Posts Tagged ‘Security’

Our Moodle demonstration site is now using Moodle 1.9.7 (thanks to Moodle HQ sys admin Jordan for upgrading) and its demo account passwords are FunMood1ing!, which fulfils the default password policy, i.e. at least 8 characters, including at least one number, one lowercase letter, one uppercase letter and one non-alphanumeric character.

The security overview report (in Site Administration > Reports > Security overview) includes a report of any roles, permissions overrides and users who are allowed to backup user data. It is recommended that the capability to backup user data is only allowed for people who really need it, and their accounts should be protected by strong passwords. Note that glossary and database activity entries can easily be moved to a different course using the export and import entries feature without needing to backup user data.

Backup of user data report screenshot

The security overview report also reports that a password salt has been set.

Of course these demo site security improvements aren’t strictly necessary, since the database and files are erased and restored to a clean state every hour, however hopefully they serve to set a good example.


A heads up for anyone upgrading to the latest Moodle 1.9.6+, you’ll find the password policy (in Site Administration > Security > Site policies) has been enabled and admins will be prompted to change their password on next login.

Thus, if your site is for testing purposes only, you may wish to disable the password policy.


Password salting

Today I have been learning about password salting, a method of making encrypted passwords more secure and practically impossible to crack. Please see the documentation Password salting for the collected wisdom of posters in the forum discussion Moodle Salting and in our developer chat.
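As an added illustration (not Moodle's own code), the following Python checks a password against the default policy quoted in the demo site post above (8+ characters, a digit, lower- and upper-case letters, a non-alphanumeric character) and contrasts a plain unsalted hash, where two users with the same password store the same value, with a per-user salted hash. The PBKDF2 scheme, iteration count and storage string format are assumptions made for the example and are not Moodle's implementation.

```python
import hashlib
import hmac
import re
import secrets

# Default policy from the post: 8+ chars, one digit, one lowercase,
# one uppercase, one non-alphanumeric character.
POLICY_CHECKS = {
    "min_length": lambda p: len(p) >= 8,
    "digit": lambda p: re.search(r"\d", p) is not None,
    "lowercase": lambda p: re.search(r"[a-z]", p) is not None,
    "uppercase": lambda p: re.search(r"[A-Z]", p) is not None,
    "non_alphanumeric": lambda p: re.search(r"[^0-9A-Za-z]", p) is not None,
}

def policy_failures(password):
    """Return the names of the policy rules the password does not meet."""
    return [name for name, check in POLICY_CHECKS.items() if not check(password)]

def unsalted_hash(password):
    """Plain SHA-256 of the password: identical passwords hash identically."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

ITERATIONS = 100_000  # assumed work factor for this illustration, not a Moodle setting

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' using a fresh random salt."""
    if salt is None:
        salt = secrets.token_bytes(16)  # per-user salt, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])

def verify_password(password, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate.hex(), digest_hex)
    except ValueError:  # malformed stored value (wrong field count, bad hex or count)
        return False

if __name__ == "__main__":
    demo = "FunMood1ing!"
    print("policy failures:", policy_failures(demo))  # []
    a, b = hash_password(demo), hash_password(demo)
    print("salted hashes equal:", a == b)              # False
    print("verify ok:", verify_password(demo, a))      # True
```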

Elsewhere in Moodle Docs, I loved a talk page comment regarding a typo fix from documentation writer Chris Collman to Tim Hunt:

Keep doing the heavy lifting, sometimes I will find a grain of sand to put in the right place.


Today is the last day of MOODLE_17_STABLE in the Moodle Tracker. As Martin mentioned in the moodle.org news item New releases: Moodle 1.9.4, 1.8.8, 1.7.7 and 1.6.9 back in February:

Moodle 1.6.9 and Moodle 1.7.7 mark the last builds that the core team plan to release from those branches… please upgrade to later versions!

For anyone interested, our process of dropping support for older stable branches is detailed in Development:Stable branch support.

Keeping your site up-to-date is highly recommended in order to keep your site secure. Also recommended is to regularly run the Security overview report in Site Administration > Reports > Security overview (source: Hacked site recovery).


Issue security levels

Did you know that the security level setting of an issue in the Moodle Tracker determines how many people can view it?

I knew that serious security issues could only be viewed by members of the security team (led by Petr Škoda) but I only discovered recently that the other security levels also restrict access.

The different security levels provide access as follows:

  • None – Viewable by everyone, including non-logged-in users
  • Could be a security issue – Viewable by all logged-in users
  • Minor security issue – Viewable by developers and testers only
  • Serious security issue – Viewable by members of the security team only

If you’re not sure whether your issue is security-related or not, please report it in the tracker anyway. If you’re not sure which security level to choose, select a higher level. The issue can then be reviewed by a member of the security team and if necessary the level changed (as happened for MDL-18996).

The reason for restricting access to security issues is that Moodle practises responsible disclosure. This means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites time to upgrade or patch their installations. (Source: Moodle security procedures)

If you have a non-security-related issue, then the more people who can view it the better.

“Given enough eyeballs, all bugs are shallow” (Linus’s law).


Further security improvements

I’ve come across several security improvements in today’s weekly code review, including the implementation of a spam cleaner tool (MDL-17144) and links in the security overview report for fixing any unsupported role assignments (MDL-18041). All being well, these improvements, together with lots of bug fixes, will be available in tomorrow’s weekly download packages.


To be effective, the new security overview report in Moodle 1.9.4 (and in Moodle 1.8.8+ from Wednesday onwards) requires documentation for administrators on how to fix any identified security issues (MDL-18078).

Following Petr’s work in adding links to pages in Moodle Docs for each security overview issue, I’ve created the pages in the wiki to make it easy for anyone to add information.

Help in editing these pages and adding further information or links to forum discussions would be much appreciated.

