Posted by coltrane on September 9, 2015 at 12:55am
Consider this a brainstorm post about generating module ideas around security for Drupal sites. What modules do you wish existed but don't? What security feature, change audit, access control, risk mitigation, etc doesn't exist for Drupal, but should?
A couple come to my mind which I'll leave as a comment. Share yours, whether basic or advanced, and we can discuss how it might work and its needs.
Comments
access grant audits and inactivity blocks
A couple ideas:
Record and/or log when user accounts receive roles with admin permissions for mitigation against access abuse / access elevation
Block or remove access to accounts after 90 days of inactivity, block status or possibly just certain roles.
How do we detect when the
How do we detect when the role change is done directly on the DB? This kind of detection would be best if it didn't rely on hook detection, so that when an attacker manually edits the DB it will still be detected as a change in the role.
Another idea that I like to recommend, which has to do with monitoring, is on the filesystem level inside the Drupal root, but the only way I saw this being implemented is using inotify. I started doing this after the Drupalgeddon exploit, since one of the attack methods was to create a random PHP file inside the Drupal root directory, which could have been mitigated by proper permissions in the Drupal root, but what happens when even proper permissions don't help? That's where an inotify script like the one I started at https://github.com/likewhoa/e-watch comes in, which basically monitors for any MODIFY, DELETE or CREATE events inside the Drupal root. My custom script sends over an SMS when any of these events get triggered, which is a nice feature to have.
bending technology to fit businesses.
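The first idea in the comment above, polling the database rather than depending on a Drupal hook, as an added example that is not from the thread or from e-watch. It assumes the Drupal 7 schema (users_roles with uid/rid, role with rid/name), uses an in-memory SQLite database as a constructed stand-in for the site's MySQL database, and treats the role name "administrator" as the privileged one.

```python
import sqlite3

# Added example, not from the thread. Drupal 7 keeps role assignments in
# users_roles (uid, rid) and role names in role (rid, name). Instead of relying
# on hook_user_update(), snapshot users_roles each run and diff against the
# previous snapshot, so a row inserted straight into the DB is caught too.
ADMIN_ROLES = {"administrator"}  # assumption: which roles count as privileged

def load_grants(conn):
    """Return the current set of (uid, role name) pairs."""
    rows = conn.execute(
        "SELECT ur.uid, r.name FROM users_roles ur JOIN role r ON r.rid = ur.rid"
    ).fetchall()
    return {(uid, name) for uid, name in rows}

def diff_grants(previous, current):
    """Return (added, removed) sets of (uid, role) between two snapshots."""
    return current - previous, previous - current

def audit(previous, current):
    """Return one alert line per privileged-role grant or revocation."""
    added, removed = diff_grants(previous, current)
    alerts = []
    for uid, role in sorted(added):
        if role in ADMIN_ROLES:
            alerts.append(f"GRANT uid={uid} role={role}")
    for uid, role in sorted(removed):
        if role in ADMIN_ROLES:
            alerts.append(f"REVOKE uid={uid} role={role}")
    return alerts

def demo():
    """Constructed scenario on an in-memory SQLite stand-in for the site's MySQL DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
        INSERT INTO role VALUES (3, 'administrator'), (4, 'editor');
        INSERT INTO users_roles VALUES (1, 3), (7, 4);
    """)
    baseline = load_grants(conn)
    # A change made directly in the database: no Drupal hook fires for this row,
    # but the next poll still sees it.
    conn.execute("INSERT INTO users_roles VALUES (42, 3)")
    return audit(baseline, load_grants(conn))

if __name__ == "__main__":
    for line in demo():
        print(line)
```

In a real deployment the baseline snapshot would be persisted between cron runs (a file or a separate audit table) so that grants made while the poller was not running are still reported.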
Fine-grained MySQL tables privileges
The idea is pretty simple and discussed in this group:
https://groups.drupal.org/node/465893
Dynamic Application Security Testing, tracing input
Great topic!
I'd like a way to trace user input throughout Drupal. Which functions does the input pass through for validation and sanitization? Does it pass these tests, or does the input make it to the DB unchecked, etc.?
I was planning on starting a Python or Ruby based project for this type of dynamic application security testing.
Another critical component would be static code analysis.
This may make for a great Drupal module... maybe pieces of the overall project could be?
Ping me off-list if you'd be interested in working on such a project.
I'm not sure a module can do
I'm not sure a module can do this. Check out http://php.net/manual/en/book.taint.php though, which is close.
Disable password fields
There should be a module to stop password fields from being filled in by people.
Drupal can choose much better passwords and display one after account creation for the user to copy into a password safe.
No
No it doesn't, not when Drupal is limited to picking from a subset of alphanumeric characters and defaults to a length of ten characters, while password managers like 1Password let you generate strings that include control characters and can be much longer (1Password lets you go up to 50 characters).
I didn't say that you have to
I didn't say that you have to use the core function, but yeah, it could be improved.
Some possibilities
It seems there are a number of issues related to this:
With some improvements to core this could be a really good option.
I think this is
I think this is https://www.drupal.org/project/genpass
knaddison blog | Morris Animal Foundation
Nice! I admit I wondered why
Nice!
I admit I wondered why this wouldn't exist and probably didn't really search.