generate the rules based on configureable hash

files/snuffleupagus/base.rules

@@ -3,86 +3,3 @@ sp.harden_random.enable();
 
 # Disabled XXE
 sp.disable_xxe.enable();
-
-# based on https://snuffleupagus.readthedocs.io/config.html#miscellaneous-examples
-# Harden the `chmod` function
-# sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
-
-# Prevent various `mail`-related vulnerabilities
-sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
-
-# Since it's now burned, me might as well mitigate it publicly
-sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
-
-##Prevent various `include`-related vulnerabilities
-sp.disable_function.function("require_once").value_r("\.php$").allow();
-# wordpress requires .svg
-sp.disable_function.function("require_once").value_r("\.svg$").allow();
-sp.disable_function.function("include_once").value_r("\.php$").allow();
-sp.disable_function.function("require").value_r("\.php$").allow();
-sp.disable_function.function("include").value_r("\.php$").allow();
-sp.disable_function.function("require_once").drop()
-sp.disable_function.function("include_once").drop()
-# This will crash f.e. drupbal
-# sp.disable_function.function("require").drop()
-# sp.disable_function.function("include").drop()
-
-# Prevent `system`-related injections
-sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();
-sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
-sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop();
-sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
-
-# Prevent runtime modification of interesting things
-sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
-sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
-sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
-sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
-sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
-
-# Detect some backdoors via environnement recon
-sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
-#sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
-#sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
-
-# Ghetto sqli hardening
-# cms like wordpress do include them
-#sp.disable_function.function("mysql_query").param("query").value_r("/\\*").drop();
-#sp.disable_function.function("mysql_query").param("query").value_r("--").drop();
-#sp.disable_function.function("mysql_query").param("query").value_r("#").drop();
-#sp.disable_function.function("mysql_query").param("query").value_r(";.*;").drop();
-#sp.disable_function.function("mysql_query").param("query").value_r("benchmark").drop();
-#sp.disable_function.function("mysql_query").param("query").value_r("sleep").drop();
-# some CMS and ORM's use this to predict the current schema f.e doctrine
-#
-sp.disable_function.function("mysql_query").param("query").value_r("information_schema").drop();
-
-#sp.disable_function.function("mysqli_query").param("query").value_r("/\\*").drop();
-#sp.disable_function.function("mysqli_query").param("query").value_r("--").drop();
-#sp.disable_function.function("mysqli_query").param("query").value_r("#").drop();
-#sp.disable_function.function("mysqli_query").param("query").value_r(";.*;").drop();
-#sp.disable_function.function("mysqli_query").param("query").value_r("benchmark").drop();
-#sp.disable_function.function("mysqli_query").param("query").value_r("sleep").drop();
-# some CMS and ORM's use this to predict the current schema f.e doctrine
-#
-sp.disable_function.function("mysqli_query").param("query").value_r("information_schema").drop();
-
-#sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
-#sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
-#sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
-#sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
-#sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
-#sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
-# some CMS and ORM's use this to predict the current schema f.e doctrine
-#
-sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
-
-# Ghetto sqli detection
-# alot of apps uses the result of mysql_query to check if everythin was right
-# sp.disable_function.function("mysql_query").ret("FALSE").drop();
-# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
-# sp.disable_function.function("PDO::query").ret("FALSE").drop();
-
-#File upload
-sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
-sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();

manifests/snuffleupagus.pp

 # manage a snuffleupagus
 define php::snuffleupagus(
-  Stdlib::Compat::Absolute_Path        $etcdir,
-  Optional[Enum[String,Array[String]]] $source = undef,
+  String                        $group,
+  Stdlib::Compat::Absolute_Path $etcdir,
+  Hash[String,{
+    content => String[1],
+    order   => String[3,3],
+  }]                            $rules = {},
+  Array[String]                 $ignore_rules = [],
 ) {
+  include php::snuffleupagus::global
+  $target_rules = $php::snuffleupagus::global::rules + $rules
   file{
     "${etcdir}/snuffleupagus.d/${name}.rules":
-      ensure  => file,
+      content => template('php/snuffleupagus.erb'),
       owner   => root,
-      group   => 0,
-      mode    => '0644',
-      require => File["${etcdir}/snuffleupagus.d"],
-      notify  => Service["fpm-${name}"],
-  }
-  if $source {
-    File["${etcdir}/snuffleupagus.d/${name}.rules"]{
-      source => $source,
-    }
-  }
+      group   => $group,
+      mode    => '0640',
+  } ~> Service<| title == "fpm-${name}" |>
 }

manifests/snuffleupagus/base.pp

@@ -2,6 +2,7 @@
 define php::snuffleupagus::base(
   Stdlib::Compat::Absolute_Path $etcdir,
 ){
+  include php::snuffleupagus::global
   file{
     "${etcdir}/snuffleupagus.d":
       ensure  => directory,
@@ -13,9 +14,9 @@ define php::snuffleupagus::base(
       mode    => '0644';
     "${etcdir}/snuffleupagus.d/base.rules":
       source => 'puppet:///modules/php/snuffleupagus/base.rules',
-      ensure  => directory,
-      owner   => root,
-      group   => 0,
-      mode    => '0644';
+      ensure => directory,
+      owner  => root,
+      group  => 0,
+      mode   => '0644';
   } ~> Service<| tag == "systemd-php${name}-fpm" |>
 }

manifests/snuffleupagus/global.pp

+class php::snuffleupagus::global(
+  Hash[
+    Pattern[/\A[0-9]{3}\-\w+/, String[1]]
+  ] $base_rules = {},
+){
+  # based on https://snuffleupagus.readthedocs.io/config.html#miscellaneous-examples
+  $rules = {
+    '010-mail-add-params' => '# Prevent various `mail`-related vulnerabilities
+sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();',
+    '020-putenv'          => '# Since it\'s now burned, me might as well mitigate it publicly
+sp.disable_function.function("putenv").param("setting").value_r("LD_").drop();',
+    '030-includes'        => '##Prevent various `include`-related vulnerabilities
+sp.disable_function.function("require_once").value_r("\.php$").allow();
+# wordpress requires .svg
+sp.disable_function.function("require_once").value_r("\.svg$").allow();
+sp.disable_function.function("include_once").value_r("\.php$").allow();
+sp.disable_function.function("require").value_r("\.php$").allow();
+sp.disable_function.function("include").value_r("\.php$").allow();
+sp.disable_function.function("require_once").drop();
+sp.disable_function.function("include_once").drop();',
+    '040-system'          => '# Prevent `system`-related injections
+sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();',
+    '050-runtime-mods' => '# Prevent runtime modification of interesting things
+sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
+sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();',
+    '060-env-recon'       => '# Detect some backdoors via environnement recon
+sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();',
+    '070-file-upload'     => '#File upload
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();',
+  } + $base_rules
+}

templates/snuffleupagus.erb

+<% @target_rules.keys.sort.each do |k|
+  unless @ignore_rules.include?(k) -%>
+<%= @target_rules[k] %>
+<% end
+end -%>