2018-10-22 03:38:31 +02:00
# INSTALLATION INSTRUCTIONS for RHEL 7.x
2018-10-18 05:27:29 +02:00
-------------------------
2018-10-22 03:38:31 +02:00
## 0/ Overview and Assumptions
2018-10-25 09:38:15 +02:00
2019-01-30 14:17:48 +01:00
{!generic/rhelVScentos.md!}
2018-10-25 09:38:15 +02:00
!!! warning
The core MISP team cannot verify if this guide is working or not. Please help us in keeping it up to date and accurate.
Thus we also have difficulties in supporting RHEL issues but will do a best effort on a similar yet slightly different setup.
2018-10-18 05:27:29 +02:00
This document details the steps to install MISP on Red Hat Enterprise Linux 7.x (RHEL 7.x). At time of this writing it
2018-10-24 09:18:14 +02:00
was tested on version 7.5.
2018-10-18 05:27:29 +02:00
The following assumptions with regard to this installation have been made.
2018-10-22 03:38:31 +02:00
### 0.1/ A valid support agreement allowing the system to register to the Red Hat Customer Portal and receive updates
### 0.2/ The ability to enable additional RPM repositories, specifically the EPEL and Software Collections (SCL) repos
### 0.3/ This system will have direct or proxy access to the Internet for updates. Or connected to a Red Hat Satellite Server
### 0.4/ This document is to get a MISP instance up and running over HTTP. I haven't done a full test of all features
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
# 1/ OS Install and additional repositories
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 1.1/ Complete a minimal RHEL installation, configure IP address to connect automatically.
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 1.2/ Configure system hostname
```bash
2018-10-25 09:38:15 +02:00
sudo hostnamectl set-hostname misp # You're choice, in a production environment, it's best to use a FQDN
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 1.3/ Register the system for updates with Red Hat Subscription Manager
```bash
2018-10-25 09:38:15 +02:00
sudo subscription-manager register --auto-attach # register your system to an account and attach to a current subscription
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 1.4/ Enable the optional, extras and Software Collections (SCL) repos
```bash
2018-10-25 09:38:15 +02:00
sudo subscription-manager refresh
sudo subscription-manager repos --enable rhel-7-server-optional-rpms
sudo subscription-manager repos --enable rhel-7-server-extras-rpms
# This fails on a Trial subscription, it seems.
##sudo subscription-manager repos --enable rhel-server-rhscl-7-rpms
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
### 1.5a/ OPTIONAL: Install the deltarpm package to help reduce download size when installing updates
```bash
2018-10-25 09:38:15 +02:00
sudo yum install deltarpm -y
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 1.5/ Update the system and reboot
```bash
2018-10-25 09:38:15 +02:00
yum update -y
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
!!! note
As time of writing performing a yum update results in the rhel-7-server-rt-beta-rpms being forbidden.< br / >
The repo can be disabled using the following command
```bash
subscription-manager repos --disable rhel-7-server-rt-beta-rpms
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 1.6/ Install the EPEL repo
```bash
2018-10-25 09:38:15 +02:00
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 1.7/ Install the SCL repo
```bash
2018-10-18 05:27:29 +02:00
yum install centos-release-scl
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
# 2/ Install Dependencies
2018-10-18 05:27:29 +02:00
Once the system is installed and updated, the following steps can be performed as root
2018-10-22 03:38:31 +02:00
## 2.01/ Install some base system dependencies
```bash
2018-10-18 05:27:29 +02:00
yum install gcc git httpd zip python-devel libxslt-devel zlib-devel python-pip ssdeep-devel
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 2.02/ Install MariaDB 10.2 from SCL
```bash
2018-10-18 05:27:29 +02:00
yum install rh-mariadb102
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 2.03/ Start the MariaDB service and enable it to start on boot
```bash
2019-02-07 10:02:39 +01:00
systemctl enable --now rh-mariadb102-mariadb.service
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
!!! note
MISP 2.4 requires PHP 5.6 as a minimum, we need a higher version than base RHEL provides.< br / >
This guide installs PHP 7.1 from SCL
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
!!! warning
[PHP 5.6 will be EOL in December 2018 ](https://secure.php.net/supported-versions.php ). Please update accordingly. In future only PHP7 will be supported.
## 2.04/ Install PHP 7.1 from SCL
```bash
2018-10-18 05:27:29 +02:00
yum install rh-php71 rh-php71-php-fpm rh-php71-php-devel rh-php71-php-mysqlnd rh-php71-php-mbstring rh-php71-php-xml rh-php71-php-bcmath rh-php71-php-opcache
2018-10-22 03:38:31 +02:00
```
!!! note
If we want to use httpd from RHEL base we can use the rh-php71-php-fpm service instead
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 2.05/ Start the PHP FPM service and enable to start on boot
```bash
2019-02-07 10:02:39 +01:00
systemctl enable --now rh-php71-php-fpm.service
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 2.06/ Install redis 3.2 from SCL
```bash
2018-10-18 05:27:29 +02:00
yum install rh-redis32
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 2.07/ Start redis service and enable to start on boot
```bash
2019-02-07 10:02:39 +01:00
systemctl enable --now rh-redis32-redis.service
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 2.08/ Secure the MariaDB installation, run the following command and follow the prompts
```bash
2019-02-07 10:02:39 +01:00
scl enable rh-mariadb102 'mysql_secure_installation'
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 2.10/ Update the PHP extension repository and install required package
```bash
2019-02-07 10:02:39 +01:00
scl enable rh-php71 rh-redis32 bash
2018-10-18 05:27:29 +02:00
pear channel-update pear.php.net
pear install Crypt_GPG
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 2.11/ Install haveged and enable to start on boot to provide entropy for GPG
```bash
2018-10-18 05:27:29 +02:00
yum install haveged
2019-02-07 10:02:39 +01:00
systemctl enable --now haveged
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 2.12/ Install Python 3.6 from SCL
```bash
2018-10-18 05:27:29 +02:00
yum install rh-python36
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
# 3/ MISP Download
## 3.01/ Download MISP code using git in /var/www/ directory
```bash
2018-10-18 05:27:29 +02:00
cd /var/www
git clone https://github.com/MISP/MISP.git
2018-10-24 09:18:14 +02:00
cd MISP
2018-10-18 05:27:29 +02:00
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1` )
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 3.02/ Make git ignore filesystem permission differences
```bash
2018-10-18 05:27:29 +02:00
git config core.filemode false
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 3.03/ Install Mitre's STIX and its dependencies by running the following commands
```bash
2018-10-18 05:27:29 +02:00
pip install importlib
yum install python-six
cd /var/www/MISP/app/files/scripts
git clone https://github.com/CybOXProject/python-cybox.git
git clone https://github.com/STIXProject/python-stix.git
cd /var/www/MISP/app/files/scripts/python-cybox
git config core.filemode false
# If your umask has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
scl enable rh-python36 'python3 setup.py install'
cd /var/www/MISP/app/files/scripts/python-stix
git config core.filemode false
scl enable rh-python36 'python3 setup.py install'
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-25 11:37:02 +02:00
## 3.04/ Install mixbox to accommodate the new STIX dependencies
2018-10-22 03:38:31 +02:00
```bash
2018-10-18 05:27:29 +02:00
cd /var/www/MISP/app/files/scripts/
git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
git config core.filemode false
scl enable rh-python36 'python3 setup.py install'
umask $UMASK
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 3.05/ Enable python3 for php-fpm
```bash
2018-10-18 05:27:29 +02:00
echo 'source scl_source enable rh-python36' >> /etc/opt/rh/rh-php71/sysconfig/php-fpm
sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php71/php-fpm.d/www.conf
systemctl restart rh-php71-php-fpm.service
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
# 4/ CakePHP
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 4.01/ CakePHP is now included as a submodule of MISP
!!! note
Execute the following commands to let git fetch it ignore this
```
message: No submodule mapping found in .gitmodules for path 'app/Plugin/CakeResque'
```
```bash
2018-10-18 05:27:29 +02:00
cd /var/www/MISP
git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
git submodule foreach --recursive git config core.filemode false
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 4.02/ Install CakeResque along with its dependencies if you intend to use the built in background jobs
```bash
2018-10-18 05:27:29 +02:00
cd /var/www/MISP/app
php composer.phar require kamisama/cake-resque:4.1.2
php composer.phar config vendor-dir Vendor
php composer.phar install
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 4.03/ Install and configure php redis connector through pecl
```bash
2019-02-07 10:02:39 +01:00
scl enable rh-php71 'pecl install redis'
2018-10-18 05:27:29 +02:00
echo "extension=redis.so" > /etc/opt/rh/rh-php71/php-fpm.d/redis.ini
ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php71/php.d/99-redis.ini
systemctl restart rh-php71-php-fpm.service
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 4.04/ Set a timezone in php.ini
```bash
2018-10-18 05:27:29 +02:00
echo 'date.timezone = "Australia/Sydney"' > /etc/opt/rh/rh-php71/php-fpm.d/timezone.ini
ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php71/php.d/99-timezone.ini
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 4.05/ To use the scheduler worker for scheduled tasks, do the following:
```bash
2018-10-18 05:27:29 +02:00
cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2019-01-22 12:11:41 +01:00
## 4.06/ Install Crypt_GPG and Console_CommandLine
```bash
sudo -H -u www-data pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml
sudo -H -u www-data pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml
```
2018-10-22 03:38:31 +02:00
# 5/ Set file permissions
## 5.01/ Make sure the permissions are set correctly using the following commands as root:
```bash
2018-10-18 05:27:29 +02:00
chown -R root:apache /var/www/MISP
find /var/www/MISP -type d -exec chmod g=rx {} \;
chmod -R g+r,o= /var/www/MISP
chown apache:apache /var/www/MISP/app/files
chown apache:apache /var/www/MISP/app/files/terms
chown apache:apache /var/www/MISP/app/files/scripts/tmp
chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp
chown -R apache:apache /var/www/MISP/app/tmp
chown -R apache:apache /var/www/MISP/app/webroot/img/orgs
chown -R apache:apache /var/www/MISP/app/webroot/img/custom
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
# 6/ Create database and user
## 6.01/ Set database to listen on localhost only
```bash
2018-10-18 05:27:29 +02:00
echo [mysqld] > /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 >> /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
systemctl restart rh-mariadb102-mariadb
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 6.02/ Start MariaDB shell and create database
```bash
2019-02-07 10:02:39 +01:00
scl enable rh-mariadb102 'mysql -u root -p'
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
MariaDB [(none)]> exit
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 6.03/ Import the empty MySQL database from MYSQL.sql
```bash
2018-10-18 05:27:29 +02:00
cd /var/www/MISP
mysql -u misp -p misp < INSTALL / MYSQL . sql
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
# 7/ Apache Configuration
## 7.01/ Copy a sample vhost config to Apache configuration directory
```bash
2018-10-18 05:27:29 +02:00
cp /var/www/MISP/INSTALL/apache.misp.centos7 /etc/httpd/conf.d/misp.conf
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 7.02/ Since SELinux is enabled, we need to allow httpd to write to certain directories
```bash
2018-10-18 05:27:29 +02:00
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 7.02/ Allow httpd to connect to the redis server and php-fpm over tcp/ip
```bash
2018-10-18 05:27:29 +02:00
setsebool -P httpd_can_network_connect on
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 7.03/ Enable and start the httpd service
```bash
2019-02-07 10:02:39 +01:00
systemctl enable --now httpd.service
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 7.04/ Open a hole in the firewalld service
```bash
2018-10-18 05:27:29 +02:00
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
!!! warning
We seriously recommend using only HTTPS / SSL !
Add SSL support by running: yum install mod_ssl
Check out the apache.misp.ssl file for an example
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
# 8/ Log Rotation
2019-02-07 09:31:47 +01:00
## 8.01/ Enable log rotation
2018-10-22 03:38:31 +02:00
MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs
To rotate these logs install the supplied logrotate script:
```
2018-10-18 05:27:29 +02:00
cp INSTALL/misp.logrotate /etc/logrotate.d/misp
chmod 0640 /etc/logrotate.d/misp
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2019-02-07 09:31:47 +01:00
## 8.02/ Allow logrotate to work under SELinux and modify the log files
2018-10-22 03:38:31 +02:00
```bash
2018-10-18 05:27:29 +02:00
semanage fcontext -a -t httpd_log_t "/var/www/MISP/app/tmp/logs(/.*)?"
chcon -R -t httpd_log_t /var/www/MISP/app/tmp/logs
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2019-02-07 09:31:47 +01:00
## 8.03/ Allow logrotate to read /var/www
2018-10-22 03:38:31 +02:00
```bash
2018-10-18 05:27:29 +02:00
checkmodule -M -m -o /tmp/misplogrotate.mod INSTALL/misplogrotate.te
semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod
semodule -i /tmp/misplogrotate.pp
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
# 9/ MISP Configuration
## 9.01/ There are 4 sample configuration files in /var/www/MISP/app/Config that need to be copied
```bash
2018-10-18 05:27:29 +02:00
cd /var/www/MISP/app/Config
cp -a bootstrap.default.php bootstrap.php
cp -a database.default.php database.php
cp -a core.default.php core.php
cp -a config.default.php config.php
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 9.02/ Configure the fields in the newly created files
```bash
2018-10-18 05:27:29 +02:00
# Configure the fields in the newly created files:
# config.php : baseurl (example: 'baseurl' => 'http://misp',) - don't use "localhost" it causes issues when browsing externally
# core.php : Uncomment and set the timezone: `// date_default_timezone_set('UTC');`
# database.php : login, port, password, database
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
# public $default = array(
# 'datasource' => 'Database/Mysql',
# 'persistent' => false,
# 'host' => 'localhost',
# 'login' => 'misp', // grant usage on *.* to misp@localhost
# 'port' => 3306,
# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
# 'database' => 'misp', // create database misp;
# 'prefix' => '',
# 'encoding' => 'utf8',
# );
#}
# Important! Change the salt key in /var/www/MISP/app/Config/config.php
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 9.03/ If you want to be able to change configuration parameters from the webinterface:
```
2018-10-18 05:27:29 +02:00
chown apache:apache /var/www/MISP/app/Config/config.php
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Config/config.php
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 9.04/ Generate an encryption key
```bash
2018-10-18 05:27:29 +02:00
gpg --gen-key
mv ~/.gnupg /var/www/MISP/
chown -R apache:apache /var/www/MISP/.gnupg
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/.gnupg
2018-10-22 03:38:31 +02:00
```
!!! note
There is a bug that if a passphrase is added MISP will produce an error on the diagnostic page.< br / >
/!\ THIS WANTS TO BE VERIFIED AND LINKED WITH A CORRESPONDING ISSUE.
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
!!! note
The email address should match the one set in the config.php configuration file
Make sure that you use the same settings in the MISP Server Settings tool
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 9.05/ export the public key to the webroot
```bash
2018-10-18 05:27:29 +02:00
sudo -u apache gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-EMAIL > /var/www/MISP/app/webroot/gpg.asc
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 9.06/ Start the workers to enable background jobs
```bash
2018-10-18 05:27:29 +02:00
chmod +x /var/www/MISP/app/Console/worker/start.sh
su -s /bin/bash apache -c 'scl enable rh-php71 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh'
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 9.07a/ To make the background workers start on boot
```bash
2018-10-18 05:27:29 +02:00
vi /etc/rc.local
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 9.07b/ Add the following line at the end
```bash
su -s /bin/bash apache -c 'scl enable rh-php71 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh'
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 9.07c/ and make sure it will execute
```bash
chmod +x /etc/rc.local
```
2018-10-25 03:07:02 +02:00
{!generic/INSTALL.done.md!}
2018-10-22 03:38:31 +02:00
2018-10-25 03:07:02 +02:00
{!generic/recommended.actions.md!}
2018-10-22 03:38:31 +02:00
# 10/ Post Install
## 10.01/ Allow apache to write to /var/www/MISP/app/tmp/logs
If the result from the diagnostic page is that the directory is not writable, try the following.
```
2018-10-18 05:27:29 +02:00
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp/logs/
2018-10-22 03:38:31 +02:00
```
!!! note
This may mean that logrotate cannot access the logs directory, will require further investigation
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 10.02/ Change php.ini settings to suggested limits from diagnostic page.
```bash
2018-10-18 05:27:29 +02:00
# Edit /etc/opt/rh/rh-php71/php.ini and set the following settings
max_execution_time = 300
memory_limit = 512M
upload_max_filesize = 50M
post_max_size = 50M
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 10.03/ Restart rh-php71 for settings to take effect
```bash
2018-10-18 05:27:29 +02:00
systemctl restart rh-php71-php-fpm
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 10.04/ Install pymisp and pydeep for Advanced Attachment handler
```bash
2018-10-18 05:27:29 +02:00
pip install pymisp
pip install git+https://github.com/kbandla/pydeep.git
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 10.05/ Install pymisp also in Python 3
```bash
2018-10-18 05:27:29 +02:00
scl enable rh-python36 pip3 install pymisp
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
# 11/ LIEF Installation
*lief* is required for the Advanced Attachment Handler and requires manual compilation
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 11.01/ Install cmake3 devtoolset-7 from SCL
```bash
2018-10-18 05:27:29 +02:00
yum install devtoolset-7 cmake3
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 11.02/ Enable devtoolset-7
```bash
2018-10-18 05:27:29 +02:00
scl enable devtoolset-7 bash
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 11.03/ Set env variable, create directories and download source code
```bash
2018-10-18 05:27:29 +02:00
mkdir -p /tmp/LIEF
mkdir -p /tmp/LIEF_INSTALL
export LIEF_TMP=/tmp/LIEF
export LIEF_INSTALL=/tmp/LIEF_INSTALL
export LIEF_BRANCH=master
cd $LIEF_TMP
git clone --branch $LIEF_BRANCH --single-branch https://github.com/lief-project/LIEF.git LIEF
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 11.04/ Compile lief and install
```bash
2018-10-18 05:27:29 +02:00
cd $LIEF_TMP/LIEF
mkdir -p build
cd build
scl enable devtoolset-7 'bash -c "cmake3 \
-DLIEF_PYTHON_API=on \
-DLIEF_DOC=off \
-DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \
-DCMAKE_BUILD_TYPE=Release \
-DPYTHON_VERSION=2.7 \
.."'
make -j3
cd api/python
scl enable rh-python36 python3 setup.py install || :
# you can ignore the error about finding suitable distribution
cd $LIEF_TMP/LIEF/build
make install
make package
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 11.05/ Test lief installation, if no error, package installed
```bash
2018-10-18 05:27:29 +02:00
python
>> import lief
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
# 12/ Known Issues
## 12.01/ PHP CLI cannot determine version
PHP CLI Version cannot be determined. Possibly due to PHP being installed through SCL
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
## 12.02/ Workers cannot be started or restarted from the web page
Possible also due to package being installed via SCL, attempting to start workers through the web page will result in
error. Worker's can be restarted via the CLI using the following command.
```bash
2018-10-18 05:27:29 +02:00
su -s /bin/bash apache -c 'scl enable rh-php71 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh'
2018-10-22 03:38:31 +02:00
```
2018-10-18 05:27:29 +02:00
2018-10-22 03:38:31 +02:00
!!! note
No other functions were tested after the conclusion of this install. There may be issue that aren't addressed< br / >
via this guide and will need additional investigation.
2018-11-21 08:46:37 +01:00
{!generic/hardening.md!}