LinuxQuestions.org
Forum: Linux - Security
#1  Linux_Kidd, 05-06-2020, 01:34 PM
Looking for Tool


I am looking for a tool that can sweep a system (Linux for now), find all of the binaries, ID their version info, and then report on whether each is outdated and/or needs a patch. And, if the file has no good metadata, just flag it in a report as "suspect".

Does anything like this exist? If not, how would you create a script that can do it?

Last edited by Linux_Kidd; 05-06-2020 at 02:04 PM.
 
#2  sevendogsbsd (FreeBSD), 05-06-2020, 02:27 PM
Use the package system of the Linux distro. Is this not sufficient? This is exactly what package management systems are supposed to do. What distribution of Linux are you running?
 
#3  Linux_Kidd (original poster), 05-06-2020, 05:23 PM
That's only good if the binary was installed via the package system. We are doing threat hunting, and native package tools are rather useless if a "bad" (unwanted) binary is copied down to the filesystem, e.g. via gunzip or some other way.
 
#4  kfritz (Slackware, OpenBSD, CentOS, Ubuntu), 05-06-2020, 09:32 PM
Take a look at OpenVAS. IIRC, it did some amount of scanning for non-managed binaries, but only on a few popular distros. This requires that an ssh account be created so that the tool can log in and check. It's quite complicated, and may be more than you're looking for.
 
#5  JJJCR, 05-08-2020, 01:43 AM
Normally, is there a specific extension for those binaries? Or can a file exist without an extension but still be considered a binary file?
 
#6  scasey (CentOS 7.9.2009), 05-08-2020, 03:00 PM
Some thoughts:
"Binaries" means (to me) a compiled program, so "not a text file". One could use find to identify such; see the -type test.
Scripts are not necessarily compiled, but may be executable. Again, the find command has an -executable test.

Use find to search for what's present; compare to a list of what should be present*. Things it finds that are not on the list are suspect.

*That's going to be the hard part. Maybe build a "clean" system and compile the list from that?
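The "find what's present, compare to a clean system" idea in this post, written out as an added example (this is not code from the thread or from any poster): walk a root, record every executable file with its SHA-256, and diff that against a manifest built the same way on a known-clean build. The directory layout, file contents and the skip list are constructed for the demo; only os.walk, stat and hashlib are used.

```python
"""Sweep a tree for executable files and diff against a clean-system baseline.
Added example for this thread; not code from any poster."""
import hashlib
import os
import stat
import tempfile

# Pseudo-filesystems are skipped: hashing /proc/*/exe or /dev/* is noise or hangs.
SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")


def is_executable_file(path):
    """Regular file (not a symlink) with any execute bit set: ELF or script alike."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, skip=SKIP_DIRS):
    """Map relative path -> sha256 for every executable under root.
    Symlinks are not followed, so a planted link cannot steer the walk."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if any(dirpath == s or dirpath.startswith(s + "/") for s in skip):
            dirnames[:] = []          # prune the whole subtree
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_executable_file(full):
                manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def diff_manifests(baseline, current):
    """new: not in the clean build; modified: same path, different bytes; missing: gone."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _populate(root, files):
    """Write constructed sample files; files maps relpath -> (bytes, executable?)."""
    for rel, (data, exe) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, 0o755 if exe else 0o644)


def demo():
    """Constructed 'clean' and 'live' trees: live has one replaced binary and one
    dropped-in script. Returns the diff report. skip=() because the temp dirs
    may themselves live under a pruned prefix on some systems."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    base = {
        "usr/bin/ls": (b"\x7fELF fake ls", True),
        "usr/bin/ssh": (b"\x7fELF fake ssh", True),
        "etc/motd": (b"hello", False),            # not executable: ignored
    }
    _populate(clean, base)
    tampered = dict(base)
    tampered["usr/bin/ssh"] = (b"\x7fELF fake ssh, replaced", True)
    tampered["tmp/.x/runme"] = (b"#!/bin/sh\necho dropped-in\n", True)
    _populate(live, tampered)
    return diff_manifests(build_manifest(clean, skip=()), build_manifest(live, skip=()))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

In practice you run build_manifest("/") on the golden image, store the result as JSON, and diff each host against it. Two caveats: a package upgrade legitimately changes hashes, so a "modified" hit needs a package-ownership check (rpm -V or dpkg --verify) before it is called suspect; and the execute bit is not the only way code runs, since an interpreter will happily run a non-executable script, so a sweep that only keys on mode bits will miss those.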
 
#7  Linux_Kidd (original poster), 05-08-2020, 05:38 PM
Finding the file type is not the ask here. I can find what I want, then need to strip out the meta data of the file, and then somehow go lookup if there's a newer version or not, or perhaps just a patch available. Everything past the 'find' part is the challenge.

Can essentially also do some reverse weeding, try and ID the package the file came from, and then see if that package has updates available or not, but for items that did not come from a package install, need to somehow see if it perhaps has associated vulns, and if such item has updates or patches available.

It's not an easy task, and it's a gap my sec team has identified. Sure, we can flag it as "suspicious" if it did not come from a package, but doing all the manual work beyond that is not very practical when you look at enterprise scale. And it's why I was looking for any existing COTS tools that may do it.

We will look at OpenVAS to see what it can/cannot do.

Last edited by Linux_Kidd; 05-08-2020 at 05:52 PM.
 
#8  ondoho, 05-09-2020, 03:43 AM
Quote:
Originally Posted by Linux_Kidd
Finding the file type is not the ask here.
But you yourself wrote:
Quote:
Originally Posted by Linux_Kidd
I am looking for a tool that (...) can find all of the binaries
That implies a certain file type - that of a binary.
 
#9  Linux_Kidd (original poster), 05-13-2020, 11:39 AM
Quote:
Originally Posted by ondoho
But you yourself wrote:
Quote:
Originally Posted by Linux_Kidd
I am looking for a tool that (...) can find all of the binaries
That implies a certain file type - that of a binary.
No, I wrote:
Quote:
I am looking for a tool that can sweep a system (linux for now) that can find all of the binaries, ID their version info, and then report on if it's outdated and/or needs a patch.
Yes, file type of binary. So what's your question?

VT has some new threat intel stuff going, but I don't yet see that they have what I am looking for; I reached out to them.

https://support.virustotal.com/hc/en...e-Introduction

Last edited by Linux_Kidd; 05-13-2020 at 11:45 AM.
 
#10  OlgaM (Debian Bullseye), 05-16-2020, 05:44 PM
I am wondering if a raw socket can be used for that. Can a system owner find "bad" program activity with Unix/Internet sockets?
 
#11  Linux_Kidd (original poster), 05-18-2020, 03:09 PM
Quote:
Originally Posted by OlgaM
I am wondering if a raw socket can be used for that. Can a system owner find "bad" program activity with Unix/Internet sockets?
What makes you think a binary has a socket?
 
#12  OlgaM (Debian Bullseye), 05-24-2020, 07:41 PM
I mean, if the binary file was infected, the app will send some data to the hacker. Is it possible to check the transfer via the socket? Can I know if you found a solution?
 
#13  Linux_Kidd (original poster), 06-04-2020, 01:08 PM
Quote:
Originally Posted by OlgaM
I mean, if the binary file was infected, the app will send some data to the hacker. Is it possible to check the transfer via the socket? Can I know if you found a solution?
Will let network and/or HIDS technology try to detect that.

I am only looking to ID programs that may have vulns associated with them, and the availability of a fix.

No solution just yet. We use Qualys for a lot of scanning/compliance/reporting, and we are a VAR partner and are working with them to get this feature put into their product. Some development work is in motion but nobody wants to commit to an ETA.
 
#14  uteck (Ubuntu based stuff for the most part), 06-04-2020, 01:43 PM
The hard part of your ask is identifying the unmanaged binary and then checking if it is current.
If you find a binary named foxitreader.bin, how do you expect to get version info? I would imagine you need to use strings or some such program to try to determine the version info. Then figure out the website and check what is current.

What about some Python file just named runme.py inside a directory named for some legit sounding project. Technically not a binary, so you may need to expand your search. Python 2 is being phased out, will checking for Python 3 versions be included?

I don't think there is any open source tool that can do this. Seems like something a security company builds and charges people to use.
 
#15  rnturn (openSUSE, Raspbian, Slackware), 06-05-2020, 04:27 AM
Quote:
Originally Posted by JJJCR
Normally, is there a specific extension for those binaries? Or can a file exist without an extension but still be considered a binary file?
File extensions are mostly a crutch for humans. Much of UNIX and Linux doesn't, in general, rely on file extensions to determine what to do with files [1]. My scripts -- shell, Perl, or Python (except modules) -- tend to not have file extensions (see file(1)). Compiled programs? The same---although file(1) is unable to tell you what the source language was.

I'm not sure if there's any easier way to check for packages that need an update/patch than to issue something like:
Code:
zypper list-updates -a
or whatever the equivalent is on your systems' distributions.

As for those "suspect" executables, if you're considering a roll-your-own solution: Don't package managers have the ability to list all the files contained in a specified package? Comparing a list of all files that are part of each installed package against a list of all executables found on the system ought to reveal those "suspects". Something like:
Code:
# -F: treat the package paths as literal strings, not regexes; -x: whole-line match,
# so /usr/bin/ls in the package list does not also hide /usr/bin/lsblk
grep -v -x -F -f list-of-all-installed-package-files list-of-all-system-executables
Obtaining that list of files to ignore would be the trick.



[1] -- There are exceptions: gcc gets confused when you try something like "cc hello.x"---even when it's a valid C source file. :^)
 
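Combining the package-ownership check in this post with the earlier suggestion of pulling version info out of an unmanaged binary with strings(1), as an added example that is not code from the thread or any poster: a file is "managed" when dpkg -S or rpm -qf claims it, otherwise "suspect", and for suspects the printable strings are searched for version-looking numbers. The dpkg/rpm calls are real commands, but the lookup is injectable; the sample files, their contents and the fake package database in demo() are constructed, and the VERSION_HINT pattern is a heuristic of my own.

```python
"""Tag executables as package-managed or suspect, and pull version-looking
strings out of the suspects. Added example for this thread; not code from
any poster. Assumes dpkg (Debian/Ubuntu) or rpm (RHEL/SUSE) is on PATH for
real use; the lookup is injectable so the logic runs without either."""
import os
import re
import subprocess
import tempfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")        # strings(1) default: 4+ printable bytes
VERSION_HINT = re.compile(                          # heuristic, assumed pattern
    r"\b(?:version|v|release)\s*[:=]?\s*(\d+(?:\.\d+)+)"   # 'version 9.1', 'v2.4.5'
    r"|\b(\d+\.\d+(?:\.\d+)+)\b",                            # bare 'x.y.z' (3+ parts)
    re.IGNORECASE,
)
READ_CAP = 8 * 1024 * 1024   # bound memory per file; version strings usually sit early


def package_owner(path):
    """Who ships this path per the distro package DB, or None. dpkg -S and rpm -qf
    both exit non-zero for unowned files; a missing tool is skipped, not an error."""
    for cmd in (["dpkg", "-S", path], ["rpm", "-qf", path]):
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.strip().splitlines()[0]
    return None


def version_hints(data, limit=5):
    """Distinct version-looking tokens found in the printable strings of data."""
    hits = []
    for m in PRINTABLE.finditer(data):
        for vm in VERSION_HINT.finditer(m.group().decode("ascii")):
            v = vm.group(1) or vm.group(2)
            if v not in hits:
                hits.append(v)
            if len(hits) >= limit:
                return hits
    return hits


def classify(path, owner_lookup=package_owner):
    """One record per file: kind, owner, status, and version hints for suspects."""
    real = os.path.realpath(path)
    # Ask with both spellings: dpkg records paths as shipped, so on merged-/usr
    # systems /bin/ls may be known while /usr/bin/ls is not.
    owner = owner_lookup(path) or (owner_lookup(real) if real != path else None)
    with open(real, "rb") as f:
        data = f.read(READ_CAP)
    if data.startswith(b"\x7fELF"):
        kind = "elf"
    elif data.startswith(b"#!"):
        kind = "script"
    else:
        kind = "other"
    return {
        "path": path,
        "kind": kind,
        "owner": owner,
        "status": "managed" if owner else "suspect",
        "versions": [] if owner else version_hints(data),
    }


def demo():
    """Constructed sample files plus a fake package DB that only knows 'ls'."""
    d = tempfile.mkdtemp()
    samples = {
        "ls": b"\x7fELF" + b"\x00" * 64 + b"GNU coreutils version 9.1\x00",
        "foxitreader.bin": b"\x7fELF" + b"\x00" * 64 + b"FoxitReader v2.4.5 linux x64\x00",
        "runme.py": b"#!/usr/bin/env python3\n__version__ = '0.3.1'\nprint('hi')\n",
    }
    for name, body in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(body)
        os.chmod(p, 0o755)
    fake_db = {os.path.join(d, "ls"): "coreutils: " + os.path.join(d, "ls")}
    return [classify(os.path.join(d, n), fake_db.get) for n in samples]


if __name__ == "__main__":
    for rec in demo():
        print(rec["status"], rec["kind"], rec["path"], rec["owner"], rec["versions"])
```

Feed classify() the paths from a find over executables (for example find / -xdev -type f -perm /111). An "owned" answer only says the path appears in some package's file list, not that the bytes on disk are the package's, so follow a managed hit with rpm -V or dpkg --verify before trusting it. The version hints are for a human or a vulnerability lookup to chew on; whether a fix exists for a given suspect still needs an external feed, which is the part no local tool can answer.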