From 4a4722a30c24a556e382581c2ce8df432a5bae33 Mon Sep 17 00:00:00 2001
From: iglocska <andras.iklody@gmail.com>
Date: Fri, 5 Mar 2021 12:20:39 +0100
Subject: [PATCH] chg: [security audit] removed sharing group recommendation
 and fixed grammar

- the hide sharing group org setting is actively harmful, we should definitely not promote it
---
 app/Lib/Tools/SecurityAudit.php | 60 +++++++++++++++++++--------------
 1 file changed, 35 insertions(+), 25 deletions(-)

diff --git a/app/Lib/Tools/SecurityAudit.php b/app/Lib/Tools/SecurityAudit.php
index 1d87b221b..6a32a32c5 100644
--- a/app/Lib/Tools/SecurityAudit.php
+++ b/app/Lib/Tools/SecurityAudit.php
@@ -40,7 +40,7 @@ class SecurityAudit
 
         $passwordPolicyLength = Configure::read('Security.password_policy_length') ?: $server->serverSettings['Security']['password_policy_length']['value'];
         if ($passwordPolicyLength < 8) {
-            $output['Password'][] = ['error', __('Minimum password length is set to %s, that too short.', $passwordPolicyLength)];
+            $output['Password'][] = ['error', __('Minimum password length is set to %s, it is highly advised to increase it.', $passwordPolicyLength)];
         } elseif ($passwordPolicyLength < 12) {
             $output['Password'][] = ['warning', __('Minimum password length is set to %s, consider raising to at least 12 characters.', $passwordPolicyLength)];
         }
@@ -54,20 +54,20 @@ class SecurityAudit
         if (!empty(Configure::read('Security.auth')) && !Configure::read('Security.auth_enforced')) {
             $output['Login'][] = [
                 'hint',
-                __('External authentication is enabled, but local accounts will still work. You can disable logging with local accounts by setting `Security.auth_enforced` to `true`.'),
+                __('External authentication is enabled, but local accounts will still work. You can disable the ability to log in via local accounts by setting `Security.auth_enforced` to `true`.'),
             ];
         }
 
         if (empty(Configure::read('Security.disable_browser_cache'))) {
             $output['Browser'][] = [
                 'warning',
-                __('Browser cache is enabled. Attacker can obtain sensitive data from user cache. You can disable cache by setting `Security.disable_browser_cache` to `true`.'),
+                __('Browser cache is enabled. An attacker could obtain sensitive data from the user cache. You can disable the cache by setting `Security.disable_browser_cache` to `true`.'),
             ];
         }
         if (empty(Configure::read('Security.check_sec_fetch_site_header'))) {
             $output['Browser'][] = [
                 'warning',
-                __('MISP server is not checking `Sec-Fetch` HTTP headers. This is protection against CSRF for moder browsers. You can enable this checks by setting `Security.check_sec_fetch_site_header` to `true`.'),
+                __('The MISP server is not checking `Sec-Fetch` HTTP headers. This is a protection mechanism against CSRF used by modern browsers. You can enable this check by setting `Security.check_sec_fetch_site_header` to `true`.'),
             ];
         }
         if (empty(Configure::read('Security.csp_enforce'))) {
@@ -77,50 +77,57 @@ class SecurityAudit
                 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP',
             ];
         }
-        if (Configure::read('Security.disable_form_security')) {
-            $output['Browser'][] = ['error', __('Disabling form security is never a good idea.')];
+        if (!env('HTTPS') && strpos(Configure::read('MISP.baseurl'), 'https://') === 0) {
+            $output['Browser'][] = [
+                'error',
+                __('MISP base URL is set to https://, but MISP thinks that the connection is insecure. This usually happens when a server is running behind a reverse proxy. By setting `Security.force_https` to `true`, session cookies will be set as Secure and CSP headers will upgrade insecure requests.'),
+            ];
+        }
+        $sessionConfig = Configure::read('Session');
+        if (isset($sessionConfig['ini']['session.cookie_secure']) && !$sessionConfig['ini']['session.cookie_secure']) {
+            $output['Browser'][] = ['error', __('Setting session cookies as not secure is never a good idea.')];
         }
 
         if (empty(Configure::read('Security.advanced_authkeys'))) {
-            $output['Auth Key'][] = ['warning', __('Consider enabling Advanced Auth Keys, that provides higher security.')];
+            $output['Auth Key'][] = ['warning', __('Consider enabling Advanced Auth Keys, they provide increased security by only storing the API key hashes.')];
         }
         if (Configure::read('Security.allow_unsafe_apikey_named_param')) {
-            $output['Auth Key'][] = ['error', __('It is possible to pass API key in URL, so the key can be logged by proxies.')];
+            $output['Auth Key'][] = ['error', __('It is possible to pass API keys via the URL, meaning that the keys can be logged by proxies.')];
         }
         if (empty(Configure::read('Security.do_not_log_authkeys'))) {
-            $output['Auth Key'][] = ['warning', __('Auth Key logging is not disabled. Auth Keys in cleartext can be visible in Audit log.')];
+            $output['Auth Key'][] = ['warning', __('Auth Key logging is not disabled. Auth Keys in cleartext can be visible in the Audit log.')];
         }
 
         $salt = Configure::read('Security.salt');
         if (empty($salt)) {
             $output['Security salt'][] = ['error', __('Salt is not set.')];
         } else if (strlen($salt) < 32) {
-            $output['Security salt'][] = ['warning', __('Salt is too short, should contains at least 32 characters.')];
+            $output['Security salt'][] = ['warning', __('Salt is too short, should contain at least 32 characters.')];
         } else if ($salt === "Rooraenietu8Eeyo<Qu2eeNfterd-dd+") {
-            $output['Security salt'][] = ['error', __('Salt is set to default value.')];
+            $output['Security salt'][] = ['error', __('Salt is set to the default value.')];
         }
 
         if (empty(Configure::read('MISP.log_client_ip'))) {
             $output['Logging'][] = ['warning', __('Logging client IP in audit log is disabled. Logging IP address can help to solve potential security breaches.')];
         }
         if (empty(Configure::read('MISP.log_user_ips'))) {
-            $output['Logging'][] = ['warning', __('Logging client IP in Redis is disabled. Logging IP address can help to solve potential security breaches.')];
+            $output['Logging'][] = ['warning', __('Logging client IP in Redis is disabled. Logging IP addresses can help investigate potential security breaches.')];
         }
         if (Configure::read('MISP.log_user_ips') && Configure::read('Security.advanced_authkeys') && empty(Configure::read('MISP.log_user_ips_authkeys'))) {
             $output['Logging'][] = [
                 'hint',
-                __('You can enable advanced logging of authkey usage by setting `MISP.log_user_ips_authkeys` to `true`.'),
+                __('You can enable the logging of advanced authkeys by setting `MISP.log_user_ips_authkeys` to `true`.'),
             ];
         }
         if (empty(Configure::read('Security.username_in_response_header'))) {
             $output['Logging'][] = [
                 'hint',
-                __('Passing user information to response headers is disabled. This can be useful for logging user info at reverse proxy level. You can enable that by setting `Security.username_in_response_header` to `true`.'),
+                __('Passing user information to response headers is disabled. This can be useful for logging user info at the reverse proxy level. You can enable it by setting `Security.username_in_response_header` to `true`.'),
             ];
         }
 
         if (empty(Configure::read('MISP.attachment_scan_module'))) {
-            $output['Attachment scanning'][] = ['hint', __('Module for scanning attachment for viruses is not defined.')];
+            $output['Attachment scanning'][] = ['hint', __('No module for scanning attachments for viruses is currently defined.')];
         }
 
         if (Configure::read('debug')) {
@@ -139,7 +146,7 @@ class SecurityAudit
         if (Configure::read('Security.rest_client_enable_arbitrary_urls')) {
             $output['REST client'][] = [
                 'hint',
-                __('Users can use REST client to query any remote URL. This is generally not a good idea if your instance is public.')
+                __('Users can use the REST client to query any remote URL. This is generally not a good idea if your instance is public.')
             ];
         }
 
@@ -165,6 +172,8 @@ class SecurityAudit
 
         $this->email($output);
 
+        /*
+         * These settings are dangerous and break both the transparency and potential introduce sync issues
         if (!Configure::read('Security.hide_organisation_index_from_users')) {
             $output['MISP'][] = [
                 'hint',
@@ -177,6 +186,7 @@ class SecurityAudit
                 __('Any user can see list of all organisations in sharing group that user can see. You can disable that by setting `Security.hide_organisations_in_sharing_groups` to `true`. %s', $server->serverSettings['Security']['hide_organisations_in_sharing_groups']['description']),
             ];
         }
+        */
 
         $this->feeds($output);
         $this->remoteServers($output);
@@ -197,19 +207,19 @@ class SecurityAudit
         } else if (version_compare(PHP_VERSION, '7.4.0', '<')) {
             $output['PHP'][] = [
                 'hint',
-                __('PHP version 7.3 will be not supported after 6 Dec 2021. Event after that date can be still supported by your distribution.'),
+                __('PHP version 7.3 will not be supported after 6 Dec 2021. Even beyond that date, it can be still supported by your distribution.'),
                 'https://www.php.net/supported-versions.php'
             ];
         }
         if (ini_get('session.use_strict_mode') != 1) {
             $output['PHP'][] = [
                 'warning',
-                __('Session strict mode is disable.'),
+                __('Session strict mode is disabled.'),
                 'https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode',
             ];
         }
         if (empty(ini_get('session.cookie_httponly'))) {
-            $output['PHP'][] = ['error', __('Session cookie is not set as HTTP only. Session cookie can be access from JavaScript.')];
+            $output['PHP'][] = ['error', __('Session cookie is not set as HTTP only. Session cookie can be accessed from JavaScript.')];
         }
         if (!in_array(strtolower(ini_get('session.cookie_samesite')), ['strict', 'lax'])) {
             $output['PHP'][] = [
@@ -325,14 +335,14 @@ class SecurityAudit
         if (!Configure::read('GnuPG.bodyonlyencrypted')) {
             $output['Email'][] = [
                 'hint',
-                __('Full email body with all event information will be send even without encryption.')
+                __('Full email body with all event information will be sent, even without encryption.')
             ];
         }
 
         if ($canSignPgp && !Configure::read('GnuPG.obscure_subject')) {
             $output['Email'][] = [
                 'hint',
-                __('Even for encrypted emails, email subject will be send unencrypted. You can change that behaviour by setting `GnuPG.obscure_subject` to `true`.'),
+                __('Even for encrypted emails, the email subject will be sent unencrypted. You can change that behaviour by setting `GnuPG.obscure_subject` to `true`.'),
             ];
         }
 
@@ -357,7 +367,7 @@ class SecurityAudit
             if ($diffDays > 300) {
                 $output['System'][] = [
                     'warning',
-                    __('Kernel build time is since %s days ago. This usually means that the system kernel is not updated.', $diffDays),
+                    __('Kernel build time was s days ago. This usually means that the system kernel is not updated.', $diffDays),
                 ];
             }
         }
@@ -394,7 +404,7 @@ class SecurityAudit
             } else if (version_compare($parts[1], '3.7', '<')) {
                 $output['System'][] = [
                     'hint',
-                    __('You are using Python %s. This version will be not supported after 23 Dec 2021, but it can be still supported by your distribution.', $parts[1]),
+                    __('You are using Python %s. This version will not be supported beyond 23 Dec 2021, but it can be that it is still supported by your distribution.', $parts[1]),
                     'https://endoflife.date/python',
                 ];
             }
@@ -406,7 +416,7 @@ class SecurityAudit
             if (in_array($ubuntuVersion, ['14.04', '19.10'])) {
                 $output['System'][] = [
                     'warning',
-                    __('You are using Ubuntu %s. This version doesn\'t have security support anymore.', $ubuntuVersion),
+                    __('You are using Ubuntu %s. This version doesn\'t receive security support anymore.', $ubuntuVersion),
                     'https://endoflife.date/ubuntu',
                 ];
             } else if (in_array($ubuntuVersion, ['16.04'])) {
@@ -490,7 +500,7 @@ class SecurityAudit
         $command = implode(' ', $command);
         $process = proc_open($command, $descriptorspec, $pipes);
         if (!$process) {
-            throw new Exception("Command '$command' could be started.");
+            throw new Exception("Command '$command' could not be started.");
         }
 
         $stdout = stream_get_contents($pipes[1]);