
lynis 2.0 expose_php false detection ? #27

Closed
centminmod opened this issue Mar 9, 2015 · 5 comments

@centminmod

I ran Lynis 2.0 on a CentOS 7 server installed with my custom CentminMod.com LEMP stack, where Nginx and PHP-FPM are compiled from source.

Lynis detects and reports expose_php as ON while in fact it is OFF:

    [+] PHP
------------------------------------
  - Checking PHP                                              [ FOUND ]
    - Checking PHP disabled functions                         [ FOUND ]
    - Checking expose_php option                              [ ON ]
    - Checking enable_dl option                               [ OFF ]
    - Checking allow_url_fopen option                         [ ON ]
    - Checking allow_url_include option                       [ OFF ]

Check PHPINFO:

php -i | grep expose
expose_php => Off => Off

The PHP-FPM install has custom settings in the config scan dir defined at PHP compile time:

cat /etc/centminmod/php.d/a_customphp.ini

date.timezone = UTC
max_execution_time = 60
short_open_tag = On
realpath_cache_size = 8192k
realpath_cache_ttl = 600
upload_max_filesize = 20M
memory_limit = 160M
post_max_size = 20M
expose_php = Off
mail.add_x_header = Off
max_input_nesting_level = 128
max_input_vars = 2000
mysqlnd.net_cmd_buffer_size = 16384

This overrides the expose_php value set in the default php.ini:

grep expose_php /usr/local/lib/php.ini
expose_php = On

So maybe extend the check to grep the php -i output?

php -i | grep expose
@centminmod
Author

Also, my additional .ini files are registered by the PHP configscandir compile option:

php --ini
Configuration File (php.ini) Path: /usr/local/lib
Loaded Configuration File:         /usr/local/lib/php.ini
Scan for additional .ini files in: /etc/centminmod/php.d
Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
/etc/centminmod/php.d/curlcainfo.ini,
/etc/centminmod/php.d/zendopcache.ini

You could add those to the array of .ini files you check (alongside php.ini) and grep them for any checked PHP variables like expose_php, making sure they get higher priority over php.ini, as they would potentially override php.ini values?

Although simply running

php -i | grep expose

would be easier.

@adisatria

How do I set "expose_php = Off" on a Debian server?

@quantumpacket
Contributor

Correction to initial bug report, php.d/*.ini has nothing to do with PHP-FPM. That is what php-fpm.d/*.conf is for.

What's going on here is similar to psecio/iniscan#82 where PHP settings can be defined in additional .ini files in php.d/*.ini, and/or defined per site pool in PHP-FPM config files in php-fpm.d/*.conf.

php -i | grep expose

This will work for the .ini files overriding the master php.ini values, but will not work to check values set via the PHP-FPM .conf files, at least via the command line.
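To make the precedence discussed in this thread concrete, here is an added example (not Lynis code and not from the issue author) that resolves the effective value of a directive such as expose_php across the master php.ini, the scan directory, and a PHP-FPM pool file; the sample files it creates are constructed to mirror the layout in the report.

```shell
#!/bin/sh
# Added example, not Lynis code: resolve the effective value of a PHP ini directive
# from the sources discussed in this thread, in the order PHP applies them:
#   1. the master php.ini; 2. *.ini files in the scan directory (alphabetical, later wins);
#   3. the php-fpm pool file, whose php_value/php_flag/php_admin_* entries override the
#      rest for that pool and are invisible to "php -i" on the command line.
# All file paths are constructed samples, not a real installation.

# Last value of "DIRECTIVE = value" in ini-style file $1; empty when not set.
ini_lookup() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Last pool override such as "php_admin_flag[DIRECTIVE] = off" in pool file $1.
pool_lookup() {
    sed -n "s/^[[:space:]]*php_[a-z_]*\[$2][[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Map the spellings PHP accepts (On/1/true/yes, quoted or not) to on/off.
normalize() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '"')" in
        1|on|true|yes) echo on ;;
        *) echo off ;;
    esac
}

# effective_value DIRECTIVE PHP_INI SCAN_DIR [POOL_FILE] -> on | off | unset
effective_value() {
    v=$(ini_lookup "$2" "$1")
    for f in "$3"/*.ini; do                 # glob order is alphabetical, like PHP's scan
        [ -f "$f" ] || continue
        o=$(ini_lookup "$f" "$1")
        if [ -n "$o" ]; then v=$o; fi
    done
    if [ -n "$4" ]; then
        o=$(pool_lookup "$4" "$1")
        if [ -n "$o" ]; then v=$o; fi
    fi
    if [ -z "$v" ]; then echo unset; else normalize "$v"; fi
}

# Constructed sample files reproducing the layout from the report.
demo=$(mktemp -d)
mkdir "$demo/php.d" "$demo/php-fpm.d"
printf 'expose_php = On\n' > "$demo/php.ini"
printf 'memory_limit = 160M\nexpose_php = Off\n' > "$demo/php.d/a_customphp.ini"
printf '[www]\nphp_admin_flag[expose_php] = on\n' > "$demo/php-fpm.d/www.conf"
echo "www pool: $(effective_value expose_php "$demo/php.ini" "$demo/php.d" "$demo/php-fpm.d/www.conf")"
```

Run against a real host by pointing the arguments at the paths reported by `php --ini` and at each file in the php-fpm.d directory; a pool result that differs from `php -i` is exactly the case the command-line check misses.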

@mboelen
Member

mboelen commented Sep 16, 2015

This item is "on hold", as it is hard to parse them properly. We will do more research later, to see if we can create a reliable way to parse different PHP configurations and keep the versions in mind as well.

@mboelen
Member

mboelen commented Aug 11, 2016

Closing this issue, to clean up a little bit. Right now, no changes are made to the PHP scanning logic, as it needs a rewrite.

@mboelen mboelen closed this as completed Aug 11, 2016