PHP Audit


PHP AUDIT

PHP is a very widely used technology worldwide, and we find many applications and many servers running on LAMP. LAMP is very widely used for application deployment, and auditing php.ini by hand is fine when you have only 10-20 servers, but in an environment with 200-300 LAMP servers it is hard to perform the review manually, so here is a script which audits the php.ini file for common checks.

Sample



Script : -


Note :- To execute this you need to give the path of php.ini as the argument to the script
Ex.      ./yourscriptname.sh php.ini
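#!/bin/bash
#################################################
# This Script will Audit PHP For basic Security
# Author:- Kaustubh Padwad
#################################################
#
# Usage:  ./yourscriptname.sh /path/to/php.ini
#
# Every check reads the first active (uncommented) "key = value" line of a
# directive from the given php.ini, normalises the value (surrounding
# whitespace, a trailing CR from Windows line endings and a trailing
# ";comment" are removed; the comparison is case-insensitive because PHP
# itself accepts "off"/"Off"/"OFF") and prints one line per check:
#   "<Label>: OK"      the directive holds the expected hardened value
#   "<Label>: Not OK"  the directive is missing or set to something else
#
# A directive that is only present commented out (";expose_php = Off") is
# reported as "Not OK" on purpose: PHP's built-in default then applies and
# the auditor should confirm it explicitly rather than trust the sample line.

set -u

# Path of the php.ini under review; set by main() and read by ini_value().
ini_file=

#######################################
# Print the normalised value of one php.ini directive.
# Globals:   ini_file (read)
# Arguments: $1 - directive name, e.g. expose_php. The name is matched as a
#                 whole key followed by '=', so allow_url_fopen no longer
#                 satisfies a lookup for allow_url_include.
# Outputs:   the value on stdout, lower-cased and trimmed; empty when the
#            directive has no active line
#######################################
ini_value() {
  local key=$1
  local raw
  raw=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" -- "$ini_file" | head -n 1)
  raw=${raw#*=}                        # keep everything after the first '='
  raw=${raw%%;*}                       # drop an inline ";comment" (a quoted value containing ';' is not expected here)
  raw=${raw//$'\r'/}                   # tolerate CRLF files
  raw=${raw#"${raw%%[![:space:]]*}"}   # ltrim
  raw=${raw%"${raw##*[![:space:]]}"}   # rtrim
  printf '%s\n' "$raw" | tr '[:upper:]' '[:lower:]'
}

#######################################
# Compare one directive against its expected hardened value.
# Arguments: $1 - label printed in the report
#            $2 - directive name
#            $3 - expected value (compared case-insensitively)
# Outputs:   "<label>: OK" or "<label>: Not OK"
#######################################
check_value() {
  local label=$1 key=$2 expected=$3
  local actual
  actual=$(ini_value "$key")
  expected=$(printf '%s\n' "$expected" | tr '[:upper:]' '[:lower:]')
  if [ "$actual" = "$expected" ]; then
    echo "${label}: OK"
  else
    echo "${label}: Not OK"
  fi
}

#######################################
# Pass when a directive has any non-empty value (used for path settings).
# Arguments: $1 - label printed in the report
#            $2 - directive name
# Outputs:   "<label>: OK" or "<label>: Not OK"
#######################################
check_present() {
  local label=$1 key=$2
  if [ -n "$(ini_value "$key")" ]; then
    echo "${label}: OK"
  else
    echo "${label}: Not OK"
  fi
}

#######################################
# Run every audit check against the php.ini given as the only argument.
# Arguments: $1 - path to php.ini
# Outputs:   one report line per check (see header)
# Returns:   2 when the argument is missing or unreadable, else 0
#######################################
main() {
  if [ $# -ne 1 ] || [ ! -r "$1" ]; then
    echo "Usage: ${0##*/} /path/to/php.ini" >&2
    return 2
  fi
  ini_file=$1

  # expose_php advertises the PHP version in the X-Powered-By header
  check_value   "php Expose"           expose_php                     Off
  check_value   "php Loggin"           log_errors                     On
  # error_log must be set to a destination; the old check only compared the
  # key name (and failed on "error_log = ..." because of the trailing space)
  check_present "Error_Log"            error_log
  check_value   "Log Lenth"            log_errors_max_len             1024
  check_value   "File Upload Status"   file_uploads                   Off
  check_value   "Upload Limit"         upload_max_filesize            2M
  check_value   "Allow Call Time"      allow_call_time_pass_reference Off
  check_value   "Allow URL fopen"      allow_url_fopen                Off
  # the old script grepped ^allow_url for both fopen and include, so the
  # include check silently repeated the fopen result
  check_value   "Allow URL Include"    allow_url_include              Off
  check_value   "magic Quotes GPC"     magic_quotes_gpc               Off
  check_value   "magic_Quotes_runTime" magic_quotes_runtime           Off
  check_value   "magic Quotes sybse"   magic_quotes_sybase            Off
  check_value   "Post Max Size"        post_max_size                  1M
  check_value   "max_execution_time"   max_execution_time             30
  check_value   "Max input Time"       max_input_time                 30
  # NOTE(review): the original expects the bare value "40"; php.ini usually
  # writes this as "40M" (a bare number means bytes) — confirm the intended limit.
  check_value   "Memory_Limit"         memory_limit                   40
}

main "$@"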


This will save a lot of time while auditing php.ini.