Provided by: chkrootkit_0.58b-4_amd64

NAME

       chkrootkit - Scan the system for signs of rootkits

SYNOPSIS

       chkrootkit [OPTIONS] [TEST...]

DESCRIPTION

       chkrootkit  examines  the  target  system  for  signs  that  it  has been tampered with. Some tools which
       chkrootkit uses can be found in /usr/lib/chkrootkit.

OPTIONS

       Unlike most programmes, options cannot be combined, so you need to write '-q -n' instead of '-qn'.

       -q     Enter quiet mode. This suppresses output of tests that find nothing suspicious.

       -x     Enter expert mode. This makes many tests produce additional output showing what they have found.

       -d     Enter debug mode. This shows exactly what chkrootkit is doing at every step (it  includes  running
              chkrootkit with set -x).

       -e "FILE1[ FILE2...]"
              Exclude listed files from the results of some tests. The list should be space-separated (which
              will generally require quoting when run from a shell). You can also specify -e several times. Use
              this to remove false positives from the result of many tests; see
              /usr/share/doc/chkrootkit/README.FALSE-POSITIVES.gz.

       -s REGEXP
              Similar to -e but only applies to the result of the sniffer test. This test will class standard
              network managers like systemd-networkd(1), NetworkManager(1) or wpa_supplicant(1) as packet
              sniffers. You can remove such messages from the output with something like chkrootkit -s
              '(systemd-networkd|NetworkManager|wpa_supplicant)' (you may want to use a more precise regular
              expression, see /etc/chkrootkit/chkrootkit.conf). The argument can be any regular expression
              understood by egrep(1) and is applied to every line of the output of the ifpromisc test.

       -p DIR1[:DIR2...]
              Specify an alternative $PATH. chkrootkit assumes that standard programmes, like find(1)
              and grep(1), are uncompromised. The intention is that you place trusted copies of such binaries
              where they cannot be modified and invoke with something like chkrootkit -p /media/usb.

       -r DIR Use DIR as the root directory. For example, you might mount a compromised disk on an uncompromised
              system and run chkrootkit -r /mnt.

       -n     Make some tests ignore NFS-mounted directories.

       -T FSTYPE
              Make some tests ignore file systems of type FSTYPE. This uses find(1)'s -fstype option.

       -l     Print available tests.

       -h     Print a short help message and exit.

       -V     Print version information and exit.
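       The -p and -r options above describe an offline scan: trusted copies of the tools chkrootkit relies on
       are kept on media that cannot be modified, and the suspect disk is mounted under an uncompromised
       system. The following wrapper is an added example, not part of chkrootkit or of this manual page.
       It assumes a directory of trusted tool copies and a manifest of their SHA-256 sums, both produced on
       a known-clean host (the manifest format, the directory layout and the function names are the
       example's own choices). It refuses to run the scan unless every tool in the manifest still matches,
       then invokes chkrootkit with separate flags (because -q -n cannot be written -qn) and the sniffer
       exclusion regex shown under -s.

```shell
#!/bin/sh
# Added example wrapper (hypothetical; not shipped with chkrootkit).
# Assumed layout: TOOLDIR holds trusted copies of find, grep, ... and
# MANIFEST holds one "HASH  NAME" line per tool, both made on a clean host.

# hash_file FILE: print the SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest TOOLDIR MANIFEST: record the hash of every tool in TOOLDIR.
# Run this on the clean host, then store MANIFEST alongside the tools on
# read-only media.
make_manifest() {
    : > "$2"
    for f in "$1"/*; do
        printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")" >> "$2"
    done
}

# verify_tools TOOLDIR MANIFEST: recompute every hash listed in MANIFEST.
# Returns 0 only if all tools are present and unchanged; names the rest.
verify_tools() {
    dir=$1
    bad=0
    while read -r want name; do
        [ -n "$name" ] || continue
        if [ -f "$dir/$name" ]; then
            got=$(hash_file "$dir/$name")
        else
            got=missing
        fi
        if [ "$got" != "$want" ]; then
            echo "UNTRUSTED: $name ($got)" >&2
            bad=1
        fi
    done < "$2"
    return $bad
}

# run_trusted_scan TOOLDIR MANIFEST MOUNTPOINT: verify the toolkit, then scan
# the disk mounted at MOUNTPOINT using only the trusted tools.
# Exit codes: 2 = toolkit failed verification, 3 = chkrootkit not installed,
# otherwise chkrootkit's own status.
run_trusted_scan() {
    if ! verify_tools "$1" "$2"; then
        echo "refusing to scan: trusted toolkit failed verification" >&2
        return 2
    fi
    if ! command -v chkrootkit >/dev/null 2>&1; then
        echo "chkrootkit is not installed on this host" >&2
        return 3
    fi
    # Flags are given separately: chkrootkit does not accept combined forms
    # such as -qn. -q: quiet, -n: skip NFS mounts, -p: trusted PATH,
    # -r: scan the mounted disk, -s: drop known-benign network managers
    # from the sniffer test (regex taken from the manual page).
    chkrootkit -q -n -p "$1" -r "$3" \
        -s '(systemd-networkd|NetworkManager|wpa_supplicant)'
}

# Typical use (paths are placeholders):
#   make_manifest /media/usb/tools /media/usb/tools.sha256   # on the clean host
#   run_trusted_scan /media/usb/tools /media/usb/tools.sha256 /mnt
```

       The manifest check is what turns -p into a real control: without it, a trusted-tools directory is
       only as trustworthy as the last host that wrote to it. Regenerate the manifest whenever the tool
       copies are updated, and keep it on the same read-only media as the tools.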

AUTHOR

       Manual  page  written  by Yotam Rubin <yotam@makif.omer.k12.il>, Marcos Fouces <marcos@debian.org>, Lantz
       Moore  <lmoore@debian.org>,  and  Richard  Lewis  <richard.lewis.debian@googlemail.com>  for  the  Debian
       project. It may be used by others.

SEE ALSO

       strings(1), chklastlog(8), chkwtmp(8)

                                                  Oct 23, 2021                                     chkrootkit(8)