tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[PHP-2372] test all PHP files for expose_php and improved logging

This commit is contained in:
Michael Boelen 2018-08-23 12:23:48 +02:00
parent afaae50989
commit 4df28ca659
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 18 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
include/tests_php
View File

@ -223,25 +223,33 @@
################################################################################# #################################################################################
# #
# Test : PHP-2372 # Test : PHP-2372
# Description : Check php expose_php option # Description : Check PHP expose_php option
# Notes : Extend test to check all PHP files YYY # Background : When this option is turned on, PHP will show its version number in the HTTP headers
if [ ! -z "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi # Notes : TODO - Extend test to check all PHP files
if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option" Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking expose_php option" FOUND=0
FIND=$(${EGREPBINARY} -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') for FILE in ${PHPINI_ALLFILES}; do
if [ -z "${FIND}" ]; then LogText "Test: Checking file ${FILE}"
FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
if HasData "${FIND}"; then
LogText "Result: found a a possible match on expose_php setting"
LogText "Data: ${FIND}"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
ReportWarning ${TEST_NO} "PHP option expose_php is possibly turned on, which can reveal useful information for attackers." ReportSuggestion ${TEST_NO} "Turn off PHP information exposure" "expose_php = Off" "-"
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
Report "Result: expose_php option is turned on, which can expose useful information for an attacker" Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 2 AddHP 1 3
else else
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_OFF}" --color GREEN Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_OFF}" --color GREEN
LogText "Result: Found 'expose_php' in disabled state (0, no, or off)" LogText "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
# TODO Check through all files
fi fi
# #
################################################################################# #################################################################################