temperature D)ifference, I)nformal limit, C)ritical limit
+# -v N,ST Modifies labeling of Attribute N (see man page)
+# -a Default: equivalent to -H -f -t -l error -l selftest -C 197 -U 198
+# -F TYPE Use firmware bug workaround. Type is one of: none, samsung
+# -P TYPE Drive-specific presets: use, ignore, show, showall
+# # Comment: text after a hash sign is ignored
+# \ Line continuation character
+# Attribute ID is a decimal integer 1 <= ID <= 255
+# except for -C and -U, where ID = 0 turns them off.
+# All but -d, -m and -M Directives are only implemented for ATA devices
+#
+# If the test string DEVICESCAN is the first uncommented text
+# then smartd will scan for devices.
+# DEVICESCAN may be followed by any desired Directives.
--- /dev/null
+#!/bin/bash -e
+
+# Send mail if /usr/bin/mail exists
+if ! [ -x /usr/bin/mail ]; then
+ echo "Your system does not have /usr/bin/mail. Install the mailx or mailutils package"
+ exit 1
+fi
+
+input=$1
+shift
+
+/usr/bin/mail "$@" < $input
+
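Review bot: The redirect on the last line of the script, `/usr/bin/mail "$@" < $input`, leaves `$input` unquoted, so a path containing whitespace or glob characters is word-split or expanded before the redirect and bash aborts with an ambiguous-redirect error; the quoted form `/usr/bin/mail "$@" < "$input"` avoids that (ShellCheck SC2086). The diagnostic printed when /usr/bin/mail is missing goes to stdout rather than stderr, so `echo "Your system does not have /usr/bin/mail. Install the mailx or mailutils package" >&2` is the better form for an error message. The `-e` option in the `#!/bin/bash -e` shebang is silently dropped when the script is invoked as `bash 10mail`, so a `set -e` line directly after the shebang is the reliable way to get that behaviour.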
--- /dev/null
+#! /bin/sh
+
+# Send message if /usr/lib/powersave/powersave-notify exists or exit silently
+[ -x /usr/lib/powersave/powersave-notify ] || exit 0
+
+/usr/lib/powersave/powersave-notify "<b>Your hard disk drive is failing!</b>
+S.M.A.R.T. message:
+$SMARTD_MESSAGE"
--- /dev/null
+/lib/systemd/system/smartd.service
\ No newline at end of file