From 69a61bcc517ee151e8626cc43a290bc22d36f581 Mon Sep 17 00:00:00 2001
From: Romain Dessort
Date: Mon, 11 Sep 2017 11:16:42 -0400
Subject: [PATCH] Check for world readable private keys

---
 evocheck.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/evocheck.sh b/evocheck.sh
index 203e209..665a55b 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -73,6 +73,7 @@ IS_BACKUPUPTODATE=1
 IS_GITPERMS=1
 IS_NOTUPGRADED=1
 IS_TUNE2FS_M5=1
+IS_PRIVKEYWOLRDREADABLE=1

 #Proper to OpenBSD
 IS_SOFTDEP=1
@@ -620,3 +621,12 @@ if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then
 && grep "^URGENCYTEL" $f |grep -qv "06.00.00.00.00" \
 && grep "^REALM" $f |grep -qv "example.com" ) || echo 'IS_EVOMAINTENANCECONF FAILED!'
 fi
+
+if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then
+ for f in /etc/ssl/private/*; do
+ perms=$(stat -c "%a" $f)
+ if [ ${perms: -1} != "0" ]; then
+ echo 'IS_PRIVKEYWOLRDREADABLE FAILED!'
+ fi
+ done
+fi
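Review bot: In the added `IS_PRIVKEYWOLRDREADABLE` loop, `$f` and `${perms: -1}` are unquoted, so when `/etc/ssl/private/*` matches nothing (or a file name contains whitespace) `stat` fails, `perms` is empty and `[` prints a syntax error instead of giving a clean result. `stat` without `-L` also reports a symlink's own mode (777 on Linux), so a symlinked key is flagged whatever the target's permissions are. I would write the loop body as `[ -e "$f" ] || continue`, `perms=$(stat -L -c "%a" "$f")` and `if [ "${perms: -1}" != "0" ]; then`. `${perms: -1}` is a bash substring expansion and `stat -c` is the GNU form, so the check presumably needs bash and a GNU userland; the shebang and any OS guard are outside the hunk. The failure message does not name the offending file, and the flag is spelled `WOLRD` here and in the first hunk, which is worth correcting before the name ends up in site configuration.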