/lynis-1.2.9/include/tests_php

#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2009, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Software: PHP
#
#################################################################################
#
    InsertSection "Software: PHP"

    # Possible locations of php.ini
    PHPINILOCS="/etc/php.ini \
		/etc/php/cgi-php5/php.ini /etc/php/cli-php5/php.ini /etc/php/apache2-php5/php.ini \
		/etc/php5/cgi/php.ini /etc/php5/cli/php.ini /etc/php5/apache2/php.ini \
	        /private/etc/php.ini \
	        /var/www/conf/php.ini \
                /usr/local/etc/php.ini /usr/local/lib/php.ini"

    #Display --indent 2 --text "- Checking PHP..." --result FOUND --color WHITE
#
#################################################################################
#
    # Test        : PHP-2211
    # Description : Check php.ini presence
    Register --test-no PHP-2211 --weight L --network NO --description "Check php.ini presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Checking for presence php.ini"
	PHPINIFILE=""
	for I in ${PHPINILOCS}; do
	    if [ -f ${I} ]; then
	        PHPINIFILE=${I}
	        logtext "Found php.ini file (${PHPINIFILE})"
	    fi
	done
	if [ ! "${PHPINIFILE}" = "" ]; then
	    Display --indent 2 --text "- Checking PHP..." --result "FOUND" --color GREEN
	  else
    	    Display --indent 2 --text "- Checking PHP..." --result "NOT FOUND" --color WHITE
	    logtext "Result: no php.ini file found"
	fi
    fi
#
#################################################################################
#
    # Test        : PHP-2320
    # Description : Check php disable functions option
    if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP disabled functions"
    if [ ${SKIPTEST} -eq 0 ]; then
	logtext "Test: Checking for PHP function hardening options"
	FIND1=`grep "^disabled_functions=" ${PHPINIFILE}`
	FIND2=`grep "^suhosin.executor.func.blacklist" ${PHPINIFILE}`
	if [ "${FIND1}" = "" -a "${FIND2}" = "" ]; then
	    logtext "Result: one or more PHP functions are disabled/blacklisted"
	    Display --indent 2 --text "- Checking PHP disabled functions..." --result "FOUND" --color GREEN
	    AddHP 3 3
	  else
	    logtext "Result: all PHP functions can be executed"
	    Display --indent 2 --text "- Checking PHP disabled functions..." --result "NONE" --color YELLOW
	    ReportSuggestion ${TEST_NO} "Harden PHP by disabling riskful functions (functions of interest: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file(), max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit(), shell_exec, show_source(), system)"
	    AddHP 0 1
	fi
    fi
#
#################################################################################
#
    # Test        : PHP-2368
    # Description : Check php register_globals option
    if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Checking register_globals option.."
        FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(off|no|0)' | grep -v '^;'`
        if [ "${FIND}" = "" ]; then
            Display --indent 4 --text "- Checking register_globals option..." --result WARNING --color RED
	    ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
	    ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
	    logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
	    AddHP 1 2
	  else
    	    Display --indent 4 --text "- Checking register_globals option..." --result OK --color GREEN
	    logtext "Result: Found 'register_globals' in disabled state (0, no, or off), which is good."
	    AddHP 2 2
	fi	
    fi
#
#################################################################################
#
    # Test        : PHP-2372
    # Description : Check php expose_php option
    if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Checking expose_php option.."
        FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'`
        if [ "${FIND}" = "" ]; then
            Display --indent 4 --text "- Checking expose_php option..." --result ON --color RED
	    ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
	    ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
	    report "Result: expose_php option is turned on, which can expose useful information for an attacker"
	    AddHP 1 2
	  else
    	    Display --indent 4 --text "- Checking expose_php option..." --result OFF --color GREEN
	    logtext "Result: Found 'expose_php' in disabled state (0, no, or off)"
	    AddHP 2 2
	fi	
    fi
#
#################################################################################
#
    # Test        : PHP-2374
    # Description : Check PHP enable_dl option
    if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Checking PHP enable_dl option.."
        FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'`
        if [ "${FIND}" = "" ]; then
            Display --indent 4 --text "- Checking enable_dl option..." --result ON --color YELLOW
	    report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
	    ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
	    AddHP 0 1
	  else
    	    Display --indent 4 --text "- Checking enable_dl option..." --result OFF --color GREEN
	    logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)"
	    AddHP 2 2
	fi	
    fi
#
#################################################################################
#
    # Test        : PHP-2376
    # Description : Check PHP allow_url_fopen option
    if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Checking PHP allow_url_fopen option.."
        FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'`
        if [ "${FIND}" = "" ]; then
            Display --indent 4 --text "- Checking allow_url_fopen option..." --result ON --color YELLOW
	    report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
	    ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
	    AddHP 0 1
	  else
    	    Display --indent 4 --text "- Checking allow_url_fopen option..." --result OFF --color GREEN
	    logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
	    AddHP 2 2
	fi	
    fi
#
#################################################################################
#
    # Test        : PHP-2378
    # Description : Check PHP allow_url_include option
    if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: Checking PHP allow_url_include option.."
        FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'`
        if [ "${FIND}" = "" ]; then
            Display --indent 4 --text "- Checking allow_url_include option..." --result ON --color YELLOW
	    report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
	    ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
	    AddHP 0 1
	  else
    	    Display --indent 4 --text "- Checking allow_url_include option..." --result OFF --color GREEN
	    logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
	    AddHP 2 2
	fi
    fi
#
#################################################################################
#
# Disable/use functions:
# safe_mode (only for PHP5?)
# open_basedir (limits access to defined directory, comparable with chrooting)
# disable_classes
# session.save_path
# session.referer_check
# upload_tmp_dir
# file_uploads Off, if possible
# Set display_errors to Off
# Set log_errors to On and define error_log (with value Syslog or a filename)
#
#################################################################################
#
    # mod_suexec
    # suPHP (/etc/suphp.conf)
#
#################################################################################
#

    # Test        : PHP-2388
    # Description : Check php version number
#
#################################################################################
#

wait_for_keypress

#
#================================================================================
# Lynis - Copyright 2007-2009, Michael Boelen - www.rootkit.nl - The Netherlands