From 2c17c14c3b8235c906e3435369b278e95f09b1ad Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 8 Jul 2019 15:08:56 +0200 Subject: [PATCH] New profile option to ignore specified certificate directories --- default.prf | 3 +- include/consts | 1 + include/profiles | 18 ++++++----- include/tests_crypto | 73 ++++++++++++++++++++++++++------------------ 4 files changed, 57 insertions(+), 38 deletions(-) diff --git a/default.prf b/default.prf index 98f3e20d..befd40d0 100644 --- a/default.prf +++ b/default.prf @@ -92,8 +92,9 @@ skip-plugins=no # Skip Lynis upgrade availability test (default: no) #skip-upgrade-test=yes -# Locations where to search for SSL certificates +# Locations where to search for SSL certificates (separate paths with a colon) ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www +ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive: # Scan type - how deep the audit should be (light, normal or full) test-scan-mode=full diff --git a/include/consts b/include/consts index b29c4d67..a03f2708 100644 --- a/include/consts +++ b/include/consts @@ -265,6 +265,7 @@ unset LANG SSHKEYSCANBINARY="" SSHKEYSCANFOUND=0 SSL_CERTIFICATE_PATHS="" + SSL_CERTIFICATE_PATHS_TO_IGNORE="" STUNNELBINARY="" SYSLOGNGBINARY="" SYSTEMCTLBINARY="" diff --git a/include/profiles b/include/profiles index 42562c80..71e05b1a 100644 --- a/include/profiles +++ b/include/profiles @@ -63,7 +63,7 @@ # Now parse the profile and filter out unwanted characters DATA=$(egrep "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | sed 's/ /!space!/g') for CONFIGOPTION in ${DATA}; do - if ContainsString "config:" "${CONFIGOPTION}"; then + if ContainsString "^config:" "${CONFIGOPTION}"; then # Old style configuration OPTION=$(echo ${CONFIGOPTION} | cut -d ':' -f2) VALUE=$(echo ${CONFIGOPTION} | cut -d ':' -f3 | sed 's/!space!/ /g') @@ -119,7 +119,7 @@ ;; # Ignore configuration data - config-data) + config-data | permdir | permfile) Debug "Ignoring configuration option, as it will be used by a specific test" ;; @@ -364,7 +364,7 @@ ssl-certificate-paths-to-ignore) # Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces - SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /:space:/g') + SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g') Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}" AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates" ;; @@ -482,10 +482,14 @@ # Catch all bad options and bail out *) LogText "Unknown option ${OPTION} (with value: ${VALUE})" - ${ECHOCMD} "" - ${ECHOCMD} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}" - ${ECHOCMD} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})" - ${ECHOCMD} "" + + ${ECHOCMD:-echo} "" + ${ECHOCMD:-echo} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}" + ${ECHOCMD:-echo} "" + ${ECHOCMD:-echo} "" + ${ECHOCMD:-echo} "Full line: ${CONFIGOPTION}" + ${ECHOCMD:-echo} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})" + ${ECHOCMD:-echo} "" ExitFatal ;; diff --git a/include/tests_crypto b/include/tests_crypto index 4188dea9..2d064b5f 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -34,10 +34,13 @@ COUNT_EXPIRED=0 COUNT_TOTAL=0 FOUNDPROBLEM=0 - sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g') - sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${TRBINARY} " " "\n" | ${SORTBINARY} | uniq | ${TRBINARY} "\n" " ") + sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:space:/__space__/g' | ${SEDBINARY} 's/:/ /g') + sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${SORTBINARY} | ${UNIQBINARY}) LogText "Paths to scan: ${sSSL_PATHS}" + IGNORE_PATHS_PRINT=$(echo ${SSL_CERTIFICATE_PATHS_TO_IGNORE} | ${SEDBINARY} 's/:/, /g' | ${SEDBINARY} 's/__space__/ /g' | ${SEDBINARY} 's/^ //' | ${SORTBINARY} | ${UNIQBINARY}) + LogText "Paths to ignore: ${IGNORE_PATHS_PRINT}" + for DIR in ${sSSL_PATHS}; do COUNT_DIR=0 if [ -d ${DIR} ]; then @@ -45,43 +48,53 @@ if [ ${CANREAD} -eq 1 ]; then LogText "Result: found directory ${DIR}" # Search for certificate files - FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /:space:/g') + FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g') for FILE in ${FILES}; do - FILE=$(echo ${FILE} |${SEDBINARY} 's/:space:/ /g') - COUNT_DIR=$((COUNT_DIR + 1)) - FileIsReadable "${FILE}" - if [ ${CANREAD} -eq 1 ]; then - # Only check the files that are not installed by a package - if ! FileInstalledByPackage "${FILE}"; then - LogText "Test: test if file is a certificate" - OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") - if [ $? -eq 0 ]; then - LogText "Result: file is a certificate" - LogText "Test: checking certificate details" - FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") + SKIP=0 + FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g') + # See if we need to skip this path + SUBDIR=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}' | ${SEDBINARY} 's/__space__/ /g') + for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}; do + if Equals "${D}" "${SUBDIR}"; then + SKIP=1 + fi + done + if [ ${SKIP} -eq 0 ]; then + COUNT_DIR=$((COUNT_DIR + 1)) + FileIsReadable "${FILE}" + if [ ${CANREAD} -eq 1 ]; then + # Only check the files that are not installed by a package + if ! FileInstalledByPackage "${FILE}"; then + OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ $? -eq 0 ]; then - # Check certificate where 'end date' has been expired - FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) - EXIT_CODE=$? - CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') - CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') - Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" - if [ ${EXIT_CODE} -eq 0 ]; then - LogText "Result: certificate ${FILE} seems to be correct and still valid" + LogText "Result: file is a certificate file" + FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") + if [ $? -eq 0 ]; then + # Check certificate where 'end date' has been expired + FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) + EXIT_CODE=$? + CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') + CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') + Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" + if [ ${EXIT_CODE} -eq 0 ]; then + LogText "Result: certificate ${FILE} seems to be correct and still valid" + else + FOUNDPROBLEM=1 + COUNT_EXPIRED=$((COUNT_EXPIRED + 1)) + LogText "Result: certificate ${FILE} has been expired" + fi else - FOUNDPROBLEM=1 - COUNT_EXPIRED=$((COUNT_EXPIRED + 1)) - LogText "Result: certificate ${FILE} has been expired" + LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (is it a key file?)" fi else - LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)" + LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'" fi - else - LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'" fi + else + LogText "Result: can not read file ${FILE} (no permission)" fi else - LogText "Result: can not read file ${FILE} (no permission)" + LogText "Result: path ${SUBDIR} skipped according to profile" fi done COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))