Commit 4e732c6f authored by ale's avatar ale
Browse files

Add the snuffleupagus module, with default config

parent 74be54b8
Pipeline #31632 failed with stage
in 51 seconds
......@@ -17,6 +17,19 @@ PACKAGES="
php-mbstring
php-mysql
php-gd
snuffleupagus
"
PHP_ENABLE_MODULES="
snuffleupagus
"
# Remove access to SYSV IPC to avoid DoS possibilities (Apache
# uses SYSV shared memory).
PHP_DISABLE_MODULES="
sysvmsg
sysvsem
sysvshm
"
# The default bitnami/minideb image defines an 'install_packages'
......@@ -45,6 +58,14 @@ echo "export PHP_FPM_EXPORTER_PORT=\`expr \$APACHE_PORT + 200\`" >> /etc/apache2
# Enable php configuration.
a2enconf -q php7.0-fpm php7.0-fpm-proxy-fcgi
# Enable / disable chosen PHP modules.
for m in ${PHP_DISABLE_MODULES}; do
phpdismod -v ALL -s ALL $m
done
for m in ${PHP_ENABLE_MODULES}; do
phpenmod -v ALL -s ALL $m
done
# Rsync our configuration, on top of /etc.
rsync -a /tmp/conf/ /etc/
......
extension=snuffleupagus.so
sp.configuration_file=/etc/php/snuffleupagus/*.rules
# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io).
# It contains "reasonable" defaults that won't break your websites,
# and a lot of commented directives that you can enable if you want to
# have a better protection.
# Harden the PRNG
sp.harden_random.enable();
# Disabled XXE
sp.disable_xxe.enable();
# Global configuration variables
# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
# Globally activate strict mode
# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
# sp.global_strict.enable();
# Prevent unserialize-related exploits
sp.unserialize_hmac.enable();
# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
sp.readonly_exec.enable();
# Php has a lot of wrappers, most of them aren't usually useful, you should
# only enable the ones you're using.
# sp.wrappers_whitelist.list("file,php,phar");
# Prevent sloppy comparisons.
# sp.sloppy_comparison.enable();
# use SameSite on session cookie
# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
sp.cookie.name("PHPSESSID").samesite("lax");
# Harden the `chmod` function
sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
# Prevent various `mail`-related vulnerabilities
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
# Since it's now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
# This is also burned:
# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
# Since we have no way of matching on two parameters at the same time, we're
# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
# Moreover, there are non-public bypasses that are also using this vector ;)
sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop()
##Prevent various `include`-related vulnerabilities
sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require_once").drop()
sp.disable_function.function("include_once").drop()
sp.disable_function.function("require").drop()
sp.disable_function.function("include").drop()
# Prevent `system`-related injections
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
# Prevent runtime modification of interesting things
sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
# Detect some backdoors via environnement recon
sp.disable_function.function("ini_get").param("var_name").value("allow_url_fopen").drop();
sp.disable_function.function("ini_get").param("var_name").value("open_basedir").drop();
sp.disable_function.function("ini_get").param("var_name").value_r("suhosin").drop();
sp.disable_function.function("function_exists").param("function_name").value("eval").drop();
sp.disable_function.function("function_exists").param("function_name").value("exec").drop();
sp.disable_function.function("function_exists").param("function_name").value("system").drop();
sp.disable_function.function("function_exists").param("function_name").value("shell_exec").drop();
sp.disable_function.function("function_exists").param("function_name").value("proc_open").drop();
sp.disable_function.function("function_exists").param("function_name").value("passthru").drop();
sp.disable_function.function("is_callable").param("var").value("eval").drop();
sp.disable_function.function("is_callable").param("var").value("exec").drop();
sp.disable_function.function("is_callable").param("var").value("system").drop();
sp.disable_function.function("is_callable").param("var").value("shell_exec").drop();
sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
sp.disable_function.function("is_callable").param("var").value("passthru").drop();
# Commenting sqli related stuff to improve performance.
# TODO figure out why these functions can't be hooked at startup
# Ghetto sqli hardening
# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
# Ghetto sqli detection
# sp.disable_function.function("mysql_query").ret("FALSE").drop();
# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
# sp.disable_function.function("PDO::query").ret("FALSE").drop();
# Ensure that certificates are properly verified
sp.disable_function.function("curl_setopt").param("value").value("1").allow();
sp.disable_function.function("curl_setopt").param("value").value("2").allow();
# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
#File upload
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment