
Free Magento 2 Extension: Git Status Security Report

Do you know if critical files on your site are being changed without your knowledge?

Customer Paradigm’s Magento 2 Git Status: Security Report is a new extension that allows you to find out if any files on your site have been updated or changed.

It uses the Git version control system to keep track of changes to files, and will send you an email if anything was changed but not checked in.

We’ve used this system to quickly detect intrusions on sites that have been hacked. It also allows you to know if developers are working on your site and not committing their changes properly in your version control system.

Instead of relying on your customers to let you know that your site has been attacked and is stealing credit card data, this system will alert you right away if files have been changed.

The director of the FBI famously said, “There are two types of companies: those that have been hacked, and those that don’t know that they’ve been hacked.”

We’ve used this system on many of our Enterprise-grade eCommerce sites to protect them. We’re releasing this to the Magento community as a way to increase security and confidence in the Magento 2 ecosystem.

The Free system:

  • Uses your Git version control system to keep track of changed files on your site.
  • You can set how often you want the system to scan your site for changes (as frequently as every 15 minutes, each hour, each day, etc).
  • The system will email you if any new files are detected or if any files have been changed but not committed to Git.

The extension has been designed not to conflict with other extensions and to work smoothly with Magento 2. You must have Git installed on your server, and your server must allow the script to run a git status command via shell exec. This extension was coded by one of our top, certified Magento 2.0 developers on the Customer Paradigm team. The code has been peer reviewed by the rest of the department and tested extensively.
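The check itself is a plain git status run on a schedule. The following is an added example, not code from the extension or from Customer Paradigm: a POSIX shell script that runs the same command in porcelain form, classifies each line (modified, deleted, untracked, ignored), flags changes under a directory you treat as core, and decides whether a report should go out. It also covers the point raised in the FAQ about image directories: files under a .gitignore'd path are reported only when git is asked for them with --ignored. The sample porcelain output and the CORE_PREFIX default of vendor/ are constructed assumptions, not taken from the extension.

```shell
#!/bin/sh
# Added example, not the extension's own code: classify the output of
# `git status --porcelain` the way a file-change monitor like the one
# described above would, and decide whether a report should go out.
# Needs only a POSIX shell, plus git for check_repo.

# Constructed sample of porcelain (v1) output for the stand-alone demo.
# Columns 1-2 are the index and work-tree status, column 4 onward the path.
# '??' is an untracked (new) file; '!!' is an ignored file, which git
# prints only when run with --ignored.
SAMPLE_PORCELAIN=' M app/etc/env.php
M  app/code/CustomerParadigm/Gitstatus/etc/module.xml
 D vendor/magento/module-checkout/Block/Onepage.php
?? app/code/Unknown/Module/registration.php
!! pub/media/catalog/product/demo.jpg'

# summarize_porcelain: read porcelain lines on stdin, print one summary
# line with a count per category.
summarize_porcelain() {
  sp_mod=0 sp_del=0 sp_new=0 sp_ign=0 sp_other=0
  while IFS= read -r sp_line || [ -n "$sp_line" ]; do
    case "$sp_line" in
      '') ;;
      '?? '*) sp_new=$((sp_new+1)) ;;                  # untracked: a new file
      '!! '*) sp_ign=$((sp_ign+1)) ;;                  # ignored: only with --ignored
      ?D' '*|D?' '*) sp_del=$((sp_del+1)) ;;           # deleted in index or work tree
      [MARC]?' '*|?[MARC]' '*) sp_mod=$((sp_mod+1)) ;; # modified/added/renamed/copied
      *) sp_other=$((sp_other+1)) ;;                   # e.g. UU merge conflicts
    esac
  done
  printf 'MODIFIED=%d DELETED=%d UNTRACKED=%d IGNORED=%d OTHER=%d\n' \
    "$sp_mod" "$sp_del" "$sp_new" "$sp_ign" "$sp_other"
}

# needs_report: exit 0 when stdin holds any change worth emailing about
# (anything except ignored files), 1 when the tree is clean.
needs_report() {
  nr_summary=$(summarize_porcelain)
  case "$nr_summary" in
    'MODIFIED=0 DELETED=0 UNTRACKED=0 IGNORED='*' OTHER=0') return 1 ;;
  esac
  return 0
}

# core_hits: print changed paths that fall under a directory nobody should be
# editing day to day. CORE_PREFIX defaults to vendor/ (where Composer-installed
# Magento 2 core modules live); that default is an assumption, adjust it.
core_hits() {
  ch_prefix=${CORE_PREFIX:-vendor/}
  while IFS= read -r ch_line || [ -n "$ch_line" ]; do
    case "$ch_line" in
      ''|'!! '*) ;;                      # ignored files are not changes
      *) ch_path=${ch_line#???}          # drop the two status columns and the space
         case "$ch_path" in "$ch_prefix"*) printf '%s\n' "$ch_path" ;; esac ;;
    esac
  done
}

# check_repo DIR: the real thing, run against a working copy the way the
# scheduled job does. Prints the summary; exit 0 means "send the email".
check_repo() {
  cr_out=$(git -C "$1" status --porcelain) || return 2
  printf '%s\n' "$cr_out" | summarize_porcelain
  printf '%s\n' "$cr_out" | needs_report
}

# Run against a real working copy when a directory is given, otherwise demo.
if [ $# -gt 0 ]; then
  check_repo "$1"
else
  printf '%s\n' "$SAMPLE_PORCELAIN" | summarize_porcelain
  printf '%s\n' "$SAMPLE_PORCELAIN" | core_hits
fi
```

Run it with the path of a Magento root to get the same yes/no answer the extension acts on; pass --ignored to git inside check_repo if you also want to see what your .gitignore hides from the report.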


Pricing: Magento 2 Git Status Security Report Extension:

Price: Free Until May 1, 2017

Magento Versions Supported:

  • Magento Community Edition (CE): 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.1.4
  • Magento Enterprise Edition (EE): 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.1, 2.1.2, 2.1.3, 2.1.4

Installation / Setup / Training / Configuration Available. If you would like us to help you install and configure the extension, we are happy to do this on an hourly basis for you. Please contact us >>

Customization Available. If you have special requirements for how you would like the Magento 2 Git Status Extension to work with your site, please let us know. We can modify the extension to meet your business needs. For example, perhaps you want only a specific person to be notified if a specific file changes. We can do this, but for user experience reasons, these features were not included in this extension. Please contact us >>


This extension is available to be downloaded for free here:

(We ask that you fill out this form so that if we have security or other updates to the extension that we can notify you.)

Need help with Magento? Call 303.473.4400 or visit here to have a real person contact you now >>


Admin Configuration for Magento 2 Git Status Extension:

The end user of your Magento 2 site will not see any part of this extension. If the Git Status extension does its job, your Magento 2 site will continue to run, without unauthorized changes to the site.

From the admin menu, you’ll see the “Git Status Security Report” extension listed under the “System” tab under “Tools”:

Git Status Security Report - Admin Menu View: System -- Tools - Git Status Security Report

Step 1. Git Status Settings – Select Cron settings:

On this page, you’ll select when the Git Status Magento 2 extension will run.

First, you can select the status of the extension:

Select Status - Enabled - Disabled

If you select “Enabled” then the system will run. If it’s disabled, it won’t run.

Second, you have lots of different options to configure when the script will run. We’ve tried to make it as easy as possible for you, the admin, to set when it runs, with maximum flexibility.

Note: the Git Status report time settings will use the time zone that you set for your main Magento 2 store.

Minute:

You can have the Git Status system run every 15 minutes, or at the start of each hour, 15 minutes after the hour, 30 minutes after the hour, or 45 minutes after each hour:

Run Cron Every 15 Minutes, or at top bottom or quarter of each hour.

Hour: You can have the system run every hour, or just at a specific time of the day (i.e. 6:00 am)

Note: right now, you cannot set the system to run twice a day (i.e. 6 am and 6 pm)

Run Git Status via Cron every hour, or just a specific hour of the day.

 

Day of the Month:

You can have the Git Status Magento 2 Report run every day of the month, or just on a specific day of the month (such as the 2nd day of each month):

Run Git Status for Magento 2 Cron every day of the month, or just on a selected day.

 

Month: You can have the system run every month, or just on a selected month, such as the month of June:

Run Git Status report every month, or just on a specific month.

 

Day of the Week: You can run the Git Status Magento 2 Report each and every day, or just on specific days (such as Tuesdays).

Run Git Status for Magento 2 every day of the week, or just on a specific day of the week, such as a Monday.

 

How often should you run the Git Status report?

It depends on how paranoid you are.

If you regularly wear a tin foil hat and are super paranoid, you can run the script every 15 minutes. You’ll get a lot of emails with this method, too. For example, let’s say your developer makes a change to the site at 5:00 pm on Friday, and then leaves for the weekend. But he doesn’t commit the changes to git. By Monday morning at 9:00 am, the system will have sent you 255 emails (One email every 15 minutes for 64 hours). This may impact your system performance – the git status can take up memory resources to run. It might also be an annoying way to fill up your email inbox.

If you’re as paranoid as I am, run the script every hour, but only have it send you emails if there are changes. (You’ll get a lot of emails, though. In the example above, you’d receive about 64 emails between Friday at 5:00 pm and Monday morning at 9:00 am.)

If you’re just worried about unwanted changes on your site, run the script once a day at 6:00 am. Why in the morning? Then you have all day to track down a developer and have them fix the site. If you run it at 6:00 pm, then you’ll just worry all night (unless you have developers who are complete night owls and only start waking up at 6:00 pm).

How do you set up the Cron settings in the Git Status Magento 2 Extension? Here are several practical examples:

Example 1: Run Every Hour

To run the system every hour, at the top of the hour, use these selections:

Run Git Status Security Report Every Hour on the Hour - Cron settings

 

Example 2: Run Git Status Every 15 Minutes

For the truly paranoid, use these settings to run the script every 15 minutes.

Beware: this will send you a LOT of emails if you have uncommitted changes.

Run Git Status Security Report Every 15 Minutes

 

Example 3: Run Git Status Every Day at 6 am (Recommended Setting)

If you’d like to run the system every day at 6:00 am, select this setting.

 

Run Git Status Security Report Every day at 6:00 am

 

Example 4: Run Git Status Every Monday Morning at 9:45 am

Once a week might be more than enough – especially if this is just something you want to run on a development server and keep track of uncommitted git changes.

Here’s how to run the Magento 2 extension every Monday morning at 9:45 am:

Run Git Status Security Report Every Monday Morning at 9:45 am

Example 5: Run Git Status Report at 5:30 pm on the 1st Day of Every Month

So, if you only want the script to run once a month, on the first day of the month at 5:30 pm, here’s how to do this:

Run Git Status Security Report Every 1st day of the month at 5:30 pm

 

Example 6: Run Git Status Every Thursday at 6:00 am:

To run the Magento 2 Git Status Security Report script every Thursday at 6:00 am, please use these cron settings:

Run Git Status Security Report Every Thursday at 6:00 am

 

 

Example 7: Run Every 15 Minutes During the Month of November:

Okay… so perhaps you’re only paranoid during a single month of the year (i.e. big holiday online shopping season for Black Friday). We’ve made it possible for you to run the Magento 2 Git Status Report every 15 minutes, but only during the month of November:

Run Git Status Security Report Every 15 Minutes, but only in the month of November
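The selections above are the five fields of a standard cron schedule (minute, hour, day of month, month, day of week). The following is an added example, not code from the extension or from Customer Paradigm: a small POSIX shell matcher that lets you check what a schedule will do before you save it, with the seven examples written out as cron expressions. The mapping from the settings-page selections to these expressions is my rendering, not the extension's stored format. For comparison it also includes the 6 am and 6 pm schedule that the note under Hour says the settings page cannot express, so you can see what that limitation costs in a single line.

```shell
#!/bin/sh
# Added example, not part of the Git Status extension: a matcher for the
# five-field cron schedule the settings page builds. Supports '*', '*/n',
# single values and comma lists, which covers every selection shown on the
# page (ranges such as 1-5 are not needed here and are not handled). Day of
# week is 0-6 with 0 = Sunday, as in crontab(5).

# field_matches FIELD VALUE: exit 0 if the numeric VALUE satisfies FIELD.
field_matches() {
  fm_rest=$1 fm_value=$2
  while :; do
    fm_part=${fm_rest%%,*}               # next comma-separated element
    case "$fm_part" in
      '*') return 0 ;;
      '*/'*)                              # every n units
        fm_step=${fm_part#??}
        if [ "$fm_step" -gt 0 ] 2>/dev/null && [ $((fm_value % fm_step)) -eq 0 ]; then
          return 0
        fi ;;
      *)
        if [ "$fm_part" -eq "$fm_value" ] 2>/dev/null; then return 0; fi ;;
    esac
    [ "$fm_rest" = "$fm_part" ] && return 1   # no more elements
    fm_rest=${fm_rest#*,}
  done
}

# cron_matches "MIN HOUR DOM MON DOW" minute hour dom month dow:
# exit 0 if the schedule fires at that instant.
cron_matches() {
  set -f                                  # keep '*' from globbing filenames
  set -- $1 "$2" "$3" "$4" "$5" "$6"      # $1..$5 = fields, $6..$10 = time parts
  set +f
  field_matches "$1" "$6" && field_matches "$2" "$7" && field_matches "$4" "$9" || return 1
  # crontab(5): when both day fields are restricted, either one may match.
  if [ "$3" = '*' ] || [ "$5" = '*' ]; then
    field_matches "$3" "$8" && field_matches "$5" "${10}"
  else
    field_matches "$3" "$8" || field_matches "$5" "${10}"
  fi
}

# fires_per_day "EXPR" dom month dow: how many times the schedule fires on
# that calendar day (all 1440 minutes are checked). This is also the number
# of emails per day if "always send" is selected.
fires_per_day() {
  fpd_expr=$1 fpd_dom=$2 fpd_mon=$3 fpd_dow=$4 fpd_n=0 fpd_h=0
  while [ "$fpd_h" -lt 24 ]; do
    fpd_m=0
    while [ "$fpd_m" -lt 60 ]; do
      cron_matches "$fpd_expr" "$fpd_m" "$fpd_h" "$fpd_dom" "$fpd_mon" "$fpd_dow" && fpd_n=$((fpd_n+1))
      fpd_m=$((fpd_m+1))
    done
    fpd_h=$((fpd_h+1))
  done
  echo "$fpd_n"
}

# The page's seven examples as cron expressions (my rendering of the
# settings-page selections, not the extension's stored format).
EVERY_HOUR='0 * * * *'          # Example 1: top of every hour
EVERY_15_MIN='*/15 * * * *'     # Example 2: every 15 minutes
DAILY_6AM='0 6 * * *'           # Example 3: every day at 6:00 am
MONDAY_0945='45 9 * * 1'        # Example 4: Mondays at 9:45 am
FIRST_1730='30 17 1 * *'        # Example 5: 1st of the month at 5:30 pm
THURSDAY_6AM='0 6 * * 4'        # Example 6: Thursdays at 6:00 am
NOVEMBER_15_MIN='*/15 * * 11 *' # Example 7: every 15 minutes, November only
TWICE_DAILY='0 6,18 * * *'      # 6 am and 6 pm: not selectable on the settings page

# Stand-alone demo: daily email volume for the three schedules discussed above.
if [ $# -eq 0 ]; then
  printf 'daily 6am: %s/day  every hour: %s/day  every 15 min: %s/day\n' \
    "$(fires_per_day "$DAILY_6AM" 14 3 2)" "$(fires_per_day "$EVERY_HOUR" 14 3 2)" \
    "$(fires_per_day "$EVERY_15_MIN" 14 3 2)"
fi
```

Use cron_matches with a concrete minute, hour, day, month and weekday to confirm a schedule fires when you expect it to and stays quiet otherwise; fires_per_day turns the "how often" question above into the number of emails you will get per day with "always send" selected.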

 

Step 2: Email Settings for Magento 2 – Git Status Security Report

 

FROM Email Address:

In this form field, you can set the FROM email address of your Git Status Report.

Send FROM Email Address for the Git Status Email Report

Important notes:

  • This should ONLY be a single email address.
  • The email address you are sending from should match the domain name of your Magento site.
  • You may wish to include the Magento site in your safe senders list / white list, and/or add this email address to your address book.
  • If you use a Gmail or Yahoo email address, your server probably doesn’t have authority to send on behalf of that domain.

Email Addresses for Report:

In this field, enter in the email address or email addresses that you want to receive the report.

For multiple emails, separate them with a comma.

Git Status - Email Recipients

Important note: if you add your boss to this email, and your developer has uncommitted changes, your boss will receive these emails. Don’t upset your boss with unwanted emails!

Subject Line:

Use this field to set a custom subject line for the email reports. You might want to include the site’s name (if you have multiple websites).

Git Status - Subject line for emails

Email Status Selection:

Use this selection to determine if you want an email sent every time the Git Status script runs (i.e. every hour) or only if there are uncommitted changes to the system.

Email status - when change detected or always send email

Personally, I have the system run once a day, and always send an email. Why? This creates trust and confidence that the system is working and watching. I can deal with one email every single day that says my site is secure. This might be a good way to promote trust and confidence with your boss in your organization.

Others might want the system to run every hour, but let them know if there are uncommitted changes. The drawback to this is that if the changes aren’t committed to Git, then you’ll receive an email every hour until the changes are committed into Git.

Git Status Emails:

Here’s a copy of the Git Status Security Check emails:

This one shows uncommitted changes (in this case, to the Git Status extension itself):

Git Status Security Check - email when branch is not up to date.

 

This email shows a clean git status, with nothing to report:

Git Status email - clean branch with nothing to commit.

 


FAQ – Common Questions about the Magento 2 Git Status Security Report Module

Q: Will this work if I don’t use GIT?

A: No. In order for this system to work, your site needs to use the Git version control system. And your developers must be checking in their work on a frequent basis.


Q: I keep getting the same email saying that there are uncommitted changes to my site. Should I worry?

A: What this means is that there have been changes to your file system since the last time someone committed their changes to Git. If you know that nobody should be working on your site, then yes – changed files may be a sign that there have been updates to your site without your permission. If any of the files are in the core directory, this could be a sign that something is off with your site.


Q: Can I run this on my staging and development sites, too?

A: Yes, although you may not want to run the system as frequently on a development site.


Q: I’m not receiving the git status emails. Why not?

A: There are a few reasons why you might not be receiving emails from the Git Status system:

  • First – Cron *must* be enabled and running for this system to work properly. If cron is not enabled, the report cannot be triggered.
  • Second, make sure that the email address you are sending FROM (i.e. in the FROM line) has permission to send from your server. For example, if your server is XYZ-Corp.com, you should likely be able to send FROM info@XYZ-Corp.com.
  • You may need to check with your email provider to make sure that this server is whitelisted.
  • We recommend making sure that the email address you are sending FROM is in your address book in your email program.
  • We also recommend having an SPF record that gives permission via DNS to send email on behalf of the domain. Beyond this, if your transactional emails are sending from the server (i.e. the order confirmation emails), then Git Status should be able to send properly as well.
  • Make sure that sendmail or another outbound email sending program is enabled.

Q: If I see changed files, does this mean my site was hacked?

A: Maybe. Or, perhaps someone on your team uploaded or changed files on the site. Or your server company did a security update. All this report will tell you is that files were changed on your site.


Q: I uploaded a file to my images directory, but it doesn’t show up on the report?

A: Most of the time, your image directory is not tracked by Git. Specific file types or directories are listed in your .gitignore file. This is done to keep the Git repository from growing too large with large video or image files; Git normally tracks just your system files. If someone adds bad files to a directory that is excluded by your .gitignore, the system will not be able to report the change.


Q: Can my site still be hacked with this script running?

A: Yes, your site can still be vulnerable. What the Git status script does is alert you if any of the files in the system change. Unless your attacker is also committing files into your Git repository (which we have not seen anyone do), this will alert you, depending on when the script runs.


Q: Will Git Status show folder or file permission changes?

A: No. Git does not currently track if folders or files have permissions changed as part of their version control system. Git only keeps track of changes to the files.


Q: I don’t have Git installed on my site. Can Customer Paradigm help me install git?

A: Yes… we’re happy to help on a consulting basis. Please contact us at 303.473.4400 or visit here to have a real person contact you now >>.


Q: I don’t understand what the report means. Can Customer Paradigm help me understand the report?

A: Yes… contact us at 303.473.4400 or visit here to have a real person contact you now >>.


Q: Can Customer Paradigm install this for me on my Magento 2 site?

A: Yes… contact us at 303.473.4400 or visit here to have a real person contact you now >>.


Q: Can Customer Paradigm customize this extension for my Magento 2 site?

A: Yes… we’re happy to help! Please contact us at 303.473.4400 or visit here to have a real person contact you now >>.


Installation of the Magento 2 Git Status Security Report Extension:

Git Status File Tree for the Magento 2 app

Before using the Git Status extension in your Magento 2.0 store, it must be properly installed so that your Magento site knows the extension exists.

How to Install Extension:

To install the Magento 2.0 Git Status security extension, please follow these steps:

  1. (Recommended) Run a backup of the code base and database.
  2. Download the installation package.
  3. Unpack the installation package and upload to your store’s root folder.
  4. Using SSH, login and navigate to your store’s root folder.
  5. Enter the following command:  php -f bin/magento module:enable CustomerParadigm_Gitstatus
  6. Then enter the following command: php -f bin/magento setup:upgrade
  7. Please flush system cache by navigating to System->Tools->Cache Management from the admin panel.
  8. Log out and log back into the admin panel.
  9. If you have successfully processed these steps, you should now see the Magento 2 Git Status Security Report extension active in your admin area (displayed above).

 


Uninstall / Removing the Extension – Magento 2:

Perhaps this module doesn’t work for your Magento 2 site. One of the most annoying things in the past is that once a module or extension is installed, it’s next to impossible to remove from your system. (That’s why we often see many, many extensions that have been turned off, but are still part of the code base.)

We make it easy to remove the extension.

Magento 2 does not have a fully defined mechanism with which to fully uninstall an extension. What follows is a detailed list of steps to fully remove the code and custom database tables associated with this extension:

How to Uninstall Extension:

To uninstall the Magento 2 extension, please follow these steps:

  1. (Recommended) Run a backup of the code base and database.
  2. Using SSH, login and navigate to your store’s root folder.
  3. Enter the following command:

php -f bin/magento module:uninstall CustomerParadigm_Gitstatus

Please flush system cache by navigating to System->Tools->Cache Management from the admin panel.

To ensure the extension has been disabled, log back into the admin panel and look under the System tab under Tools. If Git Status Security Report is no longer listed there, your extension has been disabled.

You may now delete all of the code associated with the extension located (from your Magento root folder) at: app/code/CustomerParadigm/Gitstatus

The Git Status extension adds an additional database table called cp_gitstatus_cron to your Magento 2.0 store. You may remove this table directly from your MySQL database.


Questions? Contact us at 303.473.4400 or visit here to have a real person contact you now >>.
