Search

The security overview report can be accessed via the Site administration menu by following that path Security > Security overview. It displays a report on the status of all of the key security settings from within the system, showing whether the current setting is OK.  If there is a problem you will see a status of; Warning or Serious which means you should review that setting and ensure you are aware of the security risks or take necessary corrective steps. 

SettingDescriptionNotes

Insecure dataroot

User files are stored by Totara Learn in the dataroot. To keep it secure this should not be accessible from the web.If the dataroot directory is moved then the $CFG->datarootsetting will need to be updated in the config.php file.

Displaying of PHP errors

This should be turned off for all live/production sites, as it could create a security vulnerability other as if PHP is set to display errors it would allow someone to gain information such as directory structures by entering a faulty URL (prompting PHP to display details about the error and the system).This can be changed in the php.ini file. Open the file and set display_errors to display_errors=Off.

Vendor directory

The vendor directory contains various third-party libraries and their dependencies, typically installed by the PHP Composer. It may be needed for local development, such as for installing the PHPUnit framework. But it can also contain potentially dangerous code exposing your site to remote attacks.

It is strongly recommended to remove the directory if the site is available via a public URL, or at least prohibit web access to it.

-

Node.js modules directory

The node_modules directory contains Node.js modules and their dependencies, typically installed by the NPM utility. These modules may be required for Totara development. They are not needed to run a Totara Learn site and they can contain potentially dangerous code exposing your site to remote attacks.

It is strongly recommended to remove the directory if the site is available via a public URL, or at least prohibit web access to it.

-

No authentication

This setting should be turned off on live/production sites as it would allow someone to create an account with no authentication, meaning they could even use an email address that does not exist and there is no verification required.

This can be turned off by going to Site administration > Plugins > Authentication > Manage authentication and ensuring that it is disabled (Eye icon with line through (disabled).).

Allow EMBED and OBJECT

As a default security measure, normal users are not allowed to embed multimedia (like Flash) within texts using explicit EMBED and OBJECT tags in their HTML (although it can still be done safely using the mediaplugins filter). If you wish to allow these tags then enable this option in the Security settings.To configure this go to Site administration > Security > Security settings.

Enabled .swf media filter

It is not recommended to enable automatic embedding of Flash (.swf) file by default as this could enable a user to launch a Cross-Site Scripting (XXS) attack, by using a file that contains some malicious code.You can control this by turning ensuring the Convert URLs into links and images setting is disabled under Site administration > Plugins > Filters > Manage filters. You can also choose whether to allow Flash files in the media player settings under Site administration > Plugins > Media players > Manage media players.

Open user profiles

If you leave all of the user profiles open then there is a risk these could be abused by spammers (as they would be publicly viewable). It is recommended that you only make user profiles available to logged in users.Control this by configuring the Force users to log in and Force users to log in for profiles settings under Site administration > Security > Security settings.

Open to Google

This setting works with Guest access to allow search engines to access courses with the guest access permissions. Note that allowing Google access to your site will mean that all contents are publicly accessible, so only do this if there is no confidential or sensitive information on your site.This is configured under Site administration > Security > Security settings.

Password policy

Using a password policy helps make your site more secure by encouraging/forcing good password habits, including more complex passwords (which are harder to guess) and also more frequent changing of passwords (if they are easier to guess). Try not to make password requirements too strict or difficult though as this might lead to users forgetting their passwords or writing them down, thus negating any security benefits.This is configured under Site administration > Security > Security settings.

Email change confirmation

You can choose to force users to confirm any changes they make to their email address. It is recommended that you do this to prevent spammers from exploiting your server.This is configured under Site administration > Security > Security settings.

Username enumeration

When a user enters incorrect login credentials Totara Learn ensures that it is vague about the reason for the unsuccessful login, so that anyone trying to attack the site cannot tell if the username or password is wrong. Username enumeration is a process that potential attackers can use to figure out what the username convention is for your Totara Learn site, so that they only need to guess the password of a user to get access.You can disable the self registration setting in Site administration > Plugins > Authentication > Manage authentication (as potential attackers could generate their own usernames to figure out the pattern).

You should enable Protect username so that no hints are given to potential attackers if they click the forgotten password link. This can be done under Site administration > Security > Security settings.

HTTPS protocols

As HTTP protocol is easily exploitable it is recommended that you use HTTPS protocol on all your servers.-

Secure cookies

You should ensure secure cookies if you are allowing HTTPS communications with your site (recommended). It is also advisable to only use HSTS headers and set up permanent redirects for any HTTP pages to HTTPS.Secure cookies can be enabled via Site administration > Security > HTTP security.

HTTP only cookies

This prevents scripts from accessing cookies sent by your server, so that cookies are only accessible by actual requests. This can help reduce the risk of Cross-Site Scripting (XSS) attacks.HTTP only cookies can be enabled from Site administration > Security > HTTP security. Note that some older browsers may not support this feature.
Persistent loginIf enabled persistent logins ignore standard session timeouts and set a permanent browser cookie. This cookie is later used to automatically re-login user after browser restart or session timeout.This can be configured via Site administration > Security > Security settings.
SCORM session keep aliveIf enabled user session is kept alive in SCORM player. Can be configured in Site administration > Plugins > Activity modules > SCORM package.

Writable config.php

After you have installed your Totara Learn site you should edit the config.php file to ensure it is set to read-only so that it cannot be modified by the web server.You will need to CHMOD the config.php file to either 644 or 444 to ensure it is read-only.

XSS trusted users

Some content such as certain multi-media files, HTML code, JavaScript, and Flash aplets can be used to attack your site (using a cross-site scripting attack (XSS attack)). Certain capabilities will allow roles/users within you side to add these types of content as they can be useful for training purposes, however it is important to make sure that you only allow trusted users to have access to these capabilities. This setting in the overview report will show a list of users with these abilities so you can check they are all trusted individuals. -

Administrators

It is advisable to keep the number of Site Administrators to a minimum. If users do not need all the permissions/capabilities of a Site Administrator please consider another role, such as Site Manager.You can adjust the number of Site Administrators under Site administration > Permissions > Site administrators.

Backup of user data

This setting checks for roles that have the backup:userinfo capability, as holders of this permission can back up all of the user data (including relevant user account details) when backing up a course. This could lead to a security breach if in the wrong hands. It is also recommended that you ensure a robust password policy, to protect the accounts of users with this capability.

The ability to backup user data is separate from the ability to back up course data. By default only the manager role can backup user data.

Password policies can be setup via Site administration > Security > Security settings.

Default role for all users

The default user role is normally set as Authenticated user. If you see the a status of Critical then this means the role is not correctly configured and that some risky capabilities may have been given to it. You can edit the permissions of the role under Site administration > Users > Permissions > Define roles then click on Authenticated user and browse the permissions column to check everything in as expected.This can be configured under Site administration > Permissions > User policies.

Guest role

The Guest role is intended for non-logged in, temporary users and therefore no risky permissions/capabilities should be given to this role.This can be configured under Site administration > Permissions > User policies.

Frontpage role

The default frontpage role is given to all registered users for frontpage activities. Please make sure no risky capabilities are allowed for this role.

It is recommended that a special role is created for this purpose and a legacy type role is not used.

Configured via Edit settings in the Administration block on the front page

Web cron

It is recommended that you only run cron from the command line, as running cron from a web browser risks exposing privileged information to anonymous users. Additionally, you could set a cron password for remote access.This is configured under Site administration > Security > Security settings.

Guest access

You will need to carefully consider the security risks associated with allowing access to the site without a user account (which is possible via guest access). You may wish to consider disabling the Guest login button setting.Guest access can be managed under Site administration > Plugins > Authentication > Manage authentication. See Authentication for more information.

URL downloader repository

Enabling the URL downloader can allow external users to access URLs within your internal network. You should not enable this feature if you have users who are allowed to access your LMS but not allowed to access other resources within your internal network that are accessible from the LMS server.-

XXE risk

Some versions of LibXML and PHP potentially loaded external entities into XML by default, meaning contents of local files could be obtained by a malicious user. Ensure that you are using up-to-date versions of LibXML and PHP to help prevent against this vulnerability.-
Executable pathsAllowing executable paths to be set via the Admin GUI is a vector for privilege escalation.-
On this page

Provide feedback about this page using the link in the bottom right of this page. 

Still have questions? Why not post them in the forums of the Totara Community?