lynis/include/tests_crypto

#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Cryptography
#
#################################################################################
#
    InsertSection "Cryptography"
#
#################################################################################
#
    # Test        : CRYP-7902
    # Description : check for expired SSL certificates
    if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
    if [ ${SKIPTEST} -eq 0 ]; then
        COUNT_TOTAL=0
        FOUNDPROBLEM=0
        sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g')
        sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${TRBINARY} " " "\n" | ${SORTBINARY} | uniq | ${TRBINARY} "\n" " ")
        LogText "Paths to scan: ${sSSL_PATHS}"

        for DIR in ${sSSL_PATHS}; do
            COUNT_DIR=0
            if [ -d ${DIR} ]; then
                FileIsReadable ${DIR}
                if [ ${CANREAD} -eq 1 ]; then
                    LogText "Result: found directory ${DIR}"
                    # Search for CRT files
                    ${FINDBINARY} ${DIR} -type f -print0 | ${EGREPBINARY} -z ".crt$|.pem$|^cert" | ${SORTBINARY} -z | while IFS= read -r -d $'\0' FILE; do                    
                        FileIsReadable "${FILE}"
                        if [ ${CANREAD} -eq 1 ]; then
                            # Only check the files that are not installed by a package
                            if ! FileInstalledByPackage "${FILE}"; then
                                COUNT_DIR=$((COUNT_DIR + 1))
                                LogText "Test: checking file and determining if it is certificate ${FILE}"
                                FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
                                if [ $? -eq 0 ]; then
                                    # Check certificate where 'end date' has been expired
                                    FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
                                    EXIT_CODE=$?
                                    CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
                                    CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
                                    Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
                                    if [ ${EXIT_CODE} -eq 0 ]; then
                                        LogText "Result: certificate ${FILE} seems to be correct and still valid"
                                    else
                                        FOUNDPROBLEM=1
                                        LogText "Result: certificate ${FILE} has been expired"
                                    fi
                                else
                                    LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)"
                                fi
                            fi
                        else
                            LogText "Result: can not read file ${FILE} (no permission)"
                        fi
                    done
                    if [ -z "$(${FINDBINARY} ${DIR} -type f  2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert")" ]; then
                        LogText "Result: no certificates found in directory ${DIR}"
                    fi
                else
                    LogText "Result: can not read path ${DIR} (no permission)"
                fi
                LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"
            else
                LogText "Result: SSL path ${DIR} does not exist"
            fi
            COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
        done
        Report "certificates=${COUNT_TOTAL}"
        LogText "Result: found a total of ${COUNT_TOTAL} certificates"

        if [ ${FOUNDPROBLEM} -eq 0 ]; then
            Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN
        else
            Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_FOUND}" --color RED
            ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
        fi
    fi
#
#################################################################################
#

WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
Initial import 2014-08-26 17:33:55 +02:00			`#!/bin/sh`

			`#################################################################################`
			`#`
			`# Lynis`
			`# ------------------`
			`#`
Added link to website, blog, github 2016-03-13 16:00:39 +01:00			`# Copyright 2007-2013, Michael Boelen`
Changed date and preparing for release 2017-02-09 13:35:40 +01:00			`# Copyright 2007-2017, CISOfy`
Added link to website, blog, github 2016-03-13 16:00:39 +01:00			`#`
			`# Website : https://cisofy.com`
			`# Blog : http://linux-audit.com`
			`# GitHub : https://github.com/CISOfy/lynis`
Initial import 2014-08-26 17:33:55 +02:00			`#`
			`# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are`
			`# welcome to redistribute it under the terms of the GNU General Public License.`
			`# See LICENSE file for usage of this software.`
			`#`
			`#################################################################################`
			`#`
			`# Cryptography`
			`#`
			`#################################################################################`
			`#`
			`InsertSection "Cryptography"`
			`#`
			`#################################################################################`
			`#`
			`# Test : CRYP-7902`
			`# Description : check for expired SSL certificates`
			`if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`
Rename of categories, introduction of groups 2016-07-24 17:22:00 +02:00			`Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"`
Initial import 2014-08-26 17:33:55 +02:00			`if [ ${SKIPTEST} -eq 0 ]; then`
[CRYP-7902] Gather more certificate details and style improvements 2016-09-08 21:04:02 +02:00			`COUNT_TOTAL=0`
Initial import 2014-08-26 17:33:55 +02:00			`FOUNDPROBLEM=0`
[CRYP-7902] Gather more certificate details and style improvements 2016-09-08 21:04:02 +02:00			`sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} \| ${SEDBINARY} 's/:/ /g')`
			`sSSL_PATHS=$(echo ${sSSL_PATHS} \| ${SEDBINARY} 's/^ //' \| ${TRBINARY} " " "\n" \| ${SORTBINARY} \| uniq \| ${TRBINARY} "\n" " ")`
			`LogText "Paths to scan: ${sSSL_PATHS}"`
[CRYP-7902] Added support for multiple profiles 2016-04-13 19:49:30 +02:00
[CRYP-7902] Gather more certificate details and style improvements 2016-09-08 21:04:02 +02:00			`for DIR in ${sSSL_PATHS}; do`
			`COUNT_DIR=0`
			`if [ -d ${DIR} ]; then`
			`FileIsReadable ${DIR}`
Made adjustments to run in non-privileged scans 2014-09-09 14:49:37 +02:00			`if [ ${CANREAD} -eq 1 ]; then`
[CRYP-7902] Gather more certificate details and style improvements 2016-09-08 21:04:02 +02:00			`LogText "Result: found directory ${DIR}"`
Made adjustments to run in non-privileged scans 2014-09-09 14:49:37 +02:00			`# Search for CRT files`
Support spaces in file names (#444) File names may contain spaces 2017-08-29 14:32:42 +02:00			`${FINDBINARY} ${DIR} -type f -print0 \| ${EGREPBINARY} -z ".crt$\|.pem$\|^cert" \| ${SORTBINARY} -z \| while IFS= read -r -d $'\0' FILE; do`
			`FileIsReadable "${FILE}"`
			`if [ ${CANREAD} -eq 1 ]; then`
			`# Only check the files that are not installed by a package`
			`if ! FileInstalledByPackage "${FILE}"; then`
			`COUNT_DIR=$((COUNT_DIR + 1))`
			`LogText "Test: checking file and determining if it is certificate ${FILE}"`
			`FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null \| ${GREPBINARY} "^notAfter")`
			`if [ $? -eq 0 ]; then`
			`# Check certificate where 'end date' has been expired`
			`FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)`
			`EXIT_CODE=$?`
			`CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null \| ${SEDBINARY} -e 's/^subject.CN=\([a-zA-Z0-9\.\-\]\).$/\1/')`
			`CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null \| ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')`
			`Report "certificate[]=${FILE}\|${EXIT_CODE}\|cn:${CERT_CN};notafter:${CERT_NOTAFTER};\|"`
			`if [ ${EXIT_CODE} -eq 0 ]; then`
			`LogText "Result: certificate ${FILE} seems to be correct and still valid"`
[CRYP-7902] Test certificates with extension crt and pem, only if not part of a package 2017-03-12 16:35:50 +01:00			`else`
Support spaces in file names (#444) File names may contain spaces 2017-08-29 14:32:42 +02:00			`FOUNDPROBLEM=1`
			`LogText "Result: certificate ${FILE} has been expired"`
[CRYP-7902] Test certificates with extension crt and pem, only if not part of a package 2017-03-12 16:35:50 +01:00			`fi`
Support spaces in file names (#444) File names may contain spaces 2017-08-29 14:32:42 +02:00			`else`
			`LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)"`
[CRYP-7902] Gather more certificate details and style improvements 2016-09-08 21:04:02 +02:00			`fi`
Made adjustments to run in non-privileged scans 2014-09-09 14:49:37 +02:00			`fi`
Support spaces in file names (#444) File names may contain spaces 2017-08-29 14:32:42 +02:00			`else`
			`LogText "Result: can not read file ${FILE} (no permission)"`
			`fi`
			`done`
			`if [ -z "$(${FINDBINARY} ${DIR} -type f 2> /dev/null \| ${EGREPBINARY} ".crt$\|.pem$\|^cert")" ]; then`
[CRYP-7902] Gather more certificate details and style improvements 2016-09-08 21:04:02 +02:00			`LogText "Result: no certificates found in directory ${DIR}"`
			`fi`
			`else`
			`LogText "Result: can not read path ${DIR} (no permission)"`
Made adjustments to run in non-privileged scans 2014-09-09 14:49:37 +02:00			`fi`
[CRYP-7902] Test certificates with extension crt and pem, only if not part of a package 2017-03-12 16:35:50 +01:00			`LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"`
[CRYP-7902] Gather more certificate details and style improvements 2016-09-08 21:04:02 +02:00			`else`
			`LogText "Result: SSL path ${DIR} does not exist"`
Initial import 2014-08-26 17:33:55 +02:00			`fi`
[CRYP-7902] Gather more certificate details and style improvements 2016-09-08 21:04:02 +02:00			`COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))`
Initial import 2014-08-26 17:33:55 +02:00			`done`
[CRYP-7902] Gather more certificate details and style improvements 2016-09-08 21:04:02 +02:00			`Report "certificates=${COUNT_TOTAL}"`
			`LogText "Result: found a total of ${COUNT_TOTAL} certificates"`
Initial import 2014-08-26 17:33:55 +02:00
			`if [ ${FOUNDPROBLEM} -eq 0 ]; then`
Replaced text strings to allow translations 2016-06-18 11:14:01 +02:00			`Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN`
[CRYP-7902] Gather more certificate details and style improvements 2016-09-08 21:04:02 +02:00			`else`
Replaced text strings to allow translations 2016-06-18 11:14:01 +02:00			`Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_FOUND}" --color RED`
Removed warning for expired SSL certificate, added suggestion instead 2014-12-03 14:13:29 +01:00			`ReportSuggestion ${TEST_NO} "Check available certificates for expiration"`
Initial import 2014-08-26 17:33:55 +02:00			`fi`
			`fi`
			`#`
			`#################################################################################`
			`#`

Replaced old function names with new ones 2016-04-28 12:31:57 +02:00			`WaitForKeyPress`
Initial import 2014-08-26 17:33:55 +02:00
			`#`
			`#================================================================================`
Removed copyright line, added description 2016-03-13 16:03:46 +01:00			`# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com`