X-Git-Url: http://www.aleph1.co.uk/gitweb/?p=yaffs-website;a=blobdiff_plain;f=web%2Fmodules%2Fcontrib%2Fsecurity_review%2FREADME.txt;fp=web%2Fmodules%2Fcontrib%2Fsecurity_review%2FREADME.txt;h=03e730428cb38d067cdb03e7dd282e0adfb2282e;hp=0000000000000000000000000000000000000000;hb=ba1b5c55c66590c41ccc9844d3e62391b0399abb;hpb=93ef30d42f68e55d11d97312531118bbcd4cf318 diff --git a/web/modules/contrib/security_review/README.txt b/web/modules/contrib/security_review/README.txt new file mode 100644 index 000000000..03e730428 --- /dev/null +++ b/web/modules/contrib/security_review/README.txt @@ -0,0 +1,91 @@ + +-- ABOUT -- + +Security Review automates checking many of the configuration errors that lead +to an insecure Drupal site and looks for existing vulnerabilities and attack +attempts. + +The primary goal of the module is to elevate your awareness of the importance of +securing your Drupal site. The results of some checks may be incorrect depending +on unique factors, this module does not make your site more secure. You should +use the results of the checklist and its resources to manually secure your site. + +Refer to the support section below if you are interested in securing your Drupal +site. + +-- INSTALLATION -- + +Place the security_review directory and its contents under /modules or a +subdirectory of /modules in the Drupal root directory. + +Enable the module at Administer >> Modules and refer to the +following sections for configuration and usage. + +-- CONFIGURATION -- + +Two permissions are provided and required to use the module. Navigate to +Administer >> People >> Permissions to enable +'access security review list' and 'run security checks' for trusted roles. + +NOTICE: This module provides information on the state of your site's security so +it is imperative you grant these permissions to trusted roles and users only. +For instance, if you have an admin role, be sure that all the users who have +been granted this role are indeed users you trust if you grant them these +permissions. + +After you have granted permissions to the module you should inform the system +what roles are not trusted. Navigate to +Administer >> Reports >> Security Review >> Settings to mark which roles are +untrusted. Most checks only care if the resource is usable by +untrusted roles. + +On this page you can also define the level of logging. The result +of the last checklist is always stored but you can enable watchdog logging of +each check if you like. + +-- USAGE -- + +Navigate to Administer >> Reports >> Security Review to run the checklist. + +If a check is enabled it will be run. You can enable or skip a check on this +page only after it has been run. Clicking on the 'Help' link beside each check +will provide details on why the check exists and what was found on the last run. + +-- DRUSH USAGE -- + +Running the Security Review checklist using Drush is a great way to build +automated security audits of your site into your site development lifecycle and +as part of continuous integration. + +With the module installed invoke 'drush secrev' from within your Drupal root. + +Call 'drush help secrev' to see available options. + +For running specific checks pass the '--check' option. Be sure to remove any +whitespace characters separating check names. + +Consult implementations of hook_security_checks() for exact list of available +check options. Standard Security Review checks are: + +file_perms, input_formats, field, error_reporting, private_files, query_errors, +failed_logins, upload_extensions, admin_permissions, executable_php, +trusted_hosts, temporary_files + +For custom checks you may prefix the check name with the module name and +colon (:) character. For example: + +'drush secrev --check=my_module:my_check' + +Note, custom checks require that its module be enabled. Also, should you be +skipping any check the 'store' option will not allow that check to be run. + +-- SUPPORT -- + +Please use the issue queue at http://drupal.org/project/security_review for all +module support. You can read more about securely configuring your site at +http://drupal.org/security/secure-configuration and http://drupalscout.com + +-- CREDIT -- + +Security Review module originally written by Benjamin Jeavons, drupal.org user +coltrane. Ported to Drupal 8 by Viktor Bán.