drutiny/drutiny
.htaccess redirects
Name: Apache:LimitHtacessRedirects
Package: drutiny/drutiny
Class: \Drutiny\Audit\Apache\HtaccessRedirects
When there are a large number of redirects in the .htaccess file, they all have to be loaded at run time during every request, as Apache needs to analyze the contents so that it can make appropriate decisions about how to process the application and incoming requests. Redirect rules should be refactored to take advantage of regular expressions if possible. Otherwise the redirect module should be added to the site and all of the redirects in the .htaccess file should be moved into the Drupal site. Although these redirects will then require a Drupal bootstrap in order to fulfill the request, Varnish will be able to cache the redirect after it has been served once, as long as there is a maximum age set on the site.
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_redirects | integer | The maximum number of redirects to allow in .htaccess. | 10 |
Database size
Name: Database:Size
Package: drutiny/drutiny
Class: \Drutiny\Audit\Database\DatabaseSize
Large databases can negatively impact your production site, and slow down things like database dumps. The size reported is the data and index size combined.
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_size | integer | The maximum size in megabytes the database should be. | 1000 |
warning_size | integer | The size in megabytes at which this check will issue a warning. | 800 |
Anonymous sessions
Name: Drupal:AnonSession
Package: drutiny/drutiny
Class: Drutiny\Audit\Drupal\SqlResultAudit
If you are generating sessions for anonymous users, you are causing a major performance impact to your site. Having anonymous sessions will break traditional page caching in Varnish and CDNs.
Parameters
Name | Type | Description | Default |
---|---|---|---|
field | string | The name of the field in the result row to pull the value from | count |
value | mixed | The value to compare against | 0 |
query | string | The SQL query to run. Can use other parameters for variable replacement. | "SELECT COUNT(*) as count FROM sessions\nWHERE uid = 0\n AND session NOT LIKE 'openid%'\n AND session NOT LIKE '%Access denied%'\n" |
Lint PHP files in Theme
Name: Drupal:LintTheme
Package: drutiny/drutiny
Class: Drutiny\Audit\Drupal\PhpLint
Ensure all PHP files in the theme pass basic PHP syntax parsing.
Parameters
Name | Type | Description | Default |
---|---|---|---|
path | string | The path where to lint PHP files. | '%root/%themes' |
User Enumeration
Name: Drupal:Security:UserEmueration
Package: drutiny/drutiny
Class: Drutiny\Audit\Drupal\ModuleEnabled
User enumeration is when a malicious actor can use brute force to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication. Two of the most common areas where user enumeration occurs are a site's login page and its 'Forgot Password' functionality.
User enumeration is a default vulnerability in Drupal but can be mitigated through the use of the Username Enumeration Prevention module.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The module to check is enabled. | username_enumeration_prevention |
Syslog
Name: Drupal:SyslogEnabled
Package: drutiny/drutiny
Class: \Drutiny\Audit\Drupal\ModuleEnabled
The Syslog module writes Drupal watchdog logs to the system syslog.
Parameters
Name | Type | Description | Default |
---|---|---|---|
module | string | The name of the module to ensure is enabled. | syslog |
Drupal Theme Security
Name: Drupal:ThemeSecurity
Package: drutiny/drutiny
Class: Drutiny\Audit\Filesystem\CodeScan
Some basic checks to ensure that the theme is not doing any seriously bad things. Note this is not supposed to be perfect, but used as an aid in code review.
Parameters
Name | Type | Description | Default |
---|---|---|---|
directory | string | Absolute filepath to directory to scan | '%root/%themes' |
filetypes | array | File extensions to include in the scan. | `php`, `inc`, `theme` |
patterns | array | Patterns to run over each matching file. | `_POST`, `exec(`, `db_query`, `db_select`, `db_merge`, `db_update`, `db_write_record`, `->query`, `drupal_http_request`, `curl_init`, `passthru`, `proc_open`, `system(`, `sleep(` |
Large Drupal Files
Name: Drupal:largeFiles
Package: drutiny/drutiny
Class: \Drutiny\Audit\Drupal\LargeDrupalFiles
Large static assets should be optimized for online display or, ideally, be housed in other services, e.g. Amazon S3 (for files) or YouTube (for videos). Storing large files can consume storage volumes, increase page load time and contribute to a higher than desired cache eviction rate. Varnish, on Acquia Cloud, does not cache files larger than 10 MB.
This policy identifies files managed by Drupal that are larger than .
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_size | integer | Report files larger than this value measured in bytes. | 10000000 |
Module updates
Name: Drupal:moduleUpdates
Package: drutiny/drutiny
Class: \Drutiny\Audit\Drupal\ModuleUpdateStatus
Throughout the lifetime of your site, the Drupal project and its community-contributed modules will release new versions that contain bug fixes, new features and security updates. It is important to keep your site up to date and patched against known security vulnerabilities.
Note that upgrading modules, especially between major versions, can introduce regressions into your site. While it is important to maintain a continual update schedule for your site, regression testing the changes is of equal importance.
Database updates
Name: Drupal:updates
Package: drutiny/drutiny
Class: \Drutiny\Audit\Drupal\UpdateDBStatus
Updates to Drupal core or contrib modules sometimes include important database changes which should be applied after the code updates have been deployed.
Always error test policy
Name: Test:Error
Package: drutiny/drutiny
Class: \Drutiny\Audit\AlwaysError
This policy should always error. Twee godard poutine knausgaard, street art keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Always fail test policy
Name: Test:Fail
Package: drutiny/drutiny
Class: \Drutiny\Audit\AlwaysFail
This policy should always fail. Twee godard poutine knausgaard, street art keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Not applicable test policy
Name: Test:NA
Package: drutiny/drutiny
Class: \Drutiny\Audit\AlwaysNA
This policy should always be not applicable. Twee godard poutine knausgaard, keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Always notice test policy
Name: Test:Notice
Package: drutiny/drutiny
Class: \Drutiny\Audit\AlwaysNotice
This policy should always be a notice. Twee godard poutine knausgaard, street keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Always pass test policy
Name: Test:Pass
Package: drutiny/drutiny
Class: \Drutiny\Audit\AlwaysPass
This policy should always pass. Twee godard poutine knausgaard, street art keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Always pass dependant test policy
Name: Test:PassDependant
Package: drutiny/drutiny
Class: \Drutiny\Audit\AlwaysPass
This policy should always pass. Twee godard poutine knausgaard, street art keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Always warn test policy
Name: Test:Warning
Package: drutiny/drutiny
Class: \Drutiny\Audit\AlwaysWarn
This policy should always issue a warning. Twee godard poutine knausgaard, keytar readymade unicorn wayfarers vape mumblecore blue bottle. Portland pitchfork air plant kale chips, craft beer meditation tumeric seitan umami vexillologist cred coloring book taxidermy actually.
Banjo narwhal la croix portland green juice lumbersexual biodiesel kombucha vegan umami aesthetic trust fund ramps. Art party +1 celiac everyday carry succulents seitan franzen distillery venmo keytar cray mustache gastropub. 8-bit seitan banh mi, vice chillwave viral synth vinyl +1. Mixtape mustache pitchfork, meh tacos kitsch offal pop-up intelligentsia VHS air plant pork belly. Thundercats microdosing taxidermy try-hard +1 ennui photo booth 8-bit.
Drupal Theme Directory Size
Name: fs:DrupalThemeDirectory
Package: drutiny/drutiny
Class: Drutiny\Audit\Filesystem\FsSize
Large theme directories can be indicative of best practice violations:
* Source files in the site artifact, e.g. node_modules
* Media assets unsuitable for web delivery
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_size | integer | The maximum size in megabytes a directory should be. | 50 |
path | string | The path of the directory to check for size. | '%root/%themes' |
Sensitive public files
Name: fs:SensitivePublicFiles
Package: drutiny/drutiny
Class: Drutiny\Audit\Filesystem\SensitivePublicFiles
Certain file extensions should never be in public files for security reasons.
Parameters
Name | Type | Description | Default |
---|---|---|---|
extensions | string | The sensitive file extensions to look for. | 'php,sh,py,sql,bz2,gz,tar,tgz,zip' |
Large public files
Name: fs:largeFiles
Package: drutiny/drutiny
Class: Drutiny\Audit\Filesystem\LargeFiles
Large static assets should ideally be housed in other services, e.g. Amazon S3 (for files) or YouTube (for videos).
Parameters
Name | Type | Description | Default |
---|---|---|---|
max_size | integer | Report files larger than this value measured in megabytes. | 50 |