2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Cryptography
#
#################################################################################
#
InsertSection "Cryptography"
#
#################################################################################
#
# Test : CRYP-7902
# Description : check for expired SSL certificates
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUNDPROBLEM=0
2016-07-05 16:46:50 +02:00
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | sed 's/:/ /g')
2016-04-13 19:49:30 +02:00
sSSL_PATHS=`echo ${sSSL_PATHS} | sed 's/^ //' | tr " " "\n" | sort | uniq | tr "\n" " "`
LogText "Result after sorting: ${sSSL_PATHS}"
2014-08-26 17:33:55 +02:00
for I in ${sSSL_PATHS}; do
if [ -d ${I} ]; then
2014-09-09 14:49:37 +02:00
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found directory ${I}"
2014-09-09 14:49:37 +02:00
# Search for CRT files
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
for J in ${sFINDCRTS}; do
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: checking certificate ${J}"
2014-09-09 14:49:37 +02:00
# Check certificate where 'end date' has been expired
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
if [ "${FIND}" = "0" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: certificate ${J} seems to be correct and still valid"
Report "valid_certificate[]=${J}|unknown entity|"
2014-09-09 14:49:37 +02:00
else
FOUNDPROBLEM=1
2015-12-21 21:17:15 +01:00
LogText "Result: certificate ${J} has been expired"
Report "expired_certificate[]=${J}|unknown entity|"
2014-09-09 14:49:37 +02:00
fi
else
2015-12-21 21:17:15 +01:00
LogText "Result: can not read file ${J} (no permission)"
2014-09-09 14:49:37 +02:00
fi
done
else
2015-12-21 21:17:15 +01:00
LogText "Result: can not read path ${I} (no permission)"
2014-09-09 14:49:37 +02:00
fi
2014-08-26 17:33:55 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: SSL path ${I} does not exist"
2014-08-26 17:33:55 +02:00
fi
done
if [ ${FOUNDPROBLEM} -eq 0 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN
2014-08-26 17:33:55 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_FOUND}" --color RED
2014-12-03 14:13:29 +01:00
ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-03-13 16:03:46 +01:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com