mirror of https://github.com/CISOfy/lynis.git
88 lines
3.7 KiB
Bash
88 lines
3.7 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2013-2016, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Cryptography
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "Cryptography"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : CRYP-7902
|
|
# Description : check for expired SSL certificates
|
|
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FOUNDPROBLEM=0
|
|
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | sed 's/:/ /g')
|
|
sSSL_PATHS=`echo ${sSSL_PATHS} | sed 's/^ //' | tr " " "\n" | sort | uniq | tr "\n" " "`
|
|
LogText "Result after sorting: ${sSSL_PATHS}"
|
|
|
|
for I in ${sSSL_PATHS}; do
|
|
if [ -d ${I} ]; then
|
|
FileIsReadable ${I}
|
|
if [ ${CANREAD} -eq 1 ]; then
|
|
LogText "Result: found directory ${I}"
|
|
# Search for CRT files
|
|
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
|
|
for J in ${sFINDCRTS}; do
|
|
FileIsReadable ${J}
|
|
if [ ${CANREAD} -eq 1 ]; then
|
|
LogText "Test: checking certificate ${J}"
|
|
# Check certificate where 'end date' has been expired
|
|
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
|
|
if [ "${FIND}" = "0" ]; then
|
|
LogText "Result: certificate ${J} seems to be correct and still valid"
|
|
Report "valid_certificate[]=${J}|unknown entity|"
|
|
else
|
|
FOUNDPROBLEM=1
|
|
LogText "Result: certificate ${J} has been expired"
|
|
Report "expired_certificate[]=${J}|unknown entity|"
|
|
fi
|
|
else
|
|
LogText "Result: can not read file ${J} (no permission)"
|
|
fi
|
|
done
|
|
else
|
|
LogText "Result: can not read path ${I} (no permission)"
|
|
fi
|
|
else
|
|
LogText "Result: SSL path ${I} does not exist"
|
|
fi
|
|
done
|
|
|
|
if [ ${FOUNDPROBLEM} -eq 0 ]; then
|
|
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN
|
|
else
|
|
Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_FOUND}" --color RED
|
|
ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|