mirror of https://github.com/CISOfy/lynis.git
New profile option to ignore specified certificate directories
This commit is contained in:
Michael Boelen
parent
1854e51e7e
commit
2c17c14c3b
|
|
@ -92,8 +92,9 @@ skip-plugins=no
|
||||||
# Skip Lynis upgrade availability test (default: no)
|
# Skip Lynis upgrade availability test (default: no)
|
||||||
#skip-upgrade-test=yes
|
#skip-upgrade-test=yes
|
||||||
|
|
||||||
# Locations where to search for SSL certificates
|
# Locations where to search for SSL certificates (separate paths with a colon)
|
||||||
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
|
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
|
||||||
|
ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
|
||||||
|
|
||||||
# Scan type - how deep the audit should be (light, normal or full)
|
# Scan type - how deep the audit should be (light, normal or full)
|
||||||
test-scan-mode=full
|
test-scan-mode=full
|
||||||
|
|
|
||||||
|
|
@ -265,6 +265,7 @@ unset LANG
|
||||||
SSHKEYSCANBINARY=""
|
SSHKEYSCANBINARY=""
|
||||||
SSHKEYSCANFOUND=0
|
SSHKEYSCANFOUND=0
|
||||||
SSL_CERTIFICATE_PATHS=""
|
SSL_CERTIFICATE_PATHS=""
|
||||||
|
SSL_CERTIFICATE_PATHS_TO_IGNORE=""
|
||||||
STUNNELBINARY=""
|
STUNNELBINARY=""
|
||||||
SYSLOGNGBINARY=""
|
SYSLOGNGBINARY=""
|
||||||
SYSTEMCTLBINARY=""
|
SYSTEMCTLBINARY=""
|
||||||
|
|
|
||||||
|
|
@ -63,7 +63,7 @@
|
||||||
# Now parse the profile and filter out unwanted characters
|
# Now parse the profile and filter out unwanted characters
|
||||||
DATA=$(egrep "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | sed 's/ /!space!/g')
|
DATA=$(egrep "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | sed 's/ /!space!/g')
|
||||||
for CONFIGOPTION in ${DATA}; do
|
for CONFIGOPTION in ${DATA}; do
|
||||||
if ContainsString "config:" "${CONFIGOPTION}"; then
|
if ContainsString "^config:" "${CONFIGOPTION}"; then
|
||||||
# Old style configuration
|
# Old style configuration
|
||||||
OPTION=$(echo ${CONFIGOPTION} | cut -d ':' -f2)
|
OPTION=$(echo ${CONFIGOPTION} | cut -d ':' -f2)
|
||||||
VALUE=$(echo ${CONFIGOPTION} | cut -d ':' -f3 | sed 's/!space!/ /g')
|
VALUE=$(echo ${CONFIGOPTION} | cut -d ':' -f3 | sed 's/!space!/ /g')
|
||||||
|
|
@ -119,7 +119,7 @@
|
||||||
;;
|
;;
|
||||||
|
|
||||||
# Ignore configuration data
|
# Ignore configuration data
|
||||||
config-data)
|
config-data | permdir | permfile)
|
||||||
Debug "Ignoring configuration option, as it will be used by a specific test"
|
Debug "Ignoring configuration option, as it will be used by a specific test"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
|
@ -364,7 +364,7 @@
|
||||||
|
|
||||||
ssl-certificate-paths-to-ignore)
|
ssl-certificate-paths-to-ignore)
|
||||||
# Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
|
# Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
|
||||||
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /:space:/g')
|
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g')
|
||||||
Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
|
Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
|
||||||
AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
|
AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
|
||||||
;;
|
;;
|
||||||
|
|
@ -482,10 +482,14 @@
|
||||||
# Catch all bad options and bail out
|
# Catch all bad options and bail out
|
||||||
*)
|
*)
|
||||||
LogText "Unknown option ${OPTION} (with value: ${VALUE})"
|
LogText "Unknown option ${OPTION} (with value: ${VALUE})"
|
||||||
${ECHOCMD} ""
|
|
||||||
${ECHOCMD} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}"
|
${ECHOCMD:-echo} ""
|
||||||
${ECHOCMD} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})"
|
${ECHOCMD:-echo} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}"
|
||||||
${ECHOCMD} ""
|
${ECHOCMD:-echo} ""
|
||||||
|
${ECHOCMD:-echo} ""
|
||||||
|
${ECHOCMD:-echo} "Full line: ${CONFIGOPTION}"
|
||||||
|
${ECHOCMD:-echo} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})"
|
||||||
|
${ECHOCMD:-echo} ""
|
||||||
ExitFatal
|
ExitFatal
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -34,10 +34,13 @@
|
||||||
COUNT_EXPIRED=0
|
COUNT_EXPIRED=0
|
||||||
COUNT_TOTAL=0
|
COUNT_TOTAL=0
|
||||||
FOUNDPROBLEM=0
|
FOUNDPROBLEM=0
|
||||||
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g')
|
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:space:/__space__/g' | ${SEDBINARY} 's/:/ /g')
|
||||||
sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${TRBINARY} " " "\n" | ${SORTBINARY} | uniq | ${TRBINARY} "\n" " ")
|
sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${SORTBINARY} | ${UNIQBINARY})
|
||||||
LogText "Paths to scan: ${sSSL_PATHS}"
|
LogText "Paths to scan: ${sSSL_PATHS}"
|
||||||
|
|
||||||
|
IGNORE_PATHS_PRINT=$(echo ${SSL_CERTIFICATE_PATHS_TO_IGNORE} | ${SEDBINARY} 's/:/, /g' | ${SEDBINARY} 's/__space__/ /g' | ${SEDBINARY} 's/^ //' | ${SORTBINARY} | ${UNIQBINARY})
|
||||||
|
LogText "Paths to ignore: ${IGNORE_PATHS_PRINT}"
|
||||||
|
|
||||||
for DIR in ${sSSL_PATHS}; do
|
for DIR in ${sSSL_PATHS}; do
|
||||||
COUNT_DIR=0
|
COUNT_DIR=0
|
||||||
if [ -d ${DIR} ]; then
|
if [ -d ${DIR} ]; then
|
||||||
|
|
@ -45,43 +48,53 @@
|
||||||
if [ ${CANREAD} -eq 1 ]; then
|
if [ ${CANREAD} -eq 1 ]; then
|
||||||
LogText "Result: found directory ${DIR}"
|
LogText "Result: found directory ${DIR}"
|
||||||
# Search for certificate files
|
# Search for certificate files
|
||||||
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /:space:/g')
|
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
|
||||||
for FILE in ${FILES}; do
|
for FILE in ${FILES}; do
|
||||||
FILE=$(echo ${FILE} |${SEDBINARY} 's/:space:/ /g')
|
SKIP=0
|
||||||
COUNT_DIR=$((COUNT_DIR + 1))
|
FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
|
||||||
FileIsReadable "${FILE}"
|
# See if we need to skip this path
|
||||||
if [ ${CANREAD} -eq 1 ]; then
|
SUBDIR=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}' | ${SEDBINARY} 's/__space__/ /g')
|
||||||
# Only check the files that are not installed by a package
|
for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}; do
|
||||||
if ! FileInstalledByPackage "${FILE}"; then
|
if Equals "${D}" "${SUBDIR}"; then
|
||||||
LogText "Test: test if file is a certificate"
|
SKIP=1
|
||||||
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
|
fi
|
||||||
if [ $? -eq 0 ]; then
|
done
|
||||||
LogText "Result: file is a certificate"
|
if [ ${SKIP} -eq 0 ]; then
|
||||||
LogText "Test: checking certificate details"
|
COUNT_DIR=$((COUNT_DIR + 1))
|
||||||
FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
|
FileIsReadable "${FILE}"
|
||||||
|
if [ ${CANREAD} -eq 1 ]; then
|
||||||
|
# Only check the files that are not installed by a package
|
||||||
|
if ! FileInstalledByPackage "${FILE}"; then
|
||||||
|
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
# Check certificate where 'end date' has been expired
|
LogText "Result: file is a certificate file"
|
||||||
FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
|
FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
|
||||||
EXIT_CODE=$?
|
if [ $? -eq 0 ]; then
|
||||||
CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
|
# Check certificate where 'end date' has been expired
|
||||||
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
|
FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
|
||||||
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
|
EXIT_CODE=$?
|
||||||
if [ ${EXIT_CODE} -eq 0 ]; then
|
CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
|
||||||
LogText "Result: certificate ${FILE} seems to be correct and still valid"
|
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
|
||||||
|
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
|
||||||
|
if [ ${EXIT_CODE} -eq 0 ]; then
|
||||||
|
LogText "Result: certificate ${FILE} seems to be correct and still valid"
|
||||||
|
else
|
||||||
|
FOUNDPROBLEM=1
|
||||||
|
COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
|
||||||
|
LogText "Result: certificate ${FILE} has been expired"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
FOUNDPROBLEM=1
|
LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (is it a key file?)"
|
||||||
COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
|
|
||||||
LogText "Result: certificate ${FILE} has been expired"
|
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)"
|
LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'"
|
||||||
fi
|
fi
|
||||||
else
|
|
||||||
LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'"
|
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
LogText "Result: can not read file ${FILE} (no permission)"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
LogText "Result: can not read file ${FILE} (no permission)"
|
LogText "Result: path ${SUBDIR} skipped according to profile"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
|
COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue