Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am looking for a tool that can sweep a system (linux for now) that can find all of the binaries, ID their version info, and then report on if it's outdated and/or needs a patch. And, if the file has no good meta data info just flag it in a report as "suspect".
Does anything like this exist? If not, how would you create a script that can do it?
Last edited by Linux_Kidd; 05-06-2020 at 02:04 PM.
Use the package system of the Linux distro. Is this not sufficient? This is exactly what package management systems are supposed to do. What distribution of Linux are you running?
That's only good if the binary was installed via the package system. We are doing threat hunting, and native package tools are rather useless if a "bad" (un-wanted) binary is copied down to the filesystem, like via gunzip or other ways, etc.
Take a look at OpenVAS. IIRC, it did some amount of scanning for non-managed binaries, but only on a few popular distros. This requires that an ssh account be created so that the tool can log in and check. It's quite complicated, and may be more than you're looking for.
Some thoughts:
"Binaries" means (to me) a compiled program, so "not a text file". One could use find to identify such. See the -type test.
Scripts are not necessarily compiled, but may be executable. Again the find command has an -executable test.
Use find to search for what's present; compare to a list of what should be present*. Things it finds that are not on the list are suspect.
*That's going to be the hard part. Maybe build a "clean" system and compile the list from that?
Finding the file type is not the ask here. I can find what I want, then need to strip out the meta data of the file, and then somehow go lookup if there's a newer version or not, or perhaps just a patch available. Everything past the 'find' part is the challenge.
Can essentially also do some reverse weeding, try and ID the package the file came from, and then see if that package has updates available or not, but for items that did not come from a package install, need to somehow see if it perhaps has associated vulns, and if such item has updates or patches available.
It's not an easy task, and it's a gap my sec team has identified. Sure, we can flag it as "suspicious" if it did not come from a package, but doing all the manual work beyond that is not very practical when you look at enterprise scale. And it's why I was looking for any existing COTS tools that may do it.
We will look at OpenVAS to see what it can/cannot do.
Last edited by Linux_Kidd; 05-08-2020 at 05:52 PM.
Originally Posted by Linux_Kidd
I am looking for a tool that (...) can find all of the binaries
That implies a certain file type - that of a binary.
No, I wrote:
Quote:
I am looking for a tool that can sweep a system (linux for now) that can find all of the binaries, ID their version info, and then report on if it's outdated and/or needs a patch.
Yes, file type of binary. So what's your question?
VT has some new threat intel stuff going, but I don't yet see they have what I am looking for, I reached out to them.
I mean, if binary file was infected app will send some data to hacker. Is it possible to check transfer via socket? Can i know if you found the solution?
Will let network and/or HIDS technology try to detect that.
I am only looking to ID programs that may have vulns associated with them, and the availability of a fix.
No solution just yet. We use Qualys for a lot of scanning/compliance/reporting, and we are a var-partner and are working with them to get this feature put into their product. Some development work is in motion but nobody wants to commit to an ETA.
The hard part of your ask is identifying the unmanaged binary and then checking if it is current.
If you find a binary named foxitreader.bin, how do you expect to get version info? I would imagine you need to use strings or some such program to try to determine the version info. Then figure out the website and check what is current.
What about some Python file just named runme.py inside a directory named for some legit sounding project. Technically not a binary, so you may need to expand your search. Python 2 is being phased out, will checking for Python 3 versions be included?
I don't think there is any open source tool that can do this. Seems like something a security company builds and charges people to use.
Quote:
Originally Posted by JJJCR
Normally, is there a specific extension for those binaries? Or a file can exist without extension but is considered a binary file?
File extensions are mostly a crutch for humans. Much of UNIX and Linux doesn't, in general, rely on file extensions to determine what to do with files [1]. My scripts -- shell, Perl, or Python (except modules) -- tend to not have file extensions (see file(1)). Compiled programs? The same---although file(1) is unable to tell you what the source language was.
I'm not sure if there's any easier way to check for packages that need an update/patch than to issue something like:
Code:
zypper list-updates -a
or whatever the equivalent is on your systems' distributions.
As for those "suspect" executables, if you're considering a roll-your-own solution: Don't package managers have the ability to list all the files contained in a specified package? Comparing a list of all files that are part of each installed package against a list of all executables found on the system ought to reveal those "suspects". Something like:
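As an added example (it is not code from the thread, nor from OpenVAS, Qualys or any other tool named in it), here is a POSIX shell sketch of the roll-your-own approach described in this post and in the earlier find-based one: inventory every regular executable under a root, classify each by its magic bytes as ELF or script (so a runme.py is not missed just because it is "not a binary"), drop everything a manifest of known-good paths accounts for, and pull a best-effort version string out of the rest the way strings(1) would. The directory layout, sample files and manifest are constructed for the demo; on a real host the manifest would be built from a clean image or from the package manager's own file lists (dpkg -S / rpm -qf answers). The last step the thread asks for, checking whether that version has a fix available, is not automated here.

```shell
#!/bin/sh
# Added example: inventory unmanaged executables and guess their versions.
# Everything under "constructed demo" is fake data made up for this demo.
set -eu

# Classify a file by its first 4 bytes: 7f 45 4c 46 is the ELF magic,
# 23 21 is "#!" (a script with an interpreter line). Cheap on big trees.
file_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo elf ;;
        2321*)    echo script ;;
        *)        echo other ;;
    esac
}

# Best-effort version: turn every non-printable byte into a newline (so grep
# never sees a "binary file"), then take the first N.N[.N] token. Heuristic
# only: on a real ELF the first hit may be a library symbol version instead.
guess_version() {
    tr -c '[:print:]' '\n' < "$1" \
      | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1 || true
}

# Print "kind<TAB>path" for every regular file under ROOT with the owner
# execute bit set (-perm -u+x is POSIX; GNU find also offers -executable).
# Paths are printed relative to ROOT (no trailing slash) so a manifest taken
# from a clean image can be reused across hosts.
list_executables() {
    r=$1
    find "$r" -type f -perm -u+x | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(file_kind "$f")" "${f#"$r/"}"
    done
}

# Report only executables whose relative path is absent from MANIFEST (one
# relative path per line): kind, path, guessed version.
report_suspects() {
    r=$1; m=$2
    list_executables "$r" | while IFS="$(printf '\t')" read -r kind rel; do
        if ! grep -qxF -- "$rel" "$m"; then
            printf '%s\t%s\t%s\n' "$kind" "$rel" "$(guess_version "$r/$rel")"
        fi
    done
}

# --- constructed demo: a tiny fake filesystem plus a one-line manifest ---
build_demo_tree() {
    d=$1
    mkdir -p "$d/root/usr/bin" "$d/root/opt/acme"
    # "package-managed" script: listed in the manifest, so never reported
    printf '#!/bin/sh\necho managed\n' > "$d/root/usr/bin/managed.sh"
    # dropped-in "binary": fake ELF header followed by a version-looking string
    printf '\177ELF\002\001\001 acme-runner version 3.1.4 (c) Acme\n' > "$d/root/opt/acme/runme"
    # unmanaged script with no version string at all
    printf '#!/usr/bin/env python3\nprint("hello")\n' > "$d/root/opt/acme/runme.py"
    # plain data file: not executable, so never inventoried
    printf 'just a readme\n' > "$d/root/opt/acme/README"
    chmod 755 "$d/root/usr/bin/managed.sh" "$d/root/opt/acme/runme" "$d/root/opt/acme/runme.py"
    printf 'usr/bin/managed.sh\n' > "$d/manifest.txt"
}

# Demo run. On a real host: report_suspects / /path/to/clean-manifest.txt
demo=$(mktemp -d)
build_demo_tree "$demo"
report_suspects "$demo/root" "$demo/manifest.txt"
# prints (tab separated):
# elf	opt/acme/runme	3.1.4
# script	opt/acme/runme.py	
rm -rf "$demo"
```

Two practical caveats. Feeding the manifest from the package manager (for example the union of every `dpkg -L` or `rpm -ql` output) only tells you a path is owned by a package, not that the file on disk is the package's file; pair it with `debsums`/`rpm -V` style checksum verification if a replaced binary is the worry. And the version heuristic is exactly that: treat its output as a hint for the manual or vendor lookup, not as an answer.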