chg: [doc] Added more changes to the RHEL/CentOS install doc.

pull/4529/head
Steve Clement 2019-04-24 18:47:27 +09:00
parent 937b7cf484
commit 28c15d029b
1 changed files with 286 additions and 314 deletions


@ -236,7 +236,7 @@ $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis
# lief needs manual compilation
sudo yum install devtoolset-7 cmake3 -y
sudo yum install devtoolset-7 cmake3 cppcheck -y
# FIXME: This does not work!
cd $PATH_TO_MISP/app/files/scripts/lief
@ -249,19 +249,17 @@ $SUDO_WWW scl enable devtoolset-7 rh-python36 "bash -c 'cmake3 \
-DLIEF_DOC=off \
-DCMAKE_BUILD_TYPE=Release \
..'"
#-DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \
$SUDO_WWW make -j3
sudo make install
cd api/python/lief_pybind11-prefix/src/lief_pybind11
$SUDO_WWW $PATH_TO_MISP/venv/bin/python setup.py install
$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install https://github.com/lief-project/packages/raw/lief-master-latest/pylief-0.9.0.dev.zip
$SUDO_WWW make -j3 pyLIEF
# The following adds a PYTHONPATH to where the pyLIEF module has been compiled
echo /var/www/MISP/app/files/scripts/lief/build/api/python |$SUDO_WWW tee /var/www/MISP/venv/lib/python3.6/site-packages/lief.pth
# install magic, pydeep
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git
# install PyMISP
cd $PATH_TO_MISP/PyMISP
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
# Enable python3 for php-fpm
echo 'source scl_source enable rh-python36' | sudo tee -a /etc/opt/rh/rh-php72/sysconfig/php-fpm
@ -286,6 +284,9 @@ sudo systemctl restart rh-php72-php-fpm.service
CakePHP is now included as a submodule of MISP and has been fetch by a previous step.
```bash
# <snippet-begin 1_installCake_RHEL.sh>
installCake_RHEL ()
{
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP
sudo mkdir /usr/share/httpd/.composer
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.composer
@ -323,11 +324,15 @@ sudo systemctl restart rh-php72-php-fpm.service
# To use the scheduler worker for scheduled tasks, do the following:
sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
}
# <snippet-begin 1_installCake_RHEL.sh>
```
# 5/ Set file permissions
```bash
# Make sure the permissions are set correctly using the following commands as root:
# <snippet-begin 2_permissions_RHEL.sh>
# Main function to fix permissions to something sane
permissions_RHEL () {
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP
## ? chown -R root:apache /var/www/MISP
sudo find $PATH_TO_MISP -type d -exec chmod g=rx {} \;
@ -347,21 +352,27 @@ sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/tmp
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/img/orgs
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/img/custom
}
# <snippet-end 2_permissions_RHEL.sh>
```
# 6/ Create database and user
## 6.01/ Set database to listen on localhost only
## 6.01/ Set database to listen on localhost oncology's
```bash
# <snippet-begin 1_prepareDB_RHEL.sh>
prepareDB_RHEL () {
# Enable, start and secure your mysql database server
sudo systemctl enable --now rh-mariadb102-mariadb.service
echo [mysqld] |sudo tee /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 |sudo tee -a /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
sudo systemctl restart rh-mariadb102-mariadb
```
```bash
sudo yum install expect -y
## The following needs some thoughts about scl enable foo
#if [[ ! -e /var/opt/rh/rh-mariadb102/lib/mysql/misp/users.ibd ]]; then
# Add your credentials if needed, if sudo has NOPASS, comment out the relevant lines
pw="Password1234"
@ -393,32 +404,15 @@ EOF
sudo yum remove tcl expect -y
sudo systemctl restart rh-mariadb102-mariadb
```
## 6.02/ Manual procedur: Start a MariaDB shell and create the database
```bash
# Enter the mysql shell
scl enable rh-mariadb102 'mysql -u root -p'
```
```
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
MariaDB [(none)]> exit
```
## 6.02a/ Same as Manual but for copy/paste foo:
```bash
scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'CREATE DATABASE $DBNAME;'"
scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT USAGE on *.* to $DBNAME@localhost IDENTIFIED by '$DBPASSWORD_MISP';\""
scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';\""
scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;'"
```
## 6.03/ Import the empty MySQL database from MYSQL.sql
```bash
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME"
}
# <snippet-end 1_prepareDB_RHEL.sh>
```
# 7/ Apache Configuration
@ -432,6 +426,8 @@ $SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "m
If it is disabled, you can ignore the **chcon/setsebool/semanage/checkmodule/semodule*** commands.
```bash
# <snippet-begin 1_apacheConfig_RHEL.sh>
apacheConfig_RHEL () {
# Now configure your apache server with the DocumentRoot $PATH_TO_MISP/app/webroot/
# A sample vhost can be found in $PATH_TO_MISP/INSTALL/apache.misp.centos7
@ -477,12 +473,16 @@ sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/orgs
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/custom
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/mispzmq
}
# <snippet-end 1_apacheConfig_RHEL.sh>
```
!!! warning
Todo: Revise all permissions so update in Web UI works.
```bash
# <snippet-begin 1_firewall_RHEL.sh>
firewall_RHEL () {
# Allow httpd to connect to the redis server and php-fpm over tcp/ip
sudo setsebool -P httpd_can_network_connect on
@ -496,10 +496,8 @@ sudo systemctl enable --now httpd.service
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --reload
# We seriously recommend using only HTTPS / SSL !
# Add SSL support by running: sudo yum install mod_ssl
# Check out the apache.misp.ssl file for an example
}
# <snippet-end 1_firewall_RHEL.sh>
```
# 8/ Log Rotation
@ -508,6 +506,8 @@ MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs
To rotate these logs install the supplied logrotate script:
```bash
# <snippet-begin 2_logRotation_RHEL.sh>
logRotation_RHEL () {
# MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
@ -527,11 +527,15 @@ sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp/logs
sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te
sudo semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod
sudo semodule -i /tmp/misplogrotate.pp
}
# <snippet-end 2_logRotation_RHEL.sh>
```
# 9/ MISP Configuration
```bash
# <snippet-begin 2_configMISP_RHEL.sh>
configMISP_RHEL () {
# There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php
@ -610,6 +614,8 @@ sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/gpg.asc
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
}
# <snippet-end 2_configMISP_RHEL.sh>
```
Review:
@ -624,12 +630,6 @@ then
echo 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod u+x /etc/rc.local
fi
# TODO: Fix static path with PATH_TO_MISP
sudo sed -i -e '$i \su -s /bin/bash apache -c "scl enable rh-php72 /var/www/MISP/app/Console/worker/start.sh" > /tmp/worker_start_rc.local.log\n' /etc/rc.local
# Make sure it will execute
sudo chmod +x /etc/rc.local
```
!!! note
@ -681,20 +681,27 @@ cd /usr/local/src/
$SUDO_WWW git clone https://github.com/MISP/misp-modules.git
cd misp-modules
# pip install
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -I -r REQUIREMENTS
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
sudo yum install rubygem-rouge rubygem-asciidoctor -y
##sudo gem install asciidoctor-pdf --pre
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-devel -y
# install additional dependencies for extended object generation and extraction
$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install maec python-magic pathlib
$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install git+https://github.com/kbandla/pydeep.git
echo "[Unit]
Description=MISP's modules
After=misp-workers.service
# Start misp-modules
$SUDO_WWW ${PATH_TO_MISP}/venv/bin/misp-modules -l 0.0.0.0 -s &
[Service]
Type=simple
User=apache
Group=apache
ExecStart=\"${PATH_TO_MISP}/venv/bin/misp-modules l 127.0.0.1 s\"
Restart=always
RestartSec=10
# TODO: Fix static path with PATH_TO_MISP
sudo sed -i -e '$i \sudo -u apache /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s &\n' /etc/rc.local
[Install]
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-modules.service
sudo systemctl daemon-reload
sudo systemctl enable --now misp-modules
```
{!generic/misp-dashboard-centos.md!}
@ -708,46 +715,11 @@ sudo sed -i -e '$i \sudo -u apache /var/www/MISP/venv/bin/misp-modules -l 127.0.
# 11/ LIEF Installation
*lief* is required for the Advanced Attachment Handler and requires manual compilation
## 11.01/ Install cmake3 devtoolset-7 from SCL
```bash
yum install devtoolset-7 cmake3
```
## 11.02/ Create the directory and download the source code
```bash
cd /var/www/MISP/app/files/scripts
git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
```
## 11.03/ Compile lief and install it
```bash
cd /var/www/MISP/app/files/scripts/lief
mkdir build
cd build
scl enable devtoolset-7 rh-python36 'bash -c "cmake3 \
-DLIEF_PYTHON_API=on \
-DLIEF_DOC=off \
-DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \
-DCMAKE_BUILD_TYPE=Release \
-DPYTHON_VERSION=3.6 \
.."'
make -j3
cd api/python
scl enable rh-python36 'python3 setup.py install || :'
# when running setup.py, pip will download and install remote LIEF packages that will prevent MISP from detecting the packages that you compiled ; remove them
find /opt/rh/rh-python36/root/ -name "*lief*" -exec rm -rf {} \;
```
## 11.04/ Test lief installation, if no error, package installed
```bash
scl enable rh-python36 python3
>> import lief
```
The installation is explained in section **[3.01](https://misp.github.io/MISP/INSTALL.rhel7/#301-download-misp-code-using-git-in-varwww-directory)**
# 12/ Known Issues
## 12.01/ Workers cannot be started or restarted from the web page
Possible also due to package being installed via SCL, attempting to start workers through the web page will result in
error. Worker's can be restarted via the CLI using the following command.
Possible also due to package being installed via SCL, attempting to start workers through the web page will result in error. Worker's can be restarted via the CLI using the following command.
```bash
systemctl restart misp-workers.service
```
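Review bot: In the misp-modules unit that the `echo "[Unit] …" |sudo tee /etc/systemd/system/misp-modules.service` block writes, the `ExecStart` line wraps the whole command in escaped quotes and spells the options as `l 127.0.0.1 s`, without their dashes. systemd takes a quoted string as a single word, so it would look for an executable whose path includes the arguments, and with `Restart=always` the unit would loop on restart instead of serving on loopback. I would write `ExecStart=${PATH_TO_MISP}/venv/bin/misp-modules -l 127.0.0.1 -s`, which keeps the loopback bind that the rc.local line used and not the `-l 0.0.0.0` of the old background start. A comment above the unit saying why the listener is bound to 127.0.0.1 would help the next editor keep it that way. Separately, the heading `## 6.01/ Set database to listen on localhost oncology's` looks like an autocorrected `only`, assuming that copy of the heading is the new side.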