2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
2019-01-31 14:47:35 +01:00
# Copyright 2007-2019, CISOfy
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Cryptography
#
#################################################################################
#
InsertSection "Cryptography"
#
#################################################################################
#
# Test : CRYP-7902
# Description : check for expired SSL certificates
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-09-06 12:56:32 +02:00
COUNT_EXPIRED=0
2016-09-08 21:04:02 +02:00
COUNT_TOTAL=0
2014-08-26 17:33:55 +02:00
FOUNDPROBLEM=0
2019-07-08 21:20:45 +02:00
SKIP=0
2019-07-08 15:08:56 +02:00
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:space:/__space__/g' | ${SEDBINARY} 's/:/ /g')
sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${SORTBINARY} | ${UNIQBINARY})
2016-09-08 21:04:02 +02:00
LogText "Paths to scan: ${sSSL_PATHS}"
2016-04-13 19:49:30 +02:00
2019-07-08 15:08:56 +02:00
IGNORE_PATHS_PRINT=$(echo ${SSL_CERTIFICATE_PATHS_TO_IGNORE} | ${SEDBINARY} 's/:/, /g' | ${SEDBINARY} 's/__space__/ /g' | ${SEDBINARY} 's/^ //' | ${SORTBINARY} | ${UNIQBINARY})
LogText "Paths to ignore: ${IGNORE_PATHS_PRINT}"
2016-09-08 21:04:02 +02:00
for DIR in ${sSSL_PATHS}; do
COUNT_DIR=0
if [ -d ${DIR} ]; then
FileIsReadable ${DIR}
2014-09-09 14:49:37 +02:00
if [ ${CANREAD} -eq 1 ]; then
2019-07-08 21:20:45 +02:00
LASTSUBDIR=""
2016-09-08 21:04:02 +02:00
LogText "Result: found directory ${DIR}"
2017-09-06 12:56:32 +02:00
# Search for certificate files
2019-07-08 15:08:56 +02:00
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
2017-09-06 12:56:32 +02:00
for FILE in ${FILES}; do
2019-07-08 15:08:56 +02:00
FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
# See if we need to skip this path
2019-07-08 21:20:45 +02:00
SUBDIR=$(echo ${FILE} | ${AWKBINARY} -F/ 'sub(FS $NF,x)' | ${SEDBINARY} 's/__space__/ /g')
# If we discover a new directory, do evaluation
#Debug "File : ${FILE}"
#Debug "Lastdir: ${LASTSUBDIR}"
#Debug "Curdir : ${SUBDIR}"
if [ ! "${SUBDIR}" = "${LASTSUBDIR}" ]; then
SKIP=0
# Now check if this path is on the to-be-ignored list
for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}; do
if Equals "${D}" "${SUBDIR}"; then
SKIP=1
LogText "Result: skipping directory (${SUBDIR}) as it is on ignore list"
fi
done
fi
2019-07-08 15:08:56 +02:00
if [ ${SKIP} -eq 0 ]; then
2019-07-08 21:20:45 +02:00
#Debug "Testing ${FILE} in path: $SUBDIR"
2019-07-08 15:08:56 +02:00
COUNT_DIR=$((COUNT_DIR + 1))
FileIsReadable "${FILE}"
if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package
if ! FileInstalledByPackage "${FILE}"; then
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
2018-03-05 11:32:23 +01:00
if [ $? -eq 0 ]; then
2019-07-08 15:08:56 +02:00
LogText "Result: file is a certificate file"
FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
if [ $? -eq 0 ]; then
# Check certificate where 'end date' has been expired
FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
EXIT_CODE=$?
CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
if [ ${EXIT_CODE} -eq 0 ]; then
LogText "Result: certificate ${FILE} seems to be correct and still valid"
else
FOUNDPROBLEM=1
COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
LogText "Result: certificate ${FILE} has been expired"
fi
2018-03-05 11:32:23 +01:00
else
2019-07-08 15:08:56 +02:00
LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (is it a key file?)"
2018-03-05 11:32:23 +01:00
fi
2017-03-12 16:35:50 +01:00
else
2019-07-08 15:08:56 +02:00
LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'"
2017-03-12 16:35:50 +01:00
fi
2016-09-08 21:04:02 +02:00
fi
2019-07-08 15:08:56 +02:00
else
LogText "Result: can not read file ${FILE} (no permission)"
2014-09-09 14:49:37 +02:00
fi
2017-08-29 14:32:42 +02:00
fi
2019-07-08 21:20:45 +02:00
LASTSUBDIR="${SUBDIR}"
2017-08-29 14:32:42 +02:00
done
2017-09-06 12:56:32 +02:00
COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"
2016-09-08 21:04:02 +02:00
else
LogText "Result: can not read path ${DIR} (no permission)"
2014-09-09 14:49:37 +02:00
fi
2016-09-08 21:04:02 +02:00
else
LogText "Result: SSL path ${DIR} does not exist"
2014-08-26 17:33:55 +02:00
fi
done
2016-09-08 21:04:02 +02:00
Report "certificates=${COUNT_TOTAL}"
LogText "Result: found a total of ${COUNT_TOTAL} certificates"
2014-08-26 17:33:55 +02:00
if [ ${FOUNDPROBLEM} -eq 0 ]; then
2017-09-06 12:56:32 +02:00
Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_NONE}" --color GREEN
2016-09-08 21:04:02 +02:00
else
2017-09-06 12:56:32 +02:00
Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_FOUND}" --color RED
2014-12-03 14:13:29 +01:00
ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
2019-07-09 10:33:51 +02:00
#
# Test : CRYP-7930
# Description : Determine if system uses disk or file encryption
2019-07-09 11:42:04 +02:00
Register --test-no CRYP-7930 --weight L --network NO --category security --description "Determine if system uses disk or file encryption"
2019-07-09 10:33:51 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FILE="${ROOTDIR}etc/crypttab"
if [ -f ${FILE} ]; then
2019-07-09 11:42:04 +02:00
LogText "Result: crypttab file (${FILE}) exists"
DATA=$(${GREPBINARY} "^[a-z]" ${FILE} | ${TRBINARY} -cd '[:alnum:]_\-=,\n\t ' | ${SEDBINARY} 's/[[:blank:]]/__space__/g')
2019-07-09 10:33:51 +02:00
for LINE in ${DATA}; do
LINE=$(echo ${LINE} | ${SEDBINARY} 's/__space__/ /g')
if ContainsString "luks," "${LINE}"; then
PARTITION=$(echo ${LINE} | ${AWKBINARY} '{print $1}' | ${AWKBINARY} -F_ '{print $1}')
LogText "Result: Found LUKS encryption on partition ${PARTITION}"
Report "encryption[]=luks,partition,${PARTITION}"
fi
done
unset DATA LINE PARTITION
2019-07-09 11:42:04 +02:00
else
LogText "Result: crypttab file (${FILE}) does not exist"
2019-07-09 10:33:51 +02:00
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-03-13 16:03:46 +01:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
