mirror of https://github.com/CISOfy/lynis.git
579 lines
29 KiB
Bash
579 lines
29 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2021, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Software: PHP
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Variables
|
|
PHPVERSION=""
|
|
|
|
InsertSection "PHP"
|
|
|
|
# Possible locations of php.ini
|
|
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
|
|
${ROOTDIR}etc/php/php.ini \
|
|
${ROOTDIR}etc/php7.0/php.ini \
|
|
${ROOTDIR}etc/php7.1/php.ini \
|
|
${ROOTDIR}etc/php7.2/php.ini \
|
|
${ROOTDIR}etc/php7.3/php.ini \
|
|
${ROOTDIR}etc/php7.4/php.ini \
|
|
${ROOTDIR}etc/php8.0/php.ini \
|
|
${ROOTDIR}etc/php8.1/php.ini \
|
|
${ROOTDIR}etc/php8.2/php.ini \
|
|
${ROOTDIR}etc/php8.3/php.ini \
|
|
${ROOTDIR}etc/php8.4/php.ini \
|
|
${ROOTDIR}etc/php/apache2-php7.0/php.ini \
|
|
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
|
|
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
|
|
${ROOTDIR}etc/php/apache2-php7.3/php.ini \
|
|
${ROOTDIR}etc/php/apache2-php7.4/php.ini \
|
|
${ROOTDIR}etc/php/apache2-php8.0/php.ini \
|
|
${ROOTDIR}etc/php/apache2-php8.1/php.ini \
|
|
${ROOTDIR}etc/php/apache2-php8.2/php.ini \
|
|
${ROOTDIR}etc/php/apache2-php8.3/php.ini \
|
|
${ROOTDIR}etc/php/apache2-php8.4/php.ini \
|
|
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
|
|
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
|
|
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
|
|
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
|
|
${ROOTDIR}etc/php/cgi-php7.4/php.ini \
|
|
${ROOTDIR}etc/php/cli-php5.5/php.ini \
|
|
${ROOTDIR}etc/php/cli-php5.6/php.ini \
|
|
${ROOTDIR}etc/php/cli-php7.0/php.ini \
|
|
${ROOTDIR}etc/php/cli-php7.1/php.ini \
|
|
${ROOTDIR}etc/php/cli-php7.2/php.ini \
|
|
${ROOTDIR}etc/php/cli-php7.3/php.ini \
|
|
${ROOTDIR}etc/php/cli-php7.4/php.ini \
|
|
${ROOTDIR}etc/php/cli-php8.0/php.ini \
|
|
${ROOTDIR}etc/php/cli-php8.1/php.ini \
|
|
${ROOTDIR}etc/php/cli-php8.2/php.ini \
|
|
${ROOTDIR}etc/php/cli-php8.3/php.ini \
|
|
${ROOTDIR}etc/php/cli-php8.4/php.ini \
|
|
${ROOTDIR}etc/php/embed-php7.0/php.ini \
|
|
${ROOTDIR}etc/php/embed-php7.1/php.ini \
|
|
${ROOTDIR}etc/php/embed-php7.2/php.ini \
|
|
${ROOTDIR}etc/php/embed-php7.3/php.ini \
|
|
${ROOTDIR}etc/php/embed-php7.4/php.ini \
|
|
${ROOTDIR}etc/php/embed-php8.0/php.ini \
|
|
${ROOTDIR}etc/php/embed-php8.1/php.ini \
|
|
${ROOTDIR}etc/php/embed-php8.2/php.ini \
|
|
${ROOTDIR}etc/php/embed-php8.3/php.ini \
|
|
${ROOTDIR}etc/php/embed-php8.4/php.ini \
|
|
${ROOTDIR}etc/php/fpm-php7.0/php.ini \
|
|
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
|
|
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
|
|
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
|
|
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
|
|
${ROOTDIR}etc/php/fpm-php8.0/php.ini \
|
|
${ROOTDIR}etc/php/fpm-php8.1/php.ini \
|
|
${ROOTDIR}etc/php/fpm-php8.2/php.ini \
|
|
${ROOTDIR}etc/php/7.0/apache2/php.ini \
|
|
${ROOTDIR}etc/php/7.1/apache2/php.ini \
|
|
${ROOTDIR}etc/php/7.2/apache2/php.ini \
|
|
${ROOTDIR}etc/php/7.3/apache2/php.ini \
|
|
${ROOTDIR}etc/php/7.4/apache2/php.ini \
|
|
${ROOTDIR}etc/php/8.0/apache2/php.ini \
|
|
${ROOTDIR}etc/php/8.1/apache2/php.ini \
|
|
${ROOTDIR}etc/php/8.2/apache2/php.ini \
|
|
${ROOTDIR}etc/php/8.3/apache2/php.ini \
|
|
${ROOTDIR}etc/php/8.4/apache2/php.ini \
|
|
${ROOTDIR}etc/php/7.0/cli/php.ini \
|
|
${ROOTDIR}etc/php/7.0/fpm/php.ini \
|
|
${ROOTDIR}etc/php/7.1/cli/php.ini \
|
|
${ROOTDIR}etc/php/7.1/fpm/php.ini \
|
|
${ROOTDIR}etc/php/7.2/cli/php.ini \
|
|
${ROOTDIR}etc/php/7.2/fpm/php.ini \
|
|
${ROOTDIR}etc/php/7.3/cli/php.ini \
|
|
${ROOTDIR}etc/php/7.3/fpm/php.ini \
|
|
${ROOTDIR}etc/php/7.4/cli/php.ini \
|
|
${ROOTDIR}etc/php/7.4/fpm/php.ini \
|
|
${ROOTDIR}etc/php/8.0/cli/php.ini \
|
|
${ROOTDIR}etc/php/8.0/fpm/php.ini \
|
|
${ROOTDIR}etc/php/8.1/cli/php.ini \
|
|
${ROOTDIR}etc/php/8.1/fpm/php.ini \
|
|
${ROOTDIR}etc/php/8.2/cli/php.ini \
|
|
${ROOTDIR}etc/php/8.2/fpm/php.ini \
|
|
${ROOTDIR}etc/php/8.3/cli/php.ini \
|
|
${ROOTDIR}etc/php/8.3/fpm/php.ini \
|
|
${ROOTDIR}etc/php/8.4/cli/php.ini \
|
|
${ROOTDIR}etc/php/8.4/fpm/php.ini \
|
|
${ROOTDIR}opt/alt/php70/etc/php.ini \
|
|
${ROOTDIR}opt/alt/php71/etc/php.ini \
|
|
${ROOTDIR}opt/alt/php72/etc/php.ini \
|
|
${ROOTDIR}opt/alt/php73/etc/php.ini \
|
|
${ROOTDIR}opt/alt/php74/etc/php.ini \
|
|
${ROOTDIR}opt/alt/php80/etc/php.ini \
|
|
${ROOTDIR}opt/alt/php81/etc/php.ini \
|
|
${ROOTDIR}opt/alt/php82/etc/php.ini \
|
|
${ROOTDIR}opt/alt/php83/etc/php.ini \
|
|
${ROOTDIR}opt/alt/php84/etc/php.ini \
|
|
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
|
|
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
|
|
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
|
|
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
|
|
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
|
|
${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \
|
|
${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \
|
|
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \
|
|
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.ini \
|
|
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.ini \
|
|
${ROOTDIR}private/etc/php.ini \
|
|
${ROOTDIR}var/www/conf/php.ini \
|
|
${ROOTDIR}usr/local/etc/php.ini \
|
|
${ROOTDIR}usr/local/lib/php.ini \
|
|
${ROOTDIR}usr/local/php70/lib/php.ini \
|
|
${ROOTDIR}usr/local/php71/lib/php.ini \
|
|
${ROOTDIR}usr/local/php72/lib/php.ini \
|
|
${ROOTDIR}usr/local/php73/lib/php.ini \
|
|
${ROOTDIR}usr/local/php74/lib/php.ini \
|
|
${ROOTDIR}usr/local/php80/lib/php.ini \
|
|
${ROOTDIR}usr/local/php81/lib/php.ini \
|
|
${ROOTDIR}usr/local/php82/lib/php.ini \
|
|
${ROOTDIR}usr/local/php83/lib/php.ini \
|
|
${ROOTDIR}usr/local/php84/lib/php.ini \
|
|
${ROOTDIR}usr/local/zend/etc/php.ini \
|
|
${ROOTDIR}usr/pkg/etc/php.ini \
|
|
${ROOTDIR}etc/opt/remi/php56/php.ini \
|
|
${ROOTDIR}etc/opt/remi/php70/php.ini \
|
|
${ROOTDIR}etc/opt/remi/php71/php.ini \
|
|
${ROOTDIR}etc/opt/remi/php72/php.ini \
|
|
${ROOTDIR}etc/opt/remi/php73/php.ini \
|
|
${ROOTDIR}etc/opt/remi/php74/php.ini \
|
|
${ROOTDIR}etc/opt/remi/php80/php.ini \
|
|
${ROOTDIR}etc/opt/remi/php81/php.ini \
|
|
${ROOTDIR}etc/opt/remi/php82/php.ini\
|
|
${ROOTDIR}etc/opt/remi/php83/php.ini \
|
|
${ROOTDIR}etc/opt/remi/php84/php.ini"
|
|
|
|
PHPINIDIRS="${ROOTDIR}etc/php/7.0/cli/conf.d \
|
|
${ROOTDIR}etc/php/7.1/cli/conf.d \
|
|
${ROOTDIR}etc/php/7.2/cli/conf.d \
|
|
${ROOTDIR}etc/php/7.3/cli/conf.d \
|
|
${ROOTDIR}etc/php/7.4/cli/conf.d \
|
|
${ROOTDIR}etc/php/7.0/fpm/conf.d \
|
|
${ROOTDIR}etc/php/7.1/fpm/conf.d \
|
|
${ROOTDIR}etc/php/7.2/fpm/conf.d \
|
|
${ROOTDIR}etc/php/7.3/fpm/conf.d \
|
|
${ROOTDIR}etc/php/7.4/fpm/conf.d \
|
|
${ROOTDIR}etc/php/8.0/fpm/conf.d \
|
|
${ROOTDIR}etc/php/8.1/fpm/conf.d \
|
|
${ROOTDIR}etc/php/8.2/fpm/conf.d \
|
|
${ROOTDIR}etc/php/8.3/fpm/conf.d \
|
|
${ROOTDIR}etc/php/8.4/fpm/conf.d \
|
|
${ROOTDIR}etc/php.d \
|
|
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
|
|
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
|
|
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
|
|
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
|
|
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
|
|
${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.d \
|
|
${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.d \
|
|
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \
|
|
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.d \
|
|
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.d \
|
|
${ROOTDIR}opt/alt/php70/etc/php.d.all \
|
|
${ROOTDIR}opt/alt/php71/etc/php.d.all \
|
|
${ROOTDIR}opt/alt/php72/etc/php.d.all \
|
|
${ROOTDIR}opt/alt/php73/etc/php.d.all \
|
|
${ROOTDIR}opt/alt/php74/etc/php.d.all \
|
|
${ROOTDIR}opt/alt/php80/etc/php.d.all \
|
|
${ROOTDIR}opt/alt/php81/etc/php.d.all \
|
|
${ROOTDIR}opt/alt/php82/etc/php.d.all \
|
|
${ROOTDIR}opt/alt/php83/etc/php.d.all \
|
|
${ROOTDIR}opt/alt/php84/etc/php.d.all \
|
|
${ROOTDIR}usr/local/lib/php.conf.d \
|
|
${ROOTDIR}usr/local/php70/lib/php.conf.d \
|
|
${ROOTDIR}usr/local/php71/lib/php.conf.d \
|
|
${ROOTDIR}usr/local/php72/lib/php.conf.d \
|
|
${ROOTDIR}usr/local/php73/lib/php.conf.d \
|
|
${ROOTDIR}usr/local/php74/lib/php.conf.d \
|
|
${ROOTDIR}usr/local/php80/lib/php.conf.d \
|
|
${ROOTDIR}usr/local/php81/lib/php.conf.d \
|
|
${ROOTDIR}usr/local/php82/lib/php.conf.d \
|
|
${ROOTDIR}usr/local/php83/lib/php.conf.d \
|
|
${ROOTDIR}usr/local/php84/lib/php.conf.d"
|
|
|
|
PHPINIDIRS="${PHPINIDIRS} \
|
|
${ROOTDIR}etc/php-7.0 \
|
|
${ROOTDIR}etc/php-7.1 \
|
|
${ROOTDIR}etc/php-7.2 \
|
|
${ROOTDIR}etc/php-7.3 \
|
|
${ROOTDIR}etc/php-7.4 \
|
|
${ROOTDIR}etc/php-8.0 \
|
|
${ROOTDIR}etc/php-8.1 \
|
|
${ROOTDIR}etc/php-8.2 \
|
|
${ROOTDIR}etc/php-8.3 \
|
|
${ROOTDIR}etc/php-8.4"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : PHP-2211
|
|
# Description : Check php.ini presence
|
|
Register --test-no PHP-2211 --weight L --network NO --category security --description "Check php.ini presence"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking for presence php.ini"
|
|
PHPINIFILE=""
|
|
PHPINI_ALLFILES=""
|
|
for FILE in ${PHPINILOCS}; do
|
|
LogText "Test: checking presence ${FILE}"
|
|
if [ -f ${FILE} ]; then
|
|
PHPINIFILE="${FILE}"
|
|
LogText "Result: Found php.ini file (${PHPINIFILE})"
|
|
LogText "Note: Adding file to php.ini array"
|
|
PHPINI_ALLFILES="${PHPINI_ALLFILES} ${PHPINIFILE}"
|
|
else
|
|
LogText "Result: file ${FILE} not found"
|
|
fi
|
|
done
|
|
|
|
# Check all known locations
|
|
for DIR in ${PHPINIDIRS}; do
|
|
FIND=$(ls ${DIR}/*.ini 2> /dev/null)
|
|
if [ -z "${FIND}" ]; then
|
|
LogText "Result: no files found for ${DIR}"
|
|
else
|
|
LogText "Result: found files in location ${DIR}, checking"
|
|
for FILE in ${FIND}; do
|
|
if [ -f ${FILE} ]; then
|
|
LogText "Result: file ${FILE} exists, adding to php.ini array"
|
|
PHPINI_ALLFILES="${PHPINI_ALLFILES} ${FILE}"
|
|
fi
|
|
done
|
|
fi
|
|
done
|
|
|
|
if [ -n "${PHPINIFILE}" ]; then
|
|
Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN
|
|
LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
|
|
LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
|
|
else
|
|
Display --indent 2 --text "- Checking PHP" --result "${STATUS_NOT_FOUND}" --color WHITE
|
|
LogText "Result: no php.ini file found"
|
|
fi
|
|
unset DIR FILE FIND
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : PHP-2320
|
|
# Description : Check php disable functions option
|
|
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP disabled functions"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FOUND=0
|
|
for I in ${PHPINI_ALLFILES}; do
|
|
LogText "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
|
|
FIND=$(${GREPBINARY} "^disable_functions.*=" ${I})
|
|
if [ -z "${FIND}" ]; then
|
|
LogText "Result: ${I}: disabled_functions not found"
|
|
else
|
|
LogText "Result: ${I}: found disabled_functions"
|
|
FOUND=1
|
|
fi
|
|
|
|
FIND=$(${GREPBINARY} "^suhosin.executor.func.blacklist=" ${I})
|
|
if [ -z "${FIND}" ]; then
|
|
LogText "Result: ${I}: suhosin.executor.func.blacklist not found"
|
|
else
|
|
LogText "Result: ${I}: found suhosin.executor.func.blacklist"
|
|
FOUND=1
|
|
fi
|
|
done
|
|
if [ ${FOUND} -eq 0 ]; then
|
|
LogText "Result: all PHP functions can be executed"
|
|
Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW
|
|
ReportSuggestion "${TEST_NO}" "Harden PHP by disabling risky functions"
|
|
LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
|
|
AddHP 0 1
|
|
else
|
|
LogText "Result: one or more PHP functions are disabled/blacklisted"
|
|
Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_FOUND}" --color GREEN
|
|
AddHP 3 3
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : PHP-2368
|
|
# Description : Check php register_globals option
|
|
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
|
|
if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY}" ]; then
|
|
if [ -f "${PHPINIFILE}" ]; then
|
|
FIND=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^(4.|5.[0-3])")
|
|
if [ -z "${FIND}" ]; then
|
|
PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
|
|
else
|
|
PREQS_MET="YES"; Debug "Found PHP version 4 or up to 5.3 (${FIND}) which we are going to scan"
|
|
fi
|
|
else
|
|
Debug "File php.ini (${PHPINIFILE}) not found"
|
|
fi
|
|
else
|
|
PREQS_MET="NO"
|
|
Debug "Skipping test: php.ini not found, or PHP version empty"
|
|
Debug "php.ini: ${PHPINIFILE}"
|
|
Debug "version: ${PHPVERSION}"
|
|
fi
|
|
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking PHP register_globals option"
|
|
FIND=$(${GREPBINARY} -E -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
|
if [ -n "${FIND}" ]; then
|
|
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
|
|
ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
|
|
ReportSuggestion "${TEST_NO}" "Change the register_globals line to: register_globals = Off"
|
|
LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
|
|
AddHP 1 2
|
|
else
|
|
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_OK}" --color GREEN
|
|
LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
|
|
ReportManual ${TEST_NO}:01
|
|
AddHP 2 2
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : PHP-2372
|
|
# Description : Check PHP expose_php option
|
|
# Background : When this option is turned on, PHP will show its version number in the HTTP headers
|
|
# Notes : TODO - Extend test to check all PHP files
|
|
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FOUND=0
|
|
for FILE in ${PHPINI_ALLFILES}; do
|
|
# Don't look at this setting in cli configuration
|
|
case "${FILE}" in
|
|
*/cli/*)
|
|
continue
|
|
;;
|
|
esac
|
|
LogText "Test: Checking file ${FILE}"
|
|
FIND=$(${GREPBINARY} -E -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
|
|
if HasData "${FIND}"; then
|
|
LogText "Result: found a a possible match on expose_php setting"
|
|
LogText "Data: ${FIND}"
|
|
FOUND=1
|
|
fi
|
|
done
|
|
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
|
|
ReportSuggestion "${TEST_NO}" "Turn off PHP information exposure" "expose_php = Off" "-"
|
|
Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
|
|
AddHP 1 3
|
|
else
|
|
Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_OFF}" --color GREEN
|
|
LogText "Result: Found 'expose_php' in disabled state (0, no, or off)"
|
|
AddHP 2 2
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : PHP-2374
|
|
# Description : Check PHP enable_dl option
|
|
# Notes : Extend test to check all PHP files
|
|
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking PHP enable_dl option"
|
|
FIND=$(${GREPBINARY} -E -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
|
if [ -n "${FIND}" ]; then
|
|
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
|
|
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
|
|
ReportSuggestion "${TEST_NO}" "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
|
|
AddHP 0 1
|
|
else
|
|
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
|
|
LogText "Result: Found 'enable_dl' in disabled state (not present, 0, no, or off)"
|
|
AddHP 2 2
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : PHP-2376
|
|
# Description : Check PHP allow_url_fopen option
|
|
# Notes : Extend test to check all PHP files YYY
|
|
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking PHP allow_url_fopen option"
|
|
FIND=$(${GREPBINARY} -E -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
|
if [ -z "${FIND}" ]; then
|
|
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
|
|
LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk"
|
|
ReportSuggestion "${TEST_NO}" "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
|
|
AddHP 0 1
|
|
else
|
|
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
|
|
LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
|
|
AddHP 2 2
|
|
fi
|
|
# TODO Check through all files
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : PHP-2378
|
|
# Description : Check PHP allow_url_include option
|
|
# Notes : Extend test to check all PHP files YYY
|
|
if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking PHP allow_url_include option"
|
|
FIND=$(${GREPBINARY} -E -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
|
|
if [ -z "${FIND}" ]; then
|
|
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
|
|
Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk"
|
|
ReportSuggestion "${TEST_NO}" "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
|
|
AddHP 0 1
|
|
else
|
|
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
|
|
LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
|
|
AddHP 2 2
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# - test disabled for time being, as newer suhosin7 work is not stable enough -
|
|
# Test : PHP-2379
|
|
# Description : Check PHP suhosin extension status
|
|
#if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
#Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status"
|
|
|
|
#if [ ${SKIPTEST} -eq 0 ]; then
|
|
# FOUND=0
|
|
# SIMULATION=0
|
|
# MAJOR_VERSION=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^7")
|
|
# if [ "${OS}" = "OpenBSD" ]; then
|
|
# FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP
|
|
# SIMULATION=off
|
|
# else
|
|
# for I in ${PHPINI_ALLFILES}; do
|
|
# LogText "Test: Checking for PHP suhosin extension status in file ${I}"
|
|
# FIND=$(${GREPBINARY} -oP '^extension=.*?suhosin7?.so.*$' ${I})
|
|
# if [ -z "${FIND}" ]; then
|
|
# LogText "Result: ${I}: suhosin is not enabled"
|
|
# else
|
|
# LogText "Result: ${I}: suhosin is enabled"
|
|
# FOUND=1
|
|
# fi
|
|
|
|
# LogText "Test: Check Suhosin simulation mode status"
|
|
# SIMULATION=$(${GREPBINARY} -oP '^suhosin.simulation.*$' ${I} | ${CUTBINARY} -d= -f2 | ${GREPBINARY} -io 'off' | ${TRBINARY} '[:upper:]' '[:lower:]')
|
|
# if [ "${SIMULATION}" = "off" ]; then
|
|
# LogText "Result: ${I}: suhosin simulation mode is not active"
|
|
# else
|
|
# LogText "Result: ${I}: suhosin simulation mode is active"
|
|
# fi
|
|
# done
|
|
# fi
|
|
|
|
# # Check Suhosin for PHP 7
|
|
# if [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
|
|
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
|
|
# LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production"
|
|
# ReportSuggestion "${TEST_NO}" "Disable Suhosin for PHP 7"
|
|
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
|
|
# Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED
|
|
# AddHP 0 1
|
|
# elif [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
|
|
# LogText "Test: Check Suhosin for PHP 7 is not enabled"
|
|
# LogText "Result: Suhosin for PHP 7 is not enabled"
|
|
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN
|
|
# Display --indent 6 --text "- Suhosin is not enabled for PHP 7" --result "${STATUS_OK}" --color GREEN
|
|
# AddHP 1 1
|
|
# else
|
|
# if [ ${FOUND} -eq 0 ]; then
|
|
# LogText "Result: Suhosin extension is not enabled"
|
|
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
|
|
# ReportSuggestion "${TEST_NO}" "Harden PHP by enabling suhosin extension"
|
|
# LogText "suhosin extension is not enabled"
|
|
# AddHP 0 1
|
|
# else
|
|
# LogText "Result: Suhosin extension is enabled"
|
|
# Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN
|
|
# AddHP 2 2
|
|
# fi
|
|
|
|
# if [ "${SIMULATION}" = "off" ]; then
|
|
# LogText "Result: Suhosin simulation mode is not active"
|
|
# Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_OK}" --color GREEN
|
|
# AddHP 2 2
|
|
# else
|
|
# LogText "Result: Suhosin simulation mode is active"
|
|
# Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_WARNING}" --color RED
|
|
# ReportSuggestion "${TEST_NO}" "Harden PHP by deactivating suhosin simulation mode"
|
|
# LogText "suhosin simulation mode is active"
|
|
# AddHP 0 1
|
|
# fi
|
|
# fi
|
|
#fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : PHP-2382
|
|
# Description : Check listen option
|
|
# Background : https://github.com/CISOfy/lynis/issues/837
|
|
if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no PHP-2382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FOUND=0
|
|
for FILE in ${PHPINI_ALLFILES}; do
|
|
# Don't look at this setting in cli configuration
|
|
case "${FILE}" in
|
|
*/cli/*)
|
|
continue
|
|
;;
|
|
esac
|
|
LogText "Test: Checking file ${FILE}"
|
|
FIND=$(${GREPBINARY} -E -i "^listen = [0-9]{1,5}$" ${FILE})
|
|
if HasData "${FIND}"; then
|
|
LogText "Result: found listen on just a port number"
|
|
LogText "Data: ${FIND}"
|
|
LogText "Note: when possible, limit access to just localhost, so it can't be accessed from outside"
|
|
FOUND=1
|
|
fi
|
|
done
|
|
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
Display --indent 4 --text "- Checking listen option" --result "${STATUS_SUGGESTION}" --color YELLOW
|
|
#ReportSuggestion "${TEST_NO}" "Limit the listening of FastCGI to just localhost or a local socket" "listen = 127.0.0.1:9000" "-"
|
|
AddHP 1 3
|
|
else
|
|
Display --indent 4 --text "- Checking listen option" --result "${STATUS_OK}" --color GREEN
|
|
AddHP 2 2
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|