From 9642bcffc839f4713558f927f4202ce3dd3588fd Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Fri, 27 Mar 2020 11:25:31 +0200 Subject: [CRYP-7902] Optionally check also certificates provided by packages The package maintainers are not immune to mistakes or they might not always provide timely updates, so let's check (optionally) more certificates even if they are delivered by packages. I found three expired certificates in my Debian/unstable system, thanks to changed Lynis. Signed-off-by: Topi Miettinen --- CHANGELOG.md | 1 + default.prf | 3 ++- include/consts | 1 + include/profiles | 7 +++++++ include/tests_crypto | 4 ++-- 5 files changed, 13 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40844409..14d77906 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -95,6 +95,7 @@ Using the relevant options, the scan will change base on the intended goal. - BANN-7126 - additional words for login banner are accepted - BOOT-5122 - check for defined password in all GRUB configuration files - CONT-8106 - support newer 'docker info' output +- CRYP-7902 - optionally check also certificates provided by packages - CRYP-8002 - gather kernel entropy on Linux systems - FILE-6310 - support for HP-UX - FILE-6374 - changed log and allow root location to be changed diff --git a/default.prf b/default.prf index f59e50c2..6ff3eac2 100644 --- a/default.prf +++ b/default.prf @@ -93,8 +93,9 @@ skip-plugins=no #skip-upgrade-test=yes # Locations where to search for SSL certificates (separate paths with a colon) -ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www +ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive: +ssl-certificate-include-packages=no # Scan type - how deep the audit should be (light, normal or full) test-scan-mode=full diff --git a/include/consts b/include/consts index 3969aad5..80548c6b 100644 --- a/include/consts +++ b/include/consts @@ -279,6 +279,7 @@ unset LANG SNORTBINARY="" SSHKEYSCANBINARY="" SSHKEYSCANFOUND=0 + SSL_CERTIFICATE_INCLUDE_PACKAGES=0 SSL_CERTIFICATE_PATHS="" SSL_CERTIFICATE_PATHS_TO_IGNORE="" STUNNELBINARY="" diff --git a/include/profiles b/include/profiles index 328d4d49..da2124f7 100644 --- a/include/profiles +++ b/include/profiles @@ -376,6 +376,13 @@ AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates" ;; + # Check also certificates provided by packages? + ssl-certificate-include-packages) + FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SSL_CERTIFICATE_INCLUDE_PACKAGES=1 + Debug "Check also certificates provided by packages set to ${SSL_CERTIFICATE_INCLUDE_PACKAGES}" + ;; + + # Set strict mode for development and quality purposes strict) FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SET_STRICT=1 diff --git a/include/tests_crypto b/include/tests_crypto index 466f6b52..e001bb26 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -74,8 +74,8 @@ COUNT_DIR=$((COUNT_DIR + 1)) FileIsReadable "${FILE}" if [ ${CANREAD} -eq 1 ]; then - # Only check the files that are not installed by a package - if ! FileInstalledByPackage "${FILE}"; then + # Only check the files that are not installed by a package, unless enabled by profile + if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ $? -eq 0 ]; then LogText "Result: file is a certificate file" -- cgit v1.2.3