PHP Configuration Drift Detection and Compliance Auditing
Configuration drift is the gradual divergence of a system's configuration from its defined baseline. A compliance audit checks that the system still satisfies its security policy and keeps evidence of who changed what. This post walks through implementing configuration drift detection and compliance auditing in PHP.
Drift detection compares the configuration actually in effect against the expected baseline on a schedule. The detector below reports a key as missing when the baseline defines it and the live configuration does not, and as changed when the values differ; keys that hold secrets are rated critical.
```php
<?php
declare(strict_types=1);

class ConfigDriftDetector
{
    private array $expectedConfig;

    public function __construct(array $expectedConfig)
    {
        $this->expectedConfig = $expectedConfig;
    }

    /** Compare the live configuration against the baseline and return one record per drift. */
    public function detect(array $currentConfig): array
    {
        $drifts = [];
        foreach ($this->expectedConfig as $key => $expectedValue) {
            // array_key_exists rather than ?? so a key deliberately set to null is not reported as missing
            if (!array_key_exists($key, $currentConfig)) {
                $drifts[] = [
                    'key' => $key,
                    'expected' => $expectedValue,
                    'current' => null,
                    'type' => 'missing',
                    'severity' => 'high',
                ];
                continue;
            }
            $currentValue = $currentConfig[$key];
            if ($currentValue !== $expectedValue) {
                $drifts[] = [
                    'key' => $key,
                    'expected' => $expectedValue,
                    'current' => $currentValue,
                    'type' => 'changed',
                    'severity' => $this->determineSeverity($key),
                ];
            }
        }
        return $drifts;
    }

    /** Keys holding secrets are critical: a changed secret means rotation outside the release process, or tampering. */
    private function determineSeverity(string $key): string
    {
        $criticalKeys = ['encryption_key', 'db_password', 'api_secret', 'auth_secret'];
        foreach ($criticalKeys as $critical) {
            if (str_contains($key, $critical)) {
                return 'critical';
            }
        }
        return 'medium';
    }

    /** Check security-relevant php.ini directives that must be switched off. */
    public function checkPhpIni(): array
    {
        $expectedIni = [
            'display_errors' => '0',
            'display_startup_errors' => '0',
            'expose_php' => '0',
            'allow_url_fopen' => '0',
            'allow_url_include' => '0',
        ];
        $drifts = [];
        foreach ($expectedIni as $key => $expected) {
            $current = ini_get($key);
            // ini_get() reports a boolean "off" as "" or "0" and "on" as "1", so normalise both
            // sides with filter_var() instead of comparing raw strings (a raw comparison would
            // report expose_php=Off as drift whenever PHP returns "" for it).
            $currentOn = filter_var((string) $current, FILTER_VALIDATE_BOOLEAN);
            $expectedOn = filter_var($expected, FILTER_VALIDATE_BOOLEAN);
            if ($currentOn !== $expectedOn) {
                $drifts[] = compact('key', 'expected', 'current');
            }
        }
        return $drifts;
    }
}
```
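Beyond the five directives checked above, a production baseline usually also covers session cookie flags, disable_functions and the auto_prepend_file/auto_append_file directives, and it helps to know whether a value was overridden at runtime rather than set in php.ini. The following is an added example, not code from the article: it audits a snapshot in the shape returned by ini_get_all(null, true), normalises boolean values, checks a list-valued directive, and flags any directive whose local_value differs from its global_value (ini_set(), a .user.ini file or a per-directory php_value can cause that). The directive list, the severities and the constructed sample snapshot are this example's own assumptions about a hardened production host.

```php
<?php
declare(strict_types=1);

// Added example, not the article's code. Directive list, severities and the sample
// snapshot below are assumptions; adjust them to your own policy.
final class PhpIniBaseline
{
    // ini_get()/ini_get_all() report a boolean "off" as "" or "0", so values are normalised
    // with filter_var() before comparison instead of being compared as strings.
    private const MUST_BE_OFF = [
        'display_errors', 'display_startup_errors', 'expose_php',
        'allow_url_fopen', 'allow_url_include', 'enable_dl',
    ];
    private const MUST_BE_ON = [
        'log_errors', 'session.cookie_httponly', 'session.cookie_secure',
        'session.use_strict_mode', 'session.use_only_cookies',
    ];
    // A non-empty auto_prepend_file/auto_append_file is a classic web-shell persistence point.
    private const MUST_BE_EMPTY = ['auto_prepend_file', 'auto_append_file'];
    // Command-execution functions that disable_functions is expected to list.
    private const MUST_BE_DISABLED = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];

    private static function isOn(?string $v): bool
    {
        return filter_var((string) $v, FILTER_VALIDATE_BOOLEAN);
    }

    private static function finding(string $directive, string $type, string $expected, ?string $current, string $severity): array
    {
        return ['directive' => $directive, 'type' => $type, 'expected' => $expected, 'current' => $current, 'severity' => $severity];
    }

    /** @param array<string, array{global_value: ?string, local_value: ?string}> $ini  shape of ini_get_all(null, true) */
    public static function audit(array $ini): array
    {
        $findings = [];
        $all = array_merge(self::MUST_BE_OFF, self::MUST_BE_ON, self::MUST_BE_EMPTY, ['disable_functions']);
        foreach ($all as $d) {
            if (!isset($ini[$d])) {
                $findings[] = self::finding($d, 'missing', 'present', null, 'medium');
                continue;
            }
            $global = $ini[$d]['global_value'];
            $value = $ini[$d]['local_value'];   // the value actually in effect for this request
            if ($value !== $global) {
                $findings[] = self::finding($d, 'runtime-override', (string) $global, $value, 'high');
            }
            if (in_array($d, self::MUST_BE_OFF, true) && self::isOn($value)) {
                $severity = $d === 'allow_url_include' ? 'critical' : 'high';
                $findings[] = self::finding($d, 'changed', 'Off', $value, $severity);
            } elseif (in_array($d, self::MUST_BE_ON, true) && !self::isOn($value)) {
                $findings[] = self::finding($d, 'changed', 'On', $value, 'medium');
            } elseif (in_array($d, self::MUST_BE_EMPTY, true) && ($value ?? '') !== '') {
                $findings[] = self::finding($d, 'changed', '(empty)', $value, 'critical');
            } elseif ($d === 'disable_functions') {
                $listed = array_map('trim', explode(',', strtolower((string) $value)));
                $missing = array_diff(self::MUST_BE_DISABLED, $listed);
                if ($missing !== []) {
                    $findings[] = self::finding($d, 'changed', 'includes ' . implode(',', $missing), $value, 'high');
                }
            }
        }
        return $findings;
    }
}

// Constructed snapshot in the shape of ini_get_all(null, true); run with --live to audit the real interpreter.
$sample = [
    'display_errors'           => ['global_value' => '0', 'local_value' => '1'],   // switched on at runtime
    'display_startup_errors'   => ['global_value' => '0', 'local_value' => '0'],
    'expose_php'               => ['global_value' => '',  'local_value' => ''],    // "" is how PHP reports Off
    'allow_url_fopen'          => ['global_value' => '0', 'local_value' => '0'],
    'allow_url_include'        => ['global_value' => '0', 'local_value' => '0'],
    'enable_dl'                => ['global_value' => '0', 'local_value' => '0'],
    'log_errors'               => ['global_value' => '1', 'local_value' => '1'],
    'session.cookie_httponly'  => ['global_value' => '1', 'local_value' => '1'],
    'session.cookie_secure'    => ['global_value' => '',  'local_value' => ''],    // left at the default (Off)
    'session.use_strict_mode'  => ['global_value' => '1', 'local_value' => '1'],
    'session.use_only_cookies' => ['global_value' => '1', 'local_value' => '1'],
    'auto_prepend_file'        => ['global_value' => '',  'local_value' => '/tmp/.cache.php'],  // per-directory override
    'auto_append_file'         => ['global_value' => '',  'local_value' => ''],
    'disable_functions'        => ['global_value' => 'exec,system', 'local_value' => 'exec,system'],
];
$snapshot = ($argv[1] ?? '') === '--live' ? ini_get_all(null, true) : $sample;
$findings = PhpIniBaseline::audit($snapshot);
foreach ($findings as $f) {
    printf("%-8s %-16s %-24s expected=%s current=%s\n",
        $f['severity'], $f['type'], $f['directive'], $f['expected'], var_export($f['current'], true));
}
exit($findings === [] ? 0 : 2);   // non-zero exit so a cron job or CI stage can alert on drift
```

Run it under the same SAPI as the application (php-fpm and the CLI read different ini files and may have different overrides), and treat a runtime-override finding as a lead rather than a verdict: frameworks legitimately call ini_set() for some of these directives, so the baseline should record which overrides are expected.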
The compliance auditor records security-relevant events and reports on them:
```php
<?php
declare(strict_types=1);

class ComplianceAuditor
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Creating the table from the application is convenient for a demo. In production the
        // schema belongs in a migration, and the application's database account should have
        // INSERT and SELECT on audit_log but no UPDATE or DELETE, so the log cannot be rewritten
        // from the web tier.
        $this->initSchema();
    }

    private function initSchema(): void
    {
        $this->pdo->exec("
            CREATE TABLE IF NOT EXISTS audit_log (
                id BIGINT AUTO_INCREMENT PRIMARY KEY,
                user_id INT,
                action VARCHAR(200) NOT NULL,
                resource VARCHAR(200),
                details JSON,
                ip_address VARCHAR(45),
                user_agent VARCHAR(500),
                created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
                INDEX idx_user_action (user_id, action),
                INDEX idx_created (created_at)
            ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
        ");
    }

    /** Record one security-relevant action performed in the current request. */
    public function log(string $action, string $resource = '', array $details = []): void
    {
        $stmt = $this->pdo->prepare("
            INSERT INTO audit_log (user_id, action, resource, details, ip_address, user_agent)
            VALUES (?, ?, ?, ?, ?, ?)
        ");
        $stmt->execute([
            $_SESSION['user_id'] ?? 0,
            $action,
            $resource,
            json_encode($details, JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR),
            // REMOTE_ADDR is the TCP peer. Behind a reverse proxy that is the proxy's address;
            // only substitute X-Forwarded-For if the proxy is trusted and strips client-supplied copies.
            $_SERVER['REMOTE_ADDR'] ?? '',
            // Truncate to the column width so an oversized header cannot make the INSERT fail
            // and silently drop the audit record.
            mb_substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 500),
        ]);
    }

    public function query(array $filters = [], int $limit = 50, int $offset = 0): array
    {
        $where = [];
        $params = [];
        if (!empty($filters['user_id'])) {
            $where[] = 'user_id = ?';
            $params[] = (int) $filters['user_id'];
        }
        if (!empty($filters['action'])) {
            // Escape LIKE wildcards so a filter such as "%" cannot match every row
            $where[] = 'action LIKE ?';
            $params[] = '%' . addcslashes($filters['action'], '%_\\') . '%';
        }
        if (!empty($filters['from'])) {
            $where[] = 'created_at >= ?';
            $params[] = $filters['from'];
        }
        if (!empty($filters['to'])) {
            $where[] = 'created_at <= ?';
            $params[] = $filters['to'];
        }
        $whereClause = $where ? 'WHERE ' . implode(' AND ', $where) : '';
        $stmt = $this->pdo->prepare("
            SELECT * FROM audit_log {$whereClause}
            ORDER BY created_at DESC, id DESC
            LIMIT ? OFFSET ?
        ");
        // LIMIT and OFFSET must be bound as integers: with emulated prepares PDO would quote
        // values passed to execute() as strings (LIMIT '50'), which MySQL rejects.
        $i = 1;
        foreach ($params as $param) {
            $stmt->bindValue($i++, $param);
        }
        $stmt->bindValue($i++, $limit, PDO::PARAM_INT);
        $stmt->bindValue($i, $offset, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /** Count of each action in the period, including the whole of the final day. */
    public function generateReport(\DateTimeInterface $from, \DateTimeInterface $to): array
    {
        $stmt = $this->pdo->prepare("
            SELECT action, COUNT(*) AS count
            FROM audit_log
            WHERE created_at BETWEEN ? AND ?
            GROUP BY action
            ORDER BY count DESC
        ");
        // Keep the time component: with 'Y-m-d' alone the upper bound is midnight at the
        // start of $to, which silently excludes that entire day from the report.
        $stmt->execute([$from->format('Y-m-d H:i:s'), $to->format('Y-m-d H:i:s')]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}
```
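The audit_log table above can be silently rewritten by anyone with UPDATE or DELETE on it, including an attacker who obtains the application's database credentials. One defence is to chain the rows: each row stores the previous row's hash and an HMAC over its own content plus that hash, so editing or removing any earlier row breaks the chain when it is verified. The following is an added example, not the article's ComplianceAuditor. It uses an in-memory SQLite database so it runs offline; the HMAC key, the column layout and the sample events are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the article's code: an audit log whose rows are chained with an HMAC
// so that editing or deleting any stored row is detectable. Key, schema and sample events
// are assumptions made for the demonstration.
final class TamperEvidentAuditLog
{
    private const GENESIS = '0000000000000000000000000000000000000000000000000000000000000000';

    public function __construct(private PDO $pdo, private string $hmacKey)
    {
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
        $pdo->exec('CREATE TABLE IF NOT EXISTS audit_log (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            user_id INTEGER NOT NULL,
            action TEXT NOT NULL,
            resource TEXT NOT NULL,
            details TEXT NOT NULL,
            created_at TEXT NOT NULL,
            prev_hash TEXT NOT NULL,
            entry_hash TEXT NOT NULL)');
    }

    /** Canonical bytes the HMAC covers; the same function is used when writing and when verifying. */
    private function canonical(array $row): string
    {
        return json_encode([
            (int) $row['user_id'], $row['action'], $row['resource'],
            $row['details'], $row['created_at'], $row['prev_hash'],
        ], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    }

    private function mac(string $data): string
    {
        return hash_hmac('sha256', $data, $this->hmacKey);
    }

    public function append(int $userId, string $action, string $resource, array $details): int
    {
        // Read the tail and insert in one transaction so concurrent writers cannot fork the chain.
        $this->pdo->beginTransaction();
        try {
            $prev = $this->pdo->query('SELECT entry_hash FROM audit_log ORDER BY id DESC LIMIT 1')->fetchColumn();
            $row = [
                'user_id'    => $userId,
                'action'     => $action,
                'resource'   => $resource,
                'details'    => json_encode($details, JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR),
                'created_at' => gmdate('Y-m-d\TH:i:s\Z'),
                'prev_hash'  => $prev === false ? self::GENESIS : $prev,
            ];
            $row['entry_hash'] = $this->mac($this->canonical($row));
            $stmt = $this->pdo->prepare('INSERT INTO audit_log
                (user_id, action, resource, details, created_at, prev_hash, entry_hash)
                VALUES (:user_id, :action, :resource, :details, :created_at, :prev_hash, :entry_hash)');
            $stmt->execute($row);
            $id = (int) $this->pdo->lastInsertId();
            $this->pdo->commit();
            return $id;
        } catch (Throwable $e) {
            $this->pdo->rollBack();
            throw $e;
        }
    }

    /** Returns null when the chain is intact, otherwise the id of the first row that fails. */
    public function verify(): ?int
    {
        $expectedPrev = self::GENESIS;
        foreach ($this->pdo->query('SELECT * FROM audit_log ORDER BY id ASC') as $row) {
            if ($row['prev_hash'] !== $expectedPrev
                || !hash_equals($this->mac($this->canonical($row)), $row['entry_hash'])) {
                return (int) $row['id'];
            }
            $expectedPrev = $row['entry_hash'];
        }
        return null;
    }
}

// Demonstration on constructed events; the key is generated per run for the demo only.
$pdo = new PDO('sqlite::memory:');
$log = new TamperEvidentAuditLog($pdo, random_bytes(32));
$log->append(42, 'user.role.change', 'user/7', ['from' => 'viewer', 'to' => 'admin']);
$log->append(42, 'config.update', 'php.ini', ['key' => 'allow_url_include', 'value' => '1']);
$log->append(7, 'login', 'session', ['result' => 'ok']);
printf("after writes:  first bad row = %s\n", var_export($log->verify(), true));

// Someone with DELETE on the table removes the config change: row 3 now points at a missing predecessor.
$pdo->exec('DELETE FROM audit_log WHERE id = 2');
printf("after delete:  first bad row = %s\n", var_export($log->verify(), true));

// Someone with UPDATE rewrites the privilege change: row 1 no longer matches its HMAC.
$pdo->exec('UPDATE audit_log SET details = \'{"from":"viewer","to":"viewer"}\' WHERE id = 1');
printf("after update:  first bad row = %s\n", var_export($log->verify(), true));
```

The key must live outside the database, for example in the host's secret store or only on the host that runs verification, otherwise an attacker with the credentials can simply re-chain the rows. The chain detects edits and deletions of earlier rows, but truncating the tail is only visible if the latest entry_hash is also recorded somewhere the attacker cannot reach, such as a log shipped to a separate system. On MySQL, read the tail with SELECT ... FOR UPDATE inside the transaction to get the same serialisation that SQLite's write lock provides here.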
Configuration auditing and security compliance are an essential part of keeping a system secure. Regular drift detection catches changes to security settings early, provided the baseline it compares against is itself version-controlled and reviewed. The compliance audit log records every sensitive operation and is the basis for tracing a security incident, so it must be protected from the people and processes it records: write it with a database account that cannot update or delete rows, and ship a copy off the host. An automated audit system is more reliable and more efficient than manual checks.
Author: 张小明 (front-end development engineer)