How to run chkrootkit & rkhunter from Live CD

General Help
#1

This is my first post so please bear with me. I am running Zorin 12.4 32-bit.

I always ran rkhunter & chkrootkit right from the very operating system being tested. It comes to my attention, according to https://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/ that these things should be ran from a Live CD for the best result. It sounded like a decent idea to not test from what it is that you’re testing, so this didn’t strike me as paranoid. So this put a question mark on the validity of all of my rkhunter & chkrootkit results to date.

My question is… I put in a Live CD, but the installed chkrootkit is somewhere in the /usr directory of the subject OS, not anywhere on the Live CD. Same thing with rkhunter…

What commands would I use while in a Live CD to get to the functionality of chkrootkit & rkhunter that are installed on the OS being tested? I am confused about this operation and guidance would be greatly appreciated.

#2

Joe-S, welcome to the forum.
I believe that to run these tools as you wish, you would need to create a LiveCD with persistence. Then, install both tools to the persistent OS on the USB in the same manner as you would install them normally on the HDD of your OS.

EDIT:

1 Like
#3

That looks good. I’m going over it now.
I have a question about which Ubuntu ISO to use.
I’m running Zorin OS 12.4 32-bit.
I get the following result from running cat /proc/version :slight_smile:

Linux version 4.15.0-118-generic (buildd@lcy01-amd64-029) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #119~16.04.1-Ubuntu SMP Tue Sep 8 14:45:47 UTC 2020

Does that mean I should use Ubuntu 16.04 from https://releases.ubuntu.com/16.04.7/
for the Persistent Ubuntu USB?

#4

Yes, Zorin 12 is built off of Ubuntu 16.04 Xenial. However, You can use a copy of Zorin 12 as your LiveCD OS or any other 32bit ISO you would like to use, as well.

#5

Thank you kindly.

#6

#7

I did this and it worked out well. In the case of chkrootkit, it has the option to:

chkrootkit -r /mnt

on a mount point.

rkhunter used to have a similar

rkhunter -c -r /mnt

option, but I understand that it has been deprecated.