# INSTALLATION INSTRUCTIONS
## for OpenBSD 6.3-amd64
!!! warning
    This is not fully working yet. Mostly it is a template for our ongoing documentation efforts :spider:

### 0/ WIP! You are warned, this does not work yet!
------------
!!! notice
    Current issues: php-redis is only available in binary for php-56; workaround: use ports.
    This guide attempts to offer native httpd or apache2/nginx set-up.

!!! warning
    As of 20181018 the native httpd server is NOT usable with MISP, so ONLY Apache 2.x is available.
    NO *rewrite* is available just yet. It will be in [the next release](https://marc.info/?l=openbsd-tech&m=152761257806283&w=2).

### 1/ Minimal OpenBSD install
------------
#### Install standard OpenBSD-amd64 with ports
#### System Hardening
- TBD
#### doas & pkg (as root)
```bash
echo https://cdn.openbsd.org/pub/OpenBSD/ > /etc/installurl
echo "permit keepenv setenv { PKG_PATH ENV PS1 SSH_AUTH_SOCK } :wheel" > /etc/doas.conf
```
##### In case you forgot to fetch ports
```bash
cd /tmp
ftp https://ftp.openbsd.org/pub/OpenBSD/$(uname -r)/{ports.tar.gz,SHA256.sig}
signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig ports.tar.gz
doas tar -x -z -f /tmp/ports.tar.gz -C /usr
```
#### Update system
```bash
doas syspatch
```
#### Install bash & ntp
```bash
doas pkg_add -v bash ntp
```
#### rc.local - Add ntpdate on boot
```bash
echo "echo -n ' ntpdate'" |doas tee -a /etc/rc.local
echo "/usr/local/sbin/ntpdate -b pool.ntp.org >/dev/null" |doas tee -a /etc/rc.local
```
#### Launch ntpd on boot
```bash
doas rcctl enable xntpd
doas rcctl set xntpd flags "-p /var/run/ntpd.pid"
doas /usr/local/sbin/ntpd -p /var/run/ntpd.pid
```
#### misp user
```bash
doas useradd -m -s /usr/local/bin/bash -G wheel,www misp
```
#### nvim (optional)
```bash
doas pkg_add -v neovim
doas mv /usr/bin/vi /usr/bin/vi-`date +%d%m%y`
doas ln -s /usr/local/bin/nvim /usr/bin/vi
```
#### /etc/httpd.conf
```bash
doas cp /etc/examples/httpd.conf /etc # adjust by hand, or copy/paste the config example below
```
```
# $OpenBSD: httpd.conf,v 1.18 2018/03/23 11:36:41 florian Exp $
#
# Macros
#
ext4_addr="*"
ext6_addr="::"
server "default" {
    #listen on $ext4_addr port 80 block return 301 "https://$SERVER_NAME$REQUEST_URI"
    listen on $ext4_addr port 80
    listen on $ext4_addr tls port 443
    #listen on $ext6_addr port 80 block return 301 "https://$SERVER_NAME$REQUEST_URI"
    listen on $ext6_addr port 80
    listen on $ext6_addr tls port 443
    root "/htdocs/MISP/app/webroot"
    tls {
        key "/etc/ssl/private/server.key"
        certificate "/etc/ssl/server.crt"
    }
    directory {
        index "index.php"
    }
    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location match "/(.*)" {
        request rewrite "/$HTTP_HOST/%1"
    }
    # Temporary Apache 2.x rewrite rules for future foo!
    #RewriteRule ^$ webroot/ [L]
    #RewriteRule (.*) webroot/$1 [L]
    # Temporary Apache 2.x rewrite rules for future foo!
    #location "/.well-known/acme-challenge/*" {
    #    root "/acme"
    #    root strip 2
    #}
    #location * {
    #    block return 302 "https://$HTTP_HOST$REQUEST_URI"
    #}
}
# Include MIME types instead of the built-in ones
types {
    include "/usr/share/misc/mime.types"
}
#server "example.com" {
#    listen on * tls port 443
#    listen on :: tls port 443
#    tls {
#        certificate "/etc/ssl/example.com.fullchain.pem"
#        key "/etc/ssl/private/example.com.key"
#    }
#    location "/pub/*" {
#        directory auto index
#    }
#    location "/.well-known/acme-challenge/*" {
#        root "/acme"
#        root strip 2
#    }
#}
```
#### If a valid SSL certificate is not already created for the server, create a self-signed certificate:
```
# OpenSSL configuration
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_CN='Common Name'
OPENSSL_EMAILADDRESS='info@localhost'
```
```bash
doas openssl req -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=$OPENSSL_C/ST=$OPENSSL_ST/L=$OPENSSL_L/O=$OPENSSL_O/OU=$OPENSSL_OU/CN=$OPENSSL_CN/emailAddress=$OPENSSL_EMAILADDRESS" -keyout /etc/ssl/private/server.key -out /etc/ssl/server.crt
```
#### mariadb server
```bash
doas pkg_add -v mariadb-server
```
#### start httpd
```bash
##doas /etc/rc.d/httpd -f start
```
#### Enable httpd
```bash
##doas rcctl enable httpd
```
#### Install postfix
!!! notice
    When asked, the standard postfix will be enough for a basic setup, option 9.

```bash
doas pkg_add -v postfix
doas /usr/local/sbin/postfix-enable
```
#### Install misc dependencies
!!! notice
    You need to install python 3.x when asked, option 2.

```bash
doas pkg_add -v curl git python redis
```
#### OpenBSD + Apache/httpd/nginx + MySQL/Mariadb + PHP (optional)
!!! notice
    GnuPG 2.x is best, option 3.

```bash
doas pkg_add -v gnupg
```
#### Optional for Apache2
```bash
doas pkg_add -v apache-httpd
doas pkg_add -v fcgi-cgi fcgi
```
#### php7 ports
!!! notice
    php-5.6 is marked as end-of-life starting December 2018, use php 7.x instead.
    Option 2.

```
doas pkg_add -v php-mysqli php-pcntl php-pdo_mysql
# pecl-redis --> Pull php56
# pear --> Pull php56
```
#### /etc/php-7.0.ini
```
allow_url_fopen = On
```
```bash
cd /etc/php-7.0
doas cp ../php-7.0.sample/* .
```
#### php ln
```bash
doas ln -s /usr/local/bin/php-7.0 /usr/local/bin/php
```
#### Enable php fpm
```bash
doas rcctl enable php70_fpm
```
#### Configure fpm
```
doas vi /etc/php-fpm.conf
# pid = /var/www/run/php-fpm.pid
# error_log = /var/www/logs/php-fpm.log
# listen = /var/www/run/php-fpm.sock
doas /etc/rc.d/php70_fpm start
```
!!! notice
    For native httpd: listen = /var/www/run/php-fpm.sock
    For apache2: listen = 127.0.0.1:9000

#### Enable redis
```bash
doas rcctl enable redis
doas /etc/rc.d/redis start
```
#### Enable mysqld
```bash
doas /usr/local/bin/mysql_install_db
doas rcctl set mysqld status on
doas rcctl set mysqld flags --bind-address=127.0.0.1
doas /etc/rc.d/mysqld start
doas mysql_secure_installation
```
### 2/ MISP code
------------
```bash
# Download MISP using git in the /var/www/htdocs/ directory.
doas mkdir /var/www/htdocs/MISP
doas chown www:www /var/www/htdocs/MISP
cd /var/www/htdocs/MISP
doas -u www git clone https://github.com/MISP/MISP.git /var/www/htdocs/MISP
doas -u www git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
doas -u www git submodule foreach --recursive git config core.filemode false
# Make git ignore filesystem permission differences
doas -u www git config core.filemode false
doas pkg_add py-pip py3-pip libxml libxslt py3-jsonschema
cd /var/www/htdocs/MISP/app/files/scripts
doas -u www git clone https://github.com/CybOXProject/python-cybox.git
doas -u www git clone https://github.com/STIXProject/python-stix.git
cd /var/www/htdocs/MISP/app/files/scripts/python-cybox
doas python3 setup.py install
cd /var/www/htdocs/MISP/app/files/scripts/python-stix
doas python3 setup.py install
# install mixbox to accommodate the new STIX dependencies:
cd /var/www/htdocs/MISP/app/files/scripts/
doas -u www git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/htdocs/MISP/app/files/scripts/mixbox
doas python3 setup.py install
# install PyMISP
cd /var/www/htdocs/MISP/PyMISP
doas python3 setup.py install
# install support for STIX 2.0
doas pip3.6 install stix2
```
### 3/ CakePHP
-----------
```bash
# CakePHP is included as a submodule of MISP and has been fetched earlier.
cd /var/www/htdocs/MISP
# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd /var/www/htdocs/MISP/app
doas -u www php composer.phar require kamisama/cake-resque:4.1.2
doas -u www php composer.phar config vendor-dir Vendor
doas -u www php composer.phar install
# To use the scheduler worker for scheduled tasks, do the following:
doas -u www cp -f /var/www/htdocs/MISP/INSTALL/setup/config.php /var/www/htdocs/MISP/app/Plugin/CakeResque/Config/config.php
```
### 4/ Set the permissions
----------------------
```bash
# Check if the permissions are set correctly using the following commands:
doas chown -R www:www /var/www/htdocs/MISP
doas chmod -R 750 /var/www/htdocs/MISP
doas chmod -R g+ws /var/www/htdocs/MISP/app/tmp
doas chmod -R g+ws /var/www/htdocs/MISP/app/files
doas chmod -R g+ws /var/www/htdocs/MISP/app/files/scripts/tmp
```
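
A way to verify the result of the commands above, as an added example that is not part of the MISP project: it lists anything under the MISP tree that is still accessible to "other", not owned by `www`, or a runtime directory where `g+ws` did not take effect. The function names and the `MISP_ROOT` variable are assumptions of this example.

```bash
#!/bin/sh
# Added example, not MISP project code. Paths and the www owner follow this guide.
MISP_ROOT="${MISP_ROOT:-/var/www/htdocs/MISP}"

# Paths that still grant read, write or execute to "other".
# After `chmod -R 750` this must print nothing.
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Directories in the runtime-writable trees that lack group-write or setgid,
# i.e. where `chmod -R g+ws` did not take effect.
missing_group_ws() {
    for sub in app/tmp app/files app/files/scripts/tmp; do
        if [ -d "$1/$sub" ]; then
            find "$1/$sub" -type d ! -perm -2020 -print
        fi
    done | sort -u
}

# Paths not owned by the expected user (name or numeric uid).
wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Print one labelled line per finding; return 0 only if there are none.
audit_misp_perms() {
    findings=$(
        world_accessible "$1" | sed 's/^/world-accessible: /'
        missing_group_ws "$1" | sed 's/^/missing g+ws: /'
        wrong_owner "$1" "$2" | sed 's/^/wrong owner: /'
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Run as: doas sh <this script> --run
if [ "${1:-}" = "--run" ]; then
    audit_misp_perms "$MISP_ROOT" www
fi
```
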
### 5/ Create a database and user
-----------------------------
```bash
# Enter the mysql shell
doas mysql -u root -p
```
```
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
```
```bash
# Import the empty MISP database from MYSQL.sql
doas -u www sh -c "mysql -u misp -p misp < /var/www/htdocs/MISP/INSTALL/MYSQL.sql"
# enter the password you set previously
```
### 6/ Apache configuration (optional)
-----------------------
```bash
# Now configure your Apache webserver with the DocumentRoot /var/www/htdocs/MISP/app/webroot/
#2.4
doas mkdir /etc/apache2/sites-available/ /etc/apache2/sites-enabled/
# If the apache version is 2.4:
doas cp /var/www/htdocs/MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp-ssl.conf
# Be aware that the configuration files for apache 2.4 and up have changed.
# The configuration file has to have the .conf extension in the sites-available directory
# For more information, visit http://httpd.apache.org/docs/2.4/upgrading.html
doas mkdir /etc/ssl/private/
# If a valid SSL certificate is not already created for the server, create a self-signed certificate: (Make sure to fill the <…>)
doas openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
-subj "/C=$OPENSSL_C/ST=$OPENSSL_ST/L=$OPENSSL_L/O=$OPENSSL_O/OU=$OPENSSL_OU/CN=$OPENSSL_CN/emailAddress=$OPENSSL_EMAILADDRESS" \
-keyout /etc/ssl/private/server.key -out /etc/ssl/server.crt
# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)
doas mkdir /var/log/apache2/
```
```
============================================= Begin sample working SSL config for MISP
<VirtualHost <IP, FQDN, or *>:80>
    ServerName <your.FQDN.here>
    Redirect permanent / https://<your.FQDN.here>
    LogLevel warn
    ErrorLog /var/log/apache2/misp.local_error.log
    CustomLog /var/log/apache2/misp.local_access.log combined
    ServerSignature Off
</VirtualHost>
<VirtualHost <IP, FQDN, or *>:443>
    ServerAdmin admin@<your.FQDN.here>
    ServerName <your.FQDN.here>
    DocumentRoot /var/www/htdocs/MISP/app/webroot
    <Directory /var/www/htdocs/MISP/app/webroot>
        Options -Indexes
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>
    SSLEngine On
    SSLCertificateFile /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    # SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
    LogLevel warn
    ErrorLog /var/log/apache2/misp.local_error.log
    CustomLog /var/log/apache2/misp.local_access.log combined
    ServerSignature Off
</VirtualHost>
============================================= End sample working SSL config for MISP
```
```bash
# activate new vhost
cd /etc/apache2/sites-enabled/
doas ln -s ../sites-available/misp-ssl.conf
echo "Include /etc/apache2/sites-enabled/*.conf" | doas tee -a /etc/apache2/httpd2.conf
doas vi /etc/apache2/httpd2.conf
```
```
/!\ Enable mod_rewrite in httpd2.conf /!\
LoadModule rewrite_module /usr/local/lib/apache2/mod_rewrite.so
LoadModule ssl_module /usr/local/lib/apache2/mod_ssl.so
LoadModule proxy_module /usr/local/lib/apache2/mod_proxy.so
LoadModule proxy_fcgi_module /usr/local/lib/apache2/mod_proxy_fcgi.so
Listen 443
```
```bash
doas ln -sf /var/www/conf/modules.sample/php-7.0.conf /var/www/conf/modules/php.conf
# Restart apache
doas /etc/rc.d/apache2 restart
```
### 7/ Log rotation (needs to be adapted to OpenBSD, newsyslog does this for you)
---------------
!!! notice
    MISP saves the stdout and stderr of its workers in /var/www/htdocs/MISP/app/tmp/logs

### 8/ MISP configuration
---------------------
```
# There are 4 sample configuration files in /var/www/htdocs/MISP/app/Config that need to be copied
doas -u www cp /var/www/htdocs/MISP/app/Config/bootstrap.default.php /var/www/htdocs/MISP/app/Config/bootstrap.php
doas -u www cp /var/www/htdocs/MISP/app/Config/database.default.php /var/www/htdocs/MISP/app/Config/database.php
doas -u www cp /var/www/htdocs/MISP/app/Config/core.default.php /var/www/htdocs/MISP/app/Config/core.php
doas -u www cp /var/www/htdocs/MISP/app/Config/config.default.php /var/www/htdocs/MISP/app/Config/config.php
# Configure the fields in the newly created files:
doas -u www vi /var/www/htdocs/MISP/app/Config/database.php
```
```
# DATABASE_CONFIG has to be filled
# With the default values provided in section 5, this would look like:
# class DATABASE_CONFIG {
# public $default = array(
# 'datasource' => 'Database/Mysql',
# 'persistent' => false,
# 'host' => 'localhost',
# 'login' => 'misp', // grant usage on *.* to misp@localhost
# 'port' => 3306,
# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
# 'database' => 'misp', // create database misp;
# 'prefix' => '',
# 'encoding' => 'utf8',
# );
#}
```
!!! danger
    Important! Change the salt key in /var/www/htdocs/MISP/app/Config/config.php
    The salt key must be a string at least 32 bytes long.
    The admin user account will be generated on the first login, make sure that the salt is changed before you create that user.
    If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
    delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)
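
One way to check the salt and, on a fresh installation, set it before the first login, as an added example that is not MISP project code. It assumes `config.php` holds the salt on a single line of the form `'salt' => '...',`; the function names and the `MISP_CONFIG` variable are hypothetical.

```bash
#!/bin/sh
# Added example, not MISP project code.
# Assumption: config.php holds the salt on one line as  'salt' => '...',
MISP_CONFIG="${MISP_CONFIG:-/var/www/htdocs/MISP/app/Config/config.php}"
# BRE: group 1 = everything up to the opening quote, group 2 = the salt value
SALT_RE="^\([[:space:]]*'salt'[[:space:]]*=>[[:space:]]*\)'\([^']*\)'"

# 32 bytes from the kernel random device, hex-encoded (64 characters).
new_salt() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the configured salt (empty output if the key is missing or empty).
read_salt() {
    sed -n "s/$SALT_RE.*/\2/p" "$1" | head -n 1
}

# Succeed only if the salt meets the 32-byte minimum from the guide.
salt_ok() {
    salt=$(read_salt "$1")
    [ "${#salt}" -ge 32 ]
}

# Leave an adequate salt untouched (existing accounts depend on it);
# otherwise write a fresh one. Returns 0 when the file ends up with a good salt.
ensure_salt() {
    if salt_ok "$1"; then return 0; fi
    if ! grep -q "$SALT_RE" "$1"; then
        echo "no 'salt' line found in $1" >&2
        return 2
    fi
    fresh=$(new_salt)
    tmp=$(mktemp "$1.XXXXXX") || return 2
    # cat into the original so its owner and mode (www:www, 750) are kept
    sed "s/$SALT_RE/\1'$fresh'/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
    salt_ok "$1"
}

# Run as: doas -u www sh <this script> --fix
if [ "${1:-}" = "--fix" ]; then
    ensure_salt "$MISP_CONFIG" && echo "salt OK (${#salt} characters)"
fi
```
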
```
# Change base url in config.php
doas -u www vi /var/www/htdocs/MISP/app/Config/config.php
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# 'baseurl' => '',
# and make sure the file permissions are still OK
doas chown -R www:www /var/www/htdocs/MISP/app/Config
doas chmod -R 750 /var/www/htdocs/MISP/app/Config
# Generate a GPG encryption key.
doas -u www mkdir /var/www/htdocs/MISP/.gnupg
doas chmod 700 /var/www/htdocs/MISP/.gnupg
##### doas -u www gpg --homedir /var/www/htdocs/MISP/.gnupg --gen-key <- Broken
# The email address should match the one set in config.php (or in the configuration menu of the administration interface)
# And export the public key to the webroot
doas -u www sh -c "gpg --homedir /var/www/htdocs/MISP/.gnupg --export --armor YOUR-KEYS-EMAIL-HERE > /var/www/htdocs/MISP/app/webroot/gpg.asc"
# To make the background workers start on boot
doas chmod +x /var/www/htdocs/MISP/app/Console/worker/start.sh
doas vi /etc/rc.local
# Add the following line before the last line (exit 0). Make sure that you replace www with your apache user:
doas -u www bash /var/www/htdocs/MISP/app/Console/worker/start.sh
# Now log in using the webinterface:
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
# start the workers by navigating to the workers tab and clicking restart all workers
# Don't forget to change the email, password and authentication key after installation.
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
doas chmod -R 750 /var/www/htdocs/MISP/<directory path with an indicated issue>
doas chown -R www:www /var/www/htdocs/MISP/<directory path with an indicated issue>
```
!!! notice
    Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items

!!! notice
    If anything goes wrong, make sure that you check MISP's logs for errors:
    /var/www/htdocs/MISP/app/tmp/logs/error.log
    /var/www/htdocs/MISP/app/tmp/logs/resque-worker-error.log
    /var/www/htdocs/MISP/app/tmp/logs/resque-scheduler-error.log
    /var/www/htdocs/MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date

### Recommended actions
-------------------
- By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.
- You should really harden your OS
- You should really harden the configuration of Apache/httpd
- You should really harden the configuration of MySQL/MariaDB
- Keep your software up to date (OS, MISP, CakePHP and everything else)
- Log and audit
### Optional features
-------------------
!!! notice
    MISP has a pub/sub feature, using ZeroMQ.

#### ZeroMQ depends on the Python client for Redis
```bash
doas pkg_add -v py3-zmq
```