diff options
author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-27 12:25:31 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2020-04-02 12:52:13 +0300 |
commit | 9642bcffc839f4713558f927f4202ce3dd3588fd (patch) | |
tree | 65293862bd65233bbeee37a03b21826c0305fb11 /include/tests_crypto | |
parent | b5a2d11738cf72691f3b09c48a4c647a4c499277 (diff) |
[CRYP-7902] Optionally check also certificates provided by packages
The package maintainers are not immune to mistakes or they might not
always provide timely updates, so let's check (optionally) more
certificates even if they are delivered by packages.
I found three expired certificates in my Debian/unstable system,
thanks to changed Lynis.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'include/tests_crypto')
-rw-r--r-- | include/tests_crypto | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/include/tests_crypto b/include/tests_crypto index 466f6b52..e001bb26 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -74,8 +74,8 @@ COUNT_DIR=$((COUNT_DIR + 1)) FileIsReadable "${FILE}" if [ ${CANREAD} -eq 1 ]; then - # Only check the files that are not installed by a package - if ! FileInstalledByPackage "${FILE}"; then + # Only check the files that are not installed by a package, unless enabled by profile + if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ $? -eq 0 ]; then LogText "Result: file is a certificate file" |