SNGCheck

BeF edited this page Jul 20, 2022 · 1 revision

The SNGCheck tool provides runtime checks for common Snuffleupagus configuration mistakes. Checks include:

  • Feature checks: Find unused or misconfigured snuffleupagus features.
  • Unit tests for INI protection feature: Assert that certain INI changes only work within the configured range.
  • Unit tests for disabled functions: Assert that certain functions can or cannot be called with the configured parameters.
  • Regex overlap check for disabled functions and cookies: Check that rules do not overlap by matching names against regular expressions.

All checks are performed by extracting the configuration from a running PHP instance loaded with snuffleupagus. After that, the extracted configuration is checked against the feature checks and the configured unit tests.

INI unit tests

A unit test for INI settings is a special comment line added to the snuffleupagus configuration: the #%INI marker, followed by PASS or FAIL, followed by the INI setting's key and value, e.g.

#%INI FAIL highlight.comment abc
#%INI PASS highlight.comment #aabbcc

Disabled functions unit tests

Just like INI unit tests, disabled functions unit tests start with a special comment marker (#%DF), followed by PASS or FAIL. Then comes the name of the function to test against the rules, followed by key/value pairs. The following keys are available:

  • FILENAME: filename of the hypothetical file
  • HASH: hash value of the hypothetical file
  • PARAM: parameter name
  • POS: parameter position
  • LINE: line number in the hypothetical file
  • RET: return value of the function
  • VALUE: value of the parameter specified by POS or PARAM, or all parameters if POS/PARAM are missing
  • KEY: key for array matching as provided by some rules
  • VAR: variable name provided by some rules
  • IP: IP address for CIDR matching

Examples:

#%DF PASS system POS 0 PARAM cmd VALUE "echo 123"
#%DF PASS system RET 2
#%DF PASS shell_exec PARAM cmd VALUE id IP 0.0.0.1
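As an added illustration of the two directive formats described above (INI unit tests and disabled functions unit tests), here is a small parser that extracts and validates such lines from a configuration file. It is example code written for this page, not SNGCheck's own parser; the assumption that values are tokenised shell-style (so a quoted VALUE like "echo 123" stays one token) and the sample configuration are constructed here.

```python
import shlex
from dataclasses import dataclass, field

# Keys the page lists for "#%DF" (disabled functions) unit tests.
DF_KEYS = {"FILENAME", "HASH", "PARAM", "POS", "LINE", "RET", "VALUE", "KEY", "VAR", "IP"}

@dataclass
class UnitTest:
    kind: str                 # "INI" or "DF"
    expect: str               # "PASS" or "FAIL"
    subject: str              # INI key, or the function name for DF tests
    args: dict = field(default_factory=dict)  # INI: {"value": ...}; DF: key/value pairs

def parse_test_line(line: str):
    """Parse one '#%INI' / '#%DF' directive; return None for any other line."""
    stripped = line.strip()
    if not stripped.startswith("#%"):
        return None  # ordinary comment or sp.* rule, not a unit test
    # Assumption: shell-style tokens; comments=False (default) keeps "#aabbcc" intact.
    tokens = shlex.split(stripped[2:])
    if len(tokens) < 3 or tokens[1] not in ("PASS", "FAIL"):
        raise ValueError(f"malformed test directive: {line!r}")
    kind, expect, subject, rest = tokens[0], tokens[1], tokens[2], tokens[3:]
    if kind == "INI":
        if len(rest) != 1:
            raise ValueError(f"INI test needs exactly one value: {line!r}")
        return UnitTest(kind, expect, subject, {"value": rest[0]})
    if kind == "DF":
        if len(rest) % 2:
            raise ValueError(f"DF test has a key without a value: {line!r}")
        pairs = dict(zip(rest[0::2], rest[1::2]))
        unknown = set(pairs) - DF_KEYS
        if unknown:
            raise ValueError(f"unknown DF key(s) {sorted(unknown)} in {line!r}")
        return UnitTest(kind, expect, subject, pairs)
    raise ValueError(f"unknown test kind {kind!r} in {line!r}")

def parse_config(text: str):
    """Collect every unit test directive from a snuffleupagus configuration."""
    return [t for t in map(parse_test_line, text.splitlines()) if t is not None]

# Constructed sample: the page's example directives plus a line that is not a test.
SAMPLE_CONFIG = """\
# plain comment, ignored by the parser
#%INI FAIL highlight.comment abc
#%INI PASS highlight.comment #aabbcc
#%DF PASS system POS 0 PARAM cmd VALUE "echo 123"
#%DF PASS system RET 2
#%DF PASS shell_exec PARAM cmd VALUE id IP 0.0.0.1
"""
```

Running parse_config(SAMPLE_CONFIG) yields five UnitTest records; a directive with a key outside the documented set raises ValueError, which is the check a config review would want before trusting the test results.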