How to Install Chkrootkit on Fedora Linux

Last updated: Sunday, February 15, 2026 2:00 pm. Author: Joshua James.

Chkrootkit is a rootkit detection tool that scans for rootkits, worms, and malicious kernel modules hiding on Linux systems. Unlike antivirus software that targets file-based malware, chkrootkit focuses specifically on detecting compromised system binaries and kernel-level threats. By the end of this guide, you will have chkrootkit installed on Fedora, running on-demand scans, and logging automated daily results to /var/log/chkrootkit.log for review.

Chkrootkit can be installed from the Fedora default repository or compiled from the latest source release when you need the newest detection signatures. Both methods are covered below.

Choose Your Chkrootkit Installation Method on Fedora

Chkrootkit offers two installation paths on Fedora: the distribution package provides stability and automatic updates through DNF, while source compilation gives you access to the newest rootkit detection signatures immediately after upstream releases.

| Method | Channel | Version | Updates | Best For |
|---|---|---|---|---|
| DNF package | Fedora AppStream | Distribution default | Automatic via dnf upgrade | Most users who want automatic updates and minimal maintenance |
| Source archive | Official site | Latest stable | Manual recompilation | Security researchers needing cutting-edge detection rules |

The DNF method is recommended for most users because it provides automatic security updates and integrates with system package management. Compile from source only when you need detection signatures unavailable in the repository version or when investigating a suspected compromise requires the absolute latest scanning logic.

Method 1: Install Chkrootkit with DNF on Fedora

Update Fedora System Packages

Refresh the package database and upgrade installed packages before installing new software:

sudo dnf upgrade --refresh

This guide uses sudo for commands that need root privileges. If your user is not in the sudoers file yet, follow the guide on how to add and manage sudo users on Fedora.

Install Chkrootkit via DNF

Install chkrootkit from the Fedora repository:

sudo dnf install chkrootkit

Verify Chkrootkit DNF Installation

Confirm the installation by checking the version:

chkrootkit -V

Expected output:

chkrootkit version 0.58b

The Fedora repository version may lag slightly behind the latest upstream release. This is normal and recommended for most users since Fedora tests packages for compatibility before shipping them.

Method 2: Install Chkrootkit from Source on Fedora

Install Build Dependencies for Chkrootkit

Install the compiler and libraries required to build chkrootkit from source:

sudo dnf install gcc make glibc-static

Download Chkrootkit Source Code

Download the latest chkrootkit source archive from the official FTP server:

curl -LO ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz

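Fedora ships wget2, which does not support FTP downloads, so this guide uses curl instead. FTP provides no encryption or integrity protection, so compare the downloaded archive against the checksum published on the official chkrootkit download page before compiling it. The version number 0.59 used throughout this section is an example current at the time of writing. Check the official chkrootkit download page for the latest release and substitute accordingly.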

Compile and Install Chkrootkit from Source

Extract the archive, identify the version directory, and compile:

tar -xzf chkrootkit.tar.gz
ls -d chkrootkit-*/

Expected output showing the extracted directory:

chkrootkit-0.59/

Enter the directory and compile:

cd chkrootkit-0.59
make sense

Replace 0.59 with your extracted directory name if different. The make sense target compiles all chkrootkit binaries.

Set Up Chkrootkit for Global Access

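Move the compiled files to a standard system location, hand ownership to root, and create a symlink so you can run chkrootkit from any directory:

cd ..
sudo mv chkrootkit-0.59 /usr/local/share/chkrootkit
sudo chown -R root:root /usr/local/share/chkrootkit
sudo ln -sf /usr/local/share/chkrootkit/chkrootkit /usr/local/bin/chkrootkit

The chown step matters because the files were built as your regular user and mv preserves that ownership. Without it, that account could modify binaries that are later run as root.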

Verify Source Chkrootkit Installation

Confirm the symlink works and chkrootkit is globally accessible:

chkrootkit -V

Expected output:

chkrootkit version 0.59

Run and Configure Chkrootkit Scans on Fedora

Run a Rootkit Scan with Chkrootkit

Chkrootkit requires root privileges to scan system directories and processes. Run a full scan:

sudo chkrootkit

For a streamlined output that shows only potential threats, use quiet mode:

sudo chkrootkit -q

Sample output from a full scan (without -q) on a clean system:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected

Lines showing “not infected” or “not found” indicate a clean system. Any line showing “INFECTED” requires immediate investigation.

Chkrootkit Command Reference

Chkrootkit supports several flags for different scanning scenarios:

| Flag | Description |
|---|---|
| -q | Quiet mode, shows only potential threats |
| -x | Expert mode, displays additional diagnostic data |
| -r dir | Use a custom root directory for scanning (useful for mounted drives) |
| -n | Skip NFS mount points during the scan |
| -l | List all available rootkit tests |
| -d | Debug mode for troubleshooting scan issues |

Access the full help and manual pages:

chkrootkit -h
man chkrootkit

Configure Automated Chkrootkit Scans with Cron

Automated daily scans log results for review without requiring manual intervention. Fedora does not include cronie by default, so install it first:

sudo dnf install cronie
sudo systemctl enable crond.service --now

Verify the cron service is running:

sudo systemctl status crond.service

Expected output:

● crond.service - Command Scheduler
     Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled)
     Active: active (running)

Create the Chkrootkit Scan Script

Create a script that runs chkrootkit and appends timestamped results to a log file:

sudo nano /usr/local/bin/chkrootkit_scan.sh

Add the following content:

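#!/bin/bash
# Cron runs with a minimal PATH; include /usr/local/bin for source installs.
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
umask 077  # keep a newly created scan log readable by root only
LOG="/var/log/chkrootkit.log"
# Abort with a logged error if the binary cannot be found.
CHKROOTKIT=$(command -v chkrootkit) || { echo "chkrootkit not found in PATH" >> "$LOG"; exit 1; }
# Write a timestamped header, then append scan output and errors.
echo "===== Chkrootkit Scan: $(date) =====" >> "$LOG"
"$CHKROOTKIT" >> "$LOG" 2>&1

The script uses command -v chkrootkit to find the correct binary path, whether you installed via DNF (/usr/bin/chkrootkit) or from source (/usr/local/bin/chkrootkit). Because cron starts jobs with a minimal PATH that does not include /usr/local/bin, the script sets PATH explicitly; without that line, a source-installed chkrootkit would not be found when the job runs from cron.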

Save the file (Ctrl+O, then Enter) and exit (Ctrl+X). Make the script executable:

sudo chmod +x /usr/local/bin/chkrootkit_scan.sh

Schedule Daily Chkrootkit Scans

Open the root crontab to add the scheduled scan:

sudo crontab -e

Add this line to schedule a scan every day at 2:00 AM:

0 2 * * * /usr/local/bin/chkrootkit_scan.sh

The five time fields are: minute (0), hour (2), day of month (*), month (*), day of week (*). Adjust the first two values to change the schedule. Results append to /var/log/chkrootkit.log with timestamps for each scan.

Test the Chkrootkit Scan Script

Run the script manually and check the log to confirm everything works:

sudo /usr/local/bin/chkrootkit_scan.sh
sudo head -20 /var/log/chkrootkit.log

Expected output showing a clean scan:

===== Chkrootkit Scan: Sat Feb 15 02:00:00 UTC 2026 =====
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected

Troubleshoot Common Chkrootkit Issues on Fedora

False Positives in Chkrootkit Scans

Chkrootkit occasionally flags legitimate system files as suspicious, particularly on modern Linux distributions with security features like FIPS integrity checksums.

Common false positive example:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libcrypto.so.1.1.hmac
/usr/lib/.libssl.so.1.1.hmac

These .hmac files are FIPS integrity checksums used by OpenSSL and are legitimate system files. Before taking action on any “INFECTED” warning, research the specific file or process flagged. Cross-reference findings with the official chkrootkit documentation for known false positives.
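The daily log grows by one full scan per run, so reviewing it means finding the latest block and separating real findings from the known .hmac false positives. The following is an added example, not part of the original guide or of chkrootkit itself: the function names, the allowlist pattern, and the sample log are assumptions built from the log format and file names shown on this page.

```bash
#!/bin/bash
# Added example: triage the most recent scan in /var/log/chkrootkit.log.

# Allowlist (assumption): only the FIPS .hmac checksum files this guide names.
ALLOW_RE='/[.]lib(crypto|ssl)[.]so[.][0-9.]+[.]hmac$'

# Print findings from the last "===== Chkrootkit Scan:" block of log $1.
latest_findings() {
  awk -v allow="$ALLOW_RE" '
    /^===== Chkrootkit Scan: / { n = 0; next }   # new scan: forget older findings
    /INFECTED/                 { out[n++] = "INFECTED: " $0; next }
    /^\// && $0 !~ allow       { out[n++] = "SUSPICIOUS PATH: " $0 }
    END { for (i = 0; i < n; i++) print out[i] }
  ' "$1"
}

# Succeeds only when the latest scan has no findings (usable from cron wrappers).
scan_is_clean() {
  [ -z "$(latest_findings "$1")" ]
}

# Constructed sample log: an older scan that flagged cron, then a newer scan
# that lists the two .hmac files plus one made-up hidden path.
sample_log() {
  cat <<'EOF'
===== Chkrootkit Scan: Sat Feb 14 02:00:00 UTC 2026 =====
ROOTDIR is `/'
Checking `cron'... INFECTED
===== Chkrootkit Scan: Sun Feb 15 02:00:00 UTC 2026 =====
ROOTDIR is `/'
Checking `cron'... not infected
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libcrypto.so.1.1.hmac
/usr/lib/.libssl.so.1.1.hmac
/usr/lib/.constructed-example
EOF
}

# With a log path argument, triage that file; otherwise run on the sample.
if [ $# -gt 0 ]; then latest_findings "$1"; else sample_log | latest_findings -; fi
```

Extend ALLOW_RE only after confirming a flagged file belongs to an installed package and is unmodified, for example with rpm -qf and rpm -V.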

Cron Job Not Executing Chkrootkit Scans

If automated scans are not running, verify the cron service and job configuration:

sudo systemctl status crond.service

If inactive, start and enable it:

sudo systemctl enable crond.service --now

Verify your cron job is registered:

sudo crontab -l

Expected output:

0 2 * * * /usr/local/bin/chkrootkit_scan.sh

If the log file is empty or missing recent entries, check that the script path and permissions are correct with ls -l /usr/local/bin/chkrootkit_scan.sh. The script must be executable and the crontab must belong to root (sudo crontab -e, not your regular user account).

Permission Denied Errors with Chkrootkit

Chkrootkit requires root privileges to scan system directories and processes. Running without sudo produces errors:

chkrootkit: cannot open `/proc/kcore' for reading: Permission denied

Always run scans with elevated privileges:

sudo chkrootkit

Remove Chkrootkit from Fedora

Remove DNF-Installed Chkrootkit

sudo dnf remove chkrootkit

Remove Source-Compiled Chkrootkit

The following commands permanently delete the source-compiled chkrootkit installation from /usr/local/share/chkrootkit.

sudo rm /usr/local/bin/chkrootkit
sudo rm -rf /usr/local/share/chkrootkit

Remove Automated Scan Configuration

Remove the cron job by editing the root crontab and deleting the chkrootkit line:

sudo crontab -e

Delete the line containing /usr/local/bin/chkrootkit_scan.sh, then remove the script and log file:

sudo rm /usr/local/bin/chkrootkit_scan.sh
sudo rm /var/log/chkrootkit.log

Frequently Asked Questions

How do I read chkrootkit scan results?

Chkrootkit tests each system binary and kernel module individually. Lines showing “not infected” or “not found” are normal. “not found” means the binary does not exist on your system, which is expected for services you have not installed. “INFECTED” flags require investigation but are not always genuine threats. Run sudo chkrootkit -x on the specific test for detailed diagnostic output before taking action.

Does chkrootkit detect all types of rootkits?

No. Chkrootkit detects known rootkit signatures and suspicious binary modifications, but it cannot detect zero-day rootkits or advanced kernel-level rootkits that actively hide from scanning tools. Chkrootkit works best as one layer in a defense-in-depth strategy alongside ClamAV for malware scanning and AIDE (Advanced Intrusion Detection Environment) for file integrity monitoring.

Conclusion

You now have chkrootkit installed on Fedora with either the DNF package or compiled from source, along with automated daily scans logging results to /var/log/chkrootkit.log. Run sudo chkrootkit -q periodically for quick checks that surface only potential threats.

For a more comprehensive security posture, pair chkrootkit with ClamAV for malware scanning on Fedora, Fail2Ban with Firewalld for intrusion prevention on Fedora, Firewalld configuration on Fedora for network filtering, and SSH hardening on Fedora for secure remote access. Together, these tools cover different attack vectors and complement rootkit detection.
