lynis/include/tests_crypto

#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), CISOfy
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Cryptography
#
#################################################################################
#
    InsertSection "Cryptography"
#
#################################################################################
#
    # Test        : CRYP-7902
    # Description : check for expired SSL certificates
    if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check expire date of SSL certificates"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUNDPROBLEM=0
        # Check profile for paths to check
        sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
        for I in ${sSSL_PATHS}; do
            if [ -d ${I} ]; then
                FileIsReadable ${I}
                if [ ${CANREAD} -eq 1 ]; then
                    logtext "Result: found directory ${I}"
                    # Search for CRT files
                    sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
                    for J in ${sFINDCRTS}; do
                        FileIsReadable ${J}
                        if [ ${CANREAD} -eq 1 ]; then
                            logtext "Test: checking certificate ${J}"
                            # Check certificate where 'end date' has been expired
                            FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
                            if [ "${FIND}" = "0" ]; then
                                logtext "Result: certificate ${J} seems to be correct and still valid"
                                report "valid_certificate[]=${J}|unknown entity|"
                              else
                                FOUNDPROBLEM=1
                                logtext "Result: certificate ${J} has been expired"
                                report "expired_certificate[]=${J}|unknown entity|"
                            fi
                          else
                            logtext "Result: can not read file ${J} (no permission)"
                        fi
                    done
                  else
                    logtext "Result: can not read path ${I} (no permission)"
                fi
              else
                logtext "Result: SSL path ${I} does not exist"
            fi
        done

        if [ ${FOUNDPROBLEM} -eq 0 ]; then
            Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN
          else
            Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED
            ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
        fi
    fi
#
#################################################################################
#

wait_for_keypress

#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
Initial import 2014-08-26 17:33:55 +02:00			`#!/bin/sh`

			`#################################################################################`
			`#`
			`# Lynis`
			`# ------------------`
			`#`
Update of the files to reflect HTTPS version of website and 2015. Happy New Year! 2015-01-03 12:45:22 +01:00			`# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), CISOfy`
Removed warning for expired SSL certificate, added suggestion instead 2014-12-03 14:13:29 +01:00			`# Web site: https://cisofy.com`
Initial import 2014-08-26 17:33:55 +02:00			`#`
			`# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are`
			`# welcome to redistribute it under the terms of the GNU General Public License.`
			`# See LICENSE file for usage of this software.`
			`#`
			`#################################################################################`
			`#`
			`# Cryptography`
			`#`
			`#################################################################################`
			`#`
			`InsertSection "Cryptography"`
			`#`
			`#################################################################################`
			`#`
			`# Test : CRYP-7902`
			`# Description : check for expired SSL certificates`
			`if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`
			`Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check expire date of SSL certificates"`
			`if [ ${SKIPTEST} -eq 0 ]; then`
			`FOUNDPROBLEM=0`
			`# Check profile for paths to check`
Delete trailing whitespace 2015-09-07 17:35:07 +02:00			sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} \| cut -d ':' -f3`
Initial import 2014-08-26 17:33:55 +02:00			`for I in ${sSSL_PATHS}; do`
			`if [ -d ${I} ]; then`
Made adjustments to run in non-privileged scans 2014-09-09 14:49:37 +02:00			`FileIsReadable ${I}`
			`if [ ${CANREAD} -eq 1 ]; then`
			`logtext "Result: found directory ${I}"`
			`# Search for CRT files`
			sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
			`for J in ${sFINDCRTS}; do`
			`FileIsReadable ${J}`
			`if [ ${CANREAD} -eq 1 ]; then`
			`logtext "Test: checking certificate ${J}"`
			`# Check certificate where 'end date' has been expired`
			FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
			`if [ "${FIND}" = "0" ]; then`
			`logtext "Result: certificate ${J} seems to be correct and still valid"`
			`report "valid_certificate[]=${J}\|unknown entity\|"`
			`else`
			`FOUNDPROBLEM=1`
			`logtext "Result: certificate ${J} has been expired"`
Removed warning for expired SSL certificate, added suggestion instead 2014-12-03 14:13:29 +01:00			`report "expired_certificate[]=${J}\|unknown entity\|"`
Made adjustments to run in non-privileged scans 2014-09-09 14:49:37 +02:00			`fi`
			`else`
Removed warnings, updated changelog 2014-09-15 10:52:06 +02:00			`logtext "Result: can not read file ${J} (no permission)"`
Made adjustments to run in non-privileged scans 2014-09-09 14:49:37 +02:00			`fi`
			`done`
			`else`
Removed warnings, updated changelog 2014-09-15 10:52:06 +02:00			`logtext "Result: can not read path ${I} (no permission)"`
Made adjustments to run in non-privileged scans 2014-09-09 14:49:37 +02:00			`fi`
Initial import 2014-08-26 17:33:55 +02:00			`else`
			`logtext "Result: SSL path ${I} does not exist"`
			`fi`
			`done`

			`if [ ${FOUNDPROBLEM} -eq 0 ]; then`
Show different status on screen when expired SSL certificates were found 2015-09-01 15:49:50 +02:00			`Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN`
Initial import 2014-08-26 17:33:55 +02:00			`else`
Show different status on screen when expired SSL certificates were found 2015-09-01 15:49:50 +02:00			`Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED`
Removed warning for expired SSL certificate, added suggestion instead 2014-12-03 14:13:29 +01:00			`ReportSuggestion ${TEST_NO} "Check available certificates for expiration"`
Initial import 2014-08-26 17:33:55 +02:00			`fi`
			`fi`
			`#`
			`#################################################################################`
			`#`

			`wait_for_keypress`

			`#`
			`#================================================================================`
Update of the files to reflect HTTPS version of website and 2015. Happy New Year! 2015-01-03 12:45:22 +01:00			`# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com`