Merge branch '2.4' of github.com:MISP/MISP into develop
commit
0eb106ef34
|
@ -150,6 +150,8 @@ MISPvars () {
|
|||
post_max_size="50M"
|
||||
max_execution_time="300"
|
||||
memory_limit="2048M"
|
||||
session0sid_length="32"
|
||||
session0use_strict_mode="1"
|
||||
|
||||
CAKE="${PATH_TO_MISP}/app/Console/cake"
|
||||
|
||||
|
@ -836,6 +838,8 @@ installDepsPhp70 () {
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
}
|
||||
|
||||
# Install Php 7.3 deps
|
||||
|
@ -1208,6 +1212,8 @@ installDepsPhp74 () {
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
}
|
||||
|
||||
# Install Php 7.3 deps
|
||||
|
@ -1260,6 +1266,8 @@ installDepsPhp72 () {
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
}
|
||||
|
||||
# Install Php 7.0 dependencies
|
||||
|
@ -1280,6 +1288,8 @@ installDepsPhp70 () {
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
}
|
||||
|
||||
prepareDB () {
|
||||
|
@ -1536,6 +1546,7 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.email" "$GPG_EMAIL_ADDRESS"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.password" "$GPG_PASSPHRASE"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.obscure_subject" true
|
||||
# FIXME: what if we have not gpg binary but a gpg2 one?
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.binary" "$(which gpg)"
|
||||
|
||||
|
@ -1565,6 +1576,9 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_range" 365
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_sighting_db_enable" false
|
||||
|
||||
# Plugin Enrichment hover defaults
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_popover_only" false
|
||||
|
||||
# Plugin CustomAuth tuneable
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
|
||||
|
||||
|
@ -1599,8 +1613,10 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableEventBlocklisting" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableOrgBlocklisting" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_auth" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_user_ips" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_user_ips_authkeys" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_user_login_change" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_user_password_change" false
|
||||
|
@ -1633,6 +1649,16 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.self_registration_message" "If you would like to send us a registration request, please fill out the form below. Make sure you fill out as much information as possible in order to ease the task of the administrators."
|
||||
|
||||
# Appease the security audit, #hardening
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.disable_browser_cache" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.check_sec_fetch_site_header" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.csp_enforce" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.advanced_authkeys" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.do_not_log_authkeys" true
|
||||
|
||||
# Appease the security audit, #loggin
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.username_in_response_header" true
|
||||
|
||||
# It is possible to updateMISP too, only here for reference how to to that on the CLI.
|
||||
## $SUDO_WWW $RUN_PHP -- $CAKE Admin updateMISP
|
||||
|
||||
|
@ -2032,7 +2058,6 @@ enableReposRHEL () {
|
|||
sudo subscription-manager refresh
|
||||
sudo subscription-manager repos --enable rhel-7-server-optional-rpms
|
||||
sudo subscription-manager repos --enable rhel-7-server-extras-rpms
|
||||
sudo subscription-manager repos --enable rhel-server-rhscl-7-rpms
|
||||
}
|
||||
|
||||
centosEPEL () {
|
||||
|
@ -2046,38 +2071,52 @@ centosEPEL () {
|
|||
|
||||
enableEPEL () {
|
||||
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
|
||||
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
|
||||
sudo yum install yum-utils -y
|
||||
sudo yum-config-manager --enable remi-php74
|
||||
}
|
||||
|
||||
yumInstallCoreDeps () {
|
||||
# Install the dependencies:
|
||||
sudo yum install gcc git zip rh-git218 \
|
||||
httpd24 \
|
||||
sudo yum install gcc git zip \
|
||||
mod_ssl \
|
||||
rh-redis32 \
|
||||
rh-mariadb102 \
|
||||
redis \
|
||||
libxslt-devel zlib-devel ssdeep-devel -y
|
||||
|
||||
# Enable and start redis
|
||||
sudo systemctl enable --now rh-redis32-redis.service
|
||||
sudo systemctl enable --now redis.service
|
||||
|
||||
# Install MariaDB
|
||||
sudo yum install wget -y
|
||||
wget https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
|
||||
chmod +x mariadb_repo_setup
|
||||
sudo ./mariadb_repo_setup
|
||||
rm mariadb_repo_setup
|
||||
sudo yum install MariaDB-server -y
|
||||
|
||||
WWW_USER="apache"
|
||||
SUDO_WWW="sudo -H -u $WWW_USER"
|
||||
RUN_PHP="/usr/bin/scl enable rh-php72"
|
||||
PHP_INI="/etc/opt/rh/rh-php72/php.ini"
|
||||
# Install PHP 7.2 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-php72/
|
||||
sudo yum install rh-php72 rh-php72-php-fpm rh-php72-php-devel \
|
||||
rh-php72-php-mysqlnd \
|
||||
rh-php72-php-mbstring \
|
||||
rh-php72-php-xml \
|
||||
rh-php72-php-bcmath \
|
||||
rh-php72-php-opcache \
|
||||
rh-php72-php-zip \
|
||||
rh-php72-php-gd -y
|
||||
PHP_INI="/etc/opt/remi/php74/php.ini"
|
||||
# Install PHP 7.4 from Remi's repo, see https://rpms.remirepo.net/enterprise/7/php74/x86_64/repoview/
|
||||
sudo yum install php74 php74-php-fpm php74-php-devel \
|
||||
php74-php-mysqlnd \
|
||||
php74-php-mbstring \
|
||||
php74-php-xml \
|
||||
php74-php-bcmath \
|
||||
php74-php-opcache \
|
||||
php74-php-zip \
|
||||
php74-php-pear \
|
||||
php74-php-brotli \
|
||||
php74-php-intl \
|
||||
php74-php-gd -y
|
||||
|
||||
# cake has php baked in, thus we link to it
|
||||
sudo ln -s /usr/bin/php74 /usr/bin/php
|
||||
|
||||
# Python 3.6 is now available in RHEL 7.7 base
|
||||
sudo yum install python3 python3-devel -y
|
||||
|
||||
sudo systemctl enable --now rh-php72-php-fpm.service
|
||||
sudo systemctl enable --now php74-php-fpm.service
|
||||
}
|
||||
|
||||
installCoreRHEL () {
|
||||
|
@ -2110,17 +2149,17 @@ installCoreRHEL () {
|
|||
cd $PATH_TO_MISP/app/files/scripts
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
||||
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
|
||||
$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
|
||||
##$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
|
||||
|
||||
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
||||
UMASK=$(umask)
|
||||
umask 0022
|
||||
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
@ -2143,42 +2182,8 @@ installCoreRHEL () {
|
|||
# install redis
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis
|
||||
|
||||
# lief needs manual compilation
|
||||
sudo yum install devtoolset-7 cmake3 cppcheck libcxx-devel -y
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/lief
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW mkdir build
|
||||
cd build
|
||||
$SUDO_WWW scl enable devtoolset-7 "bash -c 'cmake3 \
|
||||
-DLIEF_PYTHON_API=on \
|
||||
-DPYTHON_VERSION=3.6 \
|
||||
-DPYTHON_EXECUTABLE=$PATH_TO_MISP/venv/bin/python \
|
||||
-DLIEF_DOC=off \
|
||||
-DCMAKE_BUILD_TYPE=Release \
|
||||
..'"
|
||||
$SUDO_WWW make -j3 pyLIEF
|
||||
|
||||
if [ $? == 2 ]; then
|
||||
# In case you get "internal compiler error: Killed (program cc1plus)"
|
||||
# You ran out of memory.
|
||||
# Create some swap
|
||||
TEMP_DIR=$(mktemp -d)
|
||||
TEMP_SWAP=${TEMP_DIR}/swap.img
|
||||
sudo dd if=/dev/zero of=${TEMP_SWAP} bs=1024k count=4000
|
||||
sudo mkswap ${TEMP_SWAP}
|
||||
sudo swapon ${TEMP_SWAP}
|
||||
# And compile again
|
||||
${SUDO_WWW} make -j3 pyLIEF
|
||||
sudo swapoff ${TEMP_SWAP}
|
||||
sudo rm -r ${TEMP_DIR}
|
||||
fi
|
||||
|
||||
# The following adds a PYTHONPATH to where the pyLIEF module has been compiled
|
||||
echo $PATH_TO_MISP/app/files/scripts/lief/build/api/python |$SUDO_WWW tee $PATH_TO_MISP/venv/lib/python3.6/site-packages/lief.pth
|
||||
|
||||
# install magic, pydeep
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara
|
||||
# install magic, pydeep, lief
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara lief
|
||||
|
||||
# install PyMISP
|
||||
cd $PATH_TO_MISP/PyMISP
|
||||
|
@ -2186,7 +2191,7 @@ installCoreRHEL () {
|
|||
|
||||
# FIXME: Remove libfaup etc once the egg has the library baked-in
|
||||
# BROKEN: This needs to be tested on RHEL/CentOS
|
||||
##sudo apt-get install cmake libcaca-dev liblua5.3-dev -y
|
||||
sudo yum install libcaca-devel cmake3 -y
|
||||
cd /tmp
|
||||
[[ ! -d "faup" ]] && $SUDO_CMD git clone https://github.com/stricaud/faup.git faup
|
||||
[[ ! -d "gtcaca" ]] && $SUDO_CMD git clone https://github.com/stricaud/gtcaca.git gtcaca
|
||||
|
@ -2194,21 +2199,20 @@ installCoreRHEL () {
|
|||
cd gtcaca
|
||||
$SUDO_CMD mkdir -p build
|
||||
cd build
|
||||
$SUDO_CMD cmake .. && $SUDO_CMD make
|
||||
$SUDO_CMD cmake3 .. && $SUDO_CMD make
|
||||
sudo make install
|
||||
cd ../../faup
|
||||
$SUDO_CMD mkdir -p build
|
||||
cd build
|
||||
$SUDO_CMD cmake .. && $SUDO_CMD make
|
||||
$SUDO_CMD cmake3 .. && $SUDO_CMD make
|
||||
sudo make install
|
||||
sudo ldconfig
|
||||
|
||||
# Enable dependencies detection in the diagnostics page
|
||||
# This allows MISP to detect GnuPG, the Python modules' versions and to read the PHP settings.
|
||||
# The LD_LIBRARY_PATH setting is needed for rh-git218 to work
|
||||
echo "env[PATH] = /opt/rh/rh-git218/root/usr/bin:/opt/rh/rh-redis32/root/usr/bin:/opt/rh/rh-php72/root/usr/bin:/usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/rh/rh-php72/php-fpm.d/www.conf
|
||||
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php72/php-fpm.d/www.conf
|
||||
sudo systemctl restart rh-php72-php-fpm.service
|
||||
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/remi/php74/php-fpm.d/www.conf
|
||||
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/remi/php74/php-fpm.d/www.conf
|
||||
sudo systemctl restart php74-php-fpm.service
|
||||
umask $UMASK
|
||||
}
|
||||
|
||||
|
@ -2220,31 +2224,20 @@ installCake_RHEL ()
|
|||
cd $PATH_TO_MISP/app
|
||||
# Update composer.phar (optional)
|
||||
#EXPECTED_SIGNATURE="$(wget -q -O - https://composer.github.io/installer.sig)"
|
||||
#$SUDO_WWW $RUN_PHP -- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
||||
#$SUDO_WWW $RUN_PHP -- php -r "if (hash_file('SHA384', 'composer-setup.php') === '$EXPECTED_SIGNATURE') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
|
||||
#$SUDO_WWW $RUN_PHP "php composer-setup.php"
|
||||
#$SUDO_WWW $RUN_PHP -- php -r "unlink('composer-setup.php');"
|
||||
$SUDO_WWW $RUN_PHP "php composer.phar install"
|
||||
#$SUDO_WWW php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
||||
#$SUDO_WWW php -r "if (hash_file('SHA384', 'composer-setup.php') === '$EXPECTED_SIGNATURE') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
|
||||
#$SUDO_WWW php composer-setup.php
|
||||
#$SUDO_WWW php -r "unlink('composer-setup.php');"
|
||||
$SUDO_WWW php composer.phar install
|
||||
|
||||
## sudo yum install php-redis -y
|
||||
sudo scl enable rh-php72 'pecl channel-update pecl.php.net'
|
||||
sudo scl enable rh-php72 'yes no|pecl install redis'
|
||||
echo "extension=redis.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-redis.ini
|
||||
sudo yum install php74-php-pecl-redis php74-php-pecl-ssdeep php74-php-pecl-gnupg -y
|
||||
|
||||
sudo ln -s /usr/lib64/libfuzzy.so /usr/lib/libfuzzy.so
|
||||
sudo scl enable rh-php72 'pecl install ssdeep'
|
||||
echo "extension=ssdeep.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-ssdeep.ini
|
||||
|
||||
# Install gnupg extension
|
||||
sudo yum install gpgme-devel -y
|
||||
sudo scl enable rh-php72 'pecl install gnupg'
|
||||
echo "extension=gnupg.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-gnupg.ini
|
||||
sudo systemctl restart rh-php72-php-fpm.service
|
||||
sudo systemctl restart php74-php-fpm.service
|
||||
|
||||
# If you have not yet set a timezone in php.ini
|
||||
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/opt/rh/rh-php72/php.d/timezone.ini
|
||||
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/opt/remi/php74/php.d/timezone.ini
|
||||
|
||||
# Recommended: Change some PHP settings in /etc/opt/rh/rh-php72/php.ini
|
||||
# Recommended: Change some PHP settings in /etc/opt/remi/php74/php.ini
|
||||
# max_execution_time = 300
|
||||
# memory_limit = 2048M
|
||||
# upload_max_filesize = 50M
|
||||
|
@ -2253,71 +2246,40 @@ installCake_RHEL ()
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo systemctl restart rh-php72-php-fpm.service
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
sudo systemctl restart php74-php-fpm.service
|
||||
|
||||
# To use the scheduler worker for scheduled tasks, do the following:
|
||||
sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
|
||||
}
|
||||
|
||||
prepareDB_RHEL () {
|
||||
RUN_MYSQL="/usr/bin/scl enable rh-mariadb102"
|
||||
# Enable, start and secure your mysql database server
|
||||
sudo systemctl enable --now rh-mariadb102-mariadb.service
|
||||
echo [mysqld] |sudo tee /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
|
||||
echo bind-address=127.0.0.1 |sudo tee -a /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
|
||||
sudo systemctl restart rh-mariadb102-mariadb
|
||||
sudo systemctl enable --now mariadb.service
|
||||
echo [mysqld] |sudo tee /etc/my.cnf.d/bind-address.cnf
|
||||
echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf
|
||||
sudo systemctl restart mariadb
|
||||
|
||||
sudo yum install expect -y
|
||||
# Kill the anonymous users
|
||||
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'localhost'"
|
||||
# Because our hostname varies we'll use some Bash magic here.
|
||||
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'$(hostname)'"
|
||||
# Kill off the demo database
|
||||
sudo mysql -h $DBHOST -e "DROP DATABASE IF EXISTS test"
|
||||
# No root remote logins
|
||||
sudo mysql -h $DBHOST -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
|
||||
# Make sure that NOBODY can access the server without a password
|
||||
sudo mysqladmin -h $DBHOST -u "${DBUSER_ADMIN}" password "${DBPASSWORD_ADMIN}"
|
||||
# Make our changes take effect
|
||||
sudo mysql -h $DBHOST -e "FLUSH PRIVILEGES"
|
||||
|
||||
## The following needs some thoughts about scl enable foo
|
||||
#if [[ ! -e /var/opt/rh/rh-mariadb102/lib/mysql/misp/users.ibd ]]; then
|
||||
|
||||
# We ask interactively your password if not run as root
|
||||
pw=""
|
||||
if [[ "$EUID" -ne 0 ]]; then
|
||||
read -s -p "Enter sudo password: " pw
|
||||
fi
|
||||
|
||||
expect -f - <<-EOF
|
||||
set timeout 10
|
||||
|
||||
spawn sudo scl enable rh-mariadb102 mysql_secure_installation
|
||||
expect {
|
||||
"*sudo*" {
|
||||
send "$pw\r"
|
||||
exp_continue
|
||||
}
|
||||
"Enter current password for root (enter for none):" {
|
||||
send -- "\r"
|
||||
}
|
||||
}
|
||||
expect "Set root password?"
|
||||
send -- "y\r"
|
||||
expect "New password:"
|
||||
send -- "${DBPASSWORD_ADMIN}\r"
|
||||
expect "Re-enter new password:"
|
||||
send -- "${DBPASSWORD_ADMIN}\r"
|
||||
expect "Remove anonymous users?"
|
||||
send -- "y\r"
|
||||
expect "Disallow root login remotely?"
|
||||
send -- "y\r"
|
||||
expect "Remove test database and access to it?"
|
||||
send -- "y\r"
|
||||
expect "Reload privilege tables now?"
|
||||
send -- "y\r"
|
||||
expect eof
|
||||
EOF
|
||||
|
||||
sudo yum remove tcl expect -y
|
||||
|
||||
sudo systemctl restart rh-mariadb102-mariadb
|
||||
|
||||
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'CREATE DATABASE $DBNAME;'"
|
||||
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT USAGE on *.* to $DBUSER_MISP@localhost IDENTIFIED by '$DBPASSWORD_MISP';\""
|
||||
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';\""
|
||||
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;'"
|
||||
|
||||
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE DATABASE ${DBNAME};"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE USER '${DBUSER_MISP}'@'localhost' IDENTIFIED BY '${DBPASSWORD_MISP}';"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT USAGE ON *.* to '${DBUSER_MISP}'@'localhost';"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT ALL PRIVILEGES on ${DBNAME}.* to '${DBUSER_MISP}'@'localhost';"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "FLUSH PRIVILEGES;"
|
||||
# Import the empty MISP database from MYSQL.sql
|
||||
${SUDO_WWW} cat ${PATH_TO_MISP}/INSTALL/MYSQL.sql | mysql -h $DBHOST -u "${DBUSER_MISP}" -p"${DBPASSWORD_MISP}" ${DBNAME}
|
||||
}
|
||||
|
||||
apacheConfig_RHEL () {
|
||||
|
@ -2352,13 +2314,12 @@ apacheConfig_RHEL () {
|
|||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp
|
||||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Plugin/CakeResque/tmp
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/cake
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/*.sh
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*.py
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*/*.py
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/lief/build/api/python/lief.so
|
||||
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/*.sh"
|
||||
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*.py"
|
||||
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*/*.py"
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Vendor/pear/crypt_gpg/scripts/crypt-gpg-pinentry
|
||||
sudo chcon -R -t bin_t $PATH_TO_MISP/venv/bin/*
|
||||
find $PATH_TO_MISP/venv -type f -name "*.so*" -or -name "*.so.*" | xargs sudo chcon -t lib_t
|
||||
sudo sh -c "chcon -R -t bin_t $PATH_TO_MISP/venv/bin/*"
|
||||
sudo find $PATH_TO_MISP/venv -type f -name "*.so*" -or -name "*.so.*" | xargs sudo chcon -t lib_t
|
||||
# Only run these if you want to be able to update MISP from the web interface
|
||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git
|
||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
|
||||
|
@ -2480,6 +2441,7 @@ configMISP_RHEL () {
|
|||
|
||||
# If you want to be able to change configuration parameters from the webinterface:
|
||||
sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config/config.php
|
||||
sudo chmod 660 $PATH_TO_MISP/app/Config/config.php
|
||||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config/config.php
|
||||
|
||||
# Generate a GPG encryption key.
|
||||
|
@ -2514,13 +2476,13 @@ EOF
|
|||
configWorkersRHEL () {
|
||||
echo "[Unit]
|
||||
Description=MISP background workers
|
||||
After=rh-mariadb102-mariadb.service rh-redis32-redis.service rh-php72-php-fpm.service
|
||||
After=mariadb.service redis.service php74-php-fpm.service
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
User=$WWW_USER
|
||||
Group=$WWW_USER
|
||||
ExecStart=/usr/bin/scl enable rh-php72 rh-redis32 rh-mariadb102 $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
ExecStart=$PATH_TO_MISP/app/Console/worker/start.sh
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
|
||||
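Review bot: In the prepareDB_RHEL hunk the new `sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e ...` lines, the `sudo mysqladmin ... password "${DBPASSWORD_ADMIN}"` line and the MYSQL.sql import with `-p"${DBPASSWORD_MISP}"` all put the database passwords on the command line, where they are readable by every local user via `ps` and are recorded verbatim by sudo's command logging. The scl-wrapped commands they replace had the same exposure, so this rewrite is the moment to fix it: hand the credentials to mysql through a root-owned 0600 option file with `--defaults-extra-file` (it must be the first option) and remove the file afterwards, as sketched below; `mysqladmin password` prompts when given no argument, which keeps that value out of argv as well. The same option-file approach applies to the `${DBUSER_MISP}` import at the end of the function.
```shell
# Hand the admin credentials to mysql through a root-owned 0600 option file so they
# never appear in argv (ps, sudo log); --defaults-extra-file must be the first option.
MYSQL_ADMIN_CNF=$(sudo mktemp) || exit 1
printf '[client]\nuser=%s\npassword=%s\n' "${DBUSER_ADMIN}" "${DBPASSWORD_ADMIN}" | sudo tee "${MYSQL_ADMIN_CNF}" >/dev/null
sudo mysql --defaults-extra-file="${MYSQL_ADMIN_CNF}" -h "${DBHOST}" -e "CREATE DATABASE ${DBNAME};"
# … unchanged: CREATE USER / GRANT USAGE / GRANT ALL / FLUSH PRIVILEGES, each with --defaults-extra-file in place of -u/-p …
sudo rm -f -- "${MYSQL_ADMIN_CNF}"
```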
|
|
|
@ -1,5 +1,5 @@
|
|||
; Generated by RHash v1.4.0 on 2021-03-17 at 11:58.01
|
||||
; Generated by RHash v1.3.9 on 2021-03-25 at 12:56.17
|
||||
; Written by Kravchenko Aleksey (Akademgorodok) - http://rhash.sf.net/
|
||||
;
|
||||
; 137809 11:57.59 2021-03-17 INSTALL.sh
|
||||
INSTALL.sh 5264D3699A8122AD797C52D64DB3BDB59FF98B4E 072391BE950D876396C4C858515D429DCD5ECB1DDA6C52ABD8AC81FB1DA336C0 3BAA227161359FB6449FE7CCDAACF9985362DE128BC09296D6B543646DEA958611786F1B8F816AC11E0C9AAB15149D7E 5A1DF67A94B0F45967EA478EEB610AA33AAD1ABF2D4D27267AB8813C163683C98549071FE05275D5A99BCB08A5A6F703073563E46601E2727DE34ECFE57757D9
|
||||
; 137691 12:56.17 2021-03-25 INSTALL.sh
|
||||
INSTALL.sh 5694A8F77384677CA3DC84FB5A5F3C06D6FFF03F 5F3A9B04BEEE449E96F4A698F3FA497390E46E2AD1DBDDED37F54E29FED76221 ABCB35B681F9A5E3568A055465976EC0996C0CC2FD8A39384E05D90413D8300B7356AAE23A540912D7D9907BECCDCD9F 54712D3100DAF92EA6201D86941222F6877B772533D048C8F758332D9B45418B64AA767A0D78C8A39E491BE114F139FFEF5A2E0436EA8503AA593556E56C0992
|
||||
|
|
|
@ -1 +1 @@
|
|||
5264d3699a8122ad797c52d64db3bdb59ff98b4e INSTALL.sh
|
||||
5694a8f77384677ca3dc84fb5a5f3c06d6fff03f INSTALL.sh
|
||||
|
|
|
@ -1 +1 @@
|
|||
072391be950d876396c4c858515d429dcd5ecb1dda6c52abd8ac81fb1da336c0 INSTALL.sh
|
||||
5f3a9b04beee449e96f4a698f3fa497390e46e2ad1dbdded37f54e29fed76221 INSTALL.sh
|
||||
|
|
|
@ -1 +1 @@
|
|||
3baa227161359fb6449fe7ccdaacf9985362de128bc09296d6b543646dea958611786f1b8f816ac11e0c9aab15149d7e INSTALL.sh
|
||||
abcb35b681f9a5e3568a055465976ec0996c0cc2fd8a39384e05d90413d8300b7356aae23a540912d7d9907beccdcd9f INSTALL.sh
|
||||
|
|
|
@ -1 +1 @@
|
|||
5a1df67a94b0f45967ea478eeb610aa33aad1abf2d4d27267ab8813c163683c98549071fe05275d5a99bcb08a5a6f703073563e46601e2727de34ecfe57757d9 INSTALL.sh
|
||||
54712d3100daf92ea6201d86941222f6877b772533d048c8f758332d9b45418b64aa767a0d78c8a39e491be114f139ffef5a2e0436ea8503aa593556e56c0992 INSTALL.sh
|
||||
|
|
|
@ -6249,7 +6249,8 @@ class Event extends AppModel
|
|||
foreach ($resolved_data['Tag'] as $tag) {
|
||||
$tag_id = $this->EventTag->Tag->captureTag($tag, $user);
|
||||
if ($tag_id) {
|
||||
$this->EventTag->attachTagToEvent($id, $tag_id);
|
||||
$tag['id'] = $tag_id;
|
||||
$this->EventTag->attachTagToEvent($id, $tag);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -912,7 +912,7 @@ class EventReport extends AppModel
|
|||
if ($tagId === -1) {
|
||||
$tagId = $this->EventTag->Tag->captureTag(['name' => $tagName], $user);
|
||||
}
|
||||
$this->EventTag->attachTagToEvent($eventId, $tagId);
|
||||
$this->EventTag->attachTagToEvent($eventId, ['id' => $tagId]);
|
||||
}
|
||||
}
|
||||
|
||||
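Review bot: After `captureTag` on the `$tagId === -1` branch, the new `$this->EventTag->attachTagToEvent($eventId, ['id' => $tagId]);` call runs regardless of whether captureTag produced a tag id, whereas the parallel new code in Event.php only attaches inside `if ($tag_id)`; a failed capture here would try to save an association with an empty `tag_id`. Guard it the same way: `if ($tagId) { $this->EventTag->attachTagToEvent($eventId, ['id' => $tagId]); }`. The enclosing method starts outside the hunk, so whether an earlier check already excludes a failed capture cannot be seen from here.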
|
|
|
@ -85,25 +85,25 @@ class EventTag extends AppModel
|
|||
public function handleEventTag($event_id, $tag, &$nothingToChange = false)
|
||||
{
|
||||
if (empty($tag['deleted'])) {
|
||||
$result = $this->attachTagToEvent($event_id, $tag['id'], $nothingToChange);
|
||||
$result = $this->attachTagToEvent($event_id, $tag, $nothingToChange);
|
||||
} else {
|
||||
$result = $this->detachTagFromEvent($event_id, $tag['id'], $nothingToChange);
|
||||
}
|
||||
return $result;
|
||||
}
|
||||
|
||||
public function attachTagToEvent($event_id, $tag_id, &$nothingToChange = false)
|
||||
public function attachTagToEvent($event_id, $tag, &$nothingToChange = false)
|
||||
{
|
||||
$existingAssociation = $this->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array(
|
||||
'tag_id' => $tag_id,
|
||||
'tag_id' => $tag['id'],
|
||||
'event_id' => $event_id
|
||||
)
|
||||
));
|
||||
if (empty($existingAssociation)) {
|
||||
$this->create();
|
||||
if (!$this->save(array('event_id' => $event_id, 'tag_id' => $tag_id))) {
|
||||
if (!$this->save(array('event_id' => $event_id, 'tag_id' => $tag['id'], 'local' => !empty($tag['local'])))) {
|
||||
return false;
|
||||
}
|
||||
} else {
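Review bot: `attachTagToEvent` changes its second parameter from an int `$tag_id` to an array `$tag` but carries no docblock, and any caller not updated in this commit would now index `$tag['id']` on an int and silently query `tag_id => null`. Add a docblock naming the expected keys (`id` required; `local` optional, coerced to a boolean by `!empty`) and fail loudly at entry, e.g. `if (!is_array($tag) || empty($tag['id'])) { return false; }`, matching the existing `return false` on save failure. Note that `local` is persisted from whatever the caller passes: Feed.php and EventReport.php build `['id' => …]` so it is always false there, while Event.php passes `$resolved_data['Tag']` entries through, so a `local` flag in that data now reaches the database — worth confirming that is intended wherever that data is user-supplied. The `$existingAssociation` lookup matches on `tag_id`/`event_id` only, so re-attaching with a different `local` value falls into the `else` branch, which continues outside the hunk; if that branch does not update `local`, the change of flag is silently dropped.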
|
||||
|
|
|
@ -1132,7 +1132,7 @@ class Feed extends AppModel
|
|||
$this->Event->publishRouter($event['Event']['id'], null, $user);
|
||||
}
|
||||
if ($feed['Feed']['tag_id']) {
|
||||
$this->Event->EventTag->attachTagToEvent($event['Event']['id'], $feed['Feed']['tag_id']);
|
||||
$this->Event->EventTag->attachTagToEvent($event['Event']['id'], ['id' => $feed['Feed']['tag_id']]);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
|
|
@ -21,6 +21,8 @@ Make sure you are reading the parsed version of this Document. When in doubt [cl
|
|||
|
||||
### 0/ Overview and Assumptions
|
||||
|
||||
{!generic/community.md!}
|
||||
|
||||
{!generic/rhelVScentos.md!}
|
||||
|
||||
!!! warning
|
||||
|
@ -85,7 +87,6 @@ enableReposRHEL () {
|
|||
sudo subscription-manager refresh
|
||||
sudo subscription-manager repos --enable rhel-7-server-optional-rpms
|
||||
sudo subscription-manager repos --enable rhel-7-server-extras-rpms
|
||||
sudo subscription-manager repos --enable rhel-server-rhscl-7-rpms
|
||||
}
|
||||
# <snippet-end 0_RHEL_SCL.sh>
|
||||
```
|
||||
|
@ -137,10 +138,9 @@ yumUpdate () {
|
|||
# <snippet-begin 0_RHEL_EPEL.sh>
|
||||
enableEPEL () {
|
||||
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
|
||||
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
|
||||
sudo yum install yum-utils
|
||||
sudo subscription-manager repos --enable=rhel-7-server-optional-rpms
|
||||
sudo yum-config-manager --enable remi-php72
|
||||
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
|
||||
sudo yum install yum-utils -y
|
||||
sudo yum-config-manager --enable remi-php74
|
||||
}
|
||||
# <snippet-end 0_RHEL_EPEL.sh>
|
||||
```
|
||||
|
@ -148,7 +148,7 @@ enableEPEL () {
|
|||
### 2/ Dependencies
|
||||
|
||||
!!! note
|
||||
This guide installs PHP 7.2 from SCL
|
||||
This guide installs PHP 7.4 from Remi's Repo
|
||||
|
||||
!!! warning
|
||||
[PHP 5.6 and 7.0 aren't supported since December 2018](https://secure.php.net/supported-versions.php). Please update accordingly. In the future only PHP7 will be supported.
|
||||
|
@ -167,37 +167,38 @@ yumInstallCoreDeps () {
|
|||
sudo systemctl enable --now redis.service
|
||||
|
||||
# Install MariaDB
|
||||
sudo yum install wget
|
||||
sudo yum install wget -y
|
||||
wget https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
|
||||
chmod +x mariadb_repo_setup
|
||||
sudo ./mariadb_repo_setup
|
||||
sudo yum install MariaDB-server
|
||||
rm mariadb_repo_setup
|
||||
sudo yum install MariaDB-server -y
|
||||
|
||||
WWW_USER="apache"
|
||||
SUDO_WWW="sudo -H -u $WWW_USER"
|
||||
RUN_PHP="/usr/bin/scl enable php72"
|
||||
PHP_INI="/etc/opt/remi/php72/php.ini"
|
||||
# Install PHP 7.2 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-php72/ Obsolete?
|
||||
sudo yum install php72 php72-php-fpm php72-php-devel \
|
||||
php72-php-mysqlnd \
|
||||
php72-php-mbstring \
|
||||
php72-php-xml \
|
||||
php72-php-bcmath \
|
||||
php72-php-opcache \
|
||||
php72-php-zip \
|
||||
php72-php-gd -y
|
||||
PHP_INI="/etc/opt/remi/php74/php.ini"
|
||||
# Install PHP 7.4 from Remi's repo, see https://rpms.remirepo.net/enterprise/7/php74/x86_64/repoview/
|
||||
sudo yum install php74 php74-php-fpm php74-php-devel \
|
||||
php74-php-mysqlnd \
|
||||
php74-php-mbstring \
|
||||
php74-php-xml \
|
||||
php74-php-bcmath \
|
||||
php74-php-opcache \
|
||||
php74-php-zip \
|
||||
php74-php-pear \
|
||||
php74-php-brotli \
|
||||
php74-php-intl \
|
||||
php74-php-gd -y
|
||||
|
||||
# cake has php baked in, thus we link to it
|
||||
sudo ln -s /usr/bin/php74 /usr/bin/php
|
||||
|
||||
# Python 3.6 is now available in RHEL 7.7 base
|
||||
sudo yum install python3 python3-devel -y
|
||||
|
||||
sudo systemctl enable --now php72-php-fpm.service
|
||||
sudo systemctl enable --now php74-php-fpm.service
|
||||
}
|
||||
# <snippet-end 0_yumInstallCoreDeps.sh>
|
||||
```
|
||||
|
||||
!!! notice
|
||||
$RUN_PHP makes php available for you if using php72. e.g: sudo $RUN_PHP "pear list | grep Crypt_GPG"
|
||||
|
||||
```bash
|
||||
# <snippet-begin 0_yumInstallHaveged.sh>
|
||||
# GPG needs lots of entropy, haveged provides entropy
|
||||
|
@ -242,17 +243,17 @@ installCoreRHEL () {
|
|||
cd $PATH_TO_MISP/app/files/scripts
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
||||
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
|
||||
$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
|
||||
##$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
|
||||
|
||||
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
||||
UMASK=$(umask)
|
||||
umask 0022
|
||||
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
@ -275,42 +276,8 @@ installCoreRHEL () {
|
|||
# install redis
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis
|
||||
|
||||
# lief needs manual compilation
|
||||
sudo yum install devtoolset-7 cmake3 cppcheck libcxx-devel -y
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/lief
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW mkdir build
|
||||
cd build
|
||||
$SUDO_WWW scl enable devtoolset-7 "bash -c 'cmake3 \
|
||||
-DLIEF_PYTHON_API=on \
|
||||
-DPYTHON_VERSION=3.6 \
|
||||
-DPYTHON_EXECUTABLE=$PATH_TO_MISP/venv/bin/python \
|
||||
-DLIEF_DOC=off \
|
||||
-DCMAKE_BUILD_TYPE=Release \
|
||||
..'"
|
||||
$SUDO_WWW make -j3 pyLIEF
|
||||
|
||||
if [ $? == 2 ]; then
|
||||
# In case you get "internal compiler error: Killed (program cc1plus)"
|
||||
# You ran out of memory.
|
||||
# Create some swap
|
||||
TEMP_DIR=$(mktemp -d)
|
||||
TEMP_SWAP=${TEMP_DIR}/swap.img
|
||||
sudo dd if=/dev/zero of=${TEMP_SWAP} bs=1024k count=4000
|
||||
sudo mkswap ${TEMP_SWAP}
|
||||
sudo swapon ${TEMP_SWAP}
|
||||
# And compile again
|
||||
${SUDO_WWW} make -j3 pyLIEF
|
||||
sudo swapoff ${TEMP_SWAP}
|
||||
sudo rm -r ${TEMP_DIR}
|
||||
fi
|
||||
|
||||
# The following adds a PYTHONPATH to where the pyLIEF module has been compiled
|
||||
echo $PATH_TO_MISP/app/files/scripts/lief/build/api/python |$SUDO_WWW tee $PATH_TO_MISP/venv/lib/python3.6/site-packages/lief.pth
|
||||
|
||||
# install magic, pydeep
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara
|
||||
# install magic, pydeep, lief
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara lief
|
||||
|
||||
# install PyMISP
|
||||
cd $PATH_TO_MISP/PyMISP
|
||||
|
@ -318,7 +285,7 @@ installCoreRHEL () {
|
|||
|
||||
# FIXME: Remove libfaup etc once the egg has the library baked-in
|
||||
# BROKEN: This needs to be tested on RHEL/CentOS
|
||||
##sudo apt-get install cmake libcaca-dev liblua5.3-dev -y
|
||||
sudo yum install libcaca-devel cmake3 -y
|
||||
cd /tmp
|
||||
[[ ! -d "faup" ]] && $SUDO_CMD git clone https://github.com/stricaud/faup.git faup
|
||||
[[ ! -d "gtcaca" ]] && $SUDO_CMD git clone https://github.com/stricaud/gtcaca.git gtcaca
|
||||
|
@ -326,22 +293,20 @@ installCoreRHEL () {
|
|||
cd gtcaca
|
||||
$SUDO_CMD mkdir -p build
|
||||
cd build
|
||||
$SUDO_CMD cmake .. && $SUDO_CMD make
|
||||
$SUDO_CMD cmake3 .. && $SUDO_CMD make
|
||||
sudo make install
|
||||
cd ../../faup
|
||||
$SUDO_CMD mkdir -p build
|
||||
cd build
|
||||
$SUDO_CMD cmake .. && $SUDO_CMD make
|
||||
$SUDO_CMD cmake3 .. && $SUDO_CMD make
|
||||
sudo make install
|
||||
sudo ldconfig
|
||||
|
||||
# Enable dependencies detection in the diagnostics page
|
||||
# This allows MISP to detect GnuPG, the Python modules' versions and to read the PHP settings.
|
||||
# OBSOLETE?
|
||||
# The LD_LIBRARY_PATH setting is needed for rh-git218 to work
|
||||
echo "env[PATH] = /opt/rh/rh-git218/root/usr/bin:/opt/rh/rh-php72/root/usr/bin:/usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/rh/rh-php72/php-fpm.d/www.conf
|
||||
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/remi/php72/php-fpm.d/www.conf
|
||||
sudo systemctl restart php72-php-fpm.service
|
||||
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/remi/php74/php-fpm.d/www.conf
|
||||
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/remi/php74/php-fpm.d/www.conf
|
||||
sudo systemctl restart php74-php-fpm.service
|
||||
umask $UMASK
|
||||
}
|
||||
# <snippet-end 1_mispCoreInstall_RHEL.sh>
|
||||
|
@ -363,31 +328,20 @@ installCake_RHEL ()
|
|||
cd $PATH_TO_MISP/app
|
||||
# Update composer.phar (optional)
|
||||
#EXPECTED_SIGNATURE="$(wget -q -O - https://composer.github.io/installer.sig)"
|
||||
#$SUDO_WWW $RUN_PHP -- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
||||
#$SUDO_WWW $RUN_PHP -- php -r "if (hash_file('SHA384', 'composer-setup.php') === '$EXPECTED_SIGNATURE') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
|
||||
#$SUDO_WWW $RUN_PHP "php composer-setup.php"
|
||||
#$SUDO_WWW $RUN_PHP -- php -r "unlink('composer-setup.php');"
|
||||
$SUDO_WWW $RUN_PHP "php composer.phar install"
|
||||
#$SUDO_WWW php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
||||
#$SUDO_WWW php -r "if (hash_file('SHA384', 'composer-setup.php') === '$EXPECTED_SIGNATURE') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
|
||||
#$SUDO_WWW php composer-setup.php
|
||||
#$SUDO_WWW php -r "unlink('composer-setup.php');"
|
||||
$SUDO_WWW php composer.phar install
|
||||
|
||||
## sudo yum install php-redis -y
|
||||
sudo scl enable rh-php72 'pecl channel-update pecl.php.net'
|
||||
sudo scl enable rh-php72 'yes no|pecl install redis'
|
||||
echo "extension=redis.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-redis.ini
|
||||
sudo yum install php74-php-pecl-redis php74-php-pecl-ssdeep php74-php-pecl-gnupg -y
|
||||
|
||||
sudo ln -s /usr/lib64/libfuzzy.so /usr/lib/libfuzzy.so
|
||||
sudo scl enable rh-php72 'pecl install ssdeep'
|
||||
echo "extension=ssdeep.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-ssdeep.ini
|
||||
|
||||
# Install gnupg extension
|
||||
sudo yum install gpgme-devel -y
|
||||
sudo scl enable rh-php72 'pecl install gnupg'
|
||||
echo "extension=gnupg.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-gnupg.ini
|
||||
sudo systemctl restart rh-php72-php-fpm.service
|
||||
sudo systemctl restart php74-php-fpm.service
|
||||
|
||||
# If you have not yet set a timezone in php.ini
|
||||
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/opt/rh/rh-php72/php.d/timezone.ini
|
||||
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/opt/remi/php74/php.d/timezone.ini
|
||||
|
||||
# Recommended: Change some PHP settings in /etc/opt/rh/rh-php72/php.ini
|
||||
# Recommended: Change some PHP settings in /etc/opt/remi/php74/php.ini
|
||||
# max_execution_time = 300
|
||||
# memory_limit = 2048M
|
||||
# upload_max_filesize = 50M
|
||||
|
@ -396,7 +350,9 @@ installCake_RHEL ()
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo systemctl restart rh-php72-php-fpm.service
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
sudo systemctl restart php74-php-fpm.service
|
||||
|
||||
# To use the scheduler worker for scheduled tasks, do the following:
|
||||
sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
|
||||
|
@ -438,64 +394,31 @@ permissions_RHEL () {
|
|||
```bash
|
||||
# <snippet-begin 1_prepareDB_RHEL.sh>
|
||||
prepareDB_RHEL () {
|
||||
RUN_MYSQL="/usr/bin/scl enable rh-mariadb102"
|
||||
# Enable, start and secure your mysql database server
|
||||
sudo systemctl enable --now rh-mariadb102-mariadb.service
|
||||
echo [mysqld] |sudo tee /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
|
||||
echo bind-address=127.0.0.1 |sudo tee -a /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
|
||||
sudo systemctl restart rh-mariadb102-mariadb
|
||||
sudo systemctl enable --now mariadb.service
|
||||
echo [mysqld] |sudo tee /etc/my.cnf.d/bind-address.cnf
|
||||
echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf
|
||||
sudo systemctl restart mariadb
|
||||
|
||||
sudo yum install expect -y
|
||||
# Kill the anonymous users
|
||||
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'localhost'"
|
||||
# Because our hostname varies we'll use some Bash magic here.
|
||||
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'$(hostname)'"
|
||||
# Kill off the demo database
|
||||
sudo mysql -h $DBHOST -e "DROP DATABASE IF EXISTS test"
|
||||
# No root remote logins
|
||||
sudo mysql -h $DBHOST -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
|
||||
# Make sure that NOBODY can access the server without a password
|
||||
sudo mysqladmin -h $DBHOST -u "${DBUSER_ADMIN}" password "${DBPASSWORD_ADMIN}"
|
||||
# Make our changes take effect
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "FLUSH PRIVILEGES"
|
||||
|
||||
## The following needs some thoughts about scl enable foo
|
||||
#if [[ ! -e /var/opt/rh/rh-mariadb102/lib/mysql/misp/users.ibd ]]; then
|
||||
|
||||
# We ask interactively your password if not run as root
|
||||
pw=""
|
||||
if [[ "$EUID" -ne 0 ]]; then
|
||||
read -s -p "Enter sudo password: " pw
|
||||
fi
|
||||
|
||||
expect -f - <<-EOF
|
||||
set timeout 10
|
||||
|
||||
spawn sudo scl enable rh-mariadb102 mysql_secure_installation
|
||||
expect {
|
||||
"*sudo*" {
|
||||
send "$pw\r"
|
||||
exp_continue
|
||||
}
|
||||
"Enter current password for root (enter for none):" {
|
||||
send -- "\r"
|
||||
}
|
||||
}
|
||||
expect "Set root password?"
|
||||
send -- "y\r"
|
||||
expect "New password:"
|
||||
send -- "${DBPASSWORD_ADMIN}\r"
|
||||
expect "Re-enter new password:"
|
||||
send -- "${DBPASSWORD_ADMIN}\r"
|
||||
expect "Remove anonymous users?"
|
||||
send -- "y\r"
|
||||
expect "Disallow root login remotely?"
|
||||
send -- "y\r"
|
||||
expect "Remove test database and access to it?"
|
||||
send -- "y\r"
|
||||
expect "Reload privilege tables now?"
|
||||
send -- "y\r"
|
||||
expect eof
|
||||
EOF
|
||||
|
||||
sudo yum remove tcl expect -y
|
||||
|
||||
sudo systemctl restart rh-mariadb102-mariadb
|
||||
|
||||
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'CREATE DATABASE $DBNAME;'"
|
||||
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT USAGE on *.* to $DBUSER_MISP@localhost IDENTIFIED by '$DBPASSWORD_MISP';\""
|
||||
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';\""
|
||||
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;'"
|
||||
|
||||
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE DATABASE ${DBNAME};"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE USER '${DBUSER_MISP}'@'localhost' IDENTIFIED BY '${DBPASSWORD_MISP}';"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT USAGE ON *.* to '${DBUSER_MISP}'@'localhost';"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT ALL PRIVILEGES on ${DBNAME}.* to '${DBUSER_MISP}'@'localhost';"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "FLUSH PRIVILEGES;"
|
||||
# Import the empty MISP database from MYSQL.sql
|
||||
${SUDO_WWW} cat ${PATH_TO_MISP}/INSTALL/MYSQL.sql | mysql -h $DBHOST -u "${DBUSER_MISP}" -p"${DBPASSWORD_MISP}" ${DBNAME}
|
||||
}
|
||||
# <snippet-end 1_prepareDB_RHEL.sh>
|
||||
```
|
||||
|
@ -544,13 +467,12 @@ apacheConfig_RHEL () {
|
|||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp
|
||||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Plugin/CakeResque/tmp
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/cake
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/*.sh
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*.py
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*/*.py
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/lief/build/api/python/lief.so
|
||||
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/*.sh"
|
||||
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*.py"
|
||||
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*/*.py"
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Vendor/pear/crypt_gpg/scripts/crypt-gpg-pinentry
|
||||
sudo chcon -R -t bin_t $PATH_TO_MISP/venv/bin/*
|
||||
find $PATH_TO_MISP/venv -type f -name "*.so*" -or -name "*.so.*" | xargs sudo chcon -t lib_t
|
||||
sudo sh -c "chcon -R -t bin_t $PATH_TO_MISP/venv/bin/*"
|
||||
sudo find $PATH_TO_MISP/venv -type f -name "*.so*" -or -name "*.so.*" | xargs sudo chcon -t lib_t
|
||||
# Only run these if you want to be able to update MISP from the web interface
|
||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git
|
||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
|
||||
|
@ -673,6 +595,7 @@ configMISP_RHEL () {
|
|||
|
||||
# If you want to be able to change configuration parameters from the webinterface:
|
||||
sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config/config.php
|
||||
sudo chmod 660 $PATH_TO_MISP/app/Config/config.php
|
||||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config/config.php
|
||||
|
||||
# Generate a GPG encryption key.
|
||||
|
@ -721,13 +644,13 @@ EOF
|
|||
configWorkersRHEL () {
|
||||
echo "[Unit]
|
||||
Description=MISP background workers
|
||||
After=rh-mariadb102-mariadb.service rh-redis32-redis.service rh-php72-php-fpm.service
|
||||
After=mariadb.service redis.service php74-php-fpm.service
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
User=$WWW_USER
|
||||
Group=$WWW_USER
|
||||
ExecStart=/usr/bin/scl enable rh-php72 rh-redis32 rh-mariadb102 $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
ExecStart=$PATH_TO_MISP/app/Console/worker/start.sh
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
|
||||
|
|
|
@ -29,6 +29,11 @@ Make sure you are reading the parsed version of this Document. When in doubt [cl
|
|||
The core MISP team cannot verify if this guide is working or not. Please help us in keeping it up to date and accurate.
|
||||
Thus we also have difficulties in supporting RHEL issues but will do a best effort on a similar yet slightly different setup.
|
||||
|
||||
!!! notice
|
||||
This document also serves as a source for the [INSTALL-misp.sh](https://github.com/MISP/MISP/blob/2.4/INSTALL/INSTALL.sh) script.
|
||||
Which explains why you will see the use of shell *functions* in various steps.
|
||||
Henceforth the document will also follow a more logical flow. In the sense that all the dependencies are installed first then config files are generated, etc...
|
||||
|
||||
!!! notice
|
||||
Maintenance for CentOS 8 will end on: December 31st, 2021 [Source[0]](https://wiki.centos.org/About/Product) [Source[1]](https://linuxlifecycle.com/)
|
||||
CentOS 8 [NetInstallURL](http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=BaseOS)
|
||||
|
@ -69,20 +74,20 @@ sudo hostnamectl set-hostname misp.local # Your choice, in a production environm
|
|||
```
|
||||
|
||||
## 1.3/ **[RHEL]** Register the system for updates with Red Hat Subscription Manager
|
||||
Can be skipped if the Machine has been registered during install phase.
|
||||
```bash
|
||||
# <snippet-begin 0_RHEL_register.sh>
|
||||
sudo subscription-manager register --auto-attach # register your system to an account and attach to a current subscription
|
||||
# <snippet-end 0_RHEL_register.sh>
|
||||
```
|
||||
|
||||
## 1.4/ **[RHEL]** Enable the optional, extras and Software Collections (SCL) repos
|
||||
## 1.4/ **[RHEL]** Enable the optional repos (obsolete in v8)
|
||||
```bash
|
||||
# <snippet-begin 0_RHEL_SCL.sh>
|
||||
# To be confirmed, no access to RHSCL
|
||||
sudo subscription-manager refresh
|
||||
sudo subscription-manager repos --enable rhel-8-server-optional-rpms
|
||||
sudo subscription-manager repos --enable rhel-8-server-extras-rpms
|
||||
sudo subscription-manager repos --enable rhel-server-rhscl-8-rpms
|
||||
# The following is needed for -devel repos and ONLY for misp-modules, ignore if not needed
|
||||
sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
|
||||
# Software Collections is available for Red Hat Enterprise Linux 7 and previous supported releases. Starting with Red Hat Enterprise Linux 8, the content traditionally consumed via Software Collections is now part of Application Streams. Please see the Application Streams Life Cycle documentation for that release. Source: https://access.redhat.com/support/policy/updates/rhscl
|
||||
# <snippet-end 0_RHEL_SCL.sh>
|
||||
```
|
||||
|
||||
|
@ -91,31 +96,31 @@ sudo subscription-manager repos --enable rhel-server-rhscl-8-rpms
|
|||
sudo yum install drpm -y
|
||||
```
|
||||
|
||||
## 1.5.b/ Install vim (optional)
|
||||
```bash
|
||||
# Because vim is just so practical
|
||||
sudo yum install vim -y
|
||||
```
|
||||
|
||||
## 1.5/ Update the system and reboot
|
||||
```bash
|
||||
# <snippet-begin 0_yum-update.sh>
|
||||
sudo yum update -y
|
||||
yumUpdate () {
|
||||
sudo yum update -y
|
||||
}
|
||||
# <snippet-end 0_yum-update.sh>
|
||||
```
|
||||
|
||||
## 1.6/ **[RHEL]** Install the EPEL repo
|
||||
|
||||
## 1.6/ **[RHEL]** Install the EPEL and remi repo
|
||||
```bash
|
||||
# <snippet-begin 0_RHEL_EPEL.sh>
|
||||
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y
|
||||
enableEPEL () {
|
||||
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y
|
||||
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-8.rpm -y
|
||||
sudo yum install yum-utils -y
|
||||
sudo dnf module enable php:remi-7.4 -y
|
||||
}
|
||||
# <snippet-end 0_RHEL_EPEL.sh>
|
||||
```
|
||||
|
||||
### 2/ Dependencies
|
||||
|
||||
!!! note
|
||||
This guide installs PHP 7.2 from SCL
|
||||
This guide installs PHP 7.4 from Remi's repo
|
||||
|
||||
!!! warning
|
||||
[PHP 5.6 and 7.0 aren't supported since December 2018](https://secure.php.net/supported-versions.php). Please update accordingly. In the future only PHP7 will be supported.
|
||||
|
@ -135,33 +140,44 @@ yumInstallCoreDeps () {
|
|||
python3-devel python3-pip python3-virtualenv \
|
||||
python3-policycoreutils \
|
||||
policycoreutils-python-utils \
|
||||
libxslt-devel zlib-devel -y
|
||||
# ssdeep-devel available: dnf install https://extras.getpagespeed.com/release-el8-latest.rpm
|
||||
libxslt-devel zlib-devel ssdeep-devel -y
|
||||
sudo alternatives --set python /usr/bin/python3
|
||||
|
||||
# Enable and start redis
|
||||
sudo systemctl enable --now redis.service
|
||||
|
||||
PHP_INI=/etc/php.ini
|
||||
sudo yum install php php-fpm php-devel php-pear \
|
||||
php-mysqlnd \
|
||||
php-mbstring \
|
||||
php-xml \
|
||||
php-bcmath \
|
||||
php-opcache \
|
||||
php-json \
|
||||
php-zip \
|
||||
php-gd -y
|
||||
PHP_INI="/etc/opt/remi/php74/php.ini"
|
||||
# Install PHP 7.4 from Remi's repo, see https://rpms.remirepo.net/enterprise/8/php74/x86_64/repoview/
|
||||
sudo yum install php php-fpm php-devel \
|
||||
php-mysqlnd \
|
||||
php-mbstring \
|
||||
php-xml \
|
||||
php-bcmath \
|
||||
php-opcache \
|
||||
php-zip \
|
||||
php-pear \
|
||||
php-brotli \
|
||||
php-intl \
|
||||
php-gd -y
|
||||
|
||||
# cake has php baked in, thus we link to it, ignore if this fails or exists.
|
||||
sudo ln -s /usr/bin/php74 /usr/bin/php
|
||||
}
|
||||
# <snippet-end 0_yumInstallCoreDeps.sh>
|
||||
```
|
||||
|
||||
!!! notice
|
||||
MISP 2.4 requires PHP 5.6 as a minimum, we need a higher version than base RHEL provides.<br />
|
||||
This guide installs PHP 7.2
|
||||
```bash
|
||||
# <snippet-begin 0_yumInstallHaveged.sh>
|
||||
# GPG needs lots of entropy, haveged provides entropy
|
||||
# /!\ Only do this if you're not running rngd to provide randomness and your kernel randomness is not sufficient.
|
||||
sudo yum install haveged -y
|
||||
sudo systemctl enable --now haveged.service
|
||||
# <snippet-end 0_yumInstallHaveged.sh>
|
||||
```
|
||||
|
||||
!!! notice
|
||||
If we want to use httpd from RHEL base we can use the rh-php72-php-fpm service instead
|
||||
MISP 2.4 requires PHP 5.6 as a minimum, we need a higher version than base RHEL provides.<br />
|
||||
This guide installs PHP 7.4
|
||||
|
||||
## 2.05/ Start the PHP FPM service and enable to start on boot
|
||||
```bash
|
||||
|
@ -176,17 +192,12 @@ TODO: Add a CentOS/RHEL rng thing, à la haveged (not in base anymore) or simila
|
|||
```bash
|
||||
# <snippet-begin 1_mispCoreInstall_RHEL.sh>
|
||||
installCoreRHEL () {
|
||||
# Download MISP using git in the /var/www/ directory.
|
||||
sudo mkdir $PATH_TO_MISP
|
||||
sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP
|
||||
cd /var/www
|
||||
# Download MISP using git in the $PATH_TO_MISP directory.
|
||||
sudo mkdir -p $(dirname $PATH_TO_MISP)
|
||||
sudo chown $WWW_USER:$WWW_USER $(dirname $PATH_TO_MISP)
|
||||
cd $(dirname $PATH_TO_MISP)
|
||||
$SUDO_WWW git clone https://github.com/MISP/MISP.git
|
||||
cd $PATH_TO_MISP
|
||||
##$SUDO_WWW git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
|
||||
# if the last shortcut doesn't work, specify the latest version manually
|
||||
# example: git checkout tags/v2.4.XY
|
||||
# the message regarding a "detached HEAD state" is expected behaviour
|
||||
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
|
||||
|
||||
# Fetch submodules
|
||||
$SUDO_WWW git submodule update --init --recursive
|
||||
|
@ -212,6 +223,11 @@ installCoreRHEL () {
|
|||
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
||||
UMASK=$(umask)
|
||||
umask 0022
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||
$SUDO_WWW git config core.filemode false
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
|
@ -279,7 +295,7 @@ installCoreRHEL () {
|
|||
|
||||
# FIXME: Remove libfaup etc once the egg has the library baked-in
|
||||
# BROKEN: This needs to be tested on RHEL/CentOS
|
||||
##sudo apt-get install cmake libcaca-dev liblua5.3-dev -y
|
||||
sudo yum install libcaca-devel cmake3 -y
|
||||
cd /tmp
|
||||
[[ ! -d "faup" ]] && $SUDO_CMD git clone https://github.com/stricaud/faup.git faup
|
||||
[[ ! -d "gtcaca" ]] && $SUDO_CMD git clone https://github.com/stricaud/gtcaca.git gtcaca
|
||||
|
@ -296,16 +312,14 @@ installCoreRHEL () {
|
|||
sudo make install
|
||||
sudo ldconfig
|
||||
|
||||
# Enable python3 for php-fpm
|
||||
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/php-fpm.d/www.conf
|
||||
sudo systemctl restart php-fpm.service
|
||||
|
||||
umask $UMASK
|
||||
|
||||
# Enable dependencies detection in the diagnostics page
|
||||
# This allows MISP to detect GnuPG, the Python modules' versions and to read the PHP settings.
|
||||
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/php-fpm.d/www.conf
|
||||
sudo systemctl restart php-fpm.service
|
||||
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/remi/php74/php-fpm.d/www.conf
|
||||
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/remi/php74/php-fpm.d/www.conf
|
||||
sudo systemctl restart php74-php-fpm.service
|
||||
# TODO investigate: listen = 127.0.0.1:9000
|
||||
|
||||
umask $UMASK
|
||||
}
|
||||
# <snippet-end 1_mispCoreInstall_RHEL.sh>
|
||||
```
|
||||
|
@ -331,26 +345,15 @@ installCake_RHEL ()
|
|||
#$SUDO_WWW php -r "unlink('composer-setup.php');"
|
||||
$SUDO_WWW php composer.phar install
|
||||
|
||||
## sudo yum install php-redis -y
|
||||
sudo pecl channel-update pecl.php.net
|
||||
sudo pecl install redis
|
||||
echo "extension=redis.so" |sudo tee /etc/php-fpm.d/redis.ini
|
||||
sudo ln -s /etc/php-fpm.d/redis.ini /etc/php.d/99-redis.ini
|
||||
sudo systemctl restart php-fpm.service
|
||||
sudo yum install php-pecl-redis php-pecl-ssdeep php-pecl-gnupg -y
|
||||
|
||||
# Install gnupg extension
|
||||
# NOT working on RHEL 8 gpgme-devel not provided
|
||||
##sudo yum install gpgme-devel -y
|
||||
##sudo pecl install gnupg
|
||||
##echo "extension=gnupg.so" |sudo tee /etc/opt/rh/rh-php72/php-fpm.d/gnupg.ini
|
||||
##sudo ln -s /etc/opt/rh/rh-php72/php-fpm.d/gnupg.ini /etc/opt/rh/rh-php72/php.d/99-gnupg.ini
|
||||
##sudo systemctl restart rh-php72-php-fpm.service
|
||||
sudo systemctl restart php-fpm.service
|
||||
|
||||
# If you have not yet set a timezone in php.ini
|
||||
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/php-fpm.d/timezone.ini
|
||||
sudo ln -s ../php-fpm.d/timezone.ini /etc/php.d/99-timezone.ini
|
||||
|
||||
# Recommended: Change some PHP settings in /etc/opt/rh/rh-php72/php.ini
|
||||
# Recommended: Change some PHP settings in /etc/opt/remi/php74/php.ini
|
||||
# max_execution_time = 300
|
||||
# memory_limit = 2048M
|
||||
# upload_max_filesize = 50M
|
||||
|
@ -359,12 +362,14 @@ installCake_RHEL ()
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
sudo systemctl restart php-fpm.service
|
||||
|
||||
# To use the scheduler worker for scheduled tasks, do the following:
|
||||
sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
|
||||
}
|
||||
# <snippet-begin 1_installCake_RHEL.sh>
|
||||
# <snippet-end 1_installCake_RHEL.sh>
|
||||
```
|
||||
|
||||
### 5/ Set file permissions
|
||||
|
@ -373,10 +378,10 @@ installCake_RHEL ()
|
|||
# Main function to fix permissions to something sane
|
||||
permissions_RHEL () {
|
||||
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP
|
||||
## ? chown -R root:apache /var/www/MISP
|
||||
## ? chown -R root:$WWW_USER $PATH_TO_MISP
|
||||
sudo find $PATH_TO_MISP -type d -exec chmod g=rx {} \;
|
||||
sudo chmod -R g+r,o= $PATH_TO_MISP
|
||||
## **Note :** For updates through the web interface to work, apache must own the /var/www/MISP folder and its subfolders as shown above, which can lead to security issues. If you do not require updates through the web interface to work, you can use the following more restrictive permissions :
|
||||
## **Note :** For updates through the web interface to work, apache must own the $PATH_TO_MISP folder and its subfolders as shown above, which can lead to security issues. If you do not require updates through the web interface to work, you can use the following more restrictive permissions :
|
||||
sudo chmod -R 750 $PATH_TO_MISP
|
||||
sudo chmod -R g+xws $PATH_TO_MISP/app/tmp
|
||||
sudo chmod -R g+ws $PATH_TO_MISP/app/files
|
||||
|
@ -407,49 +412,26 @@ prepareDB_RHEL () {
|
|||
echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf
|
||||
sudo systemctl restart mariadb
|
||||
|
||||
sudo yum install expect -y
|
||||
# Kill the anonymous users
|
||||
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'localhost'"
|
||||
# Because our hostname varies we'll use some Bash magic here.
|
||||
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'$(hostname)'"
|
||||
# Kill off the demo database
|
||||
sudo mysql -h $DBHOST -e "DROP DATABASE IF EXISTS test"
|
||||
# No root remote logins
|
||||
sudo mysql -h $DBHOST -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
|
||||
# Make sure that NOBODY can access the server without a password
|
||||
sudo mysqladmin -h $DBHOST -u "${DBUSER_ADMIN}" password "${DBPASSWORD_ADMIN}"
|
||||
# Make our changes take effect
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "FLUSH PRIVILEGES"
|
||||
|
||||
## The following needs some thoughts about scl enable foo
|
||||
#if [[ ! -e /var/opt/rh/rh-mariadb102/lib/mysql/misp/users.ibd ]]; then
|
||||
|
||||
# Add your credentials if needed, if sudo has NOPASS, comment out the relevant lines
|
||||
pw="Password1234"
|
||||
|
||||
expect -f - <<-EOF
|
||||
set timeout 10
|
||||
|
||||
spawn sudo mysql_secure_installation
|
||||
expect "*?assword*"
|
||||
send -- "$pw\r"
|
||||
expect "Enter current password for root (enter for none):"
|
||||
send -- "\r"
|
||||
expect "Set root password?"
|
||||
send -- "y\r"
|
||||
expect "New password:"
|
||||
send -- "${DBPASSWORD_ADMIN}\r"
|
||||
expect "Re-enter new password:"
|
||||
send -- "${DBPASSWORD_ADMIN}\r"
|
||||
expect "Remove anonymous users?"
|
||||
send -- "y\r"
|
||||
expect "Disallow root login remotely?"
|
||||
send -- "y\r"
|
||||
expect "Remove test database and access to it?"
|
||||
send -- "y\r"
|
||||
expect "Reload privilege tables now?"
|
||||
send -- "y\r"
|
||||
expect eof
|
||||
EOF
|
||||
|
||||
sudo yum remove tcl expect -y
|
||||
|
||||
sudo systemctl restart mariadb
|
||||
|
||||
mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "CREATE DATABASE $DBNAME;"
|
||||
mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "GRANT USAGE on *.* to $DBUSER_MISP@localhost IDENTIFIED by '$DBPASSWORD_MISP';"
|
||||
mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
|
||||
mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;'
|
||||
|
||||
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -h $DBHOST -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE DATABASE ${DBNAME};"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE USER '${DBUSER_MISP}'@'localhost' IDENTIFIED BY '${DBPASSWORD_MISP}';"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT USAGE ON *.* to '${DBUSER_MISP}'@'localhost';"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT ALL PRIVILEGES on ${DBNAME}.* to '${DBUSER_MISP}'@'localhost';"
|
||||
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "FLUSH PRIVILEGES;"
|
||||
# Import the empty MISP database from MYSQL.sql
|
||||
${SUDO_WWW} cat ${PATH_TO_MISP}/INSTALL/MYSQL.sql | mysql -h $DBHOST -u "${DBUSER_MISP}" -p"${DBPASSWORD_MISP}" ${DBNAME}
|
||||
}
|
||||
# <snippet-end 1_prepareDB_RHEL.sh>
|
||||
```
|
||||
|
@ -471,7 +453,7 @@ apacheConfig_RHEL () {
|
|||
# A sample vhost can be found in $PATH_TO_MISP/INSTALL/apache.misp.centos7
|
||||
|
||||
sudo cp $PATH_TO_MISP/INSTALL/apache.misp.centos7.ssl /etc/httpd/conf.d/misp.ssl.conf
|
||||
sudo sed -i "s/SetHandler/\#SetHandler/g" /etc/httpd/conf.d/misp.ssl.conf
|
||||
#sudo sed -i "s/SetHandler/\#SetHandler/g" /etc/httpd/conf.d/misp.ssl.conf
|
||||
sudo rm /etc/httpd/conf.d/ssl.conf
|
||||
sudo chmod 644 /etc/httpd/conf.d/misp.ssl.conf
|
||||
sudo sed -i '/Listen 80/a Listen 443' /etc/httpd/conf/httpd.conf
|
||||
|
@ -488,7 +470,7 @@ apacheConfig_RHEL () {
|
|||
sudo openssl req -new -subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" -key /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.csr
|
||||
sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/misp.local.csr -signkey /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.crt
|
||||
sudo ln -s /etc/pki/tls/certs/misp.local.csr /etc/pki/tls/certs/misp-chain.crt
|
||||
cat /etc/pki/tls/certs/dhparam.pem |sudo tee -a /etc/pki/tls/certs/misp.local.crt
|
||||
cat /etc/pki/tls/certs/dhparam.pem |sudo tee -a /etc/pki/tls/certs/misp.local.crt
|
||||
|
||||
sudo systemctl restart httpd.service
|
||||
|
||||
|
@ -498,13 +480,14 @@ apacheConfig_RHEL () {
|
|||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp
|
||||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Plugin/CakeResque/tmp
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/cake
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmq.py
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmqtest.py
|
||||
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/*.sh"
|
||||
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*.py"
|
||||
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*/*.py"
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/lief/build/api/python/lief.so
|
||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Vendor/pear/crypt_gpg/scripts/crypt-gpg-pinentry
|
||||
sudo chcon -t httpd_sys_rw_content_t /tmp
|
||||
sudo chcon -R -t usr_t $PATH_TO_MISP/venv
|
||||
sudo sh -c "chcon -R -t bin_t $PATH_TO_MISP/venv/bin/*"
|
||||
sudo find $PATH_TO_MISP/venv -type f -name "*.so*" -or -name "*.so.*" | xargs sudo chcon -t lib_t
|
||||
# Only run these if you want to be able to update MISP from the web interface
|
||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git
|
||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
|
||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Lib
|
||||
|
@ -541,7 +524,7 @@ firewall_RHEL () {
|
|||
|
||||
### 8/ Log Rotation
|
||||
## 8.01/ Enable log rotation
|
||||
MISP saves the stdout and stderr of its workers in /var/www/MISP/app/tmp/logs
|
||||
MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs
|
||||
To rotate these logs install the supplied logrotate script:
|
||||
|
||||
FIXME: The below does not work
|
||||
|
@ -557,12 +540,12 @@ logRotation_RHEL () {
|
|||
|
||||
# Now make logrotate work under SELinux as well
|
||||
# Allow logrotate to modify the log files
|
||||
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/MISP(/.*)?"
|
||||
sudo semanage fcontext -a -t httpd_sys_rw_content_t "$PATH_TO_MISP(/.*)?"
|
||||
sudo semanage fcontext -a -t httpd_log_t "$PATH_TO_MISP/app/tmp/logs(/.*)?"
|
||||
sudo chcon -R -t httpd_log_t $PATH_TO_MISP/app/tmp/logs
|
||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp/logs
|
||||
# Impact of the following: ?!?!?!!?111
|
||||
##sudo restorecon -R /var/www/MISP/
|
||||
##sudo restorecon -R $PATH_TO_MISP
|
||||
|
||||
# Allow logrotate to read /var/www
|
||||
sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te
|
||||
|
@ -627,6 +610,7 @@ configMISP_RHEL () {
|
|||
|
||||
# If you want to be able to change configuration parameters from the webinterface:
|
||||
sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config/config.php
|
||||
sudo chmod 660 $PATH_TO_MISP/app/Config/config.php
|
||||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config/config.php
|
||||
|
||||
# Generate a GPG encryption key.
|
||||
|
@ -668,123 +652,40 @@ EOF
|
|||
The email address should match the one set in the config.php configuration file
|
||||
Make sure that you use the same settings in the MISP Server Settings tool
|
||||
|
||||
## 9.06/ Use MISP's background workers
|
||||
## 9.06a/ Create a systemd unit for the workers
|
||||
```bash
|
||||
echo "[Unit]
|
||||
Description=MISP background workers
|
||||
After=mariadb.service redis.service fpm.service
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
User=apache
|
||||
Group=apache
|
||||
ExecStart=/var/www/MISP/app/Console/worker/start.sh
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-workers.service
|
||||
```
|
||||
|
||||
Make the workers' script executable and reload the systemd units :
|
||||
```bash
|
||||
sudo chmod +x /var/www/MISP/app/Console/worker/start.sh
|
||||
sudo systemctl daemon-reload
|
||||
sudo checkmodule -M -m -o /tmp/workerstartsh.mod $PATH_TO_MISP/INSTALL/workerstartsh.te
|
||||
sudo semodule_package -o /tmp/workerstartsh.pp -m /tmp/workerstartsh.mod
|
||||
sudo semodule -i /tmp/workerstartsh.pp
|
||||
```
|
||||
|
||||
## 9.06b/ Start the workers and enable them on boot
|
||||
```bash
|
||||
sudo systemctl enable --now misp-workers.service
|
||||
```
|
||||
|
||||
## 9.07/ misp-modules (Broken on RHEL8)
|
||||
|
||||
Here are CentOS 8 packages of openjpeg2-devel: https://centos.pkgs.org/8/centos-powertools-x86_64/openjpeg2-devel-2.3.0-8.el8.x86_64.rpm.html
|
||||
## 9.06/ Use MISP background workers
|
||||
|
||||
```bash
|
||||
# some misp-modules dependencies
|
||||
sudo yum install openjpeg2-devel -y
|
||||
# <snippet-begin 3_configWorkers_RHEL.sh>
|
||||
configWorkersRHEL () {
|
||||
echo "[Unit]
|
||||
Description=MISP background workers
|
||||
After=mariadb.service redis.service php-fpm.service
|
||||
|
||||
sudo chmod 2777 /usr/local/src
|
||||
sudo chown root:users /usr/local/src
|
||||
cd /usr/local/src/
|
||||
$SUDO_WWW git clone https://github.com/MISP/misp-modules.git
|
||||
cd misp-modules
|
||||
sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-core poppler-cpp-devel -y
|
||||
# pip install
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
|
||||
## poppler/cpp/poppler-document.h missing, under my current setup I cannot find it in the repos.
|
||||
[Service]
|
||||
Type=forking
|
||||
User=$WWW_USER
|
||||
Group=$WWW_USER
|
||||
ExecStart=$PATH_TO_MISP/app/Console/worker/start.sh
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
|
||||
echo "[Unit]
|
||||
Description=MISP modules
|
||||
After=misp-workers.service
|
||||
[Install]
|
||||
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-workers.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=apache
|
||||
Group=apache
|
||||
ExecStart=\"${PATH_TO_MISP}/venv/bin/misp-modules –l 127.0.0.1 –s\"
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
sudo systemctl daemon-reload
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-modules.service
|
||||
|
||||
sudo systemctl daemon-reload
|
||||
# Test misp-modules
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/misp-modules -l 127.0.0.1 -s
|
||||
sudo systemctl enable --now misp-modules
|
||||
|
||||
# Enable Enrichment, set better timeouts
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
|
||||
# TODO:"Investigate why the next one fails"
|
||||
#$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_asn_history_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_btc_steroids_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_ipasn_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_yara_syntax_validator_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_yara_query_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_pdf_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_docx_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_xlsx_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_pptx_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_ods_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_odt_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
|
||||
|
||||
# Enable Import modules, set better timeout
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_services_enable" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_services_port" 6666
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_timeout" 300
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_mispjson_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_openiocimport_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_threatanalyzer_import_enabled" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
|
||||
|
||||
# Enable Export modules, set better timeout
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_services_enable" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_services_port" 6666
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_timeout" 300
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
|
||||
sudo systemctl enable --now misp-workers.service
|
||||
}
|
||||
# <snippet-end 3_configWorkers_RHEL.sh>
|
||||
```
|
||||
|
||||
{!generic/misp-dashboard-centos.md!}
|
||||
{!generic/misp-modules-centos.md!}
|
||||
|
||||
{!generic/MISP_CAKE_init.md!}
|
||||
|
||||
{!generic/misp-dashboard-centos.md!}
|
||||
|
||||
{!generic/INSTALL.done.md!}
|
||||
|
||||
{!generic/recommended.actions.md!}
|
||||
|
@ -792,7 +693,7 @@ sudo systemctl enable --now misp-modules
|
|||
### 11/ LIEF Installation
|
||||
*lief* is required for the Advanced Attachment Handler and requires manual compilation
|
||||
|
||||
The installation is explained in section **[3.01](https://misp.github.io/MISP/xINSTALL.rhel8/#301-download-misp-code-using-git-in-varwww-directory)**
|
||||
The installation is explained in section **[3.01](https://misp.github.io/MISP/INSTALL.rhel8/#301-download-misp-code-using-git-in-varwww-directory)**
|
||||
|
||||
### 12/ Known Issues
|
||||
## 12.01/ Workers cannot be started or restarted from the web page
|
||||
|
@ -801,7 +702,7 @@ Possible also due to package being installed via SCL, attempting to start worker
|
|||
systemctl restart misp-workers.service
|
||||
```
|
||||
|
||||
!!! note
|
||||
!!! note
|
||||
No other functions were tested after the conclusion of this install. There may be issue that aren't addressed<br />
|
||||
via this guide and will need additional investigation.
|
||||
|
||||
|
|
|
@ -121,6 +121,8 @@ installDepsPhp72 () {
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
}
|
||||
# <snippet-end 0_installDepsPhp72.sh>
|
||||
```
|
||||
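Review bot: The two added `sed` lines only rewrite a `session.sid_length` / `session.use_strict_mode` line that already exists uncommented in `$PHP_INI`; if the distribution ships the key commented out (`;session.use_strict_mode = 0`) or omits it, the substitution matches nothing and strict mode silently stays off, which defeats the session-fixation hardening this change is for. Guard each key with a presence check and append it when missing, e.g. `grep -q '^session\.use_strict_mode' "$PHP_INI" || echo "session.use_strict_mode = ${session0use_strict_mode}" | sudo tee -a "$PHP_INI"`, and likewise for `sid_length`. The unescaped `.` in the pattern also matches any character, so write it as `session\.sid_length`. installDepsPhp72's body starts outside the hunk.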
|
|
|
@ -121,6 +121,8 @@ installDepsPhp74 () {
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
}
|
||||
# <snippet-end 0_installDepsPhp74.sh>
|
||||
```
|
||||
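Review bot: The `$(eval echo \${session0sid_length})` indirection on the two added lines is copied from the loop above, where it is needed because the variable name comes from `$key`; here the name is a literal, so `${session0sid_length}` yields the same value without an `eval` and without re-parsing the value as shell. Prefer `sudo sed -i "s/^\(session\.sid_length\).*/\1 = ${session0sid_length}/" "$PHP_INI"` and the same shape for `session.use_strict_mode`, which also quotes `$PHP_INI` and escapes the dot in the pattern. installDepsPhp74's body starts outside the hunk.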
|
|
|
@ -39,6 +39,7 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.email" "$GPG_EMAIL_ADDRESS"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.password" "$GPG_PASSPHRASE"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.obscure_subject" true
|
||||
# FIXME: what if we have not gpg binary but a gpg2 one?
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.binary" "$(which gpg)"
|
||||
|
||||
|
@ -68,6 +69,9 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_range" 365
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_sighting_db_enable" false
|
||||
|
||||
# Plugin Enrichment hover defaults
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_popover_only" false
|
||||
|
||||
# Plugin CustomAuth tuneable
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
|
||||
|
||||
|
@ -102,8 +106,10 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableEventBlocklisting" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableOrgBlocklisting" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_auth" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_user_ips" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_user_ips_authkeys" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_user_login_change" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_user_password_change" false
|
||||
|
@ -136,6 +142,16 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.self_registration_message" "If you would like to send us a registration request, please fill out the form below. Make sure you fill out as much information as possible in order to ease the task of the administrators."
|
||||
|
||||
# Appease the security audit, #hardening
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.disable_browser_cache" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.check_sec_fetch_site_header" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.csp_enforce" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.advanced_authkeys" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.do_not_log_authkeys" true
|
||||
|
||||
# Appease the security audit, #loggin
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.username_in_response_header" true
|
||||
|
||||
# It is possible to updateMISP too, only here for reference how to to that on the CLI.
|
||||
## $SUDO_WWW $RUN_PHP -- $CAKE Admin updateMISP
|
||||
|
||||
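Review bot: `Security.username_in_response_header` is enabled under a comment that only says `# Appease the security audit, #loggin`, but as its name indicates it places the authenticated user's name in an HTTP response header on every request; that is useful when a reverse proxy in front of MISP logs it, yet it discloses account names to any intermediary, cache or browser extension in the path, so it deserves a stated reason rather than an audit tag. Replace the comment with something like `# Emit the logged-in username in a response header so the reverse proxy can log it; leave off if responses traverse shared intermediaries` (and fix the `#loggin` typo). The flip of `MISP.log_client_ip` from false to true together with the new `MISP.log_user_ips` / `MISP.log_user_ips_authkeys` lines makes the install store client IP addresses by default, which has retention and privacy implications that a one-line comment should acknowledge. coreCAKE's body starts and ends outside the hunks.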
|
|
|
@ -84,6 +84,8 @@ MISPvars () {
|
|||
post_max_size="50M"
|
||||
max_execution_time="300"
|
||||
memory_limit="2048M"
|
||||
session0sid_length="32"
|
||||
session0use_strict_mode="1"
|
||||
|
||||
CAKE="${PATH_TO_MISP}/app/Console/cake"
|
||||
|
||||
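Review bot: `session0sid_length` and `session0use_strict_mode` read like typos: the `0` stands in for the `.` of the php.ini keys `session.sid_length` / `session.use_strict_mode`, because the install snippets use a variable's name verbatim as the ini key and a shell identifier cannot contain a dot. Add a comment so nobody "corrects" the names, e.g. `# '0' replaces '.' (shell identifiers cannot contain dots); written to php.ini as session.sid_length / session.use_strict_mode`. It is also worth stating why they exist: `use_strict_mode=1` makes PHP refuse client-supplied session IDs it did not create (session-fixation hardening). MISPvars's body starts outside the hunk.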
|
|
|
@ -1,10 +1,14 @@
|
|||
## 9.07/ misp-modules
|
||||
|
||||
```bash
|
||||
# <snippet-begin 3_misp-modules_RHEL.sh>
|
||||
mispmodulesRHEL () {
|
||||
# some misp-modules dependencies
|
||||
# some misp-modules dependencies for RHEL<8
|
||||
sudo yum install openjpeg-devel gcc-c++ poppler-cpp-devel pkgconfig python-devel redhat-rpm-config -y
|
||||
|
||||
# some misp-modules dependencies for RHEL8
|
||||
sudo yum install openjpeg2-devel gcc-c++ poppler-cpp-devel pkgconfig python2-devel redhat-rpm-config -y
|
||||
|
||||
sudo chmod 2777 /usr/local/src
|
||||
sudo chown root:users /usr/local/src
|
||||
cd /usr/local/src/
|
||||
|
@ -14,7 +18,11 @@ mispmodulesRHEL () {
|
|||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install pyfaup censys
|
||||
# some misp-modules dependencies for RHEL<8
|
||||
sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-devel -y
|
||||
# some misp-modules dependencies for RHEL8
|
||||
sudo dnf install https://packages.endpoint.com/rhel/8/main/x86_64/endpoint-repo-8-1.ep8.noarch.rpm
|
||||
sudo yum install zbar-devel opencv-devel -y
|
||||
|
||||
echo "[Unit]
|
||||
Description=MISP modules
|
||||
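Review bot: `sudo dnf install https://packages.endpoint.com/rhel/8/main/x86_64/endpoint-repo-8-1.ep8.noarch.rpm` fetches a third-party repository definition (and whatever signing key it carries) straight from the network with no checksum or signature pinning, so whoever controls that host or path becomes a package source for the MISP host; at minimum pin the RPM by checksum, or vendor the repo file and key and set `gpgcheck=1` explicitly. The "RHEL<8" and "RHEL8" package blocks also run unconditionally one after the other — there is no release check between them — so on RHEL 7 the RHEL 8 repo install runs anyway (and `dnf` may not exist); gate them, e.g. `if grep -q 'release 8' /etc/redhat-release; then … fi`. The `dnf install` line is also missing `-y`, unlike every `yum install` around it, so an unattended run stalls on a prompt. mispmodulesRHEL's body continues outside the hunk.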
|
|
|
@ -672,6 +672,8 @@ installDepsPhp70 () {
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
}
|
||||
# <snippet-end 0_installDepsPhp70.sh>
|
||||
|
||||
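Review bot: `session.sid_length` was introduced in PHP 7.1 (unless I misread the changelog), so in a PHP 7.0 `php.ini` there is no such line for `sed` to rewrite and the first added command is a silent no-op; `session.use_strict_mode` has existed since 5.5.2 and is fine. Either drop the `sid_length` line from the 7.0 variant or make the intent explicit with `# session.sid_length exists only from PHP 7.1; no-op on 7.0` so a reader does not assume the session-ID length was hardened here. installDepsPhp70's body starts outside the hunk.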
|
|
|
@ -285,6 +285,8 @@ for key in upload_max_filesize post_max_size max_execution_time max_input_time m
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
sudo service rh-php70-php-fpm restart
|
||||
# To use the scheduler worker for scheduled tasks, do the following:
|
||||
sudo cp -fa ${PATH_TO_MISP}/INSTALL/setup/config.php ${PATH_TO_MISP}/app/Plugin/CakeResque/Config/config.php
|
||||
|
|
|
@ -268,6 +268,8 @@ for key in upload_max_filesize post_max_size max_execution_time max_input_time m
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
sudo systemctl restart rh-php72-php-fpm.service
|
||||
|
||||
# To use the scheduler worker for scheduled tasks, do the following:
|
||||
|
|
|
@ -345,6 +345,8 @@ for key in upload_max_filesize post_max_size max_execution_time max_input_time m
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
|
||||
# Restart apache
|
||||
sudo systemctl restart apache2
|
||||
|
|
|
@ -367,6 +367,8 @@ for key in upload_max_filesize post_max_size max_execution_time max_input_time m
|
|||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
|
||||
# Restart apache
|
||||
sudo systemctl restart apache2
|
||||
|
|
|
@ -118,6 +118,9 @@ function installMISPonTsurugi() {
|
|||
post_max_size=50M
|
||||
max_execution_time=300
|
||||
memory_limit=2048M
|
||||
session.sid_length=32
|
||||
session.use_strict_mode=1
|
||||
|
||||
PHP_INI=/etc/php/7.0/apache2/php.ini
|
||||
|
||||
# apt config
|
||||
|
@ -410,6 +413,8 @@ function installMISPonTsurugi() {
|
|||
do
|
||||
sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
|
||||
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
|
||||
|
||||
systemctl restart apache2
|
||||
|
||||
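Review bot: The new definitions `session.sid_length=32` and `session.use_strict_mode=1` are not valid shell assignments — an identifier cannot contain `.`, so bash treats each as a command name and fails with "command not found" — while the added `sed` lines read `${session0sid_length}` / `${session0use_strict_mode}`, which nothing in this function defines. The net effect is `session.use_strict_mode = ` written into php.ini (an empty value, i.e. strict mode off) and an empty `session.sid_length` that PHP will reject or ignore, so the session-fixation hardening this commit intends is silently not applied on Tsurugi. Rename the definitions to what the sed lines consume: `session0sid_length=32` and `session0use_strict_mode=1` (the `0` standing in for the dot, as in the other install variants). The added lines also use `sudo` where the surrounding Tsurugi commands (`sed -i`, `systemctl restart apache2`) do not; pick one convention. Both hunks sit inside installMISPonTsurugi, whose body continues outside them.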
|
|