lynis 2.0 expose_php false detection ? about lynis HOT 5 CLOSED

also my additional .ini files registered by PHP configscandir compile option

php --ini
Configuration File (php.ini) Path: /usr/local/lib
Loaded Configuration File:         /usr/local/lib/php.ini
Scan for additional .ini files in: /etc/centminmod/php.d
Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
/etc/centminmod/php.d/curlcainfo.ini,
/etc/centminmod/php.d/zendopcache.ini

you could add that to array of .ini files you check for php.ini which you grep for any checked php variables like expose_php and make sure those get higher priority over php.ini as they would potentially override php.ini values ?

although simple

php -i | grep expose

would be easier

from lynis.

how to set "expose_php = Off" in Debian server ?

from lynis.

Correction to initial bug report, php.d/*.ini has nothing to do with PHP-FPM. That is what php-fpm.d/*.conf is for.

What's going on here is similar to psecio/iniscan#82 where PHP settings can be defined in additional .ini files in php.d/*.ini, and/or defined per site pool in PHP-FPM config files in php-fpm.d/*.conf.

php -i | grep expose

Will work for the .ini files overriding the master php.ini values, but will not work to check values set via the PHP-FPM .conf files. At least via commandline.

from lynis.

This item is "on hold", as it is hard to parse them properly. We will do more research later, to see if we can create a reliable way to parse different PHP configurations and keep the versions in mind as well.

from lynis.

Closing this issue, to clean up a little bit. Right now, no changes are made to the PHP scanning logic, as it needs a rewrite.

from lynis.