/lynis-1.2.9/include/tests_php
Shell | 215 lines | 124 code | 6 blank | 85 comment | 37 complexity | 2ffcd465aebe529f8c279513edb690e2 MD5 | raw file
Possible License(s): GPL-3.0
- #!/bin/sh
- #################################################################################
- #
- # Lynis
- # ------------------
- #
- # Copyright 2007-2009, Michael Boelen (michael@rootkit.nl), The Netherlands
- # Web site: http://www.rootkit.nl
- #
- # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
- # welcome to redistribute it under the terms of the GNU General Public License.
- # See LICENSE file for usage of this software.
- #
- #################################################################################
- #
- # Software: PHP
- #
- #################################################################################
- #
- InsertSection "Software: PHP"
- # Possible locations of php.ini
- PHPINILOCS="/etc/php.ini \
- /etc/php/cgi-php5/php.ini /etc/php/cli-php5/php.ini /etc/php/apache2-php5/php.ini \
- /etc/php5/cgi/php.ini /etc/php5/cli/php.ini /etc/php5/apache2/php.ini \
- /private/etc/php.ini \
- /var/www/conf/php.ini \
- /usr/local/etc/php.ini /usr/local/lib/php.ini"
- #Display --indent 2 --text "- Checking PHP..." --result FOUND --color WHITE
- #
- #################################################################################
- #
- # Test : PHP-2211
- # Description : Check php.ini presence
- Register --test-no PHP-2211 --weight L --network NO --description "Check php.ini presence"
- if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for presence php.ini"
- PHPINIFILE=""
- for I in ${PHPINILOCS}; do
- if [ -f ${I} ]; then
- PHPINIFILE=${I}
- logtext "Found php.ini file (${PHPINIFILE})"
- fi
- done
- if [ ! "${PHPINIFILE}" = "" ]; then
- Display --indent 2 --text "- Checking PHP..." --result "FOUND" --color GREEN
- else
- Display --indent 2 --text "- Checking PHP..." --result "NOT FOUND" --color WHITE
- logtext "Result: no php.ini file found"
- fi
- fi
- #
- #################################################################################
- #
- # Test : PHP-2320
- # Description : Check php disable functions option
- if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP disabled functions"
- if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking for PHP function hardening options"
- FIND1=`grep "^disabled_functions=" ${PHPINIFILE}`
- FIND2=`grep "^suhosin.executor.func.blacklist" ${PHPINIFILE}`
- if [ "${FIND1}" = "" -a "${FIND2}" = "" ]; then
- logtext "Result: one or more PHP functions are disabled/blacklisted"
- Display --indent 2 --text "- Checking PHP disabled functions..." --result "FOUND" --color GREEN
- AddHP 3 3
- else
- logtext "Result: all PHP functions can be executed"
- Display --indent 2 --text "- Checking PHP disabled functions..." --result "NONE" --color YELLOW
- ReportSuggestion ${TEST_NO} "Harden PHP by disabling riskful functions (functions of interest: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file(), max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit(), shell_exec, show_source(), system)"
- AddHP 0 1
- fi
- fi
- #
- #################################################################################
- #
- # Test : PHP-2368
- # Description : Check php register_globals option
- if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
- if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking register_globals option.."
- FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(off|no|0)' | grep -v '^;'`
- if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking register_globals option..." --result WARNING --color RED
- ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
- ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
- logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
- AddHP 1 2
- else
- Display --indent 4 --text "- Checking register_globals option..." --result OK --color GREEN
- logtext "Result: Found 'register_globals' in disabled state (0, no, or off), which is good."
- AddHP 2 2
- fi
- fi
- #
- #################################################################################
- #
- # Test : PHP-2372
- # Description : Check php expose_php option
- if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
- if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking expose_php option.."
- FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'`
- if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking expose_php option..." --result ON --color RED
- ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
- ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
- report "Result: expose_php option is turned on, which can expose useful information for an attacker"
- AddHP 1 2
- else
- Display --indent 4 --text "- Checking expose_php option..." --result OFF --color GREEN
- logtext "Result: Found 'expose_php' in disabled state (0, no, or off)"
- AddHP 2 2
- fi
- fi
- #
- #################################################################################
- #
- # Test : PHP-2374
- # Description : Check PHP enable_dl option
- if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
- if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP enable_dl option.."
- FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'`
- if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking enable_dl option..." --result ON --color YELLOW
- report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
- ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
- AddHP 0 1
- else
- Display --indent 4 --text "- Checking enable_dl option..." --result OFF --color GREEN
- logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)"
- AddHP 2 2
- fi
- fi
- #
- #################################################################################
- #
- # Test : PHP-2376
- # Description : Check PHP allow_url_fopen option
- if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
- if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP allow_url_fopen option.."
- FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'`
- if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking allow_url_fopen option..." --result ON --color YELLOW
- report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
- ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
- AddHP 0 1
- else
- Display --indent 4 --text "- Checking allow_url_fopen option..." --result OFF --color GREEN
- logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
- AddHP 2 2
- fi
- fi
- #
- #################################################################################
- #
- # Test : PHP-2378
- # Description : Check PHP allow_url_include option
- if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
- if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking PHP allow_url_include option.."
- FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'`
- if [ "${FIND}" = "" ]; then
- Display --indent 4 --text "- Checking allow_url_include option..." --result ON --color YELLOW
- report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
- ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
- AddHP 0 1
- else
- Display --indent 4 --text "- Checking allow_url_include option..." --result OFF --color GREEN
- logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
- AddHP 2 2
- fi
- fi
- #
- #################################################################################
- #
- # Disable/use functions:
- # safe_mode (only for PHP5?)
- # open_basedir (limits access to defined directory, comparable with chrooting)
- # disable_classes
- # session.save_path
- # session.referer_check
- # upload_tmp_dir
- # file_uploads Off, if possible
- # Set display_errors to Off
- # Set log_errors to On and define error_log (with value Syslog or a filename)
- #
- #################################################################################
- #
- # mod_suexec
- # suPHP (/etc/suphp.conf)
- #
- #################################################################################
- #
- # Test : PHP-2388
- # Description : Check php version number
- #
- #################################################################################
- #
- wait_for_keypress
- #
- #================================================================================
- # Lynis - Copyright 2007-2009, Michael Boelen - www.rootkit.nl - The Netherlands