CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

False positives on PHP tests on DirectAdmin servers #780

Closed gralex54 closed 4 years ago

gralex54 commented 4 years ago

Describe the bug

The control panel DirectAdmin (www.directadmin.com) installs PHP from sources: it compiles PHP versions and installs them into /usr/local/php<VERSION>/ directories, e.g. the following PHP binaries might exist (depending on the options a server administrator chooses):

<VERSION> might be any existing version of PHP in the format 55, 56, 70, 71, 72, 73, corresponding to 5.5, 5.6, 7.0, 7.1, 7.2, 7.3

And every PHP version has its own directory for PHP ini files:

For example (for PHP installed as suphp, fastcgi, PHP-FPM):

Configuration File (php.ini) Path: /usr/local/php72/lib
Loaded Configuration File:         /usr/local/php72/lib/php.ini
Scan for additional .ini files in: /usr/local/php72/lib/php.conf.d
Additional .ini files parsed:      /usr/local/php72/lib/php.conf.d/10-directadmin.ini,
/usr/local/php72/lib/php.conf.d/50-webapps.ini,
/usr/local/php72/lib/php.conf.d/90-custom.ini

and (for PHP installed as mod_php):

Configuration File (php.ini) Path: /usr/local/lib
Loaded Configuration File:         /usr/local/lib/php.ini
Scan for additional .ini files in: /usr/local/lib/php.conf.d
Additional .ini files parsed:      /usr/local/lib/php.conf.d/10-directadmin.ini,
/usr/local/lib/php.conf.d/50-webapps.ini,
/usr/local/lib/php.conf.d/90-custom.ini

And here is where the issue comes in. Lynis does not check those directories and files for settings when doing tests from /usr/share/lynis/include/tests_php.

Version

Expected behavior

Lynis should detect PHP ini files installed by DirectAdmin. Actually, under php.conf.d/ of the locations listed above, any number of custom *.ini files might exist.

Output

[root@da-server include]# php -i | grep expose
expose_php => Off => Off
[root@da-server include]# 
[root@da-server include]# grep expose /var/log/lynis.log
2019-10-10 08:43:06 Performing test ID PHP-2372 (Check PHP expose_php option)
2019-10-10 08:43:06 Result: found a a possible match on expose_php setting
2019-10-10 08:43:06 Data: expose_php = On
2019-10-10 08:43:06 Suggestion: Turn off PHP information exposure [test:PHP-2372] [details:expose_php = Off] [solution:-]
[root@da-server include]#

Additional context

Please advise.

Schmuuu commented 4 years ago

Hi,

Maybe I can look into the code and add the check of ini files in subfolders. A spontaneous question however: how would you like the test to handle multiple occurrences of one parameter and especially contradictory configurations like expose_php = On in one file and expose_php = Off in another? It would be safer to report that "bad" setting even if found only once anywhere, right?

gralex54 commented 4 years ago

Hello,

It would be nice if you could look into the code and add the check of ini files in subfolders. Yes, I agree it would be much safer to report that "bad" setting even if found only once anywhere.

Thanks and regards, Alex.

Schmuuu commented 4 years ago

Hi @gralex54

I looked into the code and noticed that I only had to add the missing folders. I didn't have to change any code regarding the test itself. I have now created the pull request #805. Could you test that, please?

Thanks in advance.

gralex54 commented 4 years ago

Hi @Schmuuu

Thanks. I confirm it's working now

    - Checking expose_php option                              [ OFF ]

with:

# grep -i -R ^expose /usr/local/php*/lib/
/usr/local/php52/lib/php.ini-dist:expose_php = On
/usr/local/php52/lib/php.ini-recommended:expose_php = On
/usr/local/php52/lib/php.conf.d/90-custom.ini:expose_php = off
/usr/local/php52/lib/php.ini:expose_php = Off
/usr/local/php53/lib/php.conf.d/90-custom.ini:expose_php = off
/usr/local/php53/lib/php.ini:expose_php = off
/usr/local/php54/lib/php.conf.d/90-custom.ini:expose_php = off
/usr/local/php54/lib/php.ini:expose_php = off
/usr/local/php55/lib/php.conf.d/90-custom.ini:expose_php = off
/usr/local/php55/lib/php.ini:expose_php = off
/usr/local/php56/lib/php.conf.d/90-custom.ini:expose_php = off
/usr/local/php56/lib/php.ini:expose_php = off
/usr/local/php70/lib/php.conf.d/90-custom.ini:expose_php = off
/usr/local/php70/lib/php.ini:expose_php = off
/usr/local/php71/lib/php.conf.d/90-custom.ini:expose_php = off
/usr/local/php71/lib/php.ini:expose_php = off
/usr/local/php72/lib/php.conf.d/90-custom.ini:expose_php = off
/usr/local/php72/lib/php.ini:expose_php = off
/usr/local/php73/lib/php.conf.d/90-custom.ini:expose_php = off
/usr/local/php73/lib/php.ini:expose_php = off

Regards, Alex.
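
The policy agreed on in this thread (report a directive as enabled if any loaded ini file under the DirectAdmin paths turns it on), sketched as an added example; it is not Lynis code and not the content of the pull request. The function names, the optional root-prefix argument and the sample tree are assumptions made for illustration, and the check deliberately does not model which file PHP lets win.

```shell
# Added example (not Lynis code). Function names and the optional <root>
# prefix argument are assumptions, used so the check can run on a test tree.

# List ini files PHP loads in the DirectAdmin layout from the issue:
# <dir>/php.ini plus <dir>/php.conf.d/*.ini (php.ini-dist etc. are not loaded).
da_php_ini_files() {
    root="${1:-}"
    for dir in "$root"/usr/local/lib "$root"/usr/local/php[0-9]*/lib; do
        for f in "$dir"/php.ini "$dir"/php.conf.d/*.ini; do
            if [ -f "$f" ]; then echo "$f"; fi
        done
    done
}

# Print "file: line" for every loaded file that switches the directive on.
# PHP treats On/Yes/True/1 (any case) as enabled; ';' starts a comment.
ini_enabled_in() {
    directive="$1"
    da_php_ini_files "${2:-}" | while IFS= read -r f; do
        awk -F= -v d="$directive" -v f="$f" '{
            key = $1; val = $2
            gsub(/[ \t]/, "", key); sub(/;.*/, "", val); gsub(/[ \t\r"]/, "", val)
            if (key == d && tolower(val) ~ /^(on|yes|true|1)$/) print f ": " $0
        }' "$f"
    done
}

# Policy from the thread: one enabling file anywhere is enough to report it.
check_directive() {
    if [ -n "$(ini_enabled_in "$1" "${2:-}")" ]; then echo "ON"; else echo "OFF"; fi
}

# Constructed sample tree mirroring the grep output in the thread.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/local/php52/lib/php.conf.d" "$t/usr/local/php73/lib/php.conf.d"
    echo 'expose_php = On'  > "$t/usr/local/php52/lib/php.ini-dist"
    echo 'expose_php = Off' > "$t/usr/local/php52/lib/php.ini"
    echo 'expose_php = off' > "$t/usr/local/php52/lib/php.conf.d/90-custom.ini"
    echo 'expose_php = off' > "$t/usr/local/php73/lib/php.ini"
    echo "$t"
}

tree=$(make_sample_tree)
echo "sample tree:         $(check_directive expose_php "$tree")"
echo '; expose_php = On' >> "$tree/usr/local/php73/lib/php.ini"   # commented out: ignored
echo 'expose_php = On' > "$tree/usr/local/php73/lib/php.conf.d/50-webapps.ini"
echo "after contradiction: $(check_directive expose_php "$tree")"
rm -rf "$tree"
```

Calling `ini_enabled_in expose_php` with no root argument lists the offending files on a live server, which is what an administrator needs in order to fix a contradictory setting.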