-b       Force brute-force tests even if previous tests found hidden PID(s). The brute-force tests are skipped by default if the system is already identified as compromised.
-c num   Set the maximum number of double checks for suspicious PID(s). The lower the number, the more false positives you get. If you use 0, then the highest possible integer value is used. It stops automatically once no changes are found between two runs. On low-load systems even -c 1000 will just use two rounds.
-f       Search for process name fakes more sensitively. This will increase the rate of false positives! This option can be given multiple times.
If used, revealrk will output itself as hidden. Most useful in combination with -s to see syslog output.
-h       Print help text on stdout with all options and exit.
-l       List all tests and exit. Tests with a leading + are activated, with - are disabled and with _ are unavailable.
-m num   Manually set the maximum PID to the given number and disable auto-detection.
-o       Omit the signature check.
-p       Set process priority to maximum (nice -20).
-q       Do not print any messages to stdout. Useful in combination with -s.
-r       System uses random PIDs, so more brute-force forking is needed. This option can be given multiple times.
-s       Log the result also to syslog. See -q to suppress output on stdout.
-T secs  Set the timeout to the given number of seconds. This timeout is used for the entire run of revealrk and is disabled by default (see -t).
-t secs  Set the timeout between checks to the given number of seconds. This timeout is used by default to kill hanging revealrk processes or to identify systems where it takes too much time to complete the check. You can't mix -t with -T, but you can disable the timeout by using 0 seconds.
-v       Verbose output. This option can be given multiple times.
-w file  Write output to file instead of stdout.
Print revealrk version and exit.
0       all ok, nothing found
1-99    number of hidden processes found
100     more than 99 hidden processes found
101     initializing errors
102     can't open /proc
103     out of memory
104     null pointer to bitmap
105     calling ps command failed
106     fork errors
107     found higher PID number than maxpid
108     timed out
Don't expect to find every rootkit with revealrk, so getting an OK doesn't mean your system is clean.
You may see false positives in some rare cases of zombies. You can avoid this by using the -z option.
The brute-force tests may cause false positives too, especially on systems with fast-forking processes. Random PIDs, as on OpenBSD, are also a source of false positives. You may reduce that by adding one or more -r options, which will slow down the entire check, or by using -c 0.
You can compile revealrk on systems other than Linux, but some tests aren't available on every system. You can check that by calling revealrk with the -l option.
revealrk
        Basic call; will do the job in most cases.
revealrk -vv
        Increase verbosity for interactive calls.
revealrk -p -q -rr -s -t 900
        Run with highest priority, write messages to syslog instead of stdout, do two more brute-force cycles to reduce false positives, and increase the timeout.
revealrk -vfork -pthread +fake_name
        Disable the brute-force tests, but search for process name fakers. Fake process name detection will produce a lot of false positives, but you may find processes running in the user space of compromised accounts.
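An added example for unattended runs (not part of revealrk or this manual): a wrapper that builds the call from the syslog example above and maps the exit status table into alert lines for a cron job. REVEALRK_BIN and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of revealrk: a cron-friendly wrapper that runs
# revealrk unattended and turns its exit status into a syslog alert line.
# Assumptions: revealrk is on PATH or named in REVEALRK_BIN; the variable
# and function names here are made up for this example.

# Map a revealrk exit status to a one-line verdict, following the exit
# status table of this manual page. Prints "LEVEL: message" where LEVEL
# is OK, ALERT (hidden processes) or ERROR (the check did not complete).
revealrk_verdict() {
    status=$1
    case $status in
        0)   echo "OK: nothing found (an OK does not prove the system is clean)" ;;
        100) echo "ALERT: more than 99 hidden processes found" ;;
        101) echo "ERROR: initializing errors" ;;
        102) echo "ERROR: cannot open /proc" ;;
        103) echo "ERROR: out of memory" ;;
        104) echo "ERROR: null pointer to bitmap" ;;
        105) echo "ERROR: calling ps command failed" ;;
        106) echo "ERROR: fork errors" ;;
        107) echo "ERROR: found higher pid number than maxpid" ;;
        108) echo "ERROR: timed out (raise -t, or use -T for a whole-run limit)" ;;
        *)
            if [ "$status" -ge 1 ] && [ "$status" -le 99 ]; then
                echo "ALERT: $status hidden process(es) found"
            else
                echo "ERROR: unexpected revealrk exit status $status"
            fi ;;
    esac
}

# Unattended run: highest priority, quiet stdout, results to syslog, a 900 s
# between-check timeout, plus one -r per extra brute-force round requested
# (each -r slows the check but cuts false positives on fast-forking hosts).
# Usage: revealrk_check [extra_rounds]; returns revealrk's own exit status.
revealrk_check() {
    rounds=${1:-0}
    set -- -p -q -s -t 900
    i=0
    while [ "$i" -lt "$rounds" ]; do
        set -- "$@" -r
        i=$((i + 1))
    done
    "${REVEALRK_BIN:-revealrk}" "$@" && rc=0 || rc=$?
    revealrk_verdict "$rc" | logger -t revealrk-check 2>/dev/null || true
    return "$rc"
}
```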
RevealRK does not use any configuration files.
Report revealrk bugs to Juergen.Kahnert@DESY.de
unhide(1), rkhunter(1), chkrootkit(1)
Reveal RootKit 1.0                    REVEALRK (1)                    2012-12-13