Install and Use chkrootkit on Debian 12

This tutorial shows you how to install and use the chkrootkit security scanner on Debian 12 Bookworm. chkrootkit is a free and open-source tool, commonly listed among the top 10 Linux security scanners, that checks a system for signs of known rootkits. A rootkit is malicious software that gains access to a computer system without the user’s knowledge and conceals its presence.

You can follow this guide to start your chkrootkit installation and use it from the Debian Linux command line interface.

How To Install and Use chkrootkit on Debian 12 Bookworm?

To complete this guide, you must have access to your server as a root user. Also, you can visit this guide on Initial Server Setup with Debian 12 Bookworm.

Step 1 – Install chkrootkit on Debian 12

First, you must run the system update by using the following command:

apt update

The chkrootkit package is available in the default Debian 12 repository. To install it, run the command below:

apt install chkrootkit -y

Then, verify your chkrootkit installation by checking its version:

chkrootkit -V
Output
chkrootkit version 0.57

Step 2 – How To Use chkrootkit Security Scanner Tool?

At this point, you will learn the basic usage of chkrootkit on Debian 12 Bookworm.

You can list all available tests by using the following command:

chkrootkit -l

In your output you will see:

Output
/usr/sbin/chkrootkit: tests: aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write

Now you can scan your server with the command below:

chkrootkit
Output
ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `biff'...                                          not found
Checking `chfn'...                                          not infected
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
...

Also, you can use the chkrootkit command with the -q option to scan your server in quiet mode:

chkrootkit -q
Example Output
/usr/lib/libreoffice/share/.registry

WARNING: output from chkwtmp:
1 deletion(s) between Mon Aug 16 02:35:57 2021 and Mon Aug 16 02:41:05 2021

To run the checks using a specific directory as the root directory, use the chkrootkit command with the -r option, as shown below on Debian 12:

chkrootkit -r /opt

You can also create a shell script that scans the server and mails the report to an address of your choice. To do this, create the file with the vi editor:

vi /etc/cron.daily/chkrootkit.sh

Add the following lines:

#!/bin/sh
# Run a full scan and mail the report; replace the recipient with your own address.
(
chkrootkit
) | /bin/mail -s 'CHKROOTKIT Daily Run (Server-Name)' [email protected]

To enable the daily scheduled check, edit the file below:

vi /etc/chkrootkit.conf

And change the line below as shown:

RUN_DAILY="true"

When you are done, save and close the file. This scans the server daily and reports the results to your email address.
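As an added example, not part of the original tutorial: a variant of the daily mail script above that only sends mail when chkrootkit -q reports something not already on a reviewed allowlist, so a known-benign hit such as the libreoffice .registry path shown earlier does not produce a message every day. The allowlist path, the recipient and the mail command are assumptions; note that run-parts skips /etc/cron.daily entries whose names contain a dot, so the file should be installed without the .sh suffix.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a daily chkrootkit run
# that mails only findings not already on a reviewed allowlist.
# Assumptions (placeholders chosen for this example):
#   ALLOWLIST - one exact scanner output line per entry, e.g. the benign
#               /usr/lib/libreoffice/share/.registry hit shown above
#   MAILTO    - recipient; MAILCMD - a mail(1) client such as bsd-mailx
# Install as /etc/cron.daily/chkrootkit-daily (no ".sh": run-parts skips
# names containing a dot) and make it executable.
ALLOWLIST=/etc/chkrootkit.allowlist
MAILTO=root
MAILCMD=mail

# filter_new_findings ALLOWLIST_FILE
# Reads scanner output on stdin and prints only lines not listed verbatim
# in the allowlist. Blank lines are dropped, so empty output means
# "nothing new". grep exits 1 when no lines remain, which is the good
# case here, hence the "|| :".
filter_new_findings() {
    allow="$1"
    if [ -s "$allow" ]; then
        grep -v '^[[:space:]]*$' | grep -vxF -f "$allow" || :
    else
        # No usable allowlist: every non-blank line is a new finding.
        grep -v '^[[:space:]]*$' || :
    fi
}

# daily_scan: run the quiet scan (stderr merged so warnings are kept),
# filter it, and send mail only when something new remains.
daily_scan() {
    new=$(chkrootkit -q 2>&1 | filter_new_findings "$ALLOWLIST")
    if [ -n "$new" ]; then
        printf '%s\n' "$new" |
            "$MAILCMD" -s "chkrootkit: new findings on $(hostname)" "$MAILTO"
    fi
}

# Run the scan when the scanner is present; otherwise say so on stderr
# (cron mails that too) instead of failing silently.
if command -v chkrootkit >/dev/null 2>&1; then
    daily_scan
else
    echo "chkrootkit is not installed; nothing scanned" >&2
fi
```

Review each new finding first, and only then append the exact line to the allowlist so it stops being reported.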

For more information, you can visit chkrootkit’s official site.

Conclusion

At this point, you have learned how to install the chkrootkit security scanner tool on Debian 12 Bookworm and start using it on your server. Hope you enjoy it.
