MISP/INSTALL/INSTALL.rhel7.txt

INSTALLATION INSTRUCTIONS for RHEL 7.4
-------------------------
Contributor: Jez Kerwin - web*at*jezlabs(.)com
2017-12-19 02:02:53 +01:00
Table of Contents
-----------------
0/ Overview and Assumptions
1/ OS Install and additional repositories
2/ Install Dependencies
3/ MISP Download
4/ CakePHP
5/ Set file permissions
6/ Create database and user
7/ Apache Configuration
8/ Log Rotation
+----------------------------------------+
| 0/ Overview and Assumptions |
+----------------------------------------+
This document details the steps to install MISP on Red Hat Enterprise Linux 7.x (RHEL 7.x). At the time of writing it
was tested on version 7.4.
The following assumptions with regard to this installation have been made.
0.1/ A valid support agreement allowing the system to register to the Red Hat Customer Portal and receive updates
0.2/ The ability to enable additional RPM repositories, specifically the EPEL and Software Collections (SCL) repos
0.3/ This system will have direct or proxy access to the Internet for updates, or be connected to a Red Hat Satellite Server
0.4/ This document is to get a MISP instance up and running over HTTP. I haven't done a full test of all features
+----------------------------------------------+
| 1/ OS Install and additional repositories |
+----------------------------------------------+
1.1/ Complete a minimal RHEL installation, configure IP address to connect automatically.
1.2/ Configure system hostname
hostnamectl set-hostname misp # Your choice; in a production environment, it's best to use an FQDN
1.3/ Register the system for updates with Red Hat Subscription Manager
subscription-manager register # register your system to an account
subscription-manager attach # attach your system to a current subscription
1.4/ Enable the optional, extras and Software Collections (SCL) repos
subscription-manager repos --enable rhel-7-server-optional-rpms
subscription-manager repos --enable rhel-7-server-extras-rpms
subscription-manager repos --enable rhel-server-rhscl-7-rpms
1.5a/ OPTIONAL: Install the deltarpm package to help reduce download size when installing updates
yum install deltarpm
1.5/ Update the system and reboot
yum update
## NOTE: At the time of writing, performing a yum update results in the rhel-7-server-rt-beta-rpms repo being forbidden
## The repo can be disabled using the following command
subscription-manager repos --disable rhel-7-server-rt-beta-rpms
1.6/ Install the EPEL repo
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+-----------------------------+
| 2/ Install Dependencies |
+-----------------------------+
Once the system is installed and updated, the following steps can be performed as root
2.01/ Install some base system dependencies
yum install gcc git httpd zip python-devel libxslt-devel zlib-devel python-pip
2.02/ Install MariaDB 10.2 from SCL
yum install rh-mariadb102
2.03/ Start the MariaDB service and enable it to start on boot
systemctl start rh-mariadb102-mariadb.service
systemctl enable rh-mariadb102-mariadb.service
## MISP 2.4 requires PHP 5.5 as a minimum, so we need a higher version than base RHEL provides.
## This guide installs PHP 7.1 from SCL
2.04/ Install PHP 7.1 from SCL
yum install rh-php71 rh-php71-php-fpm rh-php71-php-devel rh-php71-php-mysqlnd rh-php71-php-mbstring rh-php71-php-xml rh-php71-php-bcmath rh-php71-php-opcache
## If we want to use httpd from RHEL base we can use the rh-php71-php-fpm service instead
2.05/ Start the PHP FPM service and enable to start on boot
systemctl start rh-php71-php-fpm.service
systemctl enable rh-php71-php-fpm.service
2.06/ Install redis 3.2 from SCL
yum install rh-redis32
2.07/ Start redis service and enable to start on boot
systemctl start rh-redis32-redis.service
systemctl enable rh-redis32-redis.service
2.08/ Start an SCL shell with rh-mariadb102, rh-php71 and rh-redis32 enabled
scl enable rh-mariadb102 rh-php71 rh-redis32 bash
2.09/ Secure the MariaDB installation: run the following command and follow the prompts
mysql_secure_installation
2.10/ Update the PHP extension repository and install required package
pear channel-update pear.php.net
pear install Crypt_GPG
2.11/ Install haveged and enable to start on boot to provide entropy for GPG
yum install haveged
systemctl start haveged
systemctl enable haveged
+---------------------+
| 3/ MISP Download |
+---------------------+
3.01/ Download MISP code using git in /var/www/ directory
cd /var/www
git clone https://github.com/MISP/MISP.git
# the checkout below must run inside the cloned repository
cd /var/www/MISP
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
3.02/ Make git ignore filesystem permission differences
git config core.filemode false
3.03/ Install Mitre's STIX and its dependencies by running the following commands:
pip install importlib
yum install python-six
cd /var/www/MISP/app/files/scripts
git clone https://github.com/CybOXProject/python-cybox.git
git clone https://github.com/STIXProject/python-stix.git
cd /var/www/MISP/app/files/scripts/python-cybox
git checkout v2.1.0.12
git config core.filemode false
# If your umask has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
python setup.py install
cd /var/www/MISP/app/files/scripts/python-stix
git checkout v1.1.1.4
git config core.filemode false
python setup.py install
3.04/ Install mixbox to accommodate the new STIX dependencies:
cd /var/www/MISP/app/files/scripts/
git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
git checkout v1.0.2
git config core.filemode false
python setup.py install
umask $UMASK
+---------------------+
| 4/ CakePHP |
+---------------------+
4.01/ CakePHP is now included as a submodule of MISP. Execute the following commands to let git fetch it, and ignore this
message: No submodule mapping found in .gitmodules for path 'app/Plugin/CakeResque'
cd /var/www/MISP
git submodule init
git submodule update
4.02/ Install CakeResque along with its dependencies if you intend to use the built in background jobs
cd /var/www/MISP/app
php composer.phar require kamisama/cake-resque:4.1.2
php composer.phar config vendor-dir Vendor
php composer.phar install
4.03/ Install and configure php redis connector through pecl
pecl install redis
# the paths and service name below belong to the rh-php71 collection installed in step 2.04
echo "extension=redis.so" > /etc/opt/rh/rh-php71/php-fpm.d/redis.ini
ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php71/php.d/99-redis.ini
systemctl restart rh-php71-php-fpm.service
4.04/ Set a timezone in php.ini
echo 'date.timezone = "Australia/Sydney"' > /etc/opt/rh/rh-php71/php-fpm.d/timezone.ini
ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php71/php.d/99-timezone.ini
4.05/ To use the scheduler worker for scheduled tasks, do the following:
cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
+----------------------------+
| 5/ Set file permissions |
+----------------------------+
5.01/ Make sure the permissions are set correctly using the following commands as root:
chown -R root:apache /var/www/MISP
find /var/www/MISP -type d -exec chmod g=rx {} \;
chmod -R g+r,o= /var/www/MISP
chown apache:apache /var/www/MISP/app/files
chown apache:apache /var/www/MISP/app/files/terms
chown apache:apache /var/www/MISP/app/files/scripts/tmp
chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp
chown -R apache:apache /var/www/MISP/app/tmp
chown -R apache:apache /var/www/MISP/app/webroot/img/orgs
chown -R apache:apache /var/www/MISP/app/webroot/img/custom
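The permission model that step 5.01 sets up can be checked afterwards. The following script is an added example, not part of the original instructions or of MISP; the function names are hypothetical and the two directory lists are copied from step 5.01.

```shell
#!/bin/sh
# Added example: audit a MISP tree against the permission model of step 5.01.
# Paths are relative to the MISP root; both lists are copied from step 5.01.
# OWNED_DIRS were chowned to apache on their own, OWNED_TREES recursively.
MISP_OWNED_DIRS="app/files app/files/terms app/files/scripts/tmp app/Plugin/CakeResque/tmp"
MISP_OWNED_TREES="app/tmp app/webroot/img/orgs app/webroot/img/custom"

# Print every path that still grants any permission to "other" (5.01 sets o=).
# Symlinks are skipped because their own mode bits are not enforced.
misp_world_accessible() {
    find "${1%/}" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print group-writable paths outside the directories handed to apache.
# The tree's group is apache, so g+w here lets the web server rewrite code.
misp_group_writable_code() {
    root=${1%/}
    set -- "$root"
    for d in $MISP_OWNED_DIRS; do
        set -- "$@" ! -path "$root/$d"
    done
    for d in $MISP_OWNED_TREES; do
        set -- "$@" ! -path "$root/$d" ! -path "$root/$d/*"
    done
    find "$@" ! -type l -perm -020 -print
}

# Run both checks; print offending paths and return non-zero if any exist.
misp_perm_audit() {
    bad=$(misp_world_accessible "$1"; misp_group_writable_code "$1")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Audit the directory given on the command line, e.g. /var/www/MISP.
if [ $# -gt 0 ]; then
    misp_perm_audit "$1"
fi
```

Run it as root with /var/www/MISP as the argument; no output and exit status 0 mean the tree matches step 5.01.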
+--------------------------------+
| 6/ Create database and user |
+--------------------------------+
6.01/ Set database to listen on localhost only
echo [mysqld] > /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 >> /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
systemctl restart rh-mariadb102-mariadb
6.02/ Start MariaDB shell and create database
mysql -u root -p
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
MariaDB [(none)]> exit
6.03/ Import the empty MySQL database from MYSQL.sql
cd /var/www/MISP
mysql -u misp -p misp < INSTALL/MYSQL.sql
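To confirm that step 6.01 took effect, check that nothing listens on the database port outside loopback. This is an added example, not part of the original instructions; the function name is hypothetical, port 3306 is assumed to be MariaDB's unchanged default, and the sample ss output is constructed.

```shell
#!/bin/sh
# Added example: list listeners on a port that are NOT bound to loopback.
# Reads `ss -ltn` output on stdin; $1 is the TCP port to check.
listeners_off_loopback() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")          # port is the last ":" field
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            gsub(/^\[|\]$/, "", addr)         # [::1] -> ::1
            if (addr !~ /^127\./ && addr != "::1") print $4
        }'
}

# Constructed samples of `ss -ltn` output: a wildcard listener on 3306,
# and the loopback-only listener expected after step 6.01.
SS_BEFORE='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    *:22                *:*
LISTEN  0      80     :::3306             :::*'
SS_AFTER='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    *:22                *:*
LISTEN  0      80     127.0.0.1:3306      *:*'

# Demo on the constructed samples: the first prints :::3306, the second nothing.
printf '%s\n' "$SS_BEFORE" | listeners_off_loopback 3306
printf '%s\n' "$SS_AFTER"  | listeners_off_loopback 3306
```

On the installed system, feed it live data with: ss -ltn | listeners_off_loopback 3306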
+--------------------------------+
| 7/ Apache Configuration |
+--------------------------------+
7.01/ Copy a sample vhost config to Apache configuration directory
cp /var/www/MISP/INSTALL/apache.misp.centos7 /etc/httpd/conf.d/misp.conf
7.02/ Since SELinux is enabled, we need to allow httpd to write to certain directories
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
7.03/ Allow httpd to connect to the redis server and php-fpm over tcp/ip
setsebool -P httpd_can_network_connect on
7.04/ Enable and start the httpd service
systemctl enable httpd.service
systemctl start httpd.service
7.05/ Open port 80/tcp in the firewalld service
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
# We seriously recommend using only HTTPS / SSL !
# Add SSL support by running: yum install mod_ssl
# Check out the apache.misp.ssl file for an example
+--------------------------------+
| 8/ Log Rotation |
+--------------------------------+
# MISP saves the stdout and stderr of its workers in /var/www/MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
cp INSTALL/misp.logrotate /etc/logrotate.d/misp
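8.01/ Allow logrotate to work under SELinux and modify the log files
# semanage fcontext -a only records the labelling rule; existing files get the new label the next time the path is relabelled
semanage fcontext -a -t httpd_log_t "/var/www/MISP/app/tmp/logs(/.*)?"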