85ad3d82
Assos Assos

-- ABOUT --

Security Review automates checking many of the configuration errors that lead
to an insecure Drupal site and looks for existing vulnerabilities and attack
attempts.

The primary goal of the module is to elevate your awareness of the importance of
securing your Drupal site. The results of some checks may be incorrect depending
on unique factors; this module does not make your site more secure. You should
use the results of the checklist and its resources to manually secure your site.

Refer to the support section below if you are interested in securing your Drupal
site.

-- INSTALLATION --

Place the security_review directory and its contents under sites/all/modules or
under an appropriate sites/ directory if you are using Drupal's multisite
capabilities.

Enable the module at Administer >> Modules and refer to the
following sections for configuration and usage.

-- CONFIGURATION --

Two permissions are provided and required to use the module. Navigate to
Administer >> People >> Permissions to enable
'access security review list' and 'run security checks' for trusted roles.

NOTICE: This module provides information on the state of your site's security, so
it is imperative that you grant these permissions to trusted roles and users only.
For instance, if you have an admin role, be sure that all the users who have
been granted this role are indeed users you trust before you grant them these
permissions.

After you have granted permissions to the module you should inform the system
which roles are not trusted. Navigate to
Administer >> Reports >> Security Review >> Settings to mark which roles are
untrusted. Most checks only care whether the resource is usable by
untrusted roles.

On this page you can also define the level of logging. The result
of the last checklist is always stored, but you can enable watchdog logging of
each check if you like.

-- USAGE --

Navigate to Administer >> Reports >> Security Review to run the checklist.

If a check is enabled it will be run. You can enable or skip a check on this
page only after it has been run. Clicking on the 'Help' link beside each check
will provide details on why the check exists and what was found on the last run.

-- DRUSH USAGE --

Running the Security Review checklist using Drush is a great way to build
automated security audits of your site into your site development lifecycle and
as part of continuous integration.

With the module installed, invoke 'drush secrev' from within your Drupal root.

Call 'drush help secrev' to see available options.

To run specific checks, pass the '--check' option. Be sure to remove any
whitespace characters separating check names.

Consult implementations of hook_security_checks() for the exact list of available
check options. Standard Security Review checks are:

file_perms, input_formats, field, error_reporting, private_files, query_errors,
failed_logins, upload_extensions, admin_permissions, untrusted_php,
executable_php, base_url_set, temporary_files

For custom checks you may prefix the check name with the module name and a
colon (:) character. For example:

'drush secrev --check=my_module:my_check'

Note that custom checks require their module to be enabled. Also, if you are
skipping a check, the 'store' option will not allow that check to be run.
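A small CI wrapper around the Drush invocation described above, added here as an example and not part of the security_review module. It assumes drush is on PATH (or named in the DRUSH variable) and that the Drupal root is passed in; it validates check names against the standard list in this README and the module:check form for custom checks, then joins them without whitespace as '--check' requires.

```shell
#!/bin/sh
# Example CI helper (assumed, not shipped with security_review): builds the
# --check argument for 'drush secrev' and runs the checklist from the Drupal
# root. DRUSH defaults to 'drush' on PATH.

# Standard checks as listed in this README.
STANDARD_CHECKS="file_perms input_formats field error_reporting private_files \
query_errors failed_logins upload_extensions admin_permissions untrusted_php \
executable_php base_url_set temporary_files"

# is_valid_check NAME: succeeds if NAME is a standard check or has the
# module:check form used for custom checks (module and check names only).
is_valid_check() {
    case "$1" in
        *:*)
            printf '%s' "$1" | grep -Eq '^[a-z0-9_]+:[a-z0-9_]+$'
            ;;
        *)
            for c in $STANDARD_CHECKS; do
                [ "$c" = "$1" ] && return 0
            done
            return 1
            ;;
    esac
}

# build_check_arg "file_perms admin_permissions my_module:my_check"
# prints --check=file_perms,admin_permissions,my_module:my_check
# Drush wants the names comma-separated with no whitespace between them,
# so any whitespace in the input list is collapsed by word splitting.
build_check_arg() {
    arg=""
    for name in $1; do
        is_valid_check "$name" || { echo "unknown check: $name" >&2; return 1; }
        arg="${arg:+$arg,}$name"
    done
    printf '%s\n' "--check=$arg"
}

# run_secrev DRUPAL_ROOT "check names": run only the named checks.
run_secrev() {
    root=$1; checks=$2
    arg=$(build_check_arg "$checks") || return 1
    ( cd "$root" && "${DRUSH:-drush}" secrev "$arg" )
}
```

Call it from a CI job as `run_secrev /var/www/drupal "file_perms admin_permissions"`; a rejected check name fails the job before drush is invoked.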

-- SUPPORT --

Please use the issue queue at http://drupal.org/project/security_review for all
module support. You can read more about securely configuring your site at
http://drupal.org/security/secure-configuration and http://drupalscout.com

Acquia, the provider of this module, offers detailed,
targeted security review and support for Drupal websites and can be contacted
at http://www.acquia.com or via email at sales@acquia.com.

You can read more about our Drupal security review service at
http://www.acquia.com/products-services/professional-services/offerings#security_audit

-- CREDIT --

Security Review module written by Benjamin Jeavons, drupal.org user coltrane,
with thanks to Greg Knaddison, drupal.org user greggles, for the idea and
mentorship.