This project is not covered by Drupal’s security advisory policy.

This module does not protect your site's file integrity. Only you can do that, by configuring the site correctly and by not installing insecure software. What the module can do is check a Drupal site for file integrity breaches after the fact.

This module lets the site maintainer “fingerprint” an entire site (except the files below the public:// upload directory) when it is in an untainted state. It can then be configured to periodically compare the site to this “fingerprint”, and report the following:

  • modified files and directories;
  • potential back-doors (files added to the site);
  • files removed from the site;
  • files writeable by the web-server.

This module should only be used on a stable production site, where the file tree is not expected to change between deployments, to alert the site maintainer as a first line of defence against file integrity breaches.
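The fingerprint-and-compare loop described above, as an added example written for this page; it is not code from the File integrity check module. It assumes that the public:// upload directory maps to sites/default/files and that the web server runs as a member of the site's group, so any group- or world-writable entry is counted as web-server writable. The toy docroot it builds for the demo is constructed here, not a real Drupal tree.

```python
"""Minimal file-integrity fingerprint for a Drupal docroot (added example).
Assumptions: public:// lives at sites/default/files; the web server is a member
of the site's group, so mode bits 020/002 mean 'writable by the web server'."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

PUBLIC_FILES = "sites/default/files"  # assumed location of public://


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fingerprint(root, exclude=(PUBLIC_FILES,)):
    """Map every directory, file and symlink under root (minus the excluded
    subtrees) to its permission bits and, for regular files, its SHA-256."""
    root = Path(root)
    skip = {root / e for e in exclude}
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # pruning dirnames in place stops os.walk from descending into public://
        dirnames[:] = sorted(d for d in dirnames if here / d not in skip)
        snap[here.relative_to(root).as_posix()] = {
            "type": "dir", "mode": stat.S_IMODE(here.stat().st_mode)}
        for name in sorted(filenames):
            p = here / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():  # record the target; a re-pointed link is a change
                snap[rel] = {"type": "symlink", "target": os.readlink(p)}
            else:
                snap[rel] = {"type": "file",
                             "mode": stat.S_IMODE(p.stat().st_mode),
                             "sha256": sha256_file(p)}
    return snap


def webserver_writable(snap):
    """Entries with the group- or world-write bit set (mode & 0o022)."""
    return sorted(p for p, e in snap.items() if e.get("mode", 0) & 0o022)


def compare(baseline, current):
    """Diff two fingerprints into the four categories listed above."""
    report = {"modified": [], "added": [], "removed": [],
              "writable": webserver_writable(current)}
    for path, entry in current.items():
        old = baseline.get(path)
        if old is None:
            report["added"].append(path)      # new file: potential back-door
        elif old != entry:                    # content, mode or type changed
            report["modified"].append(path)
    report["removed"] = sorted(set(baseline) - set(current))
    report["added"].sort()
    report["modified"].sort()
    return report


def save_fingerprint(snap, path):
    # store this outside the docroot: whoever can write there can rewrite it too
    Path(path).write_text(json.dumps(snap, sort_keys=True, indent=1))


def load_fingerprint(path):
    return json.loads(Path(path).read_text())


def build_demo_site(root=None):
    """Constructed toy docroot for the demo (not a real Drupal tree)."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    for d in ("modules/custom", PUBLIC_FILES):
        (root / d).mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'autoload.php';\n")
    (root / "modules/custom/hello.module").write_text("<?php // hello\n")
    (root / PUBLIC_FILES / "photo.jpg").write_bytes(b"\xff\xd8 fake jpeg")
    for p in root.rglob("*"):                 # the recommended 750 / 640 layout
        os.chmod(p, 0o750 if p.is_dir() else 0o640)
    return root


def demo():
    root = build_demo_site()
    baseline = fingerprint(root)
    # simulate an intrusion: edit a core file, drop a world-writable PHP file,
    # delete a module, while the upload directory changes are ignored
    (root / "index.php").write_text("<?php require 'autoload.php'; // edited\n")
    (root / "shell.php").write_text("<?php // file dropped outside a deployment\n")
    os.chmod(root / "shell.php", 0o666)
    (root / "modules/custom/hello.module").unlink()
    (root / PUBLIC_FILES / "new-upload.jpg").write_bytes(b"\xff\xd8")
    return compare(baseline, fingerprint(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run once on a clean deployment, keep the JSON somewhere the web server cannot write (or sign it), and re-run the compare from cron; any non-empty list is a finding. On a real site the hashing step is what makes large trees slow, which is the limitation noted below.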

Limitations

The module, as currently designed, is less suitable for large sites. It works well for sites with fewer than 6000 files, but becomes less usable if the site is larger than this. See README.md for details.

Notice

File integrity check considers having files (outside of the public:// upload directory) writable by the web-server a security hazard, and will warn about such files during fingerprinting. If you're installing this module for the first time, make sure this has been fixed before you fingerprint the site for the first time. (File integrity check will produce a lot of warnings if you don't do this.)

Explanation: Having executable PHP files writable by the web-server is a major security hazard. It means that anyone who manages to compromise the web-server process (for example through a vulnerable module or a misconfiguration) can write PHP into the site and have it executed, escalating a limited foothold into a PHP-injection attack and persistent code execution. The web-server has a very large attack surface, so it is one of the easiest targets for attackers going after a Drupal site.

I recommend that the files that are part of Drupal are not owned by the web-server user but by some other user (for example the site owner), and that they are readable but not writeable by the web-server group (mode bits 640; directories need the execute bit for traversal, so 750 for them). For example (joe is the site owner and www-data is the web-server group):

-rw-r-----   joe www-data   index.php
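The ownership and mode recommendation above, applied to a whole docroot, as an added example written for this page (not a script shipped with the module). It assumes the public:// upload directory is sites/default/files, which is left untouched because the web server must write there, and that the web server runs as a member of GROUP. The function names harden_docroot and list_webserver_writable are this example's own.

```sh
#!/bin/sh
# Added example: apply owner:group and 750/640 to a Drupal docroot, then list
# what is still writable by the web server. Assumes public:// is at
# sites/default/files and that the web server belongs to GROUP.

# Usage: harden_docroot DOCROOT OWNER GROUP
#   e.g. harden_docroot /var/www/site joe www-data   (run as root, or as OWNER)
harden_docroot() {
    docroot=${1%/}; owner=$2; group=$3
    uploads="$docroot/sites/default/files"
    # owner:group on everything except the upload tree
    find "$docroot" -path "$uploads" -prune -o -exec chown "$owner:$group" {} +
    # directories 750 (web server may traverse and list), files 640 (read-only)
    find "$docroot" -path "$uploads" -prune -o -type d -exec chmod 750 {} +
    find "$docroot" -path "$uploads" -prune -o -type f -exec chmod 640 {} +
}

# Print every path outside the upload tree with the group- or world-write bit
# set. -perm /022 is GNU find syntax; BSD find spells it -perm +022.
list_webserver_writable() {
    docroot=${1%/}
    find "$docroot" -path "$docroot/sites/default/files" -prune -o -perm /022 -print
}
```

Run list_webserver_writable before fingerprinting for the first time; an empty result means the module will not flood you with writable-file warnings. Remember that settings.php is under sites/default, not under the upload directory, so it is covered by the 640 rule and should stay that way.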

Requirements

Recommended modules

  • Advanced Help:
    When this module is enabled, the project's README.md may be displayed on the screen.
  • Markdown filter:
    When this module is enabled, display of the project's README.md will be rendered with the markdown filter.

Similar projects

The following projects may be applied to use cases that are similar to the use case this module was designed to handle:

  • Hacked!:
This module differs from the File integrity module by not being designed to be used on a production site to perform automatic and periodic checks. Instead, it verifies the integrity of core and modules on demand by downloading an untainted copy from Drupal.org and comparing. Note that it will not detect back-doors (files that are not part of any project it can download).
  • MD5 Check:
This module differs from the File integrity module by only monitoring the directories of installed modules, and by comparing the current version to the previous one instead of comparing to a saved “fingerprint”. It does not send email, but logs potential integrity breaches using watchdog.
  • Raven: Sentry Integration:
    This bridge module provides integration with Sentry, an open-source application monitoring and error tracking platform, allowing your Drupal site to send log events and performance traces to Sentry.
  • Git:
    This is not a Drupal module. It is a general source control system that may also be used to monitor changes to a set of files.
  • inotify-tools:
    This is not a Drupal module, but a C library and a set of CLI-tools that can be used to monitor and act upon filesystem events.
Supporting organizations: 
sponsored development of the Drupal 7 version.
