MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

chg: [docs] Remove some migrated INSTALL guides, move FreeBSD to old, will not be supported in the future.

pull/3784/head
Steve Clement 2018-10-21 21:52:40 +09:00
parent 6d7b830c75
commit 2aecfb7e0e
4 changed files with 0 additions and 1427 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
INSTALL/UPDATE.txt
View File

@ -1,103 +0,0 @@
# In general, updating MISP between point releases (for exampe 2.4.50 -> 2.4.53) happens with one of the following two options (both are to be executed as root):
# Option 1: To update to the latest commit from the 2.4 branch simply pull the latest commit
cd /var/www/MISP
git pull origin 2.4
git submodule update --init --recursive
# Option 2: If you want to stick to a point release instead of pulling the latest commit directly:
cd /var/www/MISP
git fetch
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
git submodule update --init --recursive
# If you would like to upgrade from a minor version to another, look at the UPGRADE.txt file instead (such as 2.3.142 -> 2.4.13)
# If for any reason something goes wrong with the above instructions, walk through the following manual upgrade
# 1. Update the MISP code to the latest hotfix.
As user root, do the following:
cd /var/www/MISP
git fetch
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
# 2. Update CakePHP to the latest supported version (if for some reason it doesn't get updated automatically with git submodule)
cd /var/www/MISP
git submodule update --init --recursive
# 3. Update Mitre's STIX and its dependencies
cd /var/www/MISP/app/files/scripts/
rm -rf python-cybox
rm -rf python-stix
sudo -u www-data git clone https://github.com/CybOXProject/python-cybox.git
sudo -u www-data git clone https://github.com/STIXProject/python-stix.git
cd /var/www/MISP/app/files/scripts/python-cybox
python3 setup.py install
cd /var/www/MISP/app/files/scripts/python-stix
python3 setup.py install
# 4. Update mixbox to accomodate the new STIX dependencies:
cd /var/www/MISP/app/files/scripts/
rm -rf mixbox
sudo -u www-data git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
python3 setup.py install
# 5. install PyMISP
cd /var/www/MISP/PyMISP
python3 setup.py install
# 6. For RHEL/CentOS: enable python3 for php-fpm
echo 'source scl_source enable rh-python36' >> /etc/opt/rh/rh-php71/sysconfig/php-fpm
sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php71/php-fpm.d/www.conf
systemctl restart rh-php71-php-fpm.service
# 7. Update CakeResque and its dependencies
cd /var/www/MISP/app
# Edit composer.json so that cake-resque is allowed to be updated
# "kamisama/cake-resque": ">=4.1.2"
vim composer.json
php composer.phar self-update
# if behind a proxy use HTTP_PROXY="http://yourproxy:port" php composer.phar self-update
php composer.phar update
# To use the scheduler worker for scheduled tasks, do the following:
cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
# 8. Make sure all file permissions are set correctly
find /var/www/MISP -type d -exec chmod g=rx {} \;
chmod -R g+r,o= /var/www/MISP/
chown -R www-data:www-data /var/www/MISP/
# 9. Restart the CakeResque workers
su - www-data -s /bin/bash -c 'bash /var/www/MISP/app/Console/worker/start.sh'
# You can also do this using the MISP application by navigating to the workers tab in the server settings and clicking on the "Restart all workers" button.
# 10. Add any new dependencies that might have been added since you've last updated (shown below)
# 11. Add requirements for the pubsub optional feature
pip install pyzmq

0
INSTALL/xINSTALL.FreeBSD.txt → INSTALL/old/xINSTALL.FreeBSD.txt
View File

589
INSTALL/xINSTALL.centos7.txt
View File

@ -1,589 +0,0 @@
INSTALLATION INSTRUCTIONS
------------------------- for CentOS 7.x
0/ MISP CentOS 7 Minimal NetInstall - Status
--------------------------------------------
Maintained and tested by @SteveClement, CentOS 7.5-1804 on 20180906
CentOS 7.5-1804 NetInstallURL: http://mirror.centos.org/centos/7.5.1804/os/x86_64/
Some configurables used below:
```
# CentOS Specific
RUN_PHP='/usr/bin/scl enable rh-php56 '
RUN_PYTHON='/usr/bin/scl enable rh-python36 '
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
CAKE="$PATH_TO_MISP/app/Console/cake"
MISP_BASEURL=''
MISP_LIVE='1'
# Database configuration
DBHOST='localhost'
DBNAME='misp'
DBUSER_ADMIN='root'
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
FQDN='localhost'
# OpenSSL configuration
OPENSSL_CN='Common Name'
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
# php.ini configuration
upload_max_filesize=50M
post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/opt/rh/rh-php56/php.ini
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
```
1/ Minimal CentOS install
-------------------------
Install a minimal CentOS 7.x system with the software:
- OpenSSH server
- LAMP server (actually, this is done below)
- Mail server
# Make sure you set your hostname CORRECTLY vs. like an animal (manually in /etc/hostname)
hostnamectl set-hostname misp.local # or whatever you want it to be
# Make sure your system is up2date:
sudo yum update -y
2/ Dependencies *
----------------
Once the system is installed you can perform the following steps as root or with sudo:
# We need some packages from the Extra Packages for Enterprise Linux repository
sudo yum install epel-release -y
# Since MISP 2.4 PHP 5.5 is a minimal requirement, so we need a newer version than CentOS base provides
# Software Collections is a way do to this, see https://wiki.centos.org/AdditionalResources/Repositories/SCL
sudo yum install centos-release-scl -y
# Install the dependencies:
sudo yum install gcc git httpd zip redis mariadb mariadb-server python-devel python-pip python-zmq libxslt-devel zlib-devel -y
# Install PHP 5.6 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-php56/
sudo yum install rh-php56 rh-php56-php-fpm rh-php56-php-devel rh-php56-php-mysqlnd rh-php56-php-mbstring rh-php56-php-xml rh-php56-php-bcmath rh-php56-php-opcache -y
# Install Python 3.6 from SCL, see
# https://www.softwarecollections.org/en/scls/rhscl/rh-python36/
sudo yum install rh-python36 -y
# rh-php56-php only provided mod_php for httpd24-httpd from SCL
# if we want to use httpd from CentOS base we can use rh-php56-php-fpm instead
sudo systemctl enable rh-php56-php-fpm.service
sudo systemctl start rh-php56-php-fpm.service
$RUN_PHP "pear channel-update pear.php.net"
sudo $RUN_PHP "pear install Crypt_GPG" # we need version >1.3.0
NOTE: $RUN_PHP makes php available for you if using rh-php56. e.g: $RUN_PHP "pear list | grep Crypt_GPG"
# GPG needs lots of entropy, haveged provides entropy
sudo yum install haveged -y
sudo systemctl enable haveged.service
sudo systemctl start haveged.service
# Enable and start redis
sudo systemctl enable redis.service
sudo systemctl start redis.service
3/ MISP code
------------
# Download MISP using git in the /var/www/ directory.
cd /var/www/
sudo git clone https://github.com/MISP/MISP.git
cd /var/www/MISP
sudo git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
# Make git ignore filesystem permission differences
sudo git config core.filemode false
# Fetch submodules
cd /var/www/MISP
sudo git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
sudo git submodule foreach --recursive git config core.filemode false
# install Mitre's STIX and its dependencies by running the following commands:
sudo yum install python-importlib python-lxml python-dateutil python-six -y
cd /var/www/MISP/app/files/scripts
sudo git clone https://github.com/CybOXProject/python-cybox.git
sudo git clone https://github.com/STIXProject/python-stix.git
cd /var/www/MISP/app/files/scripts/python-cybox
sudo git config core.filemode false
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
sudo $RUN_PYTHON "python3 setup.py install"
cd /var/www/MISP/app/files/scripts/python-stix
sudo git config core.filemode false
sudo $RUN_PYTHON "python3 setup.py install"
# install maec
sudo $RUN_PYTHON "pip install maec"
# install zmq
sudo $RUN_PYTHON "pip install zmq"
# install redis
sudo $RUN_PYTHON "pip install redis"
# install mixbox to accomodate the new STIX dependencies:
cd /var/www/MISP/app/files/scripts/
sudo git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
sudo git config core.filemode false
sudo $RUN_PYTHON "python3 setup.py install"
# install PyMISP
cd /var/www/MISP/PyMISP
sudo $RUN_PYTHON "python3 setup.py install"
# Enable python3 for php-fpm
echo 'source scl_source enable rh-python36' | sudo tee -a /etc/opt/rh/rh-php56/sysconfig/php-fpm
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php56/php-fpm.d/www.conf
sudo systemctl restart rh-php56-php-fpm.service
umask $UMASK
4/ CakePHP
-----------
# CakePHP is now included as a submodule of MISP and has been fetch by a previous step.
# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
sudo chown -R apache:apache /var/www/MISP
sudo mkdir /usr/share/httpd/.composer
sudo chown apache:apache /usr/share/httpd/.composer
cd /var/www/MISP/app
sudo -u apache $RUN_PHP "php composer.phar require kamisama/cake-resque:4.1.2"
sudo -u apache $RUN_PHP "php composer.phar config vendor-dir Vendor"
sudo -u apache $RUN_PHP "php composer.phar install"
# CakeResque normally uses phpredis to connect to redis, but it has a (buggy) fallback connector through Redisent. It is highly advised to install phpredis using "yum install php-redis"
sudo $RUN_PHP "pecl install redis-2.2.8"
echo "extension=redis.so" |sudo tee /etc/opt/rh/rh-php56/php-fpm.d/redis.ini
sudo ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php56/php.d/99-redis.ini
sudo systemctl restart rh-php56-php-fpm.service
# If you have not yet set a timezone in php.ini
echo 'date.timezone = "Europe/Luxembourg"' |sudo tee /etc/opt/rh/rh-php56/php-fpm.d/timezone.ini
sudo ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php56/php.d/99-timezone.ini
# Recommended: Change some PHP settings in /etc/opt/rh/rh-php56/php.ini
# max_execution_time = 300
# memory_limit = 512M
# upload_max_filesize = 50M
# post_max_size = 50M
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo systemctl restart rh-php56-php-fpm.service
# To use the scheduler worker for scheduled tasks, do the following:
sudo cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
5/ Set the permissions
----------------------
# Make sure the permissions are set correctly using the following commands as root:
sudo chown -R root:apache /var/www/MISP
sudo find /var/www/MISP -type d -exec chmod g=rx {} \;
sudo chmod -R g+r,o= /var/www/MISP
sudo chmod -R 750 /var/www/MISP
sudo chmod -R g+ws /var/www/MISP/app/tmp
sudo chmod -R g+ws /var/www/MISP/app/files
sudo chmod -R g+ws /var/www/MISP/app/files/scripts/tmp
sudo chown apache:apache /var/www/MISP/app/files
sudo chown apache:apache /var/www/MISP/app/files/terms
sudo chown apache:apache /var/www/MISP/app/files/scripts/tmp
sudo chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp
sudo chown -R apache:apache /var/www/MISP/app/Config
sudo chown -R apache:apache /var/www/MISP/app/tmp
sudo chown -R apache:apache /var/www/MISP/app/webroot/img/orgs
sudo chown -R apache:apache /var/www/MISP/app/webroot/img/custom
6/ Create a database and user
-----------------------------
# Enable, start and secure your mysql database server
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service
# If you want to continue copy pasting set the MySQL root password to $DBPASSWORD_ADMIN
echo $DBPASSWORD_ADMIN
sudo mysql_secure_installation
# Additionally, it is probably a good idea to make the database server listen on localhost only
echo [mysqld] |sudo tee /etc/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf
sudo systemctl restart mariadb.service
# Enter the mysql shell
mysql -u root -p
```
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
MariaDB [(none)]> exit
```
copy/paste:
```
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
```
# Import the empty MySQL database from MYSQL.sql
sudo -u apache cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
7/ Apache configuration
-----------------------
# Now configure your apache server with the DocumentRoot /var/www/MISP/app/webroot/
# A sample vhost can be found in /var/www/MISP/INSTALL/apache.misp.centos7
sudo cp /var/www/MISP/INSTALL/apache.misp.centos7 /etc/httpd/conf.d/misp.conf
# Since SELinux is enabled, we need to allow httpd to write to certain directories
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp/logs
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
:warning: Revise all permissions so update in Web UI works.
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
# Allow httpd to connect to the redis server and php-fpm over tcp/ip
sudo setsebool -P httpd_can_network_connect on
# Enable and start the httpd service
sudo systemctl enable httpd.service
sudo systemctl start httpd.service
# Open a hole in the iptables firewall
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --reload
# We seriously recommend using only HTTPS / SSL !
# Add SSL support by running: yum install mod_ssl
# Check out the apache.misp.ssl file for an example
/!\ WARNING - To be fixed - Place holder
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
8/ Log rotation
---------------
# MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
sudo chmod 0640 /etc/logrotate.d/misp
# Now make logrotate work under SELinux as well
# Allow logrotate to modify the log files
sudo semanage fcontext -a -t httpd_log_t "/var/www/MISP/app/tmp/logs(/.*)?"
sudo chcon -R -t httpd_log_t /var/www/MISP/app/tmp/logs
# Allow logrotate to read /var/www
sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te
sudo semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod
sudo semodule -i /tmp/misplogrotate.pp
9/ MISP configuration
---------------------
# There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied
sudo -u apache cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
sudo -u apache cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php
sudo -u apache cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
sudo -u apache cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
echo "<?php
class DATABASE_CONFIG {
public \$default = array(
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => '$DBHOST',
'login' => '$DBUSER_MISP',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
'password' => '$DBPASSWORD_MISP',
'database' => '$DBNAME',
'prefix' => '',
'encoding' => 'utf8',
);
}" | sudo -u apache tee $PATH_TO_MISP/app/Config/database.php
# Configure the fields in the newly created files:
# config.php : baseurl (example: 'baseurl' => 'http://misp',) - don't use "localhost" it causes issues when browsing externally
# core.php : Uncomment and set the timezone: `// date_default_timezone_set('UTC');`
# database.php : login, port, password, database
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
# public $default = array(
# 'datasource' => 'Database/Mysql',
# 'persistent' => false,
# 'host' => 'localhost',
# 'login' => 'misp', // grant usage on *.* to misp@localhost
# 'port' => 3306,
# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
# 'database' => 'misp', // create database misp;
# 'prefix' => '',
# 'encoding' => 'utf8',
# );
#}
# Important! Change the salt key in /var/www/MISP/app/Config/config.php
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)
# If you want to be able to change configuration parameters from the webinterface:
sudo chown apache:apache /var/www/MISP/app/Config/config.php
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Config/config.php
# Set some MISP directives with the command line tool
sudo $RUN_PHP "$CAKE Live $MISP_LIVE"
# Change base url
sudo $RUN_PHP "$CAKE Baseurl $MISP_BASEURL"
# Generate a GPG encryption key.
cat >/tmp/gen-key-script <<EOF
%echo Generating a default key
Key-Type: default
Key-Length: $GPG_KEY_LENGTH
Subkey-Type: default
Name-Real: $GPG_REAL_NAME
Name-Comment: $GPG_COMMENT
Name-Email: $GPG_EMAIL_ADDRESS
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
# Do a commit here, so that we can later print "done"
%commit
%echo done
EOF
sudo gpg --homedir /var/www/MISP/.gnupg --batch --gen-key /tmp/gen-key-script
sudo rm -f /tmp/gen-key-script
sudo chown -R apache:apache /var/www/MISP/.gnupg
# And export the public key to the webroot
sudo gpg --homedir /var/www/MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS |sudo tee /var/www/MISP/app/webroot/gpg.asc
sudo chown apache:apache /var/www/MISP/app/webroot/gpg.asc
# Start the workers to enable background jobs
chmod +x /var/www/MISP/app/Console/worker/start.sh
sudo -u apache $RUN_PHP /var/www/MISP/app/Console/worker/start.sh
# To make the background workers start on boot
vi /etc/rc.local
# Add the following line at the end
su -s /bin/bash apache -c 'scl enable rh-php56 /var/www/MISP/app/Console/worker/start.sh'
# and make sure it will execute
sudo chmod +x /etc/rc.local
# Initialize user and fetch Auth Key
sudo -E $RUN_PHP "$CAKE userInit -q"
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
# Setup some more MISP default via cake CLI
# Tune global time outs
sudo $RUN_PHP "$CAKE Admin setSetting "Session.autoRegenerate" 0"
sudo $RUN_PHP "$CAKE Admin setSetting "Session.timeout" 600"
sudo $RUN_PHP "$CAKE Admin setSetting "Session.cookie_timeout" 3600"
# Enable GnuPG
sudo $RUN_PHP "$CAKE Admin setSetting "GnuPG.email" "admin@admin.test""
sudo $RUN_PHP "$CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg""
sudo $RUN_PHP "$CAKE Admin setSetting "GnuPG.password" "Password1234""
# Enable Enrichment set better timeouts
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_services_enable" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_timeout" 300"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666"
# Enable Import modules set better timout
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_services_enable" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_services_port" 6666"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_timeout" 300"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_ocr_enabled" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true"
# Enable Export modules set better timout
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Export_services_enable" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Export_services_port" 6666"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Export_timeout" 300"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true"
# Enable installer org and tune some configurables
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.host_org_id" 1"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.email" "info@admin.test""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.disable_emailing" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.contact" "info@admin.test""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.disablerestalert" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true"
# Provisional Cortex tunes
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_enable" false"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_timeout" 120"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_authkey" """
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true"
# Various plugin sightings settings
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Sightings_policy" 0"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Sightings_anonymise" false"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Sightings_range" 365"
# Plugin CustomAuth tuneable
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false"
# RPZ Plugin settings
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_policy" "DROP""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_refresh" "2h""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_retry" "30m""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_expiry" "30d""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_ttl" "1w""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_ns" "localhost.""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_ns_alt" """
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost""
# Force defaults to make MISP Server Settings less RED
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.language" "eng""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.proposals_block_attributes" false"
## Redis block
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.redis_host" "127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.redis_port" 6379"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.redis_database" 13"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.redis_password" """
# Force defaults to make MISP Server Settings less YELLOW
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.extended_alert_subject" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.default_event_threat_level" 4"
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team""
##sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.enableEventBlacklisting" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.enableOrgBlacklisting" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.log_client_ip" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.log_auth" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.disableUserSelfManagement" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.block_event_alert" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\"""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.block_old_event_alert" false"
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.block_old_event_alert_age" """
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false"
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.footermidleft" "This is an initial install""
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly""
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure""
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings""
# Force defaults to make MISP Server Settings less GREEN
sudo $RUN_PHP "$CAKE Admin setSetting "Security.password_policy_length" 12"
##sudo $RUN_PHP "$CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'"
# Tune global time outs
sudo $RUN_PHP "$CAKE Admin setSetting "Session.autoRegenerate" 0"
sudo $RUN_PHP "$CAKE Admin setSetting "Session.timeout" 600"
sudo $RUN_PHP "$CAKE Admin setSetting "Session.cookie_timeout" 3600"
# Now log in using the webinterface: http://misp/users/login
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
Don't forget to change the email, password and authentication key after installation.
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
chmod -R 750 /var/www/MISP/<directory path with an indicated issue>
chown -R apache:apache /var/www/MISP/<directory path with an indicated issue>
# Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items
# If anything goes wrong, make sure that you check MISP's logs for errors:
# /var/www/MISP/app/tmp/logs/error.log
# /var/www/MISP/app/tmp/logs/resque-worker-error.log
# /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
# /var/www/MISP/app/tmp/logs/resque-2015-01-01.log //where the actual date is the current date
Recommended actions
-------------------
- By default CakePHP exposes his name and version in email headers. Apply a patch to remove this behavior.
- You should really harden your OS
- You should really harden the configuration of Apache
- You should really harden the configuration of MySQL
- Keep your software up2date (MISP, CakePHP and everything else)
- Log and audit

735
INSTALL/xINSTALL.debian_testing.txt
View File

@ -1,735 +0,0 @@
INSTALLATION INSTRUCTIONS
------------------------- for Debian testing "buster" server
0/ MISP testing dev install - Status
------------------------------------
This is mostly the install [@SteveClement](https://twitter.com/SteveClement)
uses for testing, qc and random development.
Maintained and tested by @SteveClement on 20180705
Some configurables used below:
```
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
CAKE="$PATH_TO_MISP/app/Console/cake"
MISP_BASEURL=''
MISP_LIVE='1'
# Database configuration
DBHOST='localhost'
DBNAME='misp'
DBUSER_ADMIN='root'
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
FQDN='localhost'
# OpenSSL configuration
OPENSSL_CN='Common Name'
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
# php.ini configuration
upload_max_filesize=50M
post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/php/7.2/apache2/php.ini
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
```
1/ Minimal Debian install
-------------------------
# Install a minimal Debian testing "buster" server system with the software:
- OpenSSH server
- Web server, apache FTW!
- This guide assumes a user name of 'misp'
# Make sure you can sudo
```
misp@debian:~$ sudo ls
[sudo] password for misp:
misp is not in the sudoers file. This incident will be reported.
```
su -
adduser misp sudo
# install etckeeper (optional)
sudo apt install -y etckeeper
# Make sure your system is up2date:
sudo apt update
sudo apt -y dist-upgrade
# Network Interface Name salvage (optional)
This will bring back 'ethX' e.g: eth0
```
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
DEFAULT_GRUB=/etc/default/grub
for key in GRUB_CMDLINE_LINUX
do
sudo sed -i "s/^\($key\)=.*/\1=\"$(eval echo \${$key})\"/" $DEFAULT_GRUB
done
sudo grub-mkconfig -o /boot/grub/grub.cfg
```
# install postfix, there will be some questions.
sudo apt install -y postfix
# Postfix Configuration: Satellite system
# change the relay server later with:
sudo postconf -e 'relayhost = example.com'
sudo postfix reload
2/ Install LAMP & dependencies
------------------------------
Once the system is installed you can perform the following steps:
# Install all the dependencies: (some might already be installed)
sudo apt install -y \
curl gcc git gnupg-agent make openssl redis-server neovim zip libyara-dev python3-yara python3-redis python3-zmq \
mariadb-client \
mariadb-server \
apache2 apache2-doc apache2-utils \
libapache2-mod-php7.2 php7.2 php7.2-cli php7.2-mbstring php-pear php7.2-dev php7.2-json php7.2-xml php7.2-mysql php7.2-opcache php7.2-readline \
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools
# Start rng-tools to get more entropy (optional)
# If you get TPM errors, enable "Security chip" in BIOS (keep secure boot disabled)
sudo apt install rng-tools
sudo service rng-tools start
# Secure the MariaDB installation (especially by setting a strong root password)
sudo mysql_secure_installation
# Enable modules, settings, and default of SSL in Apache
sudo a2dismod status
sudo a2enmod ssl rewrite
sudo a2dissite 000-default
sudo a2ensite default-ssl
# Install PHP external dependencies
sudo pear channel-update pear.php.net
sudo pear install Crypt_GPG
sudo pecl channel-update pecl.php.net
sudo pecl install redis
echo "extension=redis.so" | sudo tee /etc/php/7.2/mods-available/redis.ini
# Switch to python3 by default (optional)
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
To flip between the 2 pythons: sudo update-alternatives --config python
# Apply all changes
sudo systemctl restart apache2
3/ MISP code
------------
# Download MISP using git in the /var/www/ directory.
sudo mkdir $PATH_TO_MISP
sudo chown www-data:www-data $PATH_TO_MISP
cd $PATH_TO_MISP
sudo -u www-data git clone https://github.com/MISP/MISP.git $PATH_TO_MISP
# Make git ignore filesystem permission differences
sudo -u www-data git config core.filemode false
cd $PATH_TO_MISP/app/files/scripts
sudo -u www-data git clone https://github.com/CybOXProject/python-cybox.git
sudo -u www-data git clone https://github.com/STIXProject/python-stix.git
cd $PATH_TO_MISP/app/files/scripts/python-cybox
sudo pip3 install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
sudo pip3 install .
# install mixbox to accomodate the new STIX dependencies:
cd $PATH_TO_MISP/app/files/scripts/
sudo -u www-data git clone https://github.com/CybOXProject/mixbox.git
cd $PATH_TO_MISP/app/files/scripts/mixbox
sudo pip3 install .
cd $PATH_TO_MISP
sudo -u www-data git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
sudo -u www-data git submodule foreach --recursive git config core.filemode false
# install PyMISP
cd $PATH_TO_MISP/PyMISP
sudo pip3 install .
4/ CakePHP
-----------
# CakePHP is included as a submodule of MISP.
# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd $PATH_TO_MISP/app
# Make composer cache happy
sudo mkdir /var/www/.composer ; sudo chown www-data:www-data /var/www/.composer
sudo -u www-data php composer.phar require kamisama/cake-resque:4.1.2
sudo -u www-data php composer.phar config vendor-dir Vendor
sudo -u www-data php composer.phar install
# Enable CakeResque with php-redis
sudo phpenmod redis
# To use the scheduler worker for scheduled tasks, do the following:
sudo -u www-data cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
5/ Set the permissions
----------------------
# Check if the permissions are set correctly using the following commands:
sudo chown -R www-data:www-data $PATH_TO_MISP
sudo chmod -R 750 $PATH_TO_MISP
sudo chmod -R g+ws $PATH_TO_MISP/app/tmp
sudo chmod -R g+ws $PATH_TO_MISP/app/files
sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
6/ Create a database and user
-----------------------------
# Enter the mysql shell
sudo mysql -u root -p
```
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
```
copy/paste:
```
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
```
# Import the empty MISP database from MYSQL.sql
sudo -u www-data cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
7/ Apache configuration
-----------------------
# Now configure your Apache webserver with the DocumentRoot $PATH_TO_MISP/app/webroot/
# If the apache version is 2.4:
sudo cp $PATH_TO_MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp-ssl.conf
# Be aware that the configuration files for apache 2.4 and up have changed.
# The configuration file has to have the .conf extension in the sites-available directory
# For more information, visit http://httpd.apache.org/docs/2.4/upgrading.html
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)
============================================= Begin sample working SSL config for MISP
<VirtualHost _default_:80>
ServerAdmin admin@<your.FQDN.here>
ServerName <your.FQDN.here>
Redirect permanent / https://<your.FQDN.here>
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost _default_:443>
ServerAdmin admin@<your.FQDN.here>
ServerName <your.FQDN.here>
DocumentRoot $PATH_TO_MISP/app/webroot
<Directory $PATH_TO_MISP/app/webroot>
Options -Indexes
AllowOverride all
Require all granted
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
============================================= End sample working SSL config for MISP
# activate new vhost
sudo a2dissite default-ssl
sudo a2ensite misp-ssl
# Recommended: Change some PHP settings in /etc/php/7.2/apache2/php.ini
# max_execution_time = 300
# memory_limit = 512M
# upload_max_filesize = 50M
# post_max_size = 50M
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
# Restart apache
sudo systemctl restart apache2
8/ Log rotation
---------------
# MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
chmod 0640 /etc/logrotate.d/misp
9/ MISP configuration
---------------------
# There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
echo "<?php
class DATABASE_CONFIG {
public \$default = array(
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => '$DBHOST',
'login' => '$DBUSER_MISP',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
'password' => '$DBPASSWORD_MISP',
'database' => '$DBNAME',
'prefix' => '',
'encoding' => 'utf8',
);
}" | sudo -u www-data tee $PATH_TO_MISP/app/Config/database.php
# and make sure the file permissions are still OK
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
sudo chmod -R 750 $PATH_TO_MISP/app/Config
# Set some MISP directives with the command line tool
sudo $CAKE Live $MISP_LIVE
# Change base url
sudo $CAKE Baseurl $MISP_BASEURL
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# 'baseurl' => '',
# and make sure the file permissions are still OK
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
sudo chmod -R 750 $PATH_TO_MISP/app/Config
# Generate a GPG encryption key.
cat >/tmp/gen-key-script <<EOF
%echo Generating a default key
Key-Type: default
Key-Length: $GPG_KEY_LENGTH
Subkey-Type: default
Name-Real: $GPG_REAL_NAME
Name-Comment: $GPG_COMMENT
Name-Email: $GPG_EMAIL_ADDRESS
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
# Do a commit here, so that we can later print "done"
%commit
%echo done
EOF
sudo -u www-data gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
# And export the public key to the webroot
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | sudo -u www-data tee $PATH_TO_MISP/app/webroot/gpg.asc
# To make the background workers start on boot
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
if [ ! -e /etc/rc.local ]
then
echo '#!/bin/sh -e' | sudo tee -a /etc/rc.local
echo 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod u+x /etc/rc.local
fi
# Initialize user and fetch Auth Key
sudo -E $CAKE userInit -q
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
# Setup some more MISP default via cake CLI
# Tune global time outs
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
# Enable GnuPG
sudo $CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
sudo $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
sudo $CAKE Admin setSetting "GnuPG.password" "Password1234"
# Enable Enrichment set better timeouts
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
sudo $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
# Enable Import modules set better timout
sudo $CAKE Admin setSetting "Plugin.Import_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Import_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Import_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
sudo $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
# Enable Export modules set better timout
sudo $CAKE Admin setSetting "Plugin.Export_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Export_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Export_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
# Enable installer org and tune some configurables
sudo $CAKE Admin setSetting "MISP.host_org_id" 1
sudo $CAKE Admin setSetting "MISP.email" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disable_emailing" true
sudo $CAKE Admin setSetting "MISP.contact" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disablerestalert" true
sudo $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
# Provisional Cortex tunes
sudo $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
# Various plugin sightings settings
sudo $CAKE Admin setSetting "Plugin.Sightings_policy" 0
sudo $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
sudo $CAKE Admin setSetting "Plugin.Sightings_range" 365
# Plugin CustomAuth tuneable
sudo $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
# RPZ Plugin settings
sudo $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
sudo $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
sudo $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
sudo $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
sudo $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
sudo $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
sudo $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
sudo $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
sudo $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
sudo $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
# Force defaults to make MISP Server Settings less RED
sudo $CAKE Admin setSetting "MISP.language" "eng"
sudo $CAKE Admin setSetting "MISP.proposals_block_attributes" false
## Redis block
sudo $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
sudo $CAKE Admin setSetting "MISP.redis_port" 6379
sudo $CAKE Admin setSetting "MISP.redis_database" 13
sudo $CAKE Admin setSetting "MISP.redis_password" ""
# Force defaults to make MISP Server Settings less YELLOW
sudo $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
sudo $CAKE Admin setSetting "MISP.extended_alert_subject" false
sudo $CAKE Admin setSetting "MISP.default_event_threat_level" 4
sudo $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
sudo $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
sudo $CAKE Admin setSetting "MISP.log_client_ip" false
sudo $CAKE Admin setSetting "MISP.log_auth" false
sudo $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
sudo $CAKE Admin setSetting "MISP.block_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
sudo $CAKE Admin setSetting "MISP.block_old_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
sudo $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
sudo $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install"
sudo $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
sudo $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
sudo $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings"
# Force defaults to make MISP Server Settings less GREEN
sudo $CAKE Admin setSetting "Security.password_policy_length" 12
sudo $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
# Tune global time outs
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
# Now log in using the webinterface:
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
# start the workers by navigating to the workers tab and clicking restart all workers
# Don't forget to change the email, password and authentication key after installation.
# Set MISP Live
sudo $CAKE Live $MISP_LIVE
# Update the galaxies…
sudo $CAKE Admin updateGalaxies
# Updating the taxonomies…
sudo $CAKE Admin updateTaxonomies
# Updating the warning lists…
sudo $CAKE Admin updateWarningLists
# Updating the notice lists…
## sudo $CAKE Admin updateNoticeLists
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
# Updating the object templates…
##sudo $CAKE Admin updateObjectTemplates
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
# Add the following lines before the last line (exit 0). Make sure that you replace www-data with your apache user:
sudo sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
sudo sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
sudo sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
# Start the workers
sudo -u www-data bash $PATH_TO_MISP/app/Console/worker/start.sh
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
cd misp-modules
# pip3 install
sudo pip3 install -I -r REQUIREMENTS
sudo pip3 install -I .
sudo pip3 install maec lief python-magic wand
sudo pip3 install git+https://github.com/kbandla/pydeep.git
# install STIX2.0 library to support STIX 2.0 export:
sudo pip3 install stix2
sudo gem install pygments.rb
sudo gem install asciidoctor-pdf --pre
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
sudo chmod -R 750 $PATH_TO_MISP/<directory path with an indicated issue>
sudo chown -R www-data:www-data $PATH_TO_MISP/<directory path with an indicated issue>
# Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items
# If anything goes wrong, make sure that you check MISP's logs for errors:
# $PATH_TO_MISP/app/tmp/logs/error.log
# $PATH_TO_MISP/app/tmp/logs/resque-worker-error.log
# $PATH_TO_MISP/app/tmp/logs/resque-scheduler-error.log
# $PATH_TO_MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
Recommended actions
-------------------
- By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.
- You should really harden your OS
- You should really harden the configuration of Apache
- You should really harden the configuration of MySQL/MariaDB
- Keep your software up2date (OS, MISP, CakePHP and everything else)
- Log and audit
Optional features
-------------------
# set PATH so it includes viper if it exists
if [ -d "/usr/local/src/viper" ] ; then
PATH="$PATH:/usr/local/src/viper"
fi
# set PATH so it includes viper if it exists
if [ -d "/var/www/MISP/app/Console" ] ; then
PATH="$PATH:/var/www/MISP/app/Console"
fi
# MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following commands
# ZeroMQ depends on the Python client for Redis
sudo apt install python3-redis -y
## install pyzmq
sudo apt install python3-zmq -y
MISP Dashboard
--------------
cd /var/www
sudo mkdir misp-dashboard
sudo chown www-data:www-data misp-dashboard
sudo -u www-data git clone https://github.com/MISP/misp-dashboard.git
cd misp-dashboard
sudo /var/www/misp-dashboard/install_dependencies.sh
sudo sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
sudo sed -i -e '$i \sudo -u www-data bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local
sudo sed -i '/Listen 80/a Listen 0.0.0.0:8001' /etc/apache2/ports.conf
sudo apt install libapache2-mod-wsgi-py3
echo "<VirtualHost *:8001>
ServerAdmin admin@misp.local
ServerName misp.local
DocumentRoot /var/www/misp-dashboard
WSGIDaemonProcess misp-dashboard \
user=misp group=misp \
python-home=/var/www/misp-dashboard/DASHENV \
processes=1 \
threads=15 \
maximum-requests=5000 \
listen-backlog=100 \
queue-timeout=45 \
socket-timeout=60 \
connect-timeout=15 \
request-timeout=60 \
inactivity-timeout=0 \
deadlock-timeout=60 \
graceful-timeout=15 \
eviction-timeout=0 \
shutdown-timeout=5 \
send-buffer-size=0 \
receive-buffer-size=0 \
header-buffer-size=0 \
response-buffer-size=0 \
server-metrics=Off
WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi
<Directory /var/www/misp-dashboard>
WSGIProcessGroup misp-dashboard
WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
LogLevel info
ErrorLog /var/log/apache2/misp-dashboard.local_error.log
CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
ServerSignature Off
</VirtualHost>" | sudo tee /etc/apache2/sites-available/misp-dashboard.conf
sudo a2ensite misp-dashboard
sudo systemctl reload apache2
# Enable ZeroMQ for misp-dashboard
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
Install viper framework
-----------------------
cd /usr/local/src/
sudo apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
sudo pip3 install SQLAlchemy PrettyTable python-magic
sudo git clone https://github.com/viper-framework/viper.git
cd viper
sudo git git submodule update --init --recursive
sudo pip3 install -r requirements.txt
sudo pip3 uninstall yara -y
/usr/local/src/viper/viper-cli -h
/usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper"' |sudo tee /etc/environment
sed -i "s/^misp_url\ =/misp_url\ =\ http:\/\/localhost/g" ~/.viper/viper.conf
sed -i "s/^misp_key\ =/misp_key\ =\ $AUTH_KEY/g" ~/.viper/viper.conf
sqlite3 ~/.viper/admin.db 'UPDATE auth_user SET password="pbkdf2_sha256$100000$iXgEJh8hz7Cf$vfdDAwLX8tko1t0M1TLTtGlxERkNnltUnMhbv56wK/U="'
Install mail to misp
--------------------
cd /usr/local/src/
sudo apt-get install -y cmake
sudo git clone https://github.com/MISP/mail_to_misp.git
sudo git clone git://github.com/stricaud/faup.git
cd faup
sudo mkdir -p build
cd build
sudo cmake .. && sudo make
sudo make install
sudo ldconfig
cd ../../
cd mail_to_misp
sudo pip3 install -r requirements.txt
sudo cp mail_to_misp_config.py-example mail_to_misp_config.py
sudo sed -i "s/^misp_url\ =\ 'YOUR_MISP_URL'/misp_url\ =\ 'http:\/\/localhost'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
sudo sed -i "s/^misp_key\ =\ 'YOUR_KEY_HERE'/misp_key\ =\ '$AUTH_KEY'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py