- Install chkrootkit from trusted distribution repositories.
- Run checks from read-only trusted media when investigating compromised hosts.
- Verify the checksums of any binaries obtained from outside package repositories.
¶ Scheduling and Noise Control
- Run daily scans from a cron job or systemd timer, keeping log output in a controlled, parseable form.
- Baseline expected warnings per host role to reduce false positives.
- Alert only on new or changed high-confidence indicators.
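The three scheduling items above describe one procedure: run the scan on a timer, keep a per-host baseline of known warnings, and alert only on what is new. The POSIX shell wrapper below is an added example written for this page; it is not chkrootkit's own code and not from the original guidance. It assumes that chkrootkit is on PATH and accepts `-q` (quiet mode), that the baseline file path in `BASELINE` is writable, and that clean checks print lowercase "not infected" while findings contain "INFECTED" or "Warning". The sample output used by `demo_new_findings` is constructed so the script can be exercised without chkrootkit installed.

```shell
#!/bin/sh
# Added example (not from the page or the chkrootkit project): daily chkrootkit
# run that reports only findings absent from a per-host baseline.
# Assumptions: chkrootkit on PATH with -q support; BASELINE path is writable.

BASELINE="${BASELINE:-/var/lib/chkrootkit/baseline.txt}"   # assumed location

# Reduce raw chkrootkit output to candidate findings, one per line, sorted.
# Clean checks print "not infected"/"not found"/"nothing deleted"; flagged
# checks contain "INFECTED" or "Warning", which is what we keep.
extract_findings() {
    grep -E 'INFECTED|Warning' | grep -v 'not infected' | sort -u
}

# Print lines in the current findings file ($1) that are not in the
# baseline file ($2). Both files are sorted by extract_findings, which
# comm requires; -13 suppresses baseline-only and common lines.
new_findings() {
    comm -13 "$2" "$1"
}

# Scan, compare with the baseline, and print only new findings.
# Returns 0 when nothing new appeared (no alert), 1 when new findings
# were printed (cron mails / the timer's journal carries the report),
# 2 on an operational error. Baseline updates are deliberately manual:
# an operator reviews a new line before appending it to $BASELINE.
scan_and_compare() {
    current=$(mktemp) || return 2
    chkrootkit -q 2>&1 | extract_findings > "$current"
    [ -f "$BASELINE" ] || : > "$BASELINE"    # first run: start from an empty baseline
    report=$(new_findings "$current" "$BASELINE")
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Self-contained demonstration on constructed output (no chkrootkit needed):
# the baseline already knows one benign warning for this host role, and the
# current scan adds one genuinely new line, which is the only line reported.
demo_new_findings() {
    base=$(mktemp) || return 2
    cur=$(mktemp) || return 2
    # constructed baseline entry
    printf '%s\n' 'Checking bindshell... INFECTED (PORTS:  465)' | extract_findings > "$base"
    # constructed current output: clean lines, the known line, one new line
    printf '%s\n' \
        'Checking amd... not found' \
        'Checking bindshell... INFECTED (PORTS:  465)' \
        'Checking login... not infected' \
        'Checking lkm... chkproc: Warning: Possible LKM Trojan installed' \
        'Checking wted... chkwtmp: nothing deleted' \
        | extract_findings > "$cur"
    new_findings "$cur" "$base"
    rm -f "$base" "$cur"
}

# Invoke with --scan from cron or a systemd timer; with no argument, run the demo.
if [ "${1:-}" = "--scan" ]; then
    scan_and_compare
    exit $?
else
    demo_new_findings
fi
```

A timer or cron entry runs `chkrootkit-daily.sh --scan`; the non-zero exit plus the printed lines are the alert signal, and an empty report means nothing changed since the reviewed baseline. Because chkrootkit output is noisy per distribution and host role, the baseline file is the place where an operator records the warnings already investigated and accepted, so repeated known-benign lines never page anyone again.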
¶ Incident Handling
- Treat positive hits as triggers for investigation, not as proof of compromise.
- Cross-check findings with additional tools (AIDE, rkhunter, EDR).
- Preserve forensic artifacts before any remediation action.