Rootkit checks matter most before a suspicious Fedora system becomes the only evidence you trust. To install Chkrootkit on Fedora, start with the signed DNF package, then use the upstream source build only when you need the latest checks and accept manual maintenance. Chkrootkit looks for known rootkit signatures, hidden-process symptoms, suspicious binaries, and network-interface warnings, but its findings still need careful review because false positives are common.
Current Fedora releases package Chkrootkit 0.58, while the upstream Chkrootkit site publishes the newer 0.59 source tarball on its download page. The package name is chkrootkit, not chrootkit or checkrootkit, which helps when searching DNF output or troubleshooting a missing package.
Install Chkrootkit on Fedora
The Fedora DNF package is the safest default because Fedora handles package signing, dependency tracking, and future updates. It installs the scanner plus helper binaries under a versioned package directory.
Refresh repositories and apply available package updates first:
sudo dnf upgrade --refresh
These commands use sudo for package installation and system-wide scan configuration. If your account does not have administrator access yet, use a root shell or follow the guide to add a user to sudoers on Fedora before continuing.
Install the Fedora repository package:
sudo dnf install chkrootkit
Verify the installed RPM and the scanner version. Fedora’s packaged -V option prints the version but returns a nonzero status, so the command includes || true to keep copy-paste scripts from stopping after the version check:
rpm -q chkrootkit
sudo chkrootkit -V || true
On Fedora 44, the package-version check returns:
chkrootkit-0.58-3b.fc44.x86_64
chkrootkit version 0.58b
Compare Chkrootkit Install Methods on Fedora
Use the DNF package unless you specifically need the current upstream source release. Source builds are useful for version recency, but they bypass Fedora’s normal package update and removal tracking.
| Method | Current Version | Best Fit | Tradeoff |
|---|---|---|---|
| Fedora DNF package | 0.58-3b.fc44 on Fedora 44, 0.58-1b.fc43 on Fedora 43 | Most desktops, servers, and routine monitoring setups | Uses Fedora package signing and DNF updates, but may lag upstream |
| Upstream source build | 0.59 from the official Chkrootkit tarball | Users who need the newest upstream checks and accept manual maintenance | Downloads from the upstream FTP source tarball, uses only an MD5 integrity file, and installs outside the RPM database |
Build Chkrootkit from Source on Fedora
The source method installs a separate command named chkrootkit-source so it does not silently replace Fedora’s package-managed launcher. Pick one scanner path for routine checks, then keep the matching update and removal commands together.
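The upstream download page publishes an MD5 sidecar for the source archive, not a modern signature. Because the checksum is fetched over the same unauthenticated FTP channel as the tarball, it detects download corruption but does not prove the archive is authentic. Use the source method when version recency matters, but prefer the DNF package when Fedora package signing and RPM ownership are more important than the newest upstream release.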
Install the download and build tools first. The upstream build uses a statically linked helper, so glibc-static is part of the Fedora build dependency set:
sudo dnf install curl tar gcc make glibc-static
Create a repeatable updater under /usr/local/bin. The same helper performs the first source install and future source updates by downloading the official tarball with curl, verifying the upstream MD5 file, building the helper programs, and replacing only the source-installed tree under /usr/local/share/chkrootkit:
cat <<'EOF' | sudo tee /usr/local/bin/update-chkrootkit >/dev/null
#!/usr/bin/env bash
set -euo pipefail
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this updater with sudo."
    exit 1
fi
for tool in curl tar make gcc md5sum grep awk install cp dirname mktemp chmod rm mv; do
    if ! command -v "$tool" >/dev/null; then
        echo "Missing required tool: $tool"
        echo "Install required tools with: sudo dnf install curl tar gcc make glibc-static"
        exit 1
    fi
done
SOURCE_URL="ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz"
SUM_URL="ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.md5"
BUILD_DIR="$(mktemp -d "${TMPDIR:-/tmp}/chkrootkit-build.XXXXXX")"
BACKUP_DIR="$BUILD_DIR/previous-install"
trap 'rm -rf "$BUILD_DIR"' EXIT
write_wrapper() {
    cat >/usr/local/bin/chkrootkit-source <<'WRAPPER'
#!/usr/bin/env bash
cd /usr/local/share/chkrootkit || exit 1
exec ./chkrootkit "$@"
WRAPPER
    chmod 0755 /usr/local/bin/chkrootkit-source
}
rollback_install() {
    rm -rf /usr/local/share/chkrootkit
    if [ -d "$BACKUP_DIR" ]; then
        mv "$BACKUP_DIR" /usr/local/share/chkrootkit
        write_wrapper
        echo "Restored the previous source-installed chkrootkit tree."
    fi
}
cd "$BUILD_DIR"
echo "Downloading chkrootkit source..."
curl -fsSLO "$SOURCE_URL"
curl -fsSLO "$SUM_URL"
echo "Verifying upstream MD5 file..."
md5sum -c chkrootkit.md5
tar -xzf chkrootkit.tar.gz
cd chkrootkit-*/
NEW_VERSION="$(awk -F"'" '/^CHKROOTKIT_VERSION=/{print $2; exit}' chkrootkit)"
if [ -z "$NEW_VERSION" ]; then
    echo "Could not detect the downloaded chkrootkit version."
    exit 1
fi
CURRENT_VERSION=""
if [ -x /usr/local/share/chkrootkit/chkrootkit ]; then
    CURRENT_VERSION="$(/usr/local/share/chkrootkit/chkrootkit -V 2>&1 | grep -oE 'version [0-9.]+[[:alnum:]]*' | awk '{print $2}' || true)"
fi
if [ -n "$CURRENT_VERSION" ] && [ "$CURRENT_VERSION" = "$NEW_VERSION" ]; then
    echo "Source-installed Chkrootkit $CURRENT_VERSION is already current."
    write_wrapper
    exit 0
fi
echo "Building chkrootkit $NEW_VERSION..."
make sense
echo "Installing to /usr/local/share/chkrootkit..."
if [ -d /usr/local/share/chkrootkit ]; then
    mv /usr/local/share/chkrootkit "$BACKUP_DIR"
fi
install -d -m 0755 /usr/local/share/chkrootkit
if ! cp -a . /usr/local/share/chkrootkit/; then
    echo "Install copy failed."
    rollback_install
    exit 1
fi
write_wrapper
VERIFY_VERSION="$(/usr/local/share/chkrootkit/chkrootkit -V 2>&1 | grep -oE 'version [0-9.]+[[:alnum:]]*' | awk '{print $2}' || true)"
if [ "$VERIFY_VERSION" != "$NEW_VERSION" ]; then
    echo "Installed chkrootkit failed its version check."
    rollback_install
    exit 1
fi
rm -rf "$BACKUP_DIR"
echo "Installed version:"
/usr/local/bin/chkrootkit-source -V 2>&1 || true
EOF
sudo chmod 0755 /usr/local/bin/update-chkrootkit
The final chmod command makes the updater executable. The helper also writes a small chkrootkit-source wrapper that changes into the source install directory before running the scanner, which lets Chkrootkit find its helper binaries.
Run the updater to perform the first source installation:
sudo update-chkrootkit
A successful first run ends with output similar to this trimmed example:
Downloading chkrootkit source...
Verifying upstream MD5 file...
chkrootkit.tar.gz: OK
Building chkrootkit 0.59...
Installing to /usr/local/share/chkrootkit...
Installed version:
chkrootkit version 0.59
Fedora’s GCC 16 can print an old-style function definition warning while compiling chkwtmp.c. That warning does not necessarily block the build when the installed version check still passes.
If the source-installed tree is already current, the updater exits without rebuilding it:
Source-installed Chkrootkit 0.59 is already current.
Do not run source-build updates from cron. Network failures, changed upstream archives, or compiler errors need manual review, especially for a security scanner.
Run Chkrootkit Scans on Fedora
Run Chkrootkit only on systems you own or administer. The checks are local and read-only, but the results can expose sensitive paths, process names, and service details that should stay out of public logs or screenshots.
For the Fedora DNF package, run scans from the package helper directory so the scanner can find binaries such as strings-static, ifpromisc, and chkproc:
sudo sh -c 'cd /usr/lib64/chkrootkit-* && ./chkrootkit'
For day-to-day checks, quiet mode is usually easier to review because it prints only findings, warnings, and suspicious paths instead of every clean test:
sudo sh -c 'cd /usr/lib64/chkrootkit-* && ./chkrootkit -q'
If you installed the source build, use the wrapper created by update-chkrootkit:
sudo chkrootkit-source -q
Quiet output is not guaranteed to be empty on a clean Fedora system. Normal system paths and NetworkManager’s packet socket can appear in quiet output and need review rather than immediate deletion:
RTNETLINK answers: Invalid argument
/usr/lib/.build-id /usr/lib/debug/.dwz
ens160: PF_PACKET(/usr/bin/NetworkManager)
Chkrootkit Command Options on Fedora
The Fedora package exposes these commonly used options:
| Option | What It Does |
|---|---|
| -q | Quiet mode, prints only findings and warnings |
| -x | Expert mode, prints extra diagnostic data for individual tests |
| -r dir | Scans a mounted root directory instead of / |
| -p dir1:dir2 | Uses trusted external command directories instead of the live system path |
| -n | Skips NFS mount points |
| -T fstype | Skips mount points with the supplied file-system type |
| -l | Lists available Chkrootkit tests |
List all tests from the Fedora package with:
sudo sh -c 'cd /usr/lib64/chkrootkit-* && ./chkrootkit -l'
Configure Automatic Chkrootkit Scans on Fedora
Automated scans are useful when you want a local audit trail, but they should not replace manual review after an incident. Install or confirm cronie, then enable the cron daemon:
sudo dnf install cronie
sudo systemctl enable --now crond.service
Confirm that cron is active:
systemctl is-active crond.service
active
Create a root-owned scan script that works with either the source install path or Fedora’s DNF package path:
cat <<'EOF' | sudo tee /usr/local/bin/chkrootkit_scan.sh >/dev/null
#!/usr/bin/env bash
set -eu
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this script as root."
    exit 1
fi
LOG="/var/log/chkrootkit.log"
CHKROOTKIT_BIN=""
for candidate in /usr/local/share/chkrootkit/chkrootkit /usr/lib64/chkrootkit-*/chkrootkit; do
    if [ -x "$candidate" ]; then
        CHKROOTKIT_BIN="$candidate"
        break
    fi
done
if [ -z "$CHKROOTKIT_BIN" ]; then
    echo "Could not find a supported chkrootkit binary directory." >&2
    exit 1
fi
{
    printf '===== Chkrootkit Scan: %s =====\n' "$(date -Is)"
    cd "$(dirname "$CHKROOTKIT_BIN")"
    ./chkrootkit -q
} >>"$LOG" 2>&1
EOF
sudo chmod 0755 /usr/local/bin/chkrootkit_scan.sh
Run the script manually before scheduling it:
sudo /usr/local/bin/chkrootkit_scan.sh
sudo head -30 /var/log/chkrootkit.log
Relevant log lines include the timestamp header and scanner findings:
===== Chkrootkit Scan: 2026-05-16T09:59:14+08:00 =====
RTNETLINK answers: Invalid argument
/usr/lib/.build-id /usr/lib/debug/.dwz
Open the root crontab and add the job after the manual test succeeds:
sudo crontab -e
This schedule runs the scan every day at 2:00 AM:
0 2 * * * /usr/local/bin/chkrootkit_scan.sh
The five fields are minute, hour, day of month, month, and day of week. Adjust the first two values if another maintenance window fits your system better.
Confirm the root crontab contains the scan job:
sudo crontab -l
0 2 * * * /usr/local/bin/chkrootkit_scan.sh
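Because quiet output is rarely empty on a clean system, the useful signal in a nightly log is what changed since the previous run. The following is an added example, not part of the original guide: it assumes the header format written by chkrootkit_scan.sh above, and the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list findings in the newest
# scan block of the log that the previous block did not contain.
# Assumes the "===== Chkrootkit Scan: <timestamp> =====" header written by
# chkrootkit_scan.sh.

# new_findings [LOGFILE]: reads LOGFILE (or stdin) and prints each line of
# the last scan block that is absent from the block before it. With only
# one block in the log there is no baseline, so every line is printed.
new_findings() {
    awk '
        /^===== Chkrootkit Scan: / {
            # A new block starts: the current block becomes the baseline.
            split("", prev)
            for (k in cur) prev[k] = 1
            split("", cur)
            n = 0
            next
        }
        NF && !($0 in cur) { cur[$0] = 1; order[++n] = $0 }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in prev)) print order[i]
        }
    ' "${1:--}"
}

# Constructed sample log: two nightly runs, the second with one extra line.
sample_log() {
    cat <<'LOG'
===== Chkrootkit Scan: 2026-05-16T02:00:01+08:00 =====
RTNETLINK answers: Invalid argument
/usr/lib/.build-id /usr/lib/debug/.dwz
===== Chkrootkit Scan: 2026-05-17T02:00:01+08:00 =====
RTNETLINK answers: Invalid argument
/usr/lib/.build-id /usr/lib/debug/.dwz
ens160: PF_PACKET(/usr/bin/NetworkManager)
LOG
}

sample_log | new_findings
```

To use it on the real log, replace the last line with new_findings /var/log/chkrootkit.log and run the script as root.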
Interpret Chkrootkit Results on Fedora
Chkrootkit reports each test as not infected, not found, warning text, or INFECTED. not found usually means Fedora does not have that optional daemon or command installed. INFECTED deserves immediate investigation, but it is still a signal to verify, not a command to delete files blindly.
When a finding names a normal-looking Fedora path or process, start by checking package ownership. For example, NetworkManager can appear in packet-sniffer output because it monitors interfaces:
rpm -qf /usr/bin/NetworkManager
rpm -V NetworkManager
NetworkManager-1.56.0-1.fc44.x86_64
No output from rpm -V NetworkManager means RPM did not find package-file changes for that package. If the verification command prints changes, or if Chkrootkit reports a high-risk test, compare the result with logs, package checksums, backups, and another scanner before changing the system.
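The ownership check above can be applied to every path in a quiet-mode report at once. This is an added example, not part of the original guide: the function names, labels, and sample input are constructed, and it only uses rpm -qf and rpm -Vf on the live system.

```shell
#!/bin/sh
# Added example (not from the original page): pull every absolute path out
# of chkrootkit -q output and label it by RPM ownership.

# extract_paths: stdin = quiet-mode output; stdout = unique absolute paths,
# including a path wrapped in PF_PACKET(...).
extract_paths() {
    grep -oE '/[A-Za-z0-9._+/-]+' | LC_ALL=C sort -u
}

# triage_path PATH: prints "<label> PATH [package...]".
#   unowned   no package claims the path: review it first
#   modified  rpm -Vf reports changes in an owning package: read its output
#   verified  every owning package passes rpm -Vf
#   no-rpm    rpm is not available on this host
triage_path() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "no-rpm $1"
        return 0
    fi
    if ! pkg=$(rpm -qf "$1" 2>/dev/null); then
        echo "unowned $1"
    elif rpm -Vf "$1" >/dev/null 2>&1; then
        # $pkg is left unquoted so several owning packages print on one line.
        echo "verified $1" $pkg
    else
        echo "modified $1" $pkg
    fi
}

# Constructed sample: the quiet-mode lines shown earlier in this guide.
sample_findings() {
    cat <<'OUT'
RTNETLINK answers: Invalid argument
/usr/lib/.build-id /usr/lib/debug/.dwz
ens160: PF_PACKET(/usr/bin/NetworkManager)
OUT
}

sample_findings | extract_paths | while read -r p; do
    triage_path "$p"
done
```

A modified label can come from an edited configuration file in the same package, so read the full rpm -V output before drawing conclusions.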
A suspected compromise changes the trust model. A rootkit can tamper with commands such as ps, ls, netstat, or strings, which Chkrootkit may rely on during a local scan. For stronger evidence, boot from trusted live media, mount the suspect system read-only, and scan that mounted root with trusted binaries. Use the command form that matches your install method:
sudo sh -c 'cd /usr/lib64/chkrootkit-* && ./chkrootkit -r /mnt/suspect-root -p /mnt/trusted-bin:/mnt/trusted-sbin'
sudo chkrootkit-source -r /mnt/suspect-root -p /mnt/trusted-bin:/mnt/trusted-sbin
Chkrootkit does not detect every rootkit or every form of compromise. It works best as one layer beside file-integrity checks, package verification, logs, network review, and malware scanners such as ClamAV.
Troubleshoot Chkrootkit on Fedora
Fix Missing Helper Warnings in Chkrootkit
If Fedora prints messages such as can't exec ./strings-static or not tested: can't exec ./ifpromisc, the scanner is running outside its helper directory. Run the DNF package from its versioned directory, or use the chkrootkit-source wrapper for a source install:
sudo sh -c 'cd /usr/lib64/chkrootkit-* && ./chkrootkit -q'
sudo chkrootkit-source -q
Fix Cron Jobs That Do Not Run Chkrootkit
If automated scans stop updating /var/log/chkrootkit.log, check the cron daemon, the root crontab, and the script permissions:
systemctl is-active crond.service
sudo crontab -l
sudo ls -l /usr/local/bin/chkrootkit_scan.sh
Start cron again if it is inactive:
sudo systemctl enable --now crond.service
The cron entry must be in root’s crontab because the scan needs root privileges and writes to /var/log/chkrootkit.log. Edit it with sudo crontab -e, not your regular user’s crontab -e.
Fix Permission Errors in Chkrootkit
Running Chkrootkit without root privileges can trigger permission errors or an authentication prompt from Fedora’s consolehelper wrapper. Use sudo for scans and for the scan script:
sudo sh -c 'cd /usr/lib64/chkrootkit-* && ./chkrootkit -q'
sudo /usr/local/bin/chkrootkit_scan.sh
Update Chkrootkit on Fedora
For the Fedora package, keep Chkrootkit updated through DNF:
sudo dnf upgrade chkrootkit
For a source installation, rerun the source updater manually:
sudo update-chkrootkit
Remove Chkrootkit from Fedora
Use the removal path that matches how you installed Chkrootkit. The automated scan script and log are separate local files, so remove them only if you created that scheduled scan.
Remove the Fedora DNF Package
Remove the RPM package:
sudo dnf remove chkrootkit
Confirm that the package is no longer installed:
rpm -q chkrootkit || echo "chkrootkit is not installed"
package chkrootkit is not installed
chkrootkit is not installed
Remove a Source-Built Chkrootkit Install
These commands permanently delete the source-installed Chkrootkit tree and the local update helper. Keep a backup first if you modified any source files or local scripts under these paths.
sudo rm -rf /usr/local/share/chkrootkit
sudo rm -f /usr/local/bin/chkrootkit-source
sudo rm -f /usr/local/bin/update-chkrootkit
Clear your shell’s command cache, then confirm the source wrapper no longer resolves:
hash -r
command -v chkrootkit-source || echo "chkrootkit-source command not found"
chkrootkit-source command not found
Remove Chkrootkit Cron Configuration
Edit root’s crontab and delete the line that runs /usr/local/bin/chkrootkit_scan.sh:
sudo crontab -e
Then remove the scan script and log file if you no longer need the scan history:
sudo rm -f /usr/local/bin/chkrootkit_scan.sh
sudo rm -f /var/log/chkrootkit.log
Conclusion
Chkrootkit is ready on Fedora through either the DNF package or a source-built 0.59 wrapper, with cron available when you want recurring local scan logs. Treat each finding as an investigation lead, then compare results with package verification, logs, and ClamAV malware scans, and use Fail2Ban with firewalld for exposed services.

