From c0ae2e217b7f1fb0171017ce5afb8eb8898470db Mon Sep 17 00:00:00 2001
From: mboelen
Date: Tue, 26 Aug 2014 17:33:55 +0200
Subject: Initial import
---
 include/tests_crypto | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 include/tests_crypto
(limited to 'include/tests_crypto')
diff --git a/include/tests_crypto b/include/tests_crypto
new file mode 100644
index 00000000..8560b05c
--- /dev/null
+++ b/include/tests_crypto
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Cryptography
+#
+#################################################################################
+#
+ InsertSection "Cryptography"
+#
+#################################################################################
+#
+ # Test : CRYP-7902
+ # Description : check for expired SSL certificates
+ if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check expire date of SSL certificates"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUNDPROBLEM=0
+ # Check profile for paths to check
+ sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
+ for I in ${sSSL_PATHS}; do
+ if [ -d ${I} ]; then
+ logtext "Result: found directory ${I}"
+ # Search for CRT files
+ sFINDCRTS=`find ${I} -name "*.crt" -type f -print`
+ for J in ${sFINDCRTS}; do
+ logtext "Test: checking certificate ${J}"
+ # Check certificate where 'end date' has been expired
+ FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: certificate ${J} seems to be correct and still valid"
+ report "valid_certificate[]=${J}|unknown entity|"
+ else
+ FOUNDPROBLEM=1
+ logtext "Result: certificate ${J} has been expired"
+ report "expired_certificate[]=${J}"
+ #YYY Dump more information to log file
+ fi
+ done
+ else
+ logtext "Result: SSL path ${I} does not exist"
+ fi
+ done
+
+ if [ ${FOUNDPROBLEM} -eq 0 ]; then
+ Display --indent 2 --text "- Checking SSL certificate expiration..." --result OK --color GREEN
+ else
+ Display --indent 2 --text "- Checking SSL certificate expiration..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "One or more SSL certificates expired"
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
-- cgit v1.2.3
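Review bot: The `FIND=` line reports any openssl failure as an expired certificate, because `-checkend 0` on an expired certificate and a file openssl cannot load at all (DER-encoded, a private key, an empty or corrupt `.crt`) both end in a non-zero status, so `report "expired_certificate[]=${J}"` and the WARNING fire for unparsable files while the real problem — unreadable certificate material — is never logged as such. Loading the certificate once before the expiry check separates the two cases; the rewritten inner loop below also quotes `${J}` and silences openssl's stderr, which otherwise lands in the audit output, though a path containing whitespace would already be split by `for J in ${sFINDCRTS}` and needs a `while read` over `find` to handle fully. `-checkend 0` only catches certificates that have already expired; a lookahead window such as `-checkend 2592000` (30 days) would give operators time to act, ideally read from the profile the way `ssl:certificates:` is, if its conventions allow that. The `-enddate` after `-in ${J}` produces nothing because stdout is discarded, so either drop it or capture its output for the `#YYY` branch.
```shell
for J in ${sFINDCRTS}; do
    logtext "Test: checking certificate ${J}"
    # A file openssl cannot load is not an expired certificate: log it and move on
    if ! ${OPENSSLBINARY} x509 -noout -in "${J}" > /dev/null 2>&1; then
        logtext "Result: could not parse ${J} as an X.509 certificate, skipping"
        continue
    fi
    # Exit status 0 means the certificate is still valid right now (-checkend 0)
    FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in "${J}" > /dev/null 2>&1; echo $?`
    # … unchanged: valid / expired branches …
done
```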