Introducing Guardr
At work, I've served some of the country's largest companies. Some of those companies, members of the Fortune 50, have world-class security demands. We have turned those security specifications, in part, into a snapshot of contributed Drupal modules we now call Guardr.
Drupal is a web application platform, which to me is much more than brochure-ware. A finished Drupal web application is much more than managed content - it is a streamlined business process, workflow management, and digital asset system. The toolkit Drupal provides through its hook system allows us to extend a mix of public and proprietary modules to streamline business process bottlenecks.
When you investigate Guardr, and what we will be adding to it in the coming weeks, you will see it is not for social networking, non-profit fundraising, magazine and news publishing, or image galleries. Guardr is the basis on which to build a secure web application, the likes of which your common national bank security department could approve of.
Module highlights
For the demanding security team who wants mixed-case, role-dependent minimum length, history-constrained, expiring, alpha-numeric passwords, mix it up by force with a password policy.
With all the session hijacking methods out there, lock your site down: enforce SSL, authenticate through LDAP logins, log sessions out automatically after role-dependent idleness, and let them expire otherwise. I should note that you can expire session cookies on browser close by setting session.cookie_lifetime to 0 in settings.php. Just in case you forgot to log out from another terminal, session limits can log out an earlier session automatically.
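To confirm the settings.php change above actually reaches the browser, here is an added checker (not part of Guardr or any Drupal module) that reads raw HTTP response headers and flags a Drupal session cookie that still carries Expires or Max-Age; it also reports a missing Secure or HttpOnly flag, which goes slightly beyond the post's text. The cookie names and headers are constructed samples, and the SESS/SSESS naming pattern assumes Drupal 6 defaults.

```python
"""Audit Drupal session cookies found in raw HTTP response headers."""
import re

# Constructed sample headers (not captured from a real site). Drupal 6 names
# its session cookie SESS<hash>, or SSESS<hash> when served over SSL. Drupal 6's
# default.settings.php ships ini_set('session.cookie_lifetime', 2000000), which
# produces a persistent cookie like the first sample; 0 produces the second.
WEAK_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: SESS0123456789abcdef=kq9x2; expires=Sun, 04-Mar-2012 10:00:00 GMT; path=/
Content-Type: text/html"""

HARDENED_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: SSESS0123456789abcdef=kq9x2; path=/; secure; HttpOnly
Content-Type: text/html"""


def parse_set_cookies(raw_headers):
    """Return a list of (cookie_name, {attribute: value}) per Set-Cookie header."""
    cookies = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
        cookies.append((name, attrs))
    return cookies


def audit_session_cookies(raw_headers):
    """Return {cookie_name: [findings]} for every Drupal session cookie.

    A session cookie carrying Expires or Max-Age survives browser close, which
    is exactly what session.cookie_lifetime = 0 is meant to prevent."""
    findings = {}
    for name, attrs in parse_set_cookies(raw_headers):
        if not re.match(r"S?SESS[0-9a-f]+$", name):
            continue  # not a Drupal session cookie
        issues = []
        if "expires" in attrs or "max-age" in attrs:
            issues.append("persistent: Expires/Max-Age set, outlives browser close")
        if "secure" not in attrs:
            issues.append("missing Secure: cookie would also be sent over plain HTTP")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly: cookie readable by page scripts")
        findings[name] = issues
    return findings
```

Feed it the headers from a real login response and an empty findings list for the session cookie means the browser-close expiry is in effect.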
Roadmap
What I pushed to the Guardr git repository is a drush make collection to help you download the most stable and compatible versions for Drupal 6. In its current state, Guardr for Drupal 6 is incomplete and probably always will be. It is a cross-section of some common modules we use in our production, private intranet sites. As development on Guardr continues, we will be adjusting the module list and adding to the default installation profile a series of pre-configured security defaults which we think are critical to the proper use of Guardr's module set. You might even discover an occasional source hack.
We know, however, that we can't keep track of developments in all the thousands of Drupal contributed modules. New modules obsolete the old, sometimes overlap, or just simply get introduced without us noticing. That is why we are hosting Guardr out in the open, on drupal.org, where we hope you will drop your commentary in the Guardr issue queue.
Note that most of the modules in Guardr have a multi-year track record of continuous maintenance and bug fixes. Guardr is a manifestation of continuing commitment to those modules from myself and, by extension, others with a stake in Drupal security. As we upgrade our customers' private sites from Drupal 6 to 7, we will do the same with Guardr, though you should discover that a big chunk of what we consider the core of Guardr already has Drupal 7 releases.
I plan on making sure Guardr gets all the normal accessories with a .com/.org homepage, logo, marketing of the distribution, and professional maintenance.
An Aside
Guardr, to me, is made possible by what I call the "Drupal co-op". Drupal itself doesn't succeed without the combined, shared efforts of several organizations and hundreds of individuals from those organizations who work both during and after work to keep Drupal moving ahead.
Drupal has an underlying framework, argued over by a small group of developers, which sets the basic structure for revisioned nodes, role assignments to users, node access controls by role, and, to some extent, field-level permissions when you drift into contrib. All along the way, these things have been hooked and are extendable.
Guardr, and by extension, Drupal, will be a success as businesses see it as more than a content management system. Drupal's future is not limited to content management, publishing, social media, blogging, and image galleries. If you examine the deeper guts, it has the composition of a web application, capable of driving commerce and manufacturing.
Join me, and others on the Guardr maintenance team, as we put a new spin on getting business done through Guardr.