Merge branch '2.4' of github.com:MISP/MISP into 2.4

pull/4138/head
iglocska 2019-02-08 16:30:55 +01:00
commit 6505a4c8dc
7 changed files with 49 additions and 62 deletions


@ -134,6 +134,7 @@ $config = array(
'apacheEnv' => 'REMOTE_USER', // If proxy variable = HTTP_REMOTE_USER
'ldapServer' => 'ldap://example.com', // FQDN or IP
'ldapProtocol' => 3,
'ldapNetworkTimeout' => -1, // use -1 for unlimited network timeout
'ldapReaderUser' => 'cn=userWithReadAccess,ou=users,dc=example,dc=com', // DN ou RDN LDAP with reader user right
'ldapReaderPassword' => 'UserPassword', // the LDAP reader user password
'ldapDN' => 'dc=example,dc=com',
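Review bot: The sample value added for `ldapNetworkTimeout` is `-1`, which the inline comment itself describes as an unlimited network timeout. A deployment that copies this file unchanged will therefore wait indefinitely on an unreachable LDAP server whenever the LDAP lookup runs. A finite sample value with the opt-out documented would be a safer default, for example `'ldapNetworkTimeout' => 5, // seconds; use -1 for unlimited network timeout` (5 is only an illustrative value). The `$config` array begins and ends outside the hunk.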


@ -51,7 +51,9 @@ class ApacheAuthenticate extends BaseAuthenticate
$ldaprdn = Configure::read('ApacheSecureAuth.ldapReaderUser'); // DN ou RDN LDAP
$ldappass = Configure::read('ApacheSecureAuth.ldapReaderPassword');
$ldapSearchFilter = Configure::read('ApacheSecureAuth.ldapSearchFilter');
// LDAP connection
ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, Configure::read('ApacheSecureAuth.ldapNetworkTimeout', -1));
$ldapconn = ldap_connect(Configure::read('ApacheSecureAuth.ldapServer'))
or die('LDAP server connection failed');
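Review bot: The `-1` passed as a second argument to `Configure::read()` on the added `ldap_set_option` line only acts as a default if this framework version accepts one. The framework version is not visible here, but in CakePHP 2.x `Configure::read()` takes just the key, so an installation whose config lacks `ldapNetworkTimeout` would hand `null` to `ldap_set_option`. The return value of `ldap_set_option` is also ignored, so a rejected value goes unnoticed. Reading the setting first and falling back explicitly avoids both problems: `$timeout = Configure::read('ApacheSecureAuth.ldapNetworkTimeout');` followed by `ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, $timeout === null ? -1 : (int)$timeout);`. The enclosing method starts and ends outside the hunk.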


@ -868,10 +868,11 @@ class ServersController extends AppController
$zmqErrors = array(0 => 'OK', 1 => 'not enabled (so not tested)', 2 => 'Python ZeroMQ library not installed correctly.', 3 => 'ZeroMQ script not running.');
$stixOperational = array(0 => 'Some of the libraries related to STIX are not installed. Make sure that all libraries listed below are correctly installed.', 1 => 'OK');
$stixVersion = array(0 => 'Incorrect STIX version installed, found $current, expecting $expected', 1 => 'OK');
$stix2Version = array(0 => 'Incorrect STIX2 version installed, found $current, expecting $expected', 1 => 'OK');
$cyboxVersion = array(0 => 'Incorrect CyBox version installed, found $current, expecting $expected', 1 => 'OK');
$mixboxVersion = array(0 => 'Incorrect mixbox version installed, found $current, expecting $expected', 1 => 'OK');
$maecVersion = array(0 => 'Incorrect maec version installed, found $current, expecting $expected', 1 => 'OK');
$pymispVersion = array(0 => 'Incorrect pymisp version installed, found $current, expecting $expected', 1 => 'OK');
$pymispVersion = array(0 => 'Incorrect PyMISP version installed, found $current, expecting $expected', 1 => 'OK');
$sessionErrors = array(0 => 'OK', 1 => 'High', 2 => 'Alternative setting used', 3 => 'Test failed');
$moduleErrors = array(0 => 'OK', 1 => 'System not enabled', 2 => 'No modules found');
@ -991,7 +992,7 @@ class ServersController extends AppController
}
// check if the STIX and Cybox libraries are working and the correct version using the test script stixtest.py
$stix = $this->Server->stixDiagnostics($diagnostic_errors, $stixVersion, $cyboxVersion, $mixboxVersion, $maecVersion, $pymispVersion);
$stix = $this->Server->stixDiagnostics($diagnostic_errors, $stixVersion, $cyboxVersion, $mixboxVersion, $maecVersion, $stix2Version, $pymispVersion);
// if GnuPG is set up in the settings, try to encrypt a test message
$gpgStatus = $this->Server->gpgDiagnostics($diagnostic_errors);
@ -1012,7 +1013,7 @@ class ServersController extends AppController
$sessionStatus = $this->Server->sessionDiagnostics($diagnostic_errors, $sessionCount);
$this->set('sessionCount', $sessionCount);
$additionalViewVars = array('gpgStatus', 'sessionErrors', 'proxyStatus', 'sessionStatus', 'zmqStatus', 'stixVersion', 'cyboxVersion', 'mixboxVersion', 'maecVersion', 'pymispVersion', 'moduleStatus', 'gpgErrors', 'proxyErrors', 'zmqErrors', 'stixOperational', 'stix', 'moduleErrors', 'moduleTypes');
$additionalViewVars = array('gpgStatus', 'sessionErrors', 'proxyStatus', 'sessionStatus', 'zmqStatus', 'stixVersion', 'cyboxVersion', 'mixboxVersion', 'maecVersion', 'stix2Version', 'pymispVersion', 'moduleStatus', 'gpgErrors', 'proxyErrors', 'zmqErrors', 'stixOperational', 'stix', 'moduleErrors', 'moduleTypes');
}
// check whether the files are writeable
$writeableDirs = $this->Server->writeableDirsDiagnostics($diagnostic_errors);
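Review bot: `$stix2Version` is inserted in the middle of the positional, by-reference argument list of `stixDiagnostics()` (between `$maecVersion` and `$pymispVersion`) rather than appended, and the model signature in the next file section changes the same way. Any other caller still using the old six-argument order would bind its `$pymispVersion` array to the new `$stix2Version` slot and then fail on the missing seventh argument. It is worth checking for other callers; appending the new parameter after `$pymispVersion` would keep the existing positions stable. The enclosing controller action starts and ends outside these hunks.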


@ -3777,15 +3777,15 @@ class Server extends AppModel
return $readableFiles;
}
public function stixDiagnostics(&$diagnostic_errors, &$stixVersion, &$cyboxVersion, &$mixboxVersion, &$maecVersion, &$pymispVersion)
public function stixDiagnostics(&$diagnostic_errors, &$stixVersion, &$cyboxVersion, &$mixboxVersion, &$maecVersion, &$stix2Version, &$pymispVersion)
{
$result = array();
$expected = array('stix' => '1.2.0.6', 'cybox' => '2.1.0.18.dev0', 'mixbox' => '1.0.3', 'maec' => '4.1.0.14', 'pymisp' => '>2.4.93');
$expected = array('stix' => '1.2.0.6', 'cybox' => '2.1.0.18.dev0', 'mixbox' => '1.0.3', 'maec' => '4.1.0.14', 'stix2' => '1.1.1', 'pymisp' => '>2.4.93');
// check if the STIX and Cybox libraries are working using the test script stixtest.py
$scriptResult = shell_exec($this->getPythonVersion() . ' ' . APP . 'files' . DS . 'scripts' . DS . 'stixtest.py');
$scriptResult = json_decode($scriptResult, true);
if ($scriptResult == null) {
return array('operational' => 0, 'stix' => array('expected' => $expected['stix']), 'cybox' => array('expected' => $expected['cybox']), 'mixbox' => array('expected' => $expected['mixbox']), 'maec' => array('expected' => $expected['maec']), 'pymisp' => array('expected' => $expected['pymisp']));
return array('operational' => 0, 'stix' => array('expected' => $expected['stix']), 'cybox' => array('expected' => $expected['cybox']), 'mixbox' => array('expected' => $expected['mixbox']), 'maec' => array('expected' => $expected['maec']), 'stix2' => array('expected' => $expected['stix2']), 'pymisp' => array('expected' => $expected['pymisp']));
}
$scriptResult['operational'] = $scriptResult['success'];
if ($scriptResult['operational'] == 0) {
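Review bot: Only the `$expected` map and the early `return` for an unparsable script result gain a `stix2` entry in the visible lines, and the new `&$stix2Version` parameter is not used anywhere in the hunk. The code that fills in the per-package status lies below the hunk, while the view changed in this commit reads `$stix['stix2']['status']`. Please confirm that the per-package comparison further down also covers `'stix2'` and uses `$stix2Version`, otherwise the diagnostics page would hit an undefined index for the new package. The body of `stixDiagnostics()` continues outside the hunk.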


@ -203,6 +203,7 @@
<b>CyBox</b>: <?php echo $stix['cybox']['expected'];?><br />
<b>mixbox</b>: <?php echo $stix['mixbox']['expected'];?><br />
<b>maec</b>: <?php echo $stix['maec']['expected'];?><br />
<b>STIX2</b>: <?php echo $stix['stix2']['expected'];?><br />
<b>PyMISP</b>: <?php echo $stix['pymisp']['expected'];?><br />
<?php echo __('Other versions might work but are not tested / recommended.');?></p>
<div style="background-color:#f7f7f9;width:400px;">
@ -221,7 +222,7 @@
if (!$testReadError) {
$error_count = 0;
$libraries = '';
foreach (array('stix', 'cybox', 'mixbox', 'maec', 'pymisp') as $package) {
foreach (array('stix', 'cybox', 'mixbox', 'maec', 'stix2', 'pymisp') as $package) {
$lib_colour = 'green';
if ($stix[$package]['status'] == 0) {
$lib_colour = 'red';
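Review bot: The added `STIX2` line echoes `$stix['stix2']['expected']` without escaping, following the pattern of the neighbouring lines. As far as the model hunk shows, this value is a constant set server-side, so nothing here is attacker-controlled today. Escaping at output would still keep the template safe if the source of these values ever changes: `<b>STIX2</b>: <?php echo h($stix['stix2']['expected']);?><br />`. The same applies to the existing lines for the other packages, which are context here.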


@ -8,6 +8,7 @@ results = {
'cybox': 0,
'mixbox': 0,
'maec': 0,
'stix2': 0,
'pymisp': 0
}
try:
@ -40,12 +41,19 @@ try:
except Exception:
results['success'] = 0
try:
import stix2
results['stix2'] = stix2.__version__
except Exception:
results['success'] = 0
print(json.dumps({
'success': results['success'],
'stix': results['stix'],
'cybox': results['cybox'],
'mixbox': results['mixbox'],
'maec': results['maec'],
'stix2': results['stix2'],
'pymisp': results['pymisp']
}))
sys.exit(1)
sys.exit(0)
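Review bot: A failed `import stix2` in the added block sets `results['success'] = 0`, so a host with a working STIX 1 stack but no stix2 is now reported as non-operational overall, and `except Exception` discards the reason. If stix2 is optional for some deployments, leave `success` untouched in this block and let the `0` left in `results['stix2']` signal the missing library. If it is mandatory, narrowing the handler to `except ImportError:` would keep unrelated failures from being folded into the same result. The `try` that opens the second hunk begins outside it.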


@ -25,7 +25,7 @@ The following assumptions with regard to this installation have been made.
## 1.2/ Configure system hostname
```bash
sudo hostnamectl set-hostname misp # You're choice, in a production environment, it's best to use a FQDN
sudo hostnamectl set-hostname misp # Your choice, in a production environment, it's best to use a FQDN
```
## 1.3/ Register the system for updates with Red Hat Subscription Manager
@ -38,8 +38,7 @@ sudo subscription-manager register --auto-attach # register your system to an ac
sudo subscription-manager refresh
sudo subscription-manager repos --enable rhel-7-server-optional-rpms
sudo subscription-manager repos --enable rhel-7-server-extras-rpms
# This fails on a Trial subscription, it seems.
##sudo subscription-manager repos --enable rhel-server-rhscl-7-rpms
sudo subscription-manager repos --enable rhel-server-rhscl-7-rpms
```
### 1.5a/ OPTIONAL: Install the deltarpm package to help reduce download size when installing updates
@ -64,11 +63,6 @@ yum update -y
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
```
## 1.7/ Install the SCL repo
```bash
yum install centos-release-scl
```
# 2/ Install Dependencies
Once the system is installed and updated, the following steps can be performed as root
@ -84,8 +78,7 @@ yum install rh-mariadb102
## 2.03/ Start the MariaDB service and enable it to start on boot
```bash
systemctl start rh-mariadb102-mariadb.service
systemctl enable rh-mariadb102-mariadb.service
systemctl enable --now rh-mariadb102-mariadb.service
```
!!! note
@ -93,7 +86,7 @@ systemctl enable rh-mariadb102-mariadb.service
This guide installs PHP 7.1 from SCL
!!! warning
[PHP 5.6 will be EOL in December 2018](https://secure.php.net/supported-versions.php). Please update accordingly. In future only PHP7 will be supported.
[PHP 5.6 and 7.0 aren't supported since December 2018](https://secure.php.net/supported-versions.php). Please update accordingly. In the future only PHP7 will be supported.
## 2.04/ Install PHP 7.1 from SCL
```bash
@ -105,8 +98,7 @@ yum install rh-php71 rh-php71-php-fpm rh-php71-php-devel rh-php71-php-mysqlnd rh
## 2.05/ Start the PHP FPM service and enable to start on boot
```bash
systemctl start rh-php71-php-fpm.service
systemctl enable rh-php71-php-fpm.service
systemctl enable --now rh-php71-php-fpm.service
```
## 2.06/ Install redis 3.2 from SCL
@ -116,22 +108,17 @@ yum install rh-redis32
## 2.07/ Start redis service and enable to start on boot
```bash
systemctl start rh-redis32-redis.service
systemctl enable rh-redis32-redis.service
```
## 2.08/ Start a SCL shell with rh-mariadb102 rh-php71 and rh-redis32 enabled
```bash
scl enable rh-mariadb102 rh-php71 rh-redis32 bash
systemctl enable --now rh-redis32-redis.service
```
## 2.08/ Secure the MariaDB installation, run the following command and follow the prompts
```bash
mysql_secure_installation
scl enable rh-mariadb102 'mysql_secure_installation'
```
## 2.10/ Update the PHP extension repository and install required package
```bash
scl enable rh-php71 rh-redis32 bash
pear channel-update pear.php.net
pear install Crypt_GPG
```
@ -139,8 +126,7 @@ pear install Crypt_GPG
## 2.11/ Install haveged and enable to start on boot to provide entropy for GPG
```bash
yum install haveged
systemctl start haveged
systemctl enable haveged
systemctl enable --now haveged
```
## 2.12/ Install Python 3.6 from SCL
@ -228,7 +214,7 @@ php composer.phar install
## 4.03/ Install and configure php redis connector through pecl
```bash
pecl install redis
scl enable rh-php71 'pecl install redis'
echo "extension=redis.so" > /etc/opt/rh/rh-php71/php-fpm.d/redis.ini
ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php71/php.d/99-redis.ini
systemctl restart rh-php71-php-fpm.service
@ -276,7 +262,7 @@ systemctl restart rh-mariadb102-mariadb
## 6.02/ Start MariaDB shell and create database
```bash
mysql -u root -p
scl enable rh-mariadb102 'mysql -u root -p'
```
```
@ -316,8 +302,7 @@ setsebool -P httpd_can_network_connect on
## 7.03/ Enable and start the httpd service
```bash
systemctl enable httpd.service
systemctl start httpd.service
systemctl enable --now httpd.service
```
## 7.04/ Open a hole in the firewalld service
@ -332,6 +317,7 @@ firewall-cmd --reload
Check out the apache.misp.ssl file for an example
# 8/ Log Rotation
## 8.01/ Enable log rotation
MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs
To rotate these logs install the supplied logrotate script:
```
@ -339,13 +325,13 @@ cp INSTALL/misp.logrotate /etc/logrotate.d/misp
chmod 0640 /etc/logrotate.d/misp
```
## 8.01/ Allow logrotate to work under SELinux and modify the log files
## 8.02/ Allow logrotate to work under SELinux and modify the log files
```bash
semanage fcontext -a -t httpd_log_t "/var/www/MISP/app/tmp/logs(/.*)?"
chcon -R -t httpd_log_t /var/www/MISP/app/tmp/logs
```
## 8.02/ Allow logrotate to read /var/www
## 8.03/ Allow logrotate to read /var/www
```bash
checkmodule -M -m -o /tmp/misplogrotate.mod INSTALL/misplogrotate.te
semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod
@ -486,46 +472,34 @@ scl enable rh-python36 pip3 install pymisp
yum install devtoolset-7 cmake3
```
## 11.02/ Enable devtoolset-7
## 11.02/ Create the directory and download the source code
```bash
scl enable devtoolset-7 bash
cd /var/www/MISP/app/files/scripts
git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
```
## 11.03/ Set env variable, create directories and download source code
## 11.03/ Compile lief and install it
```bash
mkdir -p /tmp/LIEF
mkdir -p /tmp/LIEF_INSTALL
export LIEF_TMP=/tmp/LIEF
export LIEF_INSTALL=/tmp/LIEF_INSTALL
export LIEF_BRANCH=master
cd $LIEF_TMP
git clone --branch $LIEF_BRANCH --single-branch https://github.com/lief-project/LIEF.git LIEF
```
## 11.04/ Compile lief and install
```bash
cd $LIEF_TMP/LIEF
mkdir -p build
cd /var/www/MISP/app/files/scripts/lief
mkdir build
cd build
scl enable devtoolset-7 'bash -c "cmake3 \
scl enable devtoolset-7 rh-python36 'bash -c "cmake3 \
-DLIEF_PYTHON_API=on \
-DLIEF_DOC=off \
-DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \
-DCMAKE_BUILD_TYPE=Release \
-DPYTHON_VERSION=2.7 \
-DPYTHON_VERSION=3.6 \
.."'
make -j3
cd api/python
scl enable rh-python36 python3 setup.py install || :
# you can ignore the error about finding suitable distribution
cd $LIEF_TMP/LIEF/build
make install
make package
scl enable rh-python36 'python3 setup.py install || :'
# when running setup.py, pip will download and install remote LIEF packages that will prevent MISP from detecting the packages that you compiled ; remove them
find /opt/rh/rh-python36/root/ -name "*lief*" -exec rm -rf {} \;
```
## 11.05/ Test lief installation, if no error, package installed
## 11.04/ Test lief installation, if no error, package installed
```bash
python
scl enable rh-python36 python3
>> import lief
```