Production checklist (megatask)
As per the ACSC Guidelines for Software Development (ISM): development and modification of software only takes place in development environments, i.e. no config changes or development work on production.

- Disable/block user 1 (the uid 1 account bypasses all permission checks); use named administrator accounts with assigned roles instead
- Uninstall unnecessary functionality, plugins and dev-only modules (eg Field UI, Views UI, Forms UI, devel, etc)
- Install and enable the config_readonly module ($settings['config_readonly'] = TRUE; in settings.php) so that no config changes can be made on prod; all changes go through dev, then deploy and config import
- Disable detailed debug/error messages (system.logging error_level set to hide; errors are still written to the log, just not shown to visitors)
- Uninstall DBLog and enable Syslog; ship logs to a centralised logging platform with alerting configured
- Specific files and folders: prevent disclosure of information by removing from the deploy artifact, or denying web access to, Drupal's default text files and maintenance scripts (eg CHANGELOG.txt, INSTALL.txt, LICENSE.txt, UPGRADE.txt, update.php, install.php, cron.php, etc; under core/ in Drupal 8+), as they disclose the exact core version and debug/versioning information (see OWASP WSTG-INFO-08 below)
Final check:
TODO: add more items to this list as required, eg configure CDN, uptime monitoring, traffic monitoring, etc
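An offline check for the items above that can be run against a build before it is deployed, added here as an example script (not part of Drupal or of this project's own tooling). It assumes the Drupal 8+ layout: exported config in a sync directory containing core.extension.yml and system.logging.yml, sites/default/settings.php under the docroot, and the default text files under core/. The module list in DEV_MODULES and the fixture built by build_fixture() are constructed sample data for demonstration.

```python
"""Offline audit of a Drupal build against the production checklist.

Added example, not project code. Assumes the Drupal 8+ layout described
in the lead-in; build_fixture() creates constructed sample data only.
"""
import re
import tempfile
from pathlib import Path

# Modules that must not be enabled on prod: dev-only UI/debug modules,
# plus dblog because the checklist wants syslog instead (assumed list).
DEV_MODULES = {"field_ui", "views_ui", "devel", "devel_generate",
               "webprofiler", "dblog"}

# Default files that disclose the core version or debug information
# (WSTG-INFO-08). Each is checked at docroot/<name> and docroot/core/<name>.
DISCLOSURE_FILES = ["CHANGELOG.txt", "INSTALL.txt", "LICENSE.txt",
                    "UPGRADE.txt", "MAINTAINERS.txt",
                    "install.php", "update.php", "cron.php"]


def enabled_modules(core_extension_yml: str) -> set[str]:
    """Return the module names under the top-level 'module:' key.

    Minimal parser for the flat 'name: weight' mapping Drupal exports,
    so the script does not need PyYAML on the build host.
    """
    modules, in_block = set(), False
    for line in core_extension_yml.splitlines():
        if not line.startswith(" "):            # a new top-level key
            in_block = line.startswith("module:")
            continue
        if in_block:
            m = re.match(r"\s+([a-z0-9_]+):", line)
            if m:
                modules.add(m.group(1))
    return modules


def audit(docroot: Path, config_dir: Path) -> list[str]:
    """Return a list of findings; an empty list means all checks passed."""
    findings = []

    enabled = enabled_modules((config_dir / "core.extension.yml").read_text())
    for mod in sorted(enabled & DEV_MODULES):
        findings.append(f"dev-only or unwanted module enabled: {mod}")
    if "syslog" not in enabled:
        findings.append("syslog module not enabled")

    logging_cfg = (config_dir / "system.logging.yml").read_text()
    m = re.search(r"^error_level:\s*(\S+)", logging_cfg, re.M)
    level = m.group(1) if m else "unset"
    if level != "hide":
        findings.append(f"error_level is {level!r}, expected 'hide'")

    settings = (docroot / "sites/default/settings.php").read_text()
    if not re.search(r"\$settings\['config_readonly'\]\s*=\s*TRUE\s*;", settings):
        findings.append("config_readonly not enabled in settings.php")

    for name in DISCLOSURE_FILES:
        for p in (docroot / name, docroot / "core" / name):
            if p.exists():
                findings.append(f"disclosure file present: {p.relative_to(docroot)}")
    return findings


def build_fixture(hardened: bool) -> tuple[Path, Path]:
    """Create a throw-away Drupal-like tree (constructed sample data).

    hardened=False mimics a dev site promoted to prod as-is;
    hardened=True mimics a site that followed the checklist.
    """
    root = Path(tempfile.mkdtemp())
    docroot, config = root / "web", root / "config" / "sync"
    (docroot / "sites/default").mkdir(parents=True)
    (docroot / "core").mkdir()
    config.mkdir(parents=True)

    modules = ["block", "node", "user", "views"]
    modules += ["syslog"] if hardened else ["dblog", "devel", "field_ui", "views_ui"]
    (config / "core.extension.yml").write_text(
        "_core:\n  default_config_hash: abc\n"
        "module:\n" + "".join(f"  {m}: 0\n" for m in modules)
        + "profile: standard\ntheme:\n  olivero: 0\n")
    (config / "system.logging.yml").write_text(
        f"error_level: {'hide' if hardened else 'verbose'}\n")

    settings = "<?php\n$databases = [];\n"
    if hardened:
        settings += "$settings['config_readonly'] = TRUE;\n"
    (docroot / "sites/default/settings.php").write_text(settings)

    if not hardened:   # leftover version-disclosing files
        (docroot / "core/CHANGELOG.txt").write_text("Drupal 10.x.y, 2024-01-01\n")
        (docroot / "update.php").write_text("<?php\n")
    return docroot, config


if __name__ == "__main__":
    for hardened in (False, True):
        print(f"hardened={hardened}:")
        for finding in audit(*build_fixture(hardened)) or ["OK"]:
            print("  -", finding)
```

Point audit() at the real docroot and config sync directory in the CI job that produces the deploy artifact and fail the build on any finding. User 1 is account data rather than exported config, so that item is not covered here and still needs a manual or drush-based check.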
Refs:
- Drupal: https://www.drupal.org/docs/develop/security
- ACSC: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/web-hardening/securing-content-management-systems
- OWASP: WSTG-INFO-08: Fingerprint Web Application Framework: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework
Edited by Janna