cPanel HF Plugin COMPLETED

Technical summary

hforensic delivers account-level forensic workflows in cPanel without exposing privileged host controls. The PHP UI/API layer invokes hf.sh in restricted mode and provides controlled quarantine, restore, and delete actions with CSRF, path, scope, and metadata integrity protections.

Layered architecture

  1. UI/API: hforensic/forensic.live.php
  2. Runner: hforensic/bin/run_hforensic.sh
  3. Engine: /usr/local/bin/hf.sh

forensic.php remains as a compatibility redirect, so legacy entry URLs keep working and get the .live.php behavior.

Functional scope

  • File browsing restricted to /home/<cpanel_user>.
  • Per-file audit execution with modal output.
  • Evidence timeline and risk cards.
  • Export options:
      - print/PDF
      - TXT
      - evidence JSON
      - PNG snapshot

  • Quarantine lifecycle:
      - move
      - restore
      - delete

  • Safe runweblogs refresh via constrained wrapper.

Security model

Package/install hardening

  • tar entry validation (no traversal/absolute paths),
  • root-required install flow,
  • optional hf.sh checksum enforcement (--hf-sha256),
  • marker/capability checks before activation.

UI/API hardening (PHP)

  • CSRF on state-changing actions,
  • per-action HTTP method enforcement,
  • strict user validation,
  • path normalization and null-byte rejection,
  • sensitive symlink rejection,
  • HMAC-signed quarantine index,
  • security headers (nosniff, same-origin, SAMEORIGIN).

Runner/wrapper hardening

  • strict username regex,
  • target must resolve under /home/<cpanel_user>/,
  • forensic max file size guard (10 MiB),
  • safe hf-runweblogs-safe wrapper:
      - root-only
      - SUDO_USER == CP_USER
      - per-user lock/stamp
      - minimum cooldown (180s default)
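
The first three runner checks above (username pattern, target confined to the account home, 10 MiB size guard) can be sketched as a single shell function. This is an added example, not the plugin's run_hforensic.sh: the username pattern, the return codes and the HF_HOME_BASE override are assumptions made for illustration, and GNU realpath/stat are assumed.

```shell
#!/bin/sh
# Added illustration of the runner checks; not the plugin's own code.
# HF_HOME_BASE is a hypothetical override so the check can be tried outside /home.
HF_HOME_BASE="${HF_HOME_BASE:-/home}"
HF_MAX_BYTES=$((10 * 1024 * 1024))   # 10 MiB guard from the list above

# validate_target USER PATH
# Prints the canonical path and returns 0 when the target is acceptable.
# Assumed return codes: 2 bad username, 3 unresolvable, 4 outside the
# account home, 5 not a regular file, 6 larger than the size guard.
validate_target() {
  local LC_ALL=C                     # make [a-z] mean ASCII only
  local user="$1" target="$2" home resolved size
  # Assumed pattern, equivalent to ^[a-z][a-z0-9_]{0,15}$; the case form
  # also rejects embedded newlines, which a line-based grep would miss.
  case "$user" in
    ''|[!a-z]*|*[!a-z0-9_]*) return 2 ;;
  esac
  [ "${#user}" -le 16 ] || return 2
  # realpath -e resolves every symlink and ".." and fails on missing paths
  home="$(realpath -e -- "$HF_HOME_BASE/$user" 2>/dev/null)" || return 3
  resolved="$(realpath -e -- "$target" 2>/dev/null)" || return 3
  # Compare against "$home/" so /home/alice does not match /home/alice2/...
  case "$resolved" in
    "$home"/*) ;;
    *) return 4 ;;
  esac
  [ -f "$resolved" ] || return 5
  size="$(stat -c %s -- "$resolved")" || return 3
  [ "$size" -le "$HF_MAX_BYTES" ] || return 6
  printf '%s\n' "$resolved"
}

# Stand-alone use: script.sh USER PATH
if [ "$#" -eq 2 ]; then
  validate_target "$1" "$2"
fi
```

The comparison runs on the resolved path, so a symlink inside the account home that points at another tenant's file is rejected with the same code as a direct out-of-scope path.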

Installation

Tarball production path


PKG="cpanel-hf-plugin.tar.gz" && tar -xOf "$PKG" scripts/one_shot_install.sh | \
  bash -s -- --package "$PWD/$PKG" --theme jupiter

Source-tree path


bash scripts/install.sh --theme jupiter

Uninstall


# tarball
PKG="cpanel-hf-plugin.tar.gz" && tar -xOf "$PKG" scripts/one_shot_uninstall.sh | \
  bash -s -- --package "$PWD/$PKG" --theme jupiter

# source tree
bash scripts/uninstall.sh --theme jupiter

Installer outputs

  • /usr/local/cpanel/base/frontend/jupiter/hforensic/
  • /usr/local/bin/hf.sh
  • /usr/local/bin/hf-runweblogs-safe
  • /etc/sudoers.d/hforensic_runweblogs

Plugin registration via /usr/local/cpanel/scripts/install_plugin.

Operational model and limits

  • multi-tenant shared-hosting ready,
  • no root exposure to account users,
  • depends on account log retention/availability,
  • dual anti-spam throttling for log refresh (frontend + backend).

Stack and tooling

  • cPanel Plugin Framework
  • PHP
  • Bash
  • constrained sudo wrapper
  • HMAC metadata integrity

Operational tags

  • cPanel
  • PHP
  • Bash
  • Forensics
  • Plugin Security

Operational outcome

  • Account self-service forensic triage without breaking tenant isolation.
  • Faster first-response path for suspicious file incidents.
  • Repeatable evidence workflow with explicit hardening controls.

Real results

cPanel account-scoped forensic plugin with hf.sh integration, evidence timeline, and controlled quarantine/restore flow under strict security boundaries.

Execution and operations

The project follows a reproducible execution flow, with technical validation in production-like environments.
