Commit 1d5cd4ab authored by mh's avatar mh

generate the rules based on a configurable hash

parent 46936a10
......@@ -3,86 +3,3 @@ sp.harden_random.enable();
# Disabled XXE
sp.disable_xxe.enable();
# based on https://snuffleupagus.readthedocs.io/config.html#miscellaneous-examples
# Harden the `chmod` function
# sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
# Prevent various `mail`-related vulnerabilities
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
# Since it's now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
##Prevent various `include`-related vulnerabilities
sp.disable_function.function("require_once").value_r("\.php$").allow();
# wordpress requires .svg
sp.disable_function.function("require_once").value_r("\.svg$").allow();
sp.disable_function.function("include_once").value_r("\.php$").allow();
sp.disable_function.function("require").value_r("\.php$").allow();
sp.disable_function.function("include").value_r("\.php$").allow();
sp.disable_function.function("require_once").drop()
sp.disable_function.function("include_once").drop()
# This will crash f.e. drupbal
# sp.disable_function.function("require").drop()
# sp.disable_function.function("include").drop()
# Prevent `system`-related injections
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();
sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop();
sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
# Prevent runtime modification of interesting things
sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
# Detect some backdoors via environnement recon
sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
#sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
#sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
# Ghetto sqli hardening
# cms like wordpress do include them
#sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
#sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
#sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
#sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
#sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
#sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
# some CMS and ORM's use this to predict the current schema f.e doctrine
#
sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
#sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
#sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
#sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
#sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
#sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
#sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
# some CMS and ORM's use this to predict the current schema f.e doctrine
#
sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
#sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
#sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
#sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
#sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
#sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
#sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
# some CMS and ORM's use this to predict the current schema f.e doctrine
#
sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
# Ghetto sqli detection
# alot of apps uses the result of mysql_query to check if everythin was right
# sp.disable_function.function("mysql_query").ret("FALSE").drop();
# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
# sp.disable_function.function("PDO::query").ret("FALSE").drop();
#File upload
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
# manage a snuffleupagus
define php::snuffleupagus(
Stdlib::Compat::Absolute_Path $etcdir,
Optional[Enum[String,Array[String]]] $source = undef,
String $group,
Stdlib::Compat::Absolute_Path $etcdir,
Hash[String,{
content => String[1],
order => String[3,3],
}] $rules = {},
Array[String] $ignore_rules = [],
) {
include php::snuffleupagus::global
$target_rules = $php::snuffleupagus::global::rules + $rules
file{
"${etcdir}/snuffleupagus.d/${name}.rules":
ensure => file,
content => template('php/snuffleupagus.erb'),
owner => root,
group => 0,
mode => '0644',
require => File["${etcdir}/snuffleupagus.d"],
notify => Service["fpm-${name}"],
}
if $source {
File["${etcdir}/snuffleupagus.d/${name}.rules"]{
source => $source,
}
}
group => $group,
mode => '0640',
} ~> Service<| title == "fpm-${name}" |>
}
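Review bot: The `$rules` parameter is typed as a hash of `{content, order}` structs, but `$target_rules` merges it with `$php::snuffleupagus::global::rules`, whose values are plain strings, and the template prints each value with `<%= @target_rules[k] %>`, so a caller-supplied struct would be rendered into the `.rules` file as a Ruby hash literal rather than as a snuffleupagus rule, and `order` is never read anywhere visible. Either declare the parameter like the global class, `Hash[Pattern[/\A[0-9]{3}-\w+/], String[1]] $rules = {},`, or have the template emit the `content` member; I would also verify that `Hash[String,{ ... }]` parses at all, since a struct type is normally written `Struct[{ ... }]`. Note too that `+` gives the right-hand hash precedence, so a caller reusing a baseline key such as `'040-system'` silently replaces that hardening rule rather than adding to it; a comment on the parameter, `# keys colliding with php::snuffleupagus::global::rules override the baseline rule; use $ignore_rules to drop one`, would make that explicit.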
......@@ -2,6 +2,7 @@
define php::snuffleupagus::base(
Stdlib::Compat::Absolute_Path $etcdir,
){
include php::snuffleupagus::global
file{
"${etcdir}/snuffleupagus.d":
ensure => directory,
......@@ -13,9 +14,9 @@ define php::snuffleupagus::base(
mode => '0644';
"${etcdir}/snuffleupagus.d/base.rules":
source => 'puppet:///modules/php/snuffleupagus/base.rules',
ensure => directory,
owner => root,
group => 0,
mode => '0644';
ensure => directory,
owner => root,
group => 0,
mode => '0644';
} ~> Service<| tag == "systemd-php${name}-fpm" |>
}
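Review bot: `${etcdir}/snuffleupagus.d/base.rules` is declared with `ensure => directory` while also being given `source => 'puppet:///modules/php/snuffleupagus/base.rules'`, and the mismatch is present on both sides of this hunk, so the commit carries it forward; unless a directory of that name is really intended, this should read `ensure => file,` so the baseline file is actually written from the module source. As written, the harden_random and disable_xxe settings that remain in base.rules would not be installed by this resource, which silently weakens the baseline. The `include php::snuffleupagus::global` added at the top of the define is not referenced by anything in the visible body; if it exists only to force the class to be evaluated, a one-line comment saying so would save the next reader a search.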
class php::snuffleupagus::global(
Hash[
Pattern[/\A[0-9]{3}\-\w+/, String[1]]
] $base_rules = {},
){
# based on https://snuffleupagus.readthedocs.io/config.html#miscellaneous-examples
$rules = {
'010-mail-add-params' => '# Prevent various `mail`-related vulnerabilities
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();',
'020-putenv' => '# Since it\'s now burned, me might as well mitigate it publicly
sp.disable_function.function("putenv").param("setting").value_r("LD_").drop();',
'030-includes' => '##Prevent various `include`-related vulnerabilities
sp.disable_function.function("require_once").value_r("\.php$").allow();
# wordpress requires .svg
sp.disable_function.function("require_once").value_r("\.svg$").allow();
sp.disable_function.function("include_once").value_r("\.php$").allow();
sp.disable_function.function("require").value_r("\.php$").allow();
sp.disable_function.function("include").value_r("\.php$").allow();
sp.disable_function.function("require_once").drop();
sp.disable_function.function("include_once").drop();',
'040-system' => '# Prevent `system`-related injections
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();
sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop();
sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();',
'050-runtime-mods' => '# Prevent runtime modification of interesting things
sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();',
'060-env-recon' => '# Detect some backdoors via environnement recon
sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();',
'070-file-upload' => '#File upload
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();',
} + $base_rules
}
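Review bot: The closing bracket of `Pattern[...]` in the `$base_rules` type is misplaced: `Hash[Pattern[/\A[0-9]{3}\-\w+/, String[1]]]` passes `String[1]` as a second argument to `Pattern`, which accepts only regexes, instead of as the Hash value type, so the class will not be accepted as written. The intended declaration is `Hash[Pattern[/\A[0-9]{3}-\w+/], String[1]] $base_rules = {},`. Separately, the rules are now held in single-quoted Puppet strings, where `\\` collapses to a single backslash, so `value_r("\\-")`, `value_r("[$|;&`\\n]")` and `value_r("\\.ph")` will be emitted with one backslash fewer than the base.rules lines they replace; either write them as `\\\\` or confirm that snuffleupagus parses `\-`, `\n` and `\.ph` as intended, and diff the generated `.rules` file against the old base.rules before rolling this out, since a regex that no longer matches is a hardening rule that no longer fires. A short comment above `$rules` noting that the template emits entries in lexical key order, so the `NNN-` prefix is what positions a rule, would also help maintainers.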
<% @target_rules.keys.sort.each do |k|
unless @ignore_rules.include?(k) -%>
<%= @target_rules[k] %>
<% end
end -%>
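Review bot: Rule order in the generated file comes from `@target_rules.keys.sort`, and the allow-before-drop layout of the includes block suggests snuffleupagus evaluates rules in order, yet only the global class constrains keys to an `NNN-` prefix; a key supplied through the define's `$rules` without a numeric prefix sorts after every baseline rule, which may or may not be what the caller intends. I would open the template with a header comment, `# Managed by Puppet (php/snuffleupagus.erb): rules are emitted in lexical key order, use an NNN- prefix to position a rule`, so the ordering contract is visible in the rendered file. Note also that `@ignore_rules.include?(k)` is an exact-string match, so a misspelled entry silently ignores nothing; that fails safe, but is worth stating in the same comment.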