Ask HN: Why are there no online databases of whitelisted ubuntu binaries?
I'm looking for a powerful tool to scan for illegitimate ubuntu binaries. The existing tools (tripwire, rkhunter, chkrootkit) seem to require you to maintain your own brittle whitelist of acceptable binaries. Why is there no online database to do this?
My definition of a whitelist is: the set of SHA256 hashes of every binary found in every release of ubuntu.
This is a trivially monetizable idea as well - you can keep the whitelist on your servers and make the users upload their live binary SHA256 hashes to the server before checking them, so that your whitelist remains a commercial asset (similar to the VirusTotal model).
I'd be willing to pay good money for this. Can someone please build this?
4 comments
[ 4.5 ms ] story [ 19.7 ms ] threadIt wouldn't take much effort to extract all the packages from a release-archive and make that searchable.
I once processed the Debian archive in such a manner, but the problem is security updates will release every now and again and cause you to need to update things. Not a problem to store a set of hashes for binaries, with a floating "most recent" value.
But given that the information is already available to you I'd suspect not many people would pay for the service, or use it.
I just want a solution where I can boot up any system from a live CD, and inspect an existing installation, based on an external verified database.
e.g. Malicious exploit drops in /etc/cron.d/botnet.
You might also feel safe if you have "good" copy of bash, but your version matched a checksum from pre-shellshock.
Really making the list is easy, you could do it yourself, or you could pay somebody to give you one, but it doesn't solve the problem because you'll still have local changes you need to flag/whitelist/update.
Thx for the tips.