Trunk now contains a "Security Audit" page whose purpose is to review
the countless settings and configuration options in Fossil and try to
sniff out undesirable misconfigurations.  The security-audit page is
only viewable by administrators, so as not to be a resource for
vandals.

The idea is to provide administrators with a simple one-stop place to
check for configuration errors in a Fossil server setup.  A quick
glance at the Security Audit page should give an administrator high
confidence that they did everything correctly and that their Fossil
server setup meets their security requirements.

The current implementation only checks a few simple things that came
quickly to my mind.  And I have a few more things jotted down but not
yet committed to code.  See comments in the implementation at
https://www.fossil-scm.org/fossil/file/src/security_audit.c for
details.

Ideally, this page should check many, many things.  The more the
better, it seems to me.

Suggestions for new things to check are welcomed.

-- 
D. Richard Hipp
d...@sqlite.org
_______________________________________________
fossil-dev mailing list
fossil-dev@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev