lynis/include/tests_crypto

96 lines
3.9 KiB
Bash

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Cryptography
#
#################################################################################
#
InsertSection "Cryptography"
#
#################################################################################
#
# Test : CRYP-7902
# Description : check for expired SSL certificates
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check expire date of SSL certificates"
if [ ${SKIPTEST} -eq 0 ]; then
FOUNDPROBLEM=0
# Check profiles for paths to check
for PROFILE in ${PROFILES}; do
PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
if [ ! "${PATHS}" = "" ]; then
LogText "Added paths (from profile: ${PROFILE}): ${PATHS}"
sSSL_PATHS="${PATHS} ${sSSL_PATHS}"
fi
done
sSSL_PATHS=`echo ${sSSL_PATHS} | sed 's/^ //' | tr " " "\n" | sort | uniq | tr "\n" " "`
LogText "Result after sorting: ${sSSL_PATHS}"
for I in ${sSSL_PATHS}; do
if [ -d ${I} ]; then
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
LogText "Result: found directory ${I}"
# Search for CRT files
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
for J in ${sFINDCRTS}; do
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
LogText "Test: checking certificate ${J}"
# Check certificate where 'end date' has been expired
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
if [ "${FIND}" = "0" ]; then
LogText "Result: certificate ${J} seems to be correct and still valid"
Report "valid_certificate[]=${J}|unknown entity|"
else
FOUNDPROBLEM=1
LogText "Result: certificate ${J} has been expired"
Report "expired_certificate[]=${J}|unknown entity|"
fi
else
LogText "Result: can not read file ${J} (no permission)"
fi
done
else
LogText "Result: can not read path ${I} (no permission)"
fi
else
LogText "Result: SSL path ${I} does not exist"
fi
done
if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN
else
Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED
ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
fi
fi
#
#################################################################################
#
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com