Version 4 (modified by Jamie McClelland, 7 years ago)

Web Application Security

Monitoring of compromised sites

[In process, see #13159]

The monitor script mf-monitor-webapps executes the script mf-check-webapps and triggers a Nagios warning if it finds any web app sites that fail the test.

Search server for compromised sites

The script mf-check-webapps searches the given server for any web app that has been compromised.

It finds web apps by searching for the files /home/members/*/sites/*/.red/web-app-security/{drupal,wordpress}-core.

If it finds either file, it runs a check to see if the specified web app has been compromised.

In normal mode, it outputs each site it has checked and the status of that site. In quiet mode, this output is suppressed.

Once the run is complete, it either:

  • Returns no output and exit code 0 to indicate that no sites show signs of compromise
  • Returns one line with a comma-separated list of the site names that are compromised and exit code 1 to indicate a compromise
  • Returns error output and exit code 255 to indicate that an error prevented the script from running properly

Control Panel Installation

Enable installation of WordPress and Drupal via the control panel.

Auto Upgrades

[NOTE: Not yet implemented, still under development.]

May First/People Link provides a service to automatically provide security updates to your web applications. If you opt-in, your web application will be checked every night to see if any security updates are available and, if so, they will be installed.

By using this service, you will greatly improve the protection of your web site against compromise while also incurring a very small chance that something might go wrong during the upgrade.

This service is currently available for Drupal and WordPress only.

The updater will not upgrade all aspects of your site:

  • The automatic upgrader only performs security/minor updates. It does not perform an upgrade from Drupal 7 to Drupal 8, for example, or from WordPress 4.5 to 4.6.
  • It will not upgrade modules or plugins that are not maintained on the central Drupal or WordPress repositories (for example, CiviCRM is maintained separately, so it won't be upgraded via this script).
  • WordPress themes are not updated. Drupal themes are updated.

[Note: when fully implemented, users can enable via the control panel.]

An admin can enable this protection by creating a directory called web-app-security inside the site's hidden .red directory (e.g. /home/members/mayfirst/sites/mayfirst.org/.red) and placing one or more files in it.

To indicate what you want automatically upgraded, create one or more files with the following names:

  • drupal-core
  • drupal-modules
  • wordpress-core
  • wordpress-plugins

If your web application is directly in your web directory, leave the file empty. If it is in a subdirectory, then put the full, absolute path to the root of your web directory in the file.

For example, if you want to upgrade both Drupal core and Drupal modules for a web application located directly in your web folder, create two empty files in this directory: one called drupal-core and one called drupal-modules.

If you have two WordPress installations, one in the web directory and one in a subdirectory called "outreach", and you just want to auto upgrade the core WordPress code for both of them, create a single file called wordpress-core that contains the absolute path to your main web directory on the first line and the absolute path to your outreach directory on the second line. Note that once you list any directory in the file, the web directory is no longer included by default: you have to list it explicitly if you want it included.

Technical Details

All upgrades are run as the user who owns the index.php file in the given directory.

Drupal core upgrades are run via drush with the following command:

drush -y pm-update drupal --security-only

Drupal module upgrades are run with the following command:

drush -y pm-update --no-core --security-only

WordPress upgrades are handled via the following wp-cli commands:

wp core update --minor

And WordPress plugin updates via:

wp plugin update --all

NOTE: WordPress sites above version 3.7 with a functioning cron job already have auto-updates enabled, so this step is not necessary for them; however, it doesn't hurt either.
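The following shell script is an added example, not the mf-* scripts themselves: it resolves which directories each marker file in .red/web-app-security selects (empty file means the web directory, otherwise one absolute path per line), maps the marker name to the drush/wp command listed above, and prints a dry-run plan with the owner of each directory's index.php. It assumes the member site layout /home/members/<member>/sites/<site>/ with the web root at <site>/web.

```shell
# Added example (not the mf-* scripts themselves). Assumed layout:
# /home/members/<member>/sites/<site>/.red/web-app-security/<marker>, with the
# site's web root assumed to be /home/members/<member>/sites/<site>/web.

# Print one target directory per line for a marker file ($1) given the site's
# default web directory ($2). An empty file selects the web directory; otherwise
# each non-blank line must be an absolute path, and the web directory is only
# included if it is listed explicitly.
webapp_targets() {
    marker=$1; webdir=$2
    if [ ! -s "$marker" ]; then
        printf '%s\n' "$webdir"
        return 0
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        case $line in
            /*) printf '%s\n' "$line" ;;
            *)  printf 'skipping non-absolute path: %s\n' "$line" >&2 ;;  # malformed marker
        esac
    done < "$marker"
}

# Map a marker file name to the upgrade command documented above.
upgrade_command() {
    case $1 in
        drupal-core)       echo 'drush -y pm-update drupal --security-only' ;;
        drupal-modules)    echo 'drush -y pm-update --no-core --security-only' ;;
        wordpress-core)    echo 'wp core update --minor' ;;
        wordpress-plugins) echo 'wp plugin update --all' ;;
        *) echo "unknown marker: $1" >&2; return 1 ;;
    esac
}

# Dry run: print "owner directory command" for every marker under $1
# (default /home/members). Upgrades run as the owner of index.php, so a
# directory without one is reported and skipped. stat -c is GNU coreutils.
plan_upgrades() {
    base=${1:-/home/members}
    for marker in "$base"/*/sites/*/.red/web-app-security/*; do
        [ -f "$marker" ] || continue
        site=${marker%/.red/web-app-security/*}
        cmd=$(upgrade_command "${marker##*/}") || continue
        webapp_targets "$marker" "$site/web" | while IFS= read -r dir; do
            [ -f "$dir/index.php" ] || { echo "no index.php in $dir" >&2; continue; }
            printf '%s %s %s\n' "$(stat -c %U "$dir/index.php")" "$dir" "$cmd"
        done
    done
}
```

Run `plan_upgrades` (optionally with a different base directory) to review what would be upgraded, as whom, before wiring the commands into a nightly job.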
