Merge pull request #882 from topimiettinen/check-package-certificates

[CRYP-7902] Check also certificates provided by packages
2020-04-09 11:01:39 +02:00 · 2020-04-09 11:01:39 +02:00 · a166691199
parent 1163648d89 9642bcffc8
commit a166691199
5 changed files with 13 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -99,6 +99,7 @@ Using the relevant options, the scan will change base on the intended goal.
 - BANN-7126 - additional words for login banner are accepted
 - BOOT-5122 - check for defined password in all GRUB configuration files
 - CONT-8106 - support newer 'docker info' output
+- CRYP-7902 - optionally check also certificates provided by packages
 - CRYP-8002 - gather kernel entropy on Linux systems
 - FILE-6310 - support for HP-UX
 - FILE-6374 - changed log and allow root location to be changed
--- a/default.prf
+++ b/default.prf
@ -93,8 +93,9 @@ skip-plugins=no
 #skip-upgrade-test=yes

 # Locations where to search for SSL certificates (separate paths with a colon)
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
 ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
+ssl-certificate-include-packages=no

 # Scan type - how deep the audit should be (light, normal or full)
 test-scan-mode=full
--- a/include/consts
+++ b/include/consts
@ -281,6 +281,7 @@ unset LANG
    SNORTBINARY=""
    SSHKEYSCANBINARY=""
    SSHKEYSCANFOUND=0
+    SSL_CERTIFICATE_INCLUDE_PACKAGES=0
    SSL_CERTIFICATE_PATHS=""
    SSL_CERTIFICATE_PATHS_TO_IGNORE=""
    STUNNELBINARY=""
--- a/include/profiles
+++ b/include/profiles
@ -376,6 +376,13 @@
                    AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
                ;;

+                # Check also certificates provided by packages?
+                ssl-certificate-include-packages)
+                    FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SSL_CERTIFICATE_INCLUDE_PACKAGES=1
+                    Debug "Check also certificates provided by packages set to ${SSL_CERTIFICATE_INCLUDE_PACKAGES}"
+                ;;
+
+
                # Set strict mode for development and quality purposes
                strict)
                    FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SET_STRICT=1
--- a/include/tests_crypto
+++ b/include/tests_crypto
@ -74,8 +74,8 @@
                            COUNT_DIR=$((COUNT_DIR + 1))
                            FileIsReadable "${FILE}"
                            if [ ${CANREAD} -eq 1 ]; then
-                                # Only check the files that are not installed by a package
-                                if ! FileInstalledByPackage "${FILE}"; then
+                                # Only check the files that are not installed by a package, unless enabled by profile
+                                if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
                                    OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
                                    if [ $? -eq 0 ]; then
                                        LogText "Result: file is a certificate file"