Snuffleupagus hardens PHP by "killing bugclasses and virtual-patching the rest".
Snuffleupagus could be interesting to deploy on Alkane.
Configuration needs care and every rule must be thought through: we have code that legitimately calls system(), for example, and a generic restrictive ruleset would break it.
Some notes and thoughts:
Several sites, several rules
As we support multiple php-fpm pools, we could run the prod pool with a generic restrictive configuration and move applications that need a less restrictive one to their own dedicated pool with its own configuration.
Virtual patching
One of the killer features: calls to dangerous functions such as system() can be whitelisted for the existing code only, instead of being disabled outright.
As part of our deployment process we would run generate_rules.php against the deployed tree to restrict those calls to the existing call sites (the generated rules are bound to the file path and the file's hash), so that a modified script or a newly dropped one calling them gets blocked. Two consequences to keep in mind: the rules have to be regenerated on every deployment, since any legitimate change to a whitelisted file changes its hash; and applications that write PHP files at runtime (caches, plugin installers) will not fit this model and belong in a less restrictive pool.
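To make the deployment step concrete, here is an added illustration of what the generated configuration looks like and why a script modification invalidates it. This is not Snuffleupagus's own generate_rules.php (which uses PHP's tokenizer and should be what we actually run); it is a small stand-in that emits rules in the documented sp.disable_function shape, one allow() per file that calls a dangerous function, followed by a drop() per function. The function list, the regex-based call detection and the two-file sample tree are constructed for the example.

```python
"""Model of Snuffleupagus virtual-patching rule generation (added example).

Not the project's generate_rules.php: it only reproduces the rule shape
(allow() bound to filename + sha256, then a catch-all drop()) so that the
deployment workflow can be reasoned about offline. The function list and
the sample PHP tree are constructed for this illustration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Functions we want reachable only from known call sites (constructed list).
DANGEROUS_FUNCTIONS = ("system", "exec", "shell_exec", "passthru")


def calls_in(source: str, functions) -> set:
    """Return the dangerous functions called in a PHP source string.

    A word-boundary regex is enough for the illustration: it skips method
    calls (->system) and variable functions ($system); the real script uses
    PHP's tokenizer and is not fooled by strings or comments.
    """
    found = set()
    for name in functions:
        if re.search(rf"(?<![\w$>]){re.escape(name)}\s*\(", source):
            found.add(name)
    return found


def sha256_file(path: Path) -> str:
    """Hash the file contents; any edit to the file changes this value."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def generate_rules(root: Path, functions=DANGEROUS_FUNCTIONS) -> list:
    """Walk `root` and emit one allow() rule per (function, file) call site,
    then one drop() per function. allow() rules are listed before the
    catch-all drop(), as in the configuration the project documentation shows.
    """
    allows = []
    for path in sorted(root.rglob("*.php")):
        used = calls_in(path.read_text(encoding="utf-8", errors="replace"), functions)
        if not used:
            continue
        digest = sha256_file(path)
        for name in sorted(used):
            allows.append(
                f'sp.disable_function.function("{name}")'
                f'.filename("{path.resolve()}").hash("{digest}").allow();'
            )
    drops = [f'sp.disable_function.function("{name}").drop();' for name in functions]
    return allows + drops


def rule_allows(rules: list, name: str, path: Path) -> bool:
    """Simulate the engine's check for a call to `name` from `path`: an allow()
    rule only matches if both the filename and the file's current hash match."""
    needle = (f'.function("{name}").filename("{path.resolve()}")'
              f'.hash("{sha256_file(path)}").allow();')
    return any(rule.endswith(needle) for rule in rules)


def demo() -> dict:
    """Build a constructed two-file tree, generate rules, then show that
    editing the whitelisted file makes its allow() rule stop matching."""
    root = Path(tempfile.mkdtemp(prefix="sp-demo-"))
    (root / "cron").mkdir()
    # Constructed sample code: one legitimate call site and one clean file.
    script = root / "cron" / "rotate.php"
    script.write_text("<?php\nsystem('logrotate /etc/logrotate.d/app');\n")
    (root / "index.php").write_text("<?php\necho 'hello';\n")

    rules = generate_rules(root)
    before = rule_allows(rules, "system", script)

    # Simulate a tampered deployment: the whitelisted script is modified.
    with open(script, "a") as fh:
        fh.write("system($_GET['cmd']);\n")
    after = rule_allows(rules, "system", script)

    return {"rules": rules, "allowed_before": before, "allowed_after": after}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["rules"]))
    print("allowed before edit:", result["allowed_before"])
    print("allowed after edit: ", result["allowed_after"])
```

The point of the hash binding shows up in the last two lines of output: the same rule set accepts the call from the deployed file and rejects it once the file changes, which is exactly why the rule generation has to be part of the deployment itself, run after the code is in place and before the pool is reloaded.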