#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2013-2016, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Cryptography # ################################################################################# # InsertSection "Cryptography" # ################################################################################# # # Test : CRYP-7902 # Description : check for expired SSL certificates if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check expire date of SSL certificates" if [ ${SKIPTEST} -eq 0 ]; then FOUNDPROBLEM=0 # Check profiles for paths to check for PROFILE in ${PROFILES}; do PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` if [ ! "${PATHS}" = "" ]; then LogText "Added paths (from profile: ${PROFILE}): ${PATHS}" sSSL_PATHS="${PATHS} ${sSSL_PATHS}" fi done sSSL_PATHS=`echo ${sSSL_PATHS} | sed 's/^ //' | tr " " "\n" | sort | uniq | tr "\n" " "` LogText "Result after sorting: ${sSSL_PATHS}" for I in ${sSSL_PATHS}; do if [ -d ${I} ]; then FileIsReadable ${I} if [ ${CANREAD} -eq 1 ]; then LogText "Result: found directory ${I}" # Search for CRT files sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null` for J in ${sFINDCRTS}; do FileIsReadable ${J} if [ ${CANREAD} -eq 1 ]; then LogText "Test: checking certificate ${J}" # Check certificate where 'end date' has been expired FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?` if [ "${FIND}" = "0" ]; then LogText "Result: certificate ${J} seems to be correct and still valid" Report "valid_certificate[]=${J}|unknown entity|" else FOUNDPROBLEM=1 LogText "Result: certificate ${J} has been expired" Report "expired_certificate[]=${J}|unknown entity|" fi else LogText "Result: can not read file ${J} (no permission)" fi done else LogText "Result: can not read path ${I} (no permission)" fi else LogText "Result: SSL path ${I} does not exist" fi done if [ ${FOUNDPROBLEM} -eq 0 ]; then Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN else Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED ReportSuggestion ${TEST_NO} "Check available certificates for expiration" fi fi # ################################################################################# # wait_for_keypress # #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com