1 |
85ad3d82
|
Assos Assos
|
<?php
|
2 |
|
|
|
3 |
|
|
/**
|
4 |
|
|
* @file
|
5 |
|
|
* Site security review and reporting Drupal module.
|
6 |
|
|
*
|
7 |
|
|
*/
|
8 |
|
|
|
9 |
|
|
/**
|
10 |
|
|
* Implements hook_permission().
|
11 |
|
|
*/
|
12 |
|
|
function security_review_permission() {
|
13 |
|
|
return array(
|
14 |
|
|
'access security review list' => array(
|
15 |
|
|
'title' => t('Access security review pages'),
|
16 |
|
|
'description' => t('View security review checks and output. Give only to trusted users.'),
|
17 |
|
|
),
|
18 |
|
|
'run security checks' => array(
|
19 |
|
|
'title' => t('Run security review checks'),
|
20 |
|
|
'description' => t('Run the security review checks'),
|
21 |
|
|
),
|
22 |
|
|
);
|
23 |
|
|
}
|
24 |
|
|
|
25 |
|
|
/**
|
26 |
|
|
* Implements hook_menu().
|
27 |
|
|
*/
|
28 |
|
|
function security_review_menu() {
|
29 |
|
|
$items = array();
|
30 |
|
|
$items['admin/reports/security-review'] = array(
|
31 |
|
|
'title' => 'Security review',
|
32 |
|
|
'description' => 'Perform a review of the security of your site.',
|
33 |
|
|
'page callback' => 'security_review_page',
|
34 |
|
|
'access arguments' => array('access security review list'),
|
35 |
|
|
'file' => 'security_review.pages.inc',
|
36 |
|
|
'type' => MENU_NORMAL_ITEM,
|
37 |
|
|
);
|
38 |
|
|
$items['admin/reports/security-review/run'] = array(
|
39 |
|
|
'title' => 'Run & review',
|
40 |
|
|
'access arguments' => array('access security review list'),
|
41 |
|
|
'type' => MENU_DEFAULT_LOCAL_TASK,
|
42 |
|
|
);
|
43 |
|
|
$items['admin/reports/security-review/toggle/%'] = array(
|
44 |
|
|
'title' => 'Security review toggle',
|
45 |
|
|
'page callback' => 'security_review_toggle_check',
|
46 |
|
|
'page arguments' => array(4),
|
47 |
|
|
'access arguments' => array('access security review list'),
|
48 |
|
|
'file' => 'security_review.pages.inc',
|
49 |
|
|
'type' => MENU_CALLBACK,
|
50 |
|
|
);
|
51 |
|
|
$items['admin/reports/security-review/help'] = array(
|
52 |
|
|
'title' => 'Help',
|
53 |
|
|
'page callback' => 'security_review_check_help',
|
54 |
|
|
'access arguments' => array('access security review list'),
|
55 |
|
|
'file' => 'security_review.pages.inc',
|
56 |
|
|
'type' => MENU_LOCAL_TASK,
|
57 |
|
|
'weight' => 10,
|
58 |
|
|
);
|
59 |
|
|
$items['admin/reports/security-review/settings'] = array(
|
60 |
|
|
'title' => 'Settings',
|
61 |
|
|
'page callback' => 'drupal_get_form',
|
62 |
|
|
'page arguments' => array('security_review_settings'),
|
63 |
|
|
'access arguments' => array('access security review list'),
|
64 |
|
|
'file' => 'security_review.pages.inc',
|
65 |
|
|
'type' => MENU_LOCAL_TASK,
|
66 |
|
|
'weight' => 15,
|
67 |
|
|
);
|
68 |
|
|
|
69 |
|
|
return $items;
|
70 |
|
|
}
|
71 |
|
|
|
72 |
|
|
/**
|
73 |
|
|
* Implements hook_theme().
|
74 |
|
|
*/
|
75 |
|
|
function security_review_theme($existing, $type, $theme, $path) {
|
76 |
|
|
return array(
|
77 |
|
|
'security_review_reviewed' => array(
|
78 |
|
|
'variables' => array('items' => array(), 'header' => '', 'description' => ''),
|
79 |
|
|
'file' => 'security_review.pages.inc',
|
80 |
|
|
),
|
81 |
|
|
'security_review_help_options' => array(
|
82 |
|
|
'variables' => array('element' => array()),
|
83 |
|
|
'file' => 'security_review.pages.inc',
|
84 |
|
|
),
|
85 |
|
|
'security_review_check_help' => array(
|
86 |
|
|
'variables' => array('element' => array()),
|
87 |
|
|
'file' => 'security_review.pages.inc',
|
88 |
|
|
),
|
89 |
|
|
);
|
90 |
|
|
}
|
91 |
|
|
|
92 |
|
|
/**
|
93 |
|
|
* Retrieve stored checks and results.
|
94 |
|
|
*
|
95 |
|
|
* @return array Array of checks with keys:
|
96 |
|
|
* namespace - string Check namespace
|
97 |
|
|
* reviewcheck - string Check name
|
98 |
|
|
* result - bool Whether check passed or not
|
99 |
|
|
* lastrun - UNIX timestamp of last time check ran
|
100 |
|
|
* skip - bool Whether check is being skipped or not
|
101 |
|
|
* skiptime - UNIX timestamp of when check was skipped, if set
|
102 |
|
|
* skipuid - UID of user who skipped the check, if set
|
103 |
|
|
*/
|
104 |
|
|
function security_review_get_stored_results() {
|
105 |
|
|
$checks = array();
|
106 |
|
|
// Retrieve results from last run of the checklist.
|
107 |
|
|
$result = db_query("SELECT namespace, reviewcheck, result, lastrun, skip, skiptime, skipuid FROM {security_review}");
|
108 |
|
|
foreach ($result as $record) {
|
109 |
|
|
$checks[] = array(
|
110 |
|
|
'namespace' => $record->namespace,
|
111 |
|
|
'reviewcheck' => $record->reviewcheck,
|
112 |
|
|
'result' => $record->result === '1' ? TRUE : FALSE,
|
113 |
|
|
'lastrun' => $record->lastrun,
|
114 |
|
|
'skip' => $record->skip === '1' ? TRUE : FALSE,
|
115 |
|
|
'skiptime' => $record->skiptime,
|
116 |
|
|
'skipuid' => $record->skipuid,
|
117 |
|
|
);
|
118 |
|
|
}
|
119 |
|
|
return $checks;
|
120 |
|
|
}
|
121 |
|
|
|
122 |
|
|
/**
|
123 |
|
|
* Retrieve the result from the last run of a security check.
|
124 |
|
|
*
|
125 |
|
|
* @return array
|
126 |
|
|
* @see security_review_get_stored_results() for format
|
127 |
|
|
*/
|
128 |
|
|
function security_review_get_last_check($namespace, $check_name) {
|
129 |
|
|
$fields = array('namespace', 'reviewcheck', 'result', 'lastrun', 'skip', 'skiptime', 'skipuid');
|
130 |
|
|
$result = db_select('security_review', 'sr')->fields('sr', $fields)
|
131 |
|
|
->condition('namespace', $namespace)
|
132 |
|
|
->condition('reviewcheck', $check_name)
|
133 |
|
|
->execute()->fetchAssoc();
|
134 |
|
|
if (!empty($result)) {
|
135 |
|
|
$result['result'] = $result['result'] === '1' ? TRUE : FALSE;
|
136 |
|
|
$result['skip'] = $result['skip'] === '1' ? TRUE : FALSE;
|
137 |
|
|
return $result;
|
138 |
|
|
}
|
139 |
|
|
return FALSE;
|
140 |
|
|
}
|
141 |
|
|
|
142 |
|
|
/**
|
143 |
|
|
* Run the security review checklist and store the results.
|
144 |
|
|
*/
|
145 |
|
|
function security_review_run_store($checklist, $log = NULL) {
|
146 |
|
|
// Allow callers, like our drush command, to decide not to log.
|
147 |
|
|
if (is_null($log)) {
|
148 |
|
|
$log = variable_get('security_review_log', TRUE);
|
149 |
|
|
}
|
150 |
|
|
// Call our private function to perform the actual review.
|
151 |
|
|
$results = _security_review_run($checklist, $log);
|
152 |
|
|
variable_set('security_review_last_run', time());
|
153 |
|
|
// Store results and return.
|
154 |
|
|
return security_review_store_results($results);
|
155 |
|
|
}
|
156 |
|
|
|
157 |
|
|
/**
|
158 |
|
|
* Store checklist results.
|
159 |
|
|
*/
|
160 |
|
|
function security_review_store_results($results) {
|
161 |
|
|
$log = variable_get('security_review_log', TRUE);
|
162 |
|
|
$saved = $to_save = 0;
|
163 |
|
|
foreach ($results as $module => $checks) {
|
164 |
|
|
foreach ($checks as $check_name => $check) {
|
165 |
|
|
$num_deleted = db_delete('security_review')
|
166 |
|
|
->condition('namespace', $module)
|
167 |
|
|
->condition('reviewcheck', $check_name)
|
168 |
|
|
->execute();
|
169 |
|
|
if ($num_deleted == 1 && is_null($check['result']) && $log) {
|
170 |
|
|
// Last check was deleted and current check returns null so check is
|
171 |
|
|
// no longer applicable.
|
172 |
|
|
$message = '!name no longer applicable for checking';
|
173 |
|
|
_security_review_log($module, $check_name, $message, array('!name' => $check['title']), WATCHDOG_INFO);
|
174 |
|
|
}
|
175 |
|
|
// Only save checks that have a boolean result.
|
176 |
|
|
elseif (!is_null($check['result'])) {
|
177 |
|
|
$to_save++;
|
178 |
|
|
$record = array(
|
179 |
|
|
'namespace' => $module,
|
180 |
|
|
'reviewcheck' => $check_name,
|
181 |
|
|
'result' => $check['result'],
|
182 |
|
|
'lastrun' => $check['lastrun'] ? $check['lastrun'] : REQUEST_TIME,
|
183 |
|
|
);
|
184 |
|
|
|
185 |
|
|
if (drupal_write_record('security_review', $record) == SAVED_NEW) {
|
186 |
|
|
$saved++;
|
187 |
|
|
}
|
188 |
|
|
elseif ($log) {
|
189 |
|
|
_security_review_log($module, $check_name, 'Unable to store check !reviewcheck for !namespace', array('!reviewcheck' => $check_name, '!namespace' => $module), WATCHDOG_ERROR);
|
190 |
|
|
}
|
191 |
|
|
}
|
192 |
|
|
}
|
193 |
|
|
}
|
194 |
|
|
return ($to_save == $saved) ? TRUE : FALSE;
|
195 |
|
|
}
|
196 |
|
|
|
197 |
|
|
/**
|
198 |
|
|
* Run the security review checklist and return the full results.
|
199 |
|
|
*/
|
200 |
|
|
function security_review_run_full($checklist, $log = NULL) {
|
201 |
|
|
module_load_include('inc', 'security_review');
|
202 |
|
|
// Allow callers, like our drush command, to decide not to log.
|
203 |
|
|
if (is_null($log)) {
|
204 |
|
|
$log = variable_get('security_review_log', TRUE);
|
205 |
|
|
}
|
206 |
|
|
// Call our private function to perform the actual review.
|
207 |
|
|
$results = _security_review_run($checklist, $log);
|
208 |
|
|
|
209 |
|
|
// Fill out the descriptions of the results.
|
210 |
|
|
foreach ($results as $module => $checks) {
|
211 |
|
|
foreach ($checks as $check_name => $check) {
|
212 |
|
|
$function = $check['callback'] . '_help';
|
213 |
|
|
// We should have loaded all necessary include files.
|
214 |
|
|
if (function_exists($function)) {
|
215 |
|
|
$element = call_user_func($function, $check);
|
216 |
|
|
// @todo run through theme?
|
217 |
|
|
$results[$module][$check_name]['help'] = $element;
|
218 |
|
|
}
|
219 |
|
|
}
|
220 |
|
|
}
|
221 |
|
|
return $results;
|
222 |
|
|
}
|
223 |
|
|
|
224 |
|
|
/**
|
225 |
|
|
* Operation function called by Batch.
|
226 |
|
|
*/
|
227 |
|
|
function _security_review_batch_op($module, $check_name, $check, $log, &$context) {
|
228 |
|
|
module_load_include('inc', 'security_review');
|
229 |
|
|
$context['message'] = $check['title'];
|
230 |
|
|
// Run the check.
|
231 |
|
|
$check_result = _security_review_run_check($module, $check_name, $check, $log);
|
232 |
|
|
if (!empty($check_result)) {
|
233 |
|
|
$context['results'][$module][$check_name] = $check_result;
|
234 |
|
|
}
|
235 |
|
|
}
|
236 |
|
|
|
237 |
|
|
/**
|
238 |
|
|
* Finished callback for Batch processing the checklist.
|
239 |
|
|
*/
|
240 |
|
|
function _security_review_batch_finished($success, $results, $operations) {
|
241 |
|
|
variable_set('security_review_last_run', time());
|
242 |
|
|
module_load_include('inc', 'security_review');
|
243 |
|
|
if ($success) {
|
244 |
|
|
if (!empty($results)) {
|
245 |
|
|
// Store results in our present table.
|
246 |
|
|
$storage_result = security_review_store_results($results);
|
247 |
|
|
}
|
248 |
|
|
drupal_set_message(t('Review complete'));
|
249 |
|
|
}
|
250 |
|
|
else {
|
251 |
|
|
$error_operation = reset($operations);
|
252 |
|
|
$message = 'An error occurred while processing ' . $error_operation[0] . ' with arguments :' . print_r($error_operation[0], TRUE);
|
253 |
|
|
_security_review_log('', '', $message, array(), WATCHDOG_ERROR);
|
254 |
|
|
drupal_set_message(t('The review did not store all results, please run again or check the logs for details.'));
|
255 |
|
|
}
|
256 |
|
|
}
|
257 |
|
|
|
258 |
|
|
/**
|
259 |
|
|
* Helper function returns skipped checks.
|
260 |
|
|
*/
|
261 |
|
|
function security_review_skipped_checks() {
|
262 |
|
|
$skipped = array();
|
263 |
|
|
|
264 |
|
|
$results = db_query("SELECT namespace, reviewcheck, result, lastrun, skip, skiptime, skipuid FROM {security_review} WHERE skip = 1");
|
265 |
|
|
while ($record = $results->fetchAssoc()) {
|
266 |
|
|
$skipped[$record['namespace']][$record['reviewcheck']] = $record;
|
267 |
|
|
}
|
268 |
|
|
|
269 |
|
|
return $skipped;
|
270 |
|
|
}
|
271 |
|
|
|
272 |
|
|
/**
|
273 |
|
|
* Implementation of hook_security_review_log().
|
274 |
|
|
*/
|
275 |
|
|
function security_review_security_review_log($module, $check_name, $message, $variables, $type) {
|
276 |
|
|
// Log using watchdog().
|
277 |
|
|
watchdog('security_review', $message, $variables, $type);
|
278 |
|
|
} |