On Thu, 2007-11-22 at 13:48 -0500, Eric Belanger wrote:
> I am not a security expert, but isn't the reason that chkrootkit is not installed in a directory in the PATH a security one, so that malware can't find the executables to modify or delete them? Maybe keeping it out of /usr would accomplish this better.
There's no reason to install it in a different prefix. If people have root on your machine they can even hide it from chkrootkit if they want, by changing vital binaries or installing a kernel module that hides processes. I made a mix of the Knark and Adore LKMs and succeeded in bypassing these check tools a few years ago. If you have root, you can do anything to a system, including disabling the cron jobs that run chkrootkit.

Another thing: whenever you suspect you have a rootkit, make a fresh install of chkrootkit and don't rely on a single tool; there's also rkhunter, for example.
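To make the "kernel module that hides processes" point concrete, here is an added example (not code from chkrootkit, rkhunter or anyone in this thread) of the kind of cross-check such tools run: it enumerates processes two ways, through the /proc directory listing and through kill(pid, 0) probes, and reports PIDs the kernel admits exist but that are missing from /proc. Thread IDs are discarded because on Linux kill() also answers for non-leader threads, and every candidate is re-checked once to drop processes that were created between the two passes. Function names, the default probe cap and the sample PID sets in the test are this example's own assumptions; the live scan assumes Linux.

```python
"""Cross-check process visibility between two enumeration paths.

Added example, not code from the chkrootkit project or the thread's authors.
A rootkit that filters one path (say, the getdents results for /proc) but
not another (kill(pid, 0)) leaks the PIDs it hides. A kernel module that
hooks every path lies consistently, which is the thread's point: root on the
box beats any checker that runs on that box.
"""
import os
from typing import Set

PROC = "/proc"  # assumption: Linux procfs layout


def pids_from_proc(proc_root: str = PROC) -> Set[int]:
    """PIDs that appear as numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def thread_ids_from_proc(proc_root: str = PROC) -> Set[int]:
    """TIDs listed under /proc/<pid>/task for every visible process.

    Non-leader threads answer to kill(tid, 0) but have no /proc/<tid>
    directory of their own, so they must not be reported as hidden.
    """
    tids: Set[int] = set()
    for pid in pids_from_proc(proc_root):
        try:
            tids.update(int(t) for t in os.listdir(f"{proc_root}/{pid}/task") if t.isdigit())
        except (FileNotFoundError, PermissionError):  # exited or not readable
            continue
    return tids


def pid_is_alive(pid: int) -> bool:
    """kill(pid, 0) sends no signal; EPERM still proves the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pids_by_probe(max_pid: int) -> Set[int]:
    """Every PID in 1..max_pid that the kernel says exists."""
    return {pid for pid in range(1, max_pid + 1) if pid_is_alive(pid)}


def hidden_pids(proc_pids: Set[int], probed_pids: Set[int],
                known_tids: Set[int] = frozenset()) -> Set[int]:
    """PIDs alive according to the probe but absent from /proc, minus TIDs.

    Pure set logic so it can be exercised on constructed data; the live
    wrapper below feeds it real enumerations.
    """
    return (probed_pids - proc_pids) - set(known_tids)


def read_pid_max(proc_root: str = PROC, default: int = 32768) -> int:
    """Upper bound of the PID space, from /proc/sys/kernel/pid_max."""
    try:
        with open(f"{proc_root}/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def scan(max_pid: int = 0) -> list:
    """Live cross-check; returns sorted candidate PIDs after a second look.

    Order matters: /proc is listed first, then probed, so a process that
    exits in between is simply not alive at probe time. A process created
    in between shows up as a candidate and is dropped by the re-check.
    """
    limit = max_pid or read_pid_max()
    candidates = hidden_pids(pids_from_proc(), pids_by_probe(limit), thread_ids_from_proc())
    confirmed = []
    for pid in sorted(candidates):
        still_absent = not os.path.isdir(f"{PROC}/{pid}")
        if still_absent and pid_is_alive(pid) and pid not in thread_ids_from_proc():
            confirmed.append(pid)
    return confirmed


if __name__ == "__main__":
    suspects = scan()
    print("hidden PIDs:", suspects if suspects else "none found")
```

Two caveats that follow directly from the reply above: a module that hooks both the directory read and the signal path reports consistent results to this check, so a clean result proves nothing on a box where root is already lost; and, like a cron job running chkrootkit, a script living on the compromised host can be edited or silenced. Run it from a fresh copy on trusted media and compare with a second tool, as the reply suggests.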