mirror of https://github.com/CISOfy/lynis.git
103 lines
4.9 KiB
Bash
103 lines
4.9 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2017, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Cryptography
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "Cryptography"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : CRYP-7902
|
|
# Description : check for expired SSL certificates
|
|
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
COUNT_TOTAL=0
|
|
FOUNDPROBLEM=0
|
|
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g')
|
|
sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${TRBINARY} " " "\n" | ${SORTBINARY} | uniq | ${TRBINARY} "\n" " ")
|
|
LogText "Paths to scan: ${sSSL_PATHS}"
|
|
|
|
for DIR in ${sSSL_PATHS}; do
|
|
COUNT_DIR=0
|
|
if [ -d ${DIR} ]; then
|
|
FileIsReadable ${DIR}
|
|
if [ ${CANREAD} -eq 1 ]; then
|
|
LogText "Result: found directory ${DIR}"
|
|
# Search for CRT files
|
|
sFINDCRTS=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY})
|
|
if [ ! -z "${sFINDCRTS}" ]; then
|
|
for FILE in ${sFINDCRTS}; do
|
|
FileIsReadable ${FILE}
|
|
if [ ${CANREAD} -eq 1 ]; then
|
|
# Only check the files that are not installed by a package
|
|
if ! FileInstalledByPackage ${FILE}; then
|
|
COUNT_DIR=$((COUNT_DIR + 1))
|
|
LogText "Test: checking certificate ${FILE}"
|
|
# Check certificate where 'end date' has been expired
|
|
EXIT_CODE=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in ${FILE} -enddate > /dev/null ; echo $?)
|
|
CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in ${FILE} 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
|
|
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in ${FILE} 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
|
|
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
|
|
if [ "${EXIT_CODE}" = "0" ]; then
|
|
LogText "Result: certificate ${FILE} seems to be correct and still valid"
|
|
else
|
|
FOUNDPROBLEM=1
|
|
LogText "Result: certificate ${FILE} has been expired"
|
|
fi
|
|
fi
|
|
else
|
|
LogText "Result: can not read file ${FILE} (no permission)"
|
|
fi
|
|
done
|
|
else
|
|
LogText "Result: no certificates found in directory ${DIR}"
|
|
fi
|
|
else
|
|
LogText "Result: can not read path ${DIR} (no permission)"
|
|
fi
|
|
LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"
|
|
else
|
|
LogText "Result: SSL path ${DIR} does not exist"
|
|
fi
|
|
COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
|
|
done
|
|
Report "certificates=${COUNT_TOTAL}"
|
|
LogText "Result: found a total of ${COUNT_TOTAL} certificates"
|
|
|
|
if [ ${FOUNDPROBLEM} -eq 0 ]; then
|
|
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN
|
|
else
|
|
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_FOUND}" --color RED
|
|
ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|