Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool

[montano]

What an amazing concept. I can't wait to check it out.  I have one site that is just loaded with gremlins and I hope this helps.  I'll report back.

THANKS!

[RussW]

Thanks Montano, please let us know how your testing goes....

[RussW]

JTS and HISA have been relocated to the new "Go Faster Striped, With Furry Dice" JoomlaCode.org

  http://joomlacode.org/gf/project/jts/

[RussW]

  v1.0-1 Released
    http://joomlacode.org/gf/project/jts/

    New Translation : Hungarian and Hungarian (Informal) Thanks to Jozsef (LocALiceR)
    Added : DataBase Integrity Checks
    Updated : DataBase Optimisation - No longer automatically runs, now required to select "Optimise Now" button
                                                    Optimisations should be completed in "low" traffic periods

[RussW]

Joomla! Tools Suite v1.0-1AF Released

  Tracker #185 Fixed
  Parse error: parse error, unexpected $end seen with PHP Short Open Tags Off
    Removed "short" open tag on line 171 in optimise_dbs.php

      Patch Id #212 : v1.0-1F To v1.0-1AF Patch
        http://joomlacode.org/gf/download/track ... .0-1AF.zip

      v1.0-1AF Full Release
        http://joomlacode.org/gf/project/jts/frs/

[RussW]

*OBSOLETE* Newly Released JTS v1.0-2 Beta

  1) Newly enhanced "Directory and File Permissions Audit" routine.

  2) Suspicious file detection
      -  .cgi & .pl, not being part of the Joomla! release.
      -  .tar, .tar.gz & .zip, not being a standard part of Joomla! release.

  3) English only translation for Beta

      Download :
      JTS v1.0-2Beta : http://joomlacode.org/gf/download/frsre ... -2Beta.zip
      Feedback & Comments welcome....

      JTS v1.0-1Final  : http://joomlacode.org/gf/download/frsre ... 280307.zip

[RussW]

In response to some requests, coming soon in Joomla Tools Suite....  Installed Extensions Audit Report

Permissions Audit and Extensions Audit Preview...

As ever, suggestions and thoughts welcome...

[friesengeist]

In response to some requests, coming soon in Joomla Tools Suite....  Installed Extensions Audit Report

Permissions Audit and Extensions Audit Preview...

Screenshots look very promising! Cool

[RussW]

Newly Released.. JTS v1.0-2 Beta2

  1) *NEW* "Installed Extensions Audit" routine. (Components, Modules and Mambots)

  2) * IMPROVED* "Directory and File Permissions Audit" routine.

  3) English only translations for Beta

      Download JTS 1.0-2 Beta2 :
      http://joomlacode.org/gf/download/frsre ... Beta2F.zip
      Feedback & Comments welcome....


      JTS v1.0-1Final  : http://joomlacode.org/gf/download/frsre ... 280307.zip




Thanks for the comments friesengeist, always good to get feedback.....

[RussW]

Beta 2 Refreshed...

  1) Improved Extensions Audit

  2) New JTS Help
      Can also be found at Joomla Tutorials



JTS Preview...

[icwebmaster]

With what versions of joomla does this work with,

1.0.8 ?

[RussW]

1.0.8 is a very old revision, with the associated and documented security risks and I would suggest that it might be time to upgrade, however, having said that....  many parts of Joomla! Tools Suite and the Standalone HISA "should" work with lower revisions.


Immediately, I can say that the Joomla! Diagnostic probably would work, but at the current time, only has hash's for v1.0.11 and v1.0.12 (English verisons), as a project we will not be producing hashes for revisions lower than v1.0.11 due to the nature and status of lower revisions but that does not mean tat you cannot produce your own for specific versions or languages.

All other Tools "should" work, I can see no reason why not, but have only be specifically designed to ensure compatibility with v1.0.11 and above and the project "officially" only support from v1.0.11 and above.

[light_man]

I can't connect to download JTS !

What must I do ?

Thanks in advance 

[Markku]

Hi,

JTS is available here: http://joomlacode.org/gf/project/jts/

[light_man]

Sorry, now it's ok. 

I just don't see page number at bottom of the page . 

You can delete my post on this thread 

[Markku]

Good to hear that you find the right URL. You should be able to delete your own post if you really want, but I don't think it is necessary at all.

[RussW]

v1.0-2 Beta Release Update

Included in the next Beta Release of JTS 1.0-2, due within the next few days;

Custom, Joomla! Diagnostic Hash
The "Hash Generation" utility provides the capability to build a Hash file of the current production Joomla! site as it is installed today. This new "Custom" Hash will not only include the Joomla! Core files, but will also include any files installed by Joomla! extensions. This new Hash contains information on the site at a known point in time and can now be compared against the current site to determine if any changes have occured since the last Hash was generated.

In addition to the standard Joomla! Diagnostic highliting files that have been modified or deleted, the new "Custom J!D" report also has the ability to highlite new files that may have been uploaded or added since the last hash was generated, providing a central focal point for "Change Management" and the detection of possible exploit or intrusion of a Joomla! site. Following the Generation of your "Custom" Hash, running "Custom J!D" from the menu will now use the newly created custom hash file instead of the standard Joomla! Core hash files.  Joomla! Core Files may still be compared from the standard integrated Joomla! Diagnostic option.

The "Custom Hash Utility" should be capable of handling Joomla! sites of any version/release/dev status/language or with core hacks due to not using the standard core file structure hash, including current and future v1.5 releases.

Joomla! Session & Table Integrity Maintenance
Prior to the Database optimisation, Joomla! Core Tables will be checked for Integrity, if problems are found, a table repair will be attempted. Following any required table repair, the #__session table will be checked for any Stale Sessions, these stale sessions will be deleted and the optimisation routine will then be run.

[brian]

Good work Russ.

[RussW]

Thanks Brian, I haven't seen any problems in testing on Windows and CentOS, hopefully it will fulfill the tracker feature request and be useful and effective for others.

The plan is to get a test version available on JoomlaCode in a few days or so, if al is well, once the translations are complete, we will release the Final Version...

[RussW]

* JTS V1.0-2 RC1 Released *

RC1 Available For Download from;
  JoomlaCode JTS Project Page


Custom, Joomla! Diagnostic Hash
The "Hash Generation" utility provides the capability to build a Hash file of the current production Joomla! site as it is installed today. This new "Custom" Hash will not only include the Joomla! Core files, but will also include any files installed by Joomla! extensions. This new Hash contains information on the site at a known point in time and can now be compared against the current site to determine if any changes have occured since the last Hash was generated.

In addition to the standard Joomla! Diagnostic highliting files that have been modified or deleted, the new "Custom J!D" report also has the ability to highlite new files that may have been uploaded or added since the last hash was generated, providing a central focal point for "Change Management" and the detection of possible exploit or intrusion of a Joomla! site. Following the Generation of your "Custom" Hash, running "Custom J!D" from the menu will now use the newly created custom hash file instead of the standard Joomla! Core hash files.  Joomla! Core Files may still be compared from the standard integrated Joomla! Diagnostic option.

The "Custom Hash Utility" should be capable of handling Joomla! sites of any version/release/dev status/language or with core hacks due to not using the standard core file structure hash, including current and future v1.5 releases.

Joomla! Session & Table Integrity Maintenance
Prior to the Database optimisation, Joomla! Core Tables will be checked for Integrity, if problems are found, a table repair will be attempted. Following any required table repair, the #__session table will be checked for any Stale Sessions, these stale sessions will be deleted and the optimisation routine will then be run.

RC1 Available For Download from;
  JoomlaCode JTS Project Page

[ursusblue]

Typos:

The Absolute Path is where yuo shuold find your Joomla! installation.

Found under the Joomla Environment settings

[Tokapi]

Again, really great job RussW!
I have some other request: Apply some filtering or sorting on the 'Directory and File Permissions Audit'  Split it into categories like 'dangerous setting', 'to verify' and 'safe'. Because now, you have to scroll trough a very long list to find the items you'll need to change.
Thanks, I'm impressed. Keep up the good work!

[RussW]

@ursusblue

Thanks will get those typo's fixed up....

@Tokapi
Thanks for taking the time to try JTS and comment, much appreciated.

Could add this to the Feature Request tracker on JoomlaCode, so I don't forget it....   ( http://joomlacode.org/gf/project/jts/tracker/ ) We will look in to its feasibility...

[frazelle09]

Way to go Russ and team!

i've extracted the zip into /tools, uploaded /tools under /Joomla in my website and tried

http://www.bahaismexicali.org/joomla/tools/ and got

Forbidden
You don't have permission to access /joomla/tools/ on this server.

Any ideas?

Have a great day! 

[Tokapi]

Did you verify the permissions / owner of the /tools folder and files ?

[frazelle09]

In my FTP browser the permissions say:  r?x for the folders and r?- for the files...

The owner is:  User: 32377, Group:  bahaism

Have a great day and thanks for responding! 

[RussW]

Which file did you upload? Check your upload location, something us definately strange with your location choice.

If I go to the URL supplied  /joomla/tools/  it appears maybe to not even exist, and you main site appears to be under " / "  so if anything, you need a directory under that....  so just "/tools" .... then the URL would be  " http://www..com.au/tools/ "

Tools Directory permissions should 755 and files within the directory should 644

(with one exception, if you plan to use the "Custom Hash" option, the file "joomla_my_site.txt" needs to be writeable during the generation phase and make "un-writable" again immediately afterwards.)

[RussW]

Folks

Looking for comments, feedback, suggestions......

The JTS project has received an interesting Feature Request from Lucious

Although the idea of a "Self-Healing" Joomla! option is really appealing, a little thought has led me to believe that this could be problematic regarding any "unexpected Self-Healing's" after valid changes to files or the installation of new extensions or content asset uploads.

However, continued exercise of the "Single-Cell-Amoeba" led me to considering maybe something along the lines of the following, as an add-on script to JTS;

Following a "Custom-Hash" being built for the current site,  a "Stand-Alone" php script is now also made available that maybe added to a crontab, say set to run every 6 hours or so, this custom script will run the Joomla! Diagnostic MD5 comparison against your newly built Custom-Hash and will email out a warning if differences are found.

Although not quite as "pro-active" as a "Self-Healing" process, it would be capable of providing an early warning of a compromise or exploit.

[k4lch]

one feature that might be useful is a way to setup a cron or batch file to run say at 3am or time you want to check the site then email the report to an address that way when you have muiltible sites to monitor you can get a report from each without having to manually checking

[weekendclimber]

I've been having problems with the permissions audit. I've got two installations of Joomla, one in my root directory, and another in a sub-folder that runs on a parked domain (same server and directory, different domain names). When I run the extensions audit for the system located in the root, it goes through the the parked domain's folder and then stops going any further. It seems to stop in the middle of execution as there are no tags at the end of the source. I also get a small note about not being able to access a directory, but it doesn't tell me which one.

BTW, This is a really great tool