drutiny/plugin-drupal-7

BlackList Permissions

Name: Drupal-7:BlackListPermissions
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\BlacklistPermissions

Checks to ensure roles do not contain blacklisted permissions.

Parameters

  permissions (array): An array of permissions to ensure are not available to non-administrator roles.
    Default:
      - 'administer site configuration'

CSS Aggregation

Name: Drupal-7:CSSAggregation
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

With CSS optimization disabled, your website visitors are experiencing slower page performance and the server load is increased.

Parameters

  key (string): The name of the variable to check. Default: preprocess_css
  value (bool): The value of the variable. Default: 1

Application Page Cache

Name: Drupal-7:CacheLifetime
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

The minimum cache lifetime prevents Drupal from clearing page and block caches after changes are made to nodes or blocks, for a set period of time. This can cause unexpected behavior when editing content or when an external cache such as a CDN or Varnish is employed.

Parameters

  key (string): The name of the variable to check. Default: cache_lifetime
  value (bool): The value of the variable. Default: 0

Cron running regularly

Name: Drupal-7:CronLast
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\CronLast

Making sure the cron jobs are running properly is key to a healthy Drupal site.

Database logging disabled

Name: Drupal-7:DblogModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The database logging module writes Drupal's watchdog logs into the Drupal database. This works fine in development but can cause performance issues on production websites. It is recommended to disable this module in production.

Parameters

  module (string): The name of the module to ensure is disabled. Default: dblog

Error Level

Name: Drupal-7:ErrorLevel
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

When PHP encounters an error, it can generate an error log and display a report on the screen. While these error messages can be helpful in debugging your site, they are a security risk on a live site because they may reveal information about your server that can be used to compromise it.

Parameters

  key (string): The name of the variable to check. Default: error_level
  value (bool): The value of the variable. Default: 0

Image Derivatives

Name: Drupal-7:ImageDerivatives
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

Parameters

  key (string): The name of the variable to check. Default: image_allow_insecure_derivatives
  value (bool): The value of the variable. Default: 0
  default (bool): The default value of the variable. Default: 0

Installation Complete

Name: Drupal-7:InstallTaskCompleted
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

If this variable is not set correctly, the install.php script can remain accessible to the general public.

Parameters

  key (string): The name of the variable to check. Default: install_task
  value (mixed): The value of the variable. Default: done

Js Aggregation

Name: Drupal-7:JsAggregation
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

With JS optimization disabled, your website visitors are experiencing slower page performance and the server load is increased.

Parameters

  key (string): The name of the variable to check. Default: preprocess_js
  value (bool): The value of the variable. Default: 1

Missing modules

Name: Drupal-7:MissingModules
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\MissingModules

This check looks for the "missing module" warning introduced in Drupal 7.50, which is displayed when Drupal attempts to find a module or theme in the file system but either cannot find it or does not find it in the expected place.

Modules enabled

Name: Drupal-7:ModulesEnabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModulesEnabled

Check that a set of modules are enabled.

Parameters

  modules (array): The names of the modules to ensure are enabled.
    Default:
      - syslog

No Administrators

Name: Drupal-7:NoAdmins
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\NoAdministrators

Ensure there are no administrators beyond uid:1. This reduces the surface area of escalated accounts being compromised.

Duplicate modules

Name: Drupal-7:NoDuplicateModules
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\DuplicateModules

Duplicate modules can cause a variety of strange behaviors should Drupal ever unexpectedly load the wrong version.

Overlay module disabled

Name: Drupal-7:OverlayModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The Drupal core overlay module can cause usability issues and prove to be problematic from a support perspective. It is recommended not to use this module.

Parameters

  module (string): The name of the module to ensure is disabled. Default: overlay

PSA-2016-003: Scan webform files for anon PDF uploads

Name: Drupal-7:PSA-2016-003
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\Security\WebformPSA_2016_003

This issue only affects sites that allow file uploads by non-trusted or anonymous visitors, and stores those uploads in a public file system. For more information, visit https://www.drupal.org/forum/newsletters/security-public-service-announcements/2016-10-10/drupal-file-upload-by-anonymous

Page Cache Control Max Age

Name: Drupal-7:PageCacheMaximumAge
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Ensure your page cache expiry is set to an optimal level for best performance.

Parameters

  key (string): The name of the variable to check. Default: page_cache_maximum_age
  value (bool): The value of the variable. Default: 300
  comp_type (string): The comparison operator to use. Default: gte

PHP

Name: Drupal-7:PhpModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

Enabling this module can cause security and performance issues as it allows users to execute PHP code on your site. There are better alternatives out there that do not expose such vulnerabilities on your site.

Parameters

  module (string): The name of the module to ensure is disabled. Default: php

Poor Man's Cron Disabled

Name: Drupal-7:PoorMansCronDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Checks that poor man's cron is disabled so that cron will never run inside a web request thread.

Parameters

  key (string): The name of the variable to check. Default: cron_safe_threshold
  value (bool): The value of the variable. Default: 0

SA-CORE-2013-003

Name: Drupal-7:SA-CORE-2013-003
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Audit\Drupal\ModuleVersion

SA-CORE-2013-003 announced several vulnerabilities and is considered highly critical. The vulnerabilities are:

  • Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation): CVE-2013-6385
  • Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7): CVE-2013-6386
  • Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7): No CVE; considered remediated through "security hardening"
  • Access bypass (Security token validation - Drupal 6 and 7): No CVE; considered remediated through "security hardening."
  • Cross-site scripting (Image module - Drupal 7): CVE-2013-6387
  • Cross-site scripting (Color module - Drupal 7): CVE-2013-6388
  • Open redirect (Overlay module - Drupal 7): CVE-2013-6389

For more information, see SA-CORE-2013-003.

Parameters

  module (string): The module to retrieve version information for. Default: system
  version (string): The static version to check against. Default: 7.24

Search404 module disabled

Name: Drupal-7:Search404ModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The search 404 module runs a search on every 404 page. This can impact performance and confuse search bots.

Parameters

  module (string): The name of the module to ensure is disabled. Default: search404

Search API Database

Name: Drupal-7:SearchApiDb
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\SearchApiDb

Search backed by the database (rather than Solr) can impact site performance, because the SQL queries generated by database-backed search are often slow.

Parameters

  max_size (int): The maximum number of nodes in the index before it is considered an error. Default: 50

Secure Pages: HTTP Redirect

Name: Drupal-7:SecureHTTPRedirect
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Ensure the Secure Pages module is configured to force a redirect to HTTPS.

Parameters

  key (string): The name of the variable to check. Default: securepages_pages
  value (string): The value of the variable. Default: '*'

Secure Pages Config: Enabled

Name: Drupal-7:SecurePagesConfig:Enabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

To start using Secure Pages this setting must be enabled. This setting can only be changed once the web server has been configured for SSL.

Parameters

  key (string): The name of the variable to check. Default: securepages_enable
  value (bool): The value of the variable. Default: 1

Secure Pages Config: No Downgrade

Name: Drupal-7:SecurePagesConfig:NoDowngrade
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Secure Pages should not be configured to allow a downgrade from HTTPS to HTTP.

Parameters

  key (string): The name of the variable to check. Default: securepages_switch
  value (bool): The value of the variable. Default: 0

Secure Pages Enabled

Name: Drupal-7:SecurePagesEnabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Audit\Drupal\ModuleEnabled

Secure Pages module ensures requests are handled securely.

Parameters

  module (string): The name of the module to ensure is enabled. Default: securepages

Secure Pages Listed

Name: Drupal-7:SecurePagesListed
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Ensure Secure Pages is configured to secure a whitelist of pages.

Parameters

  key (string): The name of the variable to check. Default: securepages_secure
  value (bool): The value of the variable. Default: 1

Shield Disabled

Name: Drupal-7:ShieldModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The Shield module protects Drupal sites from prying eyes. It is often used to protect sites that are not yet live, but it should never be enabled on live sites.

Parameters

  module (string): The name of the module to ensure is disabled. Default: shield

Simpletest

Name: Drupal-7:SimpletestModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The Simpletest module is for testing purposes only and shouldn't be enabled in production.

Parameters

  module (string): The name of the module to ensure is disabled. Default: simpletest

Statistics

Name: Drupal-7:StatisticsModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

This module comes with Drupal core and attempts to track page view information. However, because Drupal often sits behind upstream page cache proxies, this module is frequently inaccurate and not worth the performance impact it causes.

Parameters

  module (string): The name of the module to ensure is disabled. Default: statistics

Untrusted Roles with administrative permissions

Name: Drupal-7:UntrustedRoles
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\UntrustedRoles

Make sure administrative permissions have not been assigned to untrusted roles.

Parameters

  untrusted_roles (array): The names of untrusted roles.
    Default:
      - 'anonymous user'
      - 'authenticated user'

Update

Name: Drupal-7:UpdateModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled

The update module fetches the latest module information from Drupal.org and reports on the module statuses used on the site.

Parameters

  module (string): The name of the module to ensure is disabled. Default: update

User #1 Locked Down

Name: Drupal-7:User1LockDown
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\User1

It is important to lock down user #1 in Drupal: this user is special and ignores access control.

Parameters

  blacklist (string): The usernames of the uid:1 user that are considered forbidden. The expression may be a regular expression to match patterns. Default: (admin root drupal
  email (string): The email that the uid:1 user should have. If an empty string is provided then this check is omitted. Default: no_reply@example.com
  status (boolean): Ensures the uid:1 user status reflects the same as this argument. Defaults to active (1). Default: 1

User Registration Disabled

Name: Drupal-7:UserRegistrationDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Anonymous sites should have user registration set to off to prevent spam registrations.

Parameters

  key (string): The name of the variable to check. Default: user_register
  value (bool): The value of the variable. Default: 0

Views Cache

Name: Drupal-7:ViewsCache
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ViewsCache

Ensure the Views cache is enabled and configured.

Views Pagination

Name: Drupal-7:ViewsPagination
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ViewsPagination

Ensure Views pagination does not exceed a threshold.

Parameters

  limit (integer): The maximum number of rows a view can list. Default: 60

Views SQL Signature

Name: Drupal-7:ViewsSqlSignature
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

Ensure that Views SQL queries contain a signature that will identify the view the SQL query came from. Useful for database performance debugging.

Parameters

  key (string): The name of the variable to check. Default: views_sql_signature
  value (bool): The value of the variable. Default: 1

XML sitemap base URL

Name: Drupal-7:XMLSitemapBaseURL
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare

The XML sitemap module adds a sitemap on the URL /sitemap.xml. If not properly configured, the sitemap will point to an incorrect or possibly broken site.

Parameters

  key (string): The name of the variable to compare. Default: xmlsitemap_base_url
  value (mixed): The value to compare against. Default: '^https?://.+$'
  comp_type (string): The comparison operator to use. Default: regex
  required_modules (array): An optional array of modules required in order to check variables. Default: xmlsitemap

Zen rebuild registry disabled

Name: Drupal-7:ZenRegistryRebuild
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ZenRebuildRegistry

The rebuild registry feature is enabled for your theme. This setting is only used during theme development, and can negatively impact site performance.

EntityReference Autocomplete Performance

Name: Drupal-7:entityreference
Package: drutiny/plugin-drupal-7
Class: Drutiny\Plugin\Drupal7\Audit\EntityReferenceAutocomplete

Ensure that entity reference fields are configured correctly.