Automic VaultAutomic Vault

brew

Install chkrootkit with Homebrew, apt, dnf, MacPorts

Rootkit detector. Version 0.59 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install chkrootkit

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install chkrootkit

MacPorts ports tree · sysutils/chkrootkit/Portfile · source: api.github.com

Linux

Debian aptverified · 92%
sudo apt install chkrootkit

Debian stable package indexes · chkrootkit · source: deb.debian.org

Fedora dnfverified · 92%
sudo dnf install chkrootkit

Fedora Rawhide package metadata · chkrootkit · source: dl.fedoraproject.org

overview

Package summary

Rootkit detector

Commands and aliases

  • check_wtmpx
  • chkdirs
  • chklastlog
  • chkproc
  • chkrootkit
  • chkutmp
  • chkwtmp
  • ifpromisc
  • strings-static

history

Project history and usage

chkrootkit is a long-running Unix rootkit detector that locally checks for signs of modified system binaries, log tampering, promiscuous interfaces, and kernel-module trojans.

Project history

The official README for version 0.59 credits Nelson Murilo as main author and Klaus Steding-Jessen as co-author. It describes chkrootkit as a shell-script front end plus C helpers including ifpromisc, chklastlog, chkwtmp, chkproc, chkdirs, check_wtmpx, chkutmp, and a strings replacement.

Adoption history

The README lists testing across Linux, FreeBSD, OpenBSD, NetBSD, Solaris, HP-UX, Tru64, BSDI, and Mac OS X, which explains why it became common in Unix security packaging. The input package facts show it in Homebrew, Debian, Ubuntu, Fedora/DNF, and MacPorts.

How it is used

chkrootkit is intended to be run as root, either as ./chkrootkit for all tests or with named tests such as ps, ls, and sniffer. Options include quiet mode, expert mode, an alternate root directory, and an alternate command path for checking mounted disks or avoiding possibly compromised system binaries.

Why package nerds care

For package nerds, chkrootkit is a classic security-admin utility: small, scriptable, portable, and old enough to appear in many Unix package collections. It also shows why some security tools remain tarball-first rather than source-control-first in package metadata.

Timeline

  • 2000s: README documents support for Linux 2.0 through 2.6, early BSD releases, Solaris, HP-UX, Tru64, BSDI, and Mac OS X.
  • 2026: Official README identifies version 0.59.
  • 2026: Homebrew packages chkrootkit 0.59 from the official chkrootkit.org FTP tarball.

Related projects

  • The README credits DFN-CERT tools chklastlog and chkwtmp and small portions of ifconfig by Fred N. van Kempen. It is often compared with other host compromise scanners, but its official documentation focuses on its bundled tests.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
check_wtmpxcliglobal executable
chkdirscliglobal executable
chklastlogcliglobal executable
chkproccliglobal executable
chkrootkitcliglobal executable
chkutmpcliglobal executable
chkwtmpcliglobal executable
ifpromisccliglobal executable
strings-staticcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.59
manager updated
local dataok
upstreamnot checked
latest detectednot detected

https://www.chkrootkit.org/

  • infoNo package-manager update timestamp was available.low confidence
  • infoRelease/tag comparison is only available for GitHub repositories.https://www.chkrootkit.org/none confidence

install metadata

Package metadata

Package keybrew:chkrootkit
Version0.59
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/chkrootkit
Homepagehttps://www.chkrootkit.org/
Upstream docshttps://www.chkrootkit.org/
LicenseGPL-2.0-or-later
Source archiveftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit-0.59.tar.gz
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namechkrootkit
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

chkrootkit 0.58b-5+b7

rootkit detector

https://www.chkrootkit.org/

sudo apt install chkrootkit
  • Section: misc
  • Architecture: amd64
  • Source Package: chkrootkit
  • 3 dependencies
  • 9 optional deps
  • normalized package name match
  • Matched by: Chkrootkit
Debian stable package indexes · deb.debian.org · Debian stable package indexes: chkrootkit from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Ubuntu apt95%

chkrootkit 0.58b-1

rootkit detector

https://www.chkrootkit.org/

sudo apt install chkrootkit
  • Section: universe/misc
  • Architecture: amd64
  • 1 dependencies
  • 11 optional deps
  • normalized package name match
  • Matched by: Chkrootkit
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: chkrootkit from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
dnf95%

chkrootkit 0.58-3b.fc44

Tool to locally check for signs of a rootkit

http://www.chkrootkit.org

sudo dnf install chkrootkit
  • License: BSD-2-Clause AND GPL-2.0-or-later
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: chkrootkit
  • 6 dependencies
  • 3 provides
  • normalized package name match
  • Matched by: Chkrootkit
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: chkrootkit from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
MacPorts95%

chkrootkit

sudo port install chkrootkit
  • normalized package name match
  • Matched by: Chkrootkit
MacPorts ports tree · api.github.com · MacPorts ports tree: sysutils/chkrootkit/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment