| author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-27 12:25:31 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2020-04-02 12:52:13 +0300 |
| commit | 9642bcffc839f4713558f927f4202ce3dd3588fd (patch) | |
| tree | 65293862bd65233bbeee37a03b21826c0305fb11 /include | |
| parent | b5a2d11738cf72691f3b09c48a4c647a4c499277 (diff) | |
[CRYP-7902] Optionally check also certificates provided by packages
The package maintainers are not immune to mistakes, or they might not
always provide timely updates, so let's check (optionally) more
certificates even if they are delivered by packages.
I found three expired certificates in my Debian/unstable system,
thanks to the changed Lynis.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'include')
| -rw-r--r-- | include/consts | 1 |
| -rw-r--r-- | include/profiles | 7 |
| -rw-r--r-- | include/tests_crypto | 4 |
3 files changed, 10 insertions, 2 deletions
diff --git a/include/consts b/include/consts index 3969aad5..80548c6b 100644 --- a/include/consts +++ b/include/consts @@ -279,6 +279,7 @@ unset LANG SNORTBINARY="" SSHKEYSCANBINARY="" SSHKEYSCANFOUND=0 + SSL_CERTIFICATE_INCLUDE_PACKAGES=0 SSL_CERTIFICATE_PATHS="" SSL_CERTIFICATE_PATHS_TO_IGNORE="" STUNNELBINARY="" diff --git a/include/profiles b/include/profiles index 328d4d49..da2124f7 100644 --- a/include/profiles +++ b/include/profiles @@ -376,6 +376,13 @@ AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates" ;; + # Check also certificates provided by packages? + ssl-certificate-include-packages) + FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SSL_CERTIFICATE_INCLUDE_PACKAGES=1 + Debug "Check also certificates provided by packages set to ${SSL_CERTIFICATE_INCLUDE_PACKAGES}" + ;; + + # Set strict mode for development and quality purposes strict) FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SET_STRICT=1 diff --git a/include/tests_crypto b/include/tests_crypto index 466f6b52..e001bb26 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -74,8 +74,8 @@ COUNT_DIR=$((COUNT_DIR + 1)) FileIsReadable "${FILE}" if [ ${CANREAD} -eq 1 ]; then - # Only check the files that are not installed by a package - if ! FileInstalledByPackage "${FILE}"; then + # Only check the files that are not installed by a package, unless enabled by profile + if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ $? -eq 0 ]; then LogText "Result: file is a certificate file" |
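Review bot: in the include/profiles hunk, the new `ssl-certificate-include-packages)` case only calls Debug and never registers the value, whereas the case directly above it records its setting with `AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"`; add a matching `AddSetting "ssl-certificate-include-packages" "${SSL_CERTIFICATE_INCLUDE_PACKAGES}" "Also check certificates provided by packages"` so the option shows up with the other SSL settings. Two smaller points, both inherited from the `strict)` pattern below: `grep -E "^(1|true|yes)"` is anchored only at the start, so values such as `10` or `yes-later` also enable the option, and because the branch only ever assigns 1 (the default 0 comes from include/consts), a later profile cannot switch it back off with `0` or `no`; `^(1|true|yes)$` would at least tighten the match. Also drop one of the two blank lines before `# Set strict mode for development and quality purposes`.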
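Review bot: in the include/tests_crypto hunk, `[ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ]` is unquoted and has no fallback, so if the variable is ever empty (the test sourced without include/consts, or the default removed later) the expression degenerates to `[ -eq 1 ]`, which is a test syntax error rather than false; `[ "${SSL_CERTIFICATE_INCLUDE_PACKAGES:-0}" -eq 1 ]` keeps the same meaning and fails closed. The `||` with `! FileInstalledByPackage "${FILE}"` is otherwise correct and short-circuits the package lookup when the option is on. Consider also extending the existing `LogText "Result: file is a certificate file"` (or adding a LogText in the new branch) to note whether the file was package-provided, since with the option enabled the log no longer distinguishes package certificates from locally added ones, which is exactly the information an admin needs when deciding whether an expired certificate is theirs or the distribution's.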