From 9642bcffc839f4713558f927f4202ce3dd3588fd Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Fri, 27 Mar 2020 11:25:31 +0200
Subject: [CRYP-7902] Optionally check also certificates provided by packages
The package maintainers are not immune to mistakes or they might not always provide timely updates, so let's check (optionally) more certificates even if they are delivered by packages. I found three expired certificates in my Debian/unstable system, thanks to changed Lynis.
Signed-off-by: Topi Miettinen
---
 default.prf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'default.prf')
diff --git a/default.prf b/default.prf
index f59e50c2..6ff3eac2 100644
--- a/default.prf
+++ b/default.prf
@@ -93,8 +93,9 @@ skip-plugins=no
 #skip-upgrade-test=yes
 # Locations where to search for SSL certificates (separate paths with a colon)
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
 ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
+ssl-certificate-include-packages=no
 # Scan type - how deep the audit should be (light, normal or full)
 test-scan-mode=full
--
cgit v1.2.3
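Review bot: The new `ssl-certificate-include-packages=no` line is added without a comment, while the neighbouring settings in this hunk each carry a `#` line saying what they control and which values they take. I would put `# Also check certificates that are delivered by installed packages (yes or no)` directly above it. The same hunk adds `/usr/share/ca-certificates` and `/usr/share/gnupg` to `ssl-certificate-paths` while the option defaults to `no`. Presumably most files under those paths are package-owned and therefore skipped unless the option is enabled, but the test code is not part of this diff, so that relationship should be stated in the comment as well. Since the commit message reports expired package-provided certificates on a real system, a short note that the default leaves such certificates unreported would help operators decide whether to turn it on.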