drutiny/plugin-drupal-7
BlackList Permissions
Name: Drupal-7:BlackListPermissions
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\BlacklistPermissions
Checks to ensure roles do not contain blacklisted permissions.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| permissions | array | An array of permissions to ensure are not available to non-administrator | |
| roles | |||
| - 'administer site configuration' |
CSS Aggregation
Name: Drupal-7:CSSAggregation
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
With CSS optimization disabled, your website visitors are experiencing slower page performance and the server load is increased.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | preprocess_css |
| value | bool | The value of the variable | 1 |
Application Page Cache
Name: Drupal-7:CacheLifetime
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
The minimum cache lifetime prevents Drupal from clearing page and block caches after changes are made to nodes or blocks, for a set period of time. This can cause unexpected behavior when editing content or when an external cache such as a CDN or Varnish is employed.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | cache_lifetime |
| value | bool | The value of the variable | 0 |
Cron running regularly
Name: Drupal-7:CronLast
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\CronLast
Making sure the cron jobs are running properly is key to a healthy Drupal site.
Database logging disabled
Name: Drupal-7:DblogModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The database logging module logs Drupal's watchdog logs into the Drupal database. This works fine in development but can cause performance issues for production websites. Its recommended to disabled this module in production.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| module | string | The name of the module to ensure is disabled. | dblog |
Error Level
Name: Drupal-7:ErrorLevel
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
When PHP encounters an error, it can generate an error log and display a report on the screen. While these error messages can be helpful in debugging your site, they can be a security risk on a live site as they may reveal information about your server that can be used to compromise it. site becoming unavailable or unresponsive.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | error_level |
| value | bool | The value of the variable | 0 |
Image Derivatives
Name: Drupal-7:ImageDerivatives
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | image_allow_insecure_derivatives |
| value | bool | The value of the variable | 0 |
| default | bool | The default value of the variable | 0 |
Installation Complete
Name: Drupal-7:InstallTaskCompleted
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
If you fail to set this variable correctly, it can leave your install.php
script open to the general public.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | install_task |
| value | mixed | The value of the variable | done |
Js Aggregation
Name: Drupal-7:JsAggregation
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
With JS optimization disabled, your website visitors are experiencing slower page performance and the server load is increased.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | preprocess_js |
| value | bool | The value of the variable | 1 |
Missing modules
Name: Drupal-7:MissingModules
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\MissingModules
The warning was introduced in Drupal 7.50 and is displayed when Drupal is attempting to find a module or theme in the file system, but either cannot find it or does not find it in the expected place.
Modules enabled
Name: Drupal-7:ModulesEnabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModulesEnabled
Check that a set of modules are enabled.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| modules | array | The name of the modules to ensure is enabled. | - syslog |
No Administrators
Name: Drupal-7:NoAdmins
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\NoAdministrators
Ensure there are no administrators beyond uid:1. This reduces the surface area of escalated accounts being compromised.
Duplicate modules
Name: Drupal-7:NoDuplicateModules
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\DuplicateModules
Duplicate modules can cause a variety of strange behaviors should Drupal ever unexpectedly load the wrong version.
Overlay module disabled
Name: Drupal-7:OverlayModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The Drupal core overlay module can cause usability issues and prove to be problematic from a support perspective. It is recommended not to use this module.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| module | string | The name of the module to ensure is disabled. | overlay |
PSA-2016-003: Scan webform files for anon PDF uploads
Name: Drupal-7:PSA-2016-003
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\Security\WebformPSA_2016_003
This issue only affects sites that allow file uploads by non-trusted or anonymous visitors, and stores those uploads in a public file system. For more information, visit https://www.drupal.org/forum/newsletters/security-public-service-announcements/2016-10-10/drupal-file-upload-by-anonymous
Page Cache Control Max Age
Name: Drupal-7:PageCacheMaximumAge
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Ensure you page cache expiry is set to an optimal level for best performance.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | page_cache_maximum_age |
| value | bool | The value of the variable | 300 |
| comp_type | string | The comparison operator to use | gte |
PHP
Name: Drupal-7:PhpModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
Enabling this module can cause security and performance issues as it allows users to execute PHP code on your site. There are better alternatives out there that do not expose such vulnerabilities on your site.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| module | string | The name of the module to ensure is disabled. | php |
Poor Mans Cron Disabled
Name: Drupal-7:PoorMansCronDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Checks that poor mans cron is disabled and will never run with a web thread.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | cron_safe_threshold |
| value | bool | The value of the variable | 0 |
CSS Aggregation
Name: Drupal-7:SA-CORE-2013-003
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Audit\Drupal\ModuleVersion
SA-CORE-2013-003 announed several vulnerabilities and is considered highly critical. The vulnerabilities are:
- Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation): CVE-2013-6385
- Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7): CVE-2013-6386
- Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7): No CVE; considered remediated through "security hardening"
- Access bypass (Security token validation - Drupal 6 and 7): No CVE; considered remediated through "security hardening."
- Cross-site scripting (Image module - Drupal 7): CVE-2013-6387
- Cross-site scripting (Color module - Drupal 7): CVE-2013-6388
- Open redirect (Overlay module - Drupal 7): CVE-2013-6389
For more information, see SA-CORE-2013-003.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| module | string | The module to version information for | system |
| version | string | The static version to check against. | 7.24 |
Search404 module disabled
Name: Drupal-7:Search404ModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The search 404 module conducts searches on 404 pages. This can have impacts to performance and confuse search bots.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| module | string | The name of the module to ensure is disabled. | search404 |
Search API Database
Name: Drupal-7:SearchApiDb
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\SearchApiDb
Search backed with the database (and not Solr) can cause performance impacts to your site. Often the SQL queries caused but using the database are slow.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| max_size | int | The maximum size of nodes in the index before it is considered an error. | |
| 50 |
Secure Pages: HTTP Redirect
Name: Drupal-7:SecureHTTPRedirect
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Ensure secure pages module is configured to force redirect to HTTPS.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | securepages_pages |
| value | string | The value of the variable | '*' |
Secure Pages Config: Enabled
Name: Drupal-7:SecurePagesConfig:Enabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
To start using secure pages this setting must be enabled. This setting will only be able to changed when the web server has been configured for SSL.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | securepages_enable |
| value | bool | The value of the variable | 1 |
Secure Pages Config: No Downgrade
Name: Drupal-7:SecurePagesConfig:NoDowngrade
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Secure pages shouldn't be configured to allow downgrade to HTTP.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | securepages_switch |
| value | bool | The value of the variable | 0 |
Secure Pages Enabled
Name: Drupal-7:SecurePagesEnabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Audit\Drupal\ModuleEnabled
Secure Pages module ensures requests are handled securely.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| module | string | The name of the module to ensure is enabled. | securepages |
Secure Pages Listed
Name: Drupal-7:SecurePagesListed
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Enusre Secure Pages is configured to secure a whitelist of pages.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | securepages_secure |
| value | bool | The value of the variable | 1 |
Shield Disabled
Name: Drupal-7:ShieldModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The shield module protects Drupal sites from prying eyes, often it is used to protect sites that are not yet live, but should never be enabled for live sites.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| module | string | The name of the module to ensure is disabled. | shield |
Simpletest
Name: Drupal-7:SimpletestModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The Simpletest module is for testing purposes only and shouldn't be enabled in production.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| module | string | The name of the module to ensure is disabled. | simpletest |
Statistics
Name: Drupal-7:StatisticsModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
This module comes with Drupal core and attempts to track page view information. However as often Drupal uses upstream page cache proxies this module is often inccurate and not worth the performance impact it causes.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| module | string | The name of the module to ensure is disabled. | statistics |
Untrusted Roles with administrative permissions
Name: Drupal-7:UntrustedRoles
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\UntrustedRoles
Make sure administrative permissions has not been assigned to untrusted roles.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| untrusted_roles | array | The names of untrusted Roles. | - 'anonymous user' - 'authenticated user' |
Update
Name: Drupal-7:UpdateModuleDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ModuleDisabled
The update module fetches the latest module information from Drupal.org and reports on the module statuses used on the site.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| module | string | The name of the module to ensure is disabled. | update |
User #1 Locked Down
Name: Drupal-7:User1LockDown
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\User1
It is important to lock down user #1 in Drupal, this user is special an ignores access control.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| blacklist | string | The usernames of the the uid:1 user that are considered forbidden. | |
| Expression maybe a regular expression to match patterns. | |||
| (admin | root | drupal | |
| string | The email that the uid:1 user should have. If an empty string is provided | ||
| then this check is omitted. | |||
| no_reply@example.com | |||
| status | boolean | Ensures the uid:1 user status reflects the same as this argument. Defaults | |
| to active (1). | |||
| 1 |
User Registration Disabled
Name: Drupal-7:UserRegistrationDisabled
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Anonymous sites should have user registration set to off to prevent spam registrations.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | user_register |
| value | bool | The value of the variable | 0 |
Views Cache
Name: Drupal-7:ViewsCache
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ViewsCache
Ensure views cache is enabled and configured
Views Pagination
Name: Drupal-7:ViewsPagination
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ViewsPagination
Ensure views pagination is not over a threshold
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| limit | integer | The maximum number of rows a view can list | 60 |
Views SQL Signature
Name: Drupal-7:ViewsSqlSignature
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
Ensure that Views SQL queries contain a signature that will identify the view the SQL query came from. Useful for database performance debugging.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to check. | views_sql_signature |
| value | bool | The value of the variable | 1 |
XML sitemap base URL
Name: Drupal-7:XMLSitemapBaseURL
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\VariableCompare
The XML sitemap module adds a sitemap on the URL /sitemap.xml.
If not properly configured, the sitemap will point to an incorrect or
possibly broken site.
Parameters
| Name | Type | Description | Default |
|---|---|---|---|
| key | string | The name of the variable to compare. | xmlsitemap_base_url |
| value | mixed | The value to compare against | '^https?://.+$' |
| comp_type | string | The comparison operator to use | regex |
| required_modules | array | An optional array of modules required in order to check variables | xmlsitemap |
Zen rebuild registry disabled
Name: Drupal-7:ZenRegistryRebuild
Package: drutiny/plugin-drupal-7
Class: \Drutiny\Plugin\Drupal7\Audit\ZenRebuildRegistry
The rebuild registry feature is enabled for your theme. This setting is only used during theme development, and can negatively impact site performance.
EntityReference Autocomplete Performance
Name: Drupal-7:entityreference
Package: drutiny/plugin-drupal-7
Class: Drutiny\Plugin\Drupal7\Audit\EntityReferenceAutocomplete
Ensure that entity reference fields are configured correctly.