Merge pull request #736 from HoxhaEndri/master
PEM file with multiple certificates - @levi-blodgett and @HoxhaEndri looks really good. Thank you for your contribution.
m-1-k-3 committed Aug 22, 2023
2 parents 33da0b7 + c63e82d commit 00f1030
Showing 2 changed files with 65 additions and 21 deletions.
18 changes: 12 additions & 6 deletions modules/F50_base_aggregator.sh
Expand Up @@ -316,7 +316,7 @@ output_details() {
output_config_issues() {
local DATA=0

if [[ "${PW_COUNTER:-0}" -gt 0 || "${S85_SSH_VUL_CNT:-0}" -gt 0 || "${STACS_HASHES:-0}" -gt 0 || "${INT_COUNT:-0}" -gt 0 || "${POST_COUNT:-0}" -gt 0 || "${MOD_DATA_COUNTER:-0}" -gt 0 || "${S40_WEAK_PERM_COUNTER:-0}" -gt 0 || "${S55_HISTORY_COUNTER:-0}" -gt 0 || "${S50_AUTH_ISSUES:-0}" -gt 0 || "${PASS_FILES_FOUND:-0}" -gt 0 || "${CERT_CNT:-0}" -gt 0 || "${S24_FAILED_KSETTINGS:-0}" -gt 0 ]]; then
if [[ "${PW_COUNTER:-0}" -gt 0 || "${S85_SSH_VUL_CNT:-0}" -gt 0 || "${STACS_HASHES:-0}" -gt 0 || "${INT_COUNT:-0}" -gt 0 || "${POST_COUNT:-0}" -gt 0 || "${MOD_DATA_COUNTER:-0}" -gt 0 || "${S40_WEAK_PERM_COUNTER:-0}" -gt 0 || "${S55_HISTORY_COUNTER:-0}" -gt 0 || "${S50_AUTH_ISSUES:-0}" -gt 0 || "${PASS_FILES_FOUND:-0}" -gt 0 || "${TOTAL_CERT_CNT:-0}" -gt 0 || "${S24_FAILED_KSETTINGS:-0}" -gt 0 ]]; then
print_output "[+] Found the following configuration issues:"
if [[ "${S40_WEAK_PERM_COUNTER:-0}" -gt 0 ]]; then
print_output "$(indent "$(green "Found $ORANGE$S40_WEAK_PERM_COUNTER$GREEN areas with weak permissions.")")"
Expand Down Expand Up @@ -360,11 +360,13 @@ output_config_issues() {
fi
DATA=1
fi
if [[ "${CERT_CNT:-0}" -gt 0 ]]; then
print_output "$(indent "$(green "Found $ORANGE$CERT_OUT_CNT$GREEN outdated certificates in $ORANGE$CERT_CNT$GREEN certificates.")")"
if [[ "${TOTAL_CERT_CNT:-0}" -gt 0 ]]; then
print_output "$(indent "$(green "Found $ORANGE$CERT_OUT_CNT$GREEN outdated certificates and $ORANGE$CERT_WARNING_CNT expiring certificates in $ORANGE$CERT_CNT$GREEN certificate files and in a total of $ORANGE$TOTAL_CERT_CNT$GREEN certificates.")")"
write_link "s60"
write_csv_log "certificates" "$CERT_CNT" "NA" "NA" "NA" "NA" "NA" "NA" "NA"
write_csv_log "total_certificates" "$TOTAL_CERT_CNT" "NA" "NA" "NA" "NA" "NA" "NA" "NA"
write_csv_log "certificate_files" "$CERT_CNT" "NA" "NA" "NA" "NA" "NA" "NA" "NA"
write_csv_log "certificates_outdated" "$CERT_OUT_CNT" "NA" "NA" "NA" "NA" "NA" "NA" "NA"
write_csv_log "certificates_expiring" "$CERT_WARNING_CNT" "NA" "NA" "NA" "NA" "NA" "NA" "NA"
DATA=1
fi
if [[ "${MOD_DATA_COUNTER:-0}" -gt 0 ]]; then
Expand Down Expand Up @@ -780,8 +782,10 @@ get_data() {
export PASS_FILES_FOUND=0
export S50_AUTH_ISSUES=0
export S55_HISTORY_COUNTER=0
export TOTAL_CERT_CNT=0
export CERT_CNT=0
export CERT_OUT_CNT=0
export CERT_WARNING_CNT=0
export S85_SSH_VUL_CNT=0
export INT_COUNT=0
export POST_COUNT=0
Expand Down Expand Up @@ -896,8 +900,10 @@ get_data() {
S55_HISTORY_COUNTER=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S55_LOG" | cut -d: -f2 || true)
fi
if [[ -f "$LOG_DIR"/"$S60_LOG" ]]; then
CERT_CNT=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S60_LOG" | cut -d: -f2 || true)
CERT_OUT_CNT=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S60_LOG" | cut -d: -f3 || true)
TOTAL_CERT_CNT=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S60_LOG" | cut -d: -f2 || true)
CERT_CNT=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S60_LOG" | cut -d: -f3 || true)
CERT_OUT_CNT=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S60_LOG" | cut -d: -f4 || true)
CERT_WARNING_CNT=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S60_LOG" | cut -d: -f5 || true)
fi
if [[ -f "$LOG_DIR"/"$S85_LOG" ]]; then
S85_SSH_VUL_CNT=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S85_LOG" | cut -d: -f2 || true)
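Review bot: The new summary line under `if [[ "${TOTAL_CERT_CNT:-0}" -gt 0 ]]` in output_config_issues drops the colour reset after the warning count: `$ORANGE$CERT_WARNING_CNT expiring certificates in $ORANGE$CERT_CNT$GREEN` leaves "expiring certificates in" rendered in orange while every other count in the sentence is followed by `$GREEN`; it should read `$ORANGE$CERT_WARNING_CNT$GREEN expiring certificates in $ORANGE$CERT_CNT$GREEN certificate files`. In the get_data hunk the S60 log is grepped four times to split the fields of one `Statistics:` line; a single `IFS=: read -r _ TOTAL_CERT_CNT CERT_CNT CERT_OUT_CNT CERT_WARNING_CNT < <(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$S60_LOG" || true)` reads them in one pass and keeps the field order visible next to the variable names, which matters now that the line layout changed from two to four fields and the aggregator has to stay in step with what S60 writes. Both output_config_issues and get_data begin and end outside the hunks shown.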
68 changes: 53 additions & 15 deletions modules/S60_cert_file_check.sh
Expand Up @@ -24,51 +24,89 @@ S60_cert_file_check()
local CERT_FILES_ARR=()
readarray -t CERT_FILES_ARR < <(config_find "$CONFIG_DIR""/cert_files.cfg")

local CERT_CNT=0
local CERT_FILES_CNT=0
local TOTAL_CERT_CNT=0
local CERT_OUT_CNT=0
local CURRENT_DATE=""
local LINE=""
local CERT_DATE=""
local CERT_DATE_=""
local CERT_NAME=""
local CERT_LOG=""
local NESTED_CERT_CNT=0
local FUTURE_DATE=""
local EXPIRE_WATCH_DATE="2 years"
local SPECIFIC_CERT=""
local CERT_WARNING_CNT=0

if [[ "${CERT_FILES_ARR[0]-}" == "C_N_F" ]]; then print_output "[!] Config not found"
elif [[ ${#CERT_FILES_ARR[@]} -ne 0 ]]; then
write_csv_log "Certificate file" "Certificate expire on" "Certificate expired"
print_output "[+] Found ""$ORANGE${#CERT_FILES_ARR[@]}$GREEN"" possible certification files:"
print_ln
CURRENT_DATE=$(date +%s)
FUTURE_DATE=$(date --date="$EXPIRE_WATCH_DATE" +%s)
for LINE in "${CERT_FILES_ARR[@]}" ; do
if [[ -f "$LINE" && $(wc -l "$LINE" | awk '{print $1}'|| true) -gt 1 ]]; then
((CERT_CNT+=1))
((CERT_FILES_CNT+=1))
if command -v openssl > /dev/null ; then
CERT_DATE=$(date --date="$(timeout --preserve-status --signal SIGINT 10 openssl x509 -enddate -noout -in "$LINE" 2>/dev/null | cut -d= -f2)" --iso-8601 || true)
CERT_DATE_=$(date --date="$(timeout --preserve-status --signal SIGINT 10 openssl x509 -enddate -noout -in "$LINE" 2>/dev/null | cut -d= -f2)" +%s || true)
CERT_NAME=$(basename "$LINE")
CERT_LOG="$LOG_PATH_MODULE/cert_details_$CERT_NAME.txt"
write_log "[*] Cert file: $LINE\n" "$CERT_LOG"
timeout --preserve-status --signal SIGINT 10 openssl x509 -in "$LINE" -text 2>/dev/null >> "$CERT_LOG" || true
if [[ $CERT_DATE_ -lt $CURRENT_DATE ]]; then
print_output " ${RED}$CERT_DATE - $(print_path "$LINE")${NC}" "" "$CERT_LOG"
write_csv_log "$LINE" "$CERT_DATE_" "yes"
((CERT_OUT_CNT+=1))
else
print_output " ${GREEN}$CERT_DATE - $(print_path "$LINE")${NC}" "" "$CERT_LOG"
write_csv_log "$LINE" "$CERT_DATE_" "no"
fi
timeout --preserve-status --signal SIGINT 10 openssl storeutl -noout -text -certs "$LINE" 2>/dev/null >> "$CERT_LOG"
NESTED_CERT_CNT=$(tail -n 1 < "$CERT_LOG" | grep -o '[0-9]\+')
((TOTAL_CERT_CNT+=NESTED_CERT_CNT))
for ((i=1; i<=NESTED_CERT_CNT; i++)); do
index=$((i - 1))
CERT_DATE=$(date --date="$(grep 'Not After :' "$CERT_LOG" | awk -v cnt="$i" 'NR==cnt {sub(/.*: /, ""); print}')" --iso-8601 || true)
CERT_DATE_=$(date --date="$(grep 'Not After :' "$CERT_LOG" | awk -v cnt="$i" 'NR==cnt {sub(/.*: /, ""); print}')" +%s || true)
SIGNATURE=$(sed -n '/Signature Value:/!b;n;p' "$CERT_LOG" | sed -n "${i}p" | xargs)
SPECIFIC_CERT=$(head -n -1 < "$CERT_LOG" | awk -v idx="$index" '
BEGIN { found = 0 }
/^[0-9]+: Certificate$/ {
if (found) {
print cert;
cert = "";
found = 0
}
}
$1 == idx ":" && !found {
found = 1
}
found {
cert = cert $0 ORS
}
END {
if (found) {
print cert
}
}' | tail -n+2)

if [[ $CERT_DATE_ -lt $CURRENT_DATE ]]; then
print_output " ${RED}$CERT_DATE - $(print_path "$LINE") $SIGNATURE ${NC}" "" "$SPECIFIC_CERT"
write_csv_log "$LINE" "$CERT_DATE_" "yes"
((CERT_OUT_CNT+=1))
elif [[ $CERT_DATE_ -le $FUTURE_DATE ]]; then
print_output " ${ORANGE}$CERT_DATE - $(print_path "$LINE") $SIGNATURE ${NC}" "" "$SPECIFIC_CERT"
write_csv_log "$LINE" "$CERT_DATE_" "expires within $EXPIRE_WATCH_DATE"
((CERT_WARNING_CNT+=1))
else
print_output " ${GREEN}$CERT_DATE - $(print_path "$LINE") $SIGNATURE ${NC}" "" "$SPECIFIC_CERT"
write_csv_log "$LINE" "$CERT_DATE_" "no"
fi
done
else
print_output "$(indent "$(orange "$(print_path "$LINE")")")"
write_csv_log "$LINE" "unknown" "unknown"
fi
fi
done
write_log ""
write_log "[*] Statistics:$CERT_CNT:$CERT_OUT_CNT"
write_log "[*] Statistics:$TOTAL_CERT_CNT:$CERT_FILES_CNT:$CERT_OUT_CNT:$CERT_WARNING_CNT"
else
print_output "[-] No certification files found"
fi

module_end_log "${FUNCNAME[0]}" "$CERT_CNT"
module_end_log "${FUNCNAME[0]}" "$TOTAL_CERT_CNT"
}
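Review bot: Inside the `for ((i=1; i<=NESTED_CERT_CNT; i++))` loop the expiry date and the signature are taken by ordinal from the whole `$CERT_LOG` (`grep 'Not After :' "$CERT_LOG" | awk ... NR==cnt` and `sed -n "${i}p"`), while the certificate body `SPECIFIC_CERT` is selected by index from the storeutl section only; if the single-certificate `openssl x509 -text` dump a few lines above is still appended to the same log before storeutl runs, the log holds one more `Not After :` / `Signature Value:` entry than storeutl certificates, and from the second certificate on the printed date and signature belong to the previous certificate while the CSV row and the expired/expiring counters are derived from that wrong date. Extracting `SPECIFIC_CERT` first and reading the date and signature from it through a here-string ties the three values to the same certificate regardless of what else is in the log; the rewritten loop head is below. The storeutl call is also the only `openssl` invocation in the function without `|| true`, and `NESTED_CERT_CNT=$(tail -n 1 < "$CERT_LOG" | grep -o '[0-9]\+')` assumes the log's last line is storeutl's `Total found:` summary — when storeutl printed nothing (timeout, unparsable file) it picks up whatever digits the preceding line happens to contain, or fails the assignment; anchoring on the summary text, `NESTED_CERT_CNT=$(grep -a -o 'Total found: *[0-9]\+' "$CERT_LOG" | tail -n 1 | grep -o '[0-9]\+' || true)`, leaves it empty (arithmetically 0) instead. `i`, `index` and `SIGNATURE` are the only variables in the function not declared `local` with the others at the top; S60_cert_file_check's opening line lies above the hunk.
```shell
for ((i=1; i<=NESTED_CERT_CNT; i++)); do
  index=$((i - 1))
  # … unchanged: SPECIFIC_CERT=$(head -n -1 < "$CERT_LOG" | awk -v idx="$index" '…' | tail -n+2) — moved up so the fields below are read from this certificate only …
  CERT_DATE=$(date --date="$(grep 'Not After :' <<<"$SPECIFIC_CERT" | head -n 1 | sed 's/.*: //')" --iso-8601 || true)
  CERT_DATE_=$(date --date="$(grep 'Not After :' <<<"$SPECIFIC_CERT" | head -n 1 | sed 's/.*: //')" +%s || true)
  SIGNATURE=$(sed -n '/Signature Value:/!b;n;p' <<<"$SPECIFIC_CERT" | head -n 1 | xargs)
  # … unchanged: expired / expiring-within-EXPIRE_WATCH_DATE / valid branches …
done
```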
