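#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2012, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Software: PHP
#
#################################################################################
#
# Locates a php.ini file and checks a handful of hardening directives in it.
# This file is sourced by the Lynis framework: Register, Display, logtext,
# report, ReportWarning, ReportSuggestion, AddHP and InsertSection, as well as
# the SKIPTEST and TEST_NO variables, are provided by the caller, not here.
#
# Every directive test below only inspects the php.ini that PHP-2211 found
# last; PHP installations that use a different ini file per SAPI are not all
# covered by a single run.
#
#################################################################################
#
    InsertSection "Software: PHP"

    # Possible locations of php.ini. Deliberately a space separated list so it
    # can be walked with an unquoted "for" in POSIX sh (no arrays available).
    PHPINILOCS="/etc/php.ini \
                /etc/php/cgi-php5/php.ini /etc/php/cli-php5/php.ini /etc/php/apache2-php5/php.ini \
                /etc/php5/cgi/php.ini /etc/php5/cli/php.ini /etc/php5/apache2/php.ini \
                /private/etc/php.ini \
                /var/www/conf/php.ini \
                /usr/local/etc/php.ini /usr/local/lib/php.ini"

    # Initialised here so the dependent tests below see an empty (not unset)
    # value even when PHP-2211 itself is skipped.
    PHPINIFILE=""

    #Display --indent 2 --text "- Checking PHP..." --result FOUND --color WHITE
#
#################################################################################
#
    # Test        : PHP-2211
    # Description : Check php.ini presence
    Register --test-no PHP-2211 --weight L --network NO --description "Check php.ini presence"
    if [ "${SKIPTEST}" -eq 0 ]; then
        logtext "Test: Checking for presence php.ini"
        # Walk all candidates; when several exist the LAST one found is the one
        # that every later test inspects, so each hit is logged for traceability.
        # shellcheck disable=SC2086 -- PHPINILOCS is meant to be word-split
        for I in ${PHPINILOCS}; do
            if [ -f "${I}" ]; then
                PHPINIFILE="${I}"
                logtext "Found php.ini file (${PHPINIFILE})"
            fi
        done
        if [ -n "${PHPINIFILE}" ]; then
            Display --indent 2 --text "- Checking PHP..." --result "FOUND" --color GREEN
        else
            Display --indent 2 --text "- Checking PHP..." --result "NOT FOUND" --color WHITE
            logtext "Result: no php.ini file found"
        fi
    fi
#
#################################################################################
#
    # Test        : PHP-2320
    # Description : Check php disable functions option
    if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2320 --preqs-met "${PREQS_MET}" --weight L --network NO --description "Check PHP disabled functions"
    if [ "${SKIPTEST}" -eq 0 ]; then
        logtext "Test: Checking for PHP function hardening options"
        # The php.ini directive is spelled "disable_functions" and is normally
        # written with whitespace around '='. The stock php.ini-production ships
        # it with an EMPTY value, so the directive only counts as hardening when
        # at least one function name follows the '=' (same rule for Suhosin's
        # blacklist). Commented lines start with ';' and never match the anchor.
        FIND1=$(grep -E "^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*[^[:space:];]" "${PHPINIFILE}")
        FIND2=$(grep -E "^[[:space:]]*suhosin\.executor\.func\.blacklist[[:space:]]*=[[:space:]]*[^[:space:];]" "${PHPINIFILE}")
        # A non-empty match in either variable means functions ARE restricted;
        # the previous condition scored the "both empty" case as FOUND.
        if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
            logtext "Result: one or more PHP functions are disabled/blacklisted"
            Display --indent 2 --text "- Checking PHP disabled functions..." --result "FOUND" --color GREEN
            AddHP 3 3
        else
            logtext "Result: all PHP functions can be executed"
            Display --indent 2 --text "- Checking PHP disabled functions..." --result "NONE" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Harden PHP by disabling riskful functions (functions of interest: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file(), max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit(), shell_exec, show_source(), system)"
            AddHP 0 1
        fi
    fi
#
#################################################################################
#
    # Test        : PHP-2368
    # Description : Check php register_globals option
    if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2368 --preqs-met "${PREQS_MET}" --weight L --network NO --description "Check PHP register_globals option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        logtext "Test: Checking register_globals option.."
        # Anchored at line start so commented-out (';') copies of the directive
        # are ignored; "false" is also a valid php.ini boolean for off.
        # NOTE: an absent directive is still reported as ON here, although
        # recent PHP releases default register_globals to Off (or removed it).
        FIND=$(grep -E -i "^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(off|no|0|false)" "${PHPINIFILE}")
        if [ -z "${FIND}" ]; then
            Display --indent 4 --text "- Checking register_globals option..." --result WARNING --color RED
            ReportWarning "${TEST_NO}" "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
            ReportSuggestion "${TEST_NO}" "Change the register_globals line to: register_globals = Off"
            logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
            AddHP 1 2
        else
            Display --indent 4 --text "- Checking register_globals option..." --result OK --color GREEN
            logtext "Result: Found 'register_globals' in disabled state (0, no, or off), which is good."
            AddHP 2 2
        fi
    fi
#
#################################################################################
#
    # Test        : PHP-2372
    # Description : Check php expose_php option
    if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2372 --preqs-met "${PREQS_MET}" --weight L --network NO --description "Check PHP expose_php option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        logtext "Test: Checking expose_php option.."
        FIND=$(grep -E -i "^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*(off|no|0|false)" "${PHPINIFILE}")
        if [ -z "${FIND}" ]; then
            Display --indent 4 --text "- Checking expose_php option..." --result ON --color RED
            ReportWarning "${TEST_NO}" "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
            ReportSuggestion "${TEST_NO}" "Change the expose_php line to: expose_php = Off"
            # Free-text result lines go to the log (logtext), like every other
            # test in this file; the other tests used report() here, which
            # feeds the machine-readable report file instead.
            logtext "Result: expose_php option is turned on, which can expose useful information for an attacker"
            AddHP 1 2
        else
            Display --indent 4 --text "- Checking expose_php option..." --result OFF --color GREEN
            logtext "Result: Found 'expose_php' in disabled state (0, no, or off)"
            AddHP 2 2
        fi
    fi
#
#################################################################################
#
    # Test        : PHP-2374
    # Description : Check PHP enable_dl option
    if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2374 --preqs-met "${PREQS_MET}" --weight L --network NO --description "Check PHP enable_dl option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        logtext "Test: Checking PHP enable_dl option.."
        FIND=$(grep -E -i "^[[:space:]]*enable_dl[[:space:]]*=[[:space:]]*(off|no|0|false)" "${PHPINIFILE}")
        if [ -z "${FIND}" ]; then
            Display --indent 4 --text "- Checking enable_dl option..." --result ON --color YELLOW
            # logtext instead of report(): this is a log line, not a report entry
            logtext "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
            ReportSuggestion "${TEST_NO}" "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
            AddHP 0 1
        else
            Display --indent 4 --text "- Checking enable_dl option..." --result OFF --color GREEN
            logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)"
            AddHP 2 2
        fi
    fi
#
#################################################################################
#
    # Test        : PHP-2376
    # Description : Check PHP allow_url_fopen option
    if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2376 --preqs-met "${PREQS_MET}" --weight L --network NO --description "Check PHP allow_url_fopen option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        logtext "Test: Checking PHP allow_url_fopen option.."
        FIND=$(grep -E -i "^[[:space:]]*allow_url_fopen[[:space:]]*=[[:space:]]*(off|no|0|false)" "${PHPINIFILE}")
        if [ -z "${FIND}" ]; then
            Display --indent 4 --text "- Checking allow_url_fopen option..." --result ON --color YELLOW
            # logtext instead of report(): this is a log line, not a report entry
            logtext "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
            ReportSuggestion "${TEST_NO}" "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
            AddHP 0 1
        else
            Display --indent 4 --text "- Checking allow_url_fopen option..." --result OFF --color GREEN
            logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
            AddHP 2 2
        fi
    fi
#
#################################################################################
#
    # Test        : PHP-2378
    # Description : Check PHP allow_url_include option
    if [ -n "${PHPINIFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no PHP-2378 --preqs-met "${PREQS_MET}" --weight L --network NO --description "Check PHP allow_url_include option"
    if [ "${SKIPTEST}" -eq 0 ]; then
        logtext "Test: Checking PHP allow_url_include option.."
        FIND=$(grep -E -i "^[[:space:]]*allow_url_include[[:space:]]*=[[:space:]]*(off|no|0|false)" "${PHPINIFILE}")
        if [ -z "${FIND}" ]; then
            Display --indent 4 --text "- Checking allow_url_include option..." --result ON --color YELLOW
            # logtext instead of report(): this is a log line, not a report entry
            logtext "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
            ReportSuggestion "${TEST_NO}" "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
            AddHP 0 1
        else
            Display --indent 4 --text "- Checking allow_url_include option..." --result OFF --color GREEN
            logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
            AddHP 2 2
        fi
    fi
#
#################################################################################
#
# Disable/use functions:
#   safe_mode (only for PHP5?)
#   open_basedir (limits access to defined directory, comparable with chrooting)
#   disable_classes
#   session.save_path
#   session.referer_check
#   upload_tmp_dir
#   file_uploads Off, if possible
#   Set display_errors to Off
#   Set log_errors to On and define error_log (with value Syslog or a filename)
#
#################################################################################
#
# mod_suexec
# suPHP (/etc/suphp.conf)
#
#################################################################################
#
    # Test        : PHP-2388
    # Description : Check php version number
#
#################################################################################
#
wait_for_keypress

#
#================================================================================
# Lynis - Copyright 2007-2012, Michael Boelen - www.rootkit.nl - The Netherlands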