How to Install Chkrootkit on Debian 12, 11, or 10

For those prioritizing security while working with Debian-based systems, learning to install Chkrootkit on Debian 12 Bookworm, Debian 11 Bullseye, or Debian 10 Buster is crucial. Chkrootkit is a lightweight, open-source tool designed for detecting rootkits, which are stealthy and malicious software tools often used by attackers to gain unauthorized access to systems.

Key Features of Chkrootkit:

  • Lightweight and Portable: With its minimalistic design, Chkrootkit occupies little disk space and efficiently uses system resources.
  • Command-Line Based: The tool operates via the command line, offering users complete control and the ability to automate tasks through scripting.
  • Versatile Detection Methods: Chkrootkit effectively identifies and flags potential rootkits using various techniques, including signature analysis and behavior monitoring.
  • Open Source: Being open-source, Chkrootkit invites community collaboration, resulting in a tool that is not only more secure but also consistently improved and updated.
  • Regular Updates: Active maintenance of Chkrootkit ensures it can detect the latest rootkits and remains a reliable tool for system administrators and security professionals.

Understanding how to install and use Chkrootkit is an important step in improving the security of your Debian systems. This guide will help you learn to install and use Chkrootkit so you can protect your systems from rootkits and similar security threats.

Check For Updates Before Chkrootkit Installation

First, update the package lists on your Debian Linux system to install Chkrootkit. Updating the package lists gives your system the latest information on available packages and their versions and the newest security patches and software updates.

Run this command in the terminal to update the package lists:

sudo apt update && sudo apt upgrade

This command retrieves the most recent package information from the repositories and upgrades any installed packages to the latest versions if available.

Method 1: Install Chkrootkit via Debian’s Default Repository

Install Chkrootkit via APT Command

The APT package manager is Debian’s default software management system. It makes software installation easy. Use the following command to install Chkrootkit with APT:

sudo apt install chkrootkit

Confirm Chkrootkit Installation on Debian via APT

After installing Chkrootkit, check if the installation was successful and set up correctly. This step ensures that everything is working properly. To do this, enter the Chkrootkit version command in the terminal:

chkrootkit -V

Depending on the version of Debian you are using, you might need a newer version of Chkrootkit. The second method is for users comfortable downloading and manually installing Chkrootkit updates.

Method 2: Install Chkrootkit via source

Download Chkrootkit Source

First, download the Chkrootkit source code from its official website. This ensures you get the latest version, which may have new features or security updates. Open the terminal and go to the directory where you want to save the source code. Then, run the command below to download the Chkrootkit source code archive:

wget ftp://chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz

This command fetches the Chkrootkit source code in a compressed archive format, storing it in your specified directory.

Extract Chkrootkit Source Archive

After downloading the archive, the next step is to extract the source code. This step is essential because it allows you to access the files and directories needed for compiling and installing.

To extract the source code, run this command:

tar -xvzf chkrootkit.tar.gz

Configure and Build Chkrootkit

Before compiling Chkrootkit, ensure your Debian Linux system has the necessary packages. For the compilation process, you need the GNU Compiler Collection (GCC) and the make utility.

To install them, use the following command:

sudo apt install gcc make build-essential

Please note that the correct package name is build-essential and not build-essentials.

Now, navigate to the directory containing the extracted Chkrootkit source code. Use the cd command as shown below, but make sure to replace {your-version-number} with the actual version number of the downloaded Chkrootkit source code:

cd chkrootkit-{your-version-number}
make sense

This command compiles the Chkrootkit source code, generating an executable binary file.

Confirm Chkrootkit Installation

After compiling and setting up Chkrootkit, judiciously validate the installation process’s successful completion. This confirmation ensures Chkrootkit’s preparedness and readiness for utilization. Execute the Chkrootkit version command below to do this:

./chkrootkit -V

This command shows the installed Chkrootkit version, verifying the software’s correct installation and operation.

Move Chkrootkit for System Global Access on Debian

After compiling Chkrootkit, it’s best to move it to a standard location in the file system and make the executable accessible system-wide. A common practice is to place such software in /usr/local/bin for global accessibility.

Start by moving the Chkrootkit directory to /usr/local/share. First, make sure you are in the parent directory of the Chkrootkit directory (one level above chkrootkit-{your-version-number}). Then, run the following command:

sudo mv chkrootkit-{your-version-number} /usr/local/share/chkrootkit

Next, create a symbolic link to the Chkrootkit executable in /usr/local/bin. This makes Chkrootkit accessible anywhere in the system without navigating to its directory.

Execute the following command to create the symbolic link:

sudo ln -s /usr/local/share/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

Now, Chkrootkit is globally accessible. You can verify this by simply running the Chkrootkit version command from anywhere in the terminal:

chkrootkit -V

This step makes using Chkrootkit simple and standard for managing software on Linux systems.

Basic Commands with Chkrootkit for Rootkit Detection

Before starting the steps, it’s important to know that you will usually need to run Chkrootkit with sudo. This is because Chkrootkit needs higher permissions to check all parts of your Debian Linux system, including those that normal users cannot access. Running Chkrootkit with sudo ensures it can scan for rootkits everywhere in the system.

Now, let’s move on to using and scanning with Chkrootkit.

Initiate Rootkit Scanning Using Chkrootkit

With Chkrootkit installed, it’s time to utilize its features to safeguard your Debian Linux system. A primary feature of Chkrootkit is to scan your system for any rootkits. Rootkits are malicious software that can give unauthorized access and control over your system. In a terminal, use this command to perform a thorough scan:

sudo chkrootkit

This command starts a detailed scan, checking different parts of the system for signs of rootkits.

If you want a simpler output that only shows potential problems, use the quiet mode:

sudo chkrootkit -q

This limits the output, making it easier to spot any red flags.

Create an Automatic Scanning Regimen with Chkrootkit

Maintaining a secure environment requires continuous vigilance. Configure Chkrootkit to perform daily scans automatically by tweaking its configuration file.

Open the configuration file using this command:

sudo nano /etc/chkrootkit/chkrootkit.conf

In this file, search for the RUN_DAILY attribute and make sure its value is set to TRUE. This typically is the default setting, but confirming ensures that automated daily scans are active.

RUN_DAILY="true"

After editing, save the file by pressing CTRL + O and exit the editor by pressing CTRL + X.

If you installed Chkrootkit from source, as opposed to installing it from the Debian repositories, it does not come with a default configuration file like chkrootkit.conf. The chkrootkit.conf file is generally part of the packaged version of Chkrootkit that comes with Debian repositories.

When manually installing Chkrootkit from the source, you can run the tool directly without a configuration file. However, if you want to automate or configure the scans, you must create your script or cron job.

For example, if you want to create a daily cron job to run Chkrootkit, you could create a simple shell script to run the desired chkrootkit command, and then schedule this script using cron.

Here’s an example of how you can do it:

Create a script file, e.g., daily_chkrootkit.sh:

#!/bin/bash
/usr/local/bin/chkrootkit

Make the script executable:

chmod +x daily_chkrootkit.sh

Edit the crontab file to schedule the script to run daily:

sudo crontab -e

Add the following line to the crontab file to run the script daily at a specific time (e.g., 2:00 AM):

0 2 * * * /path/to/daily_chkrootkit.sh

This way, you can effectively automate Chkrootkit scans even when installing from source.

Explore Chkrootkit’s Commands and Documentation

For a tool as potent as Chkrootkit, understanding its capabilities is crucial. Chkrootkit comes with various commands and options tailored to specific scanning needs.

Access the Help menu to get an overview of commands by executing:

chkrootkit -h

This provides a quick reference guide to Chkrootkit’s options and functionalities.

For an in-depth understanding, consider studying Chkrootkit’s manual page, accessible through:

man chkrootkit

This opens a wealth of information, explaining commands, options, and use cases for Chkrootkit.

Experimenting with Advanced Scanning Options

Chkrootkit offers specialized options for customized, enhanced scanning. You can check for a specific rootkit by specifying its name:

sudo chkrootkit wormscan

This command scans for worms.

Another advanced command lets you check for the last modification date of the network service binaries:

sudo chkrootkit -l /sbin

This example command inspects the /sbin directory for any modifications.

Using Chkrootkit effectively requires learning and experimenting with its various options to align the scans with your security objectives. Customizing the depth and focus of your scans allows for more robust and focused protection.

Conclusion

This guide walked you through installing and setting up Chkrootkit on Debian Linux (versions 12, 11, and 10), from extracting the source code to compiling and installing the tool. We also showed you how to use Chkrootkit to scan for rootkits and protect your system. It’s important to set up automated scans and learn the advanced options to boost your security. Remember, using Chkrootkit is just one part of staying secure. Keep your software updated and stay informed about best security practices.

Joshua James
Follow me
Latest posts by Joshua James (see all)

Leave a Comment