What security-related modules should exist but don't?

Posted by coltrane

Consider this a brainstorm post about generating module ideas around security for Drupal sites. What modules do you wish existed but don't? What security feature, change audit, access control, risk mitigation, etc. doesn't exist for Drupal, but should?

A couple come to my mind which I'll leave as a comment. Share yours, whether basic or advanced, and we can discuss how it might work and its needs.

Comments

access grant audits and inactivity blocks

Posted by coltrane

A couple ideas:

  1. Record and/or log when user accounts receive roles with admin permissions for mitigation against access abuse / access elevation

  2. Block or remove access to accounts after 90 days of inactivity, block status or possibly just certain roles.

How do we detect when the

Posted by likewhoa

How do we detect when the role change is done directly on the DB? This kind of detection would be best if it didn't rely on hook detection, so that when an attacker manually edits the DB it will still be detected as a change in the role.

Another idea that I like to recommend which has to do with monitoring is on the filesystem level inside the Drupal root, but the only way I saw this being implemented is using inotify. I started doing this after the Drupalgeddon exploit, since one of the attack methods was to create a random php file inside the drupal root directory, which could have been mitigated by proper permissions in the Drupal root, but what happens when even proper permissions don't help? That's where an inotify script like the one I started at https://github.com/likewhoa/e-watch comes in, which basically monitors for any MODIFY, DELETE or CREATE events inside the Drupal root. My custom script sends over an SMS when any of these events get triggered, which is a nice feature to have.

bending technology to fit businesses.
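The two ideas above (coltrane's "record when accounts receive admin roles" and likewhoa's "detect it even when the row is written straight into the DB") can be served by one out-of-band check: snapshot the `users_roles` table on a schedule and diff it against the previous snapshot, so no Drupal hook needs to fire. This is an added example, not code from the thread or from e-watch; it assumes the Drupal 7 `users_roles` schema (uid, rid) and uses an in-memory SQLite copy of it, with rid 3 as a constructed "administrator" role.

```python
"""Out-of-band audit of Drupal 7 users_roles grants (added example).

Snapshot users_roles and diff it against the previous snapshot, so a role
granted by a direct SQL INSERT (bypassing Drupal's hooks) is still reported.
An in-memory SQLite copy of the Drupal 7 schema stands in for the real DB;
in production, get_grants() would be given the site's MySQL connection and
the baseline would be persisted between cron runs.
"""
import sqlite3

ADMIN_RIDS = {3}  # constructed: rid 3 is "administrator" on this hypothetical site


def get_grants(conn):
    """Return the current set of (uid, rid) pairs from users_roles."""
    rows = conn.execute("SELECT uid, rid FROM users_roles")
    return {(int(uid), int(rid)) for uid, rid in rows}


def diff_grants(baseline, current, admin_rids=ADMIN_RIDS):
    """Compare two snapshots and split the changes by severity.

    Grants touching an admin rid are escalated (admin_added/admin_removed);
    everything else is reported separately so it can be logged at low severity.
    """
    added = current - baseline
    removed = baseline - current

    def is_admin(grant):
        return grant[1] in admin_rids

    return {
        "admin_added": sorted(g for g in added if is_admin(g)),
        "admin_removed": sorted(g for g in removed if is_admin(g)),
        "other_added": sorted(g for g in added if not is_admin(g)),
        "other_removed": sorted(g for g in removed if not is_admin(g)),
    }


def demo():
    """Constructed scenario: uid 42 is given the admin role via raw SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_roles (uid INTEGER, rid INTEGER, PRIMARY KEY (uid, rid))")
    conn.executemany("INSERT INTO users_roles VALUES (?, ?)", [(1, 3), (42, 2)])
    baseline = get_grants(conn)  # snapshot taken by an earlier cron run
    # Written directly to the table: no Drupal hook sees this statement.
    conn.execute("INSERT INTO users_roles VALUES (42, 3)")
    return diff_grants(baseline, get_grants(conn))


if __name__ == "__main__":
    print(demo())
```

Run from cron and store the baseline (for example as a sorted list in a file outside the web root) so each run compares against the previous snapshot rather than an empty set.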

Fine-grained MySQL tables privileges

Posted by EC-GROW

The idea is pretty simple and discussed in this group:

https://groups.drupal.org/node/465893

Dynamic Application Security Testing, tracing input

Posted by clayball

Great topic!

I'd like a way to trace user input throughout Drupal. Which functions does the input pass through for validation and sanitization? Does it pass these tests, or does the input make it to the DB unchecked, etc.?

I was planning on starting a Python or Ruby based project for this type of dynamic application security testing.

Another critical component would be static code analysis.

This may make for a great Drupal module... maybe pieces of the overall project could be?

Ping me off-list if you'd be interested in working on such a project.

I'm not sure a module can do

Posted by cashwilliams

I'm not sure a module can do this. Check out http://php.net/manual/en/book.taint.php though, which is close.

Disable password fields

Posted by killes@www.drop.org

There should be a module to prevent password fields from being filled in by people.

Drupal can choose much better passwords and display them after account creation for the user to copy into a password safe.

No

Posted by DamienMcKenna

No it doesn't, not when Drupal is limited to picking from a subset of alphanumeric characters and defaults to a length of ten characters, while password managers like 1Password let you generate strings that include control characters and can be much longer (1Password lets you go up to 50 characters).

I didn't say that you have to

Posted by killes@www.drop.org

I didn't say that you have to use the core function, but yeah, it could be improved.

Some possibilities

Posted by DamienMcKenna

It seems there are a number of issues related to this:

With some improvements to core this could be a really good option.

I think this is

Nice! I admit I wondered why

Posted by killes@www.drop.org

Nice!

I admit I wondered why this wouldn't exist and probably didn't really search.
