refactor(scanrootkit): tighten ksym match, drop dead Suckit check

- kernel symbol matching now uses exact set membership instead of a
  substring search (fixes false positives on legitimate symbols that
  happen to contain a rootkit signature as a substring)
- remove the in-depth Suckit check and the rootkit_extra perfdata
  field; the check was dead code and could never detect a real
  getdents-hooking rootkit
- catch yaml.YAMLError broadly so a single broken signature file no
  longer crashes the whole check
- remove rootkit_extra from the Grafana panel
- document the signature scope in the README (IoC scanner, not
  defense-in-depth) and add a maintainer note with curated sources
  for new rootkit signatures

Author: markuslf

CHANGELOG.md

@@ -95,6 +95,7 @@ Monitoring Plugins:
 * php-status: always assume http://localhost/monitoring.php and, if not found, be tolerant
 * redis-status, valkey-status: modernize code and unify both plugins again after [PR #954](https://github.com/Linuxfabrik/monitoring-plugins/pull/954)
 * rocketchat-stats: improve output
+* scanrootkit: kernel symbol matching is now exact per symbol instead of a substring search, so a signature like `is_invisible` no longer accidentally matches an unrelated legitimate symbol named `is_invisible_helper`. False positives on clean systems that previously had such symbol-name collisions will disappear.
 * statuspal: replace `flatdict` dependency with a recursive approach ([#1044](https://github.com/Linuxfabrik/monitoring-plugins/issues/1044))
 * systemd-units-failed: show failed unit names in the first output line for better dashboard and SMS alert readability ([#967](https://github.com/Linuxfabrik/monitoring-plugins/issues/967))
 * updates: adapt to updated powershell.py library
@@ -105,6 +106,7 @@ Monitoring Plugins:
 Monitoring Plugins:
 
 * cpu-usage: remove `--top` parameter (the top N processes by CPU time are now reported by the procs check via `--top`)
+* scanrootkit: remove the in-depth Suckit rootkit check and the `rootkit_extra` perfdata field. The Suckit check was dead code (it created a harmless test file and then re-read it from the same Python process, which cannot detect file-hiding rootkits that hook `getdents`), and the `rootkit_extra` perfdata is no longer produced. Update Grafana panels and alerting that rely on `rootkit_extra`.
 
 
 Tools:
@@ -161,6 +163,7 @@ Monitoring Plugins:
 * redis-status, valkey-status: the `key_count` perfdata now reports the total key count across all databases instead of just the last database's key count ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * rocketchat-stats: fix crash (`AttributeError`) when reporting the user count
 * sap-open-concur-com: `--service` now validates the service name against the allowed list; previously any value was silently accepted ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
+* scanrootkit: a single signature file that fails any YAML parse stage (scanner, constructor, etc.) no longer crashes the whole check. Any `yaml.YAMLError` subclass is now caught and reported as a scan-file error, leaving the remaining signatures to scan normally.
 * starface-java-memory-usage: fix corrupted overall state in the heap and non-heap memory checks (could previously report CRIT when only WARN thresholds were exceeded, or produce an out-of-range state integer) ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * updates: fix crash on Python 3.9 when pending updates are reported
 * users: fix incorrect TTY count when SSH clients connect via IPv6 ([#989](https://github.com/Linuxfabrik/monitoring-plugins/issues/989))

check-plugins/scanrootkit/README.md

@@ -3,10 +3,11 @@
 
 ## Overview
 
-Scans the system for approximately 100 known rootkits by checking for their characteristic files, directories, and kernel symbols. New rootkit definitions can be added by dropping YAML files into the `assets` folder. Additionally performs in-depth checks for the Suckit rootkit (link count of `/sbin/init` and hidden file detection).
+Scans the system for approximately 100 known rootkits by checking for their characteristic files, directories, and kernel symbols. New rootkit definitions can be added by dropping YAML files into the `assets` folder.
 
 **Important Notes:**
 
+* This check is an indicator-of-compromise (IoC) scanner for *known* rootkits. It catches rootkits whose file paths, directory names or kernel symbol names appear in the signature list. It does not catch unknown rootkits, eBPF-based rootkits, in-memory-only implants, or rootkits that only replace existing binaries without creating new files. Treat it as one layer of defense-in-depth, not a complete anti-rootkit solution. Complement it with file integrity monitoring (AIDE, Tripwire), package verification (`rpm --verify`, `debsums`), kernel auditing (auditd), and runtime security (falco, tetragon).
 * Rootkit YAML file structure (example from `assets/scanrootkit-kbeast.yml`):
 
     ```yaml
@@ -24,15 +25,30 @@ Scans the system for approximately 100 known rootkits by checking for their char
     cl: 100
     ```
 
-* Feel free to add more rootkit definitions by submitting a pull request
+* `cl` is the confidence level in percent. Signatures with `cl < 100` are reported as "possible" rootkit items (state WARN) instead of confirmed findings. If `cl` is omitted, the signature is treated as 100% confident.
+* Kernel symbol matching is exact per symbol (using `/proc/kallsyms`), so a signature like `is_invisible` will not accidentally match an unrelated legitimate symbol named `is_invisible_helper`.
+* Feel free to add more rootkit definitions by submitting a pull request.
 * Inspired by the [Rootkit Hunter Project](https://rkhunter.sourceforge.net/), which has been inactive since 2018. All rkhunter rootkit definitions have been translated to YAML and made available with this check plugin.
 
+**Note for maintainers - sources for new rootkit signatures:**
+
+Because rkhunter is no longer updated, file-path and kernel-symbol signatures for rootkits released after ~2018 have to be collected from current threat research. When extending the signature set, prefer sources that publish concrete on-disk indicators (full file paths, directory names, kernel module names, exported symbol names). Good starting points, in alphabetical order:
+
+* [CISA cybersecurity advisories](https://www.cisa.gov/news-events/cybersecurity-advisories) - joint IoC reports, often Linux-specific
+* [ESET welivesecurity](https://www.welivesecurity.com/) - Linux malware teardowns (Ebury, FontOnLake, Kobalos) typically include an IoC appendix
+* [Intezer blog](https://intezer.com/blog/) - Linux threat analyses
+* [Kaspersky Securelist](https://securelist.com/) - Symbiote, HiatusRAT and similar
+* [MITRE ATT&CK T1014 Rootkit](https://attack.mitre.org/techniques/T1014/) and linked software entries
+* [Sandfly Security blog](https://sandflysecurity.com/blog) - specializes in Linux forensics, regularly publishes file-path IoCs
+* [Sysdig threat research](https://sysdig.com/blog/topic/threat-research/), [CrowdStrike](https://www.crowdstrike.com/en-us/blog/category/threat-intel-research/), [Mandiant](https://cloud.google.com/security/resources/insights) - mixed IoC quality, worth checking
+
+Signatures should be strong enough to avoid false positives on a clean system. Prefer uncommon, rootkit-specific file paths (e.g. `/usr/_h4x_/`) over generic ones (`/tmp/.X11-unix`) and exact kernel symbol names over substrings. If a signature is only partially reliable, set `cl` below 100 so the plugin reports it as "possible" instead of "confirmed".
+
 **Data Collection:**
 
 * Loads rootkit definitions from YAML files in the `assets` directory
 * Checks for rootkit-specific files and directories on the filesystem
 * Scans kernel symbols (`/proc/kallsyms` or `/proc/ksyms`) for rootkit indicators
-* Performs extra checks for Suckit rootkit (link count of `/sbin/init`, hidden file detection via `.xrk` and `.mem` suffixes)
 
 
 ## Fact Sheet
@@ -76,7 +92,7 @@ options:
 Output:
 
 ```text
-Found 1 rootkit item and 0 extra items. 3 possible rootkit items found. 
+Found 1 rootkit item. 3 possible rootkit items found. [CRITICAL]
 Rootkits:
 * ENYE LKM v1.1, v1.2: /etc/.enyelkmHIDE^IT.ko (File)
 Possible Rootkits:
@@ -89,7 +105,7 @@ Possible Rootkits:
 ## States
 
 * OK if no rootkit indicators are found.
-* WARN or CRIT (depending on `--severity`, default: CRIT) if confirmed rootkit items or in-depth scan items are found.
+* WARN or CRIT (depending on `--severity`, default: CRIT) if confirmed rootkit items are found.
 * WARN if only possible rootkit items are found (confidence level below 100%), regardless of the selected severity.
 * UNKNOWN if no rootkit definition files are found in the `assets` directory.
 
@@ -98,7 +114,6 @@ Possible Rootkits:
 
 | Name | Type | Description |
 |----|----|----|
-| rootkit_extra | Number | Number of rootkit items found by the in-depth scan. |
 | rootkit_items | Number | The number of confirmed rootkit items found on the system. |
 | rootkit_possible | Number | Number of possible rootkit items found on the system. |
 

check-plugins/scanrootkit/grafana/scanrootkit.yml

@@ -109,33 +109,6 @@ spec:
         operator: '='
         value: rootkit_items
 
-    - alias: rootkit_extra
-      refId: rootkit_extra
-      groupBy:
-      - params:
-        - $interval
-        type: time
-      measurement: $command
-      resultFormat: time_series
-      select:
-      - - params:
-          - value
-          type: field
-        - params: []
-          type: mean
-      tags:
-      - key: hostname
-        operator: '='
-        value: $hostname
-      - condition: AND
-        key: service
-        operator: '='
-        value: $service
-      - condition: AND
-        key: metric
-        operator: '='
-        value: rootkit_extra
-
     - alias: rootkit_possible
       refId: rootkit_possible
       groupBy:

check-plugins/scanrootkit/scanrootkit

@@ -28,10 +28,10 @@ except ImportError:
 
 
 __author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
-__version__ = '2026040801'
+__version__ = '2026041301'
 
 DESCRIPTION = """Scans the system for approximately 100 known rootkits by checking for their
-characteristic files, directories, and kernel modules. New rootkit definitions can
+characteristic files, directories, and kernel symbols. New rootkit definitions can
 be added by dropping YAML files into the assets folder.
 Alerts when rootkit indicators are found."""
 
@@ -63,40 +63,24 @@ def parse_args():
     return args
 
 
-def extra_rootkit_checks():
-    """This function carries out some extra checks for rootkits.
-    Return '' if nothing is found, else a string indicating what has been found.
+def load_kernel_symbols():
+    """Read `/proc/kallsyms` (or legacy `/proc/ksyms`) and return the set of
+    exact kernel symbol names. Using a set gives us whole-symbol matching
+    instead of the substring matching a raw `str in file` would do, which
+    previously triggered on partial matches like `is_invisible_helper`
+    shadowing the `is_invisible` rootkit signature.
     """
-    result = []
-
-    # === Extra checks for Suckit rootkit
-
-    # Check the link count of the '/sbin/init' file.
-    #    1 is okay
-    #   >1 means that suckit may be installed
-    try:
-        stat_info = os.stat('/sbin/init')
-    except FileNotFoundError:
-        return result
-    except Exception:
-        return result
-    if stat_info.st_nlink > 1:
-        result.append('* More than one link in `/sbin/init`. Check for Suckit Rootkit.')
-
-    # Check to see if certain files are being hidden. These files have the '.xrk' or '.mem' suffix.
-    files = [
-        lib.disk.get_tmpdir() + '/linuxfabrik-monitoring-plugins-scanrootdir.mem',
-        lib.disk.get_tmpdir() + '/linuxfabrik-monitoring-plugins-scanrootdir.xrk',
-    ]
-    for file in files:
-        lib.base.coe(lib.disk.write_file(file, 'suckitexttest'))
-        if not lib.disk.file_exists(file):
-            result.append(
-                f'* `{file}` created and is now hidden. Check for Suckit Rootkit.'
-            )
-        _, _ = lib.disk.rm_file(file)
-
-    return result
+    content = ''
+    if lib.disk.file_exists('/proc/kallsyms', allow_empty=True):
+        content = lib.base.coe(lib.disk.read_file('/proc/kallsyms'))
+    elif lib.disk.file_exists('/proc/ksyms', allow_empty=True):
+        content = lib.base.coe(lib.disk.read_file('/proc/ksyms'))
+    ksyms = set()
+    for line in content.splitlines():
+        parts = line.split()
+        if len(parts) >= 3:
+            ksyms.add(parts[2])
+    return ksyms
 
 
 def main():
@@ -126,13 +110,8 @@ def main():
         relative=False,
     )
 
-    # get the kernel symbols file
-    if lib.disk.file_exists('/proc/kallsyms', allow_empty=True):
-        ksyms_file = lib.base.coe(lib.disk.read_file('/proc/kallsyms'))
-    elif lib.disk.file_exists('/proc/ksyms', allow_empty=True):
-        ksyms_file = lib.base.coe(lib.disk.read_file('/proc/ksyms'))
-    else:
-        ksyms_file = ''
+    # get the set of exact kernel symbol names
+    ksyms = load_kernel_symbols()
 
     # analyze system
     for rootkit in rootkits:
@@ -159,48 +138,43 @@ def main():
                         rkfound.append(f'* {rk["name"]}: {item} (Dir)')
 
             # scan kernel symbols for signs of rootkits or other malicious software
-            if not ksyms_file:
+            if not ksyms:
                 continue
             for item in rk['ksyms']:
-                if item in ksyms_file:
+                if item in ksyms:
                     if 'cl' in rk and rk['cl'] < 100:
                         rkpossible.append(f'* {rk["name"]}: {item} (Kernel Symbol)')
                     else:
                         rkfound.append(f'* {rk["name"]}: {item} (Kernel Symbol)')
 
         except KeyError as e:
-            # missing an yaml attribute like 'files' or 'dirs'
+            # missing a yaml attribute like 'files' or 'dirs'
             errors.append(f'* {os.path.basename(rootkit)}: Key Error {e}')
-        except yaml.parser.ParserError:
-            # got yaml file that is syntactically wrong
-            errors.append(f'* {os.path.basename(rootkit)}: YAML syntax error')
-
-    rkextra = extra_rootkit_checks()
+        except yaml.YAMLError as e:
+            # got a yaml file that is broken in any way
+            errors.append(f'* {os.path.basename(rootkit)}: YAML error: {e}')
 
     # build the message
     if rkscanned == 0:
         lib.base.cu(f'No rootkit definition files found in `{rkdef_path}`.')
-    if not rkfound and not rkpossible and not rkextra:
+    if not rkfound and not rkpossible:
         msg += (
             f'Everything is ok. Scanned for {rkscanned}'
             f' {lib.txt.pluralize("rootkit", rkscanned)}.'
         )
     else:
         if rkpossible:
             state = lib.base.get_worst(state, STATE_WARN)
-        if rkfound or rkextra:
+        if rkfound:
             state = lib.base.get_worst(state, lib.base.str2state(args.SEVERITY))
         msg += (
             f'Found {len(rkfound)} rootkit'
-            f' {lib.txt.pluralize("item", len(rkfound))}'
-            f' and {len(rkextra)} extra'
-            f' {lib.txt.pluralize("item", len(rkextra))}.'
+            f' {lib.txt.pluralize("item", len(rkfound))}.'
             f' {len(rkpossible)} possible rootkit'
             f' {lib.txt.pluralize("item", len(rkpossible))}'
             f' found. {lib.base.state2str(state)}'
         )
         msg += '\nRootkits:\n' + '\n'.join(rkfound) if rkfound else ''
-        msg += '\nIn-depth scan:\n' + '\n'.join(rkextra) if rkextra else ''
         msg += '\nPossible Rootkits:\n' + '\n'.join(rkpossible) if rkpossible else ''
     msg += '\nScanfile Errors:\n' + '\n'.join(errors) if errors else ''
 
@@ -209,11 +183,6 @@ def main():
         len(rkfound),
         _min=0,
     )
-    perfdata += lib.base.get_perfdata(
-        'rootkit_extra',
-        len(rkextra),
-        _min=0,
-    )
     perfdata += lib.base.get_perfdata(
         'rootkit_possible',
         len(rkpossible),

check-plugins/scanrootkit/unit-test/run

@@ -34,7 +34,7 @@ class TestCheck(unittest.TestCase):
         lib.disk.write_file('/tmp/.cinik', 'test02')
         stdout, stderr, retc = lib.base.coe(lib.shell.shell_exec(self.check))
         self.assertIn(
-            'Found 2 rootkit items and 0 extra items. 0 possible rootkit items found. [CRITICAL]',
+            'Found 2 rootkit items. 0 possible rootkit items found. [CRITICAL]',
             stdout,
         )
         self.assertIn('Rootkits:', stdout)
@@ -51,7 +51,7 @@ class TestCheck(unittest.TestCase):
         )
 
         self.assertIn(
-            'Found 2 rootkit items and 0 extra items. 0 possible rootkit items found. [WARNING]',
+            'Found 2 rootkit items. 0 possible rootkit items found. [WARNING]',
             stdout,
         )
         self.assertIn('Rootkits:', stdout)