I'm currently working on setting up automated pentest reporting. The scripts I set up perform TLS and other security checks to see whether the application is secure in these aspects or not. I currently use the testssl.sh application (which can be found here: https://testssl.sh/) to perform these checks. I then output the findings to a CSV file and created a script that greps the file in question and, based on what is found, mentions that something is wrong or correct. Seeing as I have performed a check and all values were correct, I apply inverted greps so that whenever the value cannot be found in the file, it needs to perform a certain action.
At first I thought the script I was working on was working; however, when testing another site, the output generated is not correct. Things that are missing should be mentioned. However, when I invert grep only one term, without placing OR statements between the large number of things that need to be checked, it seems to work.
I have tried all sorts of grep types to get a constant output, but no luck so far. So far, I have tried the following:
if grep -v -e "NULLciphersnoencryptionnotoffered" -e "AnonymousNULLCiphersnoauthenticationnotoffered" -e "ExportcipherswoADHNULLnotoffered" -e "LOW64BitDESencryptionwoexportnotoffered|" -e "Weak128BitciphersSEEDIDEARC24notoffered" -e "TripleDESCiphersMediumnotoffered" -e "HighencryptionAESCamellianoAEADoffered" -e "StrongencryptionAEADciphersoffered" ./resultaten/tls-cipher-suites-ng.csv; then
echo 'This is wrong' >> ../CH-40-Scans.tex
else
echo 'This is correct.' >> ../CH-40-Scans.tex
fi
What I see is that the above does not show 'This is wrong' but 'This is correct', while the following does trigger:
if ! grep -q -i "ipv6enabled" ./resultaten/tls-vulnerabilities-new-def.csv; then
echo '\item This is wrong.' >> ../CH-40-Scans.tex
fi
I already replaced the -e with the | variant, but I have had no luck so far finding a consistent working method (I also tried things such as egrep). Is there another way to get this working? I don't mind using things such as Java or PHP or whatever to get this working, so if those are needed to create something consistent, that would be fine.
I would gladly hear anything I could try to get a trustworthy working fix.
I don't know what it is you're trying to do but try these:
if awk '/NULLciphersnoencryptionnotoffered/ || \
/AnonymousNULLCiphersnoauthenticationnotoffered/ || \
/StrongencryptionAEADciphersoffered/ { f=1; exit }
END { exit !f }' ./resultaten/tls-cipher-suites-ng.csv; then
echo 'Present'
else
echo 'Absent'
fi
if awk -v RS='^$' '/NULLciphersnoencryptionnotoffered/ && \
/AnonymousNULLCiphersnoauthenticationnotoffered/ && \
/StrongencryptionAEADciphersoffered/ { f=1 }
END { exit !f }' ./resultaten/tls-cipher-suites-ng.csv; then
echo 'Present'
else
echo 'Absent'
fi
The first one will exit success if any of the "strings" are present, the second one will exit success if all of them are present. That second one requires GNU awk for multi-char RS.
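As an added example (not code from the question or the answer above), here is the per-marker variant of the asker's working single-term check, generalised over a list of expected findings: it runs one fixed-string grep per marker and names each one that is absent, which is the "what is missing" report the question is after. The marker strings come from the question; the sample CSV content, the function names and the temporary file handling are constructed for this example.

```shell
#!/bin/sh
# Added example (not the asker's or answerer's code): report every expected
# testssl.sh finding that is missing from a results file, one grep per marker,
# instead of one inverted grep over all markers at once. Marker strings are
# taken from the question; the sample CSV content below is constructed.

# check_markers FILE MARKER... : prints each marker absent from FILE,
# returns 0 when all are present and 1 when at least one is missing.
check_markers() {
    file=$1; shift
    missing=0
    for marker in "$@"; do
        # -F: fixed string, -q: exit status only. grep -v inverts the match
        # per line, so its exit status never answers "are all markers present".
        if ! grep -qF -- "$marker" "$file"; then
            echo "MISSING: $marker"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: what a stripped testssl.sh cipher-suite CSV might contain.
# One expected marker (TripleDESCiphersMediumnotoffered) is deliberately absent.
make_sample() {
    cat > "$1" <<'EOF'
NULLciphersnoencryptionnotoffered
AnonymousNULLCiphersnoauthenticationnotoffered
ExportcipherswoADHNULLnotoffered
LOW64BitDESencryptionwoexportnotoffered
Weak128BitciphersSEEDIDEARC24notoffered
HighencryptionAESCamellianoAEADoffered
StrongencryptionAEADciphersoffered
EOF
}

sample=$(mktemp)
make_sample "$sample"
if check_markers "$sample" \
    "NULLciphersnoencryptionnotoffered" \
    "TripleDESCiphersMediumnotoffered" \
    "StrongencryptionAEADciphersoffered"; then
    echo 'All expected findings present.'
else
    echo 'At least one expected finding is missing.'
fi
rm -f "$sample"
```

The `MISSING:` lines can be redirected into the .tex file in place of the single 'This is wrong' message, so the report says which check failed rather than only that one did.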