What security-related modules should exist but don't?

Events happening in the community are now at Drupal community events on www.drupal.org.
Posted by coltrane on September 9, 2015 at 12:55am

Consider this a brainstorm post about generating module ideas around security for Drupal sites. What modules do you wish existed but don't? What security feature, change audit, access control, risk mitigation, etc doesn't exist for Drupal, but should?

A couple come to my mind which I'll leave as a comment. Share yours, whether basic or advanced, and we can discuss how it might work and it's needs.

Comments

access grant audits and inactivity blocks

Posted by coltrane on September 9, 2015 at 1:00am

A couple ideas:

  1. Record and/or log when user accounts receive roles with admin permissions for mitigation against access abuse / access elevation

  2. Block or remove access to accounts after 90 days inactivity, block status or possibly just certain roles.

How do we detect when the

Posted by likewhoa on September 9, 2015 at 5:14pm

How do we detect when the role change it's done directly on the DB? This kind of detection would be best if it didn't rely on hook detection so that when an attacker manually edits the DB it will still be detected as a change in the role.

Another idea that I like to recommend which has to do with monitoring is on the filesystem level insite the Drupal root, but the only way I saw this being implemented is using inotify. I start doing this after the Drupalgeddon exploit since one of the attack methods was to create a random php file inside the drupal root directory which could have been mitigated by proper permissions in the Drupal root, but what happens when even proper permissions don't help? That's were an inotify script like the one I start at https://github.com/likewhoa/e-watch which basically monitors for any MODIFY,DELETE or CREATE events inside the Drupal root. My custom script sends over an SMS when any of these events gets triggered which is a nice feature to have.

bending technology to fit businesses.

Fine-grained MySQL tables privileges

Posted by EC-GROW (not verified) on September 10, 2015 at 6:28am
EC-GROW's picture

The idea is pretty simple and discussed in this group:

https://groups.drupal.org/node/465893

Dynamic Application Security Testing, tracing input

Posted by clayball on September 9, 2015 at 5:35pm

Great topic!

I'd like a way to trace user input throughout drupal. Which functions does the input pass through for validation and sanitization. Does it pass these tests or does the input make it to the DB unchecked.. etc.

I was planning on starting a Python or Ruby based project for this type of dynamic application security testing.

Another critical component would be static code analysis.

This may make for a great drupal module.. maybe pieces of the overall project could be.?

Ping me off-list if you'd be interested in working on such a project.

I'm not sure a module can do

Posted by cashwilliams on September 11, 2015 at 2:21pm

I'm not sure a module can do this. Check out http://php.net/manual/en/book.taint.php though, which is close.

Disable password fields

Posted by killes@www.drop.org on September 19, 2015 at 8:21am

There should be a module to disable password fields to be filled in by people.

Drupal can chose much better passwords and display it after account creation to the user to copy it to a password safe.

No

Posted by damienmckenna on September 19, 2015 at 12:33pm

No it doesn't, not when Drupal is limited to picking from a subset of alphanumeric characters and defaults to a length of ten characters, while password managers like 1Password let you generate strings that include control characters and can be much longer (1Password lets you go up to 50 characters).

I didn't say that you have to

Posted by killes@www.drop.org on September 19, 2015 at 1:34pm

I didn't say that you have to use the core function, but yeah, it could be improved.

Some possibilities

Posted by damienmckenna on September 19, 2015 at 2:37pm

it seems there are a number of issues related to this:

With some improvements to core this could be a really good option.

Nice! I admit I wondered why

Posted by killes@www.drop.org on September 24, 2015 at 4:41pm

Nice!

I admit I wondered why this wouldn't exist and probably didn't really search.

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /