# Install chkrootkit with Homebrew, apt, dnf, MacPorts

Rootkit detector. Version 0.59 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:chkrootkit
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install chkrootkit
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install chkrootkit
```

  Evidence: MacPorts ports tree: sysutils/chkrootkit/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- Debian apt (92%):

```sh
sudo apt install chkrootkit
```

  Evidence: Debian stable package indexes: chkrootkit from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install chkrootkit
```

  Evidence: Fedora Rawhide package metadata: chkrootkit from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

## Package facts

- **Package key:** brew:chkrootkit
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/chkrootkit>
- **Version:** 0.59
- **Source summary:** Rootkit detector
- **Homepage:** <https://www.chkrootkit.org/>
- **Upstream docs:** <https://www.chkrootkit.org/>
- **License:** GPL-2.0-or-later
- **Source archive:** ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit-0.59.tar.gz
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- check_wtmpx (cli)
- chkdirs (cli)
- chklastlog (cli)
- chkproc (cli)
- chkrootkit (cli)
- chkutmp (cli)
- chkwtmp (cli)
- ifpromisc (cli)
- strings-static (cli)
- check_wtmpx (alias)
- chkdirs (alias)
- chklastlog (alias)
- chkproc (alias)
- chkrootkit (alias)
- chkutmp (alias)
- chkwtmp (alias)
- ifpromisc (alias)
- strings-static (alias)

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.59
- Local data: ok
- Upstream repository: https://www.chkrootkit.org/
- info: No package-manager update timestamp was available.
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

chkrootkit is a long-running Unix rootkit detector that locally checks for signs of modified system binaries, log tampering, promiscuous interfaces, and kernel-module trojans.

### Project history

The official README for version 0.59 credits Nelson Murilo as main author and Klaus Steding-Jessen as co-author. It describes chkrootkit as a shell-script front end plus C helpers including ifpromisc, chklastlog, chkwtmp, chkproc, chkdirs, check_wtmpx, chkutmp, and a strings replacement.

### Adoption history

The README lists testing across Linux, FreeBSD, OpenBSD, NetBSD, Solaris, HP-UX, Tru64, BSDI, and Mac OS X, which explains why it became common in Unix security packaging. The input package facts show it in Homebrew, Debian, Ubuntu, Fedora/DNF, and MacPorts.

### How it is used

chkrootkit is intended to be run as root, either as ./chkrootkit for all tests or with named tests such as ps, ls, and sniffer. Options include quiet mode, expert mode, an alternate root directory, and an alternate command path for checking mounted disks or avoiding possibly compromised system binaries.

### Why package nerds care

For package nerds, chkrootkit is a classic security-admin utility: small, scriptable, portable, and old enough to appear in many Unix package collections. It also shows why some security tools remain tarball-first rather than source-control-first in package metadata.

### Timeline

- 2000s: README documents support for Linux 2.0 through 2.6, early BSD releases, Solaris, HP-UX, Tru64, BSDI, and Mac OS X.
- 2026: Official README identifies version 0.59.
- 2026: Homebrew packages chkrootkit 0.59 from the official chkrootkit.org FTP tarball.

### Related projects

- The README credits DFN-CERT tools chklastlog and chkwtmp and small portions of ifconfig by Fred N. van Kempen. It is often compared with other host compromise scanners, but its official documentation focuses on its bundled tests.

### Sources

- <https://www.chkrootkit.org/README>
- <https://www.chkrootkit.org/>
- <https://formulae.brew.sh/api/formula/chkrootkit.json>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** chkrootkit
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Debian apt - chkrootkit - 0.58b-5+b7: normalized package name match | Debian stable package indexes: chkrootkit from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | rootkit detector | https://www.chkrootkit.org/
- Ubuntu apt - chkrootkit - 0.58b-1: normalized package name match | Ubuntu 24.04 LTS package indexes: chkrootkit from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | rootkit detector | https://www.chkrootkit.org/
- dnf - chkrootkit - 0.58-3b.fc44: normalized package name match | Fedora Rawhide package metadata: chkrootkit from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Tool to locally check for signs of a rootkit | http://www.chkrootkit.org
- MacPorts - chkrootkit: normalized package name match | MacPorts ports tree: sysutils/chkrootkit/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Homebrew utility packages](https://www.automicvault.com/pkg/brew-utility-packages/) - Matched Homebrew package provider.
- [clamav](https://www.automicvault.com/pkg/brew/clamav/) - Shares av.db curated category or tags: cli, malware-detection, security.
- [rkhunter](https://www.automicvault.com/pkg/brew/rkhunter/) - Shares av.db curated category or tags: cli, malware-detection, rootkit, security.
- [duo_unix](https://www.automicvault.com/pkg/brew/duo-unix/) - Shares av.db curated category or tags: cli, security, unix.
- [jailkit](https://www.automicvault.com/pkg/brew/jailkit/) - Shares av.db curated category or tags: cli, security, unix.
- [john](https://www.automicvault.com/pkg/brew/john/) - Shares av.db curated category or tags: cli, security, unix.
- [pwgen](https://www.automicvault.com/pkg/brew/pwgen/) - Shares av.db curated category or tags: cli, security, unix.
- [aide](https://www.automicvault.com/pkg/brew/aide/) - Shares av.db curated category or tags: cli, security.
- [aircrack-ng](https://www.automicvault.com/pkg/brew/aircrack-ng/) - Shares av.db curated category or tags: cli, security.

## Combined YAML source

View the package source record on GitHub. [combined/chkrootkit.yml](https://github.com/automic-vault/db/blob/main/combined/chkrootkit.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
