Scanner for PHP.ini
The Iniscan is a tool designed to scan the given php.ini file for common security practices and report back results. Currently, it is only for use on the command line and reports the results back to the display for both Pass and Fail on each test.
composer require psecio/iniscan
The only current dependency is the Symfony console.
Global Composer installation
Additionally, you can install it outside of a project with the
global functionality Composer provides. From any directory you can use:
$ ./composer.phar global require psecio/iniscan $ ~/.composer/vendor/bin/iniscan
Using a single Phar file
First make sure you run composer.phar install
curl -LSs https://box-project.github.io/box2/installer.php | php php box.phar build
This should result in an iniscan.phar file being created in the root folder. Instead of using
vendor/bin/iniscan in the examples use
Command line usage
Iniscan offers a few commands for both checking and showing the contents of your php.ini.
scan command will be the most used – it runs the rules checks against the given ini file and reports back the results. For example:
vendor/bin/iniscan scan --path=/path/to/php.ini
If the path is omitted, iniscan will try to find it based off the current configuration (a “php -i” call). By default, this reports back both the pass and fail results of the checks. If you’d like to only return the failures, you can use the
vendor/bin/iniscan scan --path=/path/to/php.ini --fail-only
scan command will return an exit code based on the results:
- 0: No errors
- 1: Failures found
Scan Level Threshold
You can request the only scan for rules that are on or above a threshold:
vendor/bin/iniscan scan --path=/path/to/php.ini --threshold=ERROR
There are 3 levels you can use:
- FATAL (No rules uses that level at the moment)
show command lists out the contents of your
php.ini file with a bit of extra formatting.
vendor/bin/iniscan show --path=/path/to/php.ini
list-tests command shows a listing of the current rules being checked and their related php.ini key.
By default iniscan will output information directly to the console in a human-readable result. You can also specify other output formats that may be easier to parse programatically (like JSON). Use the
--format option to change the output:
vendor/bin/iniscan show --path=/path/to/php.ini --format=json
list-tests command also supports JSON output:
vendor/bin/iniscan list-tests --path=/path/to/php.ini --format=json
NOTE: Currently, only the
scan command supports alternate output formats – console, JSON, XML and HTML.
The HTML output option requires an
--output option of the directory to write the file:
vendor/bin/iniscan scan --format=html --output=/var/www/output
The result will be written to a file named something like
The scanner also supports the concept of “contexts” – environments you may be executing the scanner in. For example, in your development environment, it may be okay to have
display_errors on. In production, however, this is a bad idea. The scanner’s default assumes you’re using it in prod, so it uses the strictest checks unless you tell it otherwise. To do so, use the
context command line option:
vendor/bin/iniscan show --path=/path/to/php.ini --context=dev
In this case, we’ve told it we’re running in dev, so anything that specifically mentions “prod” isn’t executed.
Copyright (c) 2013 Chris Cornutt