.TH chkrootkit 8 "Oct 23, 2021"
.SH NAME
chkrootkit
\- Scan the system for signs of rootkits
.SH SYNOPSIS
\fBchkrootkit\fR [\fIOPTIONS\fR] [\fITEST\fR...]
.SH DESCRIPTION
.B chkrootkit
examines the target system for signs that it has been tampered
with. Some tools which
.B chkrootkit
uses can be found in
.BR /usr/lib/chkrootkit .
.SH OPTIONS
Unlike most programmes, options cannot be combined, so you need to
write '\fB\-q \-n\fR' instead of '\fB\-qn\fR'.
.TP
.B \-q
Enter quiet mode. This suppresses output of tests that find nothing suspicious.
.TP
.B \-x
Enter expert mode. This makes many tests produce additional output
showing what they have found.
.TP
.B \-d
Enter debug mode. This shows exactly what chkrootkit is doing at every
step (it includes running chkrootkit with \fBset \-x\fR).
.TP
\fB\-e \&"\fIFILE1\fR[ \fIFILE2\fR...]\fB\&"\fR
Exclude listed files from the results of some tests. The list should
be space-separated (which will generally require quoting when run from
a shell). You can also specify
.B \-e
several times. Use this to remove false positives from the result of
many tests - see
.BR /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.gz .
.TP
\fB\-s\fR \fIREGEXP\fR
Similar to
.B \-e
but only applies to the result of the sniffer test. This test will
class standard network managers like
.BR systemd-networkd (1),
.BR NetworkManager (1)
or
.BR wpa_supplicant (1)
as packet sniffers. You can remove such messages from the output
with something like
.B chkrootkit \-s '(systemd-networkd|NetworkManager|wpa_supplicant)'
(you may want to use a more precise regular expression, see
.BR /etc/chkrootkit/chkrootkit.conf ).
The argument can be any regular expression understood by
.BR egrep (1)
and is applied to every line of the output of the
.B ifpromisc
test.
.TP
\fB\-p\fR \fIDIR1\fR[\fB:\fR\fIDIR2\fR...]
Specify an alternative
.IR $PATH .
.B chkrootkit
assumes that standard programmes, like
.IR find (1)
and
.IR grep (1),
are uncompromised. The intention is that you place trusted copies of
such binaries where they cannot be modified and invoke with something
like
.BR "chkrootkit \-p /media/usb" .
.TP
\fB\-r\fR \fIDIR\fR
Use
.I DIR
as the root directory. For example, you might mount a compromised disk on an
uncompromised system and run \fBchkrootkit -r /mnt\fR.
.TP
.B \-n
Make some tests ignore NFS-mounted directories.
.TP
\fB\-T\fR \fIFSTYPE\fR
Make some tests ignore file systems of type \fIFSTYPE\fR. This uses
.BR find (1)'s
\fB\-fstype\fR option.
.TP
.B \-l
Print available tests.
.TP
.B \-h
Print a short help message and exit.
.TP
.B \-V
Print version information and exit.
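.PP
The following wrapper is an added example and is not part of chkrootkit.
It shows how the options above fit together for an offline scan of a
mounted, possibly compromised, filesystem: it checks that a trusted tool
directory (the target of \fB\-p\fR) actually holds the helper binaries
before relying on it, and composes the invocation with every option
kept separate (\fB\-q \-n\fR, never \fB\-qn\fR), one \fB\-e\fR per
excluded file and a \fB\-s\fR pattern for the sniffer test. The function
names, the tool list beyond find and grep, and the paths /media/usb and
/mnt are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: validate a trusted tool
# directory and compose a chkrootkit command line for an offline scan.
# Function names and the tool list are assumptions made for this example.

# Tools that must be present in the trusted directory. find and grep are
# the ones the manual names; strings is assumed from the SEE ALSO list.
TRUSTED_TOOLS="find grep strings"

# check_trusted_dir DIR
# Succeeds only if every tool in TRUSTED_TOOLS is a regular, executable
# file directly inside DIR. Symlinks are rejected because a link could
# resolve back into the suspect filesystem.
check_trusted_dir() {
    dir=$1
    missing=""
    for tool in $TRUSTED_TOOLS; do
        path="$dir/$tool"
        if [ -L "$path" ] || [ ! -f "$path" ] || [ ! -x "$path" ]; then
            missing="$missing $tool"
        fi
    done
    if [ -n "$missing" ]; then
        echo "trusted dir $dir is missing:$missing" >&2
        return 1
    fi
    return 0
}

# build_chkrootkit_cmd TRUSTED_DIR TARGET_ROOT SNIFFER_REGEX [EXCLUDE_FILE...]
# Prints the command line. Options stay separate (-q -n, not -qn) because
# chkrootkit does not accept combined options; -p points at the trusted
# tools, -r at the mounted root; -s filters the sniffer test output and
# -e is repeated once per excluded file instead of one quoted list.
build_chkrootkit_cmd() {
    trusted=$1
    root=$2
    sniffer_re=$3
    shift 3
    cmd="chkrootkit -q -n -p $trusted -r $root"
    if [ -n "$sniffer_re" ]; then
        cmd="$cmd -s '$sniffer_re'"
    fi
    for f in "$@"; do
        cmd="$cmd -e '$f'"
    done
    printf '%s\n' "$cmd"
}

# When run with arguments, validate the trusted directory and print the
# command to copy into a shell whose PATH already leads with that
# directory. Example (assumed paths):
#   sh wrapper.sh /media/usb /mnt '(systemd-networkd|NetworkManager)' /mnt/usr/bin/pstree
if [ $# -ge 3 ]; then
    check_trusted_dir "$1" || exit 1
    build_chkrootkit_cmd "$@"
fi
```

The trusted directory should live on read-only media, as the \fB\-p\fR
description suggests; the check here only confirms the helpers are present
and are not symlinks, it cannot prove they are unmodified, so compare them
against known-good hashes from a clean host before the scan.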
.SH "AUTHOR"
Manual page written by
Yotam Rubin <yotam@makif.omer.k12.il>,
Marcos Fouces <marcos@debian.org>,
Lantz Moore <lmoore@debian.org>,
and
Richard Lewis <richard.lewis.debian@googlemail.com>
for the Debian project. It may be used by others.
.SH SEE ALSO
.BR strings (1)
.BR chklastlog (8)
.BR chkwtmp (8)