--- /dev/null
+
+-- ABOUT --
+
+Security Review automates checking many of the configuration errors that lead
+to an insecure Drupal site and looks for existing vulnerabilities and attack
+attempts.
+
+The primary goal of the module is to elevate your awareness of the importance of
+securing your Drupal site. The results of some checks may be incorrect depending
+on unique factors, this module does not make your site more secure. You should
+use the results of the checklist and its resources to manually secure your site.
+
+Refer to the support section below if you are interested in securing your Drupal
+site.
+
+-- INSTALLATION --
+
+Place the security_review directory and its contents under /modules or a
+subdirectory of /modules in the Drupal root directory.
+
+Enable the module at Administer >> Modules and refer to the
+following sections for configuration and usage.
+
+-- CONFIGURATION --
+
+Two permissions are provided and required to use the module. Navigate to
+Administer >> People >> Permissions to enable
+'access security review list' and 'run security checks' for trusted roles.
+
+NOTICE: This module provides information on the state of your site's security so
+it is imperative you grant these permissions to trusted roles and users only.
+For instance, if you have an admin role, be sure that all the users who have
+been granted this role are indeed users you trust if you grant them these
+permissions.
+
+After you have granted permissions to the module you should inform the system
+what roles are not trusted. Navigate to
+Administer >> Reports >> Security Review >> Settings to mark which roles are
+untrusted. Most checks only care if the resource is usable by
+untrusted roles.
+
+On this page you can also define the level of logging. The result
+of the last checklist is always stored but you can enable watchdog logging of
+each check if you like.
+
+-- USAGE --
+
+Navigate to Administer >> Reports >> Security Review to run the checklist.
+
+If a check is enabled it will be run. You can enable or skip a check on this
+page only after it has been run. Clicking on the 'Help' link beside each check
+will provide details on why the check exists and what was found on the last run.
+
+-- DRUSH USAGE --
+
+Running the Security Review checklist using Drush is a great way to build
+automated security audits of your site into your site development lifecycle and
+as part of continuous integration.
+
+With the module installed invoke 'drush secrev' from within your Drupal root.
+
+Call 'drush help secrev' to see available options.
+
+For running specific checks pass the '--check' option. Be sure to remove any
+whitespace characters separating check names.
+
+Consult implementations of hook_security_checks() for exact list of available
+check options. Standard Security Review checks are:
+
+file_perms, input_formats, field, error_reporting, private_files, query_errors,
+failed_logins, upload_extensions, admin_permissions, executable_php,
+trusted_hosts, temporary_files
+
+For custom checks you may prefix the check name with the module name and
+colon (:) character. For example:
+
+'drush secrev --check=my_module:my_check'
+
+Note, custom checks require that its module be enabled. Also, should you be
+skipping any check the 'store' option will not allow that check to be run.
+
+-- SUPPORT --
+
+Please use the issue queue at http://drupal.org/project/security_review for all
+module support. You can read more about securely configuring your site at
+http://drupal.org/security/secure-configuration and http://drupalscout.com
+
+-- CREDIT --
+
+Security Review module originally written by Benjamin Jeavons, drupal.org user
+coltrane. Ported to Drupal 8 by Viktor Bán.
projects / yaffs-website / blobdiff