2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
2017-02-09 13:35:40 +01:00
# Copyright 2007-2017, CISOfy
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Software: PHP
#
#################################################################################
#
2014-12-09 18:11:38 +01:00
InsertSection "PHP"
2014-08-26 17:33:55 +02:00
# Possible locations of php.ini
2017-04-23 20:06:54 +02:00
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
${ROOTDIR}etc/php/php.ini ${ROOTDIR}etc/php5.5/php.ini ${ROOTDIR}etc/php5.6/php.ini ${ROOTDIR}etc/php7.0/php.ini ${ROOTDIR}etc/php7.1/php.ini ${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini ${ROOTDIR}etc/php/cli-php5/php.ini ${ROOTDIR}etc/php/apache2-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini ${ROOTDIR}etc/php/apache2-php5.6/php.ini ${ROOTDIR}etc/php/apache2-php7.0/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini \
2017-05-23 14:56:25 +02:00
${ROOTDIR}etc/php/cgi-php7.1/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini ${ROOTDIR}etc/php/cgi-php5.5/php.ini ${ROOTDIR}etc/php/cgi-php5.6/php.ini ${ROOTDIR}etc/php/cgi-php7.0/php.ini \
2017-04-23 20:06:54 +02:00
${ROOTDIR}etc/php/cli-php7.1/php.ini ${ROOTDIR}etc/php/cli-php5.5/php.ini ${ROOTDIR}etc/php/cli-php5.6/php.ini ${ROOTDIR}etc/php/cli-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini ${ROOTDIR}etc/php/embed-php5.5/php.ini ${ROOTDIR}etc/php/embed-php5.6/php.ini ${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini ${ROOTDIR}etc/php/fpm-php5.5/php.ini ${ROOTDIR}etc/php/fpm-php5.6/php.ini ${ROOTDIR}etc/php/fpm-php7.0/php.ini \
${ROOTDIR}etc/php5/cgi/php.ini \
${ROOTDIR}etc/php5/cli/php.ini \
${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
${ROOTDIR}etc/php5/apache2/php.ini \
${ROOTDIR}etc/php5/fpm/php.ini \
${ROOTDIR}private/etc/php.ini \
2017-08-16 20:32:55 +02:00
${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \
2017-04-23 20:06:54 +02:00
${ROOTDIR}var/www/conf/php.ini \
${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \
2017-10-24 13:16:59 +02:00
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
${ROOTDIR}usr/local/php54/lib/php.ini \
${ROOTDIR}usr/local/php56/lib/php.ini \
${ROOTDIR}usr/local/php70/lib/php.ini \
${ROOTDIR}usr/local/php71/lib/php.ini \
2017-04-23 20:06:54 +02:00
${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
2017-06-14 14:07:37 +02:00
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/alt/php44/etc/php.ini \
${ROOTDIR}opt/alt/php51/etc/php.ini \
${ROOTDIR}opt/alt/php52/etc/php.ini \
${ROOTDIR}opt/alt/php53/etc/php.ini \
${ROOTDIR}opt/alt/php54/etc/php.ini \
${ROOTDIR}opt/alt/php55/etc/php.ini \
${ROOTDIR}opt/alt/php56/etc/php.ini \
${ROOTDIR}opt/alt/php70/etc/php.ini \
${ROOTDIR}opt/alt/php71/etc/php.ini"
2014-08-26 17:33:55 +02:00
2017-04-23 20:06:54 +02:00
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
2018-01-11 09:47:47 +01:00
${ROOTDIR}etc/php/7.0/cli/conf.d \
${ROOTDIR}etc/php/7.1/cli/conf.d \
${ROOTDIR}etc/php/7.2/cli/conf.d \
${ROOTDIR}etc/php/7.0/fpm/conf.d \
${ROOTDIR}etc/php/7.1/fpm/conf.d \
${ROOTDIR}etc/php/7.2/fpm/conf.d \
2017-04-23 20:06:54 +02:00
${ROOTDIR}etc/php.d \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
2017-06-14 14:07:37 +02:00
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
${ROOTDIR}opt/alt/php44/etc/php.d.all \
${ROOTDIR}opt/alt/php51/etc/php.d.all \
${ROOTDIR}opt/alt/php52/etc/php.d.all \
${ROOTDIR}opt/alt/php53/etc/php.d.all \
${ROOTDIR}opt/alt/php54/etc/php.d.all \
${ROOTDIR}opt/alt/php55/etc/php.d.all \
${ROOTDIR}opt/alt/php56/etc/php.d.all \
${ROOTDIR}opt/alt/php70/etc/php.d.all \
${ROOTDIR}opt/alt/php71/etc/php.d.all"
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Test : PHP-2211
# Description : Check php.ini presence
2016-07-24 17:22:00 +02:00
Register --test-no PHP-2211 --weight L --network NO --category security --description "Check php.ini presence"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking for presence php.ini"
2014-08-26 17:33:55 +02:00
PHPINIFILE=""
PHPINI_ALLFILES=""
2016-07-30 16:03:35 +02:00
for FILE in ${PHPINILOCS}; do
LogText "Test: checking presence ${FILE}"
if [ -f ${FILE} ]; then
PHPINIFILE="${FILE}"
2015-12-21 21:17:15 +01:00
LogText "Result: Found php.ini file (${PHPINIFILE})"
LogText "Note: Adding file to php.ini array"
2014-08-26 17:33:55 +02:00
PHPINI_ALLFILES="${PHPINI_ALLFILES} ${PHPINIFILE}"
2016-07-30 16:03:35 +02:00
else
LogText "Result: file ${FILE} not found"
2014-08-26 17:33:55 +02:00
fi
done
# Check all known locations
2016-07-30 16:03:35 +02:00
for DIR in ${PHPINIDIRS}; do
FIND=$(ls ${DIR}/*.ini 2> /dev/null)
if [ -z "${FIND}" ]; then
LogText "Result: no files found for ${DIR}"
else
LogText "Result: found files in location ${DIR}, checking"
for FILE in ${FIND}; do
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists, adding to php.ini array"
PHPINI_ALLFILES="${PHPINI_ALLFILES} ${FILE}"
fi
2014-08-26 17:33:55 +02:00
done
fi
done
2016-07-30 16:03:35 +02:00
if [ ! -z "${PHPINIFILE}" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
2016-07-30 16:03:35 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking PHP" --result "${STATUS_NOT_FOUND}" --color WHITE
2015-12-21 21:17:15 +01:00
LogText "Result: no php.ini file found"
2014-08-26 17:33:55 +02:00
fi
2016-07-30 16:03:35 +02:00
unset DIR; unset FILE; unset FIND
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : PHP-2320
# Description : Check php disable functions option
2016-09-10 16:12:44 +02:00
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PHPINI_ALLFILES}; do
2015-12-21 21:17:15 +01:00
LogText "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
2016-09-10 16:12:44 +02:00
FIND=$(${GREPBINARY} "^disable_functions.*=" ${I})
if [ -z "${FIND}" ]; then
LogText "Result: ${I}: disabled_functions not found"
2014-08-26 17:33:55 +02:00
else
2016-09-10 16:12:44 +02:00
LogText "Result: ${I}: found disabled_functions"
FOUND=1
2014-08-26 17:33:55 +02:00
fi
2016-09-10 16:12:44 +02:00
FIND=$(${GREPBINARY} "^suhosin.executor.func.blacklist=" ${I})
if [ -z "${FIND}" ]; then
LogText "Result: ${I}: suhosin.executor.func.blacklist not found"
2014-08-26 17:33:55 +02:00
else
2016-09-10 16:12:44 +02:00
LogText "Result: ${I}: found suhosin.executor.func.blacklist"
FOUND=1
2014-08-26 17:33:55 +02:00
fi
done
if [ ${FOUND} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: all PHP functions can be executed"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
2015-12-21 21:17:15 +01:00
LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
2014-08-26 17:33:55 +02:00
AddHP 0 1
2016-09-10 16:12:44 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: one or more PHP functions are disabled/blacklisted"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_FOUND}" --color GREEN
2014-08-26 17:33:55 +02:00
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : PHP-2368
# Description : Check php register_globals option
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
2016-09-10 16:12:44 +02:00
if [ ! -z "${PHPINIFILE}" -a ! -z "${PHPVERSION}" -a ! -z "${EGREPBINARY}" ]; then
2015-02-15 23:50:28 +01:00
if [ -f "${PHPINIFILE}" ]; then
2016-09-10 16:12:44 +02:00
FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
2017-04-23 20:06:54 +02:00
if [ -z "${FIND}" ]; then
2015-02-15 23:50:28 +01:00
PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
2016-09-10 16:12:44 +02:00
else
2017-04-23 20:06:54 +02:00
PREQS_MET="YES"; Debug "Found PHP version 4 or up to 5.3 (${FIND}) which we are going to scan"
2015-02-15 23:50:28 +01:00
fi
2016-09-10 16:12:44 +02:00
else
2015-02-15 23:50:28 +01:00
Debug "File php.ini (${PHPINIFILE}) not found"
2014-08-26 17:33:55 +02:00
fi
2015-02-15 23:50:28 +01:00
else
2016-09-10 16:12:44 +02:00
PREQS_MET="NO"
Debug "Skipping test: php.ini not found, or PHP version empty"
Debug "php.ini: ${PHPINIFILE}"
Debug "version: ${PHPVERSION}"
2014-08-26 17:33:55 +02:00
fi
2016-07-24 17:22:00 +02:00
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking PHP register_globals option"
2016-09-10 16:12:44 +02:00
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
2017-04-23 20:06:54 +02:00
if [ ! -z "${FIND}" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
2016-08-10 07:13:33 +02:00
ReportWarning ${TEST_NO} "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
2015-12-21 21:17:15 +01:00
LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
2014-08-26 17:33:55 +02:00
AddHP 1 2
2016-09-10 16:12:44 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
2014-08-26 17:33:55 +02:00
ReportManual ${TEST_NO}:01
AddHP 2 2
fi
fi
#
#################################################################################
#
# Test : PHP-2372
# Description : Check php expose_php option
# Notes : Extend test to check all PHP files YYY
2017-04-23 20:06:54 +02:00
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking expose_php option"
2016-09-10 16:12:44 +02:00
FIND=$(${EGREPBINARY} -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
2016-08-10 07:13:33 +02:00
ReportWarning ${TEST_NO} "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
2015-12-21 21:17:15 +01:00
Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
2014-08-26 17:33:55 +02:00
AddHP 1 2
2016-09-10 16:12:44 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_OFF}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Found 'expose_php' in disabled state (0, no, or off)"
2014-08-26 17:33:55 +02:00
AddHP 2 2
fi
2016-09-10 16:12:44 +02:00
# TODO Check through all files
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : PHP-2374
# Description : Check PHP enable_dl option
2016-07-22 15:46:25 +02:00
# Notes : Extend test to check all PHP files
2017-04-23 20:06:54 +02:00
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking PHP enable_dl option"
2016-08-25 15:31:33 +02:00
FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
2016-07-22 15:46:25 +02:00
if [ ! -z "${FIND}" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
2016-07-22 15:46:25 +02:00
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
2014-08-26 17:33:55 +02:00
AddHP 0 1
2016-09-10 16:12:44 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
2016-07-22 15:46:25 +02:00
LogText "Result: Found 'enable_dl' in disabled state (not present, 0, no, or off)"
2014-08-26 17:33:55 +02:00
AddHP 2 2
fi
fi
#
#################################################################################
#
# Test : PHP-2376
# Description : Check PHP allow_url_fopen option
# Notes : Extend test to check all PHP files YYY
2017-04-23 20:06:54 +02:00
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking PHP allow_url_fopen option"
2016-09-10 16:12:44 +02:00
FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
2016-07-16 16:28:43 +02:00
LogText "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1
2016-09-10 16:12:44 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
2014-08-26 17:33:55 +02:00
AddHP 2 2
fi
2016-09-10 16:12:44 +02:00
# TODO Check through all files
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : PHP-2378
# Description : Check PHP allow_url_include option
# Notes : Extend test to check all PHP files YYY
2016-09-10 16:12:44 +02:00
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Checking PHP allow_url_include option"
2016-09-10 16:12:44 +02:00
FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
2015-12-21 21:17:15 +01:00
Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1
2016-09-10 16:12:44 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
2014-08-26 17:33:55 +02:00
AddHP 2 2
fi
fi
#
#################################################################################
2017-06-14 14:06:51 +02:00
#
# Test : PHP-2379
# Description : Check PHP suhosin extension status
2017-07-10 14:38:42 +02:00
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2017-06-14 14:06:51 +02:00
Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status"
2018-01-11 09:47:47 +01:00
2017-06-14 14:06:51 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
2017-07-10 14:38:42 +02:00
SIMULATION=0
2018-01-11 09:47:47 +01:00
MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7")
2017-07-28 10:14:04 +02:00
if [ "${OS}" = "OpenBSD" ]; then
FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP
SIMULATION=off
else
for I in ${PHPINI_ALLFILES}; do
LogText "Test: Checking for PHP suhosin extension status in file ${I}"
2018-01-11 09:47:47 +01:00
FIND=$(${GREPBINARY} -oP '^extension=.*?suhosin7?.so.*$' ${I})
2017-07-28 10:14:04 +02:00
if [ -z "${FIND}" ]; then
LogText "Result: ${I}: suhosin is not enabled"
else
LogText "Result: ${I}: suhosin is enabled"
FOUND=1
fi
2017-07-10 14:38:42 +02:00
2017-07-28 10:14:04 +02:00
LogText "Test: Check Suhosin simulation mode status"
SIMULATION=$(${GREPBINARY} -oP '^suhosin.simulation.*$' ${I} | ${CUTBINARY} -d= -f2 | ${GREPBINARY} -io 'off' | ${TRBINARY} '[:upper:]' '[:lower:]')
if [ "${SIMULATION}" = "off" ]; then
LogText "Result: ${I}: suhosin simulation mode is not active"
else
LogText "Result: ${I}: suhosin simulation mode is active"
fi
done
fi
2017-06-14 14:06:51 +02:00
2018-01-11 09:47:47 +01:00
# Check Suhosin for PHP 7
if [ ! -z ${MAJOR_VERSION} -a ${FOUND} -eq 1 ]; then
LogText "Test: Check Suhosin for PHP 7 is not enabled"
LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production"
ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7"
2017-07-10 14:38:42 +02:00
Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
2018-01-11 09:47:47 +01:00
Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED
2017-06-14 14:06:51 +02:00
AddHP 0 1
2018-01-11 09:47:47 +01:00
elif [ ! -z ${MAJOR_VERSION} -a ${FOUND} -eq 0 ]; then
LogText "Test: Check Suhosin for PHP 7 is not enabled"
LogText "Result: Suhosin for PHP 7 is not enabled"
2017-07-10 14:38:42 +02:00
Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN
2018-01-11 09:47:47 +01:00
Display --indent 6 --text "- Suhosin is not enabled for PHP 7" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
2017-07-10 14:38:42 +02:00
else
2018-01-11 09:47:47 +01:00
if [ ${FOUND} -eq 0 ]; then
LogText "Result: Suhosin extension is not enabled"
Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Harden PHP by enabling suhosin extension"
LogText "suhosin extension is not enabled"
AddHP 0 1
else
LogText "Result: Suhosin extension is enabled"
Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
fi
if [ "${SIMULATION}" = "off" ]; then
LogText "Result: Suhosin simulation mode is not active"
Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: Suhosin simulation mode is active"
Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Harden PHP by deactivating suhosin simulation mode"
LogText "suhosin simulation mode is active"
AddHP 0 1
fi
2017-07-10 14:38:42 +02:00
fi
2017-06-14 14:06:51 +02:00
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-03-13 16:03:46 +01:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
