diff options
Diffstat (limited to 'doc/source')
| -rw-r--r-- | doc/source/config.rst | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst index 9e9fb83..10b0afd 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst | |||
| @@ -189,6 +189,70 @@ Cookies-related mitigations | |||
| 189 | Since snuffleupagus is providing several hardening features for cookies, | 189 | Since snuffleupagus is providing several hardening features for cookies, |
| 190 | there is a dedicated web page :ref:`here <cookie-encryption-page>` about them. | 190 | there is a dedicated web page :ref:`here <cookie-encryption-page>` about them. |
| 191 | 191 | ||
| 192 | INI Settings Protection | ||
| 193 | ^^^^^^^^^^^^^^^^^^^^^^^ | ||
| 194 | INI settings can be forced to a value, limited by min/max value or regular expression and set read-only mode. | ||
| 195 | |||
| 196 | First, this feature can be enabled or disabled: | ||
| 197 | |||
| 198 | :: | ||
| 199 | |||
| 200 | sp.ini_protection.enable(); | ||
| 201 | sp.ini_protection.disable(); | ||
| 202 | |||
| 203 | The INI protection feature can be set to simulation mode, where violations are only reported, but rules are not enforced: | ||
| 204 | |||
| 205 | :: | ||
| 206 | |||
| 207 | sp.ini_protection.simulation(); | ||
| 208 | |||
| 209 | Rule violations can be set to drop as a global policy, or alternatively be set on individual rules using ``.drop()``. | ||
| 210 | |||
| 211 | :: | ||
| 212 | |||
| 213 | sp.ini_protection.policy_drop(); | ||
| 214 | |||
| 215 | Rules can be set to fail silently without logging anything: | ||
| 216 | |||
| 217 | :: | ||
| 218 | |||
| 219 | sp.ini_protection.policy_silent_fail(); | ||
| 220 | ## or write sp.ini_protection.policy_no_log(); as an alias | ||
| 221 | |||
| 222 | Read-only settings are implemented in a way that the PHP system itself can block the setting, which is very efficient. If you do not need to log read-only violations, these can be set to silent separately: | ||
| 223 | |||
| 224 | :: | ||
| 225 | |||
| 226 | sp.ini_protection.policy_silent_ro(); | ||
| 227 | |||
| 228 | A global access policy can be set to either read-only or read-write. Individual entries can be set to read-only/read-write as well using ``.ro()``/``.rw()``. | ||
| 229 | |||
| 230 | :: | ||
| 231 | |||
| 232 | sp.ini_protection.policy_readonly(); | ||
| 233 | sp.ini_protection.policy_readwrite(); | ||
| 234 | |||
| 235 | Individual rules are specified using ``sp.ini``. These entries can have the following attributes: | ||
| 236 | |||
| 237 | - ``.key("...")``: mandatory ini name. | ||
| 238 | - ``.set("...")``: set the initial value. This overrides php.ini. checks are not performed for this initial value. | ||
| 239 | - ``.min("...")`` / ``.max("...")``: value must be an integer between .min and .max. shorthand notation (e.g. 1k = 1024) is allowed | ||
| 240 | - ``.regexp("...")``: value must match the regular expression | ||
| 241 | - ``.allow_null()``: allow setting a NULL-value | ||
| 242 | - ``.msg("...")``: message is shown in logs on rule violation instead of default message | ||
| 243 | - ``.readonly()`` / ``.ro()`` / .readwrite() / .rw(): set entry to read-only or read-write respectively. If no access keyword is provided, the entry inherits the default policy set by ``sp.ini_protection.policy_*``-rules. | ||
| 244 | - ``.drop()``: drop request on rule violation for this entry | ||
| 245 | - ``.simulation()``: only log rule violation for this entry | ||
| 246 | |||
| 247 | Examples: | ||
| 248 | |||
| 249 | :: | ||
| 250 | |||
| 251 | sp.ini.key("display_errors").set("0").ro(); | ||
| 252 | sp.ini.key("default_socket_timeout").min("1").max("300").rw(); | ||
| 253 | sp.ini.key("highlight.comment").regexp("^#[0-9a-fA-F]{6}$"); | ||
| 254 | |||
| 255 | For more examples, check out the ``config`` directory. | ||
| 192 | 256 | ||
| 193 | readonly_exec | 257 | readonly_exec |
| 194 | ^^^^^^^^^^^^^ | 258 | ^^^^^^^^^^^^^ |