PHP环境安全性能检查

PHP环境安全性能检查

PHP在Linux环境下安全配置是一个复杂的过程，其中涉及到很多的细节设置，在这里发出来一个脚本，通过这个脚本来检测你的PHP环境是否存在安全隐患，从而针对这些对你的PHP环境进行加固。
功能：

• 1.检测PHP环境安全配置
• 2.应禁用的功能。
• 3.危险的设置，可能会导致本地或远程文件包含。
• 4.错误处理。
• 5.在编译时定义的常量。

安装PHP环境后，将此三个文件脚本放在网站web目录下（audit.php php.xml style.css ）进行浏览器查看，他将在你配置的基础中通过XML文件中匹配规则检测出可能存在的配置错误，存在问题的选项它会用红色突出的颜色显示。当然还有一些东西可以根据你的要求更改。
效果如下：

audit.php

1. <?php
2. /**
3.  * PHP Security Auditor
4.  */
5. class Audit {
6.  
7. static private $rules;
8. static private $constants;
9. static private $phpVer;
10.  
11. static public $report;
12.  
13. /**
14. * Converts settings such as 1M 1G 1K to their byte equivilent values
15. *
16. * @param string $n
17. * @return string
18. */
19. static private function convertToBytes($n) {
20.  
21. // If n is -1 then there is no limit
22.      if ($n == -1)
23.      return PHP_INT_MAX;
24.  
25.      switch (substr($n, -1)) {
26.                     case "B": return substr($n,0,-1);
27.       case "K": return substr($n,0,-1) * 1024;
28.                     case "M": return substr($n,0,-1) * 1024 * 1024;
29.                     case "G": return substr($n,0,-1) * 1024 * 1024 * 1024;
30.             }
31.             return $n;
32.      }
33.  
34. static private function MakeReport($type, $title) {
35.  
36. ksort(self::$report[$type]);
37.  
38.      $html = '<h1>' . $title . '</h1><table><tr class="h"><th>Setting</th><th>Current</th><th>Recomended</th><th>Description</th></tr>';
39.     foreach(self::$report[$type] as $key => $values)
40.     {
41.     if ($values['p'] == 1) $class="r";
42.     else $class="v";
43.  
44. $html .= '<tr><td class="e">' . htmlentities($key) . '</td>' .
45. '<td class=". $class .">' . htmlentities($values['c']) . '</td>' .
46. '<td class=". $class .">' . htmlentities($values['r']) . '</td>' .
47. '<td class=". $class .">' . htmlentities($values['d']) . '</td></tr>';
48.     }
49.     $html .= '</table>';
50.  
51. return $html;
52. }
53.  
54.  
55.     static public function HTMLReport()
56.      {
57.      $class = "";
58.  
59.      $html = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">' .
60. '<html><head>' .
61.      '<link rel="stylesheet" type="text/css" media="all" href="style.css"/>' .
62.      '</head><body>';
63.  
64.      $html .= self::MakeReport("ini", "PHP INI");
65.      $html .= self::MakeReport("disabled", "PHP Disabled Functions");
66.      $html .= self::MakeReport("const", "PHP CONST");
67.  
68.     $html .= '</html>';
69.  
70.     echo($html . "\n");
71. }
72.  
73.    /**
74.    * Adds an item to the reporting array.
75.    *
76.    * @param string $type - the type (ini or const)
77.    * @param string $key - the name of the variable
78.    * @param string $currentValue - the current ini or const value
79.    * @param string $recomended - the recomended value
80.    * @param string $desc - a description of the issue
81.    * @param boolean $problem - true if not complaint, false if compliant
82.    */
83. static private function Report($type, $key, $currentValue, $recomended, $desc, $problem)
84. {
85. if (isset(self::$report[$type][$key]))
86. if ((self::$report[$type][$key]['r'] < $recomended)
87. && (self::$report[$type][$key['p']] == 1))
88. return;
89.  
90. self::$report[$type][$key] = array(
91. "c" => $currentValue,
92. "r" => $recomended,
93. "d" => $desc,
94. "p" => $problem
95. );
96. }
97.  
98. /**
99. * Loads the rules from an XML file
100. *
101. * @param string $file
102. */
103. static public function LoadRules($file = "php.xml")
104. {
105.  
106. if (!defined('PHP_VERSION_ID'))
107. {
108. $version = explode(".", PHP_VERSION);
109. self::$phpVer =  ($version[0] * 10000 + $version[1] * 100 + $version[2]);
110. } else
111. self::$phpVer = PHP_VERSION_ID;
112.  
113. self::$constants = get_defined_constants();
114. self::$rules = simplexml_load_file($file);
115. }
116.  
117. /**
118. * Processes the XML ruleset against const and ini values found in PHP
119. *
120. */
121. static public function ProcessXML() {
122.  
123. foreach(self::$rules as $null => $entry) {
124. $ruleID = $entry->attributes()->id;
125.  
126. // Check the version of PHP the rule applies to
127.  
128. $version = (string)$entry->version;
129.  
130. if ($version != "") {
131.  
132. $op = (string)$entry->version->attributes()->op;
133.  
134. switch ($op) {
135. case 'before':
136. if ($version < self::$phpVer)
137. continue 2;
138. break;
139. }
140. }
141.  
142. // Evaluate the rule as we are sure it applys to the version of PHP running
143.  
144. switch((string)$entry->type)
145. {
146. // Look at CONST values in PHP
147. case "const":
148.  
149. $key = (string)$entry->key; // e.g LIBXML_NOENT
150. $cValue = self::$constants[$key]; // The current value
151. $rValue = (string)$entry->value; // The recomended value
152. $desc = (string)$entry->description; // Description
153.  
154. switch((string)$entry->value->attributes()->op)
155. {
156. case "eq":
157. self::Report("const", $key, $cValue, $rValue, $desc, ($cValue == $rValue) ? 0 : 1);
158. break;
159. }
160.  
161. break;
162.  
163. // Check the list of functions that should be restricted
164.  
165. case "disable_functions":
166.  
167. $disabled = ini_get("disable_functions");
168. $list = explode(",", $disabled);
169.  
170. $xmlList = (array)($entry->list);
171. $xmlList = $xmlList['function'];
172.  
173. foreach($xmlList as $null => $function) {
174. $de = array_search($function, $list);
175. self::Report("disabled", $function, (($de == 0) ? "enabled" : "disabled"), "disabled", "", (($de == 0) ? 1 : 0));
176. }
177.  
178. break;
179.  
180. // Look at values defined within the INI files
181.  
182. case "ini":
183.  
184. $key = (string)$entry->key; // e.g. display_errors
185. $cValue = trim(self::convertToBytes(ini_get($key))); // Current value
186. $rValue = (string)$entry->value; // Recomended value
187. $desc = (string)$entry->description; // Description
188.  
189. if (is_numeric($rValue) && $cValue == "") $cValue = "0";
190.  
191. // Deals with where one value should be compared to another
192.  
193. if ((string)$entry->value->attributes()->type == "key")
194. $rValue = self::convertToBytes(ini_get((string)$entry->value));
195.  
196. switch((string)$entry->value->attributes()->op)
197. {
198. // Equal to
199. case "eq":
200. self::Report("ini", $key, $cValue, $rValue, $desc, ($cValue == $rValue) ? 0 : 1);
201. break;
202.  
203. // Less than or equal to
204. case "lt":
205. self::Report("ini", $key, $cValue, "< $rValue", $desc, ($cValue <= $rValue) ? 0 : 1);
206. break;
207.  
208. // Greater than or equal to
209. case "gt":
210. self::Report("ini", $key, $cValue, "> $rValue", $desc, ($cValue >= $rValue) ? 0 : 1);
211. break;
212.  
213. // Not equal to
214. case "ne":
215. $neValue  = (string)$entry->value->attributes()->net;
216. $notBlank = (string)$entry->value->attributes()->notblank;
217.  
218.  
219. if ($notBlank == "true") {
220. self::Report("ini", $key, $cValue, $rValue, $desc, ($cValue != "") ? 0 : 1);
221. break;
222. }
223.  
224. self::Report("ini", $key, $cValue, $rValue, $desc, ($cValue != $neValue) ? 0 : 1);
225. break;
226.  
227. }
228.  
229. break;
230. }
231.  
232. }
233.  
234. }
235.  
236.  
237. }
238.  
239. Audit::LoadRules();
240. Audit::ProcessXML();
241. Audit::HTMLReport();

php.xml代码如下：

1. <?xml version="1.0" encoding="UTF-8"?>
2. <rules>
3. <entry id="1">
4. <type>ini</type>
5. <key>upload_max_filesize</key>
6. <value op="lt">4194304</value>
7. <description>Sets the maximum size of an uploaded file. Reduce this to mitigate the risk of DOS attacks.</description>
8. </entry>
9. <entry id="29">
10. <type>ini</type>
11. <key>upload_max_filesize</key>
12. <value op="lt" type="key">memory_limit</value>
13. <description>The maximum size of an uploaded file should be able to fit within the avaliable memory limit.</description>
14. </entry>
15. <entry id="30">
16. <type>ini</type>
17. <key>post_max_size</key>
18. <value op="lt" type="key">memory_limit</value>
19. <description>The maximum post size of data posted to the server should be within the avaliable memory limit.</description>
20. </entry>
21. <entry id="32">
22. <type>ini</type>
23. <key>always_populate_raw_post_data</key>
24. <value op="eq">0</value>
25. <description>This does not need to be used. The preferred method for accessing the raw POST data is php://input.</description>
26. </entry>
27. <entry id="33">
28. <type>ini</type>
29. <key>magic_quotes_gpc</key>
30. <value op="eq">0</value>
31. <description>Sets magic_quotes state for GPC (GET PUT COOKIE) data.  Relying on this feature is highly discouraged.</description>
32. <version op="before">50300</version>
33. <url>http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc</url>
34. </entry>
35. <entry id="34">
36. <type>ini</type>
37. <key>magic_quotes_runtime</key>
38. <value op="eq">0</value>
39. <description>Sets magic_quotes state for data from external sources.  Relying on this feature is highly discouraged.</description>
40. <version op="before">50300</version>
41. <url>http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime</url>
42. </entry>
43. <entry id="35">
44. <type>ini</type>
45. <key>safe_mode</key>
46. <value op="eq">0</value>
47. <description>This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.</description>
48. <version op="before">50300</version>
49. </entry>
50. <entry id="36">
51. <type>ini</type>
52. <key>memory_limit</key>
53. <value op="lt">16777216</value>
54. <description>The maximum memory limit for each script should be 16M or less.</description>
55. </entry>
56. <entry id="5">
57. <type>ini</type>
58. <key>upload_max_filesize</key>
59. <value op="lt" type="key">post_max_size</value>
60. <description>The maximum upload file size should be less than or equal to the maximum post size.</description>
61. </entry>
62. <entry id="2">
63. <type>ini</type>
64. <key>max_file_uploads</key>
65. <value op="lt">10</value>
66. <description>The maximum mumber of files that can be uploaded in 1 go.</description>
67. </entry>
68. <entry id="3">
69. <type>ini</type>
70. <key>file_uploads</key>
71. <value op="eq">0</value>
72. <description>This may be impractical but if not needed file uploading should be disabled.</description>
73. </entry>
74. <entry id="4">
75. <type>ini</type>
76. <key>post_max_size</key>
77. <value op="lt">4194304</value>
78. <description>The maximum post size should as small as reasonably possible to mitigate the risk of DOS attacks.</description>
79. </entry>
80. <entry id="6">
81. <type>ini</type>
82. <key>register_long_arrays</key>
83. <value op="eq">0</value>
84. <description>Populates HTTP_*_VARS which should no longer be used.</description>
85. <version op="before">50300</version>
86. </entry>
87. <entry id="7">
88. <type>ini</type>
89. <key>register_globals</key>
90. <value op="eq">0</value>
91. <description>Highly dangerous feature enabling variables to be defined in scripts from the GPC paramaters. This should be always be turned off.</description>
92. <version op="before">50300</version>
93. </entry>
94. <entry id="8">
95. <type>ini</type>
96. <key>session.hash_function</key>
97. <value op="eq">1</value>
98. <description>MD5 should be replaced with SHA-160 as it is a more complex and secure hashing algorithm.</description>
99. <version op="after">50000</version>
100. </entry>
101. <entry id="9">
102. <type>ini</type>
103. <key>session.hash_bits_per_character</key>
104. <value op="gt">5</value>
105. <description>The number of bits encoded per character of the session key.</description>
106. <version op="after">50000</version>
107. </entry>
108. <entry id="10">
109. <type>ini</type>
110. <key>session.entropy_file</key>
111. <value op="ne" net="">/dev/random</value>
112. <description>Provides a random seed for generating the session.</description>
113. </entry>
114. <entry id="11">
115. <type>ini</type>
116. <key>session.entropy_length</key>
117. <value op="gt">32</value>
118. <description>The number of bytes to read for gathering entropy for session generation.</description>
119. </entry>
120. <entry id="12">
121. <type>ini</type>
122. <key>session.name</key>
123. <value op="ne" net="PHPSESSID">Custom String</value>
124. <description>The name given to the PHP Session. It is recomended this be changed from the default.</description>
125. </entry>
126. <entry id="14">
127. <type>ini</type>
128. <key>session.save_path</key>
129. <value op="ne" net="/tmp" notblank="true">/custom/location</value>
130. <description>The save path for the session should be changed from the default /tmp.</description>
131. </entry>
132. <entry id="15">
133. <type>ini</type>
134. <key>session.use_trans_sid</key>
135. <value op="eq">0</value>
136. <description>Sessions should not be allowed in GET paramaters.</description>
137. </entry>
138. <entry id="18">
139. <type>ini</type>
140. <key>display_errors</key>
141. <value op="eq">0</value>
142. <description>Error messages should be suppressed</description>
143. </entry>
144. <entry id="19">
145. <type>ini</type>
146. <key>allow_url_fopen</key>
147. <value op="eq">0</value>
148. <description>Remote files should not be accessable using fopen.</description>
149. </entry>
150. <entry id="20">
151. <type>ini</type>
152. <key>allow_url_include</key>
153. <value op="eq">0</value>
154. <description>You should not be able to include remote scripts using include.</description>
155. </entry>
156. <entry id="31">
157. <type>ini</type>
158. <key>session.cookie_httponly</key>
159. <value op="eq">1</value>
160. <description>Cookies must be httponly by default</description>
161. <version op="after">50200</version>
162. </entry>
163. <entry id="20">
164. <type>ini</type>
165. <key>open_basedir</key>
166. <value op="ne" net="/" notblank="true">/the/webroot</value>
167. <description>Limit the files that can be opened by PHP to the webroot.</description>
168. </entry>
169. <entry id="32">
170. <type>ini</type>
171. <key>upload_tmp_dir</key>
172. <value op="ne" net="/tmp" notblank="true">/custom/location</value>
173. <description>Change the location of where files are initally uploaded to</description>
174. </entry>
175. <entry id="21">
176. <type>ini</type>
177. <key>max_execution_time</key>
178. <value op="lt">20</value>
179. <description>Execution time should be limited to 20 seconds or less.</description>
180. </entry>
181. <entry id="22">
182. <type>ini</type>
183. <key>max_input_nesting_level</key>
184. <value op="lt">32</value>
185. <description>Maximum level of nesting of objects 32 is sufficent.</description>
186. </entry>
187. <entry id="23">
188. <type>ini</type>
189. <key>enable_dl</key>
190. <value op="eq">0</value>
191. <description>Disable loading of dynamic extensions.</description>
192. </entry>
193. <entry id="24">
194. <type>ini</type>
195. <key>display_startup_errors</key>
196. <value op="eq">0</value>
197. <description>Startup errors should be suppressed.</description>
198. </entry>
199. <entry id="25">
200. <type>ini</type>
201. <key>log_errors</key>
202. <value op="eq">1</value>
203. <description>All errors generated by PHP should be logged to a file.</description>
204. </entry>
205. <entry id="26">
206. <type>ini</type>
207. <key>log_errors_max_len</key>
208. <value op="gt">2048</value>
209. <description>At least 2048 characters of the error message should be stored in the error log.</description>
210. </entry>
211. <entry id="27">
212. <type>ini</type>
213. <key>error_log</key>
214. <value op="ne" net="">/custom/location</value>
215. <description>Should be set to the location of the php error log.</description>
216. </entry>
217. <entry id="28">
218. <type>const</type>
219. <key>LIBXML_NOENT</key>
220. <value op="eq">0</value>
221. <description>External entities should be disabled for XML parsing</description>
222. </entry>
223. <entry id="37">
224. <type>ini</type>
225. <key>session.use_only_cookies</key>
226. <value op="eq">1</value>
227. <description>Session variables should only be passed in cookies.</description>
228. </entry>
229. <entry id="29">
230. <type>const</type>
231. <key>LIBXML_NONET</key>
232. <value op="eq">0</value>
233. <description>Network access for XML parsers should be disabled.</description>
234. </entry>
235. <entry id="38">
236. <type>disable_functions</type>
237. <list>
238. <function>fsocket_open</function>
239. <function>pack</function>
240. <function>escapeshellarg</function>
241. <function>escapeshellcmd</function>
242. <function>exec</function>
243. <function>passthru</function>
244. <function>proc_close</function>
245. <function>php_uname</function>
246. <function>getmyuid</function>
247. <function>getmypid</function>
248. <function>passthru</function>
249. <function>leak</function>
250. <function>listen</function>
251. <function>diskfreespace</function>
252. <function>tmpfile</function>
253. <function>link</function>
254. <function>ignore_user_abort</function>
255. <function>set_time_limit</function>
256. <function>limit</function>
257. <function>exec</function>
258. <function>highlight_file</function>
259. <function>show_source</function>
260. <function>fpaththru</function>
261. <function>virtual</function>
262. <function>posix_ctermid</function>
263. <function>posix_getcwd</function>
264. <function>posix_getegid</function>
265. <function>posix_geteuid</function>
266. <function>posix_getgid</function>
267. <function>posix_getgrgid</function>
268. <function>posix_getgrnam</function>
269. <function>posix_getgroups</function>
270. <function>posix_getlogin</function>
271. <function>posix_getpgid</function>
272. <function>posix_getpgrp</function>
273. <function>posix_getpid</function>
274. <function>posix</function>
275. <function>posix_getpwnam</function>
276. <function>posix_getpwuid</function>
277. <function>posix_getrlimit</function>
278. <function>posix_getsid</function>
279. <function>posix_getuid</function>
280. <function>posix_isatty</function>
281. <function>posix_kill</function>
282. <function>posix_mkfifo</function>
283. <function>posix_setegid</function>
284. <function>posix_seteuid</function>
285. <function>posix_setgid</function>
286. <function>posix_setpgid</function>
287. <function>posix_setsid</function>
288. <function>posix_setuid</function>
289. <function>posix_times</function>
290. <function>posix_ttyname</function>
291. <function>posix_uname</function>
292. <function>proc_open</function>
293. <function>proc_close</function>
294. <function>proc_get_status</function>
295. <function>proc_nice</function>
296. <function>proc_terminate</function>
297. <function>phpinfo</function>
298. <function>proc_open</function>
299. <function>shell_exec</function>
300. <function>system</function>
301. <function>set_time_limit</function>
302. <function>ini_alter</function>
303. <function>dl</function>
304. <function>popen</function>
305. <function>parse_ini_file</function>
306. </list>
307. </entry>
308. </rules>

style.css代码如下：

1. @CHARSET "UTF-8";
2.  
3. body { color: #000000;}
4. body, td, th, h1, h2 {font-family: sans-serif;}
5. pre {margin: 0px; font-family: monospace;}
6. table {border-collapse: collapse;}
7. td, th { border: 1px solid #000000; font-size: 75%; vertical-align: baseline;  padding-left:5px; padding-right:5px;}
8. h1 {font-size: 150%;}
9. h2 {font-size: 125%;}
10. .p {text-align: left;}
11. .e { font-weight: bold; color: #000000;}
12. .h {background-color: #9999cc; font-weight: bold; color: #000000;}
13. .v { color: #000000; padding-left:5px;}
14. .r {background-color: #c50000; color: #000000;  padding-left:5px;}

三个文件已经打包：php-security-check.zip
转自：http://lanlan611.sinaapp.com/?p=112

转载请标明文章来源:《https://www.centos.bz/2012/03/php-security-check/》