From c473be13687ebd98c328f390d936be311dae7db6 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 17 Jan 2018 14:53:40 +0100
Subject: Our configuration files are ending in .rules, not .ini

This commit fixes the documentation, our shipped configuration files,
and the related tests.

Thanks to @remicollet for the tip
---
 config/default.rules | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 config/default.rules

(limited to 'config/default.rules')

diff --git a/config/default.rules b/config/default.rules
new file mode 100644
index 0000000..88398c1
--- /dev/null
+++ b/config/default.rules
@@ -0,0 +1,54 @@
+# Harden the `chmod` function
+sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
+sp.disable_function.function("chmod").param("mode").value_r("o\\+w$").drop();
+
+# Prevent various `mail`-related vulnerabilities
+sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+
+##Prevent various `include`-related vulnerabilities
+sp.disable_function.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
+sp.disable_function.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
+sp.disable_function.function_r("^(?:require|include)_once$").drop();
+sp.disable_function.function_r("^require|include$").drop();
+
+# Prevent `system`-related injections
+sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n]").drop();
+sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n]").drop();
+
+# Prevent runtime modification of interesting things
+sp.disable_function.function("ini_set").param("var_name").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("var_name").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("var_name").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("var_name").value("include_path").drop();
+sp.disable_function.function("ini_set").param("var_name").value("open_basedir").drop();
+
+# Detect some backdoors via environnement recon
+sp.disable_function.function("ini_get").param("var_name").value_r("(?:allow_url_fopen|open_basedir|suhosin)").drop();
+sp.disable_function.function("function_exists").param("function_name").value_r("(?:eval|exec|system)").drop();
+sp.disable_function.function("is_callable").param("var").value_r("(?:eval|exec|system)").drop();
+
+# Ghetto sqli hardening
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("/\\*").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("--").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("#").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r(";.*;").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("benchmark").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("sleep").drop();
+sp.disable_function.function_r("mysqli?_query").param("query").value_r("information_schema").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("/\\*").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("--").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("#").drop();
+sp.disable_function.function("PDO::query").param("query").value_r(";.*;").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("benchmark\\s*\\(").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("sleep\\s*\\(").drop();
+sp.disable_function.function("PDO::query").param("query").value_r("information_schema").drop();
+
+# Ghetto sqli detection
+sp.disable_function.function_r("mysqli?_query").ret("FALSE").drop();
+sp.disable_function.function_r("PDO::query").ret("FALSE").drop();
+
+#File upload
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
-- 
cgit v1.3