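#!/bin/sh

#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Software: PHP
#
# This file is sourced by the Lynis test runner; it relies on the helper
# functions (Register, LogText, Display, Report*, AddHP, HasData, ...) and the
# globals (ROOTDIR, SKIPTEST, TEST_NO, GREPBINARY, EGREPBINARY, STATUS_*)
# that the runner provides before this file is executed.
#
#################################################################################
#
    # Variables
    # PHPVERSION is only initialised here; nothing in this file populates it.
    # Tests that require a version (PHP-2368) therefore stay skipped unless a
    # caller sets it beforehand - confirm against the runner.
    PHPVERSION=""

    InsertSection "PHP"

    # Possible locations of php.ini
    # Whitespace-separated list; paths are expanded with intentional word
    # splitting, so entries must not contain spaces (ROOTDIR included).
    PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
                ${ROOTDIR}etc/php/php.ini \
                ${ROOTDIR}etc/php5.5/php.ini \
                ${ROOTDIR}etc/php5.6/php.ini \
                ${ROOTDIR}etc/php7.0/php.ini \
                ${ROOTDIR}etc/php7.1/php.ini \
                ${ROOTDIR}etc/php7.2/php.ini \
                ${ROOTDIR}etc/php7.3/php.ini \
                ${ROOTDIR}etc/php7.4/php.ini \
                ${ROOTDIR}etc/php/cgi-php5/php.ini \
                ${ROOTDIR}etc/php/cli-php5/php.ini \
                ${ROOTDIR}etc/php/apache2-php5/php.ini \
                ${ROOTDIR}etc/php/apache2-php5.5/php.ini \
                ${ROOTDIR}etc/php/apache2-php5.6/php.ini \
                ${ROOTDIR}etc/php/apache2-php7.0/php.ini \
                ${ROOTDIR}etc/php/apache2-php7.1/php.ini \
                ${ROOTDIR}etc/php/apache2-php7.2/php.ini \
                ${ROOTDIR}etc/php/apache2-php7.3/php.ini \
                ${ROOTDIR}etc/php/apache2-php7.4/php.ini \
                ${ROOTDIR}etc/php/cgi-php5.5/php.ini \
                ${ROOTDIR}etc/php/cgi-php5.6/php.ini \
                ${ROOTDIR}etc/php/cgi-php7.0/php.ini \
                ${ROOTDIR}etc/php/cgi-php7.1/php.ini \
                ${ROOTDIR}etc/php/cgi-php7.2/php.ini \
                ${ROOTDIR}etc/php/cgi-php7.3/php.ini \
                ${ROOTDIR}etc/php/cgi-php7.4/php.ini \
                ${ROOTDIR}etc/php/cli-php5.5/php.ini \
                ${ROOTDIR}etc/php/cli-php5.6/php.ini \
                ${ROOTDIR}etc/php/cli-php7.0/php.ini \
                ${ROOTDIR}etc/php/cli-php7.1/php.ini \
                ${ROOTDIR}etc/php/cli-php7.2/php.ini \
                ${ROOTDIR}etc/php/cli-php7.3/php.ini \
                ${ROOTDIR}etc/php/cli-php7.4/php.ini \
                ${ROOTDIR}etc/php/embed-php5.5/php.ini \
                ${ROOTDIR}etc/php/embed-php5.6/php.ini \
                ${ROOTDIR}etc/php/embed-php7.0/php.ini \
                ${ROOTDIR}etc/php/embed-php7.1/php.ini \
                ${ROOTDIR}etc/php/embed-php7.2/php.ini \
                ${ROOTDIR}etc/php/embed-php7.3/php.ini \
                ${ROOTDIR}etc/php/embed-php7.4/php.ini \
                ${ROOTDIR}etc/php/fpm-php7.4/php.ini \
                ${ROOTDIR}etc/php/fpm-php7.3/php.ini \
                ${ROOTDIR}etc/php/fpm-php7.2/php.ini \
                ${ROOTDIR}etc/php/fpm-php7.1/php.ini \
                ${ROOTDIR}etc/php/fpm-php7.0/php.ini \
                ${ROOTDIR}etc/php/fpm-php5.5/php.ini \
                ${ROOTDIR}etc/php/fpm-php5.6/php.ini \
                ${ROOTDIR}etc/php5/cgi/php.ini \
                ${ROOTDIR}etc/php5/cli/php.ini \
                ${ROOTDIR}etc/php5/cli-php5.4/php.ini \
                ${ROOTDIR}etc/php5/cli-php5.5/php.ini \
                ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
                ${ROOTDIR}etc/php5/apache2/php.ini \
                ${ROOTDIR}etc/php5/fpm/php.ini \
                ${ROOTDIR}private/etc/php.ini \
                ${ROOTDIR}etc/php/7.0/apache2/php.ini \
                ${ROOTDIR}etc/php/7.1/apache2/php.ini \
                ${ROOTDIR}etc/php/7.2/apache2/php.ini \
                ${ROOTDIR}etc/php/7.3/apache2/php.ini \
                ${ROOTDIR}etc/php/7.4/apache2/php.ini \
                ${ROOTDIR}etc/php/7.0/cli/php.ini \
                ${ROOTDIR}etc/php/7.0/fpm/php.ini \
                ${ROOTDIR}etc/php/7.1/cli/php.ini \
                ${ROOTDIR}etc/php/7.1/fpm/php.ini \
                ${ROOTDIR}etc/php/7.2/cli/php.ini \
                ${ROOTDIR}etc/php/7.2/fpm/php.ini \
                ${ROOTDIR}etc/php/7.3/cli/php.ini \
                ${ROOTDIR}etc/php/7.3/fpm/php.ini \
                ${ROOTDIR}etc/php/7.4/cli/php.ini \
                ${ROOTDIR}etc/php/7.4/fpm/php.ini \
                ${ROOTDIR}var/www/conf/php.ini \
                ${ROOTDIR}usr/local/etc/php.ini \
                ${ROOTDIR}usr/local/lib/php.ini \
                ${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
                ${ROOTDIR}usr/local/php54/lib/php.ini \
                ${ROOTDIR}usr/local/php56/lib/php.ini \
                ${ROOTDIR}usr/local/php70/lib/php.ini \
                ${ROOTDIR}usr/local/php71/lib/php.ini \
                ${ROOTDIR}usr/local/php72/lib/php.ini \
                ${ROOTDIR}usr/local/php73/lib/php.ini \
                ${ROOTDIR}usr/local/php74/lib/php.ini \
                ${ROOTDIR}usr/local/zend/etc/php.ini \
                ${ROOTDIR}usr/pkg/etc/php.ini \
                ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
                ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.ini \
                ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
                ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
                ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
                ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
                ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
                ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
                ${ROOTDIR}opt/alt/php44/etc/php.ini \
                ${ROOTDIR}opt/alt/php51/etc/php.ini \
                ${ROOTDIR}opt/alt/php52/etc/php.ini \
                ${ROOTDIR}opt/alt/php53/etc/php.ini \
                ${ROOTDIR}opt/alt/php54/etc/php.ini \
                ${ROOTDIR}opt/alt/php55/etc/php.ini \
                ${ROOTDIR}opt/alt/php56/etc/php.ini \
                ${ROOTDIR}opt/alt/php70/etc/php.ini \
                ${ROOTDIR}opt/alt/php71/etc/php.ini \
                ${ROOTDIR}opt/alt/php72/etc/php.ini \
                ${ROOTDIR}opt/alt/php73/etc/php.ini \
                ${ROOTDIR}opt/alt/php74/etc/php.ini \
                ${ROOTDIR}etc/opt/remi/php56/php.ini \
                ${ROOTDIR}etc/opt/remi/php70/php.ini \
                ${ROOTDIR}etc/opt/remi/php71/php.ini \
                ${ROOTDIR}etc/opt/remi/php72/php.ini \
                ${ROOTDIR}etc/opt/remi/php73/php.ini \
                ${ROOTDIR}etc/opt/remi/php74/php.ini"
    # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
    PHPINILOCS="${PHPINILOCS} \
                ${ROOTDIR}etc/php-5.6.ini \
                ${ROOTDIR}etc/php-7.0.ini \
                ${ROOTDIR}etc/php-7.1.ini \
                ${ROOTDIR}etc/php-7.2.ini \
                ${ROOTDIR}etc/php-7.3.ini \
                ${ROOTDIR}etc/php-7.4.ini"

    # Directories whose *.ini files are added to the php.ini array
    PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
                ${ROOTDIR}etc/php/7.0/cli/conf.d \
                ${ROOTDIR}etc/php/7.1/cli/conf.d \
                ${ROOTDIR}etc/php/7.2/cli/conf.d \
                ${ROOTDIR}etc/php/7.3/cli/conf.d \
                ${ROOTDIR}etc/php/7.4/cli/conf.d \
                ${ROOTDIR}etc/php/7.0/fpm/conf.d \
                ${ROOTDIR}etc/php/7.1/fpm/conf.d \
                ${ROOTDIR}etc/php/7.2/fpm/conf.d \
                ${ROOTDIR}etc/php/7.3/fpm/conf.d \
                ${ROOTDIR}etc/php/7.4/fpm/conf.d \
                ${ROOTDIR}etc/php.d \
                ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
                ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
                ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
                ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
                ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
                ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
                ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
                ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
                ${ROOTDIR}opt/alt/php44/etc/php.d.all \
                ${ROOTDIR}opt/alt/php51/etc/php.d.all \
                ${ROOTDIR}opt/alt/php52/etc/php.d.all \
                ${ROOTDIR}opt/alt/php53/etc/php.d.all \
                ${ROOTDIR}opt/alt/php54/etc/php.d.all \
                ${ROOTDIR}opt/alt/php55/etc/php.d.all \
                ${ROOTDIR}opt/alt/php56/etc/php.d.all \
                ${ROOTDIR}opt/alt/php70/etc/php.d.all \
                ${ROOTDIR}opt/alt/php71/etc/php.d.all \
                ${ROOTDIR}opt/alt/php72/etc/php.d.all \
                ${ROOTDIR}opt/alt/php73/etc/php.d.all \
                ${ROOTDIR}opt/alt/php74/etc/php.d.all \
                ${ROOTDIR}usr/local/lib/php.conf.d \
                ${ROOTDIR}usr/local/php70/lib/php.conf.d \
                ${ROOTDIR}usr/local/php71/lib/php.conf.d \
                ${ROOTDIR}usr/local/php72/lib/php.conf.d \
                ${ROOTDIR}usr/local/php73/lib/php.conf.d \
                ${ROOTDIR}usr/local/php74/lib/php.conf.d"
    # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
    PHPINIDIRS="${PHPINIDIRS} \
                ${ROOTDIR}etc/php-5.6 \
                ${ROOTDIR}etc/php-7.0 \
                ${ROOTDIR}etc/php-7.1 \
                ${ROOTDIR}etc/php-7.2 \
                ${ROOTDIR}etc/php-7.3 \
                ${ROOTDIR}etc/php-7.4"
#
#################################################################################
#
    # Test        : PHP-2211
    # Description : Check php.ini presence
    # Outputs     : PHPINIFILE (last existing candidate from PHPINILOCS, used by
    #               the single-file tests below) and PHPINI_ALLFILES (every
    #               existing candidate plus every *.ini found in PHPINIDIRS)
    Register --test-no PHP-2211 --weight L --network NO --category security --description "Check php.ini presence"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking for presence php.ini"
        PHPINIFILE=""
        PHPINI_ALLFILES=""
        # shellcheck disable=SC2086 -- the candidate list is deliberately word-split
        for FILE in ${PHPINILOCS}; do
            LogText "Test: checking presence ${FILE}"
            if [ -f "${FILE}" ]; then
                # Every hit overwrites PHPINIFILE, so the last match in list order wins
                PHPINIFILE="${FILE}"
                LogText "Result: Found php.ini file (${PHPINIFILE})"
                LogText "Note: Adding file to php.ini array"
                PHPINI_ALLFILES="${PHPINI_ALLFILES} ${PHPINIFILE}"
            else
                LogText "Result: file ${FILE} not found"
            fi
        done

        # Check all known locations for additional *.ini files.
        # The shell expands the glob itself (no ls parsing); an unmatched
        # pattern stays literal and is rejected by the -f test.
        # shellcheck disable=SC2086 -- the directory list is deliberately word-split
        for DIR in ${PHPINIDIRS}; do
            FOUND_IN_DIR=0
            for FILE in "${DIR}"/*.ini; do
                if [ -f "${FILE}" ]; then
                    if [ "${FOUND_IN_DIR}" -eq 0 ]; then
                        LogText "Result: found files in location ${DIR}, checking"
                    fi
                    FOUND_IN_DIR=1
                    LogText "Result: file ${FILE} exists, adding to php.ini array"
                    PHPINI_ALLFILES="${PHPINI_ALLFILES} ${FILE}"
                fi
            done
            if [ "${FOUND_IN_DIR}" -eq 0 ]; then
                LogText "Result: no files found for ${DIR}"
            fi
        done

        if [ -n "${PHPINIFILE}" ]; then
            Display --indent 2 --text "- Checking PHP" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
            LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
        else
            Display --indent 2 --text "- Checking PHP" --result "${STATUS_NOT_FOUND}" --color WHITE
            LogText "Result: no php.ini file found"
        fi
        unset DIR FILE FOUND_IN_DIR
    fi
#
#################################################################################
#
    # Test        : PHP-2320
    # Description : Check php disable functions option
    # Notes       : A bare 'disable_functions =' (the stock php.ini default) disables
    #               nothing, so a match requires a non-empty value after the '='.
    if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2320 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check PHP disabled functions"
    if [ "${SKIPTEST}" -eq 0 ]; then
        FOUND=0
        # shellcheck disable=SC2086 -- the file list is deliberately word-split
        for I in ${PHPINI_ALLFILES}; do
            LogText "Test: Checking for PHP function hardening disable_functions or suhosin.executor.func.blacklist in file ${I}"
            FIND=$(${GREPBINARY} "^disable_functions[[:space:]]*=[[:space:]]*[^[:space:]]" "${I}")
            if [ -z "${FIND}" ]; then
                LogText "Result: ${I}: disable_functions not found or empty"
            else
                LogText "Result: ${I}: found disable_functions with a value"
                FOUND=1
            fi

            FIND=$(${GREPBINARY} "^suhosin\.executor\.func\.blacklist[[:space:]]*=[[:space:]]*[^[:space:]]" "${I}")
            if [ -z "${FIND}" ]; then
                LogText "Result: ${I}: suhosin.executor.func.blacklist not found or empty"
            else
                LogText "Result: ${I}: found suhosin.executor.func.blacklist"
                FOUND=1
            fi
        done
        if [ "${FOUND}" -eq 0 ]; then
            LogText "Result: all PHP functions can be executed"
            Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_NONE}" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Harden PHP by disabling risky functions"
            LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
            AddHP 0 1
        else
            LogText "Result: one or more PHP functions are disabled/blacklisted"
            Display --indent 4 --text "- Checking PHP disabled functions" --result "${STATUS_FOUND}" --color GREEN
            AddHP 3 3
        fi
        unset FIND FOUND I
    fi
#
#################################################################################
#
    # Test        : PHP-2368
    # Description : Check php register_globals option
    # Notes       : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
    # PREQS_MET defaults to NO so a value left over from the previous test is
    # never reused when one of the branches below does not set it.
    PREQS_MET="NO"
    if [ -n "${PHPINIFILE}" ] && [ -n "${PHPVERSION}" ] && [ -n "${EGREPBINARY}" ]; then
        if [ -f "${PHPINIFILE}" ]; then
            # Only PHP 4.x and 5.0-5.3 still know register_globals
            FIND=$(echo "${PHPVERSION}" | ${EGREPBINARY} "^(4\.|5\.[0-3])")
            if [ -z "${FIND}" ]; then
                Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
            else
                PREQS_MET="YES"; Debug "Found PHP version 4 or up to 5.3 (${FIND}) which we are going to scan"
            fi
        else
            Debug "File php.ini (${PHPINIFILE}) not found"
        fi
    else
        Debug "Skipping test: php.ini not found, or PHP version empty"
        Debug "php.ini: ${PHPINIFILE}"
        Debug "version: ${PHPVERSION}"
    fi
    Register --test-no PHP-2368 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check PHP register_globals option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking PHP register_globals option"
        # Lines starting with ';' are php.ini comments and are dropped from the match
        FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' "${PHPINIFILE}" | ${GREPBINARY} -v '^;')
        if [ -n "${FIND}" ]; then
            Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
            ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
            ReportSuggestion "${TEST_NO}" "Change the register_globals line to: register_globals = Off"
            LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
            AddHP 1 2
        else
            Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_OK}" --color GREEN
            LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
            ReportManual "${TEST_NO}:01"
            AddHP 2 2
        fi
        unset FIND
    fi
#
#################################################################################
#
    # Test        : PHP-2372
    # Description : Check PHP expose_php option
    # Background  : When this option is turned on, PHP will show its version number in the HTTP headers
    # Notes       : TODO - Extend test to check all PHP files
    if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2372 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check PHP expose_php option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        FOUND=0
        # shellcheck disable=SC2086 -- the file list is deliberately word-split
        for FILE in ${PHPINI_ALLFILES}; do
            # Don't look at this setting in cli configuration (no HTTP headers there)
            case "${FILE}" in
                */cli/*)
                    continue
                    ;;
            esac
            LogText "Test: Checking file ${FILE}"
            FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' "${FILE}" | ${GREPBINARY} -v '^;')
            if HasData "${FIND}"; then
                LogText "Result: found a possible match on expose_php setting"
                LogText "Data: ${FIND}"
                FOUND=1
            fi
        done

        if [ "${FOUND}" -eq 1 ]; then
            Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_ON}" --color RED
            ReportSuggestion "${TEST_NO}" "Turn off PHP information exposure" "expose_php = Off" "-"
            # NOTE(review): Report writes to the report file rather than the log; confirm LogText was not intended here
            Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
            AddHP 1 3
        else
            Display --indent 4 --text "- Checking expose_php option" --result "${STATUS_OFF}" --color GREEN
            LogText "Result: Found 'expose_php' in disabled state (0, no, or off)"
            AddHP 2 2
        fi
        unset FILE FIND FOUND
    fi
#
#################################################################################
#
    # Test        : PHP-2374
    # Description : Check PHP enable_dl option
    # Notes       : Extend test to check all PHP files
    if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2374 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check PHP enable_dl option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking PHP enable_dl option"
        FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' "${PHPINIFILE}" | ${GREPBINARY} -v '^;')
        if [ -n "${FIND}" ]; then
            Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
            # NOTE(review): Report writes to the report file rather than the log; confirm LogText was not intended here
            Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
            ReportSuggestion "${TEST_NO}" "Change the enable_dl line to: enable_dl = Off, to disable dynamically loading new modules"
            AddHP 0 1
        else
            Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_OFF}" --color GREEN
            LogText "Result: Found 'enable_dl' in disabled state (not present, 0, no, or off)"
            AddHP 2 2
        fi
        unset FIND
    fi
#
#################################################################################
#
    # Test        : PHP-2376
    # Description : Check PHP allow_url_fopen option
    # Notes       : Extend test to check all PHP files YYY
    #               The option defaults to On, so the absence of an explicit
    #               off/no/0 line is treated as enabled.
    if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2376 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking PHP allow_url_fopen option"
        FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' "${PHPINIFILE}" | ${GREPBINARY} -v '^;')
        if [ -z "${FIND}" ]; then
            Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
            LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk"
            ReportSuggestion "${TEST_NO}" "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
            AddHP 0 1
        else
            Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_OFF}" --color GREEN
            LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
            AddHP 2 2
        fi
        # TODO Check through all files
        unset FIND
    fi
#
#################################################################################
#
    # Test        : PHP-2378
    # Description : Check PHP allow_url_include option
    # Notes       : Extend test to check all PHP files YYY
    #               As with allow_url_fopen, no explicit off/no/0 line counts as enabled.
    if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2378 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check PHP allow_url_include option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking PHP allow_url_include option"
        FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' "${PHPINIFILE}" | ${GREPBINARY} -v '^;')
        if [ -z "${FIND}" ]; then
            Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
            # NOTE(review): Report writes to the report file rather than the log; confirm LogText was not intended here
            Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk"
            ReportSuggestion "${TEST_NO}" "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
            AddHP 0 1
        else
            Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_OFF}" --color GREEN
            LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
            AddHP 2 2
        fi
        unset FIND
    fi
#
#################################################################################
#
    # - test disabled for time being, as newer suhosin7 work is not stable enough -
    # Test        : PHP-2379
    # Description : Check PHP suhosin extension status
    #if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    #Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status"

    #if [ ${SKIPTEST} -eq 0 ]; then
    #    FOUND=0
    #    SIMULATION=0
    #    MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7")
    #    if [ "${OS}" = "OpenBSD" ]; then
    #        FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP
    #        SIMULATION=off
    #    else
    #        for I in ${PHPINI_ALLFILES}; do
    #            LogText "Test: Checking for PHP suhosin extension status in file ${I}"
    #            FIND=$(${GREPBINARY} -oP '^extension=.*?suhosin7?.so.*$' ${I})
    #            if [ -z "${FIND}" ]; then
    #                LogText "Result: ${I}: suhosin is not enabled"
    #            else
    #                LogText "Result: ${I}: suhosin is enabled"
    #                FOUND=1
    #            fi

    #            LogText "Test: Check Suhosin simulation mode status"
    #            SIMULATION=$(${GREPBINARY} -oP '^suhosin.simulation.*$' ${I} | ${CUTBINARY} -d= -f2 | ${GREPBINARY} -io 'off' | ${TRBINARY} '[:upper:]' '[:lower:]')
    #            if [ "${SIMULATION}" = "off" ]; then
    #                LogText "Result: ${I}: suhosin simulation mode is not active"
    #            else
    #                LogText "Result: ${I}: suhosin simulation mode is active"
    #            fi
    #        done
    #    fi

    #    # Check Suhosin for PHP 7
    #    if [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
    #        LogText "Test: Check Suhosin for PHP 7 is not enabled"
    #        LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production"
    #        ReportSuggestion "${TEST_NO}" "Disable Suhosin for PHP 7"
    #        Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
    #        Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED
    #        AddHP 0 1
    #    elif [ -n "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
    #        LogText "Test: Check Suhosin for PHP 7 is not enabled"
    #        LogText "Result: Suhosin for PHP 7 is not enabled"
    #        Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN
    #        Display --indent 6 --text "- Suhosin is not enabled for PHP 7" --result "${STATUS_OK}" --color GREEN
    #        AddHP 1 1
    #    else
    #        if [ ${FOUND} -eq 0 ]; then
    #            LogText "Result: Suhosin extension is not enabled"
    #            Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED
    #            ReportSuggestion "${TEST_NO}" "Harden PHP by enabling suhosin extension"
    #            LogText "suhosin extension is not enabled"
    #            AddHP 0 1
    #        else
    #            LogText "Result: Suhosin extension is enabled"
    #            Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN
    #            AddHP 2 2
    #        fi

    #        if [ "${SIMULATION}" = "off" ]; then
    #            LogText "Result: Suhosin simulation mode is not active"
    #            Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_OK}" --color GREEN
    #            AddHP 2 2
    #        else
    #            LogText "Result: Suhosin simulation mode is active"
    #            Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_WARNING}" --color RED
    #            ReportSuggestion "${TEST_NO}" "Harden PHP by deactivating suhosin simulation mode"
    #            LogText "suhosin simulation mode is active"
    #            AddHP 0 1
    #        fi
    #    fi
    #fi
#
#################################################################################
#
    # Test        : PHP-2382
    # Description : Check listen option
    # Background  : https://github.com/CISOfy/lynis/issues/837
    #               A bare port number in 'listen =' binds PHP-FPM to all
    #               interfaces; an address:port or a socket path limits exposure.
    if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    # Description corrected from the copy-pasted "expose_php" text so the report names the right setting
    Register --test-no PHP-2382 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check PHP listen option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        FOUND=0
        # shellcheck disable=SC2086 -- the file list is deliberately word-split
        for FILE in ${PHPINI_ALLFILES}; do
            # Don't look at this setting in cli configuration
            case "${FILE}" in
                */cli/*)
                    continue
                    ;;
            esac
            LogText "Test: Checking file ${FILE}"
            FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" "${FILE}")
            if HasData "${FIND}"; then
                LogText "Result: found listen on just a port number"
                LogText "Data: ${FIND}"
                LogText "Note: when possible, limit access to just localhost, so it can't be accessed from outside"
                FOUND=1
            fi
        done

        if [ "${FOUND}" -eq 1 ]; then
            Display --indent 4 --text "- Checking listen option" --result "${STATUS_SUGGESTION}" --color YELLOW
            #ReportSuggestion "${TEST_NO}" "Limit the listening of FastCGI to just localhost or a local socket" "listen = 127.0.0.1:9000" "-"
            AddHP 1 3
        else
            Display --indent 4 --text "- Checking listen option" --result "${STATUS_OK}" --color GREEN
            AddHP 2 2
        fi
        unset FILE FIND FOUND
    fi
#
#################################################################################
#

WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com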