mirror of https://github.com/MISP/MISP
chg: [doc] Added more changes to the RHEL/CentOS install doc.
parent
937b7cf484
commit
28c15d029b
|
@ -236,7 +236,7 @@ $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq
|
|||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis
|
||||
|
||||
# lief needs manual compilation
|
||||
sudo yum install devtoolset-7 cmake3 -y
|
||||
sudo yum install devtoolset-7 cmake3 cppcheck -y
|
||||
|
||||
# FIXME: This does not work!
|
||||
cd $PATH_TO_MISP/app/files/scripts/lief
|
||||
|
@ -249,19 +249,17 @@ $SUDO_WWW scl enable devtoolset-7 rh-python36 "bash -c 'cmake3 \
|
|||
-DLIEF_DOC=off \
|
||||
-DCMAKE_BUILD_TYPE=Release \
|
||||
..'"
|
||||
#-DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \
|
||||
$SUDO_WWW make -j3
|
||||
sudo make install
|
||||
cd api/python/lief_pybind11-prefix/src/lief_pybind11
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/python setup.py install
|
||||
$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install https://github.com/lief-project/packages/raw/lief-master-latest/pylief-0.9.0.dev.zip
|
||||
$SUDO_WWW make -j3 pyLIEF
|
||||
|
||||
# The following adds a PYTHONPATH to where the pyLIEF module has been compiled
|
||||
echo /var/www/MISP/app/files/scripts/lief/build/api/python |$SUDO_WWW tee /var/www/MISP/venv/lib/python3.6/site-packages/lief.pth
|
||||
|
||||
# install magic, pydeep
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git
|
||||
|
||||
# install PyMISP
|
||||
cd $PATH_TO_MISP/PyMISP
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
|
||||
|
||||
# Enable python3 for php-fpm
|
||||
echo 'source scl_source enable rh-python36' | sudo tee -a /etc/opt/rh/rh-php72/sysconfig/php-fpm
|
||||
|
@ -286,6 +284,9 @@ sudo systemctl restart rh-php72-php-fpm.service
|
|||
CakePHP is now included as a submodule of MISP and has been fetch by a previous step.
|
||||
|
||||
```bash
|
||||
# <snippet-begin 1_installCake_RHEL.sh>
|
||||
installCake_RHEL ()
|
||||
{
|
||||
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP
|
||||
sudo mkdir /usr/share/httpd/.composer
|
||||
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.composer
|
||||
|
@ -323,11 +324,15 @@ sudo systemctl restart rh-php72-php-fpm.service
|
|||
|
||||
# To use the scheduler worker for scheduled tasks, do the following:
|
||||
sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
|
||||
}
|
||||
# <snippet-begin 1_installCake_RHEL.sh>
|
||||
```
|
||||
|
||||
# 5/ Set file permissions
|
||||
```bash
|
||||
# Make sure the permissions are set correctly using the following commands as root:
|
||||
# <snippet-begin 2_permissions_RHEL.sh>
|
||||
# Main function to fix permissions to something sane
|
||||
permissions_RHEL () {
|
||||
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP
|
||||
## ? chown -R root:apache /var/www/MISP
|
||||
sudo find $PATH_TO_MISP -type d -exec chmod g=rx {} \;
|
||||
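Review bot: The marker that closes the installCake_RHEL snippet reads `# <snippet-begin 1_installCake_RHEL.sh>`, the same text as its opening marker, so this snippet has no end marker. The other functions wrapped in this commit close with `# <snippet-end …>`, so the line after the function's closing `}` should be `# <snippet-end 1_installCake_RHEL.sh>`. Anything that extracts snippets by these markers would otherwise run this one on into the permissions block that follows.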
|
@ -347,21 +352,27 @@ sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config
|
|||
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/tmp
|
||||
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/img/orgs
|
||||
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/img/custom
|
||||
}
|
||||
# <snippet-end 2_permissions_RHEL.sh>
|
||||
```
|
||||
|
||||
# 6/ Create database and user
|
||||
## 6.01/ Set database to listen on localhost only
|
||||
|
||||
## 6.01/ Set database to listen on localhost oncology's
|
||||
```bash
|
||||
# <snippet-begin 1_prepareDB_RHEL.sh>
|
||||
prepareDB_RHEL () {
|
||||
# Enable, start and secure your mysql database server
|
||||
sudo systemctl enable --now rh-mariadb102-mariadb.service
|
||||
echo [mysqld] |sudo tee /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
|
||||
echo bind-address=127.0.0.1 |sudo tee -a /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
|
||||
sudo systemctl restart rh-mariadb102-mariadb
|
||||
```
|
||||
|
||||
```bash
|
||||
sudo yum install expect -y
|
||||
|
||||
## The following needs some thoughts about scl enable foo
|
||||
#if [[ ! -e /var/opt/rh/rh-mariadb102/lib/mysql/misp/users.ibd ]]; then
|
||||
|
||||
# Add your credentials if needed, if sudo has NOPASS, comment out the relevant lines
|
||||
pw="Password1234"
|
||||
|
||||
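Review bot: The section heading now reads `## 6.01/ Set database to listen on localhost oncology's`, which looks like an autocorrect slip; it should stay `## 6.01/ Set database to listen on localhost only`. In addition, `prepareDB_RHEL () {` is opened inside a code fence that, as rendered here, closes right after `sudo systemctl restart rh-mariadb102-mariadb`, so the function body is split across two fences. If the function is meant to be copied or extracted as one unit, the fence close and reopen between them should be dropped. The function's closing `}` is outside this hunk.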
|
@ -393,32 +404,15 @@ EOF
|
|||
sudo yum remove tcl expect -y
|
||||
|
||||
sudo systemctl restart rh-mariadb102-mariadb
|
||||
```
|
||||
|
||||
## 6.02/ Manual procedur: Start a MariaDB shell and create the database
|
||||
```bash
|
||||
# Enter the mysql shell
|
||||
scl enable rh-mariadb102 'mysql -u root -p'
|
||||
```
|
||||
|
||||
```
|
||||
MariaDB [(none)]> create database misp;
|
||||
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX';
|
||||
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
|
||||
MariaDB [(none)]> exit
|
||||
```
|
||||
|
||||
## 6.02a/ Same as Manual but for copy/paste foo:
|
||||
```bash
|
||||
scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'CREATE DATABASE $DBNAME;'"
|
||||
scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT USAGE on *.* to $DBNAME@localhost IDENTIFIED by '$DBPASSWORD_MISP';\""
|
||||
scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';\""
|
||||
scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;'"
|
||||
```
|
||||
|
||||
## 6.03/ Import the empty MySQL database from MYSQL.sql
|
||||
```bash
|
||||
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME"
|
||||
}
|
||||
# <snippet-end 1_prepareDB_RHEL.sh>
|
||||
```
|
||||
|
||||
# 7/ Apache Configuration
|
||||
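Review bot: The import command that, as far as this rendering shows, remains inside `prepareDB_RHEL` passes the database password on the command line as `-p$DBPASSWORD_MISP`, so it is visible in the process list while the import runs and appears in any shell trace of the installer. Now that the step is part of a scripted function rather than a manual copy/paste, prefer a client option file readable only by the installing user, passed with `--defaults-extra-file` and removed when the function finishes. The expansions are also unquoted inside the `scl enable "…"` string, so a password containing spaces or shell metacharacters would break the command or be re-interpreted by the inner shell. The function opens outside this hunk.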
|
@ -432,6 +426,8 @@ $SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "m
|
|||
If it is disabled, you can ignore the **chcon/setsebool/semanage/checkmodule/semodule*** commands.
|
||||
|
||||
```bash
|
||||
# <snippet-begin 1_apacheConfig_RHEL.sh>
|
||||
apacheConfig_RHEL () {
|
||||
# Now configure your apache server with the DocumentRoot $PATH_TO_MISP/app/webroot/
|
||||
# A sample vhost can be found in $PATH_TO_MISP/INSTALL/apache.misp.centos7
|
||||
|
||||
|
@ -477,12 +473,16 @@ sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
|
|||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/orgs
|
||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/custom
|
||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/mispzmq
|
||||
}
|
||||
# <snippet-end 1_apacheConfig_RHEL.sh>
|
||||
```
|
||||
|
||||
!!! warning
|
||||
Todo: Revise all permissions so update in Web UI works.
|
||||
|
||||
```bash
|
||||
# <snippet-begin 1_firewall_RHEL.sh>
|
||||
firewall_RHEL () {
|
||||
# Allow httpd to connect to the redis server and php-fpm over tcp/ip
|
||||
sudo setsebool -P httpd_can_network_connect on
|
||||
|
||||
|
@ -496,10 +496,8 @@ sudo systemctl enable --now httpd.service
|
|||
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
|
||||
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
|
||||
sudo firewall-cmd --reload
|
||||
|
||||
# We seriously recommend using only HTTPS / SSL !
|
||||
# Add SSL support by running: sudo yum install mod_ssl
|
||||
# Check out the apache.misp.ssl file for an example
|
||||
}
|
||||
# <snippet-end 1_firewall_RHEL.sh>
|
||||
```
|
||||
|
||||
# 8/ Log Rotation
|
||||
|
@ -508,6 +506,8 @@ MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs
|
|||
To rotate these logs install the supplied logrotate script:
|
||||
|
||||
```bash
|
||||
# <snippet-begin 2_logRotation_RHEL.sh>
|
||||
logRotation_RHEL () {
|
||||
# MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs
|
||||
# To rotate these logs install the supplied logrotate script:
|
||||
|
||||
|
@ -527,11 +527,15 @@ sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp/logs
|
|||
sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te
|
||||
sudo semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod
|
||||
sudo semodule -i /tmp/misplogrotate.pp
|
||||
}
|
||||
# <snippet-end 2_logRotation_RHEL.sh>
|
||||
```
|
||||
|
||||
# 9/ MISP Configuration
|
||||
|
||||
```bash
|
||||
# <snippet-begin 2_configMISP_RHEL.sh>
|
||||
configMISP_RHEL () {
|
||||
# There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied
|
||||
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
|
||||
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php
|
||||
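Review bot: `logRotation_RHEL` builds the SELinux policy module at fixed names in /tmp (`/tmp/misplogrotate.mod`, `/tmp/misplogrotate.pp`) and then loads it as root with `semodule -i`. Fixed names in a world-writable directory can be pre-created by another local user, so on a shared host the file that gets loaded is not guaranteed to be the one that was just compiled. Now that these lines are wrapped in a function, a private work directory is easy to add: `tmpdir=$(mktemp -d)` before `checkmodule`, write to `"$tmpdir/misplogrotate.mod"` and `"$tmpdir/misplogrotate.pp"`, and `rm -rf -- "$tmpdir"` after `semodule -i`. The function's opening lines are in the previous hunk.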
|
@ -610,6 +614,8 @@ sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/gpg.asc
|
|||
|
||||
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
|
||||
echo "User (misp) DB Password: $DBPASSWORD_MISP"
|
||||
}
|
||||
# <snippet-end 2_configMISP_RHEL.sh>
|
||||
```
|
||||
|
||||
Review:
|
||||
|
@ -624,12 +630,6 @@ then
|
|||
echo 'exit 0' | sudo tee -a /etc/rc.local
|
||||
sudo chmod u+x /etc/rc.local
|
||||
fi
|
||||
|
||||
# TODO: Fix static path with PATH_TO_MISP
|
||||
sudo sed -i -e '$i \su -s /bin/bash apache -c "scl enable rh-php72 /var/www/MISP/app/Console/worker/start.sh" > /tmp/worker_start_rc.local.log\n' /etc/rc.local
|
||||
# Make sure it will execute
|
||||
sudo chmod +x /etc/rc.local
|
||||
|
||||
```
|
||||
|
||||
!!! note
|
||||
|
@ -681,20 +681,27 @@ cd /usr/local/src/
|
|||
$SUDO_WWW git clone https://github.com/MISP/misp-modules.git
|
||||
cd misp-modules
|
||||
# pip install
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -I -r REQUIREMENTS
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||
sudo yum install rubygem-rouge rubygem-asciidoctor -y
|
||||
##sudo gem install asciidoctor-pdf --pre
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS
|
||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
|
||||
sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-devel -y
|
||||
|
||||
# install additional dependencies for extended object generation and extraction
|
||||
$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install maec python-magic pathlib
|
||||
$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install git+https://github.com/kbandla/pydeep.git
|
||||
echo "[Unit]
|
||||
Description=MISP's modules
|
||||
After=misp-workers.service
|
||||
|
||||
# Start misp-modules
|
||||
$SUDO_WWW ${PATH_TO_MISP}/venv/bin/misp-modules -l 0.0.0.0 -s &
|
||||
[Service]
|
||||
Type=simple
|
||||
User=apache
|
||||
Group=apache
|
||||
ExecStart=\"${PATH_TO_MISP}/venv/bin/misp-modules –l 127.0.0.1 –s\"
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
|
||||
# TODO: Fix static path with PATH_TO_MISP
|
||||
sudo sed -i -e '$i \sudo -u apache /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s &\n' /etc/rc.local
|
||||
[Install]
|
||||
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-modules.service
|
||||
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl enable --now misp-modules
|
||||
```
|
||||
|
||||
{!generic/misp-dashboard-centos.md!}
|
||||
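Review bot: The `ExecStart=` line of the new misp-modules.service unit will not start the service as written. As rendered here the option dashes are en-dashes (`–l 127.0.0.1 –s`), which misp-modules will not parse as flags, and the escaped quotes wrap the whole command line, so systemd takes the entire string as the path of the executable. It should read `ExecStart=${PATH_TO_MISP}/venv/bin/misp-modules -l 127.0.0.1 -s`, with ASCII hyphens and no surrounding quotes. Getting `-l 127.0.0.1` right matters beyond start-up: it keeps the modules listener off external interfaces, which the `-l 0.0.0.0` invocation also shown in this hunk did not. The unit also hard-codes `User=apache` and `Group=apache` where the rest of the guide uses `$WWW_USER`.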
|
@ -708,46 +715,11 @@ sudo sed -i -e '$i \sudo -u apache /var/www/MISP/venv/bin/misp-modules -l 127.0.
|
|||
# 11/ LIEF Installation
|
||||
*lief* is required for the Advanced Attachment Handler and requires manual compilation
|
||||
|
||||
## 11.01/ Install cmake3 devtoolset-7 from SCL
|
||||
```bash
|
||||
yum install devtoolset-7 cmake3
|
||||
```
|
||||
|
||||
## 11.02/ Create the directory and download the source code
|
||||
```bash
|
||||
cd /var/www/MISP/app/files/scripts
|
||||
git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
|
||||
```
|
||||
|
||||
## 11.03/ Compile lief and install it
|
||||
```bash
|
||||
cd /var/www/MISP/app/files/scripts/lief
|
||||
mkdir build
|
||||
cd build
|
||||
scl enable devtoolset-7 rh-python36 'bash -c "cmake3 \
|
||||
-DLIEF_PYTHON_API=on \
|
||||
-DLIEF_DOC=off \
|
||||
-DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \
|
||||
-DCMAKE_BUILD_TYPE=Release \
|
||||
-DPYTHON_VERSION=3.6 \
|
||||
.."'
|
||||
make -j3
|
||||
cd api/python
|
||||
scl enable rh-python36 'python3 setup.py install || :'
|
||||
# when running setup.py, pip will download and install remote LIEF packages that will prevent MISP from detecting the packages that you compiled ; remove them
|
||||
find /opt/rh/rh-python36/root/ -name "*lief*" -exec rm -rf {} \;
|
||||
```
|
||||
|
||||
## 11.04/ Test lief installation, if no error, package installed
|
||||
```bash
|
||||
scl enable rh-python36 python3
|
||||
>> import lief
|
||||
```
|
||||
The installation is explained in section **[3.01](https://misp.github.io/MISP/INSTALL.rhel7/#301-download-misp-code-using-git-in-varwww-directory)**
|
||||
|
||||
# 12/ Known Issues
|
||||
## 12.01/ Workers cannot be started or restarted from the web page
|
||||
Possible also due to package being installed via SCL, attempting to start workers through the web page will result in
|
||||
error. Worker's can be restarted via the CLI using the following command.
|
||||
Possible also due to package being installed via SCL, attempting to start workers through the web page will result in error. Worker's can be restarted via the CLI using the following command.
|
||||
```bash
|
||||
systemctl restart misp-workers.service
|
||||
```
|
||||
|
|