Guardr logo for the Guardr Drupal distribution

Guardr is a Drupal distribution with a combination of modules and settings to enhance a Drupal application's security and availability to meet enterprise security requirements.

Guardr follows the CIA information security triad: confidentiality, integrity and availability. From Wikipedia:

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.

We've worked with the security departments of various US national banks and corporations, ones with names you would recognize, along with taking security standards from studying in the CSSLP and CISSP to not only pick out some great hardening modules, but to configure them during the profile install with hardened settings.

A default Guardr install will make your users pick passwords that won't be in a dictionary (password_policy). It'll keep more logs than Drupal basic (1,000,000 instead of 1,000), not only standard watchdog logs, but role changes for users, too (role_watchdog). It won't let your browser save the password (clear_password_field). It'll warn you when your disk is about to fill up to prevent a DoS (diskfree), hide fatal errors (hide_php_fatal_error), and remove the generator META tag (remove_generator). The Paranoia module prevents even your administrators from enabling the PHP input filter. Just in case your users create Views that list users, Username Enumeration Prevention will help prevent a list of your users being exposed to the Internet without your knowledge.

Guardr goes beyond just adding some selected contrib modules by changing the default email notifications to remove references to user names and user IDs. That way any intercepted email isn't as helpful to whoever did a MITM on your email. We even change the defaults on checking for updates to Drupal modules because Drupal should check for security updates by default. It disables displaying errors by default rather than outputting them by default because you should have to opt-in to getting debug information. Users also get blocked from creating new accounts on a Guardr site by default; administrators are the only ones who can create accounts until the administrator switches the site to public signups.

If that paranoia wasn't enough, it goes as far as to add additional documentation to settings.php to show how you can configure Drupal to connect to MySQL over SSL, though additional SSL configuration is required for generating certificates between your web and database servers.

Join us on IRC in channel #drupal-guardr at irc.freenode.net
Follow Guardr on Twitter!

Guardr for Drupal 8 is being actively developed using Composer as the build process. Help out in the 8.x issue queue. Also, follow progress on the D7 to D8 module crosswalk plan.

Supporting organizations: 

Project Information

Downloads