Note: You are currently viewing documentation for Moodle 1.9. Up-to-date documentation for the latest stable version is available here: Security.

Talk:Security

From MoodleDocs
Revision as of 23:27, 14 March 2007 by Clint Lalonde (talk | contribs)

Little spelling error in opening paragraph. "involving some conbination of input" should be combination, not conbination.


Should this page deal with valid users as well? I'm talking about input sanitization, etc. For example, in my school's version of Moodle, I can craft some code that logs the user out as soon as they see my forum post. I suggest taking a look at MediaWiki's approach to code sanitizing. -- Tim McCormack is talk 12:45, 11 February 2006 (WST)

Tim, I believe what you are mentioning is actually related to the future development of Moodle code, or possibly an existing security bug? There is actually a lead Security Officer, Petr Škoda (skodak), who is charged with reviewing the security code. He would probably like to see an example of what you mentioned. Jonathan Moore 8:46, 12 February 2006 (CST)
I have reported it in full detail at the security.moodle.org site. -- Tim McCormack is talk 09:29, 16 February 2006 (WST)

Please, take a look at the "Before all" topic I have just added, based on Petr's opinion on this: http://moodle.org/mod/forum/discuss.php?d=39404#182024 - David Delgado 02:11, 13 February 2006 (WST)

I have updated the file permissions, with what I hope are more correct values. Jonathan Moore 10:52, 14 February 2006 (CST)

Security for Security page

Maybe we should take a look at the security in this "Security" page. :-/ Should it be a protected page maintained directly by http://security.moodle.org? Please, give us your opinion on this in the "page comments" label in this page.

I do think it SHOULD be protected and maintained directly by http://security.moodle.org , since it is the best place to introduce security hazards. Just add "Do not forget to send your admin password to safe@cracker.com", for example. Think also of more sophisticated cracking methods. By the way... moodledata directory owned by root with 700 permissions, Jonathan Moore? :-/ - David Delgado 16:44, 13 February 2006 (WST)
I think you make a good point. At a minimum this page needs to be monitored by someone. I think more subtle problems than the send password to x variety could be introduced too. Such as changing the permission numbers or some such.
Since I am not a member of security.moodle.org, I can't speak for them. I don't know what all of their duties entail and whether there is a complete match up with what they cover for Moodle and what is covered in the guide.
Page protected, as requested. Please use this page for suggesting changes to Security. --Helen Foster 19:06, 16 February 2006 (WST)

Running Moodle with PHP safe_mode=on

Does any security guru dare to document that? I think it is possible to do that (both to run Moodle with safe_mode=on and to write the document). ;-)


What About System Validation / Audit Trails?

I am a physician in a medical laboratory doing both commercial and clinical trials (FDA regulated) diagnostic studies on a global basis. We are redesigning our entire validation, documentation and training systems and I am in the process of using MOODLE to manage the training process. I have a very computer savvy employee who used to be the administrator for the ANGEL LMS from Indiana University (that is now a commercial product).

Now here is the dilemma: everything even remotely associated with clinical trials and even routine medicine is getting extremely regulated and we virtually are inspected 12+ times a year (1-4 day audits). With Part 11 regulations ALL software (developed or off the shelf) has to have a full system validation. The FDA has moved this to a risk-based process, so intense validation is basically in critical data where users have access to alter data. We develop our own LIS (Laboratory Information System) because you cannot get OTS software with functionality to work in clinical trials. Thus we have a small team of (pharmaceutical business experienced) validation personnel. So we will do something in this area. However it would be extremely helpful if others had done some of this work to share some use case examples and any outcomes or known areas of system weakness. The FDA is also very strongly into electronic audit trails; is that possible in MOODLE?

Since I am new to this software, I am just starting to explore it, but would welcome any experience in this area. We will sure share our experience with others because this type of software has a much broader application than just in educational institutions. (I was also the medical director of a fully ACCME accredited non-profit post-graduate medical education company that had over 5,000 medical technologist and physician subscribers. That company was sold to the largest CME provider for laboratory professionals in the world, ASCP.)

Mick Glant, MD Indianapolis, IN