Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Tue Jan 30, 2007 10:22 am
by RussW
Folks

First release of what I hope is a useful little tool for Pre- and Post- Installation Joomla! v1.0 trouble-shooting. Joomla! Health, Installation and Security Audit (HISA)

Overview:
Following the success of WebSmurfs' "Joomla! Diagnostic Tool" it got me thinking and I figured that many of the Forum questions come from basic Web-Serving environment questions and many of the issues come from mis-configured PHP instances, therefore maybe some basic Post- (and Pre-) Installation tools might help.

Hence, HISA was kind of born (well with my coding capabilities, more like threw itself on the keyboard and committed hari-kari!) A very simple hack of the Web-Installer (index.php, the nice bits of code are original core team, the nasty bits are mine. Hope you guys don't mind me butchering your code!) to provide a self-contained, all-in-one tool script providing the following functionality;

    * Pre-Installation Environment Audit
    * Existing Installation Environment Audit
    * Minimal Environmental Security Auditing

Normal Web-Installer checks are performed, and additional basic Host, Web-Server, PHP, MySQL and Joomla! environmental information is displayed.

Messaging Provisions:
  Warning      : Something needs looking at and resolving.
  Information : Needs to be considered, but not essential.
  Advisory      : Suggestion, recommendation or assistance.
  Good        : Meets Joomla! Installation criteria.


Installation Instructions:
  Post- Joomla! installation : Simply FTP to the Top-Level (same) directory of your Joomla! installation and run from a Web-Browser.
  Pre- Joomla! Installation  : Simply FTP to the Top-Level (same) directory where you intend to install Joomla! and run from a Web-Browser.

Notes:
Printing page breaks have been included to allow for "neat" printing, so end-users can use this to document much of their installation for later reference or for the more Tech Savvy of clients, for those that are developing on behalf of others.


To Download Joomla! HISA
    http://joomlacode.org/gf/project/hisa/

To Download Joomla! Tools Suite
    http://joomlacode.org/gf/project/jts/


Translations:
    English    ( Me, RussW, remember it's Australian English, not American or British ;) )
    Finnish    ( Thanks to Markku )
    Swedish  ( Thanks to Chrille )
    German    ( Thanks to Ghosty )   
    Hungarian ( Thanks to LocaLicer )

Coming Soon To A Joomla! Install Near You!!
  HISA German/Swiss (Thanks to Ghosty) and Swedish (Thanks to Chrille)
   
Stage Two: ( Under Development )
  Joomla! Tools Suite, will include embedded HISA, Websmurfs' Diagnostics, DB Optimise and Admin Password Reset tools. (English, Finnish, Swedish & Swiss)

  Thanks To:
  infograf768, MMMedia, Humvee, rliskey, Markku, Chrille, Ghosty, ot2sen for testing and translations.

Re: Joomla! HISA : Health, Installation and Security Audit Tool

Posted: Tue Jan 30, 2007 10:24 am
by brian
This looks very good indeed. Thanks for the hard work and the contribution to the Joomla Community.

Re: Joomla! HISA : Health, Installation and Security Audit Tool

Posted: Tue Jan 30, 2007 10:50 am
by Moutro
Very nice a must have :)

Re: Joomla! HISA : Health, Installation and Security Audit Tool

Posted: Tue Jan 30, 2007 10:54 am
by RussW
@Moutro

This is a slightly updated version than the one that came out on the Melbourne J! Day, checks for a few more PHP things.

@Brian

Thanks for the kind words, always a pleasure...

Re: Joomla! HISA : Health, Installation and Security Audit Tool

Posted: Tue Jan 30, 2007 10:56 am
by Moutro
Ahh yes, I did find that one useful, but the sum checks were all wrong and I was 100% sure I had the right files. Forge not loading atm for anyone else?

Re: Joomla! HISA : Health, Installation and Security Audit Tool

Posted: Tue Jan 30, 2007 10:57 am
by brian
Forge working for me

Re: Joomla! HISA : Health, Installation and Security Audit Tool

Posted: Tue Jan 30, 2007 11:25 am
by RussW
Forge has been up and down for me tonight, very slow when up though.

Re: Joomla! v1.0 HISA : Health, Installation and Security Audit Tool

Posted: Tue Jan 30, 2007 12:56 pm
by brian
OT: I wonder if it's a routing issue from the southern hemisphere?

Scrap that, it's not working for me now.

Re: Joomla! v1.0 HISA : Health, Installation and Security Audit Tool

Posted: Wed Jan 31, 2007 1:24 pm
by Vince
Very good idea.
Well done to Russ and others involved.
Stage Two: ( Under Development )
  Joomla! Tools Suite, will include embedded HISA, Websmurfs' Diagnostics, DB Optimise and Admin Password Reset tools. (English, Finnish, Swedish & Swiss)
Can't wait for stage 2  :)

- Vince

Re: Joomla! v1.0 HISA : Health, Installation and Security Audit Tool

Posted: Wed Jan 31, 2007 7:35 pm
by elkuku
This MUST be included in J! standard installation / pre-installation check !
Very nice work :)

Just a small add:
Under "Directory and File permissions Check" only directories are listed. Would be great to see not only configuration.php checked, but also index.php, admin/index.php and so on.

thanx again ;)

Re: Joomla! v1.0 HISA : Health, Installation and Security Audit Tool

Posted: Wed Jan 31, 2007 8:28 pm
by RussW
Thanks for the encouraging words folks...  Stage 2, is well under way.... the team is enjoying ironing out the details ....

The HISA StandAlone tool was kind of based originally on the Joomla! Web-Installer, just a bit of an extension. What we saw in the forums was a number of Pre- and Post- Installation issues where sometimes, even the Admin back-end wasn't available to check the settings, so we figured that for Post- Installation a "StandAlone" Tool, not Joomla! integrated was needed.

For those that are new to Joomla! and would like to know if it would run on their hosting account or server, obviously a StandAlone tool would be useful. The addition of reasonably "cute" printing was really an added extra, but we like the idea of being able to document a Joomla! installation to some degree.

If this helps to reduce installation issues or subsequently reduce "Trouble Posts" here, then it is doing its job and making the initial Joomla! experience better for new users.

@elkuku
Thanks for the suggestion, we will look in to it for a later release maybe. At the current time, for HISA, we wanted to keep it as simple as possible, whilst still being as useful as possible. File permissions was a huge output and we didn't see any one or particularly regular same files being corrupted or troublesome to only add specific entries. Will be added to the list though.

Re: Joomla! v1.0 HISA : Health, Installation and Security Audit Tool

Posted: Fri Feb 02, 2007 1:41 am
by RussW
New Documentation released to project;

    Joomla! v1.0 Installation Guide for Unix
    Joomla! v1.0 Trouble-Shooting Guide
    Joomla! v1.5 Beta Installation Guide for Unix


To Download Joomla! HISA & Documentation
    http://forge.joomla.org/sf/frs/do/viewS ... _suite/frs

Re: Joomla! v1.0 HISA : Health, Installation and Security Audit Tool

Posted: Fri Feb 02, 2007 4:36 am
by AmyStephen
Wow! Thank you so very much, Russ!  :)

Re: Joomla! v1.0 HISA : Health, Installation and Security Audit Tool

Posted: Fri Feb 02, 2007 7:16 pm
by eagleshout
Amazing . . . remarkable . . . I love it!!!!

This not only flagged some directory and config.php permissions that were making my site vulnerable, but also revealed info about my host's architecture that could have saved me many hours of waiting for someone savvy enough (at my host) to provide the details I needed to download and install the appropriate version of ioncube loaders.

@RussW: If you're still open to suggestions, it would be great if this could also test and make recommendations for htaccess settings.

Thanks so much!!!!

Re: Joomla! v1.0 HISA : Health, Installation and Security Audit Tool

Posted: Fri Feb 02, 2007 7:21 pm
by brian
HISA is featured in this week's Joomla Weekly News.

I hope it helps in some small way to spread the word.

HISA really is an essential tool for all prospective and current joomla users

Re: Joomla! v1.0 HISA : Health, Installation and Security Audit Tool

Posted: Fri Feb 02, 2007 10:43 pm
by RussW
@Brian

Thanks mate that is great news and really appreciated by the team.

We really are enjoying developing the HISA script and now working on the Next Generation Tools Suite, hopefully they will add value to the Joomla! environment and assist in enhancing the end-users Joomla! experience as a whole.

@eagleshout
.htaccess functionality will be added to the list of things to incorporate in to the NextGen script first and if successful and useful we will consider back-porting in to the standalone HISA scripts. Thank you for your interest and suggestion.

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Sun Feb 04, 2007 3:23 pm
by RussW
The HISA project team (RussW, Markku, Chrille, Ghosty) would like to announce the RC1 Release of the Joomla! Tools Suite v1.0-RC1


This new tool is the "Next Generation" version of the HISA StandAlone Tool, including embedded versions of HISA with enhancements (which will be back-ported to HISA), WebSmurfs Joomla! Diagnostics and a Database Optimisation script.


Note:
For those following previous announcements, we have decided not to release the "Administrator Password Reset" tool embedded in this Suite due to the risks of abuse far outweighing the usefulness; a standalone script will be released at a later date.

JTS v1.0-RC1 may be downloaded from :
    http://forge.joomla.org/sf/frs/do/viewS ... _suite/frs

    Translations: English, Finnish, Swedish & German


HISA StandAlone v1.0 may also be downloaded from the same location.

  Installation:
   
    1) Make a new directory under your Joomla! current or proposed directory. ( EG: /jts/ )
    2) Download and unzip/untar the JTS distribution file.
    3) FTP the files to your new directory on the server.
    4) Access JTS via your web-browser. ( EG: http://www.yourdomain.com.au/jts/index.php )

Security Note:
Due to the sensitive nature of the information provided by these tools, it is recommended that these files are not left on the server after use.

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Sun Feb 04, 2007 6:04 pm
by eagleshout
Wonderful, it's getting better every day, thanks to all who are working on this. I'm gaining more confidence every day with J! community.

Question: I ran this on a new install and a couple flags came up, could someone tell me if I should be alarmed by these:

Joomla! :: HISA
Your configuration.php is world writable. For security you should consider demoting the permissions on this file. World writable may expose your site to potential unwanted access or exploits.

(When I check the permissions via FTP app they're set to 644, feedback please?)

Joomla! :: Diagnostics for Joomla! 1.0.12
WARNING /home/mydomain.com/html/globals.php - File is corrupted or has been altered
(Could this be caused by changing globals emulation to "off" ?)

SECURITY /home/mydomain.com/html/includes/Cache/Lite.php - File does not contain _VALID_MOS. Read More..
SECURITY /home/mydomain.com/html/includes/domit/xml_domit_rss_shared.php - File does not contain _VALID_MOS. Read More..
SECURITY /home/mydomain.com/html/includes/phpmailer/class.phpmailer.php - File does not contain _VALID_MOS. Read More..

Also, I haven't run the DB Optimizer yet and would like to know more about its functions. I'm wondering if it runs automatically when selecting the link or if there's a dialog with options, or an info panel telling me what will happen when initiated? I know I should have more faith, but I'm proceeding with caution!  ;)

Comments would be appreciated!

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Sun Feb 04, 2007 10:34 pm
by RussW
@eagleshout

I will look in to the permissions thing, can't see a reason for it right now. What OS are you using?

The first warning is, as you say, the RG_EMULATION change. Which is good.

The other SECURITY notices are known in Joomla!, did you click the "Read More" link? Did it not give you more information regarding this notice?  Otherwise there is a discussion on this board for WebSmurfs tool which should give you more information http://forum.joomla.org/index.php/topic,53052.0.html

At the moment, the Database is selected and optimised when you select the link, I may, over time, change this to have a button you need to select to actually optimise.

We still need to start the "JTS Help" link which will document its features, sorry about that, caution is always a good thing.

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Sun Feb 04, 2007 11:53 pm
by RussW
OK eagleshout, thanks for taking the time.

I have checked the script again and it is basically a "mis-represented" message based on the actual check we are making.

We are only checking if the file is "writeable" (not actually checking the "real" permissions, only the "effective" permissions), which means: is it writable to the web-server user? If your web-server runs as the "user" account then it is seen as writable, due to the "effective" permissions of the user, even at 644  ( rw- r-- r-- )  because that user has write permissions.

The message will be changed to be more accurate in the next release. The term, "world" writable is incorrect in this case, apologies for the confusion.

Hope this helps a little, I have also written a small permissions FAQ, if this helps you;

FAQ: Joomla! Permissions Overview
http://forum.joomla.org/index.php/topic,121470.0.html
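
The distinction described in the post above, as an added example that is not part of the original thread and not HISA's code (HISA is PHP; this sketch is Python for a Unix host). It reads the mode bits and asks the kernel whether the running process may write, then reports the two separately using the thread's Warning / Information / Good levels. The function names and the temporary `configuration.php` are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_file(path):
    """Collect the facts that separate 'world writable' from 'writable by this process'."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    # Effective check: can *this* process write? This is what a script running
    # as the web-server user sees, regardless of which permission bit grants it.
    use_effective = os.access in os.supports_effective_ids
    writable_here = os.access(path, os.W_OK, effective_ids=use_effective)
    return {
        "mode": format(mode, "03o"),
        "world_writable": bool(mode & stat.S_IWOTH),   # the "other" write bit
        "group_writable": bool(mode & stat.S_IWGRP),
        "writable_by_process": writable_here,
        "owner_is_runtime_user": st.st_uid == os.geteuid(),
    }


def describe(facts):
    """Map the facts to a message level, keeping the two conditions apart."""
    if facts["world_writable"]:
        return "WARNING: world writable (mode %s)" % facts["mode"]
    if facts["writable_by_process"] and facts["owner_is_runtime_user"]:
        return ("INFO: writable because the script runs as the file owner "
                "(mode %s); not world writable" % facts["mode"])
    if facts["writable_by_process"]:
        return ("INFO: writable by this process through group bits or "
                "privilege (mode %s); not world writable" % facts["mode"])
    return "GOOD: not writable by this process (mode %s)" % facts["mode"]


def demo_effective_vs_world():
    """Constructed stand-in for configuration.php, audited at 644 and then 666."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "configuration.php")
        with open(path, "w") as fh:
            fh.write("<?php /* constructed sample file */ ?>\n")
        for mode in (0o644, 0o666):
            os.chmod(path, mode)
            results[format(mode, "03o")] = audit_file(path)
    return results


if __name__ == "__main__":
    for mode, facts in demo_effective_vs_world().items():
        print(mode, "->", describe(facts))
```

At 644 the file is reported as writable by the process but not world writable, which is the case reported earlier in the thread; only the 666 run produces the warning.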

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Sun Feb 04, 2007 11:55 pm
by eagleshout
RussW wrote: @eagleshout: I will look in to the permissions thing, can't see a reason for it right now. What OS are you using? The first warning is, as you say, the RG_EMULATION change. Which is good.
I'm using 1.0.12, in fact I updated another site this afternoon from 1.0.11 and that trimmed the warnings to 33%
RussW wrote:The other SECURITY notices are known in Joomla!, did you click the "Read More" link? Did it not give you more information regarding this notice?  Otherwise there is a discussion on this board for WebSmurfs tool which should give you more information http://forum.joomla.org/index.php/topic,53052.0.html
Thanks for the link, I'll look at the post. I found a FAQ on Joomla Add-ons http://www.joomla-addons.org/faq/view/j ... s/147.html which I'm guessing is his site.
RussW wrote:At the moment, the Database is selected and optimised when you select the link, I may, over time, change this to have a button you need to select to actually optimise.
Cool, it would be good if this had a little precautionary note before activating. Such as: "The following action may interrupt service to your Joomla site, you're advised to take your site offline prior to initiating this action" or some such warning. Just a suggestion since it's currently unclear what (or how) this will optimize the DB.
RussW wrote:We still need to start the "JTS Help" link which will document its features, sorry about that, caution is always a good thing.
No apologies needed, this is shaping up quite nicely. Based on what you folks have delivered thus far, I'm sure we can wait a bit for the help doc!

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Mon Feb 05, 2007 12:07 am
by Vince
Hi again Russ,
This is progressing into a nice tool for Joomla Webmasters.

A couple of thoughts for your consideration, for both convenience and security:

* Will it run from a sub-directory within /administration/
If so, how about a 'Wrapper' link added to admin section?

* Maybe you can make this into an Admin mod?

Keep up the great work.

- Vince

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Mon Feb 05, 2007 11:42 am
by RussW
Hey folks,

Glad you are finding the tools scripts useful  :)

@Vince
At the current time, the tools are only designed to run from within the basic Joomla! directory, this was determined to be the best location based on several criteria;

  1) The HISA and Diagnostic tool are very much designed as an installation Trouble-Shooting style tool set.
  2) The HISA can also be used as a Pre- Installation Audit to assure that the server environment is acceptable for a Joomla! installation.
  3) The tools need to run without restraint of the Joomla! framework, thus if the installation is having issues, then the tools will still be useful.
  4) The tools needed to be useful to varying degrees for both Pre- & Post- Installation environments.

Although, we would like to consider the integration of this tool-set into Joomla! it would actually reduce its designed functionality and usability as prescribed above. This is not to say that at a later date, there might be some form of integration of some of the tool-set in to an Admin component or module, but at this time, it is not in the plans.

The tools were not designed to be a permanent addition to a Joomla! installation, merely a set of diagnostic tools for trouble-shooting.


@eagleshout
Glad you found the link for the diagnostics, yes, that is WebSmurfs site where the Original Joomla! Diagnostic tool is hosted.

The RC1 release has initial implementation of some additional htaccess checks, although this has not been back-ported in to the StandAlone HISA yet, thanks for the suggestion.

As discussed, I will be adding a confirmation button in to the DB Optimisation in a future release, so that just opening the link doesn't head off and actually do the optimisation, users will need to confirm their desire to take that action first. Thanks for the suggestion.


On another note
Having read some comments, thoughts and PM's, it struck me (not that anyone has said anything) that there might be some need for clarification, it certainly has not been my intention to mis-lead anyone or mis-represent the project in anyway, my apologies if you feel this has been the case.

The Joomla! HISA and Joomla! Tools Suite utilities are a standalone diagnostic tool-set being developed by a number of like minded Joomla! folks, the fact that, so far, all participants in this project have been "Joomla! Working Group" members is purely incidental, albeit extremely beneficial to the project. This project is in no way directly associated with, or endorsed by, the Joomla! Project Core Team members or Open Source Matters, the Joomla! Project has been kind enough to allow us to post on the Extensions Site and provide a project repository on the Joomla! Forge for us.


Hope that clears up any mis-understandings there might have been.

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Sun Feb 18, 2007 11:54 am
by Bob0108
I think that this is an excellent tool with great features.

As a new user, when the report assesses the joomla installation as "85%"....."Joomla! should install or run, but you might have difficulty making use of some features"..... how do I find out what this means and what do I need to do to go to 100%?

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Sun Feb 18, 2007 8:02 pm
by RussW
Hi bob0108

glad you have found the tools to be of use to you.

In regards to your query, review the rest of the report for the reasons why you are only getting an 85% chance of success. There should be several informational, warning or even error messages that will highlight what is not configured correctly with suggestions as to how to resolve  or what the implications are. Alternatively, there will also be items high-lighted in RED that define many of the common problems seen during installation and require resolution.

Hope this helps you on your way,

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Sun Feb 25, 2007 9:57 pm
by Tokapi
Wauw, great tool! Just solved few little topics to make my site even more secure! A big 'thanks' for it.

I have an other addition to it: (actually, I'm looking after something like this) A script that checks ALL the file and directory permissions. If the files are set to 644 and the directories to 755, they are ok, else note them in a list to change them (or auto-change it if possible)! With a script it will be much easier than verifying every file in all the directories.

Anyway, thanks again. I'll definitely pass this tool through.
Greetings,
B.
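
A report-only sketch of the check suggested in the post above, added here as an example and not taken from HISA or JTS: it walks a tree and lists every file that is not 644 and every directory that is not 755, without changing anything. The function names, the expected-mode constants and the sample tree are constructed for illustration; a Unix host is assumed.

```python
import os
import stat
import tempfile

EXPECTED_FILE_MODE = 0o644   # rw-r--r--
EXPECTED_DIR_MODE = 0o755    # rwxr-xr-x


def find_permission_deviations(root):
    """Return sorted (relative_path, kind, actual, expected) for every mismatch."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    deviations = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode is not meaningful; skip it
        is_dir = stat.S_ISDIR(st.st_mode)
        expected = EXPECTED_DIR_MODE if is_dir else EXPECTED_FILE_MODE
        actual = stat.S_IMODE(st.st_mode)
        if actual != expected:
            deviations.append((os.path.relpath(path, root),
                               "dir" if is_dir else "file",
                               format(actual, "03o"),
                               format(expected, "03o")))
    return sorted(deviations)


def demo_tree_audit():
    """Build a small constructed tree with two deliberate deviations and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in {"includes": 0o755, "cache": 0o777}.items():
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        for name, mode in {"configuration.php": 0o644, "index.php": 0o666}.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php /* constructed sample file */ ?>\n")
            os.chmod(path, mode)
        os.chmod(root, 0o755)  # the temporary root is created 700; normalise it
        return find_permission_deviations(root)


if __name__ == "__main__":
    for rel, kind, actual, expected in demo_tree_audit():
        print("%-20s %-4s is %s, expected %s" % (rel, kind, actual, expected))
```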

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Sun Feb 25, 2007 11:55 pm
by RussW
Glad it was of use to you, will look in to your thoughts for a future release....  auto-setting permissions is "troublesome" though due to different OS's, configurations etc.

Good luck with your Joomla! site...

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Fri Mar 02, 2007 6:07 pm
by ajwagner777
I am having trouble bringing forge up ATM, but Do you see the possibility of making this handy little tool work for multiple sites.  What I'd like to see is the ability to use this tool for multiple sites from a single installation of this tool.  Am I making sense?  is this even possible? 

Looking forward to getting forge up so i can get this handy-dandy little tool!

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Fri Mar 02, 2007 10:40 pm
by RussW
Unfortunately, the Forge has been having a few issues recently, these issues are being managed by the appropriate teams.


The StandAlone HISA Tool and the JTS Tool are designed for Trouble-Shooting and Diagnostic purposes, although it has been designed to also provide simple site and configuration documentation in mind, it has not been designed with Multi- site capabilities.

At this time I have no plans to re-develop in that way either, with a few more updates in the coming weeks, HISA will basically become a static toolset with little or no further development need, it does the job it was designed for.

As for JTS, well, this might evolve further with additional tools, if requested or we see the need but right now it is not planned to extend in to a multi- site tool suite.

Re: Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

Posted: Sat Mar 03, 2007 11:43 am
by RussW
The JTS team are pleased to announce RC2 Release of the Joomla! Tools Suite

Download
    http://forge.joomla.org/sf/go/projects. ... s_v1_0_rc2

Updates
   
    1) HISA: Improved .htaccess / SEF / Cache Checking.
    2) HISA: New User/Owner comparison to Script RunTime Owner, checking for potential ownership issue.
    3) HISA : Graphical & Aesthetic readability updates, including HISA "Section Hide/Show"
    4) HISA : Updated "Actual Absolute Path" comparison to "$mosConfig_absolute_path"
                  (takes in to account CaSe SenSaTiViTy for Unix but ignores it for Windows)

Note:
    The StandAlone HISA version has not been updated yet, these updates are only currently available for the JTS Tool.


Russ