tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-28 00:04:16 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added new test PHP-2382

Browse Source
This commit is contained in:
Michael Boelen 2020-04-02 19:46:58 +02:00
parent 64033da973
commit 38a5c2cb79
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
3 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -62,6 +62,7 @@ Using the relevant options, the scan will change base on the intended goal.
- New test: INSE-8316 - test for NIS server - New test: INSE-8316 - test for NIS server
- New test: NETW-2706 - check DNSSEC (systemd) - New test: NETW-2706 - check DNSSEC (systemd)
- New test: NETW-3200 - determine enabled network protocols - New test: NETW-3200 - determine enabled network protocols
- New test: PHP-2382 - detect listen option in PHP (FPM)
- New test: PROC-3802 - check presence of prelink tooling - New test: PROC-3802 - check presence of prelink tooling
- New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD - New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD
- New test: TIME-3181 - check status of OpenNTPD time synchronisation - New test: TIME-3181 - check status of OpenNTPD time synchronisation

1
db/tests.db
View File

@ -311,6 +311,7 @@ PHP-2374:test:security:php::Check PHP enable_dl option:
PHP-2376:test:security:php::Check PHP allow_url_fopen option: PHP-2376:test:security:php::Check PHP allow_url_fopen option:
PHP-2378:test:security:php::Check PHP allow_url_include option: PHP-2378:test:security:php::Check PHP allow_url_include option:
PHP-2379:test:security:php::Check PHP suhosin extension status: PHP-2379:test:security:php::Check PHP suhosin extension status:
PHP-2382:test:security:php::Check PHP listen option:
PKGS-7301:test:security:ports_packages::Query NetBSD pkg: PKGS-7301:test:security:ports_packages::Query NetBSD pkg:
PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info: PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info:
PKGS-7303:test:security:ports_packages::Query brew package manager: PKGS-7303:test:security:ports_packages::Query brew package manager:

36
include/tests_php
View File

@ -463,6 +463,42 @@
#fi #fi
# #
################################################################################# #################################################################################
#
# Test : PHP-2382
# Description : Check listen option
# Background : https://github.com/CISOfy/lynis/issues/837
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for FILE in ${PHPINI_ALLFILES}; do
# Don't look at this setting in cli configuration
case "${FILE}" in
*/cli/*)
continue
;;
esac
LogText "Test: Checking file ${FILE}"
FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE})
if HasData "${FIND}"; then
LogText "Result: found listen on just a port number"
LogText "Data: ${FIND}"
LogText "Note: when possible, limit access to just localhost, so it can't be accessed from outside"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking listen option" --result "${STATUS_SUGGESTION}" --color YELLOW
#ReportSuggestion "${TEST_NO}" "Limit the listening of FastCGI to just localhost or a local socket" "listen = 127.0.0.1:9000" "-"
AddHP 1 3
else
Display --indent 4 --text "- Checking listen option" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
fi
fi
#
#################################################################################
# #
WaitForKeyPress WaitForKeyPress