Added new test PHP-2382

2020-04-02 19:46:58 +02:00 · 2020-04-02 19:46:58 +02:00 · 38a5c2cb79
parent 64033da973
commit 38a5c2cb79
3 changed files with 38 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -62,6 +62,7 @@ Using the relevant options, the scan will change base on the intended goal.
 - New test: INSE-8316 - test for NIS server
 - New test: NETW-2706 - check DNSSEC (systemd)
 - New test: NETW-3200 - determine enabled network protocols
+- New test: PHP-2382 - detect listen option in PHP (FPM)
 - New test: PROC-3802 - check presence of prelink tooling
 - New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD
 - New test: TIME-3181 - check status of OpenNTPD time synchronisation
--- a/db/tests.db
+++ b/db/tests.db
@ -311,6 +311,7 @@ PHP-2374:test:security:php::Check PHP enable_dl option:
 PHP-2376:test:security:php::Check PHP allow_url_fopen option:
 PHP-2378:test:security:php::Check PHP allow_url_include option:
 PHP-2379:test:security:php::Check PHP suhosin extension status:
+PHP-2382:test:security:php::Check PHP listen option:
 PKGS-7301:test:security:ports_packages::Query NetBSD pkg:
 PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info:
 PKGS-7303:test:security:ports_packages::Query brew package manager:
--- a/include/tests_php
+++ b/include/tests_php
@ -463,6 +463,42 @@
    #fi
 #
 #################################################################################
+#
+    # Test        : PHP-2382
+    # Description : Check listen option
+    # Background  : https://github.com/CISOfy/lynis/issues/837
+    if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no PHP-2382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        for FILE in ${PHPINI_ALLFILES}; do
+            # Don't look at this setting in cli configuration
+            case "${FILE}" in
+                */cli/*)
+                    continue
+                    ;;
+            esac
+            LogText "Test: Checking file ${FILE}"
+            FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE})
+            if HasData "${FIND}"; then
+                LogText "Result: found listen on just a port number"
+                LogText "Data: ${FIND}"
+                LogText "Note: when possible, limit access to just localhost, so it can't be accessed from outside"
+                FOUND=1
+            fi
+        done
+
+        if [ ${FOUND} -eq 1 ]; then
+            Display --indent 4 --text "- Checking listen option" --result "${STATUS_SUGGESTION}" --color YELLOW
+            #ReportSuggestion "${TEST_NO}" "Limit the listening of FastCGI to just localhost or a local socket" "listen = 127.0.0.1:9000" "-"
+            AddHP 1 3
+        else
+            Display --indent 4 --text "- Checking listen option" --result "${STATUS_OK}" --color GREEN
+            AddHP 2 2
+        fi
+    fi
+#
+#################################################################################
 #

 WaitForKeyPress