| field | value | date |
|---|---|---|
| author | Michael Boelen <michael.boelen@cisofy.com> | 2020-04-02 20:46:58 +0300 |
| committer | Michael Boelen <michael.boelen@cisofy.com> | 2020-04-02 20:46:58 +0300 |
| commit | 38a5c2cb79bdf56352555f08472b9ea5c77d0e1f | |
| tree | 07ed80ef433ec384187877b5f8818a5244c512f8 | |
| parent | 64033da973deb14d7632798904b5f24c06816390 | |
Added new test PHP-2382
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | CHANGELOG.md | 1 |
| -rw-r--r-- | db/tests.db | 1 |
| -rw-r--r-- | include/tests_php | 36 |

3 files changed, 38 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 87873b19..805a18d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -62,6 +62,7 @@ Using the relevant options, the scan will change base on the intended goal. - New test: INSE-8316 - test for NIS server - New test: NETW-2706 - check DNSSEC (systemd) - New test: NETW-3200 - determine enabled network protocols +- New test: PHP-2382 - detect listen option in PHP (FPM) - New test: PROC-3802 - check presence of prelink tooling - New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD - New test: TIME-3181 - check status of OpenNTPD time synchronisation diff --git a/db/tests.db b/db/tests.db index 48430806..ba9778d1 100644 --- a/db/tests.db +++ b/db/tests.db @@ -311,6 +311,7 @@ PHP-2374:test:security:php::Check PHP enable_dl option: PHP-2376:test:security:php::Check PHP allow_url_fopen option: PHP-2378:test:security:php::Check PHP allow_url_include option: PHP-2379:test:security:php::Check PHP suhosin extension status: +PHP-2382:test:security:php::Check PHP listen option: PKGS-7301:test:security:ports_packages::Query NetBSD pkg: PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info: PKGS-7303:test:security:ports_packages::Query brew package manager: diff --git a/include/tests_php b/include/tests_php index a452781a..0f498fff 100644 --- a/include/tests_php +++ b/include/tests_php 
@@ -464,6 +464,42 @@ # ################################################################################# # + # Test : PHP-2382 + # Description : Check listen option + # Background : https://github.com/CISOfy/lynis/issues/837 + if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no PHP-2382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + for FILE in ${PHPINI_ALLFILES}; do + # Don't look at this setting in cli configuration + case "${FILE}" in + */cli/*) + continue + ;; + esac + LogText "Test: Checking file ${FILE}" + FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE}) + if HasData "${FIND}"; then + LogText "Result: found listen on just a port number" + LogText "Data: ${FIND}" + LogText "Note: when possible, limit access to just localhost, so it can't be accessed from outside" + FOUND=1 + fi + done + + if [ ${FOUND} -eq 1 ]; then + Display --indent 4 --text "- Checking listen option" --result "${STATUS_SUGGESTION}" --color YELLOW + #ReportSuggestion "${TEST_NO}" "Limit the listening of FastCGI to just localhost or a local socket" "listen = 127.0.0.1:9000" "-" + AddHP 1 3 + else + Display --indent 4 --text "- Checking listen option" --result "${STATUS_OK}" --color GREEN + AddHP 2 2 + fi + fi +# +################################################################################# +# WaitForKeyPress |
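Review bot: in the db/tests.db hunk the new entry "PHP-2382:test:security:php::Check PHP listen option:" drops the FPM qualifier that the CHANGELOG line carries ("detect listen option in PHP (FPM)"); since `listen` is a PHP-FPM pool directive rather than a php.ini setting, consider "Check PHP (FPM) listen option" so the test list tells the reader which configuration the test inspects.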
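Review bot: the Register call in the include/tests_php hunk carries the wrong description, "Check PHP expose_php option", copied from the neighbouring test; it should read "Check PHP listen option" to match db/tests.db. Two further points in the same hunk: the `ReportSuggestion` line is commented out, so a match is displayed as `${STATUS_SUGGESTION}` and scored with `AddHP 1 3` but no suggestion ever reaches the report, which leaves the user with a yellow result and no text explaining it (either enable the line or drop the SUGGESTION status); and the pattern `"^listen = [0-9]{1,5}$"` only matches a bare port written with exactly one space on each side of `=`, so `listen=9000` is missed, as is `listen = 0.0.0.0:9000`, which is just as exposed as a bare port. Something along the lines of `"^[[:space:]]*listen[[:space:]]*=[[:space:]]*(0\.0\.0\.0:)?[0-9]{1,5}[[:space:]]*$"` covers both, and `${FILE}` should be quoted in the `${EGREPBINARY}` call. It is also worth confirming that `PHPINI_ALLFILES` actually includes the FPM pool files (www.conf and friends), because `listen` lives there and not in php.ini; if it does not, the loop will never find anything to flag.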