diff options
Diffstat (limited to 'include/tests_php')
| -rw-r--r-- | include/tests_php | 281 |
1 files changed, 281 insertions, 0 deletions
diff --git a/include/tests_php b/include/tests_php new file mode 100644 index 00000000..fcb582a2 --- /dev/null +++ b/include/tests_php @@ -0,0 +1,281 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands +# Web site: http://www.rootkit.nl +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Software: PHP +# +################################################################################# +# + InsertSection "Software: PHP" + + # Possible locations of php.ini + PHPINILOCS="/etc/php.ini \ + /etc/php/cgi-php5/php.ini /etc/php/cli-php5/php.ini /etc/php/apache2-php5/php.ini \ + /etc/php/apache2-php5.4/php.ini /etc/php/apache2-php5.5/php.ini \ + /etc/php5/cgi/php.ini \ + /etc/php5/cli/php.ini \ + /etc/php5/cli-php5.4/php.ini /etc/php5/cli-php5.5/php.ini /etc/php5/cli-php5.6/php.ini \ + /etc/php5/apache2/php.ini \ + /private/etc/php.ini \ + /var/www/conf/php.ini \ + /usr/local/etc/php.ini /usr/local/lib/php.ini" + + PHPINIDIRS="/etc/php5/conf.d" +# +################################################################################# +# + # Test : PHP-2211 + # Description : Check php.ini presence + Register --test-no PHP-2211 --weight L --network NO --description "Check php.ini presence" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking for presence php.ini" + PHPINIFILE="" + PHPINI_ALLFILES="" + for I in ${PHPINILOCS}; do + logtext "Test: checking presence ${I}" + if [ -f ${I} ]; then + PHPINIFILE=${I} + logtext "Result: Found php.ini file (${PHPINIFILE})" + logtext "Note: Adding file to php.ini array" + PHPINI_ALLFILES="${PHPINI_ALLFILES} ${PHPINIFILE}" + else + logtext "Result: file ${I} not found" + fi + done + + # Check all known locations + for I in ${PHPINIDIRS}; do + tFILES=`ls ${I}/*.ini 2>/dev/null` + if [ "${tFILES}" = "" ]; then + logtext "Result: no files found for ${I}" + else + logtext "Result: found files in location ${I}, checking.." + for I in ${tFILES}; do + if [ -f ${I} ]; then + logtext "Result: file ${I} exists, adding to php.ini array" + PHPINI_ALLFILES="${PHPINI_ALLFILES} ${I}" + fi + done + fi + done + + if [ ! "${PHPINIFILE}" = "" ]; then + Display --indent 2 --text "- Checking PHP..." --result "FOUND" --color GREEN + logtext "Result: using single file ${PHPINIFILE} for main php.ini tests" + logtext "Result: using php.ini array ${PHPINI_ALLFILES} for further tests" + else + Display --indent 2 --text "- Checking PHP..." --result "NOT FOUND" --color WHITE + logtext "Result: no php.ini file found" + fi + fi +# +################################################################################# +# + # Test : PHP-2320 + # Description : Check php disable functions option + if [ ! "${PHPINI_ALLFILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP disabled functions" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + for I in ${PHPINI_ALLFILES}; do + logtext "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}" + FIND=`grep "^disable_functions.*=" ${I}` + if [ "${FIND}" = "" ]; then + logtext "Result: ${I}: disabled_functions not found" + else + logtext "Result: ${I}: found disabled_functions" + FOUND=1 + fi + + FIND=`grep "^suhosin.executor.func.blacklist=" ${I}` + if [ "${FIND}" = "" ]; then + logtext "Result: ${I}: suhosin.executor.func.blacklist not found" + else + logtext "Result: ${I}: found suhosin.executor.func.blacklist" + FOUND=1 + fi + done + if [ ${FOUND} -eq 0 ]; then + logtext "Result: all PHP functions can be executed" + Display --indent 4 --text "- Checking PHP disabled functions..." --result "NONE" --color YELLOW + ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions" + logtext "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)" + AddHP 0 1 + else + logtext "Result: one or more PHP functions are disabled/blacklisted" + Display --indent 4 --text "- Checking PHP disabled functions..." --result "FOUND" --color GREEN + AddHP 3 3 + fi + fi +# +################################################################################# +# + # Test : PHP-2368 + # Description : Check php register_globals option + # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed) + if [ ! "${PHPINIFILE}" = "" -a ! "${PHPVERSION}" = "" ]; then + FIND=`echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])"` + if [ "${FIND}" = "" ]; then + PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals" + else + PREQS_MET="YES"; Debug "Found PHP version 4 or up to 5.3 (${FIND}) which we are going to scan" + fi + else + Debug "Skipping test: php.ini not found, or PHP version empty" + Debug "php.ini: ${PHPINIFILE}" + Debug "version: ${PHPVERSION}" + fi + Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking PHP register_globals option.." + FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(on|yes|1)' | grep -v '^;'` + if [ ! "${FIND}" = "" ]; then + Display --indent 4 --text "- Checking register_globals option..." --result WARNING --color RED + ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" + ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off" + logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting." + AddHP 1 2 + else + Display --indent 4 --text "- Checking register_globals option..." --result OK --color GREEN + logtext "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value." + ReportManual ${TEST_NO}:01 + AddHP 2 2 + fi + fi +# +################################################################################# +# + # Test : PHP-2372 + # Description : Check php expose_php option + # Notes : Extend test to check all PHP files YYY + if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking expose_php option.." + FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'` + if [ "${FIND}" = "" ]; then + Display --indent 4 --text "- Checking expose_php option..." --result ON --color RED + ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers." + ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off" + report "Result: expose_php option is turned on, which can expose useful information for an attacker" + AddHP 1 2 + else + Display --indent 4 --text "- Checking expose_php option..." --result OFF --color GREEN + logtext "Result: Found 'expose_php' in disabled state (0, no, or off)" + AddHP 2 2 + fi + #YYY Check through all files + fi +# +################################################################################# +# + # Test : PHP-2374 + # Description : Check PHP enable_dl option + # Notes : Extend test to check all PHP files YYY + if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking PHP enable_dl option.." + FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'` + if [ "${FIND}" = "" ]; then + Display --indent 4 --text "- Checking enable_dl option..." --result ON --color YELLOW + report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP" + ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP" + AddHP 0 1 + else + Display --indent 4 --text "- Checking enable_dl option..." --result OFF --color GREEN + logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)" + AddHP 2 2 + fi + #YYY Check through all files + fi +# +################################################################################# +# + # Test : PHP-2376 + # Description : Check PHP allow_url_fopen option + # Notes : Extend test to check all PHP files YYY + if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking PHP allow_url_fopen option.." + FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'` + if [ "${FIND}" = "" ]; then + Display --indent 4 --text "- Checking allow_url_fopen option..." --result ON --color YELLOW + report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP" + ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP" + AddHP 0 1 + else + Display --indent 4 --text "- Checking allow_url_fopen option..." --result OFF --color GREEN + logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)" + AddHP 2 2 + fi + #YYY Check through all files + fi +# +################################################################################# +# + # Test : PHP-2378 + # Description : Check PHP allow_url_include option + # Notes : Extend test to check all PHP files YYY + if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking PHP allow_url_include option.." + FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'` + if [ "${FIND}" = "" ]; then + Display --indent 4 --text "- Checking allow_url_include option..." --result ON --color YELLOW + report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP" + ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP" + AddHP 0 1 + else + Display --indent 4 --text "- Checking allow_url_include option..." --result OFF --color GREEN + logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)" + AddHP 2 2 + fi + #YYY Check through all files + fi +# +################################################################################# +# +# Disable/use functions: +# safe_mode (only for PHP5?) +# open_basedir (limits access to defined directory, comparable with chrooting) +# disable_classes +# session.save_path +# session.referer_check +# upload_tmp_dir +# file_uploads Off, if possible +# Set display_errors to Off +# Set log_errors to On and define error_log (with value Syslog or a filename) +# +################################################################################# +# + # mod_suexec + # suPHP (/etc/suphp.conf) +# +################################################################################# +# + # Test : PHP-2388 + # Description : Check php version number +# +################################################################################# +# + +wait_for_keypress + +# +#================================================================================ +# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands |