This repository has been archived by the owner on Nov 20, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #31 from fubarhouse/feature/GOVCMS-2936
[GOVCMS-2936] - User/role key/value audit creation.
- Loading branch information
Showing
4 changed files
with
157 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| title: "User administration account security validation" | ||
| name: Drupal8:UserIsAdminCheck | ||
| class: \Drutiny\GovCMS\Audit\Drupal8\UserIsAdminCheck | ||
| tags: | ||
| - Drupal 8 | ||
| - Best Practice | ||
| - Security | ||
| description: Idetify if any users or roles have the is_admin property set to true | ||
| remediation: "Using some form of configuration management, set the value to false." | ||
| success: The insecure property is set correctly. | ||
| warning: | | ||
| The insecure property is set incorrectly. | ||
| {{ #results }} | ||
| - {{ . }} | ||
| {{ /results }} | ||
| failure: | | ||
| The insecure property is set incorrectly. | ||
| {{#results}} | ||
| - {{ . }} | ||
| {{/results}} |
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| title: 'Drupal Gitlab Pipeline' | ||
| format: | ||
| html: | ||
| template: govcms-page | ||
| policies: | ||
| Drupal:LintTheme: | ||
| severity: low | ||
| Drupal8:UserIsAdminCheck: | ||
| severity: critical | ||
| Drupal:ModuleScan: | ||
| severity: critical | ||
| Drupal:ThemeSecurity: | ||
| severity: critical | ||
| parameters: | ||
| filetypes: | ||
| - php | ||
| - inc | ||
| - theme | ||
| patterns: | ||
| - "_POST" | ||
| - "exec\\(" | ||
| - "db_query" | ||
| - "db_select" | ||
| - "db_merge" | ||
| - "db_update" | ||
| - "db_write_record" | ||
| - "\\->query" | ||
| - "drupal_http_request" | ||
| - "curl_init" | ||
| - "passthru" | ||
| - "proc_open" | ||
| - "system\\(" | ||
| - "sleep\\(" | ||
| - "mysql_" | ||
| - "mysqli" | ||
| - "sqlite" | ||
| - "db_query" | ||
| - "db_fetch" | ||
| - "db_result" | ||
| - "pager_query" | ||
| - "db_set_active" | ||
| - "db_select" | ||
| - "db_insert" | ||
| - "db_update" | ||
| - "db_delete" | ||
| - "fetchAll" | ||
| - "fetchField" | ||
| - "fetchObject" | ||
| - "fetchAssoc" | ||
| - "countQuery" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| <?php | ||
|
|
||
| namespace Drutiny\GovCMS\Audit\Drupal8; | ||
|
|
||
| use Drutiny\Audit; | ||
| use Drutiny\Sandbox\Sandbox; | ||
| use Drutiny\Annotation\Param; | ||
|
|
||
| /** | ||
| * Audit to check if user and roles have the is_admin property associated to them. | ||
| */ | ||
| class UserIsAdminCheck extends Audit { | ||
|
|
||
| /** | ||
| * Return a generated user role object from a user config object. | ||
| * | ||
| * @param array $users | ||
| * The user configuration object. | ||
| * | ||
| * @return array | ||
| * An array of roles and users. | ||
| */ | ||
| private function userObject($users = []) { | ||
| $results = array(); | ||
| foreach ($users as $userKey => $user) { | ||
| foreach($user['roles'] as $role) { | ||
| $results[$role] = $user; | ||
| } | ||
| } | ||
| return $results; | ||
| } | ||
|
|
||
| /** | ||
| * @inheritdoc | ||
| */ | ||
| public function audit(Sandbox $sandbox) { | ||
|
|
||
| // Parameters. | ||
| $rolesToFind = $sandbox->getParameter('roles', array("administrator")); | ||
|
|
||
| // Create an empty array for users and results. | ||
| $users = array(); | ||
| $results = array(); | ||
|
|
||
| // Get all user IDs. | ||
| $uids = $sandbox->drush()->sqlQuery('SELECT (uid) FROM users;'); | ||
| foreach ($uids as $uid) { | ||
| $users[$uid] = $uid; | ||
| } | ||
|
|
||
| // Get all user information. | ||
| foreach ($users as $key => $user) { | ||
| $userData = $sandbox->drush(['format' => 'json'])->userInformation("--uid={$user}"); | ||
| $users[$key] = $userData[count($userData)]; | ||
| } | ||
|
|
||
| // Generate results | ||
| $users = $this->userObject($users); | ||
| foreach ($users as $user) { | ||
| if (isset($user['is_admin'])) { | ||
| if ((bool) $user['is_admin'] === TRUE) { | ||
| $results[] = "The user '{$user['name']}' is not allowed to be an administrator."; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| // Get all user roles. | ||
| $roles = $sandbox->drush(['format' => 'json'])->rls(); | ||
| foreach ($roles as $roleName => $role) { | ||
| $details = $sandbox->drush(['format' => 'json'])->configGet("user.role.{$roleName}"); | ||
| if (isset($details['is_admin'])) { | ||
| if ((bool) $details['is_admin'] === TRUE) { | ||
| $results[] = "The role '{$details['label']}' is not allowed to be an administrator."; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| if (!empty($results)) { | ||
| $sandbox->setParameter('results', $results); | ||
| return FALSE; | ||
| } | ||
|
|
||
| return TRUE; | ||
|
|
||
| } | ||
|
|
||
| } |