From: root Date: Tue, 9 Oct 2018 09:28:45 +0000 (+0200) Subject: committing changes in /etc after apt run X-Git-Url: https://git.hoellein.online/?a=commitdiff_plain;h=7ad1681633b53aea82023064f910f97f4bc53aae;p=zenbook committing changes in /etc after apt run Package changes: +aesfix 1.0.1-5 amd64 +aeskeyfind 1:1.0-4 amd64 +afflib-tools 3.7.16-2build2 amd64 +bruteforce-salted-openssl 1.4.0-1build1 amd64 +cewl 5.3-1 all +chaosreader 0.96-3 all +dc3dd 7.2.646-1 amd64 +dislocker 0.7.1-3build3 amd64 +dwarfdump 20180129-1 amd64 +ed2k-hash 0.3.3+deb2-3 amd64 +ewf-tools 20140608-6.1build1 amd64 +exif 0.6.21-2 amd64 +exifprobe 2.0.1+git20170416.3c2b769-1 amd64 +ext3grep 0.10.2-3ubuntu1 amd64 +ext4magic 0.3.2-7ubuntu1 amd64 +flac 1.3.2-1 amd64 +fonts-lato 2.0-2 all +forensic-artifacts 20170808-1 all +forensics-all 1.7 all +forensics-colorize 1.1-2 amd64 +galleta 1.0+20040505-8 amd64 +gpart 1:0.3-3 amd64 +grokevt 0.5.0-1 all +guymager 0.8.7-1 amd64 +hashdeep 4.4-4 amd64 +hashrat 1.8.12+dfsg-1 amd64 +ipython 5.5.0-1 all +libbde1 20170902-2 amd64 +libcapstone3 3.0.4-5 amd64 +libdislocker0.7 0.7.1-3build3 amd64 +libdistorm3-3 3.3.4-2 amd64 +libesedb1 20170121-4 amd64 +libevt1 20170120-2 amd64 +libevtx1 20170122-3 amd64 +libfsntfs1 20170315-2 amd64 +libfvde1 20180108-1 amd64 +libfwnt1 20180117-1 amd64 +libfwsi1 20171103-1 amd64 +libguytools2 2.0.5-1 amd64 +libjpeg-turbo-progs 1.5.2-0ubuntu5.18.04.1 amd64 +libjs-sphinxdoc 1.6.7-1ubuntu1 all +liblnk1 20171101-1 amd64 +libmcrypt4 2.5.8-3.3 amd64 +libmsiecf1 20170116-2 amd64 +libolecf1 20170825-2 amd64 +libout123-0 1.25.10-1 amd64 +libpff1 20120802-5.1 amd64 +libqcow1 20170222-3 amd64 +libregf1 20170130-2 amd64 +libregfi1 1.0.1+svn287-6 amd64 +libruby2.5 2.5.1-1ubuntu1 amd64 +libscca1 20170205-2 amd64 +libsigscan1 20170124-2 amd64 +libsmdev1 20171112-1 amd64 +libsmraw1 20180123-1 amd64 +libvhdi1 20170223-3 amd64 +libvmdk1 20170226-3 amd64 +libvshadow1 20170902-2 amd64 +libvslvm1 20160110-3 amd64 +libyara3 3.7.1-1ubuntu2 amd64 
+mac-robber 1.02-5 amd64 +magicrescue 1.1.9-6 amd64 +memdump 1.01-7build1 amd64 +metacam 1.2-9 amd64 +missidentify 1.0-8 amd64 +mpg123 1.25.10-1 amd64 +myrescue 0.9.4-9 amd64 +nasty 0.6-3 amd64 +outguess 1:0.2-8 amd64 +pasco 20040505-2 amd64 +pff-tools 20120802-5.1 amd64 +pipebench 0.40-4 amd64 +plaso 1.5.1+dfsg-4 all +pompem 0.2.0-3 all +python-acora 2.0-2build3 amd64 +python-aff4 0.24.post1-3 all +python-arrow 0.10.0-1 all +python-artifacts 20170808-1 all +python-attr 17.4.0-2 all +python-backports-shutil-get-terminal-size 1.0.0-5 all +python-binplist 0.1.5-1 all +python-bittorrent 3.4.2-12 all +python-capstone 3.0.4-5 amd64 +python-configparser 3.5.0-1 all +python-construct.legacy 2.5.3-2 all +python-dateutil 2.6.1-1 all +python-decorator 4.1.2-1 all +python-dfdatetime 20180110-1 all +python-dfvfs 20171230-1ubuntu1 all +python-dfwinreg 20170706-2 all +python-distorm3 3.3.4-2 all +python-dpkt 1.8.r98-0.1 all +python-dumbnet 1.12-7build1 amd64 +python-efilter 1.5-2 all +python-et-xmlfile 1.0.1-2 all +python-funcsigs 1.0.2-4 all +python-future 0.15.2-4ubuntu2 all +python-hachoir-core 1.3.3-4 all +python-hachoir-metadata 1.3.3-2 all +python-hachoir-parser 1.3.4-2 all +python-intervaltree 2.1.0-2 all +python-ipaddr 2.2.0-1 all +python-ipython 5.5.0-1 all +python-ipython-genutils 0.2.0-1 all +python-isodate 0.6.0-1 all +python-jdcal 1.0-1.2 all +python-libbde 20170902-2 amd64 +python-libesedb 20170121-4 amd64 +python-libevt 20170120-2 amd64 +python-libevtx 20170122-3 amd64 +python-libewf 20140608-6.1build1 amd64 +python-libfsntfs 20170315-2 amd64 +python-libfvde 20180108-1 amd64 +python-libfwnt 20180117-1 amd64 +python-libfwsi 20171103-1 amd64 +python-liblnk 20171101-1 amd64 +python-libmsiecf 20170116-2 amd64 +python-libolecf 20170825-2 amd64 +python-libqcow 20170222-3 amd64 +python-libregf 20170130-2 amd64 +python-libscca 20170205-2 amd64 +python-libsigscan 20170124-2 amd64 +python-libsmdev 20171112-1 amd64 +python-libsmraw 20180123-1 amd64 +python-libvhdi 20170223-3 
amd64 +python-libvmdk 20170226-3 amd64 +python-libvshadow 20170902-2 amd64 +python-libvslvm 20160110-3 amd64 +python-lzma 0.5.3-3 amd64 +python-mock 2.0.0-3 all +python-olefile 0.45.1-1 all +python-openpyxl 2.4.9-1 all +python-pathlib2 2.3.0-1 all +python-pbr 3.1.1-3ubuntu3 all +python-pefile 2017.11.5-2 all +python-pexpect 4.2.1-1 all +python-pickleshare 0.7.4-2 all +python-pil 5.1.0-1 amd64 +python-pluggy 0.6.0-1 all +python-prompt-toolkit 1.0.15-1 all +python-protobuf 3.0.0-9.1ubuntu1 amd64 +python-psutil 5.4.2-1 amd64 +python-ptyprocess 0.5.2-1 all +python-py 1.5.2-1 all +python-pyelftools 0.24-4 all +python-pygments 2.2.0+dfsg-1 all +python-pyparsing 2.2.0+dfsg1-2 all +python-pytest 3.3.2-2 all +python-rdflib 4.2.1-2 all +python-rekall-core 1.6.0+dfsg-2 all +python-scandir 1.7-1 amd64 +python-simplegeneric 0.8.1-1 all +python-sortedcontainers 1.5.7-1 all +python-sparqlwrapper 1.7.6-2 all +python-traitlets 4.3.2-1 all +python-tsk 20171108-1ubuntu1 amd64 +python-tz 2018.3-2 all +python-wcwidth 0.1.7+dfsg1-1 all +python-xlsxwriter 0.9.6-0.1 all +python-yaml 3.12-1build2 amd64 +python-yara 3.7.0+ds-1 amd64 +python-zmq 16.0.2-2build2 amd64 +rake 12.3.1-1 all +recoverdm 0.20-4 amd64 +recoverjpeg 2.6.1-1 amd64 +reglookup 1.0.1+svn287-6 amd64 +rekall-core 1.6.0+dfsg-2 all +rephrase 0.2-2 amd64 +rifiuti 20040505-1 amd64 +rifiuti2 0.6.1-5 amd64 +rkhunter 1.4.6-2~ubuntu18.04.1 all +rsakeyfind 1:1.0-4 amd64 +ruby 1:2.5.1 amd64 +ruby-did-you-mean 1.2.0-2 all +ruby-mime 0.4.4-1 all +ruby-mime-types 3.1-1 all +ruby-mime-types-data 3.2015.1120-1 all +ruby-mini-exiftool 2.9.0-1 all +ruby-minitest 5.10.3-1 all +ruby-net-http-digest-auth 1.4-2 all +ruby-net-telnet 0.1.1-2 all +ruby-nokogiri 1.8.2-1build1 amd64 +ruby-pkg-config 1.2.9-1 all +ruby-power-assert 0.3.0-1 all +ruby-spider 0.5.0-2 all +ruby-test-unit 3.2.5-1 all +ruby-zip 1.2.1-1 amd64 +ruby2.5 2.5.1-1ubuntu1 amd64 +rubygems-integration 1.11 all +safecopy 1.7-2 amd64 +scalpel 1.60-4 amd64 +scrounge-ntfs 0.9-8 amd64 
+shed 1.15-3build1 amd64 +smartmontools 6.5+svn4324-1 amd64 +ssdeep 2.14-1 amd64 +steghide 0.5.1-12 amd64 +tableau-parm 0.2.0-4 amd64 +undbx 0.21-1 amd64 +unhide 20130526-1 amd64 +unhide.rb 22-2 all +vinetto 1:0.07-7 all +volatility 2.6+git20170711.b3db0cc-1 all +volatility-tools 2.6+git20170711.b3db0cc-1 all +winregfs 0.7-1 amd64 +wipe 0.24-2 amd64 +yara 3.7.1-1ubuntu2 amd64 --- diff --git a/.etckeeper b/.etckeeper index b5da9b5..b17c144 100755 --- a/.etckeeper +++ b/.etckeeper @@ -20,6 +20,7 @@ mkdir -p './davfs2/certs/private' mkdir -p './dbus-1/session.d' mkdir -p './fish/completions' mkdir -p './glvnd/egl_vendor.d' +mkdir -p './grokevt/systems' mkdir -p './guest-session' mkdir -p './initramfs-tools/hooks' mkdir -p './initramfs-tools/scripts/init-bottom' @@ -59,6 +60,7 @@ mkdir -p './psad/snort_rules' mkdir -p './request-key.d' mkdir -p './security/limits.d' mkdir -p './security/namespace.d' +mkdir -p './smartmontools/smartd_warning.d' mkdir -p './systemd/network' mkdir -p './systemd/user' mkdir -p './udev/hwdb.d' @@ -502,6 +504,7 @@ maybe chmod 0644 'apt/apt.conf.d/50command-not-found' maybe chmod 0644 'apt/apt.conf.d/50unattended-upgrades' maybe chmod 0644 'apt/apt.conf.d/60icons' maybe chmod 0644 'apt/apt.conf.d/70debconf' +maybe chmod 0644 'apt/apt.conf.d/90rkhunter' maybe chmod 0644 'apt/apt.conf.d/99update-notifier' maybe chmod 0755 'apt/preferences.d' maybe chmod 0664 'apt/sources.list' @@ -1133,6 +1136,7 @@ maybe chmod 0755 'cron.daily/mlocate' maybe chmod 0755 'cron.daily/ntp' maybe chmod 0755 'cron.daily/passwd' maybe chmod 0755 'cron.daily/popularity-contest' +maybe chmod 0755 'cron.daily/rkhunter' maybe chmod 0755 'cron.daily/rsnapshot' maybe chmod 0755 'cron.daily/ubuntu-advantage-tools' maybe chmod 0755 'cron.daily/update-notifier-common' 
@@ -1147,6 +1151,7 @@ maybe chmod 0755 'cron.weekly' maybe chmod 0644 'cron.weekly/.placeholder' maybe chmod 0755 'cron.weekly/0anacron' maybe chmod 0755 'cron.weekly/man-db' +maybe chmod 0755 'cron.weekly/rkhunter' maybe chmod 0755 'cron.weekly/rsnapshot' maybe chmod 0755 'cron.weekly/update-notifier-common' maybe chmod 0644 'crontab' @@ -1277,9 +1282,11 @@ maybe chmod 0644 'default/ntp' maybe chmod 0644 'default/openvpn' maybe chmod 0644 'default/psad' maybe chmod 0644 'default/rcS' +maybe chmod 0644 'default/rkhunter' maybe chmod 0644 'default/rsync' maybe chmod 0644 'default/rsyslog' maybe chmod 0644 'default/saned' +maybe chmod 0644 'default/smartmontools' maybe chmod 0644 'default/speech-dispatcher' maybe chmod 0644 'default/ssh' maybe chmod 0644 'default/ufw' @@ -1554,6 +1561,8 @@ maybe chmod 0644 'gnome/menus.blacklist' maybe chmod 0755 'groff' maybe chmod 0644 'groff/man.local' maybe chmod 0644 'groff/mdoc.local' +maybe chmod 0755 'grokevt' +maybe chmod 0755 'grokevt/systems' maybe chmod 0644 'group' maybe chmod 0644 'group-' maybe chmod 0755 'grub.d' @@ -1581,6 +1590,8 @@ maybe chmod 0755 'gtk-3.0' maybe chmod 0644 'gtk-3.0/im-multipress.conf' maybe chmod 0755 'gtk-3.0/settings.ini' maybe chmod 0755 'guest-session' +maybe chmod 0755 'guymager' +maybe chmod 0644 'guymager/guymager.cfg' maybe chmod 0644 'hdparm.conf' maybe chmod 0644 'host.conf' maybe chmod 0644 'hostname' @@ -1670,6 +1681,7 @@ maybe chmod 0755 'init.d/screen-cleanup' maybe chmod 0755 'init.d/sendsigs' maybe chmod 0755 'init.d/single' maybe chmod 0644 'init.d/skeleton' +maybe chmod 0755 'init.d/smartmontools' maybe chmod 0755 'init.d/speech-dispatcher' maybe chmod 0755 'init.d/ssh' maybe chmod 0755 'init.d/thermald' 
@@ -1871,6 +1883,7 @@ maybe chmod 0644 'logcheck/ignore.d.paranoid/cracklib-runtime' maybe chmod 0755 'logcheck/ignore.d.server' maybe chmod 0644 'logcheck/ignore.d.server/gpg-agent' maybe chmod 0644 'logcheck/ignore.d.server/libsasl2-modules' +maybe chmod 0644 'logcheck/ignore.d.server/rkhunter' maybe chmod 0644 'logcheck/ignore.d.server/rsyslog' maybe chmod 0644 'login.defs' maybe chmod 0644 'logrotate.conf' @@ -1885,6 +1898,7 @@ maybe chmod 0644 'logrotate.d/lightdm' maybe chmod 0644 'logrotate.d/mongodb-server' maybe chmod 0644 'logrotate.d/pm-utils' maybe chmod 0644 'logrotate.d/ppp' +maybe chmod 0644 'logrotate.d/rkhunter' maybe chmod 0644 'logrotate.d/rsnapshot' maybe chmod 0644 'logrotate.d/rsyslog' maybe chmod 0644 'logrotate.d/speech-dispatcher' @@ -2333,6 +2347,7 @@ maybe chmod 0755 'resolvconf/update-libc.d/avahi-daemon' maybe chmod 0755 'resolvconf/update-libc.d/postfix' maybe chmod 0755 'resolvconf/update.d' maybe chmod 0755 'resolvconf/update.d/libc' +maybe chmod 0644 'rkhunter.conf' maybe chmod 0755 'rmt' maybe chmod 0644 'rpc' maybe chmod 0644 'rsnapshot.conf' @@ -2423,6 +2438,8 @@ maybe chmod 0644 'sane.d/umax.conf' maybe chmod 0644 'sane.d/umax1220u.conf' maybe chmod 0644 'sane.d/umax_pp.conf' maybe chmod 0644 'sane.d/xerox_mfp.conf' +maybe chmod 0755 'scalpel' +maybe chmod 0644 'scalpel/scalpel.conf' maybe chmod 0644 'screenrc' maybe chmod 0644 'securetty' maybe chmod 0755 'security' @@ -2463,6 +2480,12 @@ maybe chmod 0644 'skel/.bash_logout' maybe chmod 0644 'skel/.bashrc' maybe chmod 0644 'skel/.profile' maybe chmod 0644 'skel/examples.desktop' +maybe chmod 0644 'smartd.conf' +maybe chmod 0755 'smartmontools' +maybe chmod 0755 'smartmontools/run.d' +maybe chmod 0755 'smartmontools/run.d/10mail' +maybe chmod 0755 'smartmontools/run.d/10powersave-notify' +maybe chmod 0755 'smartmontools/smartd_warning.d' maybe chmod 0644 'smi.conf' maybe chmod 0755 'speech-dispatcher' maybe chmod 0755 'speech-dispatcher/clients' 
diff --git a/alternatives/futurize b/alternatives/futurize
new file mode 120000
index 0000000..0ec0a9c
--- /dev/null
+++ b/alternatives/futurize
@@ -0,0 +1 @@
+/usr/bin/python2-futurize
\ No newline at end of file
diff --git a/alternatives/mp3-decoder b/alternatives/mp3-decoder
new file mode 120000
index 0000000..551f036
--- /dev/null
+++ b/alternatives/mp3-decoder
@@ -0,0 +1 @@
+/usr/bin/mpg123.bin
\ No newline at end of file
diff --git a/alternatives/mp3-decoder.1.gz b/alternatives/mp3-decoder.1.gz
new file mode 120000
index 0000000..bebdf3e
--- /dev/null
+++ b/alternatives/mp3-decoder.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/mpg123.bin.1.gz
\ No newline at end of file
diff --git a/alternatives/mpg123 b/alternatives/mpg123
new file mode 120000
index 0000000..551f036
--- /dev/null
+++ b/alternatives/mpg123
@@ -0,0 +1 @@
+/usr/bin/mpg123.bin
\ No newline at end of file
diff --git a/alternatives/mpg123.1.gz b/alternatives/mpg123.1.gz
new file mode 120000
index 0000000..bebdf3e
--- /dev/null
+++ b/alternatives/mpg123.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/mpg123.bin.1.gz
\ No newline at end of file
diff --git a/alternatives/pasteurize b/alternatives/pasteurize
new file mode 120000
index 0000000..0d3dcda
--- /dev/null
+++ b/alternatives/pasteurize
@@ -0,0 +1 @@
+/usr/bin/python2-pasteurize
\ No newline at end of file
diff --git a/alternatives/pbr b/alternatives/pbr
new file mode 120000
index 0000000..a1a51d1
--- /dev/null
+++ b/alternatives/pbr
@@ -0,0 +1 @@
+/usr/bin/python2-pbr
\ No newline at end of file
diff --git a/apt/apt.conf.d/90rkhunter b/apt/apt.conf.d/90rkhunter
new file mode 100644
index 0000000..6835b03
--- /dev/null
+++ b/apt/apt.conf.d/90rkhunter
@@ -0,0 +1,2 @@
+// Makes sure that rkhunter file properties database is updated after each remove or install only APT_AUTOGEN is enabled
+DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ] && grep -qiE '^APT_AUTOGEN=.?(true|yes)' /etc/default/rkhunter; then /usr/share/rkhunter/scripts/rkhupd.sh; fi"; };
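Review bot: The comment on the first line of apt/apt.conf.d/90rkhunter is missing a word and reads as if the update were unconditional; it should say `// Makes sure that rkhunter file properties database is updated after each remove or install, but only if APT_AUTOGEN is enabled`. It is also worth stating in that comment what the hook trades away: rkhupd.sh re-baselines the file-properties database after every dpkg run, so once APT_AUTOGEN is enabled any property change that arrives through a package install or upgrade is accepted into the baseline without review, which buys fewer false positives from routine upgrades rather than stronger detection. Note that the grep only recognises an assignment at column 0 of /etc/default/rkhunter, so an indented or `export`-prefixed `APT_AUTOGEN=yes` is silently treated as disabled.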
diff --git a/cron.daily/rkhunter b/cron.daily/rkhunter
new file mode 100755
index 0000000..d32ceab
--- /dev/null
+++ b/cron.daily/rkhunter
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+RKHUNTER=/usr/bin/rkhunter
+
+test -x $RKHUNTER || exit 0
+
+# source our config
+. /etc/default/rkhunter
+
+if [ -z "$NICE" ]; then
+ NICE=0
+fi
+
+if [ -z "$RUN_CHECK_ON_BATTERY" ]; then
+ RUN_CHECK_ON_BATTERY="false"
+fi
+
+# Do not run daily check if running on battery except if explicitely allowed
+if [ -x /usr/bin/on_ac_power >/dev/null 2>&1 ]; then
+ on_ac_power >/dev/null 2>&1
+ [ $? -eq 1 -a "$RUN_CHECK_ON_BATTERY" != "true" ] && exit 0
+fi
+
+case "$CRON_DAILY_RUN" in
+ [YyTt]*)
+ OUTFILE=`mktemp` || exit 1
+ /usr/bin/nice -n $NICE $RKHUNTER --cronjob --report-warnings-only --appendlog > $OUTFILE
+ if [ -s "$OUTFILE" -a -n "$REPORT_EMAIL" ]; then
+ (
+ echo "Subject: [rkhunter] $(hostname) - Daily report"
+ echo "To: $REPORT_EMAIL"
+ echo ""
+ cat $OUTFILE
+ ) | /usr/sbin/sendmail $REPORT_EMAIL
+ fi
+ rm -f $OUTFILE
+ ;;
+ *)
+ exit 0
+ ;;
+esac
+
diff --git a/cron.weekly/rkhunter b/cron.weekly/rkhunter
new file mode 100755
index 0000000..6976920
--- /dev/null
+++ b/cron.weekly/rkhunter
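Review bot: `$OUTFILE` and `$REPORT_EMAIL` are expanded unquoted in the `> $OUTFILE` redirect, in `cat $OUTFILE`, `rm -f $OUTFILE` and the `sendmail` call, and the `-a` inside `[ ... ]` is the obsolescent form; both values come from a root-owned config file and mktemp, so nothing breaks today, but quoting costs nothing: `if [ -s "$OUTFILE" ] && [ -n "$REPORT_EMAIL" ]; then` and `) | /usr/sbin/sendmail "$REPORT_EMAIL"` (cron.weekly/rkhunter in the next hunk has the same unquoted expansions). The redirections in `if [ -x /usr/bin/on_ac_power >/dev/null 2>&1 ]` apply to the `[` builtin, not to on_ac_power, and do nothing; `if [ -x /usr/bin/on_ac_power ]; then` says what is meant. rkhunter's own exit status is never examined and only its stdout is captured, so a run that fails before emitting warnings leaves `$OUTFILE` empty and no report is mailed; the failure is visible only through cron's stderr mail, if that is configured on this host.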
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+RKHUNTER=/usr/bin/rkhunter
+
+test -x $RKHUNTER || exit 0
+
+# source our config
+. /etc/default/rkhunter
+
+case "$CRON_DB_UPDATE" in
+ [YyTt]*)
+
+ if [ ! -x /usr/bin/wget ] && [ ! -x /usr/bin/curl ] && [ ! -x /usr/bin/links ] && \
+ [ ! -x /usr/bin/elinks ] && [ ! -x /usr/bin/lynx ]; then
+ echo "No tool with which to download rkhunter updates was found on your system. Please install wget, curl, (e)links or lynx"
+ exit 1
+ fi
+
+ OUTFILE=`mktemp` || exit 1
+
+ case "$DB_UPDATE_EMAIL" in
+ [YyTt]*)
+ (
+ echo "Subject: [rkhunter] $(hostname) - Weekly database update"
+ echo "To: $REPORT_EMAIL"
+ echo ""
+ $RKHUNTER --versioncheck --nocolors --appendlog
+ $RKHUNTER --update --nocolors --appendlog
+ ) | /usr/sbin/sendmail $REPORT_EMAIL
+ ;;
+ *)
+ $RKHUNTER --versioncheck --appendlog 1>/dev/null 2>$OUTFILE
+ $RKHUNTER --update --appendlog 1>/dev/null 2>>$OUTFILE
+ ;;
+ esac
+
+ if [ -s "$OUTFILE" ]; then
+ (
+ echo "Subject: [rkhunter] $(hostname) - Weekly rkhunter database update"
+ echo "To: $REPORT_EMAIL"
+ echo ""
+ cat $OUTFILE
+ ) | /usr/sbin/sendmail $REPORT_EMAIL
+ fi
+ rm -f $OUTFILE
+ ;;
+
+ *)
+ exit 0
+ ;;
+esac
diff --git a/default/rkhunter b/default/rkhunter
new file mode 100644
index 0000000..78df211
--- /dev/null
+++ b/default/rkhunter
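Review bot: Neither `$RKHUNTER --versioncheck` nor `$RKHUNTER --update` has its exit status checked, so a failed database refresh (run as root, and presumably fetched over the network given the wget/curl/lynx check above) leaves the old data files in place; in the non-mail branch that is only reported if the tool also wrote something to stderr, and a stale signature database is precisely what this weekly job exists to prevent. Recording the status into the file the `-s "$OUTFILE"` test already mails would surface it, e.g. `$RKHUNTER --update --appendlog 1>/dev/null 2>>$OUTFILE || echo "rkhunter --update failed (exit $?)" >>$OUTFILE`, and likewise for the versioncheck line. Unlike cron.daily/rkhunter, this script pipes into `sendmail $REPORT_EMAIL` without testing `-n "$REPORT_EMAIL"`, so an emptied REPORT_EMAIL in /etc/default/rkhunter yields a sendmail call with no recipient. The "No tool with which to download" message goes to stdout rather than stderr before `exit 1`; `>&2` on that echo would keep it with the other diagnostics.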
@@ -0,0 +1,34 @@
+# Defaults for rkhunter automatic tasks
+# sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter
+#
+# This is a POSIX shell fragment
+#
+
+# Set this to yes to enable rkhunter daily runs
+# (default: false)
+CRON_DAILY_RUN=""
+
+# Set this to yes to enable rkhunter weekly database updates
+# (default: false)
+CRON_DB_UPDATE=""
+
+# Set this to yes to enable reports of weekly database updates
+# (default: false)
+DB_UPDATE_EMAIL="false"
+
+# Set this to the email address where reports and run output should be sent
+# (default: root)
+REPORT_EMAIL="root"
+
+# Set this to yes to enable automatic database updates
+# (default: false)
+APT_AUTOGEN="false"
+
+# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable)
+# (default: 0)
+NICE="0"
+
+# Should daily check be run when running on battery
+# powermgmt-base is required to detect if running on battery or on AC power
+# (default: false)
+RUN_CHECK_ON_BATTERY="false"
diff --git a/default/smartmontools b/default/smartmontools
new file mode 100644
index 0000000..6cbd289
--- /dev/null
+++ b/default/smartmontools
@@ -0,0 +1,12 @@
+# Defaults for smartmontools initscript (/etc/init.d/smartmontools)
+# This is a POSIX shell fragment
+
+# List of devices you want to explicitly enable S.M.A.R.T. for
+# Not needed (and not recommended) if the device is monitored by smartd
+#enable_smart="/dev/hda /dev/hdb"
+
+# uncomment to start smartd on system startup
+#start_smartd=yes
+
+# uncomment to pass additional options to smartd on startup
+#smartd_opts="--interval=1800"
diff --git a/guymager/guymager.cfg b/guymager/guymager.cfg
new file mode 100644
index 0000000..0f98dfd
--- /dev/null
+++ b/guymager/guymager.cfg
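Review bot: As committed, rkhunter is installed but inert: `CRON_DAILY_RUN=""` and `CRON_DB_UPDATE=""` mean the `[YyTt]*` branches in cron.daily/rkhunter and cron.weekly/rkhunter never run, and `APT_AUTOGEN="false"` keeps the apt hook idle, so nothing scans this host or refreshes the rkhunter data files until someone edits default/rkhunter. If an active check is the intent, the two lines to change are `CRON_DAILY_RUN="yes"` and `CRON_DB_UPDATE="yes"`, and etckeeper will then record them as a deliberate local change rather than a package default. Reports are addressed to `REPORT_EMAIL="root"` via /usr/sbin/sendmail, which only reaches anyone if local mail delivery works on this machine — worth confirming before relying on the daily report. The comment "Set this to yes to enable automatic database updates" above APT_AUTOGEN is easy to confuse with CRON_DB_UPDATE; from the apt hook in this commit it appears to drive the file-properties baseline refresh, so the comment could say so explicitly.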
@@ -0,0 +1,993 @@ +REM **************************************************************************** +REM Project: GUYMAGER +REM **************************************************************************** +REM Programmer: Guy Voncken +REM Police Grand-Ducale +REM Service de Police Judiciaire +REM Section Nouvelles Technologies +REM **************************************************************************** +REM Main configuration file +REM **************************************************************************** + +REM Copyright 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 +REM Guy Voncken +REM +REM This file is part of Guymager. +REM +REM Guymager is free software: you can redistribute it and/or modify +REM it under the terms of the GNU General Public License as published by +REM the Free Software Foundation, either version 2 of the License, or +REM (at your option) any later version. +REM +REM Guymager is distributed in the hope that it will be useful, +REM but WITHOUT ANY WARRANTY; without even the implied warranty of +REM MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +REM GNU General Public License for more details. +REM +REM You should have received a copy of the GNU General Public License +REM along with Guymager. If not, see . + + +REM ATTENTION +REM --------- +REM Do not edit this file; put all your changes into /etc/guymager/local.cfg instead! +REM See the notes at the end of this file. + +SECTION GUYMAGER + +REM How this configuration file works +REM --------------------------------- + + +REM Guymager user interface +REM ----------------------- +REM +REM The parameter Language contains the language code (for example 'de', 'fr', 'en'). If Guymager doesn't +REM find the corresponding language file it switches to english instead. Contact the author of Guymager if +REM your language is missing. The language files are named guymager_xx.qm, where xx is the language code. 
+REM If you installed a Debian package, they can be found in directory /usr/share/guymager. +REM Set the parameter Language to AUTO in order to detect the language in use on your system automatically. +REM +REM CheckRootRights decides whether or not Guymager shows the user a warning dialog when starting it without +REM root rights. +REM +REM The StartupXxx parameters configure the position and size of the main guymager window at startup. +REM StartupSize can be set to one of the following: +REM STANDARD Let the X-Window manager choose what it thinks is best +REM MAXIMISED or MAXIMIZED Maximum size +REM FULLSCREEN Maximum size and take away the title bar +REM MANUAL Use the values specified for StartupSizeManualX, StartupSizeManualY, +REM StartupSizeManualDx and StartupSizeManualDy. +REM The final result always slightly depends on the X-Window manager in use. For instance, there might be +REM window managers that can't distinguish MAXIMISED and FULLSCREEN. +REM +REM The dialog that appears when chooosing the image destination path can be adjusted in a similar way by +REM of the parameters FileDialogSize, FileDialogSizeManualDx, FileDialogSizeManualDy. Unfortunately, this +REM only works when using the alternative file dialog, not the Qt file dialog (see UseFileDialogFromQt +REM below). +REM +REM NumberStyle influences the way how numbers are displayed in guymager. There 3 possible values: +REM Locale Use the value of the system LOCALE to determine the format (set the LANG environment +REM correctly). +REM DecimalComma The format would look like 78.234,56 (normal format) +REM DecimalPoint The format would look like 78,234.56 (unusual american format) +REM Remark: Using Locale, more differences are possible. Thus, with the environment variable LANG set to +REM fr_FR, the number would be displayed as 78 234,56 (space as thousands separator). 
Setting NumberStyle +REM to something else than Locale is not recommended (you may use it if you are too lazy to set up your +REM LANG variable correctly). +REM +REM ScreenRefreshInterval [ms] Some screen fields (speed, remaining time, ...) are refreshed regularly. +REM ScreenRefreshInterval specifies how often this should occur. +REM +REM UseFileDialogFromQt When set to Yes, guymager uses the standard Qt file/directory selection dialogs. +REM There once was a Qt version with a bug in its dialog and an alternative dialog +REM was quickly added to guymager. The bug should have gone by now and this +REM configuration parameter should be set to Yes (the Qt dialogs are better then +REM the alternative programmed by the author of guymager). +REM Adjusting the dialog size (see configuration parameters FileDialogSize, +REM FileDialogSizeManualDx and FileDialogSizeManualDy) only works with the +REM alternative dialog. +REM +REM WarnAboutImageSize Check if image would fit uncompressed to the destination at the moment where +REM the acquisition is started. If not, show a warning. +REM +REM WarnAboutSegmentFileCount Check if the number of segment files would exceed 14972 if the data was stored +REM uncompressed in EWF format. If yes, show a warning. Remark: The 14972th segment +REM would have the file extension ZZZ and thus, more than 14972 segments may lead to +REM problems as there is no clear standard for EWF file names. +REM +REM AutoExit This parameter controls the default setting of the menu point "Misc/Exit" after +REM all acquisitions have completed. +REM +REM AutoExitCountdown = 60 If the autoexit feature becomes active (i.e. the menu flag is set and the acquisitions +REM end), a popup appears with a countdown. AutoExitCountdown allows to set start value +REM of the countdown (in seconds). 
+ +Language='auto' +CheckRootRights=yes + +StartupSize = MANUAL +StartupSizeManualX = 130 +StartupSizeManualY = 250 +StartupSizeManualDx = 1000 +StartupSizeManualDy = 500 + +FileDialogSize = MANUAL +FileDialogSizeManualDx = 800 +FileDialogSizeManualDy = 500 + +NumberStyle=Locale + +ScreenRefreshInterval = 1500 + +UseFileDialogFromQt = Yes + +WarnAboutImageSize = Yes +WarnAboutSegmentFileCount = Yes + +AutoExit = Off +AutoExitCountdown = 60 + +REM Table Fonts +REM The font configuration table allows chosing own fonts for different GUI elements of Guymager. The left +REM most column of the table below specifies the object. It may be one of the following: +REM Menu The main Guymager menus, its submenus as well as the table popup menu. +REM Toolbar The toolbar just below the menu bar. +REM Table The main Guymager table and the table shown in the clone dialog. +REM InfoField The information field in the lower part of the Guymager window. +REM AcquisitionDialogs The dialogs for normally acquiting and cloning devices. +REM MessageDialogs Other message dialogs. +REM DialogData Dialogs with data areas (such as the device info dialog) use this font for +REM their data area. A monospaced font should be used, for example 'Courier' or +REM 'Ubuntu Mono'. All other parts of the dialog are using the font specified +REM under MessageDialogs. +REM The remaining table columns specify the font to use (Family, Size, Weight and Italic). Column 'Italic' +REM may contain YES or NO. Weight is a number between 0 and 100. The following weights are copied from +REM the Qt documentation: +REM Light 25 +REM Normal 50 +REM DemiBold 63 +REM Bold 75 +REM Black 87 +REM In order to use the default system font comment out the correspdong line or indicate an empty +REM family name. 
+ +TABLE Fonts None + REM Object Family Size Weight Italic + REM --------------- -------------------------------------------- +REM Menu 'Arial' 8 75 no +REM Toolbar 'Arial' 8 75 no +REM Table 'Arial' 8 75 no +REM InfoField 'Arial' 8 75 no +REM AcquisitionDialogs 'Arial' 8 75 no +REM MessageDialogs 'Arial' 8 75 no +REM DialogData 'Courier' 8 50 no +ENDTABLE + + +REM Table Columns +REM This table controls the columns that are to be shown in the main Guymager table as well as in the clone +REM dialog. The table reflects the column order, i.e. the top most column in the configuration table is shown +REM as the first one left in the GUI. Columns may also be repeated in order to have them displayed more +REM than once. +REM ColumnName The column name reference. This may be one of the following: SerialNr, LinuxDevice, +REM Model, NativePath, ByPath, Interface, State, AdditionalStateInfo, Size, HiddenAreas, +REM BadSectors, Progress, AverageSpeed, TimeRemaining, FifoUsage, SectorSizeLog, SectorSizePhys, +REM CurrentSpeed, Examiner and UserField. See below for further details on column UserField. +REM Alignment Alignment inside the table cell: LEFT, RIGHT or CENTER. +REM MinWidth On startup, Guymager gives every column the size it needs for showing its contents. But +REM certain columns change their content length while Guymager is running. As it might be +REM annoying to enlarge the corresponding column manually everytime its text gets longer, +REM this parameter allows for setting a bigger intial width than the one used normally. +REM Set to 0 for default width. +REM ShowInMainTable Decides whether the column should be shown in the main table; set to ON or OFF. +REM ShowInCloneTable Decides whether the column should be shown in the clone dialog table; set to ON or OFF. +REM Eventhough each one of the columns might be set to ON, there's no sense in switching on +REM columns like CurrentSpeed, for example, as the clone dialog is not updated dynamically. 
+REM +REM The purpose of the special column UserField is to provide the user with a field for its own remarks. For +REM example, some people use Guymager in machines connected to disk racks. They take UserField for entering the +REM disk slot number in order to have a better overview. The column name may be configured to any string: +REM +REM UserFieldName Specify the name that should be displayed for the UserField column. If the string is left +REM empty, the column's name simply is 'UserField'. +REM +REM AdditionalStateInfoName Similar to UserFieldName, this parameter allows for changing the name of the +REM column AdditionalStateInfo. Leave it empty for the default name. + +TABLE Columns None + REM ColumnName Alignment MinWidth ShowIn ShowIn + REM MainTable CloneTable + REM ------------------------------------------------------------------------------ + 'SerialNr' LEFT 0 YES YES + 'LinuxDevice' LEFT 0 YES YES + 'Model' LEFT 0 YES YES + 'NativePath' LEFT 0 NO NO + 'ByPath' LEFT 0 NO NO + 'Interface' LEFT 0 NO NO + 'State' LEFT 200 YES NO + 'AdditionalStateInfo' LEFT 0 NO NO + 'Size' RIGHT 0 YES YES + 'HiddenAreas' RIGHT 0 YES NO + 'BadSectors' RIGHT 0 YES NO + 'Progress' LEFT 0 YES NO + 'AverageSpeed' RIGHT 0 YES NO + 'TimeRemaining' CENTER 0 YES NO + 'FifoUsage' LEFT 0 YES NO + 'SectorSizeLog' LEFT 0 NO NO + 'SectorSizePhys' LEFT 0 NO NO + 'CurrentSpeed' LEFT 0 NO NO + 'UserField' LEFT 0 NO NO + 'Examiner' LEFT 0 NO NO +ENDTABLE + +UserFieldName = '' +AdditionalStateInfoName = '' + +REM Table Colors +REM The table contains color settings for different items on the screen: +REM LocalDevices Color to be used for marking local devices (i.e. devices with serial numbers found in +REM configuration table LocalDevices, see above) in the user interface. The whole row gets +REM this color. +REM AdditionalStateX (where X is a number) Devices maybe marked by this color depending on the values in +REM the additional state info. 
See description of configuration parameter +REM CommandGetAddStateInfo for more information. +REM +REM All other entries refer to the colored dot of the acquisition state field for reflecting the current state: +REM StateIdle Nothing has been done with this device yet. +REM StateAcquire Acquisition running +REM StateAcquirePaused Acquisition interrupted (device cannot be accessed any longer) +REM StateVerify Verfication running +REM StateVerifyPaused Verfication interrupted (device cannot be accessed any longer) +REM StateCleanup Acquisition has been aborted by user and Guymager is removing partial files +REM StateFinished Finished successfully +REM StateFinishedBadVerify Finished, but the MD5 check while re-reading the source after acquisition failed. +REM This state only can occur if MD5 verification was switched on in the acquisition dialog. +REM StateAbortedUser Acquisition or verification aborted by user. Not an error, as it is the user's wish. +REM StateAbortedOther Acquisition or verification aborted for some other reason (for instance, if writing to +REM the destination fails). This is an error. + +TABLE Colors None + REM Color R G B + REM ---------------------------------------- + LocalDevices 255 197 189 + AdditionalState1 186 255 174 + AdditionalState2 255 254 137 + AdditionalState3 255 213 66 + AdditionalState4 255 126 126 + StateIdle 255 255 255 + StateQueued 186 206 253 + StateAcquire 15 73 205 + StateAcquirePaused 255 150 0 + StateVerify 78 132 255 + StateVerifyPaused 255 150 0 + StateCleanup 228 0 255 + StateFinished 54 255 0 + StateFinishedBadVerify 255 30 0 + StateFinishedDuplicateFailed 255 234 0 + StateAbortedUser 255 255 255 + StateAbortedOther 255 30 0 +ENDTABLE + + +REM Image creation +REM -------------- +REM +REM EwfFormat The EWF format (alias E01 format) differs depending on which software created +REM it. With this parameter, you can control which style guymager should follow. 
+REM Possible values are: Encase1, Encase2, Encase3, Encase4, Encase5, Encase6, Smart, +REM FTK, Linen5, Linen6 and Guymager. See libewf for more information. +REM When chosing "Guymager", the program uses its own EWF generation functions, which +REM require only very little RAM and still are as fast as libewf. With any other setting, +REM the program uses libewf i order to create the EWF images. +REM Select Guymager or Encase6 in order to be able to produce segment files bigger than 2GiB. +REM +REM EwfCompression The compression level for EWF images. Possible values are: +REM None No compression at all, images become very big. Not recommended. +REM Empty With this setting, Guymager does no compression, except if a block contains +REM zero bytes only. Such blocks are replaced by their compressed equivalent. +REM Optimal settings for slow systems. +REM Fast Fast Z compression. Optimal setting for most imagers. +REM Best Best Z compression. Images normally become slightly smaller than +REM with setting "Fast", but CPU load grows heavily. Not recommended. +REM +REM EwfCompressionThreshold This threshold indicates a minimal compression ratio that must be achieved or else the +REM data is stored uncompressed. The default value is 0.999 which means, that a chunk will +REM be stored compressed if the compressed data is less than 99.9% in size of the original +REM data. This parameter has been added to avoid mmessages about "inefficiency" in XWF. +REM +REM EwfNaming EWF images are subdivided into segments, starting with extension E01 for the first +REM segment. Subsequent segments get the filename extension E02-E99, then EAA-EZZ, then +REM FAA-ZZZ. After that, it is unclear how to continue (there is no clear standard for the +REM EWF file naming). +REM Guymager supports two ways for naming segments beyond ZZZ: +REM Old Continue with ZZZxxx, where xxx represents characters from 000 to ZZZ in base36 +REM notation (i.e. 0-9 and A-Z). 
After that, it would continue with ZZZxxxx and so on.
+REM Guymager version <= 0.6.9 used this naming scheme.
+REM FTK After ZZZ follows E14972, E14973 and so on. This naming system is the default for
+REM Guymager version 0.6.10 and later.
+REM Attention: This parameter only has effect if EwfFormat is set to Guymager.
+REM
+REM AffEnabled Simson Garfinkel, the inventor of the AFF format, recommends not to use AFF any longer.
+REM Therefore, this switch has been introduced and it is 'false' by default. You might use EWF
+REM instead.
+REM Switch AffEnabled on in case you need to generate AFF images.
+REM
+REM AffCompression The compression level for AFF images. Valid range: 1 - 9. A value of 1 results in a
+REM fast, minimal compression and 9 in a slow, high compression.
+REM See aff documentation for more information.
+REM
+REM AffMarkBadSectors Aff supports a possibility for marking bad sectors. If this parameter is enabled and
+REM a bad sector is encountered, then the bad sector is written with a special content to
+REM the image ("BAD SECTOR\0" followed by 501 random bytes). If this parameter is disabled,
+REM then bad sectors are replaced by 512 zero bytes.
+REM This parameter only influences images in AFF format.
+REM
+REM SpecialFilenameChars By default, guymager only allows the characters a-z, A-Z, 0-9 and _ to figure
+REM in the image filenames. If you wannt to allow special chars and you are sure
+REM that your destination file system can handle them, you might add them to
+REM the parameter SpecialFilenameChars. Example: SpecialFilenameChars = '.- '
+REM would allow you to use the characters . and - as well as spaces.
+REM
+REM CalcImageFileMD5 Switch the parameter on in order to have Guymager calculate the MD5 hashes of the image
+REM file(s). The calculation is done over the whole file(s), not just the contents.
+REM NOTE: The MD5 hashes are calculated during image verification and therefore, it only
+REM is done if the checkbox for image verification is set in the acquisition dialog window.
+REM Switching this parameter on is interesting for checking the individual files of an image.
+REM
+REM The Guymager info file can be passed directly to md5sum for image file verfication. In case
+REM you want to do so, please observe one detail: The info file uses CR/LF for beginning a new
+REM line (the reason is that many Windows applications fail badly when using the LF standard).
+REM Therefore, do not use md5sum -c myimage.info but one of the following commands:
+REM cat myimage.info | tr -d '\r' | md5sum -c
+REM or
+REM cat myimage.info | dos2unix | md5sum -c
+REM Both do the same: Eliminate the DOS-CR and pass the rest to the md5sum command. You
+REM may ignore md5sum's warnings about improperly formatted lines (these are simply the all
+REM the other text lines found in the info file).
+REM
+REM DuplicateImage Enable Guymager to produce duplicate images, i.e. generate two identical images during
+REM an acquisition. When switched on, the acquisition dialog has an additional button named
+REM "Duplicate image...".
+REM Switch this parameter off if you always want to do single images.
+REM
+REM DirectoryFieldEditing The destination directory for images and info files normally is selected by mouse by means
+REM of a dialog and the directory field is not directy editable. This is the safest way as it
+REM ensures that you never a select a non-existent directory.
+REM Switch this parameter on if you like to be able to directly type the directory path into
+REM the corresponding field. This might be a faster solution for people who know their
+REM directories by heart. At the same time it's less safe in case of typos.
+REM If ever you enter a non-existent directory then Guymager by default asks if you would like
+REM to create it (see parameter ConfirmDirectoryCreation).
+REM
+REM AllowPathInFilename The parameter is switched off by default and entering parts of the path in the filename field
+REM is forbidden. In case you think in relative paths it might be interesting to switch this
+REM parameter on and thus allow entering parts of the path together with the filename.
+REM Example: You set the directory field to "/mycases/case_0815/images" and enter the filename
+REM "JohnDoe/Laptop". The image/info files would then be stored under
+REM "/mycases/case_0815/images/JohnDoe/Laptop.xxx".
+REM
+REM ConfirmDirectoryCreation If ever the entered destination directory does not exist, Guymager tries to create it. If
+REM this parameter is switched on then Guymager only does so after asking the user. When set to
+REM 'off' it automatically creates the directories without asking.
+REM Attention: Setting this parameters to 'off' might lead to uncontrolled directory creation in
+REM case of typing errors.
+REM Normally, this parameter only has an effect if DirectoryFieldEditing or AllowPathInFilename
+REM are switched on. Otherwise, the destination directory should always exist as it has been selected
+REM by the file selection dialog and thus doesn't need to be created (except in the unlikely case
+REM where the directory had been deleted in the meantime).
+REM
+REM AvoidEncaseProblems Encase produces strange error messages if the EWF internal fields "Imager Version" and
+REM "OS Version" contain more than 11 or 23 characters, respectively. Leave this flag OFF
+REM if you don't work with Encase (default setting). Set it to ON if ever you work with
+REM Encase and want to avoid the Encase problems.
+REM
+REM AvoidCifsProblems Some NAS systems have problems for closing files (function fclose) when running under heavy
+REM load (i.e., running several acquisitions in parallel, for example). This may result in
+REM acquisitions aborting with errors. The problem only has been observed on systems attached via
+REM Cifs/Samba so far.
NFS systems seem to run fine. When switching parameter AvoidCifsProblems
+REM on, Guymager flushes and synchronizes buffers before closing image files. The thus can be
+REM avoided. The downside is a performance loss, which can be reduced by choosing a large image
+REM file segment size.
+
+EwfFormat = Guymager
+EwfCompression = FAST
+EwfCompressionThreshold = 0.999
+EwfNaming = FTK
+AffEnabled = false
+AffCompression = 1
+AffMarkBadSectors = TRUE
+SpecialFilenameChars = ''
+CalcImageFileMD5 = off
+DuplicateImage = on
+DirectoryFieldEditing = off
+AllowPathInFilename = off
+ConfirmDirectoryCreation = on
+
+AvoidEncaseProblems = off
+AvoidCifsProblems = off
+
+REM Acquisition dialog
+REM ------------------
+
+REM DefaultFormat This parameter decides, which forensic format should be chosen by default for the
+REM first acquisition after starting Guymager. For subsequent acquisitions, the format
+REM of the previous acquisition will be selected by default.
+REM Possible values are DD, AFF and EWF.
+
+DefaultFormat = EWF
+
+REM InfoFieldsForDd The dd format has no possibility for storing meta information about an image. Hence, the
+REM fields examiner, notes, etc. usually are greyed out in the acquisition dialog when selecting
+REM dd format. By switching on this parameter, those entry fields become available for dd images
+REM also. The strings entered will then be written to the info file.
+
+InfoFieldsForDd = disabled
+
+REM The parameters below all refer to the acquisition dialog entry fields. Let us explain the different
+REM fields first. There are 2 fields related to image file fragmentation:
+REM SplitFileSwitch Decides whether the image file fragmentation is on or off. For EWF images, it
+REM is always on and for AFF images always off. For DD images, the user may choose
+REM himself.
+REM SplitFileSize The max. size of the fragments (sometimes called segments) in MiB. The maximum
+REM value for EWF images is 2047.
+REM 2047 is a good choice.
For EWF images, the number of files will be reduced to
+REM the minimum. For DD images, the fragments stay below the FAT limitation (2GiB).
+
+REM There are 5 fields defined by the EWF file format, their names are self-explaining:
+REM EwfCaseNumber
+REM EwfEvidenceNumber
+REM EwfExaminer
+REM EwfDescription
+REM EwfNotes
+REM Guymager uses these fields when choosing the EWF or the AFF format. When choosing the dd format, they
+REM are of no use and decativated.
+REM
+REM There are 4 other important entry fields in the acquisition dialog:
+REM DestImageDirectory The directory that will be used for storing the image files
+REM DestInfoDirectory The directory that will be used for storing the info file
+REM DestImageFilename The filename of the image files (without the extension)
+REM DestInfoFilename The filename of the info file (without the extension)
+REM
+REM Finally, there are some checkboxes in the acquisition dialog that are controlled by the following
+REM entry fields:
+REM HashCalcMD5 The checkbox for MD5 hash
+REM HashCalcSHA1 The checkbox for SHA-1 hash
+REM HashCalcSHA256 The checkbox for SHA-256 hash
+REM HashVerifySrc The checkbox for the source verification (re-read source and chek if it
+REM returns the same data than during acquisition)
+REM HashVerifyDst The checkbox for the imager verification (read and check the image after
+REM the acquisition has been done)
+REM
+REM For each one of these fields, there is an entry in configuration table DlgAcquireField. It has the
+REM following structure:
+REM FieldName The name of the field, as indicated above
+REM
+REM EntryMode Determine the bevahiour of each field; the following entry modes are available:
+REM Hide The corresponding field is not shown in the acquisition dialog.
+REM Nevertheless, it exists and it is always set to its default value
+REM (see below). This mode useful if a certain EWF field always should
+REM be filled in with the same standard value.
+REM
+REM ShowDefault The field is visible in the acquisiton dialog and it is automatically
+REM filled in with the default value.
+REM
+REM ShowLast The field is shown in the acquisiton dialog. When the acquisition
+REM dialog is opened for the first time after guymager startup, the field
+REM is filled in with the default value. On subsequent acquisition dialog
+REM appearances, the field contains the value entered previously (which
+REM may still be the default value, if it was not edited).
+REM
+REM DefaultValue The default value for the field. It may contain any text you like (for the checkboxes: See
+REM below). Guymager knows several special sequences, that will be replaced automatically.
+REM See "Special Tokens" below.
+REM
+REM Checkboxes: Simply put '1' if you want to have the checkbox enabled or '0' for having it
+REM disabled. Attention: Putting other values may lead to unpredictable results.
+REM
+REM Note that each and every field must be contained exactely once in the configuration table DlgAcquireField.
+REM
+REM *** Example A ***
+REM TABLE DlgAcquireField NoName
+REM REM Field Entry Default
+REM REM name mode value
+REM REM -------------------------------------------------------------------------
+REM ...
+REM 'EwfNotes' Hide 'Acquisition done by guymager %version%'
+REM ...
+REM ENDTABLE
+REM The field EwfNotes would not be shown in the acquisition dialog. As it has a default value, it would always
+REM be initialised with that string. The special sequence %version% would be replaced and the string written to
+REM the EWF image files would be sometheing like 'Acquisition done by guymager 0.3.1'
+REM
+REM *** Example B **
+REM TABLE DlgAcquireField NoName
+REM REM Field Entry Default
+REM REM name mode value
+REM REM -------------------------------------------------------------------------
+REM ...
+REM 'EwfExaminer' Show 'Marc Murrsky acquired it on %d%. %MMMM% %yyyy%'
+REM ...
+REM ENDTABLE
+REM With this setting, the acquisition dialog would open up with the examiner field preset to
+REM something similar to 'Marc Murrsky acquired it on 5. December 2007'
+
+TABLE DlgAcquireField NoName
+ REM Field Entry mode Entry mode Default
+ REM name image clone value
+ REM ------------------------------------------------------------------------------------
+ 'SplitFileSwitch' ShowLast Hide '1'
+ 'SplitFileSize' ShowLast Hide '2047'
+ 'SplitFileUnit' ShowLast Hide 'MiB'
+ 'EwfCaseNumber' ShowLast Hide ''
+ 'EwfEvidenceNumber' ShowDefault Hide ''
+ 'EwfExaminer' ShowLast Hide ''
+ 'EwfDescription' ShowDefault Hide ''
+ 'EwfNotes' ShowDefault Hide '%serial%'
+ 'UserField' Hide Hide ''
+ 'DestImageDirectory' ShowLast Hide ''
+ 'DestInfoDirectory' Hide ShowLast ''
+ 'DestImageFilename' ShowDefault Hide ''
+ 'DestInfoFilename' ShowDefault ShowDefault ''
+ 'HashCalcMD5' ShowLast ShowLast '1'
+ 'HashCalcSHA1' ShowLast ShowLast '0'
+ 'HashCalcSHA256' ShowLast ShowLast '0'
+ 'HashVerifySrc' ShowLast ShowLast '0'
+ 'HashVerifyDst' ShowLast ShowLast '1'
+ENDTABLE
+
+
+REM There is a another configuration table, DlgAcquireRule, which allows to copy the contents of some
+REM fields automatically to others while typing. The entries in this table are processed one after the
+REM other everytime you hit a key in any of the 8 fields.
+REM
+REM TriggerFieldName The trigger field is field where the action happens (i.e. which has the focus
+REM while you are typing). If the trigger field name doesn't match, the the line
+REM is ignored. If it matches, we have a trigger and Guymager does what the rest
+REM of the line says.
+REM
+REM DestinationFieldName On trigger, this field will be filled in with the value indicated in column
+REM Value.
+REM
+REM Value The string to be written to the field DestinationFieldName if there's a trigger.
+REM The value may contain the same special sequences than the ones described
+REM above.
Additionally, there are special sequences for referring to other fields.
+REM These are constructed by putting the field name between two percent signs (for
+REM example '%EwfNotes%')
+REM
+REM *** Example A ***
+REM The info filename should always be the same than the image filename, i.e. when typing in the field
+REM for the image filename, the contents should automatically be copied to the field for the info
+REM filename:
+REM TABLE DlgAcquireRule NoName
+REM REM Trigger Destination Value
+REM REM field name field name
+REM REM ----------------------------------------------------------------------
+REM 'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%'
+REM ENDTABLE
+REM Read the entry like this: Everytime a key in DestImageFilename is hit, refresh DestInfoFilename with the
+REM value %DestImageFilename%, which would be interpreted as a special sequence and corresponds to the
+REM contents of DestImageFilename.
+REM It still would be possible to edit the info filename separately and thus different image and info
+REM filenames.
+REM
+REM *** Example B ***
+REM Like example A, but do the same when editing te info filename; when typing in it, the image filename
+REM should be changed to the new name typed for the info file:
+REM TABLE DlgAcquireRule NoName
+REM REM Trigger Destination Value
+REM REM field name field name
+REM REM ---------------------------------------------------------------------
+REM 'DestInfoFilename' 'DestImageFilename' '%DestImageFilename%'
+REM ENDTABLE
+REM
+REM *** Example C ***
+REM Set the info field to the examiner name, the case name plus the date:
+REM TABLE DlgAcquireRule NoName
+REM REM Trigger Destination Value
+REM REM field name field name
+REM REM ----------------------------------------------------------------------------------------------
+REM 'EwfExaminer' 'EwfNotes' 'Acquired by %EwfExaminer for case %EwfCaseNumber% on %d%.%MM%.%yyyy%'
+REM 'EwfCaseNumber' 'EwfNotes' 'Acquired by %EwfExaminer for case %EwfCaseNumber% on %d%.%MM%.%yyyy%'
+REM ENDTABLE
+REM Note that we have to enter the same value twice here, as we have 2 triggers.
+
+TABLE DlgAcquireRule NoName
+ REM Trigger Destination Value
+ REM field name field name
+ REM ----------------------------------------------------------------------
+ 'DestImageDirectory' 'DestInfoDirectory' '%DestImageDirectory%'
+ 'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%'
+ENDTABLE
+
+
+REM Special tokens
+REM --------------
+
+REM Guymager uses special tokens whenever text needs to replaced automatically according to the user's instructions.
+REM Currently, these tokens are used in the configuration tables DlgAcquireRule and DlgAcquireField, RunStats module
+REM and configuration parameter CommandAcquisitionEnd.
+
+REM Date and time tokens
+REM %d% the day as a number without a leading zero (1 to 31)
+REM %dd% the day as a number with a leading zero (01 to 31)
+REM %ddd% the abbreviated localized day name (e.g. 'Mon' to 'Sun')
+REM %dddd% the long localized day name (e.g.
'Monday' to 'Sunday')
+REM %M% the month as a number without a leading zero (1-12)
+REM %MM% the month as a number with a leading zero (01-12)
+REM %MMM% the abbreviated localized month name (e.g. 'Jan' to 'Dec')
+REM %MMMM% the long localized month name (e.g. 'January' to 'December')
+REM %yy% the year as two digit number (00-99)
+REM %yyyy% the year as four digit number
+REM
+REM %h% the hour without a leading zero (0 to 23 or 1 to 12 if AM/PM display)
+REM %hh% the hour with a leading zero (00 to 23 or 01 to 12 if AM/PM display)
+REM %m% the minute without a leading zero (0 to 59)
+REM %mm% the minute with a leading zero (00 to 59)
+REM %s% the second without a leading zero (0 to 59)
+REM %ss% the second with a leading zero (00 to 59)
+REM %z% the milliseconds without leading zeroes (0 to 999)
+REM %zzz% the milliseconds with leading zeroes (000 to 999)
+REM %AP% use AM/PM display. %AP% will be replaced by either "AM" or "PM".
+REM %ap% use am/pm display. %ap% will be replaced by either "am" or "pm".
+REM Remark: The date/time tokens have been copied from Trolltech's Qt documentation.
+REM
+REM Static tokens
+REM %Version% Guymager software version
+REM %MacAddr% MAC address of the 1st ethernet card found
+REM %HostName% Computer's host name
+REM
+REM Device / acquisition related tokens
+REM %Dev% Device, for example /dev/sdf
+REM %Size% Device size in bytes
+REM %SizeHuman% Device size in human readable format (e.g.
'247G', '32M')
+REM %SizeHumanNoSep% Like %SizeHuman%, but wihtout thousands separator
+REM %State% The acquisition state
+REM %ExtendedState% The acquisition state as shwon in the main GUI
+REM %Serial% Serial number of the device
+REM %Model% Device model
+REM %LocalDevice% Device is part of the local PC, value is YES or NO (see configutaion table LocalDevices)
+REM %CurrentSpeed% Current speed, unit MB/s
+REM %AverageSpeed% Average speed, unit MB/s
+REM %Progress% Progress, unit %
+REM %TimeRemaining% Estimated time remaining to accomplish acquisition (format hh:mm:ss)
+REM %BadSectors% Number of bad sectors
+REM %HiddenAreas% The information about hidden areas as shown in the GUI
+REM %SplitFileSize% File size of image fragmnets
+REM %VerifySrc% Verify source, value is YES or NO
+REM %CalcMD5% MD5 calculation enabled, value is YES or NO
+REM %CalcSHA1% SHA1 calculation enabled, value is YES or NO
+REM %CalcSHA256% SHA256 calculation enabled, value is YES or NO
+REM %Clone% Device is cloned, MD5 value is YES or NO
+REM %Duplicate% A duplicate image is written, value is YES or NO
+REM %UserField% Contents of the user field
+REM %AddStateInfo% Additional state information
+REM The following tokens are related to the acquisition dialog input fields. They all exist a second time with a "2"
+REM appended, for example "%CaseNumber%" and "%CaseNumber2%". The second one only is set if %Duplicate% is YES. It's empty
+REM otherwise.
+REM %CaseNumber% Case number \
+REM %Examiner% Examiner | as entered in the
+REM %EvidenceNumber% Evidence number | corresponding field
+REM %Description% Description | of the acqusition dialog
+REM %Notes% Notes /
+REM %Image% Path and file name of image
+REM %InfoFile% Path and file name of .info file
+REM %VerifyDst% Verify image, value is YES or NO
+REM
+REM Not all tokens are meaningful in every position.
For example, there's no sense in specifying token %Progress%
+REM in configuration table DlgAcquireRule, as the acquisition is not even started yet when the acquisition dialog
+REM is shown.
+REM
+REM The special token %DEVICE_BLOCK% only can be used for the Runstats module. See the description of the RunStats
+REM module below.
+
+
+REM Guymager internals
+REM ------------------
+REM
+REM Device list scanning
+REM --------------------
+REM DeviceScanMethod Guymager knows 3 methods for getting the list of the available memory devices: The old one,
+REM that uses libparted, the new one that uses DBUS/HAL and the even newer one that uses
+REM DeviceKit-Disks. Select your method by setting this parameter to:
+REM
+REM libudev The newest method (recommended for Ubuntu >= 15.10). See remarks for
+REM UDisks below.
+REM
+REM DBusDevKit or UDisks Recommended for 9.04 <= Ubuntu <= 15.04. You need a Linux system
+REM supporting UDisks for this setting. In older versions, UDisks was named
+REM DeviceKit (in Ubuntu 9.04 and 9.10 for instance). From guymager's point
+REM view, UDisks and DeviceKit are both the same. Newer distributions switched
+REM from UDisks to UDisks2, but UDisks2 is incompatible and unusable. Guymager
+REM therefore should be run with libudev on those systems.
+REM
+REM DBusHAL Use the previous method (recommended for systems like Ubuntu 8.10).
+REM
+REM libparted Use the old method. It was observed that the internal scan function hung
+REM while an acquisition was running. This leads to the problem that the devices
+REM shown in guymager possibly cannot be updated while an acquisition is running.
+REM When using this method, the command specified in configuration parameter
+REM CommandGetSerialNumber (see below) is used for finding the serial number of
+REM each device (not really elegant). Again, DBusHAL is the recommended setting.
+REM When chossing an unsupported scan method, Guymager shows the user a dialog asking to fall back
+REM to a supported one.
+REM
+REM CommandGetSerialNumber is used to extract the serial number from a device when setting DeviceScanMethod to libparted (not
+REM recommended). When chosing another scan method, the command will never be called, except if parameter
+REM ForceCommandGetSerialNumber is set (see below). The placeholder %dev in the command string will be replaced
+REM by the device (/dev/hda or /dev/sdc for instance). Examples:
+REM CommandGetSerialNumber = 'bash -c "smartctl -i %dev | grep -i serial | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
+REM CommandGetSerialNumber = 'bash -c "hdparm -I %dev | grep -i ''Serial Number'' | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
+REM
+REM ForceCommandGetSerialNumber Use CommandGetSerialNumber not only when DeviceScanMethod is libparted, but also for others. This
+REM can be interesting in case wrong serial numbers are displayed, which was observed to happen with
+REM certain USB adapter devices.
+REM
+REM CommandGetAddStateInfo contains the command to be executed in order to gather additional state information. By default, CommandGetAddStateInfo
+REM simply is an empty string and no additional information is read nor displayed. If set, the command executed
+REM is expected to return its information in three separate lines (separated by \n):
+REM 1st line: Information text. This text is displayed in the device specific screen area of Guymager
+REM (bottom area of the main window).
+REM 2nd line: A value of 0 tells Guymager that the device cannot be acquired. Guymager forbids the
+REM acquisition of the device in that case. Any other value enables device acquisition.
+REM If this parameter is missing, the device can be acquired.
+REM 3rd line: An integer number indicating the color to be used for marking the device.
The number
+REM refers to the colors named AdditionalStateX in the configuration table Colors (see
+REM above), where X corresponds to the color returned by the command. If this parameter
+REM is missing, the default color (wite) is used.
+REM The command may include the two placeholders %dev and %local which will be replaced accordingly. See
+REM the description of CommandGetSerialNumber above for the use of %dev. %local will be replaced by 1
+REM if the %dev refers to a local device and 0 otherwise.
+REM
+REM If you plan to use this feature, you may do a first test with the configuration setting
+REM CommandGetAddStateInfo='bash -c "/usr/share/guymager/stateinfo.sh %dev"'
+REM where the file /usr/share/guymager/stateinfo.sh is executable and contains the lines
+REM echo "Moie Welt! - $1"
+REM echo "0"
+REM echo "2"
+REM
+REM CommandAcquisitionEnd The command given is called whenever an acquisition ends. Guymager knows several special tokens (chraracter sequences)
+REM that will be replaced automatically. See "Special tokens" above.
+REM The parameter is left empty by default and no script called in that case.
+REM
+REM ScanInterval Speficies how often an automatic device scan (for detecting newly connected devices)
+REM should launched. Unit: Seconds. Keep in mind, that the device scan can be launched as well manually.
+REM
+REM QueryDeviceMediaInfo Guymager has the possibility to gather extended media info about the connected devices. The media info
+REM mainly includes HPA/DCO settings. Some non-standard devices do not expect the corresponding ATA
+REM commands and may even need to be resetted when trying to query media info. In such cases,
+REM QueryDeviceMediaInfo may be switched off. By default, it is on.
+REM
+REM DirectIO Decides whether Guymager reads data in direct IO mode or not. Normally, direct mode should be a little
+REM faster, but it was observed that reading from SSDSs may be much slower in direct mode.
The default
+REM setting therefore is "off".
+REM IMPORTANT:
+REM 1) DirectIO only can be switched on if parameter FifoMemoryManager is also on.
+REM 2) Linux does not read single sectors when DirectIO is off. While this is good for speed, it's a
+REM problem for disks with bad sectors ("contagious error"). Therefore, Guymager switches DirectIO
+REM on when it encounters bad sectors, disregarding the DirectIO configuration parameter. After
+REM the bad sectors area has been read, it switched back to the configured DirectIO mode.
+REM See also www.elsevierscitech.com/pdfs/Contagious_errors.pdf for more information about the
+REM contagious error problem.
+
+DeviceScanMethod = libudev
+CommandGetSerialNumber = 'bash -c "smartctl -i %dev | grep -i serial | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
+ForceCommandGetSerialNumber = false
+CommandGetAddStateInfo = ''
+CommandAcquisitionEnd = ''
+
+ScanInterval = 6000
+QueryDeviceMediaInfo = on
+DirectIO = off
+
+
+REM The RunStats module allows to forward information about Guymager's current state to users or applications.
+REM Principally, Guymager takes a user provided template file, modifies its contents according to the
+REM instructions given in the template file and writes the result to the output file. The template and output
+REM are specified by the parameters RunStatsTemplateActive and RunStatsOutput.
+REM
+REM RunStatsTemplateActive contains the filename for the active template, i.e. the template used when Guymager
+REM is running. When Guymager ends, it modifies the output file one last time just before exiting according to
+REM the contents of another template file, specified by parameter RunStatsTemplateEnded. If parameter
+REM RunStatsTemplateEnded is empty or doesn't point to a valid file, Guymager leaves the output with the content
+REM it last wrote before exiting.
+REM
+REM The template file may contain special tokens which are to be replaced by Guymager.
All other text is
+REM transferred directly to the output file. Tokens always start and end with the % character, see "Token list"
+REM above.
+REM
+REM The token %DEVICE_BLOCK% is specififc to the Runstats module. This token must appear twice in the RunStats
+REM template file. The part in between is repeated as many times as there are devices shown in Guymager's main
+REM device table.
+REM
+REM If you installed Guymager from a Debian package (usual way for installing programs on a Debian, Ubuntu
+REM or other Debian based system) you find examples of RunStats template files in /usr/share/doc/guymager/
+REM or /usr/share/doc/guymager-beta/ .
+REM
+REM Parameter RunStatsInterval specifies how often the output file is to be updated (unit: seconds). Guymager
+REM reads the template at startup and after every 10 output file updates, thus allowing for template file changes
+REM to in the appear in the output file without restarting Guymager.
+REM
+REM In order to switch off the Runstats module, set RunStatsInterval to 0 ot set the active template or output
+REM file to an empty string.
+
+RunStatsTemplateActive = ''
+RunStatsTemplateEnded = ''
+RunStatsOutput = ''
+RunStatsInterval = 60
+
+REM Other settings
+REM --------------
+REM Block sizes: Guymager works internally with threads for doing the different jobs (read, hash calculation, compression,
+REM write) and forwards the data in blocks through fifos from one thread to another. The block size may be adjusted individually
+REM for the different forensic formats. There's only one exception: When using EWF with mult-threaded compression the block size
+REM is 32768 bytes (32KB).
+REM It is recommended to use a multiple of kilobytes or megabytes for the block sizes, because the block size corresponds to size
+REM of the data read at once from the source drive and most drive's caches perform best with such "round" numbers.
So, if you want
+REM to work with a block size of 10 kilobyte, specify 10240 (instead of 10000).
+REM
+REM FifoBlockSizeDD The block size for dd images (in bytes). Recommended value: 262144 (256K).
+REM
+REM FifoBlockSizeEWF The block size for EWF images (in bytes). Recommended value: 32768 (32K). ATTENTION: Tests have shown
+REM that the software "X-Ways Forensics" is not able to handle EWF images with a block size above 256K. Thus,
+REM the recommended maximum value for FifoBlockSizeEWF is 262144.
+REM
+REM FifoBlockSizeAFF The block size for AFF images (in bytes). Recommended value: 16777216 (16M).
+REM
+REM FifoMaxMem The amount of memory used for the internal FIFO queues of an acquisition. The value is indicated in
+REM Megabytes. If you set it to 0, Guymager uses 1/8 of the available RAM, maximally 64MB per acquisition.
+REM Keep in mind, that the total amount of memory used by Guymager may be much higher: With a value of
+REM 256 and 4 acquisitions running in parallel, a total of 1GB RAM would be used by Guymager - only for
+REM the FIFOs, not counting the overhead required by Guymager and the libs it uses (Qt, libewf, ...).
+REM The recommended value is 0 (automatic memory usage calculation).
+REM
+REM FifoMemoryManager Set to on to use the internal FIFO memory manager. If switched off, the classical C functions malloc and
+REM free are used. FifoMemoryManager must be switched on in order to use direct IO (see parameter DirectIO).
+REM It should be switched off for debug purposes only.
+REM
+REM UseSeparatehashThread The hash calculation can be done in a separate thread or in the read thread (i.e. the thread reading
+REM the data from the source). Using a separate thread led to a slight performance advantage on the
+REM developer's machine.
+REM
+REM CompressionThreads The number of threads for parallel compression. The recommended value is the number of processors.
+REM This parameter has a significant performance influence when working with compressed file format
+REM (EWF format). It has no impact on other formats (dd).
+REM Set to AUTO will use the number of CPUs installed in the system (recommended).
+REM Set to 0 for disabling multi-threaded compression and build EWF file the conventional way.
+REM
+REM BadSectorLogThreshold This parameter has been introduced in order to prevent Guymager from writing excessively big log files
+REM when acquiring devices with many (millions) bad sectors. As soon as the threshold has been reached,
+REM Guymager does not any longer log every single bad sector it encounters but only logs from time to time.
+REM The number of log entries after reaching BadSectorLogThreshold depends on parameter BadSectorLogModulo.
+REM When setting BadSectorLogModulo to 1000, then only every 1000th bad sector will be logged after reaching
+REM BadSectorLogThreshold.
+REM A value of 0 deactivates the bad sector log threshold feature.
+REM
+REM BadSectorLogModulo Only active if BadSectorLogThreshold is not zero.
+REM See BadSectorLogThreshold for explanations.
+REM
+REM LimitJobs Limit the number of acquisitions running in parallel to the value specified in this parameter. If
+REM the number of acquisitions started exceeds the value given by LimitJobs, the ones started last are
+REM queued and will be held until a former acquisition ends.
+REM The reason for this parameter is that some users observed degraded performance with heavy SATA IO load.
+REM They claimed, that the overall performance is better when limiting the number of parallel jobs. However,
+REM the author of Guymager has not been presented any performance test results up until now.
+REM Setting this parameter OFF results in starting acqusitions immediately. A value of AUTO corresponds
+REM to half the number of CPUs installed, with a maximum of value 4.
+REM
+REM JobMaxBadSectors Only active if LimitJobs is ON.
+REM With the introduction of the job queue, a problem arises with faulty disks. It could happen that healthy +REM disks are not going to be acquired because of faulty disks blocking the job queue. JobMaxBadSectors prevents +REM from this by ending acquisitions exceeding the given number of bad sectors. +REM Set JobMaxBadSectors to 0 in order not to end acquisitions because of bad sectors. +REM +REM JobDisconnectTimeout Only active if LimitJobs is ON. +REM See remarks for JobMaxBadSectors. JobDisconnectTimeout works in a similar way. It ends acquisitions +REM which have been in state "disconnected" (i.e. which can no longer be accessed) for too long. +REM Set JobDisconnectTimeout to 0 in order not to end acquisitions because of switching to state +REM disconnected. Unit: Seconds. + + +FifoBlockSizeDD = 262144 +FifoBlockSizeEWF = 32768 +FifoBlockSizeAFF = 16777216 +FifoMaxMem = 0 +FifoMemoryManager = On + +UseSeparatehashThread = Yes +CompressionThreads = AUTO + +BadSectorLogThreshold = 0 +BadSectorLogModulo = 1000 + +LimitJobs = OFF +JobMaxBadSectors = 200 +JobDisconnectTimeout = 10000 + +REM Debug settings +REM -------------- +REM SignalHandling For debug purpose only. Switch off SignalHandling only when working with debuggers (gdb). +REM Recommended value: Enabled. +REM +REM WriteToDevNull For debug purpose only. Writes image to /dev/null instead of the indicated file. This switch can +REM be used for performance tests. Only used when creating a dd images. +REM +REM UseMemWatch For debug purpose only. Uses the memwatch malloc/free functions for finding dynamic memory problems. +REM Creates a file named memwatch.log when enabled in the directory where guymager is started. MemWatch +REM may slow down guymager significantly. +REM +REM VerboseLibewf For debug purpose only. Have libewf output internal messages to stderr. +REM +REM CheckEwfData For debug purpose only. 
When using the EWF format and working with separate compression thread(s), +REM Guymager does a special check on the data if this parameter is set. The check is done just before +REM passing the data to the EWF library function that writes it to the image. It checks if the data can +REM be uncompressed correctly, if the lengths match and if the CRC is ok. + +SignalHandling = Enabled +WriteToDevNull = false +UseMemWatch = false +VerboseLibewf = false +CheckEwfData = false + + +REM Device info commands +REM -------------------- +REM In order to get a complete set of information for each acquired drives, guymager executes several standard Linux +REM commands. These commands are contained in the list named DeviceInfoCommands, see below. They are executed when +REM - selecting the "Info" menu point for a device (results are shown in a dialog window) +REM - starting an acquisition (results are written to the .info file) +REM They are executed in the order they appear. The string %dev will be replaced by the corresponding device path +REM (i.e. /dev/sdb for instance). Examples of interesting commands: +REM 'bash -c "smartctl -s on %dev ; smartctl -a %dev"' -- for switching SMART interface on and showing SMART info +REM 'bash -c "hdparm -I %dev"' -- for showing other identification info + +TABLE DeviceInfoCommands NoName + REM Command + REM ------------------------------------------- + 'bash -c "search="`basename %dev`: H..t P.......d A..a de.....d" && dmesg | grep -A3 "$search" || echo "No kernel HPA messages for %dev""' + 'bash -c "smartctl -s on %dev ; smartctl -a %dev"' + 'bash -c "hdparm -I %dev"' + REM 'bash -c disk_stat %dev' +ENDTABLE + + + +REM Tables LocalDevices and HiddenDevices +REM The local devices may be entered here. Guymager will mark them colored and will not allow to acquire them. The +REM table allows for entering the Linux device path, serial number, model, native path or by path. 
Examples: +REM '/dev/sda' +REM 'S042J10XC57542' +REM +REM Table HiddenDevices works the same way, except that devices listed here won't appear at all in the Guymaer GUI. +REM +REM LocalHiddenDevicesUseRegExp defines whether the given strings for local and hidden devices should be interpreted +REM as regular expressions or not. Example: With LocalHiddenDevicesUseRegExp switched on, the following string would +REM match all loop devices in the range 10-15 (i.e. /dev/loop10 .. /dev/loop15): +REM '/dev/loop1[0-5]' +REM +REM For both (reg. exp. on and off) the comparison is case independent. + +LocalHiddenDevicesUseRegExp = false + +TABLE LocalDevices NoName + REM Device + REM ------------------------------------------- + +ENDTABLE + +TABLE HiddenDevices NoName + REM Device + REM ------------------------------------------- + +ENDTABLE + + +REM Below we include a local configuration file. All entries in the local configuration file will override the ones above. +REM +REM If ever you want to change some of the settings above, don't do it directly here, as all your changes would be +REM gone when installing a new version of guymager. Edit /etc/guymager/local.cfg instead. + +INCLUDE_OPTIONAL /etc/guymager/local.cfg +INCLUDE_OPTIONAL ./local.cfg + +ENDSECTION diff --git a/init.d/smartmontools b/init.d/smartmontools new file mode 100755 index 0000000..a64b0e6 --- /dev/null +++ b/init.d/smartmontools 
@@ -0,0 +1,137 @@
+#!/bin/sh -e
+#
+# smartmontools init.d startup script
+#
+# (C) 2003,04,07 Guido Günther
+#
+# loosely based on the init script that comes with smartmontools which is
+# copyrighted 2002 by Bruce Allen
+#
+### BEGIN INIT INFO
+# Provides: smartmontools
+# Required-Start: $syslog $remote_fs
+# Required-Stop: $syslog $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 1
+# Short-Description: SMART monitoring daemon
+### END INIT INFO
+
+SMARTCTL=/usr/sbin/smartctl
+DAEMON=/usr/sbin/smartd
+PIDFILE=/var/run/smartd.pid
+[ -x $SMARTCTL ] || exit 0
+[ -x $DAEMON ] || exit 0
+. /lib/lsb/init-functions
+
+RET=0
+
+[ -r /etc/default/rcS ] && . /etc/default/rcS
+[ -r /etc/default/smartmontools ] && . /etc/default/smartmontools
+
+smartd_opts="--pidfile $PIDFILE $smartd_opts"
+
+enable_smart() {
+ log_action_begin_msg "Enabling S.M.A.R.T."
+ for device in $enable_smart; do
+ log_action_cont_msg "$device"
+ if ! $SMARTCTL --quietmode=errorsonly --smart=on $device; then
+ log_action_cont_msg "(failed)"
+ RET=2
+ fi
+ done
+ log_action_end_msg 0
+}
+
+check_start_smartd_option() {
+ if [ ! "$start_smartd" = "yes" ]; then
+ [ "$VERBOSE" = "yes" ] && log_warning_msg "Not starting S.M.A.R.T. daemon smartd, disabled via /etc/default/smartmontools"
+ return 1
+ else
+ return 0
+ fi
+}
+
+running_pid()
+{
+ # Check if a given process pid's cmdline matches a given name
+ pid=$1
+ name=$2
+ [ -z "$pid" ] && return 1
+ [ ! -d /proc/$pid ] && return 1
+ cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
+ # Is this the expected child?
+ [ "$cmd" != "$name" ] && return 1
+ return 0
+}
+
+running()
+{
+# Check if the process is running looking at /proc
+# (works for all users)
+ # No pidfile, probably no daemon present
+ [ !
-f "$PIDFILE" ] && return 1
+ # Obtain the pid and check it against the binary name
+ pid=`cat $PIDFILE`
+ running_pid $pid $DAEMON || return 1
+ return 0
+}
+
+case "$1" in
+ start)
+ [ -n "$enable_smart" ] && enable_smart
+ if check_start_smartd_option; then
+
+ log_daemon_msg "Starting S.M.A.R.T. daemon" "smartd"
+ if running; then
+ log_progress_msg "already running"
+ log_end_msg 0
+ exit 0
+ fi
+ rm -f $PIDFILE
+ if start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --exec $DAEMON -- $smartd_opts; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ RET=1
+ fi
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping S.M.A.R.T. daemon" "smartd"
+ start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE
+ log_end_msg 0
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading S.M.A.R.T. daemon" "smartd"
+ if start-stop-daemon --stop --quiet --signal 1 \
+ --pidfile $PIDFILE; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ RET=1
+ fi
+ ;;
+ restart)
+ if check_start_smartd_option; then
+ log_daemon_msg "Restarting S.M.A.R.T. daemon" "smartd"
+ start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile $PIDFILE
+ rm -f $PIDFILE
+ if start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --exec $DAEMON -- $smartd_opts; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ RET=1
+ fi
+ fi
+ ;;
+ status)
+ status_of_proc $DAEMON smartd && exit 0 || exit $?
+ ;;
+ *)
+ echo "Usage: /etc/init.d/smartmontools {start|stop|restart|reload|force-reload|status}"
+ exit 1
+esac
+
+exit $RET
diff --git a/logcheck/ignore.d.server/rkhunter b/logcheck/ignore.d.server/rkhunter
new file mode 100644
index 0000000..ae0df8e
--- /dev/null
+++ b/logcheck/ignore.d.server/rkhunter
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rkhunter: Rootkit hunter check started \(version [0-9.]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rkhunter: Scanning took ([0-9]+ minutes? and )?[0-9]+ seconds?$
diff --git a/logrotate.d/rkhunter b/logrotate.d/rkhunter
new file mode 100644
index 0000000..00ac5d6
--- /dev/null
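Review bot: The `stop`, `reload|force-reload` and `restart` arms run `start-stop-daemon --stop` with only `--pidfile $PIDFILE`, so whatever PID the file names is signalled with no check that it still belongs to smartd; the `running_pid` helper does that cmdline comparison for the `start` path, but the stop paths bypass it, so after a crash and PID reuse a stale pidfile could direct TERM or HUP at an unrelated process, as root. Adding `--exec $DAEMON` to the three `--stop` invocations, e.g. `start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON`, makes start-stop-daemon verify the target before signalling (`--name smartd` is the alternative if the binary may be replaced while the daemon runs, since `--exec` compares against the on-disk executable). Separately, the `-e` in `#!/bin/sh -e` applies only when the script is executed directly and is lost under `sh /etc/init.d/smartmontools start`; an explicit `set -e` after the shebang is the robust form. `running_pid` also interpolates the pidfile content into `/proc/$pid` unvalidated; the file is root-written so the risk is low, but a guard such as `case "$pid" in *[!0-9]*|'') return 1;; esac` would make it fail closed.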
+++ b/logrotate.d/rkhunter
@@ -0,0 +1,9 @@
+/var/log/rkhunter.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+}
diff --git a/mailcap b/mailcap
index 9dee4a7..3af1b15 100644
--- a/mailcap
+++ b/mailcap
@@ -72,6 +72,7 @@ image/jpeg; gthumb '%s'; test=test -n "$DISPLAY"
 image/gif; gthumb '%s'; test=test -n "$DISPLAY"
 image/png; gthumb '%s'; test=test -n "$DISPLAY"
 application/x-info; /usr/bin/info -f '%s'; needsterminal; description=GNU Info document
+audio/mpeg; mpg123 -q %s; needsterminal
 application/mxf; /usr/bin/mplayer %s; description="MXF video"
 application/x-netshow-channel; /usr/bin/mplayer %s; description="Windows Media Station file"
 application/ogg; /usr/bin/mplayer %s; description="Ogg multimedia file"
diff --git a/rc1.d/K01smartmontools b/rc1.d/K01smartmontools
new file mode 120000
index 0000000..c4259b5
--- /dev/null
+++ b/rc1.d/K01smartmontools
@@ -0,0 +1 @@
+../init.d/smartmontools
\ No newline at end of file
diff --git a/rc2.d/S03smartmontools b/rc2.d/S03smartmontools
new file mode 120000
index 0000000..c4259b5
--- /dev/null
+++ b/rc2.d/S03smartmontools
@@ -0,0 +1 @@
+../init.d/smartmontools
\ No newline at end of file
diff --git a/rc3.d/S03smartmontools b/rc3.d/S03smartmontools
new file mode 120000
index 0000000..c4259b5
--- /dev/null
+++ b/rc3.d/S03smartmontools
@@ -0,0 +1 @@
+../init.d/smartmontools
\ No newline at end of file
diff --git a/rc4.d/S03smartmontools b/rc4.d/S03smartmontools
new file mode 120000
index 0000000..c4259b5
--- /dev/null
+++ b/rc4.d/S03smartmontools
@@ -0,0 +1 @@
+../init.d/smartmontools
\ No newline at end of file
diff --git a/rc5.d/S03smartmontools b/rc5.d/S03smartmontools
new file mode 120000
index 0000000..c4259b5
--- /dev/null
+++ b/rc5.d/S03smartmontools
@@ -0,0 +1 @@
+../init.d/smartmontools
\ No newline at end of file
diff --git a/rkhunter.conf b/rkhunter.conf
new file mode 100644
index 0000000..2b65362
--- /dev/null
+++ b/rkhunter.conf
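Review bot: The added `audio/mpeg` entry passes `%s` to mpg123 unquoted, whereas the gthumb and info entries in the surrounding context quote it as `'%s'`; the mplayer entries just below use the unquoted form, so the file mixes both conventions and this is a point of style rather than a defect. Whether an unquoted `%s` can be misparsed depends on the program expanding the entry (Debian's run-mailcap appears to shell-quote the substituted filename itself, but not every mailcap consumer does), so the quoted form is the conservative one: `audio/mpeg; mpg123 -q '%s'; needsterminal`.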
@@ -0,0 +1,1351 @@ +# +# This is the main configuration file for Rootkit Hunter. +# +# You can modify this file directly, or you can create a local configuration +# file. The local file must be named 'rkhunter.conf.local', and must reside +# in the same directory as this file. Alternatively you can create a directory, +# named 'rkhunter.d', which also must be in the same directory as this +# configuration file. Within the 'rkhunter.d' directory you can place further +# configuration files. There is no restriction on the file names used, other +# than they must end in '.conf'. +# +# Please modify the configuration file(s) to your own requirements. It is +# recommended that the command 'rkhunter -C' is run after any changes have +# been made. +# +# Please review the documentation before posting bug reports or questions. +# To report bugs, provide patches or comments, please go to: +# http://rkhunter.sourceforge.net +# +# To ask questions about rkhunter, please use the 'rkhunter-users' mailing list. +# Note that this is a moderated list, so please subscribe before posting. +# +# In the configuration files, lines beginning with a hash (#), and blank lines, +# are ignored. Also, end-of-line comments are not supported. +# +# Any of the configuration options may appear more than once. However, several +# options only take one value, and so the last one seen will be used. Some +# options are allowed to appear more than once, and the text describing the +# option will say if this is so. These configuration options will, in effect, +# have their values concatenated together. To delete a previously specified +# option list, specify the option with no value (that is, a null string). +# +# Some of the options are space-separated lists, others, typically those +# specifying pathnames, are newline-separated lists. These must be entered +# as one item per line. Quotes must not be used to surround the pathname. 
+# +# For example, to specify two pathnames, '/tmp/abc' and '/tmp/xyz', for an +# option: XXX=/tmp/abc (correct) +# XXX=/tmp/xyz +# +# XXX="/tmp/abc" (incorrect) +# XXX="/tmp/xyz" +# +# XXX=/tmp/abc /tmp/xyz (incorrect) +# or XXX="/tmp/abc /tmp/xyz" (incorrect) +# or XXX="/tmp/abc" "/tmp/xyz" (incorrect) +# +# The last three examples are being configured as space-separated lists, +# which is incorrect, generally, for options specifying pathnames. They +# should be configured with one entry per line as in the first example. +# +# If wildcard characters (globbing) are allowed for an option, then the +# text describing the option will say so. Any globbing character explicitly +# required in a pathname should be escaped. +# +# Space-separated lists may be enclosed by quotes, although they are not +# required. If they are used, then they must only appear at the start and +# end of the list, not in the middle. +# +# For example: XXX=abc def gh (correct) +# XXX="abc def gh" (correct) +# XXX="abc" "def" "gh" (incorrect) +# +# Space-separated lists may also be entered simply as one entry per line. +# +# For example: XXX=abc (correct) +# XXX=def +# XXX="gh" +# +# If a configuration option is never set, then the program will assume a +# default value. The text describing the option will state the default value. +# If there is no default, then rkhunter will calculate a value or pathname +# to use. If a value is set for a configuration option, then the default +# value is ignored. If it is wished to keep the default value, as well as +# any other set value, then the default must be explicitly set. +# + + +# +# If this option is set to '1', it specifies that the mirrors file +# ('mirrors.dat'), which is used when the '--update' and '--versioncheck' +# options are used, is to be rotated. Rotating the entries in the file allows +# a basic form of load-balancing between the mirror sites whenever the above +# options are used. 
+# +# If the option is set to '0', then the mirrors will be treated as if in a +# priority list. That is, the first mirror listed will always be used first. +# The second mirror will only be used if the first mirror fails, the third +# mirror will only be used if the second mirror fails, and so on. +# +# If the mirrors file is read-only, then the '--versioncheck' command-line +# option can only be used if this option is set to '0'. +# +# The default value is '1'. +# +#ROTATE_MIRRORS=1 + +# +# If this option is set to '1', it specifies that when the '--update' option is +# used, then the mirrors file is to be checked for updates as well. If the +# current mirrors file contains any local mirrors, these will be prepended to +# the updated file. If this option is set to '0', the mirrors file can only be +# updated manually. This may be useful if only using local mirrors. +# +# The default value is '1'. +# +UPDATE_MIRRORS=0 + +# +# The MIRRORS_MODE option tells rkhunter which mirrors are to be used when +# the '--update' or '--versioncheck' command-line options are given. +# Possible values are: +# 0 - use any mirror +# 1 - only use local mirrors +# 2 - only use remote mirrors +# +# Local and remote mirrors can be defined in the mirrors file by using the +# 'local=' and 'remote=' keywords respectively. +# +# The default value is '0'. +# +MIRRORS_MODE=1 + +# +# Email a message to this address if a warning is found when the system is +# being checked. Multiple addresses may be specified simply be separating +# them with a space. To disable the option, simply set it to the null string +# or comment it out. +# +# The option may be specified more than once. +# +# The default value is the null string. +# +# Also see the MAIL_CMD option. +# +#MAIL-ON-WARNING=root + +# +# This option specifies the mail command to use if MAIL-ON-WARNING is set. +# +# NOTE: Double quotes are not required around the command, but are required +# around the subject line if it contains spaces. 
+# +# The default is to use the 'mail' command, with a subject line +# of '[rkhunter] Warnings found for ${HOST_NAME}'. +# +#MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" + +# +# This option specifies the directory to use for temporary files. +# +# NOTE: Do not use '/tmp' as your temporary directory. Some important files +# will be written to this directory, so be sure that the directory permissions +# are secure. +# +# The installer program will set the default directory. If this default is +# subsequently commented out or removed, then the program will assume a +# default directory beneath the installation directory. +# +TMPDIR=/var/lib/rkhunter/tmp + +# +# This option specifies the database directory to use. +# +# The installer program will set the default directory. If this default is +# subsequently commented out or removed, then the program will assume a +# default directory beneath the installation directory. +# +DBDIR=/var/lib/rkhunter/db + +# +# This option specifies the script directory to use. +# +# The installer program will set the default directory. If this default is +# subsequently commented out or removed, then the program will not run. +# +SCRIPTDIR=/usr/share/rkhunter/scripts + +# +# This option can be used to modify the command directory list used by rkhunter +# to locate commands (that is, its PATH). By default this will be the root PATH, +# and an internal list of some common command directories. +# +# Any directories specified here will, by default, be appended to the default +# list. However, if a directory name begins with the '+' character, then that +# directory will be prepended to the list (that is, it will be put at the start +# of the list). +# +# This is a space-separated list of directory names. The option may be +# specified more than once. +# +# The default value is based on the root account PATH environment variable. 
+# +#BINDIR=/bin /usr/bin /sbin /usr/sbin +#BINDIR=+/usr/local/bin +/usr/local/sbin + +# +# This option specifies the default language to use. This should be similar to +# the ISO 639 language code. +# +# NOTE: Please ensure that the language you specify is supported. +# For a list of supported languages use the following command: +# +# rkhunter --lang en --list languages +# +# The default language is 'en' (English). +# +#LANGUAGE=en + +# +# This option is a space-separated list of the languages that are to be updated +# when the '--update' option is used. If unset, then all the languages will be +# updated. If none of the languages are to be updated, then set this option to +# just 'en'. +# +# The default language, specified by the LANGUAGE option, and the English (en) +# language file will always be updated regardless of this option. +# +# This option may be specified more than once. +# +# The default value is the null string, indicating that all the language files +# will be updated. +# +UPDATE_LANG="en" + +# +# This option specifies the log file pathname. The file will be created if it +# does not initially exist. If the option is unset, then the program will +# display a message each time it is run saying that the default value is being +# used. +# +# The default value is '/var/log/rkhunter.log'. +# +LOGFILE=/var/log/rkhunter.log + +# +# Set this option to '1' if the log file is to be appended to whenever rkhunter +# is run. A value of '0' will cause a new log file to be created whenever the +# program is run. +# +# The default value is '0'. +# +#APPEND_LOG=0 + +# +# Set the following option to '1' if the log file is to be copied when rkhunter +# finishes and an error or warning has occurred. The copied log file name will +# be appended with the current date and time (in YYYY-MM-DD_HH:MM:SS format). 
+# For example: rkhunter.log.2009-04-21_00:57:51 +# If the option value is '0', then the log file will not be copied regardless +# of whether any errors or warnings occurred. +# +# The default value is '0'. +# +#COPY_LOG_ON_ERROR=0 + +# +# Set the following option to enable the rkhunter check start and finish times +# to be logged by syslog. Warning messages will also be logged. The value of +# the option must be a standard syslog facility and priority, separated by a +# dot. For example: +# +# USE_SYSLOG=authpriv.warning +# +# Setting the value to 'NONE', or just leaving the option commented out, +# disables the use of syslog. +# +# The default value is not to use syslog. +# +USE_SYSLOG=authpriv.warning + +# +# Set the following option to '1' if the second colour set is to be used. This +# can be useful if your screen uses black characters on a white background +# (for example, a PC instead of a server). A value of '0' will cause the default +# colour set to be used. +# +# The default value is '0'. +# +#COLOR_SET2=0 + +# +# Set the following option to '0' if rkhunter should not detect if X is being +# used. If X is detected as being used, then the second colour set will +# automatically be used. If set to '1', then the use of X will be detected. +# +# The default value is '0'. +# +AUTO_X_DETECT=1 + +# +# Set the following option to '1' if it is wanted that any 'Whitelisted' results +# are shown in white rather than green. For colour set 2 users, setting this +# option will cause the result to be shown in black. Setting the option to '0' +# causes whitelisted results to be displayed in green. +# +# The default value is '0'. +# +#WHITELISTED_IS_WHITE=0 + +# +# The following option is checked against the SSH configuration file +# 'PermitRootLogin' option. A warning will be displayed if they do not match. +# However, if a value has not been set in the SSH configuration file, then a +# value here of 'unset' can be used to avoid warning messages. 
+# +# The default value is 'no'. +# +#ALLOW_SSH_ROOT_USER=no + +# +# Set this option to '1' to allow the use of the SSH-1 protocol, but note +# that theoretically it is weaker, and therefore less secure, than the +# SSH-2 protocol. Do not modify this option unless you have good reasons +# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 +# authentication). If the 'Protocol' option has not been set in the SSH +# configuration file, then a value of '2' may be set here in order to +# suppress a warning message. A value of '0' indicates that the use of +# SSH-1 is not allowed. +# +# The default value is '0'. +# +ALLOW_SSH_PROT_V1=2 + +# +# This setting tells rkhunter the directory containing the SSH configuration +# file. If unset, this setting will be worked out by rkhunter, and so should +# not usually need to be set. +# +# This option has no default value. +# +#SSH_CONFIG_DIR=/etc/ssh + +# +# These two options determine which tests are to be performed. The ENABLE_TESTS +# option can use the word 'ALL' to refer to all of the available tests. The +# DISABLE_TESTS option can use the word 'NONE' to mean that no tests are +# disabled. The list of disabled tests is applied to the list of enabled tests. +# +# Both options are space-separated lists of test names, and both options may +# be specified more than once. The currently available test names can be seen +# by using the command 'rkhunter --list tests'. +# +# The supplied configuration file has some tests already disabled, and these +# are tests that will be used only occasionally, can be considered 'advanced' +# or that are prone to produce more than the average number of false-positives. +# +# Please read the README file for more details about enabling and disabling +# tests, the test names, and how rkhunter behaves when these options are used. +# +# The default values are to enable all tests and to disable none. 
However, if +# either of the options below are specified, then they will override the +# program defaults. +# +ENABLE_TESTS=ALL +DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps + +# +# The HASH_CMD option can be used to specify the command to use for the file +# properties hash value check. It can be specified as just the command name or +# the full pathname. If just the command name is given, and it is one of MD5, +# SHA1, SHA224, SHA256, SHA384 or SHA512, then rkhunter will first look for the +# relevant command, such as 'sha256sum', and then for 'sha256'. If neither of +# these are found, it will then look to see if a perl module has been installed +# which will support the relevant hash function. To see which perl modules have +# been installed use the command 'rkhunter --list perl'. +# +# Systems using prelinking are restricted to using either the SHA1 or MD5 +# function. +# +# A value of 'NONE' (in uppercase) can be specified to indicate that no hash +# function should be used. Rkhunter will detect this, and automatically disable +# the file properties hash check test. +# +# Examples: +# For Solaris 9 : HASH_CMD=gmd5sum +# For Solaris 10: HASH_CMD=sha1sum +# For AIX (>5.2): HASH_CMD="csum -hMD5" +# For NetBSD : HASH_CMD="cksum -a sha512" +# +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. +# +# The default value is the SHA256 function, unless prelinking is used in +# which case it defaults to the SHA1 function. +# +# Also see the HASH_FLD_IDX option. In addition, note the comments under +# the PKGMGR option relating to the use of HASH_CMD. +# +#HASH_CMD=SHA256 + +# +# The HASH_FLD_IDX option specifies which field from the HASH_CMD command +# output contains the hash value. The fields are assumed to be space-separated. +# +# The option value must be an integer greater than zero. 
+# +# The default value is '1', but for *BSD users rkhunter will, by default, use a +# value of '4' if the HASH_CMD option has not been set. +# +#HASH_FLD_IDX=4 + +# +# The PKGMGR option tells rkhunter to use the specified package manager to +# obtain the file property information. This is used when updating the file +# properties file ('rkhunter.dat'), and when running the file properties check. +# For RedHat/RPM-based systems, 'RPM' can be used to get information from the +# RPM database. For Debian-based systems 'DPKG' can be used, for *BSD systems +# 'BSD' can be used, or for *BSD systems with the 'pkg' command 'BSDng' can be +# used, and for Solaris systems 'SOLARIS' can be used. No value, or a value of +# 'NONE', indicates that no package manager is to be used. +# +# The package managers obtain each file hash value using a hash function. The +# Solaris package manager includes a 16-bit checksum value, but this is not +# used by default (see USE_SUNSUM below). The 'RPM' and 'BSDng' package managers +# currently use a SHA256 hash function. Other package managers will, typically, +# use an MD5 hash function. +# +# The 'DPKG', 'BSD' and 'BSDng' package managers only provide a file hash value. +# The 'RPM' package manager additionally provides values for the inode, file +# permissions, uid, gid and other values. The 'SOLARIS' package manager also +# provides most of the values, similar to 'RPM', but not the inode number. +# +# For any file not part of a package, rkhunter will revert to using the +# HASH_CMD hash function instead. This means that if the HASH_CMD option +# is set, and PKGMGR is set, then the HASH_CMD hash function is only used, +# and stored, for non-packaged files. All packaged files will use, and store, +# whatever hash function the relevant package manager uses. So, for example, +# with the 'RPM' package manager, packaged files will be stored with their +# SHA256 value regardless of the value of the HASH_CMD option. 
+# +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. +# +# The default value is 'NONE'. +# +# Also see the PKGMGR_NO_VRFY and USE_SUNSUM options. +# +# NONE is the default for Debian as well, as running --propupd takes +# about 4 times longer when it's set to DPKG +# +#PKGMGR=NONE + +# +# It is possible that a file, which is part of a package, may have been +# modified by the administrator. Typically this occurs for configuration +# files. However, the package manager may list the file as being modified. +# For the RPM package manager this may well depend on how the package was +# built. This option specifies a pathname which is to be exempt from the +# package manager verification process, and which will be treated +# as a non-packaged file. As such, the file properties are still checked. +# +# This option only takes effect if the PKGMGR option has been set, and +# is not 'NONE'. +# +# This option may be specified more than once. +# +# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run. +# +# The default value is the null string. +# +#PKGMGR_NO_VRFY="" + +# +# If the 'SOLARIS' package manager is used, then it is possible to use the +# checksum (hash) value stored for a file. However, this is only a 16-bit +# checksum, and as such is not nearly as secure as, for example, a SHA-2 value. +# If the option is set to '0', then the checksum is not used and the hash +# function given by HASH_CMD is used instead. To enable this option, set its +# value to '1'. The Solaris 'sum' command must be present on the system if this +# option is used. +# +# The default value is '0'. +# +#USE_SUNSUM=0 + +# +# This option can be used to tell rkhunter to ignore any prelink dependency +# errors for the given commands. However, a warning will also be issued if the +# error does not occur for a given command. As such this option must only be +# used on commands which experience a persistent problem. 
+#
+# Short-term prelink dependency errors can usually be resolved simply by
+# running the 'prelink' command on the given pathname.
+#
+# This is a space-separated list of command pathnames. The option can be
+# specified more than once.
+#
+# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# The default value is the null string.
+#
+#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top
+
+#
+# These options specify a command, directory or file pathname which will be
+# included or excluded in the file properties checks.
+#
+# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example,
+# 'top' - and directory names are added to the internal list of directories to
+# be searched for each of the command names in the command list. Additionally,
+# full pathnames to files, which need not be commands, may be given. Any files
+# or directories which are already part of the internal lists will be silently
+# ignored from the configuration.
+#
+# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for
+# simple command names.
+# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
+#
+# To extend the use of wildcards to include recursive checking of directories,
+# see the GLOBSTAR configuration option.
+#
+# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS
+# option. Wildcards may be used with this option.
+#
+# By combining these two options, and using wildcards, whole directories can be
+# excluded. For example:
+#
+# USER_FILEPROP_FILES_DIRS=/etc/*
+# USER_FILEPROP_FILES_DIRS=/etc/*/*
+# EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/*
+#
+# This will look for files in the first two directory levels of '/etc'. However,
+# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be
+# excluded.
+#
+# NOTE: Only files and directories which have been added by the user, and are
+# not part of the internal lists, can be excluded. So, for example, it is not
+# possible to exclude the 'ps' command by using '/bin/ps'. These will be
+# silently ignored from the configuration.
+#
+# Both options can be specified more than once.
+#
+# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run.
+#
+# The default value for both options is the null string.
+#
+#USER_FILEPROP_FILES_DIRS=top
+#USER_FILEPROP_FILES_DIRS=/usr/local/sbin
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.d/*
+#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps*
+
+#
+# This option whitelists files and directories from existing, or not existing,
+# on the system at the time of testing. This option is used when the
+# configuration file options themselves are checked, and during the file
+# properties check, the hidden files and directories checks, and the filesystem
+# check of the '/dev' directory.
+#
+# This option may be specified more than once, and may use wildcards.
+# Be aware though that this is probably not what you want to do as the
+# wildcarding will be expanded after files have been deleted. As such
+# deleted files won't be whitelisted if wildcarded.
+#
+# NOTE: The user must take into consideration how often the file will appear
+# and disappear from the system in relation to how often rkhunter is run. If
+# the file appears, and disappears, too often then rkhunter may not notice
+# this. All it will see is that the file has changed. The inode number and DTM
+# will certainly be different for each new file, and rkhunter will report this.
+#
+# The default value is the null string.
+#
+#EXISTWHITELIST=""
+
+#
+# Whitelist various attributes of the specified file. The attributes are those
+# of the 'attributes' test. Specifying a file name here does not include it
+# being whitelisted for the write permission test (see below).
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ATTRWHITELIST=/usr/bin/date
+
+#
+# Allow the specified file to have the 'others' (world) permission have the
+# write-bit set. For example, files with permissions r-xr-xrwx or rwxrwxrwx.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#WRITEWHITELIST=/usr/bin/date
+
+#
+# Allow the specified file to be a script.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+SCRIPTWHITELIST=/bin/egrep
+SCRIPTWHITELIST=/bin/fgrep
+SCRIPTWHITELIST=/bin/which
+SCRIPTWHITELIST=/usr/bin/ldd
+#SCRIPTWHITELIST=/usr/bin/lwp-request
+SCRIPTWHITELIST=/usr/sbin/adduser
+#SCRIPTWHITELIST=/usr/sbin/prelink
+#SCRIPTWHITELIST=/usr/sbin/unhide.rb
+
+#
+# Allow the specified file to have the immutable attribute set.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#IMMUTWHITELIST=/sbin/ifdown
+
+#
+# If this option is set to '1', then the immutable-bit test is reversed. That
+# is, the files are expected to have the bit set. A value of '0' means that the
+# immutable-bit should not be set.
+#
+# The default value is '0'.
+#
+#IMMUTABLE_SET=0
+
+#
+# If this option is set to '1', then any changed inode value is ignored in
+# the file properties check. The inode test itself still runs, but it will
+# always return that no inodes have changed.
+#
+# This option may be useful for filesystems such as Btrfs, which handle inodes
+# slightly differently than other filesystems.
+#
+# The default value is '0'.
+#
+#SKIP_INODE_CHECK=0
+
+#
+# Allow the specified hidden directory to be whitelisted.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWHIDDENDIR=/etc/.java
+#ALLOWHIDDENDIR=/etc/.git
+#ALLOWHIDDENDIR=/dev/.lxc
+
+#
+# Allow the specified hidden file to be whitelisted.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
+#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
+#ALLOWHIDDENFILE=/usr/lib/.libfipscheck.so.1.1.0.hmac
+#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha1hmac.hmac
+#ALLOWHIDDENFILE=/usr/lib/hmaccalc/sha256hmac.hmac
+#ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
+#ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
+#ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
+#ALLOWHIDDENFILE=/etc/.gitignore
+#ALLOWHIDDENFILE=/etc/.bzrignore
+#ALLOWHIDDENFILE=/etc/.etckeeper
+
+#
+# Allow the specified process to use deleted files. The process name may be
+# followed by a colon-separated list of full pathnames (which have been
+# deleted). The process will then only be whitelisted if it is using one of
+# the given pathnames. For example:
+#
+# ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
+#
+# This option may be specified more than once. It may also use wildcards, but
+# only in the deleted file pathnames, not in the process name. The use of
+# extended pattern matching in pathname expansion (for example, '**') is not
+# supported for this option. However, the option itself extends globbing when
+# the '*' character is used by matching zero or more characters in the
+# pathname, including those in sub-directories. For example, the pathname
+# '/tmp/abc/def/xyz' would not be matched by shell globbing using '/tmp/*/xyz'
+# but is matched when used in this option. Similarly, using '/tmp/*' will
+# match any file found in the '/tmp' directory or any sub-directories.
+#
+# The default value is the null string.
+#
+#ALLOWPROCDELFILE=/sbin/cardmgr
+#ALLOWPROCDELFILE=/usr/lib/libgconf2-4/gconfd-2
+#ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib*
+#ALLOWPROCDELFILE=/usr/lib/iceweasel/iceweasel
+#ALLOWPROCDELFILE=/usr/bin/file-roller
+
+#
+# Allow the specified process to listen on any network interface.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWPROCLISTEN=/sbin/dhclient
+#ALLOWPROCLISTEN=/usr/bin/dhcpcd
+#ALLOWPROCLISTEN=/usr/sbin/tcpdump
+#ALLOWPROCLISTEN=/usr/sbin/snort-plain
+
+#
+# Allow the specified network interfaces to be in promiscuous mode.
+#
+# This is a space-separated list of interface names. The option may be
+# specified more than once.
+#
+# The default value is the null string.
+#
+#ALLOWPROMISCIF=eth0
+
+#
+# This option specifies how rkhunter should scan the '/dev' directory for
+# suspicious files. The only allowed values are 'THOROUGH' and 'LAZY'.
+#
+# A THOROUGH scan will increase the overall runtime of rkhunter. Despite this,
+# it is highly recommended that this value is used.
+#
+# The default value is 'THOROUGH'.
+#
+# Also see the ALLOWDEVFILE option.
+#
+#SCAN_MODE_DEV=THOROUGH
+
+#
+# Allow the specified file to be present in the '/dev' directory, and not
+# regarded as suspicious.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWDEVFILE=/dev/shm/pulse-shm-*
+#ALLOWDEVFILE=/dev/shm/sem.ADBE_*
+
+#
+# Allow the specified process pathnames to use shared memory segments.
+#
+# This option may be specified more than once, and may use wildcard characters.
+#
+# The default value is the null string.
+#
+#ALLOWIPCPROC=/usr/bin/firefox
+#ALLOWIPCPROC=/usr/bin/vlc
+
+#
+# Allow the specified memory segment creator PIDs to use shared memory segments.
+#
+# This is a space-separated list of PID numbers (as given by the
+# 'ipcs -p' command). This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#ALLOWIPCPID=12345 6789
+
+#
+# Allow the specified account names to use shared memory segments.
+#
+# This is a space-separated list of account names. The option may be specified
+# more than once.
+#
+# The default value is the null string.
+#
+#ALLOWIPCUSER=usera userb
+
+#
+# This option can be used to set the maximum shared memory segment size
+# (in bytes) that is not considered suspicious. Any segment above this size,
+# and with 600 or 666 permissions, will be considered suspicious during the
+# shared memory check.
+#
+# The default is 1048576 (1M) bytes.
+#
+#IPC_SEG_SIZE=1048576
+
+#
+# This option is used to indicate if the Phalanx2 test is to perform a basic
+# check, or a more thorough check. If the option is set to '0', then a basic
+# check is performed. If it is set to '1', then all the directories in the
+# '/etc' and '/usr' directories are scanned.
+#
+# NOTE: Setting this option to '1' will cause the test to take longer
+# to complete.
+#
+# The default value is '0'.
+#
+#PHALANX2_DIRTEST=0
+
+#
+# This option tells rkhunter where the inetd configuration file is located.
+#
+# The default value is the null string.
+#
+#INETD_CONF_PATH=/etc/inetd.conf
+
+#
+# This option allows the specified enabled inetd services.
+#
+# This is a space-separated list of service names. The option may be specified
+# more than once.
+#
+# For non-Solaris users the simple service name should be used.
+# For example:
+#
+# INETD_ALLOWED_SVC=echo
+#
+# For Solaris 9 users the simple service name should also be used, but
+# if it is an RPC service, then the executable pathname should be used.
+# For example:
+#
+# INETD_ALLOWED_SVC=imaps
+# INETD_ALLOWED_SVC=/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd
+#
+# For Solaris 10 users the service/FMRI name should be used. For example:
+#
+# INETD_ALLOWED_SVC=/network/rpc/meta
+# INETD_ALLOWED_SVC=/network/rpc/metamed
+# INETD_ALLOWED_SVC=/application/font/stfsloader
+# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
+#
+# The default value is the null string.
+#
+#INETD_ALLOWED_SVC=echo
+
+#
+# This option tells rkhunter where the xinetd configuration file is located.
+#
+# The default value is the null string.
+#
+#XINETD_CONF_PATH=/etc/xinetd.conf
+
+#
+# This option allows the specified enabled xinetd services. Whilst it would be
+# nice to use the service names themselves, at the time of testing we only have
+# the pathname available. As such, these entries are the xinetd file pathnames.
+#
+# This is a space-separated list of service names. The option may be specified
+# more than once.
+#
+# The default value is the null string.
+#
+#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
+
+#
+# This option tells rkhunter the local system startup file pathnames. The
+# directories will be searched for files. If unset, then rkhunter will try
+# and determine were the startup files are located. If the option is set to
+# 'NONE' then certain tests will be skipped.
+#
+# This is a space-separated list of file and directory pathnames. The option
+# may be specified more than once, and may use wildcard characters.
+#
+# This option has no default value.
+#
+#STARTUP_PATHS=/etc/init.d /etc/rc.local
+
+#
+# This option tells rkhunter the pathname to the file containing the user
+# account passwords. If unset, this setting will be worked out by rkhunter,
+# and so should not usually need to be set. Users of TCB shadow files should
+# not set this option.
+#
+# This option has no default value.
+#
+#PASSWORD_FILE=/etc/shadow
+
+#
+# This option allows the specified accounts to be root equivalent. These
+# accounts will have a UID value of zero. The 'root' account does not need
+# to be listed as it is automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may be specified
+# more than once.
+#
+# NOTE: For *BSD systems you will probably need to use this option for the
+# 'toor' account.
+#
+# The default value is the null string.
+#
+#UID0_ACCOUNTS=toor rooty sashroot
+
+#
+# This option allows the specified accounts to have no password. NIS/YP entries
+# do not need to be listed as they are automatically whitelisted.
+#
+# This is a space-separated list of account names. The option may be specified
+# more than once.
+#
+# The default value is the null string.
+#
+#PWDLESS_ACCOUNTS=abc
+
+#
+# This option tells rkhunter the pathname to the syslog configuration file.
+# If unset, this setting will be worked out by rkhunter, and so should not
+# usually need to be set. A value of 'NONE' can be used to indicate that
+# there is no configuration file, but that the syslog daemon process may
+# be running.
+#
+# This is a space-separated list of pathnames. The option may be specified
+# more than once.
+#
+# This option has no default value.
+#
+#SYSLOG_CONFIG_FILE=/etc/syslog.conf
+
+#
+# If this option is set to '1', then the use of syslog remote logging is
+# permitted. A value of '0' disallows the use of remote logging.
+#
+# The default value is '0'.
+#
+#ALLOW_SYSLOG_REMOTE_LOGGING=0
+
+#
+# This option allows the specified applications, or a specific version of an
+# application, to be whitelisted. If a specific version is to be whitelisted,
+# then the name must be followed by a colon and then the version number.
+# For example:
+#
+# APP_WHITELIST=openssl:0.9.7d gpg httpd:1.3.29
+#
+# This is a space-separated list of pathnames. The option may be specified
+# more than once.
+#
+# The default value is the null string.
+#
+#APP_WHITELIST=""
+
+#
+# Set this option to scan for suspicious files in directories which pose a
+# relatively higher risk due to user write access.
+#
+# Please do not enable the 'suspscan' test by default as it is CPU and I/O
+# intensive, and prone to producing false positives. Do review all settings
+# before usage. Also be aware that running 'suspscan' in combination with
+# verbose logging on, rkhunter's default, will show all ignored files.
+#
+# Please consider adding all directories the user the (web)server runs as,
+# and has write access to, including the document root (e.g: '/var/www') and
+# log directories (e.g: '/var/log/httpd').
+#
+# This is a space-separated list of directory pathnames. The option may be
+# specified more than once.
+#
+# The default value is the '/tmp' and '/var/tmp' directories.
+#
+#SUSPSCAN_DIRS=/tmp /var/tmp
+
+#
+# This option specifies the directory for temporary files used by the
+# 'suspscan' test. A memory-based directory, such as a tempfs filesystem, is
+# better (faster). Do not use a directory name that is listed in SUSPSCAN_DIRS
+# as that is highly likely to cause false-positive results.
+#
+# The default value is '/dev/shm'.
+#
+#SUSPSCAN_TEMP=/dev/shm
+
+#
+# This option specifies the 'suspscan' test maximum filesize in bytes. Files
+# larger than this will not be inspected. Do make sure you have enough space
+# available in your temporary files directory.
+#
+# The default value is '1024000'.
+#
+#SUSPSCAN_MAXSIZE=1024000
+
+#
+# This option specifies the 'suspscan' test score threshold. Below this value
+# no hits will be reported.
+#
+# The default value is '200'.
+#
+#SUSPSCAN_THRESH=200
+
+#
+# This option may be used to whitelist file pathnames from the suspscan test.
+#
+# Shell globbing may be used in the pathname. Also see the GLOBSTAR configuration
+# option.
+#
+# This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#SUSPSCAN_WHITELIST=""
+
+#
+# The following options can be used to whitelist network ports which are known
+# to have been used by malware.
+#
+# The PORT_WHITELIST option is a space-separated list of one or more of two
+# types of whitelisting. These are:
+#
+# 1) a 'protocol:port' pair
+# 2) an asterisk ('*')
+#
+# Only the UDP or TCP protocol may be specified, and the port number must be
+# between 1 and 65535 inclusive.
+#
+# The asterisk can be used to indicate that any executable which rkhunter can
+# locate as a command, is whitelisted. (Also see BINDIR)
+#
+# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting.
+# These are:
+#
+# 1) a pathname to an executable
+# 2) a combined pathname, protocol and port
+#
+# As above, the protocol can only be TCP or UDP, and the port number must be
+# between 1 and 65535 inclusive.
+#
+# Examples:
+#
+# PORT_WHITELIST=TCP:2001 UDP:32011
+# PORT_PATH_WHITELIST=/usr/sbin/squid
+# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
+#
+# NOTE: In order to whitelist a pathname, or use the asterisk option, the
+# 'lsof' command must be present.
+#
+# Both options may be specified more than once.
+#
+# The default value for both options is the null string.
+#
+#PORT_WHITELIST=""
+#PORT_PATH_WHITELIST=""
+
+#
+# The following option can be used to tell rkhunter where the operating system
+# 'release' file is located. This file contains information specifying the
+# current O/S version. RKH will store this information, and check to see if it
+# has changed between each run. If it has changed, then the user is warned that
+# RKH may issue warning messages until RKH has been run with the '--propupd'
+# option.
+#
+# Since the contents of the file vary according to the O/S distribution, RKH
+# will perform different actions when it detects the file itself. As such, this
+# option should not be set unless necessary. If this option is specified, then
+# RKH will assume the O/S release information is on the first non-blank line of
+# the file.
+#
+# This option has no default value.
+#
+# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options.
+#
+#OS_VERSION_FILE=/etc/debian_version
+
+#
+# Set the following option to '0' if you do not want to receive a warning if any
+# O/S information has changed since the last run of 'rkhunter --propupd'. The
+# warnings occur during the file properties check. Setting a value of '1' will
+# cause rkhunter to issue a warning if something has changed.
+#
+# The default value is '1'.
+#
+#WARN_ON_OS_CHANGE=1
+
+#
+# Set the following option to '1' if you want rkhunter to automatically run a
+# file properties update ('--propupd') if the O/S has changed. Detection of an
+# O/S change occurs during the file properties check. Setting a value of '0'
+# will cause rkhunter not to do an automatic update.
+#
+# WARNING: Only set this option if you are sure that the update will work
+# correctly. That is, that the database directory is writeable, that a valid
+# hash function is available, and so on. This can usually be checked simply by
+# running 'rkhunter --propupd' at least once.
+#
+# The default value is '0'.
+#
+#UPDT_ON_OS_CHANGE=0
+
+#
+# The following two options can be used to whitelist files and directories that
+# would normally be flagged with a warning during the various rootkit and
+# malware checks. Only existing files and directories can be specified, and
+# these must be full pathnames not links.
+#
+# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
+# file name (separated by a colon). This will then only whitelist that string
+# in that file (as part of the malware checks). For example:
+#
+# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
+#
+# If the option list includes the filename on its own as well, then the file
+# will be whitelisted from rootkit checks of the files existence, but still
+# only the specific string within the file will be whitelisted. For example:
+#
+# RTKT_FILE_WHITELIST=/etc/rc.local
+# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
+#
+# To whitelist a file from the existence checks, but not from the strings
+# checks, then include the filename on its own and on its own but with just
+# a colon appended. For example:
+#
+# RTKT_FILE_WHITELIST=/etc/rc.local
+# RTKT_FILE_WHITELIST=/etc/rc.local:
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# Both of these options may be specified more than once.
+#
+# For both options the default value is the null string.
+#
+#RTKT_DIR_WHITELIST=""
+#RTKT_FILE_WHITELIST=""
+
+#
+# The following option can be used to whitelist shared library files that would
+# normally be flagged with a warning during the preloaded shared library check.
+# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
+# the LD_PRELOAD environment variable.
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# This option is a space-separated list of library pathnames. The option may be
+# specified more than once.
+#
+# The default value is the null string.
+#
+#SHARED_LIB_WHITELIST=/lib/snoopy.so
+
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command the following two options can be used. The value must be set to
+# 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+# For both options the default value is the null string.
+#
+#STAT_CMD=BUILTIN
+#READLINK_CMD=BUILTIN
+
+#
+# In the file properties test any modification date/time is displayed as the
+# number of epoch seconds. Rkhunter will try and use the 'date' command, or
+# failing that the 'perl' command, to display the date and time in a
+# human-readable format as well. This option may be used if some other command
+# should be used instead. The given command must understand the '%s' and
+# 'seconds ago' options found in the GNU 'date' command.
+#
+# A value of 'NONE' may be used to request that only the epoch seconds be shown.
+# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
+# it is present.
+#
+# This option has no default value.
+#
+#EPOCH_DATE_CMD=""
+
+#
+# This setting tells rkhunter the directory containing the available Linux
+# kernel modules. If unset, this setting will be worked out by rkhunter, and
+# so should not usually need to be set.
+#
+# This option has no default value.
+#
+#MODULES_DIR=""
+
+#
+# The following option can be set to a command which rkhunter will use when
+# downloading files from the Internet - that is, when the '--update' or
+# '--versioncheck' option is used. The command can take options.
+#
+# This allows the user to use a command other than the one automatically
+# selected by rkhunter, but still one which it already knows about.
+# For example:
+#
+# WEB_CMD=curl
+#
+# Alternatively, the user may specify a completely new command. However, note
+# that rkhunter expects the downloaded file to be written to stdout, and that
+# everything written to stderr is ignored. For example:
+#
+# WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
+#
+# *BSD users may want to use the 'ftp' command, provided that it supports the
+# HTTP protocol:
+#
+# WEB_CMD="ftp -o -"
+#
+# This option has no default value.
+#
+WEB_CMD="/bin/false"
+
+#
+# Set the following option to '1' if locking is to be used when rkhunter runs.
+# The lock is set just before logging starts, and is removed when the program
+# ends. It is used to prevent items such as the log file, and the file
+# properties file, from becoming corrupted if rkhunter is running more than
+# once. The mechanism used is to simply create a lock file in the LOCKDIR
+# directory. If the lock file already exists, because rkhunter is already
+# running, then the current process simply loops around sleeping for 10 seconds
+# and then retrying the lock. A value of '0' means not to use locking.
+#
+# The default value is '0'.
+#
+# Also see the LOCKDIR, LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
+#
+#USE_LOCKING=0
+
+#
+# This option specifies the directory to be used when locking is enabled.
+# If the option is unset, then the directory to be used will be worked out
+# by rkhunter. In that instance the directories '/run/lock', '/var/lock',
+# '/var/run/lock', '/run' and '/var/run' will be checked in turn. If none
+# of those can be found, or are not read/writeable, then the TMPDIR directory
+# will be used.
+#
+# To avoid the lock file persisting across a server reboot, the directory
+# used should be memory-resident.
+#
+# This option has no default value.
+#
+#LOCKDIR=""
+
+#
+# If locking is used, then rkhunter may have to wait to get the lock file.
+# This option sets the total amount of time, in seconds, that rkhunter should
+# wait. It will retry the lock every 10 seconds, until either it obtains the
+# lock or the timeout value has been reached.
+#
+# The default value is 300 seconds (5 minutes).
+#
+#LOCK_TIMEOUT=300
+
+#
+# If locking is used, then rkhunter may be doing nothing for some time if it
+# has to wait for the lock. If this option is set to '1', then some simple
+# messages are echoed to the users screen to let them know that rkhunter is
+# waiting for the lock. Set this option to '0' if the messages are not to be
+# displayed.
+#
+# The default value is '1'.
+#
+#SHOW_LOCK_MSGS=1
+
+#
+# If this option is set to 'THOROUGH' then rkhunter will search (on a per
+# rootkit basis) for filenames in all of the directories (as defined by the
+# result of running 'find / -xdev'). While still not optimal, as it still
+# searches for only file names as opposed to file contents, this is one step
+# away from the rigidity of searching in known (evidence) or default
+# (installation) locations.
+#
+# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
+#
+# You should only activate this feature as part of a more thorough
+# investigation, which should be based on relevant best practices and
+# procedures.
+#
+# Enabling this feature implies you have the knowledge to interpret the
+# results properly.
+#
+# The default value is the null string.
+#
+#SCANROOTKITMODE=THOROUGH
+
+#
+# The following option can be set to the name(s) of the tests the 'unhide'
+# command is to use. Options such as '-m' and '-v' may be specified, but will
+# only take effect when they are seen. The test names are a space-separated
+# list, and will be executed in the order given.
+#
+# This option may be specified more than once.
+#
+# The default value is 'sys' in order to maintain compatibility with older
+# versions of 'unhide'.
+#
+#UNHIDE_TESTS=sys
+
+#
+# The following option can be used to set options for the 'unhide-tcp' command.
+# The options are space-separated.
+#
+# This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#UNHIDETCP_OPTS=""
+
+#
+# This option can be set to either '0' or '1'. If set to '1' then the summary,
+# shown after rkhunter has run, will display the actual number of warnings
+# found. If it is set to '0', then the summary will simply indicate that
+# 'One or more' warnings were found. If no warnings were found, and this option
+# is set to '1', then a "0" will be shown. If the option is set to '0', then
+# the words 'No warnings' will be shown.
+#
+# The default value is '0'.
+#
+#SHOW_SUMMARY_WARNINGS_NUMBER=0
+
+#
+# This option is used to determine where, if anywhere, the summary scan time is
+# displayed. A value of '0' indicates that it should not be displayed anywhere.
+#
+# A value of '1' indicates that the time should only appear on the screen, and a
+# value of '2' that it should only appear in the log file. A value of '3'
+# indicates that the time taken should appear both on the screen and in the log
+# file.
+#
+# The default value is '3'.
+#
+#SHOW_SUMMARY_TIME=3
+
+#
+# The two options below may be used to check if a file is missing or empty
+# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check
+# if the file is missing, since that can be interpreted as a file of no size.
+# However, the file will only be reported as missing if the MISSING_LOGFILES
+# option hasn't already done this.
+#
+# Both options are space-separated lists of pathnames, and may be specified
+# more than once.
+#
+# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is
+# perfectly possible for the file to be either missing or empty. As such these
+# options may produce false-positive warnings when log files are rotated.
+#
+# For both options the default value is the null string.
+#
+#EMPTY_LOGFILES=""
+#MISSING_LOGFILES=""
+
+#
+# This option can be set to either '0' or '1'. If set to '1' then the globbing
+# characters '**' can be used to allow the recursive checking of directories.
+# This can be useful, for example, with the USER_FILEPROP_FILES_DIRS option.
+# For example:
+#
+# USER_FILEPROP_FILES_DIRS=/etc/**/*.conf
+#
+# This will check all '.conf' files within the '/etc' directory, and any
+# sub-directories (at any level). If GLOBSTAR is not set, then the shell will
+# interpret '**' as '*' and only one level of sub-directories will be checked.
+#
+# NOTE: This option is only valid for those shells which support the 'globstar'
+# option. Typically this will be 'bash' (version 4 and above) via the 'shopt' command,
+# and 'ksh' via the 'set' command.
+#
+# The default value is '0'.
+#
+#GLOBSTAR=0
+
+INSTALLDIR=/usr
+
diff --git a/scalpel/scalpel.conf b/scalpel/scalpel.conf new file mode 100644 index 0000000..cdada67 --- /dev/null +++ b/scalpel/scalpel.conf 
@@ -0,0 +1,239 @@
+# Scalpel configuration file
+
+# This configuration file controls the
+# types and sizes of files that are carved by Scalpel. Currently,
+# Scalpel can read Foremost 0.69 configuration files, but Scalpel
+# configuration files may not be backwards-compatible with Foremost.
+# In particular, maximum file carve size under Foremost 0.69 is 4GB,
+# while in the current version of Scalpel, it's 16EB (16 exabytes).
+
+# For each file type, the configuration file
+# describes the file's extension, whether the header and footer are
+# case sensitive, the maximum file size, and the header and footer for
+# the file. The footer field is optional, but header, size, case
+# sensitivity, and extension are required. Any line that begins with a
+# '#' is considered a comment and ignored. Thus, to skip a file type
+# just put a '#' at the beginning of that line
+
+# Headers and footers are decoded before use. To specify a value in
+# hexadecimal use \x[0-f][0-f] and for octal use \[0-3][0-7][0-7].
+# Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes
+# to "OSI CCI". # To match any single character (aka a wildcard) use
+# a '?'. If you need to search for the '?' character, you will need to
+# change the 'wildcard' line *and* every occurrence of the old
+# wildcard character in the configuration file. '
+#
+# Note: ?' is equal to 0x3f and \063.
+#
+# If you want files carved without filename extensions,
+# use "NONE" in the extension column.
+
+# The REVERSE keyword after a footer causes a search
+# backwards starting from [size] bytes beyond the location of the header
+# This is useful for files like PDFs that may contain multiple copies of
+# the footer throughout the file. When using the REVERSE keyword you will
+# extract bytes from the header to the LAST occurence of the footer (and
+# including the footer in the carved file).
+#
+# The NEXT keyword after a footer results in file carves that
+# include the header and all data BEFORE the first occurence of the
+# footer (the footer is not included in the carved file). If no
+# occurrence of the footer is discovered within maximum carve size bytes
+# from the header, then a block of the disk image including the header
+# and with length equal to the maximum carve size is carved. Use NEXT
+# when there is no definitive footer for a file type, but you know which
+# data should NOT be included in a carved file--e.g., the beginning of
+# a subsequent file of the same type.
+#
+# FORWARD_NEXT is the default carve type and this keyword may be
+# included after the footer, but is not required. For FORWARD_NEXT
+# carves, a block of data including the header and the first footer
+# (within the maximum carve size) are carved. If no footer appears
+# after the header within the maximum carve size, then no carving is
+# performed UNLESS the -b command line option is supplied. In this case,
+# a block of max carve size bytes, including the header, is carved and a
+# notation is made in the Scalpel log that the file was chopped.
+
+# To redefine the wildcard character, change the setting below and all
+# occurences in the formost.conf file.
+#
+#wildcard ?
+
+# case size header footer
+#extension sensitive
+#
+#---------------------------------------------------------------------
+# EXAMPLE WITH NO SUFFIX
+#---------------------------------------------------------------------
+#
+# Here is an example of how to use the no extension option. Any files
+# beginning with the string "FOREMOST" are carved and no file extensions
+# are used. No footer is defined and the max carve size is 1000 bytes.
+#
+# NONE y 1000 FOREMOST
+#
+#---------------------------------------------------------------------
+# GRAPHICS FILES
+#---------------------------------------------------------------------
+#
+#
+# AOL ART files
+# art y 150000 \x4a\x47\x04\x0e \xcf\xc7\xcb
+# art y 150000 \x4a\x47\x03\x0e \xd0\xcb\x00\x00
+#
+# GIF and JPG files (very common)
+# gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
+# gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x3b
+# jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
+#
+#
+# PNG
+# png y 20000000 \x50\x4e\x47? \xff\xfc\xfd\xfe
+#
+#
+# BMP (used by MSWindows, use only if you have reason to think there are
+# BMP files worth digging for. This often kicks back a lot of false
+# positives
+#
+# bmp y 100000 BM??\x00\x00\x00
+#
+# TIFF
+# tif y 200000000 \x49\x49\x2a\x00
+# TIFF
+# tif y 200000000 \x4D\x4D\x00\x2A
+#
+#---------------------------------------------------------------------
+# ANIMATION FILES
+#---------------------------------------------------------------------
+#
+# AVI (Windows animation and DiVX/MPEG-4 movies)
+# avi y 50000000 RIFF????AVI
+#
+# Apple Quicktime
+# These needles are based on the file command's magic. I don't
+# recommend uncommenting the 4th and 5th Quicktime needles unless
+# you're sure you need to, because they generate HUGE numbers of
+# false positives.
+#
+# mov y 10000000 ????moov
+# mov y 10000000 ????mdat
+# mov y 10000000 ????widev
+# mov y 10000000 ????skip
+# mov y 10000000 ????free
+# mov y 10000000 ????idsc
+# mov y 10000000 ????pckg
+#
+# MPEG Video
+# mpg y 50000000 \x00\x00\x01\xba \x00\x00\x01\xb9
+# mpg y 50000000 \x00\x00\x01\xb3 \x00\x00\x01\xb7
+#
+# Macromedia Flash
+# fws y 4000000 FWS
+#
+#---------------------------------------------------------------------
+# MICROSOFT OFFICE
+#---------------------------------------------------------------------
+#
+# Word documents
+#
+#
+# doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
+# doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1
+#
+# Outlook files
+# pst y 500000000 \x21\x42\x4e\xa5\x6f\xb5\xa6
+# ost y 500000000 \x21\x42\x44\x4e
+#
+# Outlook Express
+# dbx y 10000000 \xcf\xad\x12\xfe\xc5\xfd\x74\x6f
+# idx y 10000000 \x4a\x4d\x46\x39
+# mbx y 10000000 \x4a\x4d\x46\x36
+#
+#---------------------------------------------------------------------
+# WORDPERFECT
+#---------------------------------------------------------------------
+#
+# wpc y 1000000 ?WPC
+#
+#---------------------------------------------------------------------
+# HTML
+#---------------------------------------------------------------------
+#
+# htm n 50000
+#
+#---------------------------------------------------------------------
+# ADOBE PDF
+#---------------------------------------------------------------------
+#
+# pdf y 5000000 %PDF %EOF\x0d REVERSE
+# pdf y 5000000 %PDF %EOF\x0a REVERSE
+#
+#---------------------------------------------------------------------
+# AOL (AMERICA ONLINE)
+#---------------------------------------------------------------------
+#
+# AOL Mailbox
+# mail y 500000 \x41\x4f\x4c\x56\x4d
+#
+#
+#
+#---------------------------------------------------------------------
+# PGP (PRETTY GOOD PRIVACY)
+#---------------------------------------------------------------------
+#
+# PGP Disk Files
+# pgd y 500000 
\x50\x47\x50\x64\x4d\x41\x49\x4e\x60\x01
+#
+# Public Key Ring
+# pgp y 100000 \x99\x00
+# Security Ring
+# pgp y 100000 \x95\x01
+# pgp y 100000 \x95\x00
+# Encrypted Data or ASCII armored keys
+# pgp y 100000 \xa6\x00
+# (there should be a trailer for this...)
+# txt y 100000 -----BEGIN\040PGP
+#
+#
+#---------------------------------------------------------------------
+# RPM (Linux package format)
+#---------------------------------------------------------------------
+# rpm y 1000000 \xed\xab
+#
+#
+#---------------------------------------------------------------------
+# SOUND FILES
+#---------------------------------------------------------------------
+#
+# wav y 200000 RIFF????WAVE
+#
+# Real Audio Files
+# ra y 1000000 \x2e\x72\x61\xfd
+# ra y 1000000 .RMF
+#
+#---------------------------------------------------------------------
+# WINDOWS REGISTRY FILES
+#---------------------------------------------------------------------
+#
+# Windows NT registry
+# dat y 4000000 regf
+# Windows 95 registry
+# dat y 4000000 CREG
+#
+#
+#---------------------------------------------------------------------
+# MISCELLANEOUS
+#---------------------------------------------------------------------
+#
+# zip y 10000000 PK\x03\x04 \x3c\xac
+#
+# java y 1000000 \xca\xfe\xba\xbe
+#
+#---------------------------------------------------------------------
+# ScanSoft PaperPort "Max" files
+#---------------------------------------------------------------------
+# max y 1000000 \x56\x69\x47\x46\x6b\x1a\x00\x00\x00\x00 \x00\x00\x05\x80\x00\x00
+#---------------------------------------------------------------------
+# PINs Password Manager program
+#---------------------------------------------------------------------
+# pins y 8000 \x50\x49\x4e\x53\x20\x34\x2e\x32\x30\x0d
diff --git a/smartd.conf b/smartd.conf
new file mode 100644
index 0000000..4cdede7
--- /dev/null
+++ b/smartd.conf
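Review bot: Every carve rule in this file is commented out, so as committed Scalpel has no file types to carve and a run will produce nothing; if that is the intended packaged default, a one-line header such as `# All carve rules below are disabled; uncomment the file types you need before running scalpel` would save the next reader a scan of 239 lines to discover it. The wildcard paragraph also points readers to the wrong file: `# occurences in the formost.conf file.` should read `# occurrences in this scalpel.conf file.`, and `occurence` is misspelled in the REVERSE and NEXT paragraphs as well. The `htm` rule in the HTML section shows only `htm n 50000` with no header or footer here; that may be an artifact of how this page renders angle brackets, so confirm the committed file still carries its header and footer fields.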
@@ -0,0 +1,149 @@
+# Sample configuration file for smartd. See man smartd.conf.
+
+# Home page is: http://www.smartmontools.org
+
+# smartd will re-read the configuration file if it receives a HUP
+# signal
+
+# The file gives a list of devices to monitor using smartd, with one
+# device per line. Text after a hash (#) is ignored, and you may use
+# spaces and tabs for white space. You may use '\' to continue lines.
+
+# You can usually identify which hard disks are on your system by
+# looking in /proc/ide and in /proc/scsi.
+
+# The word DEVICESCAN will cause any remaining lines in this
+# configuration file to be ignored: it tells smartd to scan for all
+# ATA and SCSI devices. DEVICESCAN may be followed by any of the
+# Directives listed below, which will be applied to all devices that
+# are found. Most users should comment out DEVICESCAN and explicitly
+# list the devices that they wish to monitor.
+DEVICESCAN -d removable -n standby -m root -M exec /usr/share/smartmontools/smartd-runner
+
+# Alternative setting to ignore temperature and power-on hours reports
+# in syslog.
+#DEVICESCAN -I 194 -I 231 -I 9
+
+# Alternative setting to report more useful raw temperature in syslog.
+#DEVICESCAN -R 194 -R 231 -I 9
+
+# Alternative setting to report raw temperature changes >= 5 Celsius
+# and min/max temperatures.
+#DEVICESCAN -I 194 -I 231 -I 9 -W 5
+
+# First ATA/SATA or SCSI/SAS disk. Monitor all attributes, enable
+# automatic online data collection, automatic Attribute autosave, and
+# start a short self-test every day between 2-3am, and a long self test
+# Saturdays between 3-4am.
+#/dev/sda -a -o on -S on -s (S/../.././02|L/../../6/03)
+
+# Monitor SMART status, ATA Error Log, Self-test log, and track
+# changes in all attributes except for attribute 194
+#/dev/sdb -H -l error -l selftest -t -I 194
+
+# Monitor all attributes except normalized Temperature (usually 194),
+# but track Temperature changes >= 4 Celsius, report Temperatures
+# >= 45 Celsius and changes in Raw value of Reallocated_Sector_Ct (5).
+# Send mail on SMART failures or when Temperature is >= 55 Celsius.
+#/dev/sdc -a -I 194 -W 4,45,55 -R 5 -m admin@example.com
+
+# An ATA disk may appear as a SCSI device to the OS. If a SCSI to
+# ATA Translation (SAT) layer is between the OS and the device then
+# this can be flagged with the '-d sat' option. This situation may
+# become common with SATA disks in SAS and FC environments.
+# /dev/sda -a -d sat
+
+# A very silent check. Only report SMART health status if it fails
+# But send an email in this case
+#/dev/sdc -H -C 0 -U 0 -m admin@example.com
+
+# First two SCSI disks. This will monitor everything that smartd can
+# monitor. Start extended self-tests Wednesdays between 6-7pm and
+# Sundays between 1-2 am
+#/dev/sda -d scsi -s L/../../3/18
+#/dev/sdb -d scsi -s L/../../7/01
+
+# Monitor 4 ATA disks connected to a 3ware 6/7/8000 controller which uses
+# the 3w-xxxx driver. Start long self-tests Sundays between 1-2, 2-3, 3-4,
+# and 4-5 am.
+# NOTE: starting with the Linux 2.6 kernel series, the /dev/sdX interface
+# is DEPRECATED. Use the /dev/tweN character device interface instead.
+# For example /dev/twe0, /dev/twe1, and so on.
+#/dev/sdc -d 3ware,0 -a -s L/../../7/01
+#/dev/sdc -d 3ware,1 -a -s L/../../7/02
+#/dev/sdc -d 3ware,2 -a -s L/../../7/03
+#/dev/sdc -d 3ware,3 -a -s L/../../7/04
+
+# Monitor 2 ATA disks connected to a 3ware 9000 controller which
+# uses the 3w-9xxx driver (Linux, FreeBSD). Start long self-tests Tuesdays
+# between 1-2 and 3-4 am.
+#/dev/twa0 -d 3ware,0 -a -s L/../../2/01
+#/dev/twa0 -d 3ware,1 -a -s L/../../2/03
+
+# Monitor 2 SATA (not SAS) disks connected to a 3ware 9000 controller which
+# uses the 3w-sas driver (Linux). Start long self-tests Tuesdays
+# between 1-2 and 3-4 am.
+# On FreeBSD /dev/tws0 should be used instead
+#/dev/twl0 -d 3ware,0 -a -s L/../../2/01
+#/dev/twl0 -d 3ware,1 -a -s L/../../2/03
+
+# Same as above for Windows. Option '-d 3ware,N' is not necessary,
+# disk (port) number is specified in device name.
+# NOTE: On Windows, DEVICESCAN works also for 3ware controllers.
+#/dev/hdc,0 -a -s L/../../2/01
+#/dev/hdc,1 -a -s L/../../2/03
+#
+# Monitor 2 disks connected to the first HP SmartArray controller which
+# uses the cciss driver. Start long tests on Sunday nights and short
+# self-tests every night and send errors to root
+#/dev/cciss/c0d0 -d cciss,0 -a -s (L/../../7/02|S/../.././02) -m root
+#/dev/cciss/c0d0 -d cciss,1 -a -s (L/../../7/03|S/../.././03) -m root
+
+# Monitor 3 ATA disks directly connected to a HighPoint RocketRAID. Start long
+# self-tests Sundays between 1-2, 2-3, and 3-4 am.
+#/dev/sdd -d hpt,1/1 -a -s L/../../7/01
+#/dev/sdd -d hpt,1/2 -a -s L/../../7/02
+#/dev/sdd -d hpt,1/3 -a -s L/../../7/03
+
+# Monitor 2 ATA disks connected to the same PMPort which connected to the
+# HighPoint RocketRAID. Start long self-tests Tuesdays between 1-2 and 3-4 am
+#/dev/sdd -d hpt,1/4/1 -a -s L/../../2/01
+#/dev/sdd -d hpt,1/4/2 -a -s L/../../2/03
+
+# HERE IS A LIST OF DIRECTIVES FOR THIS CONFIGURATION FILE.
+# PLEASE SEE THE smartd.conf MAN PAGE FOR DETAILS
+#
+# -d TYPE Set the device type: ata, scsi, marvell, removable, 3ware,N, hpt,L/M/N
+# -T TYPE set the tolerance to one of: normal, permissive
+# -o VAL Enable/disable automatic offline tests (on/off)
+# -S VAL Enable/disable attribute autosave (on/off)
+# -n MODE No check. MODE is one of: never, sleep, standby, idle
+# -H Monitor SMART Health Status, report if failed
+# -l TYPE Monitor SMART log. 
Type is one of: error, selftest
+# -f Monitor for failure of any 'Usage' Attributes
+# -m ADD Send warning email to ADD for -H, -l error, -l selftest, and -f
+# -M TYPE Modify email warning behavior (see man page)
+# -s REGE Start self-test when type/date matches regular expression (see man page)
+# -p Report changes in 'Prefailure' Normalized Attributes
+# -u Report changes in 'Usage' Normalized Attributes
+# -t Equivalent to -p and -u Directives
+# -r ID Also report Raw values of Attribute ID with -p, -u or -t
+# -R ID Track changes in Attribute ID Raw value with -p, -u or -t
+# -i ID Ignore Attribute ID for -f Directive
+# -I ID Ignore Attribute ID for -p, -u or -t Directive
+# -C ID Report if Current Pending Sector count non-zero
+# -U ID Report if Offline Uncorrectable count non-zero
+# -W D,I,C Monitor Temperature D)ifference, I)nformal limit, C)ritical limit
+# -v N,ST Modifies labeling of Attribute N (see man page)
+# -a Default: equivalent to -H -f -t -l error -l selftest -C 197 -U 198
+# -F TYPE Use firmware bug workaround. Type is one of: none, samsung
+# -P TYPE Drive-specific presets: use, ignore, show, showall
+# # Comment: text after a hash sign is ignored
+# \ Line continuation character
+# Attribute ID is a decimal integer 1 <= ID <= 255
+# except for -C and -U, where ID = 0 turns them off.
+# All but -d, -m and -M Directives are only implemented for ATA devices
+#
+# If the test string DEVICESCAN is the first uncommented text
+# then smartd will scan for devices.
+# DEVICESCAN may be followed by any desired Directives.
diff --git a/smartmontools/run.d/10mail b/smartmontools/run.d/10mail
new file mode 100755
index 0000000..f921a33
--- /dev/null
+++ b/smartmontools/run.d/10mail
@@ -0,0 +1,13 @@
+#!/bin/bash -e
+
+# Send mail if /usr/bin/mail exists
+if ! [ -x /usr/bin/mail ]; then
+ echo "Your system does not have /usr/bin/mail. Install the mailx or mailutils package"
+ exit 1
+fi
+
+input=$1
+shift
+
+/usr/bin/mail "$@" < $input
+
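Review bot: The only active directive, `DEVICESCAN -d removable -n standby -m root -M exec /usr/share/smartmontools/smartd-runner`, routes every SMART warning through the `-M exec` runner and addresses it to `root`, so the alert path depends on local mail delivery that this file does not verify; the `run.d/10mail` helper committed alongside it exits 1 when `/usr/bin/mail` is absent, in which case disk failures would be logged but never reach anyone. A comment next to the DEVICESCAN line recording what must be present for the alert to arrive, e.g. `# -m root only works if an MTA and mailx/mailutils are installed; check with: smartd -q onecheck`, would make that dependency explicit. As noted in the file's own header, DEVICESCAN causes any later device lines to be ignored, so leaving it uncommented while adding per-device lines below it would silently disable them; worth restating right above the active line.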
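Review bot: `/usr/bin/mail "$@" < $input` leaves `$input` unquoted, so a path containing whitespace or glob characters is word-split or expanded before the redirect (ShellCheck SC2086); it should be `/usr/bin/mail "$@" < "$input"`. The script also takes `input=$1` without checking that an argument was supplied; under `-e` with no `-u`, a missing argument leaves `input` empty and the redirect fails with a bare bash error instead of a usable message, so a guard like `[ -n "${1:-}" ] || { echo "usage: ${0##*/} message-file [mail args...]" >&2; exit 2; }` before the assignment would make that failure legible in the smartd log. The "Your system does not have /usr/bin/mail" diagnostic is written to stdout; since this runs unattended it belongs on stderr (`echo "..." >&2`), where smartd-runner's caller is more likely to capture it.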
diff --git a/smartmontools/run.d/10powersave-notify b/smartmontools/run.d/10powersave-notify
new file mode 100755
index 0000000..4aaebbc
--- /dev/null
+++ b/smartmontools/run.d/10powersave-notify
@@ -0,0 +1,8 @@
+#! /bin/sh
+
+# Send message if /usr/lib/powersave/powersave-notify exists or exit silently
+[ -x /usr/lib/powersave/powersave-notify ] || exit 0
+
+/usr/lib/powersave/powersave-notify "Your hard disk drive is failing!
+S.M.A.R.T. message:
+$SMARTD_MESSAGE"
diff --git a/systemd/system/multi-user.target.wants/smartd.service b/systemd/system/multi-user.target.wants/smartd.service
new file mode 120000
index 0000000..2e3d023
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/smartd.service
@@ -0,0 +1 @@
+/lib/systemd/system/smartd.service
\ No newline at end of file