Merge branch '2.4' of github.com:MISP/MISP into develop

pull/7255/head
mokaddem 2021-03-25 16:07:30 +01:00
commit 0eb106ef34
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
23 changed files with 382 additions and 550 deletions


@ -150,6 +150,8 @@ MISPvars () {
post_max_size="50M"
max_execution_time="300"
memory_limit="2048M"
session0sid_length="32"
session0use_strict_mode="1"
CAKE="${PATH_TO_MISP}/app/Console/cake"
@ -836,6 +838,8 @@ installDepsPhp70 () {
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
}
# Install Php 7.3 deps
@ -1208,6 +1212,8 @@ installDepsPhp74 () {
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
}
# Install Php 7.3 deps
@ -1260,6 +1266,8 @@ installDepsPhp72 () {
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
}
# Install Php 7.0 dependencies
@ -1280,6 +1288,8 @@ installDepsPhp70 () {
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
}
prepareDB () {
@ -1536,6 +1546,7 @@ coreCAKE () {
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.email" "$GPG_EMAIL_ADDRESS"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.password" "$GPG_PASSPHRASE"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.obscure_subject" true
# FIXME: what if we have not gpg binary but a gpg2 one?
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.binary" "$(which gpg)"
@ -1565,6 +1576,9 @@ coreCAKE () {
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_range" 365
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_sighting_db_enable" false
# Plugin Enrichment hover defaults
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_popover_only" false
# Plugin CustomAuth tuneable
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
@ -1599,8 +1613,10 @@ coreCAKE () {
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableEventBlocklisting" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableOrgBlocklisting" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" false
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_auth" false
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_user_ips" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_user_ips_authkeys" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_user_login_change" false
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_user_password_change" false
@ -1633,6 +1649,16 @@ coreCAKE () {
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.self_registration_message" "If you would like to send us a registration request, please fill out the form below. Make sure you fill out as much information as possible in order to ease the task of the administrators."
# Appease the security audit, #hardening
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.disable_browser_cache" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.check_sec_fetch_site_header" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.csp_enforce" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.advanced_authkeys" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.do_not_log_authkeys" true
# Appease the security audit, #loggin
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.username_in_response_header" true
# It is possible to updateMISP too, only here for reference how to to that on the CLI.
## $SUDO_WWW $RUN_PHP -- $CAKE Admin updateMISP
@ -2032,7 +2058,6 @@ enableReposRHEL () {
sudo subscription-manager refresh
sudo subscription-manager repos --enable rhel-7-server-optional-rpms
sudo subscription-manager repos --enable rhel-7-server-extras-rpms
sudo subscription-manager repos --enable rhel-server-rhscl-7-rpms
}
centosEPEL () {
@ -2046,38 +2071,52 @@ centosEPEL () {
enableEPEL () {
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
sudo yum install yum-utils -y
sudo yum-config-manager --enable remi-php74
}
yumInstallCoreDeps () {
# Install the dependencies:
sudo yum install gcc git zip rh-git218 \
httpd24 \
sudo yum install gcc git zip \
mod_ssl \
rh-redis32 \
rh-mariadb102 \
redis \
libxslt-devel zlib-devel ssdeep-devel -y
# Enable and start redis
sudo systemctl enable --now rh-redis32-redis.service
sudo systemctl enable --now redis.service
# Install MariaDB
sudo yum install wget -y
wget https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
chmod +x mariadb_repo_setup
sudo ./mariadb_repo_setup
rm mariadb_repo_setup
sudo yum install MariaDB-server -y
WWW_USER="apache"
SUDO_WWW="sudo -H -u $WWW_USER"
RUN_PHP="/usr/bin/scl enable rh-php72"
PHP_INI="/etc/opt/rh/rh-php72/php.ini"
# Install PHP 7.2 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-php72/
sudo yum install rh-php72 rh-php72-php-fpm rh-php72-php-devel \
rh-php72-php-mysqlnd \
rh-php72-php-mbstring \
rh-php72-php-xml \
rh-php72-php-bcmath \
rh-php72-php-opcache \
rh-php72-php-zip \
rh-php72-php-gd -y
PHP_INI="/etc/opt/remi/php74/php.ini"
# Install PHP 7.4 from Remi's repo, see https://rpms.remirepo.net/enterprise/7/php74/x86_64/repoview/
sudo yum install php74 php74-php-fpm php74-php-devel \
php74-php-mysqlnd \
php74-php-mbstring \
php74-php-xml \
php74-php-bcmath \
php74-php-opcache \
php74-php-zip \
php74-php-pear \
php74-php-brotli \
php74-php-intl \
php74-php-gd -y
# cake has php baked in, thus we link to it
sudo ln -s /usr/bin/php74 /usr/bin/php
# Python 3.6 is now available in RHEL 7.7 base
sudo yum install python3 python3-devel -y
sudo systemctl enable --now rh-php72-php-fpm.service
sudo systemctl enable --now php74-php-fpm.service
}
installCoreRHEL () {
@ -2110,17 +2149,17 @@ installCoreRHEL () {
cd $PATH_TO_MISP/app/files/scripts
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
##$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
cd $PATH_TO_MISP/app/files/scripts/python-cybox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
@ -2143,42 +2182,8 @@ installCoreRHEL () {
# install redis
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis
# lief needs manual compilation
sudo yum install devtoolset-7 cmake3 cppcheck libcxx-devel -y
cd $PATH_TO_MISP/app/files/scripts/lief
$SUDO_WWW git config core.filemode false
$SUDO_WWW mkdir build
cd build
$SUDO_WWW scl enable devtoolset-7 "bash -c 'cmake3 \
-DLIEF_PYTHON_API=on \
-DPYTHON_VERSION=3.6 \
-DPYTHON_EXECUTABLE=$PATH_TO_MISP/venv/bin/python \
-DLIEF_DOC=off \
-DCMAKE_BUILD_TYPE=Release \
..'"
$SUDO_WWW make -j3 pyLIEF
if [ $? == 2 ]; then
# In case you get "internal compiler error: Killed (program cc1plus)"
# You ran out of memory.
# Create some swap
TEMP_DIR=$(mktemp -d)
TEMP_SWAP=${TEMP_DIR}/swap.img
sudo dd if=/dev/zero of=${TEMP_SWAP} bs=1024k count=4000
sudo mkswap ${TEMP_SWAP}
sudo swapon ${TEMP_SWAP}
# And compile again
${SUDO_WWW} make -j3 pyLIEF
sudo swapoff ${TEMP_SWAP}
sudo rm -r ${TEMP_DIR}
fi
# The following adds a PYTHONPATH to where the pyLIEF module has been compiled
echo $PATH_TO_MISP/app/files/scripts/lief/build/api/python |$SUDO_WWW tee $PATH_TO_MISP/venv/lib/python3.6/site-packages/lief.pth
# install magic, pydeep
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara
# install magic, pydeep, lief
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara lief
# install PyMISP
cd $PATH_TO_MISP/PyMISP
@ -2186,7 +2191,7 @@ installCoreRHEL () {
# FIXME: Remove libfaup etc once the egg has the library baked-in
# BROKEN: This needs to be tested on RHEL/CentOS
##sudo apt-get install cmake libcaca-dev liblua5.3-dev -y
sudo yum install libcaca-devel cmake3 -y
cd /tmp
[[ ! -d "faup" ]] && $SUDO_CMD git clone https://github.com/stricaud/faup.git faup
[[ ! -d "gtcaca" ]] && $SUDO_CMD git clone https://github.com/stricaud/gtcaca.git gtcaca
@ -2194,21 +2199,20 @@ installCoreRHEL () {
cd gtcaca
$SUDO_CMD mkdir -p build
cd build
$SUDO_CMD cmake .. && $SUDO_CMD make
$SUDO_CMD cmake3 .. && $SUDO_CMD make
sudo make install
cd ../../faup
$SUDO_CMD mkdir -p build
cd build
$SUDO_CMD cmake .. && $SUDO_CMD make
$SUDO_CMD cmake3 .. && $SUDO_CMD make
sudo make install
sudo ldconfig
# Enable dependencies detection in the diagnostics page
# This allows MISP to detect GnuPG, the Python modules' versions and to read the PHP settings.
# The LD_LIBRARY_PATH setting is needed for rh-git218 to work
echo "env[PATH] = /opt/rh/rh-git218/root/usr/bin:/opt/rh/rh-redis32/root/usr/bin:/opt/rh/rh-php72/root/usr/bin:/usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/rh/rh-php72/php-fpm.d/www.conf
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php72/php-fpm.d/www.conf
sudo systemctl restart rh-php72-php-fpm.service
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/remi/php74/php-fpm.d/www.conf
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/remi/php74/php-fpm.d/www.conf
sudo systemctl restart php74-php-fpm.service
umask $UMASK
}
@ -2220,31 +2224,20 @@ installCake_RHEL ()
cd $PATH_TO_MISP/app
# Update composer.phar (optional)
#EXPECTED_SIGNATURE="$(wget -q -O - https://composer.github.io/installer.sig)"
#$SUDO_WWW $RUN_PHP -- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
#$SUDO_WWW $RUN_PHP -- php -r "if (hash_file('SHA384', 'composer-setup.php') === '$EXPECTED_SIGNATURE') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
#$SUDO_WWW $RUN_PHP "php composer-setup.php"
#$SUDO_WWW $RUN_PHP -- php -r "unlink('composer-setup.php');"
$SUDO_WWW $RUN_PHP "php composer.phar install"
#$SUDO_WWW php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
#$SUDO_WWW php -r "if (hash_file('SHA384', 'composer-setup.php') === '$EXPECTED_SIGNATURE') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
#$SUDO_WWW php composer-setup.php
#$SUDO_WWW php -r "unlink('composer-setup.php');"
$SUDO_WWW php composer.phar install
## sudo yum install php-redis -y
sudo scl enable rh-php72 'pecl channel-update pecl.php.net'
sudo scl enable rh-php72 'yes no|pecl install redis'
echo "extension=redis.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-redis.ini
sudo yum install php74-php-pecl-redis php74-php-pecl-ssdeep php74-php-pecl-gnupg -y
sudo ln -s /usr/lib64/libfuzzy.so /usr/lib/libfuzzy.so
sudo scl enable rh-php72 'pecl install ssdeep'
echo "extension=ssdeep.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-ssdeep.ini
# Install gnupg extension
sudo yum install gpgme-devel -y
sudo scl enable rh-php72 'pecl install gnupg'
echo "extension=gnupg.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-gnupg.ini
sudo systemctl restart rh-php72-php-fpm.service
sudo systemctl restart php74-php-fpm.service
# If you have not yet set a timezone in php.ini
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/opt/rh/rh-php72/php.d/timezone.ini
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/opt/remi/php74/php.d/timezone.ini
# Recommended: Change some PHP settings in /etc/opt/rh/rh-php72/php.ini
# Recommended: Change some PHP settings in /etc/opt/remi/php74/php.ini
# max_execution_time = 300
# memory_limit = 2048M
# upload_max_filesize = 50M
@ -2253,71 +2246,40 @@ installCake_RHEL ()
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo systemctl restart rh-php72-php-fpm.service
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
sudo systemctl restart php74-php-fpm.service
# To use the scheduler worker for scheduled tasks, do the following:
sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
}
prepareDB_RHEL () {
RUN_MYSQL="/usr/bin/scl enable rh-mariadb102"
# Enable, start and secure your mysql database server
sudo systemctl enable --now rh-mariadb102-mariadb.service
echo [mysqld] |sudo tee /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 |sudo tee -a /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
sudo systemctl restart rh-mariadb102-mariadb
sudo systemctl enable --now mariadb.service
echo [mysqld] |sudo tee /etc/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf
sudo systemctl restart mariadb
sudo yum install expect -y
# Kill the anonymous users
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'localhost'"
# Because our hostname varies we'll use some Bash magic here.
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'$(hostname)'"
# Kill off the demo database
sudo mysql -h $DBHOST -e "DROP DATABASE IF EXISTS test"
# No root remote logins
sudo mysql -h $DBHOST -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
# Make sure that NOBODY can access the server without a password
sudo mysqladmin -h $DBHOST -u "${DBUSER_ADMIN}" password "${DBPASSWORD_ADMIN}"
# Make our changes take effect
sudo mysql -h $DBHOST -e "FLUSH PRIVILEGES"
## The following needs some thoughts about scl enable foo
#if [[ ! -e /var/opt/rh/rh-mariadb102/lib/mysql/misp/users.ibd ]]; then
# We ask interactively your password if not run as root
pw=""
if [[ "$EUID" -ne 0 ]]; then
read -s -p "Enter sudo password: " pw
fi
expect -f - <<-EOF
set timeout 10
spawn sudo scl enable rh-mariadb102 mysql_secure_installation
expect {
"*sudo*" {
send "$pw\r"
exp_continue
}
"Enter current password for root (enter for none):" {
send -- "\r"
}
}
expect "Set root password?"
send -- "y\r"
expect "New password:"
send -- "${DBPASSWORD_ADMIN}\r"
expect "Re-enter new password:"
send -- "${DBPASSWORD_ADMIN}\r"
expect "Remove anonymous users?"
send -- "y\r"
expect "Disallow root login remotely?"
send -- "y\r"
expect "Remove test database and access to it?"
send -- "y\r"
expect "Reload privilege tables now?"
send -- "y\r"
expect eof
EOF
sudo yum remove tcl expect -y
sudo systemctl restart rh-mariadb102-mariadb
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'CREATE DATABASE $DBNAME;'"
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT USAGE on *.* to $DBUSER_MISP@localhost IDENTIFIED by '$DBPASSWORD_MISP';\""
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';\""
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;'"
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE DATABASE ${DBNAME};"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE USER '${DBUSER_MISP}'@'localhost' IDENTIFIED BY '${DBPASSWORD_MISP}';"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT USAGE ON *.* to '${DBUSER_MISP}'@'localhost';"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT ALL PRIVILEGES on ${DBNAME}.* to '${DBUSER_MISP}'@'localhost';"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "FLUSH PRIVILEGES;"
# Import the empty MISP database from MYSQL.sql
${SUDO_WWW} cat ${PATH_TO_MISP}/INSTALL/MYSQL.sql | mysql -h $DBHOST -u "${DBUSER_MISP}" -p"${DBPASSWORD_MISP}" ${DBNAME}
}
apacheConfig_RHEL () {
@ -2352,13 +2314,12 @@ apacheConfig_RHEL () {
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Plugin/CakeResque/tmp
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/cake
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/*.sh
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*.py
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*/*.py
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/lief/build/api/python/lief.so
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/*.sh"
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*.py"
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*/*.py"
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Vendor/pear/crypt_gpg/scripts/crypt-gpg-pinentry
sudo chcon -R -t bin_t $PATH_TO_MISP/venv/bin/*
find $PATH_TO_MISP/venv -type f -name "*.so*" -or -name "*.so.*" | xargs sudo chcon -t lib_t
sudo sh -c "chcon -R -t bin_t $PATH_TO_MISP/venv/bin/*"
sudo find $PATH_TO_MISP/venv -type f -name "*.so*" -or -name "*.so.*" | xargs sudo chcon -t lib_t
# Only run these if you want to be able to update MISP from the web interface
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
@ -2480,6 +2441,7 @@ configMISP_RHEL () {
# If you want to be able to change configuration parameters from the webinterface:
sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config/config.php
sudo chmod 660 $PATH_TO_MISP/app/Config/config.php
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config/config.php
# Generate a GPG encryption key.
@ -2514,13 +2476,13 @@ EOF
configWorkersRHEL () {
echo "[Unit]
Description=MISP background workers
After=rh-mariadb102-mariadb.service rh-redis32-redis.service rh-php72-php-fpm.service
After=mariadb.service redis.service php74-php-fpm.service
[Service]
Type=forking
User=$WWW_USER
Group=$WWW_USER
ExecStart=/usr/bin/scl enable rh-php72 rh-redis32 rh-mariadb102 $PATH_TO_MISP/app/Console/worker/start.sh
ExecStart=$PATH_TO_MISP/app/Console/worker/start.sh
Restart=always
RestartSec=10
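Review bot: In prepareDB_RHEL (hunk `@ -2253,71 +2246,40 @@`) the rewritten mysql invocations put both database passwords on the command line — `-p"${DBPASSWORD_ADMIN}"` on the CREATE DATABASE / CREATE USER / GRANT / FLUSH PRIVILEGES lines, `-p"${DBPASSWORD_MISP}"` on the MYSQL.sql import, and `mysqladmin ... password "${DBPASSWORD_ADMIN}"` — so any local user can read them from the process list while each call runs, and they are echoed if the installer is ever run with `set -x`; the expect flow this hunk removes sent the root password over the spawned pty, and although the old CREATE/GRANT lines already had the argv exposure, this hunk rewrites all of them and is the place to close it. A root-only `--defaults-extra-file` (it must be the first option to mysql) keeps the credentials off argv, and `$DBHOST` should be quoted while these lines are touched. Separately, yumInstallCoreDeps (hunk `@ -2046,38 +2071,52 @@`) fetches `mariadb_repo_setup` and runs it with `sudo ./mariadb_repo_setup` without checking a checksum or signature; pinning the publisher's value before execution, e.g. `echo '<EXPECTED_SHA256_PLACEHOLDER>  mariadb_repo_setup' | sha256sum -c -` ahead of the sudo line, would avoid executing an unverified download as root.
```shell
# Root-only client config so credentials never appear on argv or in `set -x` output
db_cnf=$(sudo mktemp) || exit 1
printf '[client]\nuser=%s\npassword=%s\n' "${DBUSER_ADMIN}" "${DBPASSWORD_ADMIN}" | sudo tee "$db_cnf" >/dev/null
sudo mysql --defaults-extra-file="$db_cnf" -h "$DBHOST" -e "CREATE DATABASE ${DBNAME};"
# … unchanged: CREATE USER / GRANT USAGE / GRANT ALL / FLUSH PRIVILEGES, each with --defaults-extra-file="$db_cnf" in place of -u/-p …
sudo rm -f -- "$db_cnf"
```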


@ -1,5 +1,5 @@
; Generated by RHash v1.4.0 on 2021-03-17 at 11:58.01
; Generated by RHash v1.3.9 on 2021-03-25 at 12:56.17
; Written by Kravchenko Aleksey (Akademgorodok) - http://rhash.sf.net/
;
; 137809 11:57.59 2021-03-17 INSTALL.sh
INSTALL.sh 5264D3699A8122AD797C52D64DB3BDB59FF98B4E 072391BE950D876396C4C858515D429DCD5ECB1DDA6C52ABD8AC81FB1DA336C0 3BAA227161359FB6449FE7CCDAACF9985362DE128BC09296D6B543646DEA958611786F1B8F816AC11E0C9AAB15149D7E 5A1DF67A94B0F45967EA478EEB610AA33AAD1ABF2D4D27267AB8813C163683C98549071FE05275D5A99BCB08A5A6F703073563E46601E2727DE34ECFE57757D9
; 137691 12:56.17 2021-03-25 INSTALL.sh
INSTALL.sh 5694A8F77384677CA3DC84FB5A5F3C06D6FFF03F 5F3A9B04BEEE449E96F4A698F3FA497390E46E2AD1DBDDED37F54E29FED76221 ABCB35B681F9A5E3568A055465976EC0996C0CC2FD8A39384E05D90413D8300B7356AAE23A540912D7D9907BECCDCD9F 54712D3100DAF92EA6201D86941222F6877B772533D048C8F758332D9B45418B64AA767A0D78C8A39E491BE114F139FFEF5A2E0436EA8503AA593556E56C0992


@ -1 +1 @@
5264d3699a8122ad797c52d64db3bdb59ff98b4e INSTALL.sh
5694a8f77384677ca3dc84fb5a5f3c06d6fff03f INSTALL.sh


@ -1 +1 @@
072391be950d876396c4c858515d429dcd5ecb1dda6c52abd8ac81fb1da336c0 INSTALL.sh
5f3a9b04beee449e96f4a698f3fa497390e46e2ad1dbdded37f54e29fed76221 INSTALL.sh


@ -1 +1 @@
3baa227161359fb6449fe7ccdaacf9985362de128bc09296d6b543646dea958611786f1b8f816ac11e0c9aab15149d7e INSTALL.sh
abcb35b681f9a5e3568a055465976ec0996c0cc2fd8a39384e05d90413d8300b7356aae23a540912d7d9907beccdcd9f INSTALL.sh


@ -1 +1 @@
5a1df67a94b0f45967ea478eeb610aa33aad1abf2d4d27267ab8813c163683c98549071fe05275d5a99bcb08a5a6f703073563e46601e2727de34ecfe57757d9 INSTALL.sh
54712d3100daf92ea6201d86941222f6877b772533d048c8f758332d9b45418b64aa767a0d78c8a39e491be114f139ffef5a2e0436ea8503aa593556e56c0992 INSTALL.sh


@ -6249,7 +6249,8 @@ class Event extends AppModel
foreach ($resolved_data['Tag'] as $tag) {
$tag_id = $this->EventTag->Tag->captureTag($tag, $user);
if ($tag_id) {
$this->EventTag->attachTagToEvent($id, $tag_id);
$tag['id'] = $tag_id;
$this->EventTag->attachTagToEvent($id, $tag);
}
}
}
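Review bot: The new call forwards the whole resolved tag array, and since `attachTagToEvent` now persists `'local' => !empty($tag['local'])` (see the EventTag.php section), whether this association is stored as local is decided by whatever `local` value travelled with `$resolved_data['Tag']` rather than by this code. I cannot see where `$resolved_data` originates; if it comes from module output or a request body, the flag should be normalised here after the existing `captureTag` permission step, e.g. `$this->EventTag->attachTagToEvent($id, ['id' => $tag_id, 'local' => !empty($tag['local'])]);`, so the callee only ever receives the two keys it uses. If taking `local` from the resolved data is intentional, a one-line comment on the new line saying so would stop the next reader from asking the same question. The enclosing method starts and ends outside the hunk.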


@ -912,7 +912,7 @@ class EventReport extends AppModel
if ($tagId === -1) {
$tagId = $this->EventTag->Tag->captureTag(['name' => $tagName], $user);
}
$this->EventTag->attachTagToEvent($eventId, $tagId);
$this->EventTag->attachTagToEvent($eventId, ['id' => $tagId]);
}
}
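Review bot: The rewritten line `$this->EventTag->attachTagToEvent($eventId, ['id' => $tagId]);` still runs when `captureTag` returns a falsy value, whereas the Event.php section guards the same pattern with `if ($tag_id)`; here a failed capture would be wrapped as `['id' => false]` and passed straight into the `find`/`save` on `tag_id`. Suggest `if ($tagId) { $this->EventTag->attachTagToEvent($eventId, ['id' => $tagId]); }` — the failure value of `captureTag` is inferred from the sibling guard, so confirm it. Report tags are now always attached without `local`, i.e. as global associations; a short comment stating that this is intended would help. The enclosing method begins before the hunk.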


@ -85,25 +85,25 @@ class EventTag extends AppModel
public function handleEventTag($event_id, $tag, &$nothingToChange = false)
{
if (empty($tag['deleted'])) {
$result = $this->attachTagToEvent($event_id, $tag['id'], $nothingToChange);
$result = $this->attachTagToEvent($event_id, $tag, $nothingToChange);
} else {
$result = $this->detachTagFromEvent($event_id, $tag['id'], $nothingToChange);
}
return $result;
}
public function attachTagToEvent($event_id, $tag_id, &$nothingToChange = false)
public function attachTagToEvent($event_id, $tag, &$nothingToChange = false)
{
$existingAssociation = $this->find('first', array(
'recursive' => -1,
'conditions' => array(
'tag_id' => $tag_id,
'tag_id' => $tag['id'],
'event_id' => $event_id
)
));
if (empty($existingAssociation)) {
$this->create();
if (!$this->save(array('event_id' => $event_id, 'tag_id' => $tag_id))) {
if (!$this->save(array('event_id' => $event_id, 'tag_id' => $tag['id'], 'local' => !empty($tag['local'])))) {
return false;
}
} else {
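Review bot: `attachTagToEvent` changes its second parameter from a scalar `$tag_id` to an array `$tag` without a docblock describing the expected shape, and a caller not converted in this commit that still passes an integer would evaluate `$tag['id']` on a scalar and save `tag_id => null` rather than fail loudly. Add above the signature a docblock with `@param int $event_id`, `@param array $tag Tag array; 'id' (int) is required, 'local' (bool, optional, default false) stores the association as local`, and `@param bool $nothingToChange`, plus an early guard such as `if (empty($tag['id'])) { return false; }`. The `else` branch for an existing association starts at the end of the hunk; from what is visible an existing association is not updated when the incoming tag now carries `local`, so the docblock should say whether that is intended. `handleEventTag` still passes `$tag['id']` as a scalar to `detachTagFromEvent`, which is consistent with that function's unchanged signature but worth a note so the asymmetry is not mistaken for an omission.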


@ -1132,7 +1132,7 @@ class Feed extends AppModel
$this->Event->publishRouter($event['Event']['id'], null, $user);
}
if ($feed['Feed']['tag_id']) {
$this->Event->EventTag->attachTagToEvent($event['Event']['id'], $feed['Feed']['tag_id']);
$this->Event->EventTag->attachTagToEvent($event['Event']['id'], ['id' => $feed['Feed']['tag_id']]);
}
return true;
}


@ -21,6 +21,8 @@ Make sure you are reading the parsed version of this Document. When in doubt [cl
### 0/ Overview and Assumptions
{!generic/community.md!}
{!generic/rhelVScentos.md!}
!!! warning
@ -85,7 +87,6 @@ enableReposRHEL () {
sudo subscription-manager refresh
sudo subscription-manager repos --enable rhel-7-server-optional-rpms
sudo subscription-manager repos --enable rhel-7-server-extras-rpms
sudo subscription-manager repos --enable rhel-server-rhscl-7-rpms
}
# <snippet-end 0_RHEL_SCL.sh>
```
@ -137,10 +138,9 @@ yumUpdate () {
# <snippet-begin 0_RHEL_EPEL.sh>
enableEPEL () {
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
sudo yum install yum-utils
sudo subscription-manager repos --enable=rhel-7-server-optional-rpms
sudo yum-config-manager --enable remi-php72
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
sudo yum install yum-utils -y
sudo yum-config-manager --enable remi-php74
}
# <snippet-end 0_RHEL_EPEL.sh>
```
@ -148,7 +148,7 @@ enableEPEL () {
### 2/ Dependencies
!!! note
This guide installs PHP 7.2 from SCL
This guide installs PHP 7.4 from Remi's Repo
!!! warning
[PHP 5.6 and 7.0 aren't supported since December 2018](https://secure.php.net/supported-versions.php). Please update accordingly. In the future only PHP7 will be supported.
@ -167,37 +167,38 @@ yumInstallCoreDeps () {
sudo systemctl enable --now redis.service
# Install MariaDB
sudo yum install wget
sudo yum install wget -y
wget https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
chmod +x mariadb_repo_setup
sudo ./mariadb_repo_setup
sudo yum install MariaDB-server
rm mariadb_repo_setup
sudo yum install MariaDB-server -y
WWW_USER="apache"
SUDO_WWW="sudo -H -u $WWW_USER"
RUN_PHP="/usr/bin/scl enable php72"
PHP_INI="/etc/opt/remi/php72/php.ini"
# Install PHP 7.2 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-php72/ Obsolete?
sudo yum install php72 php72-php-fpm php72-php-devel \
php72-php-mysqlnd \
php72-php-mbstring \
php72-php-xml \
php72-php-bcmath \
php72-php-opcache \
php72-php-zip \
php72-php-gd -y
PHP_INI="/etc/opt/remi/php74/php.ini"
# Install PHP 7.4 from Remi's repo, see https://rpms.remirepo.net/enterprise/7/php74/x86_64/repoview/
sudo yum install php74 php74-php-fpm php74-php-devel \
php74-php-mysqlnd \
php74-php-mbstring \
php74-php-xml \
php74-php-bcmath \
php74-php-opcache \
php74-php-zip \
php74-php-pear \
php74-php-brotli \
php74-php-intl \
php74-php-gd -y
# cake has php baked in, thus we link to it
sudo ln -s /usr/bin/php74 /usr/bin/php
# Python 3.6 is now available in RHEL 7.7 base
sudo yum install python3 python3-devel -y
sudo systemctl enable --now php72-php-fpm.service
sudo systemctl enable --now php74-php-fpm.service
}
# <snippet-end 0_yumInstallCoreDeps.sh>
```
!!! notice
$RUN_PHP makes php available for you if using php72. e.g: sudo $RUN_PHP "pear list | grep Crypt_GPG"
```bash
# <snippet-begin 0_yumInstallHaveged.sh>
# GPG needs lots of entropy, haveged provides entropy
@ -242,17 +243,17 @@ installCoreRHEL () {
cd $PATH_TO_MISP/app/files/scripts
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
##$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
cd $PATH_TO_MISP/app/files/scripts/python-cybox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
@ -275,42 +276,8 @@ installCoreRHEL () {
# install redis
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis
# lief needs manual compilation
sudo yum install devtoolset-7 cmake3 cppcheck libcxx-devel -y
cd $PATH_TO_MISP/app/files/scripts/lief
$SUDO_WWW git config core.filemode false
$SUDO_WWW mkdir build
cd build
$SUDO_WWW scl enable devtoolset-7 "bash -c 'cmake3 \
-DLIEF_PYTHON_API=on \
-DPYTHON_VERSION=3.6 \
-DPYTHON_EXECUTABLE=$PATH_TO_MISP/venv/bin/python \
-DLIEF_DOC=off \
-DCMAKE_BUILD_TYPE=Release \
..'"
$SUDO_WWW make -j3 pyLIEF
if [ $? == 2 ]; then
# In case you get "internal compiler error: Killed (program cc1plus)"
# You ran out of memory.
# Create some swap
TEMP_DIR=$(mktemp -d)
TEMP_SWAP=${TEMP_DIR}/swap.img
sudo dd if=/dev/zero of=${TEMP_SWAP} bs=1024k count=4000
sudo mkswap ${TEMP_SWAP}
sudo swapon ${TEMP_SWAP}
# And compile again
${SUDO_WWW} make -j3 pyLIEF
sudo swapoff ${TEMP_SWAP}
sudo rm -r ${TEMP_DIR}
fi
# The following adds a PYTHONPATH to where the pyLIEF module has been compiled
echo $PATH_TO_MISP/app/files/scripts/lief/build/api/python |$SUDO_WWW tee $PATH_TO_MISP/venv/lib/python3.6/site-packages/lief.pth
# install magic, pydeep
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara
# install magic, pydeep, lief
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara lief
# install PyMISP
cd $PATH_TO_MISP/PyMISP
@ -318,7 +285,7 @@ installCoreRHEL () {
# FIXME: Remove libfaup etc once the egg has the library baked-in
# BROKEN: This needs to be tested on RHEL/CentOS
##sudo apt-get install cmake libcaca-dev liblua5.3-dev -y
sudo yum install libcaca-devel cmake3 -y
cd /tmp
[[ ! -d "faup" ]] && $SUDO_CMD git clone https://github.com/stricaud/faup.git faup
[[ ! -d "gtcaca" ]] && $SUDO_CMD git clone https://github.com/stricaud/gtcaca.git gtcaca
@ -326,22 +293,20 @@ installCoreRHEL () {
cd gtcaca
$SUDO_CMD mkdir -p build
cd build
$SUDO_CMD cmake .. && $SUDO_CMD make
$SUDO_CMD cmake3 .. && $SUDO_CMD make
sudo make install
cd ../../faup
$SUDO_CMD mkdir -p build
cd build
$SUDO_CMD cmake .. && $SUDO_CMD make
$SUDO_CMD cmake3 .. && $SUDO_CMD make
sudo make install
sudo ldconfig
# Enable dependencies detection in the diagnostics page
# This allows MISP to detect GnuPG, the Python modules' versions and to read the PHP settings.
# OBSOLETE?
# The LD_LIBRARY_PATH setting is needed for rh-git218 to work
echo "env[PATH] = /opt/rh/rh-git218/root/usr/bin:/opt/rh/rh-php72/root/usr/bin:/usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/rh/rh-php72/php-fpm.d/www.conf
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/remi/php72/php-fpm.d/www.conf
sudo systemctl restart php72-php-fpm.service
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/remi/php74/php-fpm.d/www.conf
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/remi/php74/php-fpm.d/www.conf
sudo systemctl restart php74-php-fpm.service
umask $UMASK
}
# <snippet-end 1_mispCoreInstall_RHEL.sh>
@ -363,31 +328,20 @@ installCake_RHEL ()
cd $PATH_TO_MISP/app
# Update composer.phar (optional)
#EXPECTED_SIGNATURE="$(wget -q -O - https://composer.github.io/installer.sig)"
#$SUDO_WWW $RUN_PHP -- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
#$SUDO_WWW $RUN_PHP -- php -r "if (hash_file('SHA384', 'composer-setup.php') === '$EXPECTED_SIGNATURE') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
#$SUDO_WWW $RUN_PHP "php composer-setup.php"
#$SUDO_WWW $RUN_PHP -- php -r "unlink('composer-setup.php');"
$SUDO_WWW $RUN_PHP "php composer.phar install"
#$SUDO_WWW php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
#$SUDO_WWW php -r "if (hash_file('SHA384', 'composer-setup.php') === '$EXPECTED_SIGNATURE') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
#$SUDO_WWW php composer-setup.php
#$SUDO_WWW php -r "unlink('composer-setup.php');"
$SUDO_WWW php composer.phar install
## sudo yum install php-redis -y
sudo scl enable rh-php72 'pecl channel-update pecl.php.net'
sudo scl enable rh-php72 'yes no|pecl install redis'
echo "extension=redis.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-redis.ini
sudo yum install php74-php-pecl-redis php74-php-pecl-ssdeep php74-php-pecl-gnupg -y
sudo ln -s /usr/lib64/libfuzzy.so /usr/lib/libfuzzy.so
sudo scl enable rh-php72 'pecl install ssdeep'
echo "extension=ssdeep.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-ssdeep.ini
# Install gnupg extension
sudo yum install gpgme-devel -y
sudo scl enable rh-php72 'pecl install gnupg'
echo "extension=gnupg.so" |sudo tee /etc/opt/rh/rh-php72/php.d/99-gnupg.ini
sudo systemctl restart rh-php72-php-fpm.service
sudo systemctl restart php74-php-fpm.service
# If you have not yet set a timezone in php.ini
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/opt/rh/rh-php72/php.d/timezone.ini
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/opt/remi/php74/php.d/timezone.ini
# Recommended: Change some PHP settings in /etc/opt/rh/rh-php72/php.ini
# Recommended: Change some PHP settings in /etc/opt/remi/php74/php.ini
# max_execution_time = 300
# memory_limit = 2048M
# upload_max_filesize = 50M
@ -396,7 +350,9 @@ installCake_RHEL ()
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo systemctl restart rh-php72-php-fpm.service
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
sudo systemctl restart php74-php-fpm.service
# To use the scheduler worker for scheduled tasks, do the following:
sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
@ -438,64 +394,31 @@ permissions_RHEL () {
```bash
# <snippet-begin 1_prepareDB_RHEL.sh>
prepareDB_RHEL () {
RUN_MYSQL="/usr/bin/scl enable rh-mariadb102"
# Enable, start and secure your mysql database server
sudo systemctl enable --now rh-mariadb102-mariadb.service
echo [mysqld] |sudo tee /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 |sudo tee -a /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
sudo systemctl restart rh-mariadb102-mariadb
sudo systemctl enable --now mariadb.service
echo [mysqld] |sudo tee /etc/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf
sudo systemctl restart mariadb
sudo yum install expect -y
# Kill the anonymous users
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'localhost'"
# Because our hostname varies we'll use some Bash magic here.
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'$(hostname)'"
# Kill off the demo database
sudo mysql -h $DBHOST -e "DROP DATABASE IF EXISTS test"
# No root remote logins
sudo mysql -h $DBHOST -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
# Make sure that NOBODY can access the server without a password
sudo mysqladmin -h $DBHOST -u "${DBUSER_ADMIN}" password "${DBPASSWORD_ADMIN}"
# Make our changes take effect
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "FLUSH PRIVILEGES"
## The following needs some thoughts about scl enable foo
#if [[ ! -e /var/opt/rh/rh-mariadb102/lib/mysql/misp/users.ibd ]]; then
# We ask interactively your password if not run as root
pw=""
if [[ "$EUID" -ne 0 ]]; then
read -s -p "Enter sudo password: " pw
fi
expect -f - <<-EOF
set timeout 10
spawn sudo scl enable rh-mariadb102 mysql_secure_installation
expect {
"*sudo*" {
send "$pw\r"
exp_continue
}
"Enter current password for root (enter for none):" {
send -- "\r"
}
}
expect "Set root password?"
send -- "y\r"
expect "New password:"
send -- "${DBPASSWORD_ADMIN}\r"
expect "Re-enter new password:"
send -- "${DBPASSWORD_ADMIN}\r"
expect "Remove anonymous users?"
send -- "y\r"
expect "Disallow root login remotely?"
send -- "y\r"
expect "Remove test database and access to it?"
send -- "y\r"
expect "Reload privilege tables now?"
send -- "y\r"
expect eof
EOF
sudo yum remove tcl expect -y
sudo systemctl restart rh-mariadb102-mariadb
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'CREATE DATABASE $DBNAME;'"
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT USAGE on *.* to $DBUSER_MISP@localhost IDENTIFIED by '$DBPASSWORD_MISP';\""
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';\""
scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;'"
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "mysql -h $DBHOST -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE DATABASE ${DBNAME};"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE USER '${DBUSER_MISP}'@'localhost' IDENTIFIED BY '${DBPASSWORD_MISP}';"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT USAGE ON *.* to '${DBUSER_MISP}'@'localhost';"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT ALL PRIVILEGES on ${DBNAME}.* to '${DBUSER_MISP}'@'localhost';"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "FLUSH PRIVILEGES;"
# Import the empty MISP database from MYSQL.sql
${SUDO_WWW} cat ${PATH_TO_MISP}/INSTALL/MYSQL.sql | mysql -h $DBHOST -u "${DBUSER_MISP}" -p"${DBPASSWORD_MISP}" ${DBNAME}
}
# <snippet-end 1_prepareDB_RHEL.sh>
```
@ -544,13 +467,12 @@ apacheConfig_RHEL () {
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Plugin/CakeResque/tmp
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/cake
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/*.sh
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*.py
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*/*.py
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/lief/build/api/python/lief.so
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/*.sh"
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*.py"
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*/*.py"
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Vendor/pear/crypt_gpg/scripts/crypt-gpg-pinentry
sudo chcon -R -t bin_t $PATH_TO_MISP/venv/bin/*
find $PATH_TO_MISP/venv -type f -name "*.so*" -or -name "*.so.*" | xargs sudo chcon -t lib_t
sudo sh -c "chcon -R -t bin_t $PATH_TO_MISP/venv/bin/*"
sudo find $PATH_TO_MISP/venv -type f -name "*.so*" -or -name "*.so.*" | xargs sudo chcon -t lib_t
# Only run these if you want to be able to update MISP from the web interface
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
@ -673,6 +595,7 @@ configMISP_RHEL () {
# If you want to be able to change configuration parameters from the webinterface:
sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config/config.php
sudo chmod 660 $PATH_TO_MISP/app/Config/config.php
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config/config.php
# Generate a GPG encryption key.
@ -721,13 +644,13 @@ EOF
configWorkersRHEL () {
echo "[Unit]
Description=MISP background workers
After=rh-mariadb102-mariadb.service rh-redis32-redis.service rh-php72-php-fpm.service
After=mariadb.service redis.service php74-php-fpm.service
[Service]
Type=forking
User=$WWW_USER
Group=$WWW_USER
ExecStart=/usr/bin/scl enable rh-php72 rh-redis32 rh-mariadb102 $PATH_TO_MISP/app/Console/worker/start.sh
ExecStart=$PATH_TO_MISP/app/Console/worker/start.sh
Restart=always
RestartSec=10


@ -29,6 +29,11 @@ Make sure you are reading the parsed version of this Document. When in doubt [cl
The core MISP team cannot verify if this guide is working or not. Please help us in keeping it up to date and accurate.
Thus we also have difficulties in supporting RHEL issues but will do a best effort on a similar yet slightly different setup.
!!! notice
This document also serves as a source for the [INSTALL-misp.sh](https://github.com/MISP/MISP/blob/2.4/INSTALL/INSTALL.sh) script.
Which explains why you will see the use of shell *functions* in various steps.
Henceforth the document will also follow a more logical flow. In the sense that all the dependencies are installed first then config files are generated, etc...
!!! notice
Maintenance for CentOS 8 will end on: December 31st, 2021 [Source[0]](https://wiki.centos.org/About/Product) [Source[1]](https://linuxlifecycle.com/)
CentOS 8 [NetInstallURL](http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=BaseOS)
@ -69,20 +74,20 @@ sudo hostnamectl set-hostname misp.local # Your choice, in a production environm
```
## 1.3/ **[RHEL]** Register the system for updates with Red Hat Subscription Manager
Can be skipped if the Machine has been registered during install phase.
```bash
# <snippet-begin 0_RHEL_register.sh>
sudo subscription-manager register --auto-attach # register your system to an account and attach to a current subscription
# <snippet-end 0_RHEL_register.sh>
```
## 1.4/ **[RHEL]** Enable the optional, extras and Software Collections (SCL) repos
## 1.4/ **[RHEL]** Enable the optional repos (obsolete in v8)
```bash
# <snippet-begin 0_RHEL_SCL.sh>
# To be confirmed, no access to RHSCL
sudo subscription-manager refresh
sudo subscription-manager repos --enable rhel-8-server-optional-rpms
sudo subscription-manager repos --enable rhel-8-server-extras-rpms
sudo subscription-manager repos --enable rhel-server-rhscl-8-rpms
# The following is needed for -devel repos and ONLY for misp-modules, ignore if not needed
sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
# Software Collections is available for Red Hat Enterprise Linux 7 and previous supported releases. Starting with Red Hat Enterprise Linux 8, the content traditionally consumed via Software Collections is now part of Application Streams. Please see the Application Streams Life Cycle documentation for that release. Source: https://access.redhat.com/support/policy/updates/rhscl
# <snippet-end 0_RHEL_SCL.sh>
```
@ -91,31 +96,31 @@ sudo subscription-manager repos --enable rhel-server-rhscl-8-rpms
sudo yum install drpm -y
```
## 1.5.b/ Install vim (optional)
```bash
# Because vim is just so practical
sudo yum install vim -y
```
## 1.5/ Update the system and reboot
```bash
# <snippet-begin 0_yum-update.sh>
sudo yum update -y
yumUpdate () {
sudo yum update -y
}
# <snippet-end 0_yum-update.sh>
```
## 1.6/ **[RHEL]** Install the EPEL repo
## 1.6/ **[RHEL]** Install the EPEL and remi repo
```bash
# <snippet-begin 0_RHEL_EPEL.sh>
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y
enableEPEL () {
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-8.rpm -y
sudo yum install yum-utils -y
sudo dnf module enable php:remi-7.4 -y
}
# <snippet-end 0_RHEL_EPEL.sh>
```
### 2/ Dependencies
!!! note
This guide installs PHP 7.2 from SCL
This guide installs PHP 7.4 from Remi's repo
!!! warning
[PHP 5.6 and 7.0 aren't supported since December 2018](https://secure.php.net/supported-versions.php). Please update accordingly. In the future only PHP7 will be supported.
@ -135,33 +140,44 @@ yumInstallCoreDeps () {
python3-devel python3-pip python3-virtualenv \
python3-policycoreutils \
policycoreutils-python-utils \
libxslt-devel zlib-devel -y
# ssdeep-devel available: dnf install https://extras.getpagespeed.com/release-el8-latest.rpm
libxslt-devel zlib-devel ssdeep-devel -y
sudo alternatives --set python /usr/bin/python3
# Enable and start redis
sudo systemctl enable --now redis.service
PHP_INI=/etc/php.ini
sudo yum install php php-fpm php-devel php-pear \
php-mysqlnd \
php-mbstring \
php-xml \
php-bcmath \
php-opcache \
php-json \
php-zip \
php-gd -y
PHP_INI="/etc/opt/remi/php74/php.ini"
# Install PHP 7.4 from Remi's repo, see https://rpms.remirepo.net/enterprise/8/php74/x86_64/repoview/
sudo yum install php php-fpm php-devel \
php-mysqlnd \
php-mbstring \
php-xml \
php-bcmath \
php-opcache \
php-zip \
php-pear \
php-brotli \
php-intl \
php-gd -y
# cake has php baked in, thus we link to it, ignore if this fails or exists.
sudo ln -s /usr/bin/php74 /usr/bin/php
}
# <snippet-end 0_yumInstallCoreDeps.sh>
```
!!! notice
MISP 2.4 requires PHP 5.6 as a minimum, we need a higher version than base RHEL provides.<br />
This guide installs PHP 7.2
```bash
# <snippet-begin 0_yumInstallHaveged.sh>
# GPG needs lots of entropy, haveged provides entropy
# /!\ Only do this if you're not running rngd to provide randomness and your kernel randomness is not sufficient.
sudo yum install haveged -y
sudo systemctl enable --now haveged.service
# <snippet-end 0_yumInstallHaveged.sh>
```
!!! notice
If we want to use httpd from RHEL base we can use the rh-php72-php-fpm service instead
MISP 2.4 requires PHP 5.6 as a minimum, we need a higher version than base RHEL provides.<br />
This guide installs PHP 7.4
## 2.05/ Start the PHP FPM service and enable to start on boot
```bash
@ -176,17 +192,12 @@ TODO: Add a CentOS/RHEL rng thing, à la haveged (not in base anymore) or simila
```bash
# <snippet-begin 1_mispCoreInstall_RHEL.sh>
installCoreRHEL () {
# Download MISP using git in the /var/www/ directory.
sudo mkdir $PATH_TO_MISP
sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP
cd /var/www
# Download MISP using git in the $PATH_TO_MISP directory.
sudo mkdir -p $(dirname $PATH_TO_MISP)
sudo chown $WWW_USER:$WWW_USER $(dirname $PATH_TO_MISP)
cd $(dirname $PATH_TO_MISP)
$SUDO_WWW git clone https://github.com/MISP/MISP.git
cd $PATH_TO_MISP
##$SUDO_WWW git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
# Fetch submodules
$SUDO_WWW git submodule update --init --recursive
@ -212,6 +223,11 @@ installCoreRHEL () {
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
cd $PATH_TO_MISP/app/files/scripts/python-cybox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
@ -279,7 +295,7 @@ installCoreRHEL () {
# FIXME: Remove libfaup etc once the egg has the library baked-in
# BROKEN: This needs to be tested on RHEL/CentOS
##sudo apt-get install cmake libcaca-dev liblua5.3-dev -y
sudo yum install libcaca-devel cmake3 -y
cd /tmp
[[ ! -d "faup" ]] && $SUDO_CMD git clone https://github.com/stricaud/faup.git faup
[[ ! -d "gtcaca" ]] && $SUDO_CMD git clone https://github.com/stricaud/gtcaca.git gtcaca
@ -296,16 +312,14 @@ installCoreRHEL () {
sudo make install
sudo ldconfig
# Enable python3 for php-fpm
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/php-fpm.d/www.conf
sudo systemctl restart php-fpm.service
umask $UMASK
# Enable dependencies detection in the diagnostics page
# This allows MISP to detect GnuPG, the Python modules' versions and to read the PHP settings.
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/php-fpm.d/www.conf
sudo systemctl restart php-fpm.service
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/remi/php74/php-fpm.d/www.conf
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/remi/php74/php-fpm.d/www.conf
sudo systemctl restart php74-php-fpm.service
# TODO investigate: listen = 127.0.0.1:9000
umask $UMASK
}
# <snippet-end 1_mispCoreInstall_RHEL.sh>
```
@ -331,26 +345,15 @@ installCake_RHEL ()
#$SUDO_WWW php -r "unlink('composer-setup.php');"
$SUDO_WWW php composer.phar install
## sudo yum install php-redis -y
sudo pecl channel-update pecl.php.net
sudo pecl install redis
echo "extension=redis.so" |sudo tee /etc/php-fpm.d/redis.ini
sudo ln -s /etc/php-fpm.d/redis.ini /etc/php.d/99-redis.ini
sudo systemctl restart php-fpm.service
sudo yum install php-pecl-redis php-pecl-ssdeep php-pecl-gnupg -y
# Install gnupg extension
# NOT working on RHEL 8 gpgme-devel not provided
##sudo yum install gpgme-devel -y
##sudo pecl install gnupg
##echo "extension=gnupg.so" |sudo tee /etc/opt/rh/rh-php72/php-fpm.d/gnupg.ini
##sudo ln -s /etc/opt/rh/rh-php72/php-fpm.d/gnupg.ini /etc/opt/rh/rh-php72/php.d/99-gnupg.ini
##sudo systemctl restart rh-php72-php-fpm.service
sudo systemctl restart php-fpm.service
# If you have not yet set a timezone in php.ini
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/php-fpm.d/timezone.ini
sudo ln -s ../php-fpm.d/timezone.ini /etc/php.d/99-timezone.ini
# Recommended: Change some PHP settings in /etc/opt/rh/rh-php72/php.ini
# Recommended: Change some PHP settings in /etc/opt/remi/php74/php.ini
# max_execution_time = 300
# memory_limit = 2048M
# upload_max_filesize = 50M
@ -359,12 +362,14 @@ installCake_RHEL ()
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
sudo systemctl restart php-fpm.service
# To use the scheduler worker for scheduled tasks, do the following:
sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
}
# <snippet-begin 1_installCake_RHEL.sh>
# <snippet-end 1_installCake_RHEL.sh>
```
### 5/ Set file permissions
@ -373,10 +378,10 @@ installCake_RHEL ()
# Main function to fix permissions to something sane
permissions_RHEL () {
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP
## ? chown -R root:apache /var/www/MISP
## ? chown -R root:$WWW_USER $PATH_TO_MISP
sudo find $PATH_TO_MISP -type d -exec chmod g=rx {} \;
sudo chmod -R g+r,o= $PATH_TO_MISP
## **Note :** For updates through the web interface to work, apache must own the /var/www/MISP folder and its subfolders as shown above, which can lead to security issues. If you do not require updates through the web interface to work, you can use the following more restrictive permissions :
## **Note :** For updates through the web interface to work, apache must own the $PATH_TO_MISP folder and its subfolders as shown above, which can lead to security issues. If you do not require updates through the web interface to work, you can use the following more restrictive permissions :
sudo chmod -R 750 $PATH_TO_MISP
sudo chmod -R g+xws $PATH_TO_MISP/app/tmp
sudo chmod -R g+ws $PATH_TO_MISP/app/files
@ -407,49 +412,26 @@ prepareDB_RHEL () {
echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf
sudo systemctl restart mariadb
sudo yum install expect -y
# Kill the anonymous users
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'localhost'"
# Because our hostname varies we'll use some Bash magic here.
sudo mysql -h $DBHOST -e "DROP USER IF EXISTS ''@'$(hostname)'"
# Kill off the demo database
sudo mysql -h $DBHOST -e "DROP DATABASE IF EXISTS test"
# No root remote logins
sudo mysql -h $DBHOST -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
# Make sure that NOBODY can access the server without a password
sudo mysqladmin -h $DBHOST -u "${DBUSER_ADMIN}" password "${DBPASSWORD_ADMIN}"
# Make our changes take effect
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "FLUSH PRIVILEGES"
## The following needs some thoughts about scl enable foo
#if [[ ! -e /var/opt/rh/rh-mariadb102/lib/mysql/misp/users.ibd ]]; then
# Add your credentials if needed, if sudo has NOPASS, comment out the relevant lines
pw="Password1234"
expect -f - <<-EOF
set timeout 10
spawn sudo mysql_secure_installation
expect "*?assword*"
send -- "$pw\r"
expect "Enter current password for root (enter for none):"
send -- "\r"
expect "Set root password?"
send -- "y\r"
expect "New password:"
send -- "${DBPASSWORD_ADMIN}\r"
expect "Re-enter new password:"
send -- "${DBPASSWORD_ADMIN}\r"
expect "Remove anonymous users?"
send -- "y\r"
expect "Disallow root login remotely?"
send -- "y\r"
expect "Remove test database and access to it?"
send -- "y\r"
expect "Reload privilege tables now?"
send -- "y\r"
expect eof
EOF
sudo yum remove tcl expect -y
sudo systemctl restart mariadb
mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "CREATE DATABASE $DBNAME;"
mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "GRANT USAGE on *.* to $DBUSER_MISP@localhost IDENTIFIED by '$DBPASSWORD_MISP';"
mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
mysql -h $DBHOST -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;'
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -h $DBHOST -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE DATABASE ${DBNAME};"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "CREATE USER '${DBUSER_MISP}'@'localhost' IDENTIFIED BY '${DBPASSWORD_MISP}';"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT USAGE ON *.* to '${DBUSER_MISP}'@'localhost';"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "GRANT ALL PRIVILEGES on ${DBNAME}.* to '${DBUSER_MISP}'@'localhost';"
sudo mysql -h $DBHOST -u "${DBUSER_ADMIN}" -p"${DBPASSWORD_ADMIN}" -e "FLUSH PRIVILEGES;"
# Import the empty MISP database from MYSQL.sql
${SUDO_WWW} cat ${PATH_TO_MISP}/INSTALL/MYSQL.sql | mysql -h $DBHOST -u "${DBUSER_MISP}" -p"${DBPASSWORD_MISP}" ${DBNAME}
}
# <snippet-end 1_prepareDB_RHEL.sh>
```
@ -471,7 +453,7 @@ apacheConfig_RHEL () {
# A sample vhost can be found in $PATH_TO_MISP/INSTALL/apache.misp.centos7
sudo cp $PATH_TO_MISP/INSTALL/apache.misp.centos7.ssl /etc/httpd/conf.d/misp.ssl.conf
sudo sed -i "s/SetHandler/\#SetHandler/g" /etc/httpd/conf.d/misp.ssl.conf
#sudo sed -i "s/SetHandler/\#SetHandler/g" /etc/httpd/conf.d/misp.ssl.conf
sudo rm /etc/httpd/conf.d/ssl.conf
sudo chmod 644 /etc/httpd/conf.d/misp.ssl.conf
sudo sed -i '/Listen 80/a Listen 443' /etc/httpd/conf/httpd.conf
@ -488,7 +470,7 @@ apacheConfig_RHEL () {
sudo openssl req -new -subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" -key /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.csr
sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/misp.local.csr -signkey /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.crt
sudo ln -s /etc/pki/tls/certs/misp.local.csr /etc/pki/tls/certs/misp-chain.crt
cat /etc/pki/tls/certs/dhparam.pem |sudo tee -a /etc/pki/tls/certs/misp.local.crt
cat /etc/pki/tls/certs/dhparam.pem |sudo tee -a /etc/pki/tls/certs/misp.local.crt
sudo systemctl restart httpd.service
@ -498,13 +480,14 @@ apacheConfig_RHEL () {
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Plugin/CakeResque/tmp
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/cake
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/start.sh
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmq.py
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmqtest.py
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/*.sh"
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*.py"
sudo sh -c "chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/*/*.py"
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/lief/build/api/python/lief.so
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Vendor/pear/crypt_gpg/scripts/crypt-gpg-pinentry
sudo chcon -t httpd_sys_rw_content_t /tmp
sudo chcon -R -t usr_t $PATH_TO_MISP/venv
sudo sh -c "chcon -R -t bin_t $PATH_TO_MISP/venv/bin/*"
sudo find $PATH_TO_MISP/venv -type f -name "*.so*" -or -name "*.so.*" | xargs sudo chcon -t lib_t
# Only run these if you want to be able to update MISP from the web interface
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Lib
@ -541,7 +524,7 @@ firewall_RHEL () {
### 8/ Log Rotation
## 8.01/ Enable log rotation
MISP saves the stdout and stderr of its workers in /var/www/MISP/app/tmp/logs
MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs
To rotate these logs install the supplied logrotate script:
FIXME: The below does not work
@ -557,12 +540,12 @@ logRotation_RHEL () {
# Now make logrotate work under SELinux as well
# Allow logrotate to modify the log files
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/MISP(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t "$PATH_TO_MISP(/.*)?"
sudo semanage fcontext -a -t httpd_log_t "$PATH_TO_MISP/app/tmp/logs(/.*)?"
sudo chcon -R -t httpd_log_t $PATH_TO_MISP/app/tmp/logs
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp/logs
# Impact of the following: ?!?!?!!?111
##sudo restorecon -R /var/www/MISP/
##sudo restorecon -R $PATH_TO_MISP
# Allow logrotate to read /var/www
sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te
@ -627,6 +610,7 @@ configMISP_RHEL () {
# If you want to be able to change configuration parameters from the webinterface:
sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config/config.php
sudo chmod 660 $PATH_TO_MISP/app/Config/config.php
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config/config.php
# Generate a GPG encryption key.
@ -668,123 +652,40 @@ EOF
The email address should match the one set in the config.php configuration file
Make sure that you use the same settings in the MISP Server Settings tool
## 9.06/ Use MISP's background workers
## 9.06a/ Create a systemd unit for the workers
```bash
echo "[Unit]
Description=MISP background workers
After=mariadb.service redis.service fpm.service
[Service]
Type=forking
User=apache
Group=apache
ExecStart=/var/www/MISP/app/Console/worker/start.sh
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-workers.service
```
Make the workers' script executable and reload the systemd units :
```bash
sudo chmod +x /var/www/MISP/app/Console/worker/start.sh
sudo systemctl daemon-reload
sudo checkmodule -M -m -o /tmp/workerstartsh.mod $PATH_TO_MISP/INSTALL/workerstartsh.te
sudo semodule_package -o /tmp/workerstartsh.pp -m /tmp/workerstartsh.mod
sudo semodule -i /tmp/workerstartsh.pp
```
## 9.06b/ Start the workers and enable them on boot
```bash
sudo systemctl enable --now misp-workers.service
```
## 9.07/ misp-modules (Broken on RHEL8)
Here are CentOS 8 packages of openjpeg2-devel: https://centos.pkgs.org/8/centos-powertools-x86_64/openjpeg2-devel-2.3.0-8.el8.x86_64.rpm.html
## 9.06/ Use MISP background workers
```bash
# some misp-modules dependencies
sudo yum install openjpeg2-devel -y
# <snippet-begin 3_configWorkers_RHEL.sh>
configWorkersRHEL () {
echo "[Unit]
Description=MISP background workers
After=mariadb.service redis.service php-fpm.service
sudo chmod 2777 /usr/local/src
sudo chown root:users /usr/local/src
cd /usr/local/src/
$SUDO_WWW git clone https://github.com/MISP/misp-modules.git
cd misp-modules
sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-core poppler-cpp-devel -y
# pip install
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
## poppler/cpp/poppler-document.h missing, under my current setup I cannot find it in the repos.
[Service]
Type=forking
User=$WWW_USER
Group=$WWW_USER
ExecStart=$PATH_TO_MISP/app/Console/worker/start.sh
Restart=always
RestartSec=10
echo "[Unit]
Description=MISP modules
After=misp-workers.service
[Install]
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-workers.service
[Service]
Type=simple
User=apache
Group=apache
ExecStart=\"${PATH_TO_MISP}/venv/bin/misp-modules l 127.0.0.1 s\"
Restart=always
RestartSec=10
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
sudo systemctl daemon-reload
[Install]
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-modules.service
sudo systemctl daemon-reload
# Test misp-modules
$SUDO_WWW $PATH_TO_MISP/venv/bin/misp-modules -l 127.0.0.1 -s
sudo systemctl enable --now misp-modules
# Enable Enrichment, set better timeouts
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
# TODO:"Investigate why the next one fails"
#$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_asn_history_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_btc_steroids_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_ipasn_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_yara_syntax_validator_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_yara_query_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_pdf_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_docx_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_xlsx_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_pptx_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_ods_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_odt_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
# Enable Import modules, set better timeout
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_services_enable" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_services_port" 6666
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_timeout" 300
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_mispjson_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_openiocimport_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_threatanalyzer_import_enabled" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
# Enable Export modules, set better timeout
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_services_enable" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_services_port" 6666
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_timeout" 300
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
sudo systemctl enable --now misp-workers.service
}
# <snippet-end 3_configWorkers_RHEL.sh>
```
{!generic/misp-dashboard-centos.md!}
{!generic/misp-modules-centos.md!}
{!generic/MISP_CAKE_init.md!}
{!generic/misp-dashboard-centos.md!}
{!generic/INSTALL.done.md!}
{!generic/recommended.actions.md!}
@ -792,7 +693,7 @@ sudo systemctl enable --now misp-modules
### 11/ LIEF Installation
*lief* is required for the Advanced Attachment Handler and requires manual compilation
The installation is explained in section **[3.01](https://misp.github.io/MISP/xINSTALL.rhel8/#301-download-misp-code-using-git-in-varwww-directory)**
The installation is explained in section **[3.01](https://misp.github.io/MISP/INSTALL.rhel8/#301-download-misp-code-using-git-in-varwww-directory)**
### 12/ Known Issues
## 12.01/ Workers cannot be started or restarted from the web page
@ -801,7 +702,7 @@ Possible also due to package being installed via SCL, attempting to start worker
systemctl restart misp-workers.service
```
!!! note
!!! note
No other functions were tested after the conclusion of this install. There may be issue that aren't addressed<br />
via this guide and will need additional investigation.


@ -121,6 +121,8 @@ installDepsPhp72 () {
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
}
# <snippet-end 0_installDepsPhp72.sh>
```
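Review bot: The two added sed lines silently do nothing when the target php.ini carries the key commented out (`;session.use_strict_mode = 0`), because the anchor `^\(session.use_strict_mode\)` only matches an uncommented line at column 0, and use_strict_mode=1 is the setting that makes PHP refuse session ids it did not issue itself; the edit is worth verifying, e.g. `grep -q '^session.use_strict_mode = 1' "$PHP_INI" || echo "WARNING: session.use_strict_mode not applied in $PHP_INI" >&2`. The `$(eval echo \${session0sid_length})` indirection is copied from the loop above, where the key name is a variable; here the name is fixed, so `${session0sid_length}` yields the same value without an eval. The same two lines recur in the installDepsPhp74 and installDepsPhp70 sections and the four inline php.ini sections below (hunks ending at L1375, L1466, L1477, L1488, L1499, L1510) and in the Tsurugi hunk starting at L1522, where the value is additionally declared as `session.sid_length=32` (L1518) rather than `session0sid_length`; bash does not accept a dotted name as an assignment, so unless that variable is set elsewhere in the file the substitution there would write an empty value. installDepsPhp72 starts outside the hunk.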


@ -121,6 +121,8 @@ installDepsPhp74 () {
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
}
# <snippet-end 0_installDepsPhp74.sh>
```


@ -39,6 +39,7 @@ coreCAKE () {
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.email" "$GPG_EMAIL_ADDRESS"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.password" "$GPG_PASSPHRASE"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.obscure_subject" true
# FIXME: what if we have not gpg binary but a gpg2 one?
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.binary" "$(which gpg)"
@ -68,6 +69,9 @@ coreCAKE () {
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_range" 365
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_sighting_db_enable" false
# Plugin Enrichment hover defaults
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_popover_only" false
# Plugin CustomAuth tuneable
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
@ -102,8 +106,10 @@ coreCAKE () {
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableEventBlocklisting" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableOrgBlocklisting" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" false
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_auth" false
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_user_ips" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_user_ips_authkeys" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_user_login_change" false
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_user_password_change" false
@ -136,6 +142,16 @@ coreCAKE () {
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.self_registration_message" "If you would like to send us a registration request, please fill out the form below. Make sure you fill out as much information as possible in order to ease the task of the administrators."
# Appease the security audit, #hardening
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.disable_browser_cache" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.check_sec_fetch_site_header" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.csp_enforce" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.advanced_authkeys" true
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.do_not_log_authkeys" true
# Appease the security audit, #loggin
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.username_in_response_header" true
# It is possible to updateMISP too, only here for reference how to to that on the CLI.
## $SUDO_WWW $RUN_PHP -- $CAKE Admin updateMISP
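Review bot: `Security.username_in_response_header` (L1415) is switched on under a comment that only reads `#loggin`; the setting name suggests it places the logged-in user's name into an HTTP response header, which exposes it to every client and intermediary unless a reverse proxy in front consumes and strips that header for its access log, so the install script should state that assumption, e.g. `# Expose the username in a response header for proxy-side access logging; only enable behind a reverse proxy that strips it`. The typo in the comment should read `#logging`. The `$(which gpg)` FIXME on L1385 is pre-existing and unchanged here. coreCAKE continues outside the hunk.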


@ -84,6 +84,8 @@ MISPvars () {
post_max_size="50M"
max_execution_time="300"
memory_limit="2048M"
session0sid_length="32"
session0use_strict_mode="1"
CAKE="${PATH_TO_MISP}/app/Console/cake"
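Review bot: `session0sid_length` and `session0use_strict_mode` (L1425–L1426) use `0` where the php.ini keys `session.sid_length` / `session.use_strict_mode` have a `.`, because a shell variable name cannot contain a dot, but nothing says so where the variables are declared and the sed lines that consume them are far away; a one-line comment here would prevent a later "fix" to the dotted form, e.g. `# '0' stands in for '.' of the php.ini keys session.sid_length / session.use_strict_mode (shell names cannot contain dots)`. A second comment naming the intent of `session0use_strict_mode="1"` — PHP refuses to adopt a session id it did not issue, the standard session-fixation mitigation — would make it harder to revert casually. MISPvars continues outside the hunk.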


@ -1,10 +1,14 @@
## 9.07/ misp-modules
```bash
# <snippet-begin 3_misp-modules_RHEL.sh>
mispmodulesRHEL () {
# some misp-modules dependencies
# some misp-modules dependencies for RHEL<8
sudo yum install openjpeg-devel gcc-c++ poppler-cpp-devel pkgconfig python-devel redhat-rpm-config -y
# some misp-modules dependencies for RHEL8
sudo yum install openjpeg2-devel gcc-c++ poppler-cpp-devel pkgconfig python2-devel redhat-rpm-config -y
sudo chmod 2777 /usr/local/src
sudo chown root:users /usr/local/src
cd /usr/local/src/
@ -14,7 +18,11 @@ mispmodulesRHEL () {
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install pyfaup censys
# some misp-modules dependencies for RHEL<8
sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-devel -y
# some misp-modules dependencies for RHEL8
sudo dnf install https://packages.endpoint.com/rhel/8/main/x86_64/endpoint-repo-8-1.ep8.noarch.rpm
sudo yum install zbar-devel opencv-devel -y
echo "[Unit]
Description=MISP modules
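Review bot: Both the "RHEL<8" and the "RHEL8" package lines (L1437–L1440 and L1448–L1452) run unconditionally despite their comments, so on every host one of the two `yum install` calls targets packages that do not exist for that release, and the `sudo dnf install` of the endpoint-repo RPM on L1451 has no `-y`, so it prompts interactively inside an install script. Gating both pairs on the major release from /etc/os-release keeps each host to its own package set; the sketch below does that. That dnf line also enables a third-party package repository for the whole system, which is a supply-chain decision worth a comment naming why it is needed (zbar/opencv for RHEL8) and a check that the repo's signing key is the one expected rather than relying on the default prompt. mispmodulesRHEL continues past the second hunk.
```shell
mispmodulesRHEL () {
  # Choose the dependency set by major release instead of running both yum lines
  local rhel_major
  rhel_major=$(. /etc/os-release && printf '%s' "${VERSION_ID%%.*}")
  if (( rhel_major >= 8 )); then
    # some misp-modules dependencies for RHEL8
    sudo yum install openjpeg2-devel gcc-c++ poppler-cpp-devel pkgconfig python2-devel redhat-rpm-config -y
  else
    # some misp-modules dependencies for RHEL<8
    sudo yum install openjpeg-devel gcc-c++ poppler-cpp-devel pkgconfig python-devel redhat-rpm-config -y
  fi
  # … unchanged: /usr/local/src setup, clone and pip installs …
  if (( rhel_major >= 8 )); then
    # some misp-modules dependencies for RHEL8 (enables a third-party repo; verify its signing key)
    sudo dnf install -y https://packages.endpoint.com/rhel/8/main/x86_64/endpoint-repo-8-1.ep8.noarch.rpm
    sudo yum install zbar-devel opencv-devel -y
  else
    # some misp-modules dependencies for RHEL<8
    sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-devel -y
  fi
  # … unchanged: systemd unit for misp-modules …
```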


@ -672,6 +672,8 @@ installDepsPhp70 () {
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
}
# <snippet-end 0_installDepsPhp70.sh>


@ -285,6 +285,8 @@ for key in upload_max_filesize post_max_size max_execution_time max_input_time m
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
sudo service rh-php70-php-fpm restart
# To use the scheduler worker for scheduled tasks, do the following:
sudo cp -fa ${PATH_TO_MISP}/INSTALL/setup/config.php ${PATH_TO_MISP}/app/Plugin/CakeResque/Config/config.php


@ -268,6 +268,8 @@ for key in upload_max_filesize post_max_size max_execution_time max_input_time m
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
sudo systemctl restart rh-php72-php-fpm.service
# To use the scheduler worker for scheduled tasks, do the following:


@ -345,6 +345,8 @@ for key in upload_max_filesize post_max_size max_execution_time max_input_time m
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
# Restart apache
sudo systemctl restart apache2


@ -367,6 +367,8 @@ for key in upload_max_filesize post_max_size max_execution_time max_input_time m
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
# Restart apache
sudo systemctl restart apache2


@ -118,6 +118,9 @@ function installMISPonTsurugi() {
post_max_size=50M
max_execution_time=300
memory_limit=2048M
session.sid_length=32
session.use_strict_mode=1
PHP_INI=/etc/php/7.0/apache2/php.ini
# apt config
@ -410,6 +413,8 @@ function installMISPonTsurugi() {
do
sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo sed -i "s/^\(session.sid_length\).*/\1 = $(eval echo \${session0sid_length})/" $PHP_INI
sudo sed -i "s/^\(session.use_strict_mode\).*/\1 = $(eval echo \${session0use_strict_mode})/" $PHP_INI
systemctl restart apache2