tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-22 21:34:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

[CRYP-7902] Gather more certificate details and style improvements

Browse Source
This commit is contained in:
Michael Boelen 2016-09-08 21:04:02 +02:00
parent a596bdc349
commit 81d8486cb0
1 changed files with 42 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
include/tests_crypto
View File

@ -31,43 +31,55 @@
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates" Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
COUNT_TOTAL=0
FOUNDPROBLEM=0 FOUNDPROBLEM=0
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | sed 's/:/ /g') sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g')
sSSL_PATHS=`echo ${sSSL_PATHS} | sed 's/^ //' | tr " " "\n" | ${SORTBINARY} | uniq | tr "\n" " "` sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${TRBINARY} " " "\n" | ${SORTBINARY} | uniq | ${TRBINARY} "\n" " ")
LogText "Result after sorting: ${sSSL_PATHS}" LogText "Paths to scan: ${sSSL_PATHS}"
for I in ${sSSL_PATHS}; do for DIR in ${sSSL_PATHS}; do
if [ -d ${I} ]; then COUNT_DIR=0
FileIsReadable ${I} if [ -d ${DIR} ]; then
FileIsReadable ${DIR}
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
LogText "Result: found directory ${I}" LogText "Result: found directory ${DIR}"
# Search for CRT files # Search for CRT files
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null` sFINDCRTS=$(${FINDBINARY} ${DIR} -name "*.crt" -type f -print 2> /dev/null)
for J in ${sFINDCRTS}; do if [ ! -z "${sFINDCRTS}" ]; then
FileIsReadable ${J} for FILE in ${sFINDCRTS}; do
FileIsReadable ${FILE}
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
LogText "Test: checking certificate ${J}" COUNT_DIR=$((COUNT_DIR + 1))
LogText "Test: checking certificate ${FILE}"
# Check certificate where 'end date' has been expired # Check certificate where 'end date' has been expired
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?` EXIT_CODE=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in ${FILE} -enddate > /dev/null ; echo $?)
if [ "${FIND}" = "0" ]; then CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in ${FILE} 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
LogText "Result: certificate ${J} seems to be correct and still valid" CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in ${FILE} 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
Report "valid_certificate[]=${J}|unknown entity|" Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
if [ "${EXIT_CODE}" = "0" ]; then
LogText "Result: certificate ${FILE} seems to be correct and still valid"
else else
FOUNDPROBLEM=1 FOUNDPROBLEM=1
LogText "Result: certificate ${J} has been expired" LogText "Result: certificate ${FILE} has been expired"
Report "expired_certificate[]=${J}|unknown entity|"
fi fi
else else
LogText "Result: can not read file ${J} (no permission)" LogText "Result: can not read file ${FILE} (no permission)"
fi fi
done done
else else
LogText "Result: can not read path ${I} (no permission)" LogText "Result: no certificates found in directory ${DIR}"
fi fi
else else
LogText "Result: SSL path ${I} does not exist" LogText "Result: can not read path ${DIR} (no permission)"
fi fi
else
LogText "Result: SSL path ${DIR} does not exist"
fi
COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"
done done
Report "certificates=${COUNT_TOTAL}"
LogText "Result: found a total of ${COUNT_TOTAL} certificates"
if [ ${FOUNDPROBLEM} -eq 0 ]; then if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN