tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[CRYP-7902] fix for bourne shell and rewrite

This commit is contained in:
Michael Boelen 2017-09-06 12:56:32 +02:00
parent 2451029a6e
commit c248ab6a16
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 12 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
include/tests_crypto
View File

@ -31,6 +31,7 @@
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates" Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
COUNT_EXPIRED=0
COUNT_TOTAL=0 COUNT_TOTAL=0
FOUNDPROBLEM=0 FOUNDPROBLEM=0
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g') sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g')
@ -43,13 +44,15 @@
FileIsReadable ${DIR} FileIsReadable ${DIR}
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
LogText "Result: found directory ${DIR}" LogText "Result: found directory ${DIR}"
# Search for CRT files # Search for certificate files
${FINDBINARY} ${DIR} -type f -print0 | ${EGREPBINARY} -z ".crt$|.pem$|^cert" | ${SORTBINARY} -z | while IFS= read -r -d $'\0' FILE; do FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /:space:/g')
for FILE in ${FILES}; do
FILE=$(echo ${FILE} |${SEDBINARY} 's/:space:/ /g')
COUNT_DIR=$((COUNT_DIR + 1))
FileIsReadable "${FILE}" FileIsReadable "${FILE}"
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package # Only check the files that are not installed by a package
if ! FileInstalledByPackage "${FILE}"; then if ! FileInstalledByPackage "${FILE}"; then
COUNT_DIR=$((COUNT_DIR + 1))
LogText "Test: checking file and determining if it is certificate ${FILE}" LogText "Test: checking file and determining if it is certificate ${FILE}"
FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -59,10 +62,11 @@
CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
if [ ${EXIT_CODE} -eq 0 ]; then if [ ${EXIT_CODE} -eq 0 ]; then
LogText "Result: certificate ${FILE} seems to be correct and still valid" LogText "Result: certificate ${FILE} seems to be correct and still valid"
else else
FOUNDPROBLEM=1 FOUNDPROBLEM=1
COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
LogText "Result: certificate ${FILE} has been expired" LogText "Result: certificate ${FILE} has been expired"
fi fi
else else
@ -73,25 +77,22 @@
LogText "Result: can not read file ${FILE} (no permission)" LogText "Result: can not read file ${FILE} (no permission)"
fi fi
done done
if [ -z "$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert")" ]; then COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
LogText "Result: no certificates found in directory ${DIR}" LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"
fi
else else
LogText "Result: can not read path ${DIR} (no permission)" LogText "Result: can not read path ${DIR} (no permission)"
fi fi
LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"
else else
LogText "Result: SSL path ${DIR} does not exist" LogText "Result: SSL path ${DIR} does not exist"
fi fi
COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
done done
Report "certificates=${COUNT_TOTAL}" Report "certificates=${COUNT_TOTAL}"
LogText "Result: found a total of ${COUNT_TOTAL} certificates" LogText "Result: found a total of ${COUNT_TOTAL} certificates"
if [ ${FOUNDPROBLEM} -eq 0 ]; then if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_NONE}" --color GREEN
else else
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_FOUND}" --color RED Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Check available certificates for expiration" ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
fi fi
fi fi