### This file is used to configure the daily cron job for chkrootkit(1)
## It is sourced by chkrootkit-daily so needs to be a valid
## shell script.
##
## The majority of the options allow the output of chkrootkit to be
## filtered (changed) and/or ignored to hide false positives.

## Whether the daily cron job should run chkrootkit at all
# true/false, default: true
RUN_DAILY="true"

## Arguments to pass to chkrootkit (default: "").
# See chkrootkit(1) for details, but particularly useful are
#  "-q" (especially useful if you set DIFF_MODE=false above )
#  "-e" and "-s" (which are yet another way to hide output)
# The default is to pass no arguments so you see all output: this is
# particularly useful with DIFF_MODE=true as it gives context when the
# output changes, but DIFF_MODE hides the text that does not change
RUN_DAILY_OPTS=""

## Whether to show changes since last run (true/false, default: true)
# true means you will see how the entire differs (using diff(1)) to
# the 'expected' output in /var/log/chkrootkit/log.expected
# if that file does not exist you will see the whole output.
#
# If set to false you see the whole output every day - if you do set
# DIFF_MODE to "false" you probably also want RUN_DAILY_OPTS="-q"
#
DIFF_MODE="true"

### The results of chkrootkit are passed through $FILTER and $IGNORE_FILE

## FILTER is a way of changing output to make it stable or hide it
## completely (especially useful when DIFF_MODE=true
#
# FILTER can be any shell command which will be piped unfiltered output
# on stdin and anything written to stdout will become the new,
# filtered, output.
#
# The default uses sed to do two things
# 1) stops message (from ifpromisc, run by the 'sniffer' test) about
#     'usual' network managers changing if their pid, interface name,
#     or order changes
# 2) stops list of processes not using utmp (from chkutmp) changing if
#     their pid changes
# To disable both of these defaults you can set this to "" or "cat"
FILTER="sed -re 's![[:alnum:]]+: PACKET SNIFFER\(((/usr/lib/systemd/systemd-networkd|/usr/sbin/(dhclient|dhcpc?d[0-9]*|wpa_supplicant|NetworkManager))\[[0-9]+\](, )?)+\)!<interface>: PACKET SNIFFER\([systemd-networkd|dhclient|dhcpd|dhcpcd|wpa_supplicant|NetworkManager]{PID}\)!' -e 's/(! [[:alnum:]+-]+)\s+[0-9]+/\1 {PID}/'"

## If $IGNORE_FILE exists then lines of output matching patterns that
## appear in $IGNORE_FILE are removed from the output. Each line in
## $IGNORE_FILE interpreted as an extended regexp, see grep(1). If
## $IGNORE_FILE is empty (the default) or does not exist then no
## filtering is done.
#
# This is done after $FILTER - you can use either or both. IGNORE_FILE
# is slightly simpler but slightly less powerfull than FILTER as you
# can only hide, not change output.
#
# The default is /etc/chkrootkit/chkrootkit.ignore (which is empty by
# default, meaning nothing is ignored)
IGNORE_FILE="/etc/chkrootkit/chkrootkit.ignore"

## Email address to which output is sent.
#  If empty, no email is sent by chkrootkit-daily: output is left on stdout
#  (if running under cron stdout may be emailed)
MAILTO="root"


### The remaining options are commented out as the defaults are likely
### to be fine for most users, but you can edit these as well:

## Subject of email
# SUBJECT="[chkrootkit] alert for $(hostname --fqdn 2>/dev/null || hostname --short 2>/dev/null || echo "localhost")"

## The chkrootkit(1) scanner that is run
# what is actually run is: eval "$IONICE" "$CHKROOTKIT" "$RUN_DAILY_OPTS"
#CHKROOTKIT=/usr/sbin/chkrootkit

## Where output is saved
#LOG_DIR=/var/log/chkrootkit

## 'Clean' output (after FILTER and IGNORE_FILE)
#OUTPUT="$LOG_DIR/log.today"

## 'Raw' output is saved here
#RAW_OUTPUT="$OUTPUT.raw"

## 'Expected' output (only used if DIFF_MODE=true)
#EXPECTED_OUTPUT="$LOG_DIR/log.expected"

## The default is to run using ionice if possible.
## If you do not want to use ionice at all, set IONICE="" instead
#if [ -x /usr/bin/ionice ] && /usr/bin/ionice -c3 true 2>/dev/null; then
#		IONICE="/usr/bin/ionice -c3"
#else
#		IONICE=""
#fi