diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..cbb3a13 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +*.rpm +*.log +*spec-20* +*.tar.gz diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..62fe4a4 --- /dev/null +++ b/Makefile @@ -0,0 +1,21 @@ +# Makefile for source rpm: smeserver-rkhunter +# $Id: Makefile,v 1.1 2020/10/09 14:26:36 brianr Exp $ +NAME := smeserver-rkhunter +SPECFILE = $(firstword $(wildcard *.spec)) + +define find-makefile-common +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +endef + +MAKEFILE_COMMON := $(shell $(find-makefile-common)) + +ifeq ($(MAKEFILE_COMMON),) +# attept a checkout +define checkout-makefile-common +test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 +endef + +MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) +endif + +include $(MAKEFILE_COMMON) diff --git a/README.md b/README.md index 1e1f30b..43cec3e 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,15 @@ -# smeserver-rkhunter +# smeserver-rkhunter -SMEServer Koozali developed git repo for smeserver-rkhunter smecontribs \ No newline at end of file +SMEServer Koozali developed git repo for smeserver-rkhunter smecontribs + +## Wiki +
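Review bot: In `define find-makefile-common` the test `-w $$/Makefile.common` looks like a typo for `-w $$d/Makefile.common`: after make turns `$$` into `$` the shell sees `$/Makefile.common`, which is left literal and never names an existing file, so the `cvs -Q update` branch cannot run and whatever common Makefile is found is used as-is. If this is the stock contrib build template the typo is inherited, but it is cheap to fix here: `for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done`. The `exit -1` in the checkout fallback is also non-portable; `exit 1` gives the same non-zero status on every sh.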
https://wiki.koozali.org/Rkhunter + +## Bugzilla +Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-rkhunter&product=SME%20Contribs&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED) + +## Description + +
*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.* +*Once it has been checked, then this comment will be deleted* +
diff --git a/contriborbase b/contriborbase
new file mode 100644
index 0000000..9b7fd51
--- /dev/null
+++ b/contriborbase
@@ -0,0 +1 @@
+contribs10
diff --git a/createlinks b/createlinks
new file mode 100644
index 0000000..787820e
--- /dev/null
+++ b/createlinks
@@ -0,0 +1,35 @@
+#!/usr/bin/perl -w
+use esmith::Build::CreateLinks qw(:all);
+# our event specific for updating with yum without reboot
+$event = 'smeserver-rkhunter-update';
+#add here the path to your templates needed to expand
+#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event
+
+foreach my $file (qw(
+ /etc/systemd/system-preset/49-koozali.preset
+))
+{
+ templates2events( $file, $event );
+}
+#action needed in case we have a systemd unit
+event_link('systemd-default', $event, '10');
+event_link('systemd-reload', $event, '50');
+#action specific to this package
+#event_link('action', $event, '30');
+#services we need to restart
+#safe_symlink('restart',root/etc/e-smith/events/$event/services2adjust/service);
+#and Server Manager panel link
+#panel_link('somefunction', 'manager');
+
+for my $event (qw(
+ bootstrap-console-save
+ remoteaccess-update
+ smeserver-rkhunter-update
+ ))
+{
+ templates2events("/etc/rkhunter.conf", $event);
+ templates2events("/etc/sysconfig/rkhunter", $event);
+ templates2events("/etc/cron.daily/rkhunter", $event);
+}
+
+safe_symlink("../../../../templates-default/template-begin-shell","root/etc/e-smith/templates/etc/cron.daily/rkhunter/template-begin");
diff --git a/root/etc/e-smith/db/configuration/defaults/rkhunter/DisableTests b/root/etc/e-smith/db/configuration/defaults/rkhunter/DisableTests
new file mode 100644
index 0000000..5242f95
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/rkhunter/DisableTests
@@ -0,0 +1 @@
+apps,suspscan,system_commands
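Review bot: `$event = 'smeserver-rkhunter-update';` is an undeclared package global (the file runs under `-w` but has no `use strict`), and the later `for my $event (...)` lexically shadows it, which is easy to misread. Declaring it `my $event = 'smeserver-rkhunter-update';` and adding `use strict; use warnings;` after the shebang lets strict catch a mistyped event or template name, which otherwise silently produces no links at build time. The second loop also expands `/etc/sysconfig/rkhunter` on three events, but this commit adds no template tree for that path; if none exists elsewhere the expansion is a no-op and the cron template's own `else` fallback is what sets `MAILTO`, so it is worth confirming which of the two is meant to be authoritative.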
diff --git a/root/etc/e-smith/db/configuration/defaults/rkhunter/status b/root/etc/e-smith/db/configuration/defaults/rkhunter/status new file mode 100644 index 0000000..86981e6 --- /dev/null +++ b/root/etc/e-smith/db/configuration/defaults/rkhunter/status @@ -0,0 +1 @@ +enabled diff --git a/root/etc/e-smith/db/configuration/defaults/rkhunter/type b/root/etc/e-smith/db/configuration/defaults/rkhunter/type new file mode 100644 index 0000000..24e1098 --- /dev/null +++ b/root/etc/e-smith/db/configuration/defaults/rkhunter/type @@ -0,0 +1 @@ +service diff --git a/root/etc/e-smith/events/remoteaccess-update/templates2expand/etc/rkhunter.conf b/root/etc/e-smith/events/remoteaccess-update/templates2expand/etc/rkhunter.conf new file mode 100644 index 0000000..e69de29 diff --git a/root/etc/e-smith/templates.metadata/etc/cron.daily/rkhunter b/root/etc/e-smith/templates.metadata/etc/cron.daily/rkhunter new file mode 100644 index 0000000..6bbf39b --- /dev/null +++ b/root/etc/e-smith/templates.metadata/etc/cron.daily/rkhunter @@ -0,0 +1 @@ +PERMS=0755 diff --git a/root/etc/e-smith/templates/etc/cron.daily/rkhunter/10script b/root/etc/e-smith/templates/etc/cron.daily/rkhunter/10script new file mode 100644 index 0000000..c137589 --- /dev/null +++ b/root/etc/e-smith/templates/etc/cron.daily/rkhunter/10script 
@@ -0,0 +1,58 @@
+#!/bin/sh
+# 01-rkhunter A shell script to update and run rkhunter via CRON
+
+XITVAL=0
+
+# Get a secure tempfile
+TMPFILE1=`/bin/mktemp -p /var/lib/rkhunter rkhcronlog.XXXXXXXXXX` || exit 1
+
+if [ ! -e /var/lock/subsys/rkhunter ]; then
+
+ # Try to keep the SysInit boot scan from colliding with us (highly unlikely)
+ /bin/touch /var/lock/subsys/rkhunter
+
+ # Source system configuration parameters.
+ if [ -e /etc/sysconfig/rkhunter ] ; then
+ . /etc/sysconfig/rkhunter
+ else
+ { my $mail = $rkhunter{'mail'} || "root"; $OUT .= "MAILTO= $mail";}
+ fi
+
+ # If a diagnostic mode scan was requested, setup the parameters
+ if [ "$DIAG_SCAN" == "yes" ]; then
+ RKHUNTER_FLAGS="--checkall --skip-keypress --nocolors --quiet --appendlog --display-logfile"
+ else
+ RKHUNTER_FLAGS="--cronjob --nocolors --report-warnings-only"
+ fi
+
+ # Set a few critical parameters
+ RKHUNTER=/usr/bin/rkhunter
+ LOGFILE=/var/log/rkhunter/rkhunter.log
+
+ # Run RootKit Hunter if available
+ if [ -x $RKHUNTER ]; then
+ /bin/echo -e "\n--------------------- Start Rootkit Hunter Update ---------------------" \
+ > $TMPFILE1
+ /bin/nice -n 10 $RKHUNTER --update --nocolors 2>&1 >> $TMPFILE1
+ /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan ----------------------" \
+ >> $TMPFILE1
+ /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS 2>&1 >> $TMPFILE1
+ XITVAL=$?
+ /bin/echo -e "\n----------------------- End Rootkit Hunter Scan -----------------------" \
+ >> $TMPFILE1
+
+ if [ $XITVAL != 0 ]; then
+ /bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $MAILTO
+ fi
+ /bin/cat $TMPFILE1 >> $LOGFILE
+ fi
+
+ # Delete the gating lockfile
+ /bin/rm -f /var/lock/subsys/rkhunter
+fi
+
+# Delete the secure tempfile
+/bin/rm -f $TMPFILE1
+
+exit $XITVAL
+
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/000header b/root/etc/e-smith/templates/etc/rkhunter.conf/000header
new file mode 100644
index 0000000..0fd322b
--- /dev/null
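Review bot: The fallback `MAILTO= $mail` in the `else` branch expands to `MAILTO= root`, which sh parses as running a command named `root` with an empty MAILTO in its environment rather than as an assignment, so the later `/bin/mail -s ... $MAILTO` is left without a recipient; the space after `=` has to go. Both rkhunter invocations redirect as `2>&1 >> $TMPFILE1`, which sends stderr to cron's stdout instead of the temp file (the order must be `>> $TMPFILE1 2>&1`), and `[ "$DIAG_SCAN" == "yes" ]` is a bashism under `#!/bin/sh`. When `/var/lock/subsys/rkhunter` is left behind by a killed run, every later run exits 0 without scanning or mailing, so the lock should be released by a trap once it is taken and the skip should at least be reported. The rewritten lines are below.
```shell
if [ ! -e /var/lock/subsys/rkhunter ]; then
    /bin/touch /var/lock/subsys/rkhunter
    # release the lock and tempfile even if the scan is killed; a stale lock otherwise silences every later run
    trap '/bin/rm -f /var/lock/subsys/rkhunter "$TMPFILE1"' EXIT

    if [ -e /etc/sysconfig/rkhunter ] ; then
        . /etc/sysconfig/rkhunter
    else
        { my $mail = $rkhunter{'mail'} || "root"; $OUT .= "MAILTO=$mail";}
    fi

    if [ "$DIAG_SCAN" = "yes" ]; then
    # … unchanged: flag selection, RKHUNTER/LOGFILE, update banner …
        /bin/nice -n 10 $RKHUNTER --update --nocolors >> "$TMPFILE1" 2>&1
    # … unchanged: scan banner …
        /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS >> "$TMPFILE1" 2>&1
    # … unchanged: end banner, mail on non-zero exit, append to LOGFILE, rm lock …
else
    echo "rkhunter: /var/lock/subsys/rkhunter present, daily scan skipped" >&2
fi
# … unchanged: rm tempfile, exit $XITVAL …
```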
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/000header @@ -0,0 +1,20 @@ +# +# This is the configuration file for Rootkit Hunter. +# +# Please modify it to your own requirements. +# +# Please review the documentation before posting bug reports or questions. +# To report bugs, obtain updates, or provide patches or comments, please go to: +# http://rkhunter.sourceforge.net +# +# To ask questions about rkhunter, please use the rkhunter-users mailing list. +# Note this is a moderated list: please subscribe before posting. +# +# Lines beginning with a hash (#), and blank lines, are ignored. +# End-of-line comments are not supported. +# +# Most of the following options need only be specified once. If +# they appear more than once, then the last one seen will be used. +# Some options are allowed to appear more than once, and the text +# describing the option will say if this is so. +# diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/005mirrors10rotate b/root/etc/e-smith/templates/etc/rkhunter.conf/005mirrors10rotate new file mode 100644 index 0000000..1362f5a --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/005mirrors10rotate @@ -0,0 +1,15 @@ +# +# If this option is set to 1, it specifies that the mirrors file +# ('mirrors.dat'), which is used when the '--update' and '--versioncheck' +# options are used, is to be rotated. Rotating the entries in the file +# allows a basic form of load-balancing between the mirror sites whenever +# the above options are used. +# If the option is set to 0, then the mirrors will be treated as if in +# a priority list. That is, the first mirror listed will always be used +# first. The second mirror will only be used if the first mirror fails, +# the third mirror will only be used if the second mirror fails, and so on. +# +# If the mirrors file is read-only, then the '--versioncheck' command-line +# option can only be used if this option is set to 0. +# +ROTATE_MIRRORS=1 
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/005mirrors20update b/root/etc/e-smith/templates/etc/rkhunter.conf/005mirrors20update new file mode 100644 index 0000000..f8750e3 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/005mirrors20update @@ -0,0 +1,9 @@ +# +# If this option is set to 1, it specifies that when the '--update' +# option is used, then the mirrors file is to be checked for updates +# as well. If the current mirrors file contains any local mirrors, +# these will be prepended to the updated file. +# If this option is set to 0, the mirrors file can only be updated +# manually. This may be useful if only using local mirrors. +# +UPDATE_MIRRORS=1 diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/005mirrors30mode b/root/etc/e-smith/templates/etc/rkhunter.conf/005mirrors30mode new file mode 100644 index 0000000..f598e21 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/005mirrors30mode @@ -0,0 +1,12 @@ +# +# The MIRRORS_MODE option tells rkhunter which mirrors are to be +# used when the '--update' or '--versioncheck' command-line options +# are given. Possible values are: +# 0 - use any mirror (the default) +# 1 - only use local mirrors +# 2 - only use remote mirrors +# +# Local and remote mirrors can be defined in the mirrors file +# by using the 'local=' and 'remote=' keywords respectively. +# +MIRRORS_MODE=0 diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/010mail10onwarning b/root/etc/e-smith/templates/etc/rkhunter.conf/010mail10onwarning new file mode 100644 index 0000000..cb21b8c --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/010mail10onwarning 
@@ -0,0 +1,13 @@
+#
+# Email a message to this address if a warning is found when the
+# system is being checked. Multiple addresses may be specified
+# simply be separating them with a space. Setting this option to
+# null disables the option.
+#
+# NOTE: This option should be present in the configuration file.
+#
+#MAIL-ON-WARNING=me@mydomain root@mydomain
+{
+my $mailWarn = $rkhunter{'mailWarn'} || "";
+$OUT .= "MAIL-ON-WARNING=\"$mailWarn\"\n";
+}
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/010mail20mailcmd b/root/etc/e-smith/templates/etc/rkhunter.conf/010mail20mailcmd
new file mode 100644
index 0000000..0f38238
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/010mail20mailcmd
@@ -0,0 +1,6 @@
+#
+# Specify the mail command to use if MAIL-ON-WARNING is set.
+# NOTE: Double quotes are not required around the command, but
+# are required around the subject line if it contains spaces.
+#
+MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/015dir10tmp b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir10tmp
new file mode 100644
index 0000000..6a810de
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir10tmp
@@ -0,0 +1,8 @@
+#
+# Specify the temporary directory to use.
+#
+# NOTE: Do not use /tmp as your temporary directory. Some
+# important files will be written to this directory, so be
+# sure that the directory permissions are tight.
+#
+TMPDIR=/var/lib/rkhunter/
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/015dir20db b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir20db
new file mode 100644
index 0000000..7eff4ba
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir20db
@@ -0,0 +1,4 @@
+#
+# Specify the database directory to use.
+#
+DBDIR=/var/lib/rkhunter/db
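Review bot: The value of `$rkhunter{'mailWarn'}` is copied into `MAIL-ON-WARNING` unvalidated, and per the next fragment that address list is handed to `MAIL_CMD` (presumably via a shell), so a db value containing quotes or metacharacters would break, or alter, the mail command; narrowing it to address-like tokens before emitting keeps the generated config well-formed, e.g. `my $mailWarn = join ' ', grep { /^[\w.+-]+@[\w.-]+$/ } split /\s+/, ($rkhunter{'mailWarn'} || '');`. Note also that the default is the empty string, which by the comment above disables in-run warning mail entirely, leaving the daily report mailed by the cron template as the only notification — a one-line comment saying that is intentional would spare the next maintainer the question.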
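Review bot: The braces in `${HOST_NAME}` on the `MAIL_CMD` line are delimiters to the e-smith template expander, which evaluates `{HOST_NAME}` as Perl instead of copying it, so the expanded /etc/rkhunter.conf most likely does not contain the literal `${HOST_NAME}` that rkhunter substitutes at run time; escaping them as `MAIL_CMD=mail -s "[rkhunter] Warnings found for $\{HOST_NAME\}"` preserves the text. Worth confirming by expanding the template and checking the generated line.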
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/015dir30script b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir30script new file mode 100644 index 0000000..9b5eda6 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir30script @@ -0,0 +1,4 @@ +# +# Specify the script directory to use. +# +SCRIPTDIR=/usr/share/rkhunter/scripts diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/015dir40root b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir40root new file mode 100644 index 0000000..9a96f71 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir40root @@ -0,0 +1,4 @@ +# +# Specify the root directory to use. +# +#ROOTDIR="" diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/015dir50bind b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir50bind new file mode 100644 index 0000000..6491eb4 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir50bind @@ -0,0 +1,5 @@ +# +# Specify the command directories to be checked. This is a +# space-separated list of directories. +# +#BINDIR="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec" diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/015dir60modules b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir60modules new file mode 100644 index 0000000..0f7c950 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir60modules @@ -0,0 +1,6 @@ +# +# This setting tells rkhunter the directory containing the available +# kernel modules. This setting will be worked out by rkhunter, and +# so should not usually need to be set. +# +#MODULES_DIR="" diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/015dir70install b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir70install new file mode 100644 index 0000000..f6e6f1b --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/015dir70install @@ -0,0 +1 @@ +INSTALLDIR="/usr" 
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/020language b/root/etc/e-smith/templates/etc/rkhunter.conf/020language new file mode 100644 index 0000000..a4d8e84 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/020language @@ -0,0 +1,10 @@ +# +# Specify the language to use. This should be similar +# to the ISO 639 language code. +# +# NOTE: Please ensure that the language you specify is supported. +# For a list of supported languages use the following command: +# +# rkhunter --lang en --list languages +# +#LANGUAGE=en diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/025log10file b/root/etc/e-smith/templates/etc/rkhunter.conf/025log10file new file mode 100644 index 0000000..c915856 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/025log10file @@ -0,0 +1,6 @@ +# +# Specify the log file pathname. +# +# NOTE: This option should be present in the configuration file. +# +LOGFILE=/var/log/rkhunter/rkhunter.log diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/025log20append b/root/etc/e-smith/templates/etc/rkhunter.conf/025log20append new file mode 100644 index 0000000..c648406 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/025log20append @@ -0,0 +1,5 @@ +# +# Set the following option to 1 if the log file is to be appended to +# whenever rkhunter is run. +# +APPEND_LOG=1 diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/025log30syslog b/root/etc/e-smith/templates/etc/rkhunter.conf/025log30syslog new file mode 100644 index 0000000..6cd47c2 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/025log30syslog 
@@ -0,0 +1,12 @@
+#
+# Set the following option to enable the rkhunter check start and finish
+# times to be logged by syslog. Warning messages will also be logged.
+# The value of the option must be a standard syslog facility and
+# priority, separated by a dot.
+#
+# For example: USE_SYSLOG=authpriv.warning
+#
+# Setting the value to 'none', or just leaving the option commented out,
+# disables the use of syslog.
+#
+#USE_SYSLOG=authpriv.notice
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/030colorset2 b/root/etc/e-smith/templates/etc/rkhunter.conf/030colorset2
new file mode 100644
index 0000000..ddb2366
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/030colorset2
@@ -0,0 +1,6 @@
+#
+# Set the following option to 1 if the second colour set is to be used.
+# This can be useful if your screen uses black characters on a white
+# background (for example, a PC instead of a server).
+#
+COLOR_SET2=0
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/035autoXdetect b/root/etc/e-smith/templates/etc/rkhunter.conf/035autoXdetect
new file mode 100644
index 0000000..c9dc3fe
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/035autoXdetect
@@ -0,0 +1,6 @@
+#
+# Set the following option to 0 if rkhunter should not detect if X is
+# being used. If X is detected as being used, then the second colour
+# set will automatically be used.
+#
+AUTO_X_DETECT=1
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/040ssh10AllowRootUser b/root/etc/e-smith/templates/etc/rkhunter.conf/040ssh10AllowRootUser
new file mode 100644
index 0000000..7954a02
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/040ssh10AllowRootUser
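Review bot: `USE_SYSLOG` is left commented out, so rkhunter's start/finish and warning lines reach only /var/log/rkhunter/rkhunter.log and the daily mail sent by the cron template. If that is deliberate, a short template comment saying so would help the next maintainer; otherwise `USE_SYSLOG=authpriv.notice` (the value the commented example already suggests) also puts warnings where syslog and any log collector can see them, which is where a missed or unread mail would otherwise lose them.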
@@ -0,0 +1,21 @@
+#
+# The following option is checked against the SSH configuration file
+# 'PermitRootLogin' option. A warning will be displayed if they do not
+# match. However, if a value has not been set in the SSH configuration
+# file, then a value here of 'yes' or 'unset' will not cause a warning.
+# This option has a default value of 'no'.
+#
+{
+ my $PermitRootLogin = $sshd{'PermitRootLogin'} || "no";
+ my $status = $sshd{'status'} || 'disabled';
+ $OUT .= "ALLOW_SSH_ROOT_USER=";
+ if ( $status ne 'enabled' ) {
+ $OUT .= 'no';
+ } elsif ( $PermitRootLogin eq 'yes' ) {
+ $OUT .= 'yes';
+ } elsif ( $PermitRootLogin eq 'key' || $PermitRootLogin eq 'nopass' ) {
+ $OUT .= 'without-password';
+ } else {
+ $OUT .= 'no';
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/040ssh20AllowSSH1 b/root/etc/e-smith/templates/etc/rkhunter.conf/040ssh20AllowSSH1
new file mode 100644
index 0000000..a2e4247
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/040ssh20AllowSSH1
@@ -0,0 +1,10 @@
+#
+# Set this option to '1' to allow the use of the SSH-1 protocol, but note
+# that theoretically it is weaker, and therefore less secure, than the
+# SSH-2 protocol. Do not modify this option unless you have good reasons
+# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4
+# authentication). If the 'Protocol' option has not been set in the SSH
+# configuration file, then a value of '2' may be set here in order to
+# suppress a warning message. This option has a default value of '0'.
+#
+ALLOW_SSH_PROT_V1=0
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/040ssh30configdir b/root/etc/e-smith/templates/etc/rkhunter.conf/040ssh30configdir
new file mode 100644
index 0000000..430f656
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/040ssh30configdir
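Review bot: The `'key'`/`'nopass'` branch emits `without-password`, but rkhunter compares this value literally with the `PermitRootLogin` line in sshd_config, so it must spell the keyword the sshd_config template actually writes for those db values — if that template emits `prohibit-password` (the spelling OpenSSH 7.0 and later prefer), every daily run will warn; worth confirming against the expanded sshd_config. The `$status ne 'enabled'` branch likewise writes `no` whatever sshd_config says, which only stays warning-free when that file is absent or already agrees. A one-line comment above the `if` listing which db values map to each output would make the table easier to keep in sync with the sshd template.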
@@ -0,0 +1,6 @@
+#
+# This setting tells rkhunter the directory containing the SSH configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+#SSH_CONFIG_DIR=/etc/ssh
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/045tests10enable b/root/etc/e-smith/templates/etc/rkhunter.conf/045tests10enable
new file mode 100644
index 0000000..571bf6d
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/045tests10enable
@@ -0,0 +1,20 @@
+#
+# These two options determine which tests are to be performed.
+# The ENABLE_TESTS option can use the word 'all' to refer to all the
+# available tests. The DISABLE_TESTS option can use the word 'none' to
+# mean that no tests are disabled. The list of disabled tests is applied to
+# the list of enabled tests. Both options are space-separated lists of test
+# names. The currently available test names can be seen by using the command
+# 'rkhunter --list tests'.
+#
+# The program defaults are to enable all tests and disable none. However, if
+# either option is specified in this file, then it overrides the program
+# default. The supplied rkhunter.conf file has some tests already disabled,
+# and these are tests that will be used only incidentally, can be considered
+# "advanced" or those that are prone to produce more than the "average" number
+# of "false positives".
+#
+# Please read the README file for more details about enabling and disabling
+# tests, the test names, and how rkhunter behaves when these options are used.
+#
+ENABLE_TESTS="all"
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/045tests20disable b/root/etc/e-smith/templates/etc/rkhunter.conf/045tests20disable
new file mode 100644
index 0000000..2486fa0
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/045tests20disable
@@ -0,0 +1,5 @@
+{
+ my $DisableTests = $rkhunter{'DisableTests'};
+
+ $OUT .= 'DISABLE_TESTS=' . join(" ", split(/[ ;,]/, $DisableTests));
+}
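Review bot: `split(/[ ;,]/, $DisableTests)` keeps empty fields, so a db value such as `apps, suspscan` becomes `DISABLE_TESTS=apps  suspscan` with an empty token, and a missing db key raises an "uninitialized value" warning at expansion time; `my @tests = grep { length } split /[ ;,]+/, ($rkhunter{'DisableTests'} || '');` followed by `$OUT .= 'DISABLE_TESTS=' . (@tests ? join(' ', @tests) : 'none');` handles both and emits the documented `none` when the list is empty. Separately, the shipped default (`apps,suspscan,system_commands` in the db defaults file added earlier in this commit) disables the `system_commands` group; if that is the group holding the file-properties checks it removes much of what rkhunter is installed for, so a comment here or in the defaults file explaining why would let a reviewer judge whether that is intended.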
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/050hash10func b/root/etc/e-smith/templates/etc/rkhunter.conf/050hash10func new file mode 100644 index 0000000..77756cb --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/050hash10func @@ -0,0 +1,23 @@ +# +# The HASH_FUNC option can be used to specify the command to use +# for the file hash value check. It can be specified as just +# the command name or the full pathname. Systems using prelinking +# are restricted to using either SHA1 or MD5 functions. To get rkhunter +# to look for the sha1(sum)/md5(sum) command, or to use the supplied +# perl scripts, simply specify this option as 'SHA1' or 'MD5' in +# uppercase. The default is SHA1, or MD5 if SHA1 cannot be found. +# +# A value of 'NONE' (in uppercase) can be specified to indicate that +# no hash function should be used. Rootkit Hunter will detect this and +# automatically disable the file hash checks. +# +# Examples: +# For Solaris 9 : HASH_FUNC=gmd5sum +# For Solaris 10: HASH_FUNC=sha1sum +# For AIX (>5.2): HASH_FUNC="csum -hMD5" +# For NetBSD : HASH_FUNC="cksum -a sha512" +# +# NOTE: If the hash function is changed then you MUST run rkhunter with +# the '--propupd' option to rebuild the file properties database. +# +#HASH_FUNC=sha1sum diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/050hash20fldidx b/root/etc/e-smith/templates/etc/rkhunter.conf/050hash20fldidx new file mode 100644 index 0000000..28419f1 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/050hash20fldidx @@ -0,0 +1,8 @@ +# +# The HASH_FLD_IDX option specifies which field from the HASH_FUNC +# command output contains the hash value. The fields are assumed to +# be space-separated. The default value is one, but for *BSD users +# rkhunter will, by default, use a value of 4 if the HASH_FUNC option +# has not been set. The option value must be a positive integer. +# +#HASH_FLD_IDX=4 
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/055pkgmgr b/root/etc/e-smith/templates/etc/rkhunter.conf/055pkgmgr new file mode 100644 index 0000000..82948b6 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/055pkgmgr @@ -0,0 +1,21 @@ +# +# The PKGMGR option tells rkhunter to use the specified package manager +# to obtain the file property information. This is used when updating +# the file properties file ('rkhunter.dat'), and when running the file +# properties check. For RedHat/RPM-based systems, 'RPM' can be used +# to get information from the RPM database. For Debian-based systems +# 'DPKG' can be used, and for *BSD systems 'BSD' can be used. +# No value, or a value of 'NONE', indicates that no package manager +# is to be used. The default is 'NONE'. +# +# The current package managers store the file hash values using an +# MD5 hash function. +# +# The 'DPKG' and 'BSD' package managers only provide MD5 hash values. +# The 'RPM' package manager additionally provides values for the inode, +# file permissions, uid, gid and other values. +# +# For any file not part of a package, rkhunter will revert to using +# the HASH_FUNC hash function instead. +# +PKGMGR=RPM diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist10hash b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist10hash new file mode 100644 index 0000000..bb6f8c4 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist10hash @@ -0,0 +1,8 @@ +# +# Whitelist the hash (content) for the specified files. Only useful +# for cases where e.g. the package manager is unable to verify the +# content, or where the content is known to change +# otherwise. Specifying a file name here does not include it being +# whitelisted for the attribute/write/script tests below. One command +# per line (use multiple HASHWHITELIST lines). +#HASHWHITELIST=/usr/bin/lsattr 
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist20attr b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist20attr new file mode 100644 index 0000000..3f4297f --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist20attr @@ -0,0 +1,8 @@ +# +# Whitelist various attributes of the specified files. +# The attributes are those of the 'attributes' test. +# Specifying a file name here does not include it being +# whitelisted for the write permission test below. +# One command per line (use multiple ATTRWHITELIST lines). +# +#ATTRWHITELIST=/bin/ps diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist30write b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist30write new file mode 100644 index 0000000..11d25d3 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist30write @@ -0,0 +1,10 @@ +# +# Allow the specified commands to have the 'others' +# (world) permission have the write-bit set. +# +# For example, files with permissions r-xr-xrwx +# or rwxrwxrwx. +# +# One command per line (use multiple WRITEWHITELIST lines). +# +#WRITEWHITELIST=/bin/ps diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist40scripts b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist40scripts new file mode 100644 index 0000000..66f1e27 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist40scripts @@ -0,0 +1,13 @@ +# +# Allow the specified commands to be scripts. +# One command per line (use multiple SCRIPTWHITELIST lines). +# +#SCRIPTWHITELIST=/sbin/ifup +#SCRIPTWHITELIST=/sbin/ifdown +#SCRIPTWHITELIST=/usr/bin/groups +SCRIPTWHITELIST=/usr/bin/whatis +SCRIPTWHITELIST=/usr/bin/ldd +SCRIPTWHITELIST=/usr/bin/groups +SCRIPTWHITELIST=/usr/bin/GET +SCRIPTWHITELIST=/sbin/ifup +SCRIPTWHITELIST=/sbin/ifdown 
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist50immut b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist50immut new file mode 100644 index 0000000..71a1568 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist50immut @@ -0,0 +1,5 @@ +# +# Allow the specified commands to have the immutable attribute set. +# One command per line (use multiple IMMUTWHITELIST lines). +# +#IMMUTWHITELIST=/sbin/ifup diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist60app b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist60app new file mode 100644 index 0000000..e38c921 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist60app @@ -0,0 +1,9 @@ +# +# Allow the following applications, or a specific version of an application, +# to be whitelisted. This option is a space-separated list consisting of the +# application names. If a specific version is to be whitelisted, then the +# name must be followed by a colon and then the version number. +# +# For example: APP_WHITELIST="openssl:0.9.7d gpg" +# +#APP_WHITELIST="" diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist70port b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist70port new file mode 100644 index 0000000..9774e0d --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist70port 
@@ -0,0 +1,22 @@ +# +# The following option can be used to whitelist network ports which +# are known to have been used by malware. The option is a space- +# separated list of one or more of three types of whitelisting. +# These are: +# +# 1) a 'protocol:port' pair (e.g. TCP:25) +# 2) a pathname to an executable (e.g. /usr/sbin/squid) +# 3) an asterisk ('*') +# +# Only the UDP or TCP protocol may be specified, and the port number +# must be between 1 and 65535 inclusive. +# +# The asterisk can be used to indicate that any executable in a trusted +# path directory will be whitelisted. A trusted path directory is one which +# rkhunter uses to locate commands. It is composed of the root PATH +# environment variable, and the BINDIR command-line or configuration +# file option. +# +# For example: PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" +# +#PORT_WHITELIST="" diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist80rtktdir b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist80rtktdir new file mode 100644 index 0000000..b331094 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist80rtktdir @@ -0,0 +1,8 @@ +# +# The following two options can be used to whitelist files and directories +# that would normally be flagged with a warning during the rootkit checks. +# If the file or directory name contains a space, then the percent character +# ('%') must be used instead. Only existing files and directories can be +# specified. +# +#RTKT_DIR_WHITELIST="" diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist80rtktfile b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist80rtktfile new file mode 100644 index 0000000..3bea1a5 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/060whitelist80rtktfile @@ -0,0 +1 @@ +#RTKT_FILE_WHITELIST="" 
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/065allow10hiddendir b/root/etc/e-smith/templates/etc/rkhunter.conf/065allow10hiddendir new file mode 100644 index 0000000..dd6e1ba --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/065allow10hiddendir @@ -0,0 +1,11 @@ +# +# Allow the specified hidden directories. +# One directory per line (use multiple ALLOWHIDDENDIR lines). +# +#ALLOWHIDDENDIR=/etc/.java +ALLOWHIDDENDIR=/dev/.udev +#ALLOWHIDDENDIR=/dev/.udevdb +#ALLOWHIDDENDIR=/dev/.udev.tdb +#ALLOWHIDDENDIR=/dev/.static +#ALLOWHIDDENDIR=/dev/.initramfs +#ALLOWHIDDENDIR=/dev/.SRC-unix diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/065allow20hiddenfile b/root/etc/e-smith/templates/etc/rkhunter.conf/065allow20hiddenfile new file mode 100644 index 0000000..bfccaed --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/065allow20hiddenfile @@ -0,0 +1,8 @@ +# +# Allow the specified hidden files. +# One file per line (use multiple ALLOWHIDDENFILE lines). +# +#ALLOWHIDDENFILE=/etc/.java +ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz +#ALLOWHIDDENFILE=/etc/.pwd.lock +#ALLOWHIDDENFILE=/etc/.init.state diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/065allow30procdelfile b/root/etc/e-smith/templates/etc/rkhunter.conf/065allow30procdelfile new file mode 100644 index 0000000..5409379 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rkhunter.conf/065allow30procdelfile 
@@ -0,0 +1,21 @@
+#
+# Allow the specified processes to use deleted files.
+# One process per line (use multiple ALLOWPROCDELFILE lines).
+#
+# The process name may be followed by a colon-separated list
+# of full pathnames. The process will then only be whitelisted
+# if it is using one of the given files. For example:
+#
+# ALLOWPROCDELFILE=/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz
+#
+#ALLOWPROCDELFILE=/sbin/cardmgr
+#ALLOWPROCDELFILE=/usr/sbin/gpm
+#ALLOWPROCDELFILE=/usr/libexec/gconfd-2
+#ALLOWPROCDELFILE=/usr/sbin/mysqld
+ALLOWPROCDELFILE=(deleted)
+ALLOWPROCDELFILE=/usr/bin/freshclam
+ALLOWPROCDELFILE=/usr/bin/perl
+ALLOWPROCDELFILE=/usr/bin/python
+ALLOWPROCDELFILE=/usr/libexec/dovecot/imap
+ALLOWPROCDELFILE=/usr/sbin/asterisk
+ALLOWPROCDELFILE=/usr/sbin/httpd
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/065allow40proclisten b/root/etc/e-smith/templates/etc/rkhunter.conf/065allow40proclisten
new file mode 100644
index 0000000..291829f
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/065allow40proclisten
@@ -0,0 +1,11 @@
+#
+# Allow the specified processes to listen on any network interface.
+# One process per line (use multiple ALLOWPROCLISTEN lines).
+#
+ALLOWPROCLISTEN=/sbin/dhclient
+ALLOWPROCLISTEN=/usr/sbin/dhcpd
+#ALLOWPROCLISTEN=/usr/bin/dhcpcd
+ALLOWPROCLISTEN=/usr/sbin/pppoe
+#ALLOWPROCLISTEN=/usr/sbin/tcpdump
+#ALLOWPROCLISTEN=/usr/sbin/snort-plain
+#ALLOWPROCLISTEN=/usr/local/bin/wpa_supplicant
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/065allow50devfile b/root/etc/e-smith/templates/etc/rkhunter.conf/065allow50devfile
new file mode 100644
index 0000000..caf5907
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/065allow50devfile
@@ -0,0 +1,7 @@
+#
+# Allow the specified files to be present in the /dev directory,
+# and not regarded as suspicious. One file per line (use multiple
+# ALLOWDEVFILE lines).
+#
+#ALLOWDEVFILE=/dev/abc
+ALLOWDEVFILE=/dev/shm/pulse-shm-*
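Review bot: The active ALLOWPROCDELFILE entries for `/usr/bin/perl`, `/usr/bin/python` and `/usr/sbin/httpd` carry no colon-separated pathname qualifier, so every process running under those interpreters or the web server that holds an unlinked file is excluded from the deleted-files check, which blunts the check for precisely the process types most often used to run code that no longer exists on disk. The comment block in this same hunk documents the narrower form that keeps the check meaningful, e.g. `ALLOWPROCDELFILE=/usr/sbin/httpd:/var/log/httpd/access_log` (constructed example; the real paths depend on what is actually reported on a Koozali host). `ALLOWPROCDELFILE=(deleted)` is also doubtful as a process name; if it was added to silence one specific warning, a comment recording which one would help the next maintainer. Where a blanket entry really is needed, a one-line comment stating why (freshclam's database rotation, for instance) would let reviewers judge each exclusion on its own.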
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/070scanmode10dev b/root/etc/e-smith/templates/etc/rkhunter.conf/070scanmode10dev
new file mode 100644
index 0000000..0b3d57b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/070scanmode10dev
@@ -0,0 +1,8 @@
+#
+# SCAN_MODE_DEV governs how we scan /dev for suspicious files.
+# The two allowed options are: THOROUGH or LAZY.
+# If commented out we do a THOROUGH scan which will increase the runtime.
+# Even though this adds to the running time it is highly recommended to
+# leave it like this.
+#
+#SCAN_MODE_DEV=THOROUGH
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/075inetd10conf b/root/etc/e-smith/templates/etc/rkhunter.conf/075inetd10conf
new file mode 100644
index 0000000..3cddc4d
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/075inetd10conf
@@ -0,0 +1,5 @@
+#
+# This setting tells rkhunter where the inetd configuration
+# file is located.
+#
+#INETD_CONF_PATH=/etc/inetd.conf
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/075inetd20allowedsvc b/root/etc/e-smith/templates/etc/rkhunter.conf/075inetd20allowedsvc
new file mode 100644
index 0000000..c255fd0
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/075inetd20allowedsvc
@@ -0,0 +1,30 @@
+#
+# Allow the following enabled inetd services.
+# Only one service per line (use multiple INETD_ALLOWED_SVC lines).
+#
+# Below are some Solaris 9 and 10 services that may want to be whitelisted.
+#
+#INETD_ALLOWED_SVC=echo
+#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.ttdbserverd
+#INETD_ALLOWED_SVC=/usr/openwin/lib/fs.auto
+#INETD_ALLOWED_SVC=/usr/lib/smedia/rpc.smserverd
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.metad
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamhd
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.metamedd
+#INETD_ALLOWED_SVC=/usr/sbin/rpc.mdcommd
+#INETD_ALLOWED_SVC=/usr/dt/bin/dtspcd
+#INETD_ALLOWED_SVC=/usr/dt/bin/rpc.cmsd
+#INETD_ALLOWED_SVC=/usr/lib/gss/gssd
+#INETD_ALLOWED_SVC=/usr/lib/ST/stfsloader
+#INETD_ALLOWED_SVC=/usr/lib/fs/cachefs/cachefsd
+#INETD_ALLOWED_SVC=/network/rpc/mdcomm
+#INETD_ALLOWED_SVC=/network/rpc/meta
+#INETD_ALLOWED_SVC=/network/rpc/metamed
+#INETD_ALLOWED_SVC=/network/rpc/metamh
+#INETD_ALLOWED_SVC=/network/security/ktkt_warn
+#INETD_ALLOWED_SVC=/application/x11/xfs
+#INETD_ALLOWED_SVC=/application/print/rfc1179
+#INETD_ALLOWED_SVC=/application/font/stfsloader
+#INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
+#INETD_ALLOWED_SVC=/network/rpc-100083_1/rpc_tcp
+#INETD_ALLOWED_SVC=/network/rpc-100068_2-5/rpc_udp
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/080xinetd10conf b/root/etc/e-smith/templates/etc/rkhunter.conf/080xinetd10conf
new file mode 100644
index 0000000..7c35254
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/080xinetd10conf
@@ -0,0 +1,5 @@
+#
+# This setting tells rkhunter where the xinetd configuration
+# file is located.
+#
+#XINETD_CONF_PATH=/etc/xinetd.conf
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/080xinetd20allowedsvc b/root/etc/e-smith/templates/etc/rkhunter.conf/080xinetd20allowedsvc
new file mode 100644
index 0000000..117e381
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/080xinetd20allowedsvc
@@ -0,0 +1,8 @@
+#
+# Allow the following enabled xinetd services. Whilst it would be
+# nice to use the service names themselves, at the time of testing
+# we only have the pathname available. As such, these entries are
+# the xinetd file pathnames.
+# Only one service (file) per line (use multiple XINETD_ALLOWED_SVC lines).
+#
+#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/085paths10startup b/root/etc/e-smith/templates/etc/rkhunter.conf/085paths10startup
new file mode 100644
index 0000000..eee0376
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/085paths10startup
@@ -0,0 +1,8 @@
+#
+# This option tells rkhunter the local system startup file pathnames.
+# It is a space-separated list of files and directories. The directories
+# will be searched for files. By default rkhunter will use certain
+# filenames and directories. If the option is set to 'none', then
+# certain tests will be skipped.
+#
+#STARTUP_PATHS="/etc/rc.d /etc/rc.local"
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/085paths20syslogconf b/root/etc/e-smith/templates/etc/rkhunter.conf/085paths20syslogconf
new file mode 100644
index 0000000..40beb74
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/085paths20syslogconf
@@ -0,0 +1,6 @@
+#
+# This setting tells rkhunter the pathname to the syslog configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+SYSLOG_CONFIG_FILE=/etc/rsyslog.conf
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/090passwordfile b/root/etc/e-smith/templates/etc/rkhunter.conf/090passwordfile
new file mode 100644
index 0000000..00e497b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/090passwordfile
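Review bot: `SYSLOG_CONFIG_FILE=/etc/rsyslog.conf` is set, uncommented, in 085paths20syslogconf here and again in 100syslog10configfile two hunks later (both are the same blob, index 40beb74), so the expanded /etc/rkhunter.conf carries the option twice. If rkhunter treats SYSLOG_CONFIG_FILE as a single-valued option this is at best redundant and may be flagged as a duplicate at config-check time; one of the two template fragments should be dropped. The same pattern appears for OS_VERSION_FILE, which 105osversionfile sets to "/etc/redhat-release" while 120OperatingSystem repeats the full description with a commented `#OS_VERSION_FILE=/etc/release`; only the documentation is duplicated there, but it leaves two places to edit for one setting.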
@@ -0,0 +1,7 @@
+#
+# This setting tells rkhunter the pathname to the file containing the
+# user account passwords. This setting will be worked out by rkhunter,
+# and so should not usually need to be set. Users of TCB shadow files
+# should not set this option.
+#
+#PASSWORD_FILE=/etc/shadow
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/095accounts10uid0 b/root/etc/e-smith/templates/etc/rkhunter.conf/095accounts10uid0
new file mode 100644
index 0000000..9bd6dd8
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/095accounts10uid0
@@ -0,0 +1,9 @@
+#
+# Allow the following accounts to be root equivalent. These accounts
+# will have a UID value of zero. This option is a space-separated list
+# of account names. The 'root' account does not need to be listed as it
+# is automatically whitelisted.
+#
+# NOTE: For *BSD systems you may need to enable this for the 'toor' account.
+#
+#UID0_ACCOUNTS="toor rooty"
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/095accounts20pwdless b/root/etc/e-smith/templates/etc/rkhunter.conf/095accounts20pwdless
new file mode 100644
index 0000000..62e8615
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/095accounts20pwdless
@@ -0,0 +1,6 @@
+#
+# Allow the following accounts to have no password. This option is a
+# space-separated list of account names. NIS/YP entries do not need to
+# be listed as they are automatically whitelisted.
+#
+#PWDLESS_ACCOUNTS="abc"
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/100syslog10configfile b/root/etc/e-smith/templates/etc/rkhunter.conf/100syslog10configfile
new file mode 100644
index 0000000..40beb74
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/100syslog10configfile
@@ -0,0 +1,6 @@
+#
+# This setting tells rkhunter the pathname to the syslog configuration
+# file. This setting will be worked out by rkhunter, and so should not
+# usually need to be set.
+#
+SYSLOG_CONFIG_FILE=/etc/rsyslog.conf
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/100syslog20allowremotelogin b/root/etc/e-smith/templates/etc/rkhunter.conf/100syslog20allowremotelogin
new file mode 100644
index 0000000..3a3a374
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/100syslog20allowremotelogin
@@ -0,0 +1,4 @@
+#
+# This option permits the use of syslog remote logging.
+#
+ALLOW_SYSLOG_REMOTE_LOGGING=0
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/105osversionfile b/root/etc/e-smith/templates/etc/rkhunter.conf/105osversionfile
new file mode 100644
index 0000000..c84c424
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/105osversionfile
@@ -0,0 +1,15 @@
+#
+# The following option can be used to tell rkhunter where the operating
+# system 'release' file is located. This file contains information
+# specifying the current O/S version. RKH will store this information
+# itself, and check to see if it has changed between each run. If it has
+# changed, then the user is warned that RKH may issue warning messages
+# until RKH has been run with the '--propupd' option.
+#
+# Since the contents of the file vary according to the O/S distribution,
+# RKH will perform different actions when it detects the file itself. As
+# such, this option should not be set unless necessary. If this option is
+# specified, then RKH will assume the O/S release information is on the
+# first non-blank line of the file.
+#
+OS_VERSION_FILE="/etc/redhat-release"
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan10dirs b/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan10dirs
new file mode 100644
index 0000000..f8dddd7
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan10dirs
@@ -0,0 +1,14 @@
+#
+# Scan for suspicious files in directories containing temporary files and
+# directories posing a relatively higher risk due to user write access.
+# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
+# producing false positives. Do review all settings before usage.
+# Also be aware that running suspscan in combination with verbose logging on,
+# RKH's default, will show all ignored files.
+# Please consider adding all directories the user the (web)server runs as has
+# write access to including the document root (example: "/var/www") and log
+# directories (example: "/var/log/httpd").
+#
+# A space-separated list of directories to scan.
+#
+SUSPSCAN_DIRS="/tmp /var/tmp"
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan20temp b/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan20temp
new file mode 100644
index 0000000..b4f926b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan20temp
@@ -0,0 +1,6 @@
+#
+# Directory for temporary files. A memory-based one is better (faster).
+# Do not use a directory name that is listed in SUSPSCAN_DIRS.
+# Please make sure you have a tempfs mounted and the directory exists.
+#
+SUSPSCAN_TEMP=/dev/shm
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan30maxsize b/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan30maxsize
new file mode 100644
index 0000000..190dcec
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan30maxsize
@@ -0,0 +1,5 @@
+#
+# Maximum filesize in bytes. Files larger than this will not be inspected.
+# Do make sure you have enough space left in your temporary files directory.
+#
+SUSPSCAN_MAXSIZE=10240000
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan40treshold b/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan40treshold
new file mode 100644
index 0000000..4ed8625
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/105supscan40treshold
@@ -0,0 +1,6 @@
+#
+# Score threshold. Below this value no hits will be reported.
+# A value of "200" seems "good" after testing on malware. Please adjust
+# locally if necessary.
+#
+SUSPSCAN_THRESH=200
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/110cmd10stat b/root/etc/e-smith/templates/etc/rkhunter.conf/110cmd10stat
new file mode 100644
index 0000000..251cafc
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/110cmd10stat
@@ -0,0 +1,8 @@
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command, then the following two options can be used. The value must be
+# set to 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+#STAT_CMD=BUILTIN
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/110cmd20readlink b/root/etc/e-smith/templates/etc/rkhunter.conf/110cmd20readlink
new file mode 100644
index 0000000..251cafc
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/110cmd20readlink
@@ -0,0 +1,8 @@
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command, then the following two options can be used. The value must be
+# set to 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+#STAT_CMD=BUILTIN
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120FilesPropertiesChecks b/root/etc/e-smith/templates/etc/rkhunter.conf/120FilesPropertiesChecks
new file mode 100644
index 0000000..ceb9a0a
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120FilesPropertiesChecks
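Review bot: 110cmd20readlink is byte-identical to 110cmd10stat (both are blob 251cafc) and ends with `#STAT_CMD=BUILTIN`, whereas the file name indicates `#READLINK_CMD=BUILTIN` was intended. Both options are commented out, so nothing breaks today, but anyone uncommenting the readlink fragment will switch STAT_CMD instead. The tail of 120WhitelistSharedLibrary further down already carries both `#STAT_CMD=BUILTIN` and `#READLINK_CMD=BUILTIN` with the same explanatory text, so the two 110cmd* fragments could simply be removed rather than fixed.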
@@ -0,0 +1,50 @@
+#
+# These options specify a command, directory or file pathname which will be
+# included or excluded in the file properties checks.
+#
+# For the USER_FILEPROP_FILES_DIRS option, simple command names - for example,
+# 'top' - and directory names are added to the internal list of directories to
+# be searched for each of the command names in the command list. Additionally,
+# full pathnames to files, which need not be commands, may be given. Any files
+# or directories which are already part of the internal lists will be silently
+# ignored from the configuration.
+#
+# For the USER_FILEPROP_FILES_DIRS option, wildcards are allowed, except for
+# simple command names.
+# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed.
+#
+# Specific files may be excluded by using the EXCLUDE_USER_FILEPROP_FILES_DIRS
+# option. Wildcards may be used with this option.
+#
+# By combining these two options, and using wildcards, whole directories can be
+# excluded. For example:
+#
+# USER_FILEPROP_FILES_DIRS=/etc/*
+# USER_FILEPROP_FILES_DIRS=/etc/*/*
+# EXCLUDE_USER_FILEPROP_FILES_DIRS=/etc/rc?.d/*
+#
+# This will look for files in the first two directory levels of '/etc'. However,
+# anything in '/etc/rc0.d', '/etc/rc1.d', '/etc/rc2.d' and so on, will be
+# excluded.
+#
+# NOTE: Only files and directories which have been added by the user, and are
+# not part of the internal lists, can be excluded. So, for example, it is not
+# possible to exclude the 'ps' command by using '/bin/ps'. These will be
+# silently ignored from the configuration.
+#
+# Both options can be specified more than once.
+#
+# NOTE: Whenever these options are changed 'rkhunter --propupd' must be run.
+#
+# The default value for both options is the null string.
+#
+#USER_FILEPROP_FILES_DIRS=top
+#USER_FILEPROP_FILES_DIRS=/usr/local/sbin
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
+#USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
+#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/*
+#USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/i18n/*
+#EXCLUDE_USER_FILEPROP_FILES_DIRS=/opt/ps*
+#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/mirrors.dat
+#EXCLUDE_USER_FILEPROP_FILES_DIRS=/var/lib/rkhunter/db/rkhunter*
+
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120IgnorePrelink b/root/etc/e-smith/templates/etc/rkhunter.conf/120IgnorePrelink
new file mode 100644
index 0000000..7e7fe7a
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120IgnorePrelink
@@ -0,0 +1,18 @@
+#
+# This option can be used to tell rkhunter to ignore any prelink dependency
+# errors for the given commands. However, a warning will also be issued if the
+# error does not occur for a given command. As such this option must only be
+# used on commands which experience a persistent problem.
+#
+# Short-term prelink dependency errors can usually be resolved simply by
+# running the 'prelink' command on the given pathname.
+#
+# This is a space-separated list of command pathnames. The option can be
+# specified more than once.
+#
+# NOTE: Whenever this option is changed 'rkhunter --propupd' must be run.
+#
+# The default value is the null string.
+#
+#IGNORE_PRELINK_DEP_ERR=/bin/ps /usr/bin/top
+
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120LookTimeDate b/root/etc/e-smith/templates/etc/rkhunter.conf/120LookTimeDate
new file mode 100644
index 0000000..d0a40c6
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120LookTimeDate
@@ -0,0 +1,16 @@
+#
+# In the file properties test any modification date/time is displayed as the
+# number of epoch seconds. Rkhunter will try and use the 'date' command, or
+# failing that the 'perl' command, to display the date and time in a
+# human-readable format as well. This option may be used if some other command
+# should be used instead. The given command must understand the '%s' and
+# 'seconds ago' options found in the GNU 'date' command.
+#
+# A value of 'NONE' may be used to request that only the epoch seconds be shown.
+# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
+# it is present.
+#
+# This option has no default value.
+#
+#EPOCH_DATE_CMD=""
+
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120OperatingSystem b/root/etc/e-smith/templates/etc/rkhunter.conf/120OperatingSystem
new file mode 100644
index 0000000..0988bb7
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120OperatingSystem
@@ -0,0 +1,45 @@
+#
+# The following option can be used to tell rkhunter where the operating system
+# 'release' file is located. This file contains information specifying the
+# current O/S version. RKH will store this information, and check to see if it
+# has changed between each run. If it has changed, then the user is warned that
+# RKH may issue warning messages until RKH has been run with the '--propupd'
+# option.
+#
+# Since the contents of the file vary according to the O/S distribution, RKH
+# will perform different actions when it detects the file itself. As such, this
+# option should not be set unless necessary. If this option is specified, then
+# RKH will assume the O/S release information is on the first non-blank line of
+# the file.
+#
+# This option has no default value.
+#
+# Also see the WARN_ON_OS_CHANGE and UPDT_ON_OS_CHANGE options.
+#
+#OS_VERSION_FILE=/etc/release
+
+#
+# Set the following option to '0' if you do not want to receive a warning if any
+# O/S information has changed since the last run of 'rkhunter --propupd'. The
+# warnings occur during the file properties check. Setting a value of '1' will
+# cause rkhunter to issue a warning if something has changed.
+#
+# The default value is '1'.
+#
+#WARN_ON_OS_CHANGE=1
+
+#
+# Set the following option to '1' if you want rkhunter to automatically run a
+# file properties update ('--propupd') if the O/S has changed. Detection of an
+# O/S change occurs during the file properties check. Setting a value of '0'
+# will cause rkhunter not to do an automatic update.
+#
+# WARNING: Only set this option if you are sure that the update will work
+# correctly. That is, that the database directory is writeable, that a valid
+# hash function is available, and so on. This can usually be checked simply by
+# running 'rkhunter --propupd' at least once.
+#
+# The default value is '0'.
+#
+#UPDT_ON_OS_CHANGE=0
+
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterDownload b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterDownload
new file mode 100644
index 0000000..a18cb80
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterDownload
@@ -0,0 +1,25 @@
+#
+# The following option can be set to a command which rkhunter will use when
+# downloading files from the Internet - that is, when the '--update' or
+# '--versioncheck' option is used. The command can take options.
+#
+# This allows the user to use a command other than the one automatically
+# selected by rkhunter, but still one which it already knows about.
+# For example:
+#
+# WEB_CMD=curl
+#
+# Alternatively, the user may specify a completely new command. However, note
+# that rkhunter expects the downloaded file to be written to stdout, and that
+# everything written to stderr is ignored. For example:
+#
+# WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
+#
+# *BSD users may want to use the 'ftp' command, provided that it supports the
+# HTTP protocol:
+#
+# WEB_CMD="ftp -o -"
+#
+# This option has no default value.
+#
+#WEB_CMD=""
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterLocking b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterLocking
new file mode 100644
index 0000000..cdd9529
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterLocking
@@ -0,0 +1,37 @@
+#
+# Set the following option to '1' if locking is to be used when rkhunter runs.
+# The lock is set just before logging starts, and is removed when the program
+# ends. It is used to prevent items such as the log file, and the file
+# properties file, from becoming corrupted if rkhunter is running more than
+# once. The mechanism used is to simply create a lock file in the TMPDIR
+# directory. If the lock file already exists, because rkhunter is already
+# running, then the current process simply loops around sleeping for 10 seconds
+# and then retrying the lock. A value of '0' means not to use locking.
+#
+# The default value is '0'.
+#
+# Also see the LOCK_TIMEOUT and SHOW_LOCK_MSGS options.
+#
+#USE_LOCKING=0
+
+#
+# If locking is used, then rkhunter may have to wait to get the lock file.
+# This option sets the total amount of time, in seconds, that rkhunter should
+# wait. It will retry the lock every 10 seconds, until either it obtains the
+# lock or the timeout value has been reached.
+#
+# The default value is 300 seconds (5 minutes).
+#
+#LOCK_TIMEOUT=300
+
+#
+# If locking is used, then rkhunter may be doing nothing for some time if it
+# has to wait for the lock. If this option is set to '1', then some simple
+# messages are echoed to the users screen to let them know that rkhunter is
+# waiting for the lock. Set this option to '0' if the messages are not to be
+# displayed.
+#
+# The default value is '1'.
+#
+#SHOW_LOCK_MSGS=1
+
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterLogFile b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterLogFile
new file mode 100644
index 0000000..60dd4da
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterLogFile
@@ -0,0 +1,18 @@
+#
+# The two options below may be used to check if a file is missing or empty
+# (that is, it has a size of zero). The EMPTY_LOGFILES option will also check
+# if the file is missing, since that can be interpreted as a file of no size.
+# However, the file will only be reported as missing if the MISSING_LOGFILES
+# option hasn't already done this.
+#
+# Both options are space-separated lists of pathnames, and may be specified
+# more than once.
+#
+# NOTE: Log files are usually 'rotated' by some mechanism. At that time it is
+# perfectly possible for the file to be either missing or empty. As such these
+# options may produce false-positive warnings when log files are rotated.
+#
+# For both options the default value is the null string.
+#
+#EMPTY_LOGFILES=""
+#MISSING_LOGFILES=""
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterSummary b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterSummary
new file mode 100644
index 0000000..7dab06a
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterSummary
@@ -0,0 +1,23 @@
+#
+# This option can be set to either '0' or '1'. If set to '1' then the summary,
+# shown after rkhunter has run, will display the actual number of warnings
+# found. If it is set to '0', then the summary will simply indicate that
+# 'One or more' warnings were found. If no warnings were found, and this option
+# is set to '1', then a "0" will be shown. If the option is set to '0', then
+# the words 'No warnings' will be shown.
+#
+# The default value is '0'.
+#
+#SHOW_SUMMARY_WARNINGS_NUMBER=0
+
+#
+# This option is used to determine where, if anywhere, the summary scan time is
+# displayed. A value of '0' indicates that it should not be displayed anywhere.
+# A value of '1' indicates that the time should only appear on the screen, and a
+# value of '2' that it should only appear in the log file. A value of '3'
+# indicates that the time taken should appear both on the screen and in the log
+# file.
+#
+# The default value is '3'.
+#
+#SHOW_SUMMARY_TIME=3
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterTHOROUGH b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterTHOROUGH
new file mode 100644
index 0000000..8267490
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterTHOROUGH
@@ -0,0 +1,20 @@
+#
+# If this option is set to 'THOROUGH' then rkhunter will search (on a per
+# rootkit basis) for filenames in all of the directories (as defined by the
+# result of running 'find / -xdev'). While still not optimal, as it still
+# searches for only file names as opposed to file contents, this is one step
+# away from the rigidity of searching in known (evidence) or default
+# (installation) locations.
+#
+# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
+#
+# You should only activate this feature as part of a more thorough
+# investigation, which should be based on relevant best practices and
+# procedures.
+#
+# Enabling this feature implies you have the knowledge to interpret the
+# results properly.
+#
+# The default value is the null string.
+#
+#SCANROOTKITMODE=THOROUGH
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterUnhide b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterUnhide
new file mode 100644
index 0000000..9b0e982
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120RkhunterUnhide
@@ -0,0 +1,37 @@
+#
+# The following option can be set to the name(s) of the tests the 'unhide'
+# command is to use. Options such as '-m' and '-v' may be specified, but will
+# only take effect when they are seen. The test names are a space-separated
+# list, and will be executed in the order given.
+#
+# This option may be specified more than once.
+#
+# The default value is 'sys' in order to maintain compatibility with older
+# versions of 'unhide'.
+#
+#UNHIDE_TESTS=sys
+
+#
+# The following option can be used to set options for the 'unhide-tcp' command.
+# The options are space-separated.
+#
+# This option may be specified more than once.
+#
+# The default value is the null string.
+#
+#UNHIDETCP_OPTS=""
+
+#
+# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system,
+# then it is possible to disable the execution of one of the programs if
+# desired. By default rkhunter will look for both programs, and execute each
+# of them as they are found. If the value of this option is '0', then both
+# programs will be executed if they are present. A value of '1' will disable
+# execution of the C 'unhide' program, and a value of '2' will disable the Ruby
+# 'unhide.rb' program. To disable both programs, then disable the
+# 'hidden_procs' test.
+#
+# The default value is '0'.
+#
+#DISABLE_UNHIDE=0
+
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistExistingFilesFolders b/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistExistingFilesFolders
new file mode 100644
index 0000000..b2cbbc8
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistExistingFilesFolders
@@ -0,0 +1,28 @@
+
+#
+# This option whitelists files and directories from existing, or not existing,
+# on the system at the time of testing. This option is used when the
+# configuration file options themselves are checked, and during the file
+# properties check, the hidden files and directories checks, and the filesystem
+# check of the '/dev' directory.
+#
+# This option may be specified more than once, and may use wildcards.
+# Be aware though that this is probably not what you want to do as the
+# wildcarding will be expanded after files have been deleted. As such
+# deleted files won't be whitelisted if wildcarded.
+#
+# NOTE: The user must take into consideration how often the file will appear
+# and disappear from the system in relation to how often rkhunter is run. If
+# the file appears, and disappears, too often then rkhunter may not notice
+# this. All it will see is that the file has changed. The inode-number and DTM
+# will certainly be different for each new file, and rkhunter will report this.
+#
+# The default value is the null string.
+#
+#EXISTWHITELIST=""
+#EXISTWHITELIST=/var/log/pki-ca/system
+# FreeIPA Certificate Authority
+#EXISTWHITELIST=/var/log/pki/pki-tomcat/ca/system
+# Some non default installed files we check
+#EXISTWHITELIST=/usr/bin/GET
+#EXISTWHITELIST=/usr/bin/whatis
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistFoldersFiles b/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistFoldersFiles
new file mode 100644
index 0000000..809029b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistFoldersFiles
@@ -0,0 +1,41 @@
+#
+# The following two options can be used to whitelist files and directories that
+# would normally be flagged with a warning during the various rootkit and
+# malware checks. Only existing files and directories can be specified, and
+# these must be full pathnames not links.
+#
+# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
+# file name (separated by a colon). This will then only whitelist that string
+# in that file (as part of the malware checks). For example:
+#
+# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
+#
+# If the option list includes the filename on its own as well, then the file
+# will be whitelisted from rootkit checks of the files existence, but still
+# only the specific string within the file will be whitelisted. For example:
+#
+# RTKT_FILE_WHITELIST=/etc/rc.local
+# RTKT_FILE_WHITELIST=/etc/rc.local:hdparm
+#
+# To whitelist a file from the existence checks, but not from the strings
+# checks, then include the filename on its own and on its own but with just
+# a colon appended. For example:
+#
+# RTKT_FILE_WHITELIST=/etc/rc.local
+# RTKT_FILE_WHITELIST=/etc/rc.local:
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# Both of these options may be specified more than once.
+#
+# For both options the default value is the null string.
+#
+#RTKT_DIR_WHITELIST=""
+#RTKT_FILE_WHITELIST=""
+# FreeIPA Certificate Authority
+#RTKT_FILE_WHITELIST=/var/log/pki-ca/system
+# FreeIPA Certificate Authority
+#RTKT_FILE_WHITELIST=/var/log/pki/pki-tomcat/ca/system
+
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistNetwork b/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistNetwork
new file mode 100644
index 0000000..99e1445
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistNetwork
@@ -0,0 +1,41 @@
+#
+# The following options can be used to whitelist network ports which are known
+# to have been used by malware.
+#
+# The PORT_WHITELIST option is a space-separated list of one or more of two
+# types of whitelisting. These are:
+#
+# 1) a 'protocol:port' pair
+# 2) an asterisk ('*')
+#
+# Only the UDP or TCP protocol may be specified, and the port number must be
+# between 1 and 65535 inclusive.
+#
+# The asterisk can be used to indicate that any executable which rkhunter can
+# locate as a command, is whitelisted. (Also see BINDIR)
+#
+# The PORT_PATH_WHITELIST option specifies one of two types of whitelisting.
+# These are:
+#
+# 1) a pathname to an executable
+# 2) a combined pathname, protocol and port
+#
+# As above, the protocol can only be TCP or UDP, and the port number must be
+# between 1 and 65535 inclusive.
+#
+# Examples:
+#
+# PORT_WHITELIST=TCP:2001 UDP:32011
+# PORT_PATH_WHITELIST=/usr/sbin/squid
+# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
+#
+# NOTE: In order to whitelist a pathname, or use the asterisk option, the
+# 'lsof' command must be present.
+#
+# Both options may be specified more than once.
+#
+# The default value for both options is the null string.
+#
+#PORT_WHITELIST=""
+#PORT_PATH_WHITELIST=""
+
diff --git a/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistSharedLibrary b/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistSharedLibrary
new file mode 100644
index 0000000..ea3a4ed
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rkhunter.conf/120WhitelistSharedLibrary
@@ -0,0 +1,29 @@
+#
+# The following option can be used to whitelist shared library files that would
+# normally be flagged with a warning during the preloaded shared library check.
+# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
+# the LD_PRELOAD environment variable.
+#
+# NOTE: It is recommended that if you whitelist any files, then you include
+# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
+# configuration option.
+#
+# This option is a space-separated list of library pathnames. The option may be
+# specified more than once.
+#
+# The default value is the null string.
+#
+#SHARED_LIB_WHITELIST=/lib/snoopy.so
+
+#
+# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
+# command the following two options can be used. The value must be set to
+# 'BUILTIN'.
+#
+# NOTE: IRIX users will probably need to enable STAT_CMD.
+#
+# For both options the default value is the null string.
+#
+#STAT_CMD=BUILTIN
+#READLINK_CMD=BUILTIN
+
diff --git a/root/etc/e-smith/templates/etc/sysconfig/rkhunter/09warning b/root/etc/e-smith/templates/etc/sysconfig/rkhunter/09warning
new file mode 100644
index 0000000..a066640
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/sysconfig/rkhunter/09warning
@@ -0,0 +1,11 @@
+#------------------------------------------------------------
+# !!DO NOT MODIFY THIS FILE!!
+#
+# Manual changes will be lost when this file is regenerated.
+#
+# Please read the developer's guide, which is available
+# at http://www.contribs.org/development/
+#
+# Copyright (C) 1999-2006 Mitel Networks Corporation
+#------------------------------------------------------------
+
diff --git a/root/etc/e-smith/templates/etc/sysconfig/rkhunter/10config b/root/etc/e-smith/templates/etc/sysconfig/rkhunter/10config
new file mode 100644
index 0000000..7161998
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/sysconfig/rkhunter/10config
@@ -0,0 +1,19 @@
+# System configuration file for Rootkit Hunter which
+# stores RPM system specifics for cron run, etc.
+#
+# MAILTO=
+# DIAG_SCAN= no - perform normal report scan
+# yes - perform detailed report scan
+# (includes application check)
+
+{
+my $mailRK = $rkhunter{'mail'} || "root";
+$OUT .= "MAILTO=$mailRK\n";
+
+my $diagScan = $rkhunter{'DIAG_SCAN'} || "no";
+
+$OUT .= "DIAG_SCAN=$diagScan\n";
+
+}
+
+
diff --git a/smeserver-rkhunter.spec b/smeserver-rkhunter.spec
new file mode 100644
index 0000000..2b42677
--- /dev/null
+++ b/smeserver-rkhunter.spec
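Review bot: `DIAG_SCAN` is copied into the generated file verbatim from the `DIAG_SCAN` db property, although the header comment in the same hunk documents only `no` and `yes` as valid values, so a mistyped property such as `Yes` or `true` is emitted unchanged and whatever later reads the file has to decide what it means. Normalising to the documented set keeps the generated file within its own contract: `my $diagScan = (($rkhunter{'DIAG_SCAN'} || 'no') eq 'yes') ? 'yes' : 'no';` (case-folding with `lc` too, if the consumer is known to be strict about case — I cannot tell from here). The same holds for `MAILTO`, which is interpolated unquoted, so a `mail` property containing whitespace produces a line the consumer may not parse; at minimum the header comment should state that both values are read from the `rkhunter` configuration record (`mail`, default `root`; `DIAG_SCAN`, default `no`), since the `# MAILTO=` / `# DIAG_SCAN=` lines currently give no hint where the values come from.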
@@ -0,0 +1,100 @@
+# $Id: smeserver-rkhunter.spec,v 1.4 2021/03/29 17:49:09 brianr Exp $
+
+Summary: rkhunter for SME Server
+Name: smeserver-rkhunter
+%define version 1.4.0
+%define release 8
+%define displayversion %{version}
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: Applications/System
+Source: smeserver-rkhunter-%{version}.tar.xz
+BuildArchitectures: noarch
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+Requires: rkhunter
+#Patch2: smeserver-rkhunter-1.4.0.bz10376.disableupdate.patch
+BuildRequires: perl, e-smith-devtools
+
+%description
+rkhunter for SME Server
+
+%changelog
+* Sat Sep 07 2024 cvs2git.sh aka Brian Read 1.4.0-8.sme
+- Roll up patches and move to git repo [SME: 12338]
+
+* Sat Sep 07 2024 BogusDateBot
+- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
+ by assuming the date is correct and changing the weekday.
+
+* Mon Mar 29 2021 Brian Read 1.4.0-7.sme
+- Add Update event to createlinks [SME: 11025]
+
+* Mon Mar 29 2021 BogusDateBot
+- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
+ by assuming the date is correct and changing the weekday.
+
+* Wed Dec 30 2020 Brian Read 1.4.0-6.sme
+- Revert patch to suppress update as the exploit has been fixed [SME:11025]
+
+* Fri Oct 09 2020 Brian Read 1.4.0-5.sme
+- Import in SME10 tree [SME: 11025 ]
+
+* Thu Jul 06 2017 Jean-Philipe Pialasse 1.4.0-4.sme
+- disabling as default update for rkh because of CVE-2017-7480 [SME: 10376]
+- added property updateMirrors to handle this
+
+* Tue Aug 18 2015 stephane de Labrusse 1.4.0-3.sme
+- add smeserver-rkhunter-1.4.0.more_options2rkhunter-conf.patch
+
+* Thu Aug 13 2015 stephane de Labrusse 1.4.0-2.sme
+- change path to rsyslog.conf
+
+* Thu Aug 13 2015 stephane de Labrusse 1.4.0-1.sme
+- First Import to contribs9
+
+* Tue Sep 17 2013 JP Pialasse 1.2.0-10
+- Add Update event to createlinks not run in cron daily [SME: 7800]
+- typos in patchs
+
+* Tue Jul 02 2013 JP Pialasse 1.2.0-7
+- Add Update event to createlinks typo patch correct
+- Add Update event to createlinks spare space
+
+* Sun Jun 23 2013 JP Pialasse 1.2.0-5
+- Add Update event to createlinks email error root@localhost [SME: 7103]
+- adding option for warning mail in .conf
+- Patch2
+
+* Thu Jun 20 2013 JP Pialasse
+- Add Update event to createlinks email error root@localhost [SME: 7103]
+- you can set the mail you want with key mail and default is root
+
+* Thu May 14 2009 Jonathan Martens 1.2.0-3
+- Bump version number in order to move package to SME Contribs [SME: 5172]
+
+* Tue Apr 7 2009 Jonathan Martens 1.2.0-2
+- Remove quotes in DISABLE_TESTS setting [SME: 5149]
+
+* Fri Apr 3 2009 Jonathan Martens 1.2.0-1
+- Initial draft of rkhunter for SME Server
+- Adjust ALLOW_SSH_ROOT_USER according to sshd PermitRootLogin setting [SME: 3718]
+
+%prep
+%setup
+#%patch2 -p1
+
+%build
+perl createlinks
+
+%install
+rm -rf $RPM_BUILD_ROOT
+(cd root ; find . 
-depth -print | cpio -dump $RPM_BUILD_ROOT)
+rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT > %{name}-%{version}-filelist
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
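Review bot: `#Patch2: smeserver-rkhunter-1.4.0.bz10376.disableupdate.patch` in the preamble and `#%patch2 -p1` in `%prep` are both commented out, so the spec keeps two dead references to a patch that the `1.4.0-6.sme` changelog entry says was reverted, and the `1.4.0-8.sme` entry says patches were rolled into the repo; either drop both lines or leave a one-line comment above `#Patch2:` stating why the reference is retained (the bug number in the file name is the only trace of that decision). `License: GPL` is also not a specific license identifier and rpmlint is likely to flag it; it should name the actual version (`GPLv2`, `GPLv2+`, …) once checked against the sources, which this page does not show. The `%install` line `(cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)` is split across two lines in this rendering; it should be confirmed to be a single line in the committed file.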