2017-12-19 02:56:55 +01:00
|
|
|
INSTALLATION INSTRUCTIONS for RHEL 7.4
|
|
|
|
-------------------------
|
|
|
|
Contributor: Jez Kerwin - web*at*jezlabs(.)com
|
2017-12-19 02:02:53 +01:00
|
|
|
|
2017-12-19 02:24:57 +01:00
|
|
|
|
2017-12-19 02:08:09 +01:00
|
|
|
Table of Contents
|
2017-12-19 02:56:55 +01:00
|
|
|
-----------------
|
|
|
|
0/ Overview and Assumptions
|
|
|
|
1/ Base OS and additional repositories
|
|
|
|
2/ Dependencies Installation
|
|
|
|
3/ MISP Install
|
|
|
|
4/ Post MISP Install
|
|
|
|
|
2017-12-19 02:24:57 +01:00
|
|
|
+----------------------------------------+
|
|
|
|
| 0/ Overview and Assumptions |
|
|
|
|
+----------------------------------------+
|
|
|
|
This document details the steps to install MISP on Red Hat Enterprise Linux 7.x (RHEL 7.x). At time of this writing it
|
|
|
|
was tested on version 7.4.
|
|
|
|
|
|
|
|
The following assumptions with regard to this installation have been made.
|
|
|
|
|
2017-12-19 02:56:55 +01:00
|
|
|
0.1/ A valid support agreement allowing the system to register to the Red Hat Customer Portal and receive updates
|
|
|
|
0.2/ The ability to enable additional RPM repositories, specifically the EPEL and Software Collections (SCL) repos
|
2017-12-19 09:26:33 +01:00
|
|
|
0.3/ This system will have direct or proxy access to the Internet for updates. Or connected to a Red Hat Satellite Server
|
|
|
|
0.4/ This document is to get a MISP instance up and running over HTTP. I haven't done a full test of all features
|
2017-12-19 02:24:57 +01:00
|
|
|
|
2017-12-19 02:56:55 +01:00
|
|
|
+----------------------------------------------+
|
|
|
|
| 1/ OS Install and additional repositories |
|
|
|
|
+----------------------------------------------+
|
2017-12-19 02:24:57 +01:00
|
|
|
|
2017-12-19 09:26:33 +01:00
|
|
|
1.1/ Complete a minimal RHEL installation, configure IP address to connect automatically.
|
2017-12-19 10:42:09 +01:00
|
|
|
|
2017-12-19 09:26:33 +01:00
|
|
|
1.2/ Configure system hostname
|
|
|
|
hostnamectl set-hostname misp # You're choice, in a production environment, it's best to use a FQDN
|
|
|
|
|
|
|
|
1.3/ Register the system for updates with Red Hat Subscription Manager
|
|
|
|
subscription-manager register # register your system to an account
|
|
|
|
subscription-manager attach # attach your system to a current subscription
|
|
|
|
|
|
|
|
1.4/ Enable the optional, extras and Software Collections (SCL) repos
|
|
|
|
subscription-mmanager repos --enable rhel-7-server-optional-rpms
|
|
|
|
subscription-mmanager repos --enable rhel-7-server-extras-rpms
|
|
|
|
subscription-mmanager repos --enable rhel-server-rhscl-7-rpms
|
|
|
|
|
2017-12-19 10:42:09 +01:00
|
|
|
1.5a/ OPTIONAL: Install the deltarpm package to help reduce download size when installing updates
|
|
|
|
yum install deltarpm
|
|
|
|
|
2017-12-19 09:26:33 +01:00
|
|
|
1.5/ Update the system and reboot
|
|
|
|
yum udpate
|
|
|
|
|
|
|
|
## NOTE: As time of writing performing a yum update results in the rhel-7-server-rt-beta-rpms being forbidden
|
|
|
|
## The repo can be disabled using the following command
|
|
|
|
subscription-manager repos --disable rhel-7-server-rt-beta-rpms
|
|
|
|
|
2017-12-19 10:42:09 +01:00
|
|
|
1.6/ Install the EPEL repo
|
|
|
|
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
|
|
|
|
|
|
|
|
+-----------------------------+
|
|
|
|
| 2/ Install Dependencies |
|
|
|
|
+-----------------------------+
|
|
|
|
Once the system is installed and updated, the following steps can be performed as root
|
|
|
|
|
|
|
|
2.01/ Install some base system dependencies
|
|
|
|
yum install gcc git httpd zip python-devel libxslt-devel zlib-devel python-pip
|
|
|
|
|
|
|
|
2.02/ Install MariaDB 10.2 from SCL
|
|
|
|
yum install rh-mariadb102
|
|
|
|
|
|
|
|
2.03/ Start the MariaDB service and enable it to start on boot
|
|
|
|
systemctl start rh-mariadb102-mariadb.service
|
|
|
|
systemctl enable rh-mariadb102-mariadb.service
|
|
|
|
|
|
|
|
## MISP 2.4 requires PHP 5.5 as a minimum, we need a higher version than base RHEL provides.
|
|
|
|
## This guide installs PHP 7.1 from SCL
|
|
|
|
|
|
|
|
2.04/ Install PHP 7.1 from SCL
|
|
|
|
yum install rh-php71 rh-php71-php-fpm rh-php71-php-devel rh-php71-php-mysqlnd rh-php71-php-mbstring rh-php71-php-xml rh-php71-php-bcmath rh-php71-php-opcache
|
|
|
|
|
|
|
|
## If we want to use httpd from RHEL base we can use the rh-php71-php-fpm service instead
|
|
|
|
2.05/ Start the PHP FPM service and enable to start on boot
|
|
|
|
systemctl start rh-php71-php-fpm.service
|
|
|
|
systemctl enable rh-php71-php-fpm.service
|
|
|
|
|
|
|
|
2.06/ Install redis 3.2 from SCL
|
|
|
|
yum install rh-redis32
|
|
|
|
|
|
|
|
2.07/ Start redis service and enable to start on boot
|
|
|
|
systemctl start rh-redis32-redis.service
|
|
|
|
systemctl enable rh-redis32-redis.service
|
|
|
|
|
|
|
|
2.08/ Start a SCL shell with rh-mariadb102 rh-php71 and rh-redis32 enabled
|
|
|
|
scl enable rh-mariadb102 rh-php71 rh-redis32 bash
|
|
|
|
|
|
|
|
2.08/ Secure the MariaDB installation, run the following command and follow the prompts
|
|
|
|
mysqld_secure_installation
|
|
|
|
|
|
|
|
2.10/ Update the PHP extension repository and install required package
|
|
|
|
pear channel-update pear.php.net
|
|
|
|
pear install Crypt_GPG
|
|
|
|
|
|
|
|
2.11/ Install haveged and enable to start on boot to provide entropy for GPG
|
|
|
|
yum install haveged
|
|
|
|
systemctl start haveged
|
|
|
|
systemctl enable haveged
|
|
|
|
|
2017-12-19 12:13:24 +01:00
|
|
|
+---------------------+
|
|
|
|
| 3/ MISP Download |
|
|
|
|
+---------------------+
|
2017-12-19 10:42:09 +01:00
|
|
|
|
|
|
|
3.01/ Download MISP code using git in /var/www/ directory
|
|
|
|
cd /var/www
|
|
|
|
git clone https://github.com/MISP/MISP.git
|
2017-12-19 12:13:24 +01:00
|
|
|
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
|
|
|
|
# if the last shortcut doesn't work, specify the latest version manually
|
|
|
|
# example: git checkout tags/v2.4.XY
|
|
|
|
# the message regarding a "detached HEAD state" is expected behaviour
|
|
|
|
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
|
|
|
|
|
|
|
|
3.02/ Make git ignore filesystem permission differences
|
|
|
|
git config core.filemode false
|
|
|
|
|
|
|
|
3.03/ Install Mitre's STIX and its dependencies by running the following commands:
|
|
|
|
pip install importlib
|
|
|
|
yum install python-six
|
|
|
|
cd /var/www/MISP/app/files/scripts
|
|
|
|
git clone https://github.com/CybOXProject/python-cybox.git
|
|
|
|
git clone https://github.com/STIXProject/python-stix.git
|
|
|
|
cd /var/www/MISP/app/files/scripts/python-cybox
|
|
|
|
git checkout v2.1.0.12
|
|
|
|
git config core.filemode false
|
|
|
|
# If your umask has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
|
|
|
UMASK=$(umask)
|
|
|
|
umask 0022
|
|
|
|
python setup.py install
|
|
|
|
cd /var/www/MISP/app/files/scripts/python-stix
|
|
|
|
git checkout v1.1.1.4
|
|
|
|
git config core.filemode false
|
|
|
|
python setup.py install
|
|
|
|
|
|
|
|
3.04/ Install mixbox to accomodate the new STIX dependencies:
|
|
|
|
cd /var/www/MISP/app/files/scripts/
|
|
|
|
git clone https://github.com/CybOXProject/mixbox.git
|
|
|
|
cd /var/www/MISP/app/files/scripts/mixbox
|
|
|
|
git checkout v1.0.2
|
|
|
|
git config core.filemode false
|
|
|
|
python setup.py install
|
|
|
|
umask $UMASK
|
|
|
|
|
|
|
|
+---------------------+
|
|
|
|
| 4/ CakePHP |
|
|
|
|
+---------------------+
|
|
|
|
|
|
|
|
4.01/ CakePHP is now included as a submodule of MISP, execute the following commands to let git fetch it ignore this
|
|
|
|
message: No submodule mapping found in .gitmodules for path 'app/Plugin/CakeResque'
|
|
|
|
git submodule init
|
|
|
|
git submodule update
|
|
|
|
|
|
|
|
4.02/ Install CakeResque along with its dependencies if you intend to use the built in background jobs
|
|
|
|
cd /var/www/MISP/app
|
|
|
|
php composer.phar require kamisama/cake-resque:4.1.2
|
|
|
|
php composer.phar config vendor-dir Vendor
|
|
|
|
php composer.phar install
|
|
|
|
|
|
|
|
4.03/ Install and configure php redis connector through pecl
|
|
|
|
pecl install redis
|
|
|
|
echo "extension=redis.so" > /etc/opt/rh/rh-php56/php-fpm.d/redis.ini
|
|
|
|
ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php56/php.d/99-redis.ini
|
|
|
|
systemctl restart rh-php56-php-fpm.service
|
|
|
|
|
|
|
|
4.04/ Set a timezone in php.ini
|
|
|
|
echo 'date.timezone = "Australia/Sydney"' > /etc/opt/rh/rh-php71/php-fpm.d/timezone.ini
|
|
|
|
ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php71/php.d/99-timezone.ini
|
|
|
|
|
|
|
|
4.05/ To use the scheduler worker for scheduled tasks, do the following:
|
|
|
|
cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
|
|
|
|
|
|
|
|
+----------------------------+
|
|
|
|
| 5/ Set file permissions |
|
|
|
|
+----------------------------+
|
|
|
|
|
|
|
|
5.01/ Make sure the permissions are set correctly using the following commands as root:
|
|
|
|
chown -R root:apache /var/www/MISP
|
|
|
|
find /var/www/MISP -type d -exec chmod g=rx {} \;
|
|
|
|
chmod -R g+r,o= /var/www/MISP
|
|
|
|
chown apache:apache /var/www/MISP/app/files
|
|
|
|
chown apache:apache /var/www/MISP/app/files/terms
|
|
|
|
chown apache:apache /var/www/MISP/app/files/scripts/tmp
|
|
|
|
chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp
|
|
|
|
chown -R apache:apache /var/www/MISP/app/tmp
|
|
|
|
chown -R apache:apache /var/www/MISP/app/webroot/img/orgs
|
|
|
|
chown -R apache:apache /var/www/MISP/app/webroot/img/custom
|
|
|
|
|
|
|
|
+--------------------------------+
|
|
|
|
| 6/ Create database and user |
|
|
|
|
+--------------------------------+
|
|
|
|
|
|
|
|
6.01/ Set database to listen on localhost only
|
|
|
|
echo [mysqld] > /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
|
|
|
|
echo bind-address=127.0.0.1 >> /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
|
|
|
|
systemctl restart rh-mariadb102-mariadb
|
|
|
|
|
|
|
|
6.02/ Start MariaDB shell and create database
|
|
|
|
mysql -u root -p
|
|
|
|
|
|
|
|
MariaDB [(none)]> create database misp;
|
|
|
|
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX';
|
|
|
|
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
|
|
|
|
MariaDB [(none)]> exit
|
|
|
|
|
|
|
|
6.03/ Import the empty MySQL database from MYSQL.sql
|
|
|
|
cd /var/www/MISP
|
|
|
|
mysql -u misp -p misp < INSTALL/MYSQL.sql
|
|
|
|
|
|
|
|
+--------------------------------+
|
|
|
|
| 7/ Apache Configuration |
|
|
|
|
+--------------------------------+
|
|
|
|
|
|
|
|
7.01/ Copy a sample vhost config to Apache configuration directory
|
|
|
|
cp /var/www/MISP/INSTALL/apache.misp.centos7 /etc/httpd/conf.d/misp.conf
|
|
|
|
|
|
|
|
7.02/ Since SELinux is enabled, we need to allow httpd to write to certain directories
|
|
|
|
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files
|
|
|
|
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
|
|
|
|
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
|
|
|
|
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
|
|
|
|
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
|
|
|
|
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
|
|
|
|
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
|
|
|
|
|
|
|
|
7.02/ Allow httpd to connect to the redis server and php-fpm over tcp/ip
|
|
|
|
setsebool -P httpd_can_network_connect on
|
|
|
|
|
|
|
|
7.03/ Enable and start the httpd service
|
|
|
|
systemctl enable httpd.service
|
|
|
|
systemctl start httpd.service
|
|
|
|
|
|
|
|
7.04/ Open a hole in the firewalld service
|
|
|
|
firewall-cmd --zone=public --add-port=80/tcp --permanent
|
|
|
|
firewall-cmd --reload
|
|
|
|
|
|
|
|
# We seriously recommend using only HTTPS / SSL !
|
|
|
|
# Add SSL support by running: yum install mod_ssl
|
|
|
|
# Check out the apache.misp.ssl file for an example
|
|
|
|
|
|
|
|
+--------------------------------+
|
|
|
|
| 8/ Log Rotation |
|
|
|
|
+--------------------------------+
|
|
|
|
# MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs
|
|
|
|
# To rotate these logs install the supplied logrotate script:
|
|
|
|
|
|
|
|
cp INSTALL/misp.logrotate /etc/logrotate.d/misp
|
|
|
|
|
|
|
|
8.01/ Allow logrotate to work under SELinux and modify the log files
|
|
|
|
semanage fcontext -a -t httpd_log_t "/var/www/MISP/app/tmp/logs(/.*)?"
|
2017-12-19 02:56:55 +01:00
|
|
|
|