documentation for the ini protection feature

author: Ben Fuhrmannek 2021-08-18 15:13:55 +0200
committer: Ben Fuhrmannek 2021-08-18 15:13:55 +0200
commit: ebf9ee33374e59920da6977f7b7e6b3a5d9a4ce5 (patch)
tree: f512a4f9c7ed2ac293f9de116cb00b007ab0708b
parent: 3f558f11805225f335d700db6076ce75ae4b17b3 (diff)
1 files changed, 64 insertions, 0 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst
index 9e9fb83..10b0afd 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -189,6 +189,70 @@ Cookies-related mitigations
 Since snuffleupagus is providing several hardening features for cookies,
 there is a dedicated web page :ref:`here <cookie-encryption-page>` about them.
+INI Settings Protection
+^^^^^^^^^^^^^^^^^^^^^^^
+INI settings can be forced to a value, limited by min/max value or regular expression and set read-only mode.
+First, this feature can be enabled or disabled:
+::
+  sp.ini_protection.enable();
+  sp.ini_protection.disable();
+The INI protection feature can be set to simulation mode, where violations are only reported, but rules are not enforced:
+::
+  sp.ini_protection.simulation();
+Rule violations can be set to drop as a global policy, or alternatively be set on individual rules using ``.drop()``.
+::
+  sp.ini_protection.policy_drop();
+Rules can be set to fail silently without logging anything:
+::
+  sp.ini_protection.policy_silent_fail();
+  ## or write sp.ini_protection.policy_no_log(); as an alias
+Read-only settings are implemented in a way that the PHP system itself can block the setting, which is very efficient. If you do not need to log read-only violations, these can be set to silent separately:
+::
+  sp.ini_protection.policy_silent_ro();
+A global access policy can be set to either read-only or read-write. Individual entries can be set to read-only/read-write as well using ``.ro()``/``.rw()``.
+::
+  sp.ini_protection.policy_readonly();
+  sp.ini_protection.policy_readwrite();
+Individual rules are specified using ``sp.ini``. These entries can have the following attributes:
+- ``.key("...")``: mandatory ini name.
+- ``.set("...")``: set the initial value. This overrides php.ini. checks are not performed for this initial value.
+- ``.min("...")`` / ``.max("...")``: value must be an integer between .min and .max. shorthand notation (e.g. 1k = 1024) is allowed
+- ``.regexp("...")``: value must match the regular expression
+- ``.allow_null()``: allow setting a NULL-value
+- ``.msg("...")``: message is shown in logs on rule violation instead of default message
+- ``.readonly()`` / ``.ro()`` / .readwrite() / .rw(): set entry to read-only or read-write respectively. If no access keyword is provided, the entry inherits the default policy set by ``sp.ini_protection.policy_*``-rules.
+- ``.drop()``: drop request on rule violation for this entry
+- ``.simulation()``: only log rule violation for this entry
+Examples:
+::
+  sp.ini.key("display_errors").set("0").ro();
+  sp.ini.key("default_socket_timeout").min("1").max("300").rw();
+  sp.ini.key("highlight.comment").regexp("^#[0-9a-fA-F]{6}$");
+For more examples, check out the ``config`` directory.
 readonly_exec
 ^^^^^^^^^^^^^
author	Ben Fuhrmannek	2021-08-18 15:13:55 +0200
committer	Ben Fuhrmannek	2021-08-18 15:13:55 +0200
commit	ebf9ee33374e59920da6977f7b7e6b3a5d9a4ce5 (patch)
tree	f512a4f9c7ed2ac293f9de116cb00b007ab0708b
parent	3f558f11805225f335d700db6076ce75ae4b17b3 (diff)

diff --git a/doc/source/config.rst b/doc/source/config.rst index 9e9fb83..10b0afd 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst
@@ -189,6 +189,70 @@ Cookies-related mitigations
189	Since snuffleupagus is providing several hardening features for cookies,	189	Since snuffleupagus is providing several hardening features for cookies,
190	there is a dedicated web page :ref:`here <cookie-encryption-page>` about them.	190	there is a dedicated web page :ref:`here <cookie-encryption-page>` about them.
191		191
		192	INI Settings Protection
		193	^^^^^^^^^^^^^^^^^^^^^^^
		194	INI settings can be forced to a value, limited by min/max value or regular expression and set read-only mode.
		195
		196	First, this feature can be enabled or disabled:
		197
		198	::
		199
		200	sp.ini_protection.enable();
		201	sp.ini_protection.disable();
		202
		203	The INI protection feature can be set to simulation mode, where violations are only reported, but rules are not enforced:
		204
		205	::
		206
		207	sp.ini_protection.simulation();
		208
		209	Rule violations can be set to drop as a global policy, or alternatively be set on individual rules using ``.drop()``.
		210
		211	::
		212
		213	sp.ini_protection.policy_drop();
		214
		215	Rules can be set to fail silently without logging anything:
		216
		217	::
		218
		219	sp.ini_protection.policy_silent_fail();
		220	## or write sp.ini_protection.policy_no_log(); as an alias
		221
		222	Read-only settings are implemented in a way that the PHP system itself can block the setting, which is very efficient. If you do not need to log read-only violations, these can be set to silent separately:
		223
		224	::
		225
		226	sp.ini_protection.policy_silent_ro();
		227
		228	A global access policy can be set to either read-only or read-write. Individual entries can be set to read-only/read-write as well using ``.ro()``/``.rw()``.
		229
		230	::
		231
		232	sp.ini_protection.policy_readonly();
		233	sp.ini_protection.policy_readwrite();
		234
		235	Individual rules are specified using ``sp.ini``. These entries can have the following attributes:
		236
		237	- ``.key("...")``: mandatory ini name.
		238	- ``.set("...")``: set the initial value. This overrides php.ini. checks are not performed for this initial value.
		239	- ``.min("...")`` / ``.max("...")``: value must be an integer between .min and .max. shorthand notation (e.g. 1k = 1024) is allowed
		240	- ``.regexp("...")``: value must match the regular expression
		241	- ``.allow_null()``: allow setting a NULL-value
		242	- ``.msg("...")``: message is shown in logs on rule violation instead of default message
		243	- ``.readonly()`` / ``.ro()`` / .readwrite() / .rw(): set entry to read-only or read-write respectively. If no access keyword is provided, the entry inherits the default policy set by ``sp.ini_protection.policy_*``-rules.
		244	- ``.drop()``: drop request on rule violation for this entry
		245	- ``.simulation()``: only log rule violation for this entry
		246
		247	Examples:
		248
		249	::
		250
		251	sp.ini.key("display_errors").set("0").ro();
		252	sp.ini.key("default_socket_timeout").min("1").max("300").rw();
		253	sp.ini.key("highlight.comment").regexp("^#[0-9a-fA-F]{6}$");
		254
		255	For more examples, check out the ``config`` directory.
192		256
193	readonly_exec	257	readonly_exec
194	^^^^^^^^^^^^^	258	^^^^^^^^^^^^^