Skip to content
Snippets Groups Projects

Add the snuffleupagus module

Open Add the snuffleupagus module
hardening into master
Open ale requested to merge hardening into master
Viewing commit f9867d7a
Prev Next
Show latest version
1 file
+ 39
51
Compare changes
  • Side-by-side
  • Inline
conf/php/snuffleupagus/snuffleupagus.rulesconf/php/snuffleupagus/default.rules
+ 39
51
@@ -6,35 +6,38 @@
# Harden the PRNG
sp.harden_random.enable();
# Disabled XXE
sp.disable_xxe.enable();
# Enable XXE protection
@condition extension_loaded("xml");
sp.xxe_protection.enable();
@end_condition;
# Global configuration variables
# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
#sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
# Globally activate strict mode
# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
# https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict
# sp.global_strict.enable();
# Prevent unserialize-related exploits
sp.unserialize_hmac.enable();
# sp.unserialize_hmac.enable();
# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
sp.readonly_exec.enable();
# Php has a lot of wrappers, most of them aren't usually useful, you should
# PHP has a lot of wrappers, most of them aren't usually useful, you should
# only enable the ones you're using.
# sp.wrappers_whitelist.list("file,php,phar");
sp.wrappers_whitelist.list("file,php,phar");
# Prevent sloppy comparisons.
# sp.sloppy_comparison.enable();
# use SameSite on session cookie
# Use SameSite on session cookie
# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
sp.cookie.name("PHPSESSID").samesite("lax");
# Harden the `chmod` function
sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
sp.disable_function.function("chmod").param("mode").value("438").drop();
sp.disable_function.function("chmod").param("mode").value("511").drop();
# Prevent various `mail`-related vulnerabilities
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
@@ -42,6 +45,13 @@ sp.disable_function.function("mail").param("additional_parameters").value_r("\\-
# Since it's now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
sp.disable_function.function("putenv").param("setting").value_r("GCONV_").drop()
# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
sp.disable_function.function("extract").pos("0").value_r("^_").drop()
sp.disable_function.function("extract").pos("1").value("0").drop()
# This is also burned:
# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
# Since we have no way of matching on two parameters at the same time, we're
@@ -49,7 +59,7 @@ sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
# Moreover, there are non-public bypasses that are also using this vector ;)
sp.disable_function.function("ini_set").param("varname").value_r("open_basedir").drop()
##Prevent various `include`-related vulnerabilities
# Prevent various `include`-related vulnerabilities
sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
@@ -61,21 +71,21 @@ sp.disable_function.function("include").drop()
# Prevent `system`-related injections
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("shell_exec").pos("0").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
# Prevent runtime modification of interesting things
sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
# Detect some backdoors via environnement recon
sp.disable_function.function("ini_get").param("var_name").value("allow_url_fopen").drop();
sp.disable_function.function("ini_get").param("var_name").value("open_basedir").drop();
sp.disable_function.function("ini_get").param("var_name").value_r("suhosin").drop();
sp.disable_function.function("ini_set").param("varname").value("assert.active").drop();
sp.disable_function.function("ini_set").param("varname").value("zend.assertions").drop();
sp.disable_function.function("ini_set").param("varname").value("memory_limit").drop();
sp.disable_function.function("ini_set").param("varname").value("include_path").drop();
sp.disable_function.function("ini_set").param("varname").value("open_basedir").drop();
# Detect some backdoors via environment recon
sp.disable_function.function("ini_get").param("varname").value("allow_url_fopen").drop();
sp.disable_function.function("ini_get").param("varname").value("open_basedir").drop();
sp.disable_function.function("ini_get").param("varname").value_r("suhosin").drop();
sp.disable_function.function("function_exists").param("function_name").value("eval").drop();
sp.disable_function.function("function_exists").param("function_name").value("exec").drop();
sp.disable_function.function("function_exists").param("function_name").value("system").drop();
@@ -89,34 +99,7 @@ sp.disable_function.function("is_callable").param("var").value("shell_exec").dro
sp.disable_function.function("is_callable").param("var").value("proc_open").drop();
sp.disable_function.function("is_callable").param("var").value("passthru").drop();
# Commenting sqli related stuff to improve performance.
# TODO figure out why these functions can't be hooked at startup
# Ghetto sqli hardening
# sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
# sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
# sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
# sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
# sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
# sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
# Ghetto sqli detection
# Ghetto error-based sqli detection
# sp.disable_function.function("mysql_query").ret("FALSE").drop();
# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
# sp.disable_function.function("PDO::query").ret("FALSE").drop();
@@ -128,6 +111,11 @@ sp.disable_function.function("curl_setopt").param("value").value("2").allow();
sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
#File upload
# File upload
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
# Logging lockdown
sp.disable_function.function("ini_set").param("varname").value_r("error_log").drop()
sp.disable_function.function("ini_set").param("varname").value_r("error_reporting").drop()
sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop()