New profile option to ignore specified certificate directories

default.prf

@@ -92,8 +92,9 @@ skip-plugins=no
 # Skip Lynis upgrade availability test (default: no)
 #skip-upgrade-test=yes
 
-# Locations where to search for SSL certificates
+# Locations where to search for SSL certificates (separate paths with a colon)
 ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
+ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
 
 # Scan type - how deep the audit should be (light, normal or full)
 test-scan-mode=full

include/consts

@@ -265,6 +265,7 @@ unset LANG
     SSHKEYSCANBINARY=""
     SSHKEYSCANFOUND=0
     SSL_CERTIFICATE_PATHS=""
+    SSL_CERTIFICATE_PATHS_TO_IGNORE=""
     STUNNELBINARY=""
     SYSLOGNGBINARY=""
     SYSTEMCTLBINARY=""

include/profiles

@@ -63,7 +63,7 @@
         # Now parse the profile and filter out unwanted characters
         DATA=$(egrep "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | sed 's/ /!space!/g')
         for CONFIGOPTION in ${DATA}; do
-            if ContainsString "config:" "${CONFIGOPTION}"; then
+            if ContainsString "^config:" "${CONFIGOPTION}"; then
                 # Old style configuration
                 OPTION=$(echo ${CONFIGOPTION} | cut -d ':' -f2)
                 VALUE=$(echo ${CONFIGOPTION} | cut -d ':' -f3 | sed 's/!space!/ /g')
@@ -119,7 +119,7 @@
                 ;;
 
                 # Ignore configuration data
-                config-data)
+                config-data | permdir | permfile)
                     Debug "Ignoring configuration option, as it will be used by a specific test"
                 ;;
 
@@ -364,7 +364,7 @@
 
                 ssl-certificate-paths-to-ignore)
                     # Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
-                    SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /:space:/g')
+                    SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g')
                     Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
                     AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
                 ;;
@@ -482,10 +482,14 @@
                 # Catch all bad options and bail out
                 *)
                     LogText "Unknown option ${OPTION} (with value: ${VALUE})"
-                    ${ECHOCMD} ""
-                    ${ECHOCMD} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}"
-                    ${ECHOCMD} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})"
-                    ${ECHOCMD} ""
+
+                    ${ECHOCMD:-echo} ""
+                    ${ECHOCMD:-echo} "${RED}Error${NORMAL}: found one or more errors in profile ${PROFILE}"
+                    ${ECHOCMD:-echo} ""
+                    ${ECHOCMD:-echo} ""
+                    ${ECHOCMD:-echo} "Full line: ${CONFIGOPTION}"
+                    ${ECHOCMD:-echo} "${WHITE}Details${NORMAL}: Unknown option '${YELLOW}${OPTION}${NORMAL}' found (with value: ${VALUE})"
+                    ${ECHOCMD:-echo} ""
                     ExitFatal
                 ;;
 

include/tests_crypto

@@ -34,10 +34,13 @@
         COUNT_EXPIRED=0
         COUNT_TOTAL=0
         FOUNDPROBLEM=0
-        sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g')
-        sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${TRBINARY} " " "\n" | ${SORTBINARY} | uniq | ${TRBINARY} "\n" " ")
+        sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:space:/__space__/g' | ${SEDBINARY} 's/:/ /g')
+        sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${SORTBINARY} | ${UNIQBINARY})
         LogText "Paths to scan: ${sSSL_PATHS}"
 
+        IGNORE_PATHS_PRINT=$(echo ${SSL_CERTIFICATE_PATHS_TO_IGNORE} | ${SEDBINARY} 's/:/, /g' | ${SEDBINARY} 's/__space__/ /g' | ${SEDBINARY} 's/^ //' | ${SORTBINARY} | ${UNIQBINARY})
+        LogText "Paths to ignore: ${IGNORE_PATHS_PRINT}"
+
         for DIR in ${sSSL_PATHS}; do
             COUNT_DIR=0
             if [ -d ${DIR} ]; then
@@ -45,19 +48,26 @@
                 if [ ${CANREAD} -eq 1 ]; then
                     LogText "Result: found directory ${DIR}"
                     # Search for certificate files
-                    FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /:space:/g')
+                    FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
                     for FILE in ${FILES}; do
-                        FILE=$(echo ${FILE} |${SEDBINARY} 's/:space:/ /g')
+                        SKIP=0
+                        FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
+                        # See if we need to skip this path
+                        SUBDIR=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}' | ${SEDBINARY} 's/__space__/ /g')
+                        for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}; do
+                            if Equals "${D}" "${SUBDIR}"; then
+                                SKIP=1
+                            fi
+                        done
+                        if [ ${SKIP} -eq 0 ]; then
                             COUNT_DIR=$((COUNT_DIR + 1))
                             FileIsReadable "${FILE}"
                             if [ ${CANREAD} -eq 1 ]; then
                                 # Only check the files that are not installed by a package
                                 if ! FileInstalledByPackage "${FILE}"; then
-                                LogText "Test: test if file is a certificate"
                                     OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
                                     if [ $? -eq 0 ]; then
-                                    LogText "Result: file is a certificate"
-                                    LogText "Test: checking certificate details"
+                                        LogText "Result: file is a certificate file"
                                         FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
                                         if [ $? -eq 0 ]; then
                                             # Check certificate where 'end date' has been expired
@@ -74,7 +84,7 @@
                                                 LogText "Result: certificate ${FILE} has been expired"
                                             fi
                                         else
-                                        LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)"
+                                            LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (is it a key file?)"
                                         fi
                                     else
                                         LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'"
@@ -83,6 +93,9 @@
                             else
                                 LogText "Result: can not read file ${FILE} (no permission)"
                             fi
+                        else
+                            LogText "Result: path ${SUBDIR} skipped according to profile"
+                        fi
                     done
                     COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
                     LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"