Added an option to check for X-Frame-Options

ChangeLog

@@ -1,3 +1,7 @@
+2022-09-06  Matteo Corti  <[email protected]>
+
+        * check_ssl_cert (main): Added --require-x-frame-options to check for the X-Frame-Options header
+
 2022-09-02  Matteo Corti  <[email protected]>
 
         * Makefile (CITATION.cff): rebuild if a new version was specified

NEWS.md

@@ -1,5 +1,6 @@
 * 2022-09-02 Version 2.42.0
   * Disable nmap checks if a proxy is specified
+  * Added ```--require-x-frame-options``` to check for the X-Frame-Options header
 * 2022-09-01 Version 2.41.0
   * Fixed the parsing of UTF-8 certificate subjects
   * Better OpenSSL error handling

README.md

@@ -204,7 +204,7 @@ Options:
       --require-no-tls1            Critical if TLS 1 is offered
       --require-no-tls1_1          Critical if TLS 1.1 is offered
       --require-ocsp-stapling      Require OCSP stapling
-      --require-purpose usage      requires the specified key usage (can be
+      --require-purpose usage      Require the specified key usage (can be
                                    specified more then once)
       --require-purpose-critical   the key usage must be critical
       --resolve ip                 Provide a custom IP address for the
@@ -272,6 +272,8 @@ Deprecated options:
       --require-san                Require the presence of a Subject
                                    Alternative Name
                                    extension
+      --require-x-frame-options    Require the presence of the
+                                   X-Frame-Options HTTP header
    -S,--ssl version                Force SSL version (2,3)
                                    (see: --ssl2 or --ssl3)
       --curl-user-agent string     User agent that curl shall use to obtain

RELEASE_NOTES.md

@@ -1 +1,2 @@
-Disable checks with nmap if a proxy is specified
+ * Disable checks with nmap if a proxy is specified
+ * Added   ```--require-x-frame-options``` to check for the X-Frame-Options header

check_ssl_cert

@@ -290,9 +290,11 @@ usage() {
     echo "      --require-no-tls1            Critical if TLS 1 is offered"
     echo "      --require-no-tls1_1          Critical if TLS 1.1 is offered"
     echo "      --require-ocsp-stapling      Require OCSP stapling"
-    echo "      --require-purpose usage      requires the specified key usage (can be"
+    echo "      --require-purpose usage      Require the specified key usage (can be"
     echo "                                   specified more then once)"
     echo "      --require-purpose-critical   the key usage must be critical"
+    echo "      --require-x-frame-options    Require the presence of the"
+    echo "                                   X-Frame-Options HTTP header"
     echo "      --resolve ip                 Provide a custom IP address for the"
     echo "                                   specified host"
     echo "      --rootcert-dir path          Root directory to be used for certificate"
@@ -2886,6 +2888,10 @@ parse_command_line_options() {
             REQUIRE_SAN=1
             shift
             ;;
+        --require-x-frame-options)
+            REQUIRE_X_FRAME_OPTIONS=1
+            shift
+            ;;
         -s | --selfsigned)
             SELFSIGNED=1
             shift
@@ -3588,6 +3594,7 @@ main() {
         # we check HSTS only with HTTP/HTTPS
         if [ -z "${PROTOCOL}" ] || [ "${PROTOCOL}" = 'http' ] || [ "${PROTOCOL}" = 'https' ] || [ "${PROTOCOL}" = 'h2' ] ; then
             REQUIRE_HSTS=1
+            REQUIRE_X_FRAME_OPTIONS=1
         fi
 
     fi
@@ -4789,22 +4796,48 @@ main() {
 
     fi
 
-    # check HSTS
-    if [ -n "${REQUIRE_HSTS}" ] ; then
+    # check HSTS and/or X-Frame-Options
+    if [ -n "${REQUIRE_HSTS}" ] || [ -n "${REQUIRE_X_FRAME_OPTIONS}" ] ; then
 
-        debuglog "Checking HSTS"
+        debuglog "Checking HTTP headers"
+
+        create_temporary_file
+        HTML=${TEMPFILE}
 
         # -s (--silent)
         # -D (--dump-header)
         # -A (--user-agent)
         # -L (--location): follow redirects
-        exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} -s -D- -A '${HTTP_USER_AGENT}' -L https://${HOST} | grep -i ^strict-transport-security:"
+        exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} -s -D- -A '${HTTP_USER_AGENT}' -L https://${HOST}" "${HTML}"
         RET=$?
 
-        if [ "${RET}" -eq 1 ] ; then
-            prepend_critical_message "HSTS is not supported"
-        else
-            verboselog "HSTS is supported"
+        if [ "${RET}" -ne 0 ] ; then
+            debuglog "Cannot retrieve HTML headers (curl error code: ${RET})"
+            prepend_critical_message "Cannot retrieve HTML headers"
+        fi
+
+        if [ -n "${REQUIRE_HSTS}" ] ; then
+
+            debuglog "Checking HSTS"
+
+            if ! grep -q -i '^strict-transport-security:' "${HTML}" ; then
+                prepend_critical_message "HSTS is not supported"
+            else
+                verboselog "HSTS is supported"
+            fi
+
+        fi
+
+        if [ -n "${REQUIRE_X_FRAME_OPTIONS}" ] ; then
+
+            debuglog "Checking X-Frame-Options"
+
+            if ! grep -q -i '^X-Frame-Options' "${HTML}" ; then
+                prepend_critical_message "X-Frame-Options is not supported"
+            else
+                verboselog "X-Frame-Options is supported"
+            fi
+
         fi
 
     fi

check_ssl_cert.1

@@ -338,7 +338,7 @@ Critical if TLS 1.1 is offered
 Require OCSP stapling
 .TP
 .BR "    --require-purpose" " usage"
-requires the specified key usage (can be specified more then once)
+Require the specified key usage (can be specified more then once)
 .TP
 .BR "    --require-purpose-critical"
 the key usage must be critical
@@ -457,6 +457,9 @@ Check revocation via OCSP (enabled by default)
 .BR "   --require-san"
 Require the presence of a Subject Alternative Name extension
 .TP
+.BR "   --require-x-frame-options"
+Require the presence of the X-Frame-Options HTTP header
+.TP
 .BR "-S,--ssl" " version"
 Force SSL version (2,3) (see: --ssl2 or --ssl3)
 .TP

check_ssl_cert.completion

@@ -14,7 +14,7 @@ _check_ssl_cert() {
     #   only the autocompletion with long options is implemented: long options are more readable and quick to enter since we are
     #   using autocompletion.
     #
-    opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --critical --check-ciphers --check-ciphers-warnings  --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --http-use-get --ignore-altnames --ignore-connection-problems --ignore-exp --ignore-host-cn --ignore-incomplete-chain --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --precision --prometheus --proxy --require-client-cert --require-dnssec --require-hsts --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve  --rootcert-dir --rootcert-file --rsa --serial --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org  --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning"
+    opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --critical --check-ciphers --check-ciphers-warnings  --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --http-use-get --ignore-altnames --ignore-connection-problems --ignore-exp --ignore-host-cn --ignore-incomplete-chain --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --precision --prometheus --proxy --require-client-cert --require-dnssec --require-hsts --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --require-x-frame-options --resolve  --rootcert-dir --rootcert-file --rsa --serial --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org  --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning"
 
     if [[ ${cur} == -* || ${COMP_CWORD} -eq 1 ]]; then
         # shellcheck disable=2207

check_ssl_cert.spec

@@ -54,7 +54,7 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
-* Thu Sep   2 2022 Matteo Corti <[email protected]> - 2.42.0-0
+* Tue Sep   6 2022 Matteo Corti <[email protected]> - 2.42.0-0
 - Updated to 2.42.0
 
 * Thu Sep   1 2022 Matteo Corti <[email protected]> - 2.41.0-0

test/unit_tests.sh

@@ -1751,6 +1751,20 @@ testDNSSECError() {
     assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
 }
 
+testXFrameOptionsOK() {
+    # shellcheck disable=SC2086
+    ${SCRIPT} ${TEST_DEBUG} -H github.com --ignore-exp --require-x-frame-options
+    EXIT_CODE=$?
+    assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
+testXFrameOptionsFailed() {
+    # shellcheck disable=SC2086
+    ${SCRIPT} ${TEST_DEBUG} -H badssl.com --ignore-exp --require-x-frame-options
+    EXIT_CODE=$?
+    assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
 # the script will exit without executing main
 export SOURCE_ONLY='test'
 

utils/help.txt

@@ -151,12 +151,14 @@
 --require-no-tls1;Critical if TLS 1 is offered
 --require-no-tls1_1;Critical if TLS 1.1 is offered
 --require-ocsp-stapling;Require OCSP stapling
---require-purpose usage;requires the specified key usage (can be
+--require-purpose usage;Require the specified key usage (can be
 --require-purpose usage;specified more then once)
 --require-purpose-critical;the key usage must be critical
 --require-san;Alternative Name
 --require-san;Require the presence of a Subject
 --require-san;extension
+--require-x-frame-options;Require the presence of the
+--require-x-frame-options;X-Frame-Options HTTP header
 --resolve ip;Provide a custom IP address for the
 --resolve ip;specified host
 --rootcert-dir path;Root directory to be used for