chkrootkit

November 26th, 2007 by webstersprodigy

chkrootkit works somewhat like a virus scanner on Windows, in that it looks for infected files by matching known signatures.

From the man page:

chkrootkit examines certain elements of the target system and determines whether they have been tampered with. Some tools which chkrootkit applies while analyzing binaries and log files can be found at /usr/lib/chkrootkit.

I installed using apt-get.

By default, it logs to a file. I like to check my logs over email every morning, so I changed the cron job to reflect this: I added the MAILTO=root line and the /usr/sbin/chkrootkit call at the end (the standard output is what gets mailed). The following entry is /etc/cron.daily/chkrootkit, so the results get both logged and mailed.

#!/bin/sh -e

CHKROOTKIT=/usr/sbin/chkrootkit
CF=/etc/chkrootkit.conf
LOG_DIR=/var/cache/chkrootkit
MAILTO=root

if [ ! -x $CHKROOTKIT ]; then
    exit 0
fi

if [ -f $CF ]; then
    . $CF
fi

if [ "$RUN_DAILY" = "true" ]; then
    if [ "$DIFF_MODE" = "true" ]; then
        $CHKROOTKIT $RUN_DAILY_OPTS > $LOG_DIR/log.new 2>&1
        if [ ! -f $LOG_DIR/log.old ] \
           || ! diff -q $LOG_DIR/log.old $LOG_DIR/log.new > /dev/null 2>&1; then
            cat $LOG_DIR/log.new
        fi
        mv $LOG_DIR/log.new $LOG_DIR/log.old
    else
        $CHKROOTKIT $RUN_DAILY_OPTS
    fi
fi
/usr/sbin/chkrootkit
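The same diff-mode idea as the cron job above, written as an added example (not the post's script and not part of the chkrootkit package): the new log is only reported when it differs from the previous run, and the flagged lines are put at the top so the morning mail opens with what matters. The grep patterns are an assumption about chkrootkit's wording, and the scan logs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the post's cron script: the job's diff-mode logic as
# shell functions, with a summary of flagged lines placed at the top of the
# mailed report. The match patterns are an assumption about chkrootkit's
# wording (positives print "INFECTED", suspicious items "Warning";
# clean checks print "not infected", which the case-sensitive grep skips).

# Print the lines chkrootkit flagged in a log file (nothing when clean).
flagged_lines() {
    grep -E 'INFECTED|Warning' "$1" || true
}

# Print the number of flagged lines in a log file.
count_flagged() {
    flagged_lines "$1" | grep -c . || true
}

# Same behaviour as the cron job's DIFF_MODE branch: emit a report only when
# the new log differs from the previous run, then rotate new -> old.
report_if_changed() {
    old="$1"; new="$2"
    if [ ! -f "$old" ] || ! diff -q "$old" "$new" >/dev/null 2>&1; then
        printf '== %s line(s) flagged by chkrootkit ==\n' "$(count_flagged "$new")"
        flagged_lines "$new"
        printf '== full report ==\n'
        cat "$new"
    fi
    mv "$new" "$old"
}

# Write a constructed scan log (not real chkrootkit output); $2 is the
# result to record for the 'ls' check.
write_scan() {
    cat > "$1" <<EOF
ROOTDIR is \`/'
Checking \`ls'... $2
Checking \`ps'... not infected
Checking \`sshd'... not infected
EOF
}

# Three simulated daily runs: first report, unchanged (silent), then a change.
tmp=$(mktemp -d)
write_scan "$tmp/log.new" "not infected"
report_if_changed "$tmp/log.old" "$tmp/log.new"
write_scan "$tmp/log.new" "not infected"
report_if_changed "$tmp/log.old" "$tmp/log.new"
write_scan "$tmp/log.new" "INFECTED"
report_if_changed "$tmp/log.old" "$tmp/log.new"
rm -rf "$tmp"
```

Note that cron takes MAILTO from the crontab that invokes run-parts (/etc/crontab on Debian), so a MAILTO line inside the script itself does not change where the output is sent. Also, the unconditional /usr/sbin/chkrootkit appended at the end of the post's script means a second full scan runs every day in addition to the RUN_DAILY one.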

chkrootkit is a great addition to any security policy. I use chkrootkit together with tripwire, SELinux, iptables, fail2ban, and careful service configuration for a functional system that is still fairly secure.
