chkrootkit
November 26, 2007
chkrootkit operates somewhat like a virus scanner for Windows, in that it looks for infected files by matching them against signatures.
From the man page:
chkrootkit examines certain elements of the target system and determines whether they have been tampered with. Some tools which chkrootkit applies while analyzing binaries and log file can be found at /usr/lib/chkrootkit.
I installed using apt-get.
By default, it logs to a file. I like to check my logs over email every morning, so I changed the cron job to reflect this. I added the MAILTO: root line, and the /usr/bin/chkrootkit at the end (the standard output is what gets mailed). The following is /etc/cron.daily/chkrootkit, so the output gets logged and mailed.
#!/bin/sh -e
# Daily chkrootkit run (/etc/cron.daily/chkrootkit); -e aborts on the first failing command.

CHKROOTKIT=/usr/sbin/chkrootkit
CF=/etc/chkrootkit.conf
LOG_DIR=/var/cache/chkrootkit
# Mail recipient line added by the author (cron reads MAILTO from its
# crontab; inside this script it is only a shell variable).
MAILTO=root

# Nothing to do if chkrootkit is not installed or not executable.
if [ ! -x $CHKROOTKIT ]; then
    exit 0
fi

# Pull RUN_DAILY, DIFF_MODE and RUN_DAILY_OPTS from the config file.
if [ -f $CF ]; then
    . $CF
fi

if [ "$RUN_DAILY" = "true" ]; then
    if [ "$DIFF_MODE" = "true" ]; then
        # Diff mode: scan into log.new and print it (which is what cron mails)
        # only when it differs from the previous run's log.old.
        $CHKROOTKIT $RUN_DAILY_OPTS > $LOG_DIR/log.new 2>&1
        if [ ! -f $LOG_DIR/log.old ] \
           || ! diff -q $LOG_DIR/log.old $LOG_DIR/log.new > /dev/null 2>&1; then
            cat $LOG_DIR/log.new
        fi
        mv $LOG_DIR/log.new $LOG_DIR/log.old
    else
        # Plain mode: print the full scan output every day.
        $CHKROOTKIT $RUN_DAILY_OPTS
    fi
fi

# Author's addition: a second, unconditional run whose standard output cron mails.
/usr/sbin/chkrootkit
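As an added example (not code from the chkrootkit package or from this post), here is a small POSIX sh filter that reduces a chkrootkit log to the lines the tool flags, so a daily mail can show only findings instead of the whole scan; the sample log is constructed to match the tool's "Checking `name'... result" output format, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the chkrootkit package): pick the findings out of a
# chkrootkit log so a daily mail only has to show what matters.

# Constructed sample of chkrootkit output, formatted like the real tool's
# "Checking `name'... result" lines. Not a real scan.
sample_log() {
cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `bindshell'... not infected
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Searching for Suckit rootkit... nothing found
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/dhclient[1234])
Checking `w55808'... not infected
EOF
}

# Keep only lines chkrootkit flags: INFECTED, a Warning, or a sniffer.
# grep is case-sensitive, so the benign "not infected" lines do not match.
chkrootkit_findings() {
    grep -E 'INFECTED|Warning|PACKET SNIFFER'
}

# Number of flagged lines in the log given on stdin (prints 0 for a clean log).
chkrootkit_finding_count() {
    chkrootkit_findings | grep -c . || true
}

# Succeeds (exit 0) when the log file named in $1 contains at least one
# flagged line, so a cron wrapper can decide whether to send mail at all.
chkrootkit_has_findings() {
    [ "$(chkrootkit_finding_count < "$1")" -gt 0 ]
}

# Stand-alone run: write the sample to a temp file and report on it.
tmp=$(mktemp)
sample_log > "$tmp"
if chkrootkit_has_findings "$tmp"; then
    echo "chkrootkit flagged $(chkrootkit_finding_count < "$tmp") line(s):"
    chkrootkit_findings < "$tmp"
fi
rm -f "$tmp"
```

In the cron job above, the same filter can sit between the scan and the mail step so the report only goes out when chkrootkit_has_findings succeeds.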
chkrootkit seems like it has quite a bit of promise. I use chkrootkit with Tripwire, SELinux, iptables, fail2ban, and good service configuration for a functional system that is still fairly secure.