grub-btrfs automount issue with chkrootkit (Kali default)

[uduntuntu]

┌──(utu㉿siem)-[~]
└─$ sensors                        
coretemp-isa-0000
Adapter: ISA adapter
Package id 0:  +96.0°C  (high = +86.0°C, crit = +100.0°C)
Core 0:        +91.0°C  (high = +86.0°C, crit = +100.0°C)
Core 1:        +96.0°C  (high = +86.0°C, crit = +100.0°C)

acpitz-acpi-0
Adapter: ACPI interface
temp1:        +95.0°C  

thinkpad-isa-0000
Adapter: ISA adapter
fan1:        4394 RPM
pwm1:            128%

BAT0-acpi-0
Adapter: ACPI interface
in0:          12.35 V  
power1:        0.00 W  

                                                                                                 
┌──(utu㉿siem)-[~]
└─$ ps H -eo pid,user,cmd --sort=-%cpu | head -n 25
    PID USER     CMD
  23578 root     /usr/bin/dpkg-query --search -- /tmp/grub-btrfs.UWTpTukADN/@.snapshots/6/snapshot/usr/share/exploitdb/exploits/hardware/webapps/35751.pl
      1 root     /usr/lib/systemd/systemd --system --deserialize=66 splash
   9996 root     /usr/bin/find /tmp/ -executable -type f -print0
    643 root     /usr/lib/systemd/systemd-logind
    263 root     [kworker/u16:5-btrfs-endio]
     42 root     [kworker/u16:3-btrfs-endio-write]
     66 root     [kswapd0]
    336 root     [btrfs-transaction]
     12 root     [kworker/u16:0-btrfs-endio-write]
     41 root     [kworker/u16:2-btrfs-flush_delalloc]
    265 root     [kworker/u16:7-btrfs-endio]
   2866 utu      -zsh
    640 message+ /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
     52 root     [kcompactd0]
   6257 root     [kworker/u16:12-btrfs-flush_delalloc]
    196 root     [kworker/3:1H-kblockd]
    266 root     [kworker/u16:8-btrfs-endio-write]
     15 root     [rcu_preempt]
   9997 root     /usr/bin/xargs -0 -I@ ./check_if_debian @ /usr/bin/dpkg-query
   4611 root     [kworker/u16:10-btrfs-endio-write]
     36 root     [ksoftirqd/3]
   2775 utu      sshd-session: utu@pts/0
   2865 utu      sshd-session: utu@pts/2
     14 root     [ksoftirqd/0]
                                                                                                 
┌──(utu㉿siem)-[~]
└─$ sudo pkill -f chkrootkit       
                                                                                                 
┌──(utu㉿siem)-[~]
└─$ sudo umount /tmp/grub-btrfs.UWTpTukADN         

I have installed snapper, grub-btrfs and btrfs-progs. The platform is old laptop and I've noticed very high temperatures and laggy UI. When debugging issues, I noticed that there's always mountpoint under /tmp with name grub-btrfs. and that's issue because Kali have chkrootkit software installed by default which scans executables in /tmp. Because there's snapshot of root filesystem which is not tmp filesystem, it check all executables against vulnerability database and that's pretty costly for CPU.

AI (ChatGPT) suggested to add into /etc/default/grub-btrfs/config a line "GRUB_BTRFS_AUTO_MOUNT=false" which is doing nothing.

Is it possible to disable automounting entirely? I've tested snapper rollback which creates RW copy of RO snapshot and allows boot into that snapshot. I'm pretty sure that I'm nowadays running live filesystem without specific branching and snapper timeline snapshots are working well. Also this grub-btrfs. uuid-like string is different in every boot, so I think grub-btrfs is just mounting newest snapshot under /tmp for some reason I don't undestand.

Meanwhile after last copypaste I noticed that there's new grub-btrfs-mountpoint:

┌──(utu㉿siem)-[~]
└─$ mount           
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=5957376k,nr_inodes=1489344,mode=755,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=600,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=1212868k,mode=755,inode64)
/dev/sda4 on / type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=333,subvol=/@)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
none on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=41,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=8272)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,pagesize=2M)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
/dev/sda4 on /.snapshots type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=257,subvol=/@.snapshots)
/dev/sda4 on /root type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=259,subvol=/@root)
/dev/sda4 on /home type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=258,subvol=/@home)
/dev/sda4 on /srv type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=260,subvol=/@srv)
/dev/sda4 on /var/log type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=263,subvol=/@var@log)
/dev/sda4 on /usr/local type btrfs (rw,relatime,ssd,discard=async,space_cache=v2,subvolid=262,subvol=/@usr@local)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,inode64)
/dev/sda3 on /boot type ext4 (rw,relatime)
/dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
sunrpc on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=1212864k,nr_inodes=303216,mode=700,uid=1000,gid=1000,inode64)
none on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
none on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,inode64,noswap)
/dev/sda4 on /tmp/grub-btrfs.aUsx8nshS5 type btrfs (ro,relatime,ssd,discard=async,space_cache=v2,subvolid=5,subvol=/)

[uduntuntu]

Actually it looks like after "apt full-upgrade" and reboot, unmount is happening as intended and problem is non-existent anymore.

[uduntuntu]

Aaaand yet again.....

┌──(utu㉿siem)-[~]
└─$ journalctl -xeu grub-btrfs.service             
Dec 03 00:00:31 siem bash[111005]: Found snapshot: 2025-10-31 09:52:04 | @.snapshots/605/snapshot                  >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-31 09:51:41 | @.snapshots/604/snapshot                  >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-31 09:26:12 | @.snapshots/603/snapshot                  >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-31 00:00:03 | @.snapshots/593/snapshot                  >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-30 00:00:03 | @.snapshots/569/snapshot                  >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-29 00:00:04 | @.snapshots/545/snapshot                  >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-23 12:00:57 | @.snapshots/413/snapshot                  >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-23 12:00:47 | @.snapshots/412/snapshot                  >
Dec 03 00:00:32 siem bash[111005]: Found snapshot: 2025-10-23 08:23:56 | @.snapshots/407/snapshot                  >
Dec 03 00:00:32 siem bash[111005]: Found 50 snapshot(s)
Dec 03 00:00:32 siem bash[112581]: submenu 'Kali GNU/Linux snapshots' {
Dec 03 00:00:32 siem bash[112581]:     configfile "${prefix}/grub-btrfs.cfg"
Dec 03 00:00:32 siem bash[112581]: }
Dec 03 00:00:50 siem bash[111005]: Unmount /tmp/grub-btrfs.XH5N5bmuoH ...........
Dec 03 00:00:50 siem bash[111005]: Warning: Unable to unmount /dev/sda4 in /tmp/grub-btrfs.XH5N5bmuoH
Dec 03 00:00:50 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ The unit grub-btrfs.service has successfully entered the 'dead' state.
Dec 03 00:00:50 siem systemd[1]: Finished grub-btrfs.service - Regenerate grub-btrfs.cfg.
░░ Subject: A start job for unit grub-btrfs.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit grub-btrfs.service has finished successfully.
░░ 
░░ The job identifier is 9536.
Dec 03 00:00:50 siem systemd[1]: grub-btrfs.service: Consumed 2.071s CPU time over 20.006s wall clock time, 6.2M me>
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ The unit grub-btrfs.service completed and consumed the indicated resources.

I have no idea how I should configure things correctly using Kali. There's seemingly a combination with systemd-scheduled snapper, cron-scheduled chkrootkit and grub-btrfs running update-grub in same time when chkrootkit is starting to scan filesystem. I kinda want to keep chkrootkit running if planning to run siem on old laptop. It's most likely that I'm going to uninstall grub-btrfs is that cannot generate exclude rule for chkrootkit for it's RO /tmp mount during update-grub.

┌──(utu㉿siem)-[~]
└─$ ps H -eo pid,user,cmd --sort=-%cpu | head -n 25
    PID USER     CMD
 174363 root     /bin/dpkg-query --search -- /tmp/grub-btrfs.XH5N5bmuoH/@.snapshots/6/snapshot/usr/share/exploitdb/exploits/linux/webapps/17941.rb
 174318 root     /usr/bin/dpkg-query --search -- /tmp/grub-btrfs.XH5N5bmuoH/@.snapshots/6/snapshot/usr/share/exploitdb/exploits/linux/dos/24951.pl
 126078 root     /bin/sh /usr/sbin/lynis audit system --cronjob
  13473 xrdp     /usr/sbin/xrdp
  13685 utu      x-terminal-emulator
  13803 utu      top
  13479 utu      /usr/lib/xorg/Xorg :10 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log
 115337 root     /bin/find /tmp/ -executable -type f -print0
  13553 utu      i3bar --bar_id=bar-0 --socket=/run/user/1000/i3/ipc-socket.13478
 107249 root     [kworker/u16:1-btrfs-endio-write]
 118094 root     /usr/bin/find /tmp/ -executable -type f -print0
 107251 root     [kworker/u16:5-btrfs-endio-write]
  15322 utu      x-terminal-emulator
  13561 utu      i3blocks
 115338 root     /bin/xargs -0 -I@ ./check_if_debian @ /bin/dpkg-query
 118095 root     /usr/bin/xargs -0 -I@ ./check_if_debian @ /usr/bin/dpkg-query
  97880 root     [kworker/u16:6-events_unbound]
  92946 root     [kworker/3:2-events]
      1 root     /usr/lib/systemd/systemd --system --deserialize=63 splash
  15325 utu      /usr/bin/zsh
     15 root     [rcu_preempt]
  13622 utu      x-terminal-emulator
    336 root     [btrfs-transaction]
 109969 root     /bin/sh /sbin/chkrootkit -q

sensors:

coretemp-isa-0000
Adapter: ISA adapter
Package id 0:  +97.0°C  (high = +86.0°C, crit = +100.0°C)
Core 0:        +97.0°C  (high = +86.0°C, crit = +100.0°C)
Core 1:        +95.0°C  (high = +86.0°C, crit = +100.0°C)

acpitz-acpi-0
Adapter: ACPI interface
temp1:        +96.0°C

thinkpad-isa-0000
Adapter: ISA adapter
fan1:        4389 RPM
pwm1:            128%

BAT0-acpi-0
Adapter: ACPI interface
in0:          12.35 V
power1:        0.00 W

[uduntuntu]

It looks to me like chkrootkit is scanning filesystem occasionally in same moment when grub-btrfs is generating grub.cfg. Is it possible to somehow mount snapshots into /tmp with mountoption -noexec ?

I think that way chkrootkit could skip the mountpoint entirely.

┌──(utu㉿siem)-[~]
└─$ journalctl -u grub-btrfs.service --since "3 days ago" | grep -A1 Unmount
Dec 02 15:35:04 siem bash[1049]: Unmount /tmp/grub-btrfs.UWTpTukADN ...........
Dec 02 15:35:04 siem bash[1049]: Warning: Unable to unmount /dev/sda4 in /tmp/grub-btrfs.UWTpTukADN
--
Dec 02 15:37:33 siem bash[2981]: Unmount /tmp/grub-btrfs.lIvHQODeOM .. Success
Dec 02 15:37:33 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 15:47:15 siem bash[21280]: Unmount /tmp/grub-btrfs.qXxFNQLwcX .. Success
Dec 02 15:47:15 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 16:00:21 siem bash[24380]: Unmount /tmp/grub-btrfs.aUsx8nshS5 ...........
Dec 02 16:00:21 siem bash[24380]: Warning: Unable to unmount /dev/sda4 in /tmp/grub-btrfs.aUsx8nshS5
--
Dec 02 16:19:50 siem bash[820]: Unmount /tmp/grub-btrfs.baoGEuWmno .. Success
Dec 02 16:19:50 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 16:29:50 siem bash[4991]: Unmount /tmp/grub-btrfs.QkGkCHCODp .. Success
Dec 02 16:29:50 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 17:00:10 siem bash[6496]: Unmount /tmp/grub-btrfs.CYG8R8tIO1 .. Success
Dec 02 17:00:10 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 18:00:10 siem bash[10190]: Unmount /tmp/grub-btrfs.BetBki3ANa .. Success
Dec 02 18:00:10 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 19:00:10 siem bash[11713]: Unmount /tmp/grub-btrfs.yKhOssW4Pu .. Success
Dec 02 19:00:10 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 20:00:32 siem bash[28353]: Unmount /tmp/grub-btrfs.dp3g4MTLwF .. Success
Dec 02 20:00:32 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 21:00:10 siem bash[48367]: Unmount /tmp/grub-btrfs.joQ4J1pLSE .. Success
Dec 02 21:00:10 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 22:00:32 siem bash[68653]: Unmount /tmp/grub-btrfs.hqtkpp7kqT .. Success
Dec 02 22:00:32 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 02 23:00:20 siem bash[88720]: Unmount /tmp/grub-btrfs.u949EPEvut .. Success
Dec 02 23:00:20 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 03 00:00:50 siem bash[111005]: Unmount /tmp/grub-btrfs.XH5N5bmuoH ...........
Dec 03 00:00:50 siem bash[111005]: Warning: Unable to unmount /dev/sda4 in /tmp/grub-btrfs.XH5N5bmuoH
--
Dec 03 11:31:24 siem bash[895]: Unmount /tmp/grub-btrfs.DRxYiRxmpB .. Success
Dec 03 11:31:24 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 03 11:41:19 siem bash[2501]: Unmount /tmp/grub-btrfs.WZFHen3lTl .. Success
Dec 03 11:41:19 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 03 12:00:07 siem bash[4117]: Unmount /tmp/grub-btrfs.pdf0xkF8wh .. Success
Dec 03 12:00:07 siem systemd[1]: grub-btrfs.service: Deactivated successfully.
--
Dec 03 13:00:03 siem bash[7915]: Unmount /tmp/grub-btrfs.hbGQCTHmkp .. Success
Dec 03 13:00:03 siem systemd[1]: grub-btrfs.service: Deactivated successfully.

[uduntuntu]

I patched the 41_snapshots-btrfs script to mount snapshots with noexec flag and created a pull request. Then I noticed that same chkrootkit is then checking php files which lead myself to their upstream and try continue debugging with their developers. The issue could be rooted to defectdojo software which comes with Kali linux by default.

I think that my patch is valid still.