
I have installed the chkrootkit package with sudo apt-get install chkrootkit. When going to the /etc/chkrootkit.conf config file I see the following options:

RUN_DAILY="false"
RUN_DAILY_OPTS="-q"
DIFF_MODE="false"

I assume that the RUN_DAILY option if enabled would get chkrootkit to run an automated scan daily, and that the RUN_DAILY_OPTS sets what kind of scan the daily scan is in terms of which option it is using. Am I correct here? And if so then these automated scans, where are the results logged and how often do these scans occur?

Also, what does the DIFF_MODE option do? And should I enable it?

I have read the README file here and found nothing to do with this config file.

2 Answers

RUN_DAILY

If "yes" it runs daily automatically, if "no" you need to run it manually. Also have a look at /etc/cron.daily/chkrootkit. Here you can add something like it sending the report to an e-mail address.

RUN_DAILY_OPTS 

These are options you can include. -q means quiet so it does not print anything on screen when running.

DIFF_MODE

If this is set to "yes" chkrootkit compares the files /var/log/chkrootkit/log.expected with /var/log/chkrootkit/log.today.


Have a look at /etc/cron.daily/chkrootkit and $CHKROOTKIT $RUN_DAILY_OPTS. You can expand this with a | mail -s $HOSTNAME $YOUR_EMAIL_ADDRESS (untested!) to have it send mails after the scan is done.

Rinzwind

Had to google around to get all this info...

edit /etc/cron.daily/chkrootkit

# CHKROOTKIT, LOG_DIR, IGNORE_FILE and the settings from /etc/chkrootkit.conf are already defined earlier in this script
#        eval $CHKROOTKIT $RUN_DAILY_OPTS | (egrep -v -f "${IGNORE_FILE}" || true)
$CHKROOTKIT > "$LOG_DIR/chkrootkit.log" # Run chkrootkit and save the full output as the logfile
(
echo "Subject: [chkrootkit] $(hostname -f) - Daily report" # Create the subject line using the hostname
echo "To: $REPORT_EMAIL" # Insert the To: delivery address using the variable defined in chkrootkit.conf
echo "" # Blank line separates the mail headers from the body
cat "$LOG_DIR/chkrootkit.log" # Append the logfile as the mail body
) | /usr/sbin/sendmail "$REPORT_EMAIL" # Send out the email

edit /etc/chkrootkit.conf

RUN_DAILY="true"
RUN_DAILY_OPTS="-q"
DIFF_MODE="false"
REPORT_EMAIL="your-email-address@your-domain.co"

edit/create /etc/logrotate.d/chkroot

/var/log/chkrootkit/*.log {
  daily
  rotate 15
  dateext
  delaycompress
  missingok
  notifempty
}

run chkrootkit to generate a baseline

/etc/cron.daily/chkrootkit

Copy the existing log to the log expected file

cp /var/log/chkrootkit/chkrootkit.log /var/log/chkrootkit/log.expected

Should be good to go.
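As an added example (not code from either answer and not part of the Debian chkrootkit package), here is a small POSIX shell script that reproduces the idea behind DIFF_MODE described in the first answer and the baseline/e-mail workflow from the second: today's scan output is written to log.today, compared against a saved log.expected baseline, and a mail-shaped report is produced only when the two differ. The scan itself is simulated with constructed sample lines (the function fake_scan), the log directory is a hypothetical temp dir, and the REPORT_EMAIL variable is assumed to come from your own configuration.

```shell
#!/bin/sh
# Added example: DIFF_MODE-style comparison of a daily scan against a baseline.
# Nothing here runs the real chkrootkit; fake_scan stands in for `chkrootkit -q`.

WORK="${WORK:-$(mktemp -d)}"   # hypothetical working dir instead of /var/log/chkrootkit
LOG_DIR="$WORK/log"
mkdir -p "$LOG_DIR"

# fake_scan: constructed sample output in the style of chkrootkit's quiet mode.
# "clean" prints only a known-benign finding; "changed" adds one new finding.
fake_scan() {
    printf '%s\n' 'The following suspicious files and directories were found:'
    printf '%s\n' '/usr/lib/debug/.build-id'
    if [ "$1" = "changed" ]; then
        printf '%s\n' 'Checking bindshell... INFECTED (PORTS: 465)'
    fi
}

# diff_mode_report MODE
#   Writes today's scan to log.today. On the first run it copies that file to
#   log.expected (the manual baseline step from the answer above) and returns 0.
#   On later runs it returns 0 when nothing changed, or prints a mail-formatted
#   report (Subject/To headers, blank line, unified diff) and returns 1 when the
#   output differs from the baseline, so a cron job can pipe it into sendmail.
diff_mode_report() {
    mode="$1"
    fake_scan "$mode" > "$LOG_DIR/log.today"

    if [ ! -f "$LOG_DIR/log.expected" ]; then
        cp "$LOG_DIR/log.today" "$LOG_DIR/log.expected"   # establish the baseline
        return 0
    fi

    if cmp -s "$LOG_DIR/log.expected" "$LOG_DIR/log.today"; then
        return 0   # identical to baseline: stay quiet, send nothing
    fi

    host=$(hostname 2>/dev/null || echo localhost)
    echo "Subject: [chkrootkit] $host - output changed since baseline"
    echo "To: ${REPORT_EMAIL:-root}"   # REPORT_EMAIL is assumed to be set by the caller
    echo ""
    diff -u "$LOG_DIR/log.expected" "$LOG_DIR/log.today" || true
    return 1
}

# Stand-alone demonstration: first run creates the baseline, second run is
# silent, third run shows the new finding as a diff.
if [ "${1:-}" = "demo" ]; then
    diff_mode_report clean
    diff_mode_report clean || echo "(unexpected report)"
    diff_mode_report changed || true
fi
```

Run it as `sh script.sh demo` to see the three stages; in a real cron job you would replace fake_scan with `$CHKROOTKIT $RUN_DAILY_OPTS` and append `| /usr/sbin/sendmail "$REPORT_EMAIL"` to the call, so a mail only arrives when the scan output has drifted from the baseline you reviewed. Remember to refresh log.expected after you have investigated and accepted a change, otherwise every subsequent run keeps reporting it.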