
Ask HN: Why are there no online databases of whitelisted ubuntu binaries? - HD142245b
I'm looking for a powerful tool to scan for illegitimate ubuntu binaries. The existing tools (tripwire, rkhunter, chkrootkit) seem to require you to maintain your own brittle whitelist of acceptable binaries. Why is there no online database to do this?

My definition of a whitelist is: the set of SHA256 hashes of every binary found in every release of ubuntu.

This is a trivially monetizable idea as well - you can keep the whitelist on your servers and make the users upload their live binary SHA256 hashes to the server before checking them, so that your whitelist remains a commercial asset (similar to the VirusTotal model).

I'd be willing to pay good money for this. Can someone please build this?
======
stevekemp
If you look beneath /var/lib/dpkg/info/ you'll find a set of checksums for
binaries in, for example, `zip.md5sums`.

It wouldn't take much effort to extract all the packages from a
release-archive and make that searchable.

I once processed the Debian archive in such a manner, but the problem is
security updates will release every now and again and cause you to need to
update things. Not a problem to store a set of hashes for binaries, with a
floating "most recent" value.

But given that the information is already available to you I'd suspect not
many people would pay for the service, or use it.

~~~
HD142245b
This goes back to the problem of maintaining your own whitelist, though. The
problem is that maintaining your own whitelist is a lot of work. For example,
if you update your system, but don't update your rkhunter database, your next
report is totally inaccurate.

I just want a solution where I can boot up any system from a live CD, and
inspect an existing installation, based on an external verified database.

~~~
stevekemp
Even if you paid for access to a list of known-good binaries you would still
need to have your own local list.

e.g. Malicious exploit drops in /etc/cron.d/botnet.

You might also feel safe if you have a "good" copy of bash, but your version
matched a checksum from pre-shellshock.

Really making the list is easy, you could do it yourself, or you could pay
somebody to give you one, but it doesn't solve the problem because you'll
still have local changes you need to flag/whitelist/update.
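The two points above (the per-package `/var/lib/dpkg/info/*.md5sums` lists already on the box, and the fact that any external list still leaves local changes for you to flag) can be seen together in a small checker. This is an added example, not code from the thread or from dpkg: it parses the dpkg md5sums format, verifies a tree against it, and reports files under a directory that no package list owns. The sample tree, the package contents and the md5sums list are constructed inline so the script runs offline; paths are relative to a temporary root rather than `/`.

```python
"""Verify files against dpkg-style md5sums lists and report unowned files.
Added example, not from the thread; runs on a constructed temp tree."""
import hashlib
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse dpkg's md5sums format: '<md5hex>  <path without leading slash>'."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, rel = line.partition("  ")
        if sep != "  " or len(digest) != 32:
            raise ValueError(f"malformed md5sums line: {line!r}")
        expected[rel] = digest.lower()
    return expected


def md5_of(path):
    """MD5 of a file, read in chunks (dpkg's lists are MD5, not SHA-256)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(root, expected):
    """Compare files under root with the expected digests.
    Returns 'ok', 'modified' and 'missing' lists of relative paths."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, digest in sorted(expected.items()):
        p = Path(root) / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif md5_of(p) == digest:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    return result


def unowned_files(root, scan_dirs, owned):
    """Files under scan_dirs that no md5sums list claims: the local
    additions (a dropped cron job, say) that no remote whitelist can judge."""
    found = []
    for d in scan_dirs:
        base = Path(root) / d
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                if rel not in owned:
                    found.append(rel)
    return found


def demo():
    """Build a constructed tree in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample files, not real package contents
            "usr/bin/zip": b"#!/bin/sh\necho zip\n",
            "usr/bin/unzip": b"#!/bin/sh\necho unzip\n",
            "etc/cron.d/zip-cleanup": b"0 3 * * * root /usr/bin/zip-cleanup\n",
        }
        for rel, data in files.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # Constructed md5sums list for a hypothetical package: the unzip digest
        # is deliberately wrong (a replaced binary) and zipnote is absent
        # from the tree (a missing file).
        md5sums = "\n".join([
            f"{hashlib.md5(files['usr/bin/zip']).hexdigest()}  usr/bin/zip",
            "0" * 32 + "  usr/bin/unzip",
            "f" * 32 + "  usr/bin/zipnote",
        ])
        expected = parse_md5sums(md5sums)
        report = verify(root, expected)
        report["unowned"] = unowned_files(root, ["etc/cron.d"], set(expected))
        return report


if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

Two caveats match the thread. The md5sums lists only describe the version that is installed, so a binary that matches its own list can still be an old, vulnerable build; comparing the installed package version against what the archive currently ships (`apt list --upgradable`) is the check for that. And a list stored on the same disk can be edited by whoever replaced the binary, which is the reason to boot from separate media and to prefer hashes fetched from the release archive over the local copy (`dpkg --verify` and the `debsums` tool do the local comparison, but share that limitation).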

~~~
HD142245b
Well, I'm not denying that config-file trojans exist, but whitelisting all
executables massively reduces the haystack.

Thx for the tips.

