See Release Notes

  • Bug fixes for general core bugs in 3.11.x will end 14 Nov 2022 (12 months plus 6 months extension).
  • Bug fixes for security issues in 3.11.x will end 13 Nov 2023 (18 months plus 12 months extension).
  • PHP version: minimum PHP 7.3.0 Note: minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is supported too.

<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.

/**
 * Lang strings
 *
 * @package    report_security
 * @copyright  2008 Petr Skoda
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */

$string['configuration'] = 'Configuration';
$string['description'] = 'Description';
$string['details'] = 'Details';
$string['check_configrw_details'] = '<p>It is recommended that the file permissions of <code>config.php</code> are changed after installation so that the file cannot be modified by the web server.
Please note that this measure does not improve security of the server significantly, though it may slow down or limit general exploits.</p>';
$string['check_configrw_name'] = 'Writable config.php';
$string['check_configrw_ok'] = 'config.php can not be modified by PHP scripts.';
$string['check_configrw_warning'] = 'PHP scripts may modify config.php.';
$string['check_cookiesecure_details'] = '<p>If https communication is enabled, it is recommended to enable sending of secure cookies. You should have permanent redirection from http to https and ideally serve HSTS headers as well.</p>';
$string['check_cookiesecure_error'] = 'Please enable secure cookies';
$string['check_cookiesecure_http'] = 'You must turn on https in order to use secure cookies';
$string['check_cookiesecure_name'] = 'Secure cookies';
$string['check_cookiesecure_ok'] = 'Secure cookies enabled.';
$string['check_defaultuserrole_details'] = '<p>All logged in users are given capabilities of the default user role. Please make sure no risky capabilities are allowed in this role.</p>
<p>The only supported legacy type for the default user role is <em>Authenticated user</em>. The course view capability must not be enabled.</p>';
$string['check_defaultuserrole_error'] = 'The default user role "{$a}" is incorrectly defined!';
$string['check_defaultuserrole_name'] = 'Default role for all users';
$string['check_defaultuserrole_notset'] = 'Default role is not set.';
$string['check_defaultuserrole_ok'] = 'Default role for all users definition is OK.';
$string['check_displayerrors_details'] = '<p>Enabling the PHP setting <code>display_errors</code> is not recommended on production sites because error messages can reveal sensitive information about your server.</p>';
$string['check_displayerrors_error'] = 'The PHP setting to display errors is enabled. It is recommended that this is disabled.';
$string['check_displayerrors_name'] = 'Displaying of PHP errors';
$string['check_displayerrors_ok'] = 'Displaying of PHP errors disabled.';
$string['check_emailchangeconfirmation_details'] = '<p>It is recommended that an email confirmation step is required when users change their email address in their profile. If disabled, spammers may try to exploit the server to send spam.</p>
<p>The email field may also be locked by authentication plugins; that possibility is not considered here.</p>';
$string['check_emailchangeconfirmation_error'] = 'Users may enter any email address.';
$string['check_emailchangeconfirmation_info'] = 'Users may enter email addresses from allowed domains only.';
$string['check_emailchangeconfirmation_name'] = 'Email change confirmation';
$string['check_emailchangeconfirmation_ok'] = 'Confirmation of change of email address in user profile.';
$string['check_embed_details'] = '<p>Unlimited object embedding is very dangerous - any registered user may launch an XSS attack against other server users. This setting should be disabled on production servers.</p>';
$string['check_embed_error'] = 'Unlimited object embedding enabled - this is very dangerous for the majority of servers.';
$string['check_embed_name'] = 'Allow EMBED and OBJECT';
$string['check_embed_ok'] = 'Unlimited object embedding is not allowed.';
$string['check_frontpagerole_details'] = '<p>The default frontpage role is given to all authenticated users for frontpage activities. Please make sure no risky capabilities are allowed for this role.</p>
<p>It is recommended that a special role is created for this purpose and a legacy type role is not used.</p>';
$string['check_frontpagerole_error'] = 'Incorrectly defined frontpage role "{$a}" detected!';
$string['check_frontpagerole_name'] = 'Frontpage role';
$string['check_frontpagerole_notset'] = 'Frontpage role is not set.';
$string['check_frontpagerole_ok'] = 'Frontpage role definition is OK.';
$string['check_crawlers_details'] = '<p>The "Open to search engines" setting enables search engines to enter courses with guest access. There is no point in enabling this setting if guest login is not allowed.</p>';
$string['check_crawlers_error'] = 'Search engine access is allowed but guest access is disabled.';
$string['check_crawlers_info'] = 'Search engines may enter as guests.';
$string['check_crawlers_name'] = 'Open to search engines';
$string['check_crawlers_ok'] = 'Search engine access is not enabled.';
$string['check_dotfiles_info'] = 'All dotfiles except /.well-known/* should not be public';
$string['check_dirindex_info'] = 'Directory index should not be enabled';
$string['check_guestrole_details'] = '<p>The guest role is used for guests, not logged in users and temporary guest course access. Please make sure no risky capabilities are allowed in this role.</p>
<p>The only supported legacy type for guest role is <em>Guest</em>.</p>';
$string['check_guestrole_error'] = 'The guest role "{$a}" is incorrectly defined!';
$string['check_guestrole_name'] = 'Guest role';
$string['check_guestrole_notset'] = 'Guest role is not set.';
$string['check_guestrole_ok'] = 'Guest role definition is OK.';
$string['check_mediafilterswf_details'] = '<p>Automatic swf embedding is very dangerous - any registered user may launch an XSS attack against other server users. Please disable it on production servers.</p>';
$string['check_mediafilterswf_error'] = 'Flash media filter is enabled - this is very dangerous for the majority of servers.';
$string['check_mediafilterswf_name'] = 'Enabled .swf media filter';
$string['check_mediafilterswf_ok'] = 'Flash media filter is not enabled.';
$string['check_nodemodules_details'] = '<p>The directory <code>{$a->path}</code> contains Node.js modules and their dependencies, typically installed by the NPM utility. These modules may be needed for local Moodle development, such as for using the grunt framework. They are not needed to run a Moodle site in production and they can contain potentially dangerous code exposing your site to remote attacks.</p><p>It is strongly recommended to remove the directory if the site is available via a public URL, or at least prohibit web access to it in your webserver configuration.</p>';
$string['check_nodemodules_info'] = 'The node_modules directory should not be present on public sites.';
$string['check_nodemodules_name'] = 'Node.js modules directory';
$string['check_openprofiles_details'] = 'Open user profiles can be abused by spammers. It is recommended that either <code>Force users to log in for profiles</code> or <code>Force users to log in</code> are enabled.';
$string['check_openprofiles_error'] = 'Anyone may view user profiles without logging in.';
$string['check_openprofiles_name'] = 'Open user profiles';
$string['check_openprofiles_ok'] = 'Login is required before viewing user profiles.';
$string['check_passwordpolicy_details'] = '<p>It is recommended that a password policy is set, since password guessing is very often the easiest way to gain unauthorised access.
Do not make the requirements too strict though, as this can result in users not being able to remember their passwords and either forgetting them or writing them down.</p>';
$string['check_passwordpolicy_error'] = 'Password policy not set.';
$string['check_passwordpolicy_name'] = 'Password policy';
$string['check_passwordpolicy_ok'] = 'Password policy enabled.';
$string['check_preventexecpath_name'] = 'Executable paths';
$string['check_preventexecpath_ok'] = 'Executable paths only settable in config.php.';
$string['check_preventexecpath_warning'] = 'Executable paths can be set in the Admin GUI.';
$string['check_preventexecpath_details'] = '<p>Allowing executable paths to be set via the Admin GUI is a vector for privilege escalation. This must be forced in config.php:</p><p><code>$CFG->preventexecpath = true;</code></p>';
$string['check_publicpaths_name'] = 'Check all public / private paths';
$string['check_publicpaths_generic'] = '{$a} files should not be public';
$string['check_publicpaths_403'] = ' (Returned a 403, ideally should be 404)';
$string['check_riskadmin_detailsok'] = '<p>Please verify the following list of system administrators:</p>{$a}';
$string['check_riskadmin_detailswarning'] = '<p>Please verify the following list of system administrators:</p>{$a->admins}
<p>It is recommended to assign administrator role in the system context only. The following users have (unsupported) admin role assignments in other contexts:</p>{$a->unsupported}';
$string['check_riskadmin_name'] = 'Administrators';
$string['check_riskadmin_ok'] = 'Found {$a} server administrator(s).';
$string['check_riskadmin_unassign'] = '<a href="{$a->url}">{$a->fullname} ({$a->email}) review role assignment</a>';
$string['check_riskadmin_warning'] = 'Found {$a->admincount} server administrators and {$a->unsupcount} unsupported admin role assignments.';
$string['check_riskbackup_detailsok'] = 'No roles explicitly allow backup of user data.  However, note that admins with the "doanything" capability are still likely to be able to do this.';
$string['check_riskbackup_details_overriddenroles'] = '<p>These active overrides give users the ability to include user data in backups. Please make sure this permission is necessary.</p> {$a}';
$string['check_riskbackup_details_systemroles'] = '<p>The following system roles currently allow users to include user data in backups.  Please make sure this permission is necessary.</p> {$a}';
$string['check_riskbackup_details_users'] = '<p>Because of the above roles or local overrides, the following user accounts currently have permission to make backups containing private data from any users enrolled in their course.  Make sure they are (a) trusted and (b) protected by strong passwords:</p> {$a}';
$string['check_riskbackup_editoverride'] = '<a href="{$a->url}">{$a->name} in {$a->contextname}</a>';
$string['check_riskbackup_editrole'] = '<a href="{$a->url}">{$a->name}</a>';
$string['check_riskbackup_name'] = 'Backup of user data';
$string['check_riskbackup_ok'] = 'No roles explicitly allow backup of user data';
$string['check_riskbackup_unassign'] = '<a href="{$a->url}">{$a->fullname} ({$a->email}) in {$a->contextname}</a>';
$string['check_riskbackup_warning'] = 'Found {$a->rolecount} roles, {$a->overridecount} overrides and {$a->usercount} users with the ability to backup user data.';
$string['check_riskxss_details'] = '<p>RISK_XSS denotes all dangerous capabilities that only trusted users may use.</p>
<p>Please verify the following list of users and make sure that you trust them completely on this server:</p><p>{$a}</p>';
$string['check_riskxss_name'] = 'XSS trusted users';
$string['check_riskxss_warning'] = 'RISK_XSS - found {$a} users that have to be trusted.';
$string['check_unsecuredataroot_details'] = '<p>The dataroot directory must not be accessible via web. The best way to make sure the directory is not accessible is to use a directory outside the public web directory.</p>
<p>If you move the directory, you need to update the <code>$CFG->dataroot</code> setting in <code>config.php</code> accordingly.</p>';
$string['check_unsecuredataroot_error'] = 'Your dataroot directory <code>{$a}</code> is in the wrong location and is exposed to the web!';
$string['check_unsecuredataroot_name'] = 'Insecure dataroot';
$string['check_unsecuredataroot_ok'] = 'Dataroot directory must not be accessible via the web.';
$string['check_unsecuredataroot_warning'] = 'Your dataroot directory <code>{$a}</code> is in the wrong location and might be exposed to the web.';
$string['check_vendordir_details'] = '<p>The directory <code>{$a->path}</code> contains various third-party libraries and their dependencies, typically installed by the PHP Composer. These libraries may be needed for local Moodle development, such as for installing the PHPUnit framework. They are not needed to run a Moodle site in production and they can contain potentially dangerous code exposing your site to remote attacks.</p><p>It is strongly recommended to remove the directory if the site is available via a public URL, or at least prohibit web access to it in your webserver configuration.</p>';
$string['check_vendordir_info'] = 'The vendor directory should not be present on public sites.';
$string['check_vendordir_name'] = 'Vendor directory';
$string['check_webcron_details'] = '<p>Running the cron from a web browser can expose privileged information to anonymous users. It is recommended to only run the cron from the command line or set a cron password for remote access.</p>';
$string['check_webcron_warning'] = 'Anonymous users can access cron.';
$string['check_webcron_name'] = 'Web cron';
$string['check_webcron_ok'] = 'Anonymous users can not access cron.';
$string['eventreportviewed'] = 'Viewed security check report';
$string['issue'] = 'Issue';
$string['pluginname'] = 'Security checks';
$string['security:view'] = 'View security report';
$string['timewarning'] = 'Data processing may take a long time, please be patient...';
$string['privacy:metadata'] = 'The Security overview plugin does not store any personal data.';
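The strings above only name the checks; they do not show what each one actually tests. The script below is an added example, not Moodle's own report_security code, that re-implements a simplified version of the local file-system and configuration checks the strings describe (configrw, displayerrors, unsecuredataroot, nodemodules, vendordir and preventexecpath) and maps each result onto the `check_<name>_<status>` string key the report would display. The helper names (`path_is_inside`, `run_security_checks`), the fake `$CFG` object and the throw-away directory tree are all constructed for the demo; the web-facing checks (cookies, dotfiles, directory index, public paths, web cron) are not covered because they need a running site.

```php
<?php
// Added example (not Moodle code): simplified offline versions of several
// report_security checks, run against a constructed temporary tree.
declare(strict_types=1);

/**
 * True if $child is $parent or lies underneath it, after resolving symlinks.
 * strncmp is used instead of str_starts_with so this runs on PHP 7.3, the
 * minimum version stated for Moodle 3.11.
 */
function path_is_inside(string $child, string $parent): bool {
    $c = realpath($child);
    $p = realpath($parent);
    if ($c === false || $p === false) {
        return false;
    }
    return $c === $p || strncmp($c, $p . DIRECTORY_SEPARATOR, strlen($p) + 1) === 0;
}

/**
 * Run the checks and return [check => status]. Statuses reuse the _ok, _info,
 * _warning and _error suffixes of the lang-string keys. $cfg is a plain object
 * standing in for Moodle's global $CFG (assumption for the demo).
 */
function run_security_checks(string $dirroot, string $dataroot, object $cfg): array {
    $r = [];

    // check_configrw: config.php must not be writable by the PHP process.
    // Caveat: is_writable() returns true for root regardless of mode bits, so
    // run this as the web-server user to get a meaningful answer.
    $r['configrw'] = is_writable($dirroot . '/config.php') ? 'warning' : 'ok';

    // check_displayerrors: an enabled display_errors leaks paths and stack traces.
    $on = filter_var((string) ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN);
    $r['displayerrors'] = $on ? 'error' : 'ok';

    // check_unsecuredataroot: a dataroot inside dirroot means uploaded files and
    // session data can be served straight out of the web root.
    $r['unsecuredataroot'] = path_is_inside($dataroot, $dirroot) ? 'error' : 'ok';

    // check_nodemodules / check_vendordir: development-only trees that should
    // not be present on a public site.
    $r['nodemodules'] = is_dir($dirroot . '/node_modules') ? 'info' : 'ok';
    $r['vendordir']   = is_dir($dirroot . '/vendor') ? 'info' : 'ok';

    // check_preventexecpath: executable paths must be locked in config.php.
    $r['preventexecpath'] = !empty($cfg->preventexecpath) ? 'ok' : 'warning';

    return $r;
}

// --- Demo on a constructed tree (not a real Moodle install) -----------------
$base = sys_get_temp_dir() . '/moodle_check_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/moodledata', 0700, true);   // dataroot deliberately inside dirroot
mkdir($base . '/vendor');                   // leftover Composer tree
file_put_contents($base . '/config.php', "<?php\n\$CFG = new stdClass();\n");
chmod($base . '/config.php', 0444);         // read-only, as the configrw check recommends

$cfg = new stdClass();
$cfg->preventexecpath = false;              // weak setting; should be true in config.php
ini_set('display_errors', '1');             // weak setting; should be off in production

foreach (run_security_checks($base, $base . '/moodledata', $cfg) as $check => $status) {
    printf("%-18s %-8s -> lang key: check_%s_%s\n", $check, $status, $check, $status);
}

// Remove the constructed tree again.
chmod($base . '/config.php', 0644);
unlink($base . '/config.php');
rmdir($base . '/vendor');
rmdir($base . '/moodledata');
rmdir($base);
```

Run it from the command line as the same user the web server runs PHP under; with the settings constructed above it reports `unsecuredataroot` as error, `displayerrors` as error, `vendordir` as info and `preventexecpath` as warning, while `configrw` depends on whether the invoking user can bypass the 0444 mode.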