<?php
/**
 * @file
 * Site security review and reporting Drupal module.
 *
 * Hook implementations (permissions, menu, theme), helpers that read and
 * write the {security_review} results table, and the Batch API callbacks
 * used to run the checklist.
 */
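/**
 * Implements hook_permission().
 *
 * Both permissions reveal or produce information about how the site can be
 * attacked, so they are flagged with 'restrict access'. That makes the
 * Permissions page print Drupal's standard "give to trusted roles only"
 * warning next to them instead of relying on the description text alone.
 *
 * @return array
 *   Permission definitions keyed by machine name.
 */
function security_review_permission() {
  return array(
    'access security review list' => array(
      'title' => t('Access security review pages'),
      'description' => t('View security review checks and output. Give only to trusted users.'),
      // The report lists failed checks, i.e. the site's weak spots.
      'restrict access' => TRUE,
    ),
    'run security checks' => array(
      'title' => t('Run security review checks'),
      'description' => t('Run the security review checks'),
      // Running the checklist touches files and configuration across the
      // site; treat it as an administrative capability.
      'restrict access' => TRUE,
    ),
  );
}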
/**
 * Implements hook_menu().
 *
 * Registers the report page under admin/reports together with its local
 * tasks (run, help, settings) and the toggle callback. Every router item,
 * including the settings form, is gated on 'access security review list'.
 *
 * NOTE(review): admin/reports/security-review/toggle/% is a plain
 * MENU_CALLBACK that takes the check identifier from the URL and, by its
 * name, changes stored state. Its page callback lives in
 * security_review.pages.inc, so whether it validates a request token before
 * acting cannot be confirmed from this file — verify there.
 *
 * @return array
 *   Menu router items keyed by path.
 */
function security_review_menu() {
  $base = 'admin/reports/security-review';
  $pages_file = 'security_review.pages.inc';
  $access = array('access security review list');

  $items = array(
    $base => array(
      'title' => 'Security review',
      'description' => 'Perform a review of the security of your site.',
      'page callback' => 'security_review_page',
      'access arguments' => $access,
      'file' => $pages_file,
      'type' => MENU_NORMAL_ITEM,
    ),
    // Default tab: inherits the parent's page callback and file.
    $base . '/run' => array(
      'title' => 'Run & review',
      'access arguments' => $access,
      'type' => MENU_DEFAULT_LOCAL_TASK,
    ),
    // Path component 4 is the '%' wildcard (the check to toggle).
    $base . '/toggle/%' => array(
      'title' => 'Security review toggle',
      'page callback' => 'security_review_toggle_check',
      'page arguments' => array(4),
      'access arguments' => $access,
      'file' => $pages_file,
      'type' => MENU_CALLBACK,
    ),
    $base . '/help' => array(
      'title' => 'Help',
      'page callback' => 'security_review_check_help',
      'access arguments' => $access,
      'file' => $pages_file,
      'type' => MENU_LOCAL_TASK,
      'weight' => 10,
    ),
    $base . '/settings' => array(
      'title' => 'Settings',
      'page callback' => 'drupal_get_form',
      'page arguments' => array('security_review_settings'),
      'access arguments' => $access,
      'file' => $pages_file,
      'type' => MENU_LOCAL_TASK,
      'weight' => 15,
    ),
  );

  return $items;
}
/**
 * Implements hook_theme().
 *
 * Declares the three theme hooks rendered by the report pages. All of their
 * implementations are in security_review.pages.inc; the hook arguments are
 * not used.
 *
 * @return array
 *   Theme hook definitions keyed by hook name.
 */
function security_review_theme($existing, $type, $theme, $path) {
  $pages_file = 'security_review.pages.inc';

  $hooks = array();
  $hooks['security_review_reviewed'] = array(
    'variables' => array('items' => array(), 'header' => '', 'description' => ''),
    'file' => $pages_file,
  );
  // The two help hooks share the same single 'element' variable.
  foreach (array('security_review_help_options', 'security_review_check_help') as $hook_name) {
    $hooks[$hook_name] = array(
      'variables' => array('element' => array()),
      'file' => $pages_file,
    );
  }

  return $hooks;
}
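/**
 * Retrieve stored checks and results.
 *
 * Reads every row of the {security_review} table and normalises the two
 * flag columns to PHP booleans. The flags are compared as integers rather
 * than against the string '1', so a driver or PHP/PDO version that returns
 * integer columns as native ints (instead of strings) does not make every
 * stored pass read as a failure.
 *
 * @return array Array of checks with keys:
 * namespace - string Check namespace
 * reviewcheck - string Check name
 * result - bool Whether check passed or not
 * lastrun - UNIX timestamp of last time check ran
 * skip - bool Whether check is being skipped or not
 * skiptime - UNIX timestamp of when check was skipped, if set
 * skipuid - UID of user who skipped the check, if set
 */
function security_review_get_stored_results() {
  $checks = array();
  // Retrieve results from last run of the checklist.
  $result = db_query("SELECT namespace, reviewcheck, result, lastrun, skip, skiptime, skipuid FROM {security_review}");
  foreach ($result as $record) {
    $checks[] = array(
      'namespace' => $record->namespace,
      'reviewcheck' => $record->reviewcheck,
      // '1' and 1 both count as a pass; NULL, 0 and '0' as a failure.
      'result' => (int) $record->result === 1,
      'lastrun' => $record->lastrun,
      'skip' => (int) $record->skip === 1,
      'skiptime' => $record->skiptime,
      'skipuid' => $record->skipuid,
    );
  }
  return $checks;
}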
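/**
 * Retrieve the result from the last run of a security check.
 *
 * Both lookup values go through the query builder's condition(), so they are
 * bound as parameters and never interpolated into SQL. The 'result' and
 * 'skip' flags are normalised to booleans by integer value, matching
 * security_review_get_stored_results() and staying correct whether the
 * driver returns integer columns as strings or native ints.
 *
 * @param string $namespace
 *   Check namespace (normally the module name).
 * @param string $check_name
 *   Check name within that namespace.
 *
 * @return array|false
 *   The stored row, or FALSE when no row exists for this check.
 * @see security_review_get_stored_results() for format
 */
function security_review_get_last_check($namespace, $check_name) {
  $fields = array('namespace', 'reviewcheck', 'result', 'lastrun', 'skip', 'skiptime', 'skipuid');
  $row = db_select('security_review', 'sr')
    ->fields('sr', $fields)
    ->condition('namespace', $namespace)
    ->condition('reviewcheck', $check_name)
    ->execute()
    ->fetchAssoc();
  if (empty($row)) {
    return FALSE;
  }
  $row['result'] = (int) $row['result'] === 1;
  $row['skip'] = (int) $row['skip'] === 1;
  return $row;
}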
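/**
 * Run the security review checklist and store the results.
 *
 * Unlike security_review_run_full(), this entry point previously did not
 * load security_review.inc itself, although _security_review_run() appears
 * to live there (the other runners load it explicitly). It now does so,
 * and it forwards the caller's logging choice to the storage step instead
 * of letting storage re-read the site setting.
 *
 * @param array $checklist
 *   The checklist to run, as accepted by _security_review_run().
 * @param bool|null $log
 *   Whether to log; NULL reads the 'security_review_log' variable.
 *
 * @return bool
 *   TRUE when every storable result was written (see
 *   security_review_store_results()).
 */
function security_review_run_store($checklist, $log = NULL) {
  // module_load_include() is require_once-based, so this is safe even when
  // the caller already loaded the include.
  module_load_include('inc', 'security_review');
  // Allow callers, like our drush command, to decide not to log.
  if (is_null($log)) {
    $log = variable_get('security_review_log', TRUE);
  }
  // Call our private function to perform the actual review.
  $results = _security_review_run($checklist, $log);
  variable_set('security_review_last_run', time());
  // Store results, honouring the same logging decision, and return.
  return security_review_store_results($results, $log);
}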
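/**
 * Store checklist results.
 *
 * For each check the previous row for the namespace/check pair is deleted,
 * then — when the check produced a boolean result — a fresh row is written.
 * A NULL result means the check is no longer applicable: its old row is
 * removed and nothing is written.
 *
 * @param array $results
 *   Results keyed by namespace, then by check name. Each check is an array
 *   with 'result' (bool or NULL) and optionally 'title' and 'lastrun'.
 * @param bool|null $log
 *   Whether to log through _security_review_log(). NULL (the default, and
 *   the behaviour existing callers get) reads the 'security_review_log'
 *   variable; callers such as security_review_run_store() can pass their
 *   own decision so "do not log" is respected here too.
 *
 * @return bool
 *   TRUE when every check with a boolean result was written, FALSE if any
 *   insert failed.
 */
function security_review_store_results($results, $log = NULL) {
  if (is_null($log)) {
    $log = variable_get('security_review_log', TRUE);
  }
  $saved = $to_save = 0;
  foreach ($results as $module => $checks) {
    foreach ($checks as $check_name => $check) {
      // isset() is FALSE for NULL, so a missing key behaves like a NULL result
      // without raising a notice.
      $result_value = isset($check['result']) ? $check['result'] : NULL;
      $num_deleted = db_delete('security_review')
        ->condition('namespace', $module)
        ->condition('reviewcheck', $check_name)
        ->execute();
      if ($num_deleted == 1 && is_null($result_value) && $log) {
        // Last check was deleted and current check returns null so check is
        // no longer applicable.
        $message = '!name no longer applicable for checking';
        // The title comes from the check definition in code, not from user
        // input; '!' placeholders are not escaped by watchdog().
        $title = isset($check['title']) ? $check['title'] : $check_name;
        _security_review_log($module, $check_name, $message, array('!name' => $title), WATCHDOG_INFO);
      }
      // Only save checks that have a boolean result.
      elseif (!is_null($result_value)) {
        $to_save++;
        $record = array(
          'namespace' => $module,
          'reviewcheck' => $check_name,
          'result' => $result_value,
          // Fall back to the request time when the check did not stamp itself.
          'lastrun' => !empty($check['lastrun']) ? $check['lastrun'] : REQUEST_TIME,
        );

        if (drupal_write_record('security_review', $record) == SAVED_NEW) {
          $saved++;
        }
        elseif ($log) {
          _security_review_log($module, $check_name, 'Unable to store check !reviewcheck for !namespace', array('!reviewcheck' => $check_name, '!namespace' => $module), WATCHDOG_ERROR);
        }
      }
    }
  }
  return $to_save == $saved;
}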
/**
 * Run the security review checklist and return the full results.
 *
 * Runs the checklist without storing anything, then attaches to every check
 * the help element produced by its "<callback>_help" function, when such a
 * function exists. Help functions are resolved by name from the check's
 * 'callback' entry, which comes from the check definitions in code.
 *
 * @param array $checklist
 *   The checklist to run, as accepted by _security_review_run().
 * @param bool|null $log
 *   Whether to log; NULL reads the 'security_review_log' variable.
 *
 * @return array
 *   Results keyed by namespace then check name, each with an added 'help'
 *   element where a help function was found.
 */
function security_review_run_full($checklist, $log = NULL) {
  module_load_include('inc', 'security_review');
  // Allow callers, like our drush command, to decide not to log.
  $should_log = is_null($log) ? variable_get('security_review_log', TRUE) : $log;
  // Call our private function to perform the actual review.
  $results = _security_review_run($checklist, $should_log);

  // Fill out the descriptions of the results.
  foreach ($results as $module => $checks) {
    foreach ($checks as $check_name => $check) {
      $help_function = $check['callback'] . '_help';
      // All necessary include files should already be loaded.
      if (!function_exists($help_function)) {
        continue;
      }
      // @todo run through theme?
      $results[$module][$check_name]['help'] = $help_function($check);
    }
  }
  return $results;
}
/**
 * Operation function called by Batch.
 *
 * Runs a single check and records its result in the batch context so that
 * _security_review_batch_finished() can store the whole set at the end.
 *
 * @param string $module
 *   Check namespace.
 * @param string $check_name
 *   Check name.
 * @param array $check
 *   The check definition; its 'title' is shown as the batch progress message.
 * @param bool $log
 *   Whether the check should log.
 * @param array $context
 *   Batch context; results are accumulated under $context['results'].
 */
function _security_review_batch_op($module, $check_name, $check, $log, &$context) {
  module_load_include('inc', 'security_review');
  $context['message'] = $check['title'];
  // Run the check; an empty outcome is not recorded.
  $outcome = _security_review_run_check($module, $check_name, $check, $log);
  if (empty($outcome)) {
    return;
  }
  $context['results'][$module][$check_name] = $outcome;
}
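/**
 * Finished callback for Batch processing the checklist.
 *
 * On success the accumulated results are written with
 * security_review_store_results(); the storage outcome is now checked, so a
 * failed write is reported to the user instead of "Review complete". On
 * failure the offending operation is logged using watchdog placeholders
 * (the operation's arguments are no longer concatenated into the message
 * text, which watchdog() treats as a format string) and the argument index
 * is corrected from [0] to [1].
 *
 * @param bool $success
 *   Whether the batch completed without errors.
 * @param array $results
 *   Results accumulated by _security_review_batch_op().
 * @param array $operations
 *   Operations left unprocessed; the first is the one that failed, as
 *   array($callback, $arguments).
 */
function _security_review_batch_finished($success, $results, $operations) {
  variable_set('security_review_last_run', time());
  module_load_include('inc', 'security_review');
  if ($success) {
    $stored = TRUE;
    if (!empty($results)) {
      // Store results in our present table.
      $stored = security_review_store_results($results);
    }
    if ($stored) {
      drupal_set_message(t('Review complete'));
    }
    else {
      // Storage problems were already logged by the store function.
      drupal_set_message(t('The review did not store all results, please run again or check the logs for details.'), 'error');
    }
  }
  else {
    $error_operation = is_array($operations) ? reset($operations) : FALSE;
    $callback = '';
    $arguments = array();
    if (is_array($error_operation)) {
      $callback = isset($error_operation[0]) ? $error_operation[0] : '';
      $arguments = isset($error_operation[1]) ? $error_operation[1] : array();
    }
    // '@' placeholders are escaped by watchdog(); the callback may be an
    // array callable, so render it with print_r() in that case.
    $variables = array(
      '@callback' => is_string($callback) ? $callback : print_r($callback, TRUE),
      '@arguments' => print_r($arguments, TRUE),
    );
    _security_review_log('', '', 'An error occurred while processing @callback with arguments: @arguments', $variables, WATCHDOG_ERROR);
    drupal_set_message(t('The review did not store all results, please run again or check the logs for details.'), 'error');
  }
}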
/**
 * Helper function returns skipped checks.
 *
 * Note that, unlike security_review_get_stored_results(), the rows are
 * returned exactly as fetched: 'result' and 'skip' are not cast to
 * booleans, and 'skip = 1' is the only filter applied.
 *
 * @return array
 *   Raw {security_review} rows (associative arrays) keyed by namespace and
 *   then by check name; empty when nothing is skipped.
 */
function security_review_skipped_checks() {
  $skipped = array();

  $query = "SELECT namespace, reviewcheck, result, lastrun, skip, skiptime, skipuid FROM {security_review} WHERE skip = 1";
  $rows = db_query($query);
  while ($row = $rows->fetchAssoc()) {
    $namespace = $row['namespace'];
    $check_name = $row['reviewcheck'];
    $skipped[$namespace][$check_name] = $row;
  }

  return $skipped;
}
/**
 * Implementation of hook_security_review_log().
 *
 * Forwards a log entry to watchdog() under the 'security_review' channel.
 * $message is used by watchdog() as a format string with $variables as its
 * placeholder values, so callers must pass untrusted data via '@'/'%'
 * placeholders rather than splicing it into $message. $module and
 * $check_name are not part of the entry and are ignored here.
 *
 * @param string $module
 *   Check namespace (unused).
 * @param string $check_name
 *   Check name (unused).
 * @param string $message
 *   Log message with placeholders.
 * @param array $variables
 *   Placeholder values.
 * @param int $type
 *   A WATCHDOG_* severity.
 */
function security_review_security_review_log($module, $check_name, $message, $variables, $type) {
  $channel = 'security_review';
  watchdog($channel, $message, $variables, $type);
}