[CRYP-7902] Optionally check also certificates provided by packages

The package maintainers are not immune to mistakes or they might not
always provide timely updates, so let's check (optionally) more
certificates even if they are delivered by packages.

I found three expired certificates in my Debian/unstable system,
thanks to changed Lynis.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

CHANGELOG.md

@@ -95,6 +95,7 @@ Using the relevant options, the scan will change base on the intended goal.
 - BANN-7126 - additional words for login banner are accepted
 - BOOT-5122 - check for defined password in all GRUB configuration files
 - CONT-8106 - support newer 'docker info' output
+- CRYP-7902 - optionally check also certificates provided by packages
 - CRYP-8002 - gather kernel entropy on Linux systems
 - FILE-6310 - support for HP-UX
 - FILE-6374 - changed log and allow root location to be changed

default.prf

@@ -93,8 +93,9 @@ skip-plugins=no
 #skip-upgrade-test=yes
 
 # Locations where to search for SSL certificates (separate paths with a colon)
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
 ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
+ssl-certificate-include-packages=no
 
 # Scan type - how deep the audit should be (light, normal or full)
 test-scan-mode=full

include/consts

@@ -279,6 +279,7 @@ unset LANG
     SNORTBINARY=""
     SSHKEYSCANBINARY=""
     SSHKEYSCANFOUND=0
+    SSL_CERTIFICATE_INCLUDE_PACKAGES=0
     SSL_CERTIFICATE_PATHS=""
     SSL_CERTIFICATE_PATHS_TO_IGNORE=""
     STUNNELBINARY=""

include/profiles

@@ -376,6 +376,13 @@
                     AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
                 ;;
 
+                # Check also certificates provided by packages?
+                ssl-certificate-include-packages)
+                    FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SSL_CERTIFICATE_INCLUDE_PACKAGES=1
+                    Debug "Check also certificates provided by packages set to ${SSL_CERTIFICATE_INCLUDE_PACKAGES}"
+                ;;
+
+
                 # Set strict mode for development and quality purposes
                 strict)
                     FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SET_STRICT=1

include/tests_crypto

@@ -74,8 +74,8 @@
                             COUNT_DIR=$((COUNT_DIR + 1))
                             FileIsReadable "${FILE}"
                             if [ ${CANREAD} -eq 1 ]; then
-                                # Only check the files that are not installed by a package
+                                # Only check the files that are not installed by a package, unless enabled by profile
-                                if ! FileInstalledByPackage "${FILE}"; then
+                                if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
                                     OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
                                     if [ $? -eq 0 ]; then
                                         LogText "Result: file is a certificate file"