From 28c15d029bddbf97dd98d8500f6036a2650ed14e Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Wed, 24 Apr 2019 18:47:27 +0900 Subject: [PATCH 1/2] chg: [doc] Added more changes to the RHEL/CentOS install doc. --- docs/INSTALL.rhel7.md | 600 ++++++++++++++++++++---------------------- 1 file changed, 286 insertions(+), 314 deletions(-) diff --git a/docs/INSTALL.rhel7.md b/docs/INSTALL.rhel7.md index 15c1b85fc..e9204d671 100644 --- a/docs/INSTALL.rhel7.md +++ b/docs/INSTALL.rhel7.md @@ -236,7 +236,7 @@ $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis # lief needs manual compilation -sudo yum install devtoolset-7 cmake3 -y +sudo yum install devtoolset-7 cmake3 cppcheck -y # FIXME: This does not work! cd $PATH_TO_MISP/app/files/scripts/lief @@ -249,19 +249,17 @@ $SUDO_WWW scl enable devtoolset-7 rh-python36 "bash -c 'cmake3 \ -DLIEF_DOC=off \ -DCMAKE_BUILD_TYPE=Release \ ..'" -#-DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \ -$SUDO_WWW make -j3 -sudo make install -cd api/python/lief_pybind11-prefix/src/lief_pybind11 -$SUDO_WWW $PATH_TO_MISP/venv/bin/python setup.py install -$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install https://github.com/lief-project/packages/raw/lief-master-latest/pylief-0.9.0.dev.zip +$SUDO_WWW make -j3 pyLIEF + +# The following adds a PYTHONPATH to where the pyLIEF module has been compiled +echo /var/www/MISP/app/files/scripts/lief/build/api/python |$SUDO_WWW tee /var/www/MISP/venv/lib/python3.6/site-packages/lief.pth # install magic, pydeep $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git # install PyMISP cd $PATH_TO_MISP/PyMISP -$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install . +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U . # Enable python3 for php-fpm echo 'source scl_source enable rh-python36' | sudo tee -a /etc/opt/rh/rh-php72/sysconfig/php-fpm 
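Review bot: The new `lief.pth` line hard-codes `/var/www/MISP` twice while every neighbouring command derives its paths from `$PATH_TO_MISP`, so a reader who chose a different install location gets a `.pth` that points at a directory that does not exist, written into a venv they are not using. Suggested form: `echo $PATH_TO_MISP/app/files/scripts/lief/build/api/python | $SUDO_WWW tee $PATH_TO_MISP/venv/lib/python3.6/site-packages/lief.pth`. The `python3.6` path segment is tied to the rh-python36 collection used by the `scl enable` line above; a one-line comment saying so would save the next person who bumps the collection a puzzled hour. The `# FIXME: This does not work!` context line from the preceding hunk still stands after this change, so it is unclear to the reader whether the build is now expected to succeed.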
@@ -286,139 +284,135 @@ sudo systemctl restart rh-php72-php-fpm.service CakePHP is now included as a submodule of MISP and has been fetch by a previous step. ```bash -sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP -sudo mkdir /usr/share/httpd/.composer -sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.composer -cd $PATH_TO_MISP/app -# Update composer.phar (optional) -#$SUDO_WWW $RUN_PHP -- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" -#$SUDO_WWW $RUN_PHP -- php -r "if (hash_file('SHA384', 'composer-setup.php') === '48e3236262b34d30969dca3c37281b3b4bbe3221bda826ac6a9a62d6444cdb0dcd0615698a5cbe587c3f0fe57a54d8f5') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" -#$SUDO_WWW $RUN_PHP "php composer-setup.php" -#$SUDO_WWW $RUN_PHP -- php -r "unlink('composer-setup.php');" -$SUDO_WWW $RUN_PHP "php composer.phar require kamisama/cake-resque:4.1.2" -$SUDO_WWW $RUN_PHP "php composer.phar config vendor-dir Vendor" -$SUDO_WWW $RUN_PHP "php composer.phar install" +# +installCake_RHEL () +{ + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP + sudo mkdir /usr/share/httpd/.composer + sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.composer + cd $PATH_TO_MISP/app + # Update composer.phar (optional) + #$SUDO_WWW $RUN_PHP -- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" + #$SUDO_WWW $RUN_PHP -- php -r "if (hash_file('SHA384', 'composer-setup.php') === '48e3236262b34d30969dca3c37281b3b4bbe3221bda826ac6a9a62d6444cdb0dcd0615698a5cbe587c3f0fe57a54d8f5') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" + #$SUDO_WWW $RUN_PHP "php composer-setup.php" + #$SUDO_WWW $RUN_PHP -- php -r "unlink('composer-setup.php');" + $SUDO_WWW $RUN_PHP "php composer.phar require kamisama/cake-resque:4.1.2" + $SUDO_WWW $RUN_PHP "php composer.phar config vendor-dir Vendor" + $SUDO_WWW $RUN_PHP "php composer.phar install" -## sudo 
yum install php-redis -y -sudo scl enable rh-php72 'pecl channel-update pecl.php.net' -sudo scl enable rh-php72 'pecl install redis' -echo "extension=redis.so" |sudo tee /etc/opt/rh/rh-php72/php-fpm.d/redis.ini -sudo ln -s /etc/opt/rh/rh-php72/php-fpm.d/redis.ini /etc/opt/rh/rh-php72/php.d/99-redis.ini -sudo systemctl restart rh-php72-php-fpm.service + ## sudo yum install php-redis -y + sudo scl enable rh-php72 'pecl channel-update pecl.php.net' + sudo scl enable rh-php72 'pecl install redis' + echo "extension=redis.so" |sudo tee /etc/opt/rh/rh-php72/php-fpm.d/redis.ini + sudo ln -s /etc/opt/rh/rh-php72/php-fpm.d/redis.ini /etc/opt/rh/rh-php72/php.d/99-redis.ini + sudo systemctl restart rh-php72-php-fpm.service -# If you have not yet set a timezone in php.ini -echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/opt/rh/rh-php72/php-fpm.d/timezone.ini -sudo ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php72/php.d/99-timezone.ini + # If you have not yet set a timezone in php.ini + echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/opt/rh/rh-php72/php-fpm.d/timezone.ini + sudo ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php72/php.d/99-timezone.ini -# Recommended: Change some PHP settings in /etc/opt/rh/rh-php72/php.ini -# max_execution_time = 300 -# memory_limit = 512M -# upload_max_filesize = 50M -# post_max_size = 50M -for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit -do - sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI -done -sudo systemctl restart rh-php72-php-fpm.service + # Recommended: Change some PHP settings in /etc/opt/rh/rh-php72/php.ini + # max_execution_time = 300 + # memory_limit = 512M + # upload_max_filesize = 50M + # post_max_size = 50M + for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit + do + sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI + done + sudo systemctl restart rh-php72-php-fpm.service -# To use the scheduler worker for 
scheduled tasks, do the following: -sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php + # To use the scheduler worker for scheduled tasks, do the following: + sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php +} +# ``` # 5/ Set file permissions ```bash -# Make sure the permissions are set correctly using the following commands as root: -sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP -## ? chown -R root:apache /var/www/MISP -sudo find $PATH_TO_MISP -type d -exec chmod g=rx {} \; -sudo chmod -R g+r,o= $PATH_TO_MISP -## **Note :** For updates through the web interface to work, apache must own the /var/www/MISP folder and its subfolders as shown above, which can lead to security issues. If you do not require updates through the web interface to work, you can use the following more restrictive permissions : -sudo chmod -R 750 $PATH_TO_MISP -sudo chmod -R g+xws $PATH_TO_MISP/app/tmp -sudo chmod -R g+ws $PATH_TO_MISP/app/files -sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp -sudo chmod -R g+rw $PATH_TO_MISP/venv -sudo chmod -R g+rw $PATH_TO_MISP/.git -sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/files -sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/files/terms -sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/files/scripts/tmp -sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Plugin/CakeResque/tmp -sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config -sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/tmp -sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/img/orgs -sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/img/custom +# +# Main function to fix permissions to something sane +permissions_RHEL () { + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP + ## ? 
chown -R root:apache /var/www/MISP + sudo find $PATH_TO_MISP -type d -exec chmod g=rx {} \; + sudo chmod -R g+r,o= $PATH_TO_MISP + ## **Note :** For updates through the web interface to work, apache must own the /var/www/MISP folder and its subfolders as shown above, which can lead to security issues. If you do not require updates through the web interface to work, you can use the following more restrictive permissions : + sudo chmod -R 750 $PATH_TO_MISP + sudo chmod -R g+xws $PATH_TO_MISP/app/tmp + sudo chmod -R g+ws $PATH_TO_MISP/app/files + sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp + sudo chmod -R g+rw $PATH_TO_MISP/venv + sudo chmod -R g+rw $PATH_TO_MISP/.git + sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/files + sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/files/terms + sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/files/scripts/tmp + sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Plugin/CakeResque/tmp + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/tmp + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/img/orgs + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/img/custom +} +# ``` # 6/ Create database and user -## 6.01/ Set database to listen on localhost only + +## 6.01/ Set database to listen on localhost oncology's ```bash -# Enable, start and secure your mysql database server -sudo systemctl enable --now rh-mariadb102-mariadb.service -echo [mysqld] |sudo tee /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf -echo bind-address=127.0.0.1 |sudo tee -a /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf -sudo systemctl restart rh-mariadb102-mariadb -``` +# +prepareDB_RHEL () { + # Enable, start and secure your mysql database server + sudo systemctl enable --now rh-mariadb102-mariadb.service + echo [mysqld] |sudo tee /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf + echo bind-address=127.0.0.1 |sudo tee -a 
/etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf + sudo systemctl restart rh-mariadb102-mariadb -```bash -sudo yum install expect -y + sudo yum install expect -y -# Add your credentials if needed, if sudo has NOPASS, comment out the relevant lines -pw="Password1234" + ## The following needs some thoughts about scl enable foo + #if [[ ! -e /var/opt/rh/rh-mariadb102/lib/mysql/misp/users.ibd ]]; then -expect -f - <<-EOF - set timeout 10 + # Add your credentials if needed, if sudo has NOPASS, comment out the relevant lines + pw="Password1234" - spawn sudo scl enable rh-mariadb102 mysql_secure_installation - expect "*?assword*" - send -- "$pw\r" - expect "Enter current password for root (enter for none):" - send -- "\r" - expect "Set root password?" - send -- "y\r" - expect "New password:" - send -- "${DBPASSWORD_ADMIN}\r" - expect "Re-enter new password:" - send -- "${DBPASSWORD_ADMIN}\r" - expect "Remove anonymous users?" - send -- "y\r" - expect "Disallow root login remotely?" - send -- "y\r" - expect "Remove test database and access to it?" - send -- "y\r" - expect "Reload privilege tables now?" - send -- "y\r" - expect eof + expect -f - <<-EOF + set timeout 10 + + spawn sudo scl enable rh-mariadb102 mysql_secure_installation + expect "*?assword*" + send -- "$pw\r" + expect "Enter current password for root (enter for none):" + send -- "\r" + expect "Set root password?" + send -- "y\r" + expect "New password:" + send -- "${DBPASSWORD_ADMIN}\r" + expect "Re-enter new password:" + send -- "${DBPASSWORD_ADMIN}\r" + expect "Remove anonymous users?" + send -- "y\r" + expect "Disallow root login remotely?" + send -- "y\r" + expect "Remove test database and access to it?" + send -- "y\r" + expect "Reload privilege tables now?" 
+ send -- "y\r" + expect eof EOF -sudo yum remove tcl expect -y + sudo yum remove tcl expect -y -sudo systemctl restart rh-mariadb102-mariadb -``` + sudo systemctl restart rh-mariadb102-mariadb -## 6.02/ Manual procedur: Start a MariaDB shell and create the database -```bash -# Enter the mysql shell -scl enable rh-mariadb102 'mysql -u root -p' -``` + scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'CREATE DATABASE $DBNAME;'" + scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT USAGE on *.* to $DBNAME@localhost IDENTIFIED by '$DBPASSWORD_MISP';\"" + scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';\"" + scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;'" -``` -MariaDB [(none)]> create database misp; -MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX'; -MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ; -MariaDB [(none)]> exit -``` - -## 6.02a/ Same as Manual but for copy/paste foo: -```bash -scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'CREATE DATABASE $DBNAME;'" -scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT USAGE on *.* to $DBNAME@localhost IDENTIFIED by '$DBPASSWORD_MISP';\"" -scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e \"GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';\"" -scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;'" -``` - -## 6.03/ Import the empty MySQL database from MYSQL.sql -```bash -$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME" + $SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME" +} +# ``` # 7/ Apache Configuration 
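Review bot: The new heading `## 6.01/ Set database to listen on localhost oncology's` has a stray word where the old heading read `... localhost only`; it should go back to `## 6.01/ Set database to listen on localhost only`. Inside `prepareDB_RHEL`, the four `scl enable rh-mariadb102 "mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN ..."` lines and the `MYSQL.sql` import pass the database passwords on the command line, where they are visible to every local user via `ps` for the lifetime of each command; MariaDB accepts the same values through `MYSQL_PWD` or a `--defaults-extra-file`, which keeps them off argv. `installCake_RHEL` calls `sudo mkdir /usr/share/httpd/.composer` without `-p`, so re-running the function after a partial install fails at that line; `sudo mkdir -p /usr/share/httpd/.composer` is the idempotent form. The `pw="Password1234"` placeholder for the sudo password is now buried in a function body, which makes it easier to overlook than when it stood alone; the comment above it should state plainly that it must be edited before the function is sourced.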
@@ -432,74 +426,78 @@ $SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | sudo scl enable rh-mariadb102 "m If it is disabled, you can ignore the **chcon/setsebool/semanage/checkmodule/semodule*** commands. ```bash -# Now configure your apache server with the DocumentRoot $PATH_TO_MISP/app/webroot/ -# A sample vhost can be found in $PATH_TO_MISP/INSTALL/apache.misp.centos7 +# +apacheConfig_RHEL () { + # Now configure your apache server with the DocumentRoot $PATH_TO_MISP/app/webroot/ + # A sample vhost can be found in $PATH_TO_MISP/INSTALL/apache.misp.centos7 -sudo cp $PATH_TO_MISP/INSTALL/apache.misp.centos7.ssl /etc/httpd/conf.d/misp.ssl.conf -sudo rm /etc/httpd/conf.d/ssl.conf -sudo chmod 644 /etc/httpd/conf.d/misp.ssl.conf -sudo sed -i '/Listen 80/a Listen 443' /etc/httpd/conf/httpd.conf + sudo cp $PATH_TO_MISP/INSTALL/apache.misp.centos7.ssl /etc/httpd/conf.d/misp.ssl.conf + sudo rm /etc/httpd/conf.d/ssl.conf + sudo chmod 644 /etc/httpd/conf.d/misp.ssl.conf + sudo sed -i '/Listen 80/a Listen 443' /etc/httpd/conf/httpd.conf -# If a valid SSL certificate is not already created for the server, create a self-signed certificate: -echo "The Common Name used below will be: ${OPENSSL_CN}" -# This will take a rather long time, be ready. 
(13min on a VM, 8GB Ram, 1 core) -sudo openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 4096 -sudo openssl genrsa -des3 -passout pass:x -out /tmp/misp.local.key 4096 -sudo openssl rsa -passin pass:x -in /tmp/misp.local.key -out /etc/pki/tls/private/misp.local.key -sudo rm /tmp/misp.local.key -sudo openssl req -new -subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" -key /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.csr -sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/misp.local.csr -signkey /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.crt -sudo ln -s /etc/pki/tls/certs/misp.local.csr /etc/pki/tls/certs/misp-chain.crt -cat /etc/pki/tls/certs/dhparam.pem |sudo tee -a /etc/pki/tls/certs/misp.local.crt + # If a valid SSL certificate is not already created for the server, create a self-signed certificate: + echo "The Common Name used below will be: ${OPENSSL_CN}" + # This will take a rather long time, be ready. 
(13min on a VM, 8GB Ram, 1 core) + sudo openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 4096 + sudo openssl genrsa -des3 -passout pass:x -out /tmp/misp.local.key 4096 + sudo openssl rsa -passin pass:x -in /tmp/misp.local.key -out /etc/pki/tls/private/misp.local.key + sudo rm /tmp/misp.local.key + sudo openssl req -new -subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" -key /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.csr + sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/misp.local.csr -signkey /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.crt + sudo ln -s /etc/pki/tls/certs/misp.local.csr /etc/pki/tls/certs/misp-chain.crt + cat /etc/pki/tls/certs/dhparam.pem |sudo tee -a /etc/pki/tls/certs/misp.local.crt -sudo systemctl restart httpd.service + sudo systemctl restart httpd.service -# Since SELinux is enabled, we need to allow httpd to write to certain directories -sudo chcon -t usr_t $PATH_TO_MISP/venv -sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files -sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/terms -sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp -sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Plugin/CakeResque/tmp -sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/cake -sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/start.sh -sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmq.py -sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmqtest.py -sudo chcon -t httpd_sys_script_exec_t /usr/bin/ps -sudo chcon -t httpd_sys_script_exec_t /usr/bin/grep -sudo chcon -t httpd_sys_script_exec_t /usr/bin/awk -sudo chcon -t httpd_sys_script_exec_t /usr/bin/gpg -sudo chcon -R -t usr_t $PATH_TO_MISP/venv -sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git 
-sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp -sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Lib -sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config -sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp -sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/orgs -sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/custom -sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/mispzmq + # Since SELinux is enabled, we need to allow httpd to write to certain directories + sudo chcon -t usr_t $PATH_TO_MISP/venv + sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files + sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/terms + sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp + sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Plugin/CakeResque/tmp + sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/cake + sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/start.sh + sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmq.py + sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmqtest.py + sudo chcon -t httpd_sys_script_exec_t /usr/bin/ps + sudo chcon -t httpd_sys_script_exec_t /usr/bin/grep + sudo chcon -t httpd_sys_script_exec_t /usr/bin/awk + sudo chcon -t httpd_sys_script_exec_t /usr/bin/gpg + sudo chcon -R -t usr_t $PATH_TO_MISP/venv + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Lib + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/orgs + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/custom + sudo chcon -R -t 
httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/mispzmq +} +# ``` !!! warning Todo: Revise all permissions so update in Web UI works. ```bash -# Allow httpd to connect to the redis server and php-fpm over tcp/ip -sudo setsebool -P httpd_can_network_connect on +# +firewall_RHEL () { + # Allow httpd to connect to the redis server and php-fpm over tcp/ip + sudo setsebool -P httpd_can_network_connect on -# Allow httpd to send emails from php -sudo setsebool -P httpd_can_sendmail on + # Allow httpd to send emails from php + sudo setsebool -P httpd_can_sendmail on -# Enable and start the httpd service -sudo systemctl enable --now httpd.service + # Enable and start the httpd service + sudo systemctl enable --now httpd.service -# Open a hole in the iptables firewall -sudo firewall-cmd --zone=public --add-port=80/tcp --permanent -sudo firewall-cmd --zone=public --add-port=443/tcp --permanent -sudo firewall-cmd --reload - -# We seriously recommend using only HTTPS / SSL ! -# Add SSL support by running: sudo yum install mod_ssl -# Check out the apache.misp.ssl file for an example + # Open a hole in the iptables firewall + sudo firewall-cmd --zone=public --add-port=80/tcp --permanent + sudo firewall-cmd --zone=public --add-port=443/tcp --permanent + sudo firewall-cmd --reload +} +# ``` # 8/ Log Rotation 
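Review bot: In `apacheConfig_RHEL` the private key is first written to the fixed path `/tmp/misp.local.key` by `sudo openssl genrsa -des3 -passout pass:x ...`, then decrypted into `/etc/pki/tls/private/` and deleted; the predictable location in a world-writable directory and the throw-away passphrase add nothing, and the key can be generated in place with `sudo openssl genrsa -out /etc/pki/tls/private/misp.local.key 4096` (dropping the `openssl rsa -passin` and `rm /tmp/misp.local.key` lines), followed by `sudo chmod 600 /etc/pki/tls/private/misp.local.key`. The `sudo ln -s /etc/pki/tls/certs/misp.local.csr /etc/pki/tls/certs/misp-chain.crt` line links the signing request as the chain file; if the self-signed certificate is meant, the target should be `misp.local.crt`. The helper named `firewall_RHEL` also flips two SELinux booleans and enables httpd, so either a name such as `firewall_selinux_RHEL` or a header comment listing what it does would keep the sections navigable. These bodies are carried over from the removed lines unchanged apart from indentation, so the issues predate this commit but are now the documented path.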
@@ -508,108 +506,116 @@ MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs To rotate these logs install the supplied logrotate script: ```bash -# MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs -# To rotate these logs install the supplied logrotate script: +# +logRotation_RHEL () { + # MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs + # To rotate these logs install the supplied logrotate script: -sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp -sudo chmod 0640 /etc/logrotate.d/misp + sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp + sudo chmod 0640 /etc/logrotate.d/misp -# Now make logrotate work under SELinux as well -# Allow logrotate to modify the log files -sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/MISP(/.*)?" -sudo semanage fcontext -a -t httpd_log_t "$PATH_TO_MISP/app/tmp/logs(/.*)?" -sudo chcon -R -t httpd_log_t $PATH_TO_MISP/app/tmp/logs -sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp/logs -# Impact of the following: ?!?!?!!?111 -##sudo restorecon -R /var/www/MISP/ + # Now make logrotate work under SELinux as well + # Allow logrotate to modify the log files + sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/MISP(/.*)?" + sudo semanage fcontext -a -t httpd_log_t "$PATH_TO_MISP/app/tmp/logs(/.*)?" 
+ sudo chcon -R -t httpd_log_t $PATH_TO_MISP/app/tmp/logs + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp/logs + # Impact of the following: ?!?!?!!?111 + ##sudo restorecon -R /var/www/MISP/ -# Allow logrotate to read /var/www -sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te -sudo semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod -sudo semodule -i /tmp/misplogrotate.pp + # Allow logrotate to read /var/www + sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te + sudo semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod + sudo semodule -i /tmp/misplogrotate.pp +} +# ``` # 9/ MISP Configuration ```bash -# There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied -$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php -$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php -$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php -$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php +# +configMISP_RHEL () { + # There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied + $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php + $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php + $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php + $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php -echo " 'Database/Mysql', - //'datasource' => 'Database/Postgres', - 'persistent' => false, - 'host' => '$DBHOST', - 'login' => '$DBUSER_MISP', - 'port' => 3306, // MySQL & MariaDB - //'port' => 5432, // PostgreSQL - 'password' => '$DBPASSWORD_MISP', - 'database' 
=> '$DBNAME', - 'prefix' => '', - 'encoding' => 'utf8', - ); -}" | $SUDO_WWW tee $PATH_TO_MISP/app/Config/database.php + echo " 'Database/Mysql', + //'datasource' => 'Database/Postgres', + 'persistent' => false, + 'host' => '$DBHOST', + 'login' => '$DBUSER_MISP', + 'port' => 3306, // MySQL & MariaDB + //'port' => 5432, // PostgreSQL + 'password' => '$DBPASSWORD_MISP', + 'database' => '$DBNAME', + 'prefix' => '', + 'encoding' => 'utf8', + ); + }" | $SUDO_WWW tee $PATH_TO_MISP/app/Config/database.php -# Configure the fields in the newly created files: -# config.php : baseurl (example: 'baseurl' => 'http://misp',) - don't use "localhost" it causes issues when browsing externally -# core.php : Uncomment and set the timezone: `// date_default_timezone_set('UTC');` -# database.php : login, port, password, database -# DATABASE_CONFIG has to be filled -# With the default values provided in section 6, this would look like: -# class DATABASE_CONFIG { -# public $default = array( -# 'datasource' => 'Database/Mysql', -# 'persistent' => false, -# 'host' => 'localhost', -# 'login' => 'misp', // grant usage on *.* to misp@localhost -# 'port' => 3306, -# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX'; -# 'database' => 'misp', // create database misp; -# 'prefix' => '', -# 'encoding' => 'utf8', -# ); -#} + # Configure the fields in the newly created files: + # config.php : baseurl (example: 'baseurl' => 'http://misp',) - don't use "localhost" it causes issues when browsing externally + # core.php : Uncomment and set the timezone: `// date_default_timezone_set('UTC');` + # database.php : login, port, password, database + # DATABASE_CONFIG has to be filled + # With the default values provided in section 6, this would look like: + # class DATABASE_CONFIG { + # public $default = array( + # 'datasource' => 'Database/Mysql', + # 'persistent' => false, + # 'host' => 'localhost', + # 'login' => 'misp', // grant usage on *.* to misp@localhost + # 'port' 
=> 3306, + # 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX'; + # 'database' => 'misp', // create database misp; + # 'prefix' => '', + # 'encoding' => 'utf8', + # ); + #} -# Important! Change the salt key in $PATH_TO_MISP/app/Config/config.php -# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user -# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt, -# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin) + # Important! Change the salt key in $PATH_TO_MISP/app/Config/config.php + # The admin user account will be generated on the first login, make sure that the salt is changed before you create that user + # If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt, + # delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin) -# If you want to be able to change configuration parameters from the webinterface: -sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config/config.php -sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config/config.php + # If you want to be able to change configuration parameters from the webinterface: + sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config/config.php + sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config/config.php -# Generate a GPG encryption key. -cat >/tmp/gen-key-script </tmp/gen-key-script < ``` Review: @@ -624,12 +630,6 @@ then echo 'exit 0' | sudo tee -a /etc/rc.local sudo chmod u+x /etc/rc.local fi - -# TODO: Fix static path with PATH_TO_MISP -sudo sed -i -e '$i \su -s /bin/bash apache -c "scl enable rh-php72 /var/www/MISP/app/Console/worker/start.sh" > /tmp/worker_start_rc.local.log\n' /etc/rc.local -# Make sure it will execute -sudo chmod +x /etc/rc.local - ``` !!! note 
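Review bot: In `logRotation_RHEL` the line `sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp/logs` directly follows `sudo chcon -R -t httpd_log_t $PATH_TO_MISP/app/tmp/logs` on the same directory, so the `httpd_log_t` label that the previous line and the matching `semanage fcontext` rule set up is overwritten before logrotate ever runs; one of the two lines should go, or a comment should say which label is intended to win. The two `sudo semanage fcontext -a ...` calls are rejected once the rule already exists, so the function cannot be re-run cleanly; `sudo semanage fcontext -a ... || sudo semanage fcontext -m ...` (same arguments) handles both the first and later runs. Rendering has garbled the `database.php` heredoc and the `gen-key-script` lines at the tail of this hunk, so I cannot check them here, and the fenced block for `configMISP_RHEL` may continue beyond what is visible.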
@@ -681,20 +681,27 @@ cd /usr/local/src/ $SUDO_WWW git clone https://github.com/MISP/misp-modules.git cd misp-modules # pip install -$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -I -r REQUIREMENTS -$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install . -sudo yum install rubygem-rouge rubygem-asciidoctor -y -##sudo gem install asciidoctor-pdf --pre +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U . +sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-devel -y -# install additional dependencies for extended object generation and extraction -$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install maec python-magic pathlib -$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install git+https://github.com/kbandla/pydeep.git +echo "[Unit] +Description=MISP's modules +After=misp-workers.service -# Start misp-modules -$SUDO_WWW ${PATH_TO_MISP}/venv/bin/misp-modules -l 0.0.0.0 -s & +[Service] +Type=simple +User=apache +Group=apache +ExecStart=\"${PATH_TO_MISP}/venv/bin/misp-modules –l 127.0.0.1 –s\" +Restart=always +RestartSec=10 -# TODO: Fix static path with PATH_TO_MISP -sudo sed -i -e '$i \sudo -u apache /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s &\n' /etc/rc.local +[Install] +WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-modules.service + +sudo systemctl daemon-reload +sudo systemctl enable --now misp-modules ``` {!generic/misp-dashboard-centos.md!} 
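Review bot: The new unit's `ExecStart=\"${PATH_TO_MISP}/venv/bin/misp-modules –l 127.0.0.1 –s\"` line will not start the service: the escaped double quotes make systemd treat the whole string, arguments included, as one executable path, and the two option dashes are Unicode en-dashes (`–l`, `–s`) rather than ASCII `-l`/`-s`. It should read `ExecStart=${PATH_TO_MISP}/venv/bin/misp-modules -l 127.0.0.1 -s`. Binding to 127.0.0.1 instead of the removed `-l 0.0.0.0` is a welcome tightening and deserves a short comment in the unit, e.g. `# misp-modules only needs to be reachable from the local MISP instance`. `After=misp-workers.service` only orders startup and does not pull the workers in; if that dependency is intended, add `Wants=misp-workers.service` beside it.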
@@ -708,46 +715,11 @@ sudo sed -i -e '$i \sudo -u apache /var/www/MISP/venv/bin/misp-modules -l 127.0. # 11/ LIEF Installation *lief* is required for the Advanced Attachment Handler and requires manual compilation -## 11.01/ Install cmake3 devtoolset-7 from SCL -```bash -yum install devtoolset-7 cmake3 -``` - -## 11.02/ Create the directory and download the source code -```bash -cd /var/www/MISP/app/files/scripts -git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief -``` - -## 11.03/ Compile lief and install it -```bash -cd /var/www/MISP/app/files/scripts/lief -mkdir build -cd build -scl enable devtoolset-7 rh-python36 'bash -c "cmake3 \ --DLIEF_PYTHON_API=on \ --DLIEF_DOC=off \ --DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \ --DCMAKE_BUILD_TYPE=Release \ --DPYTHON_VERSION=3.6 \ -.."' -make -j3 -cd api/python -scl enable rh-python36 'python3 setup.py install || :' -# when running setup.py, pip will download and install remote LIEF packages that will prevent MISP from detecting the packages that you compiled ; remove them -find /opt/rh/rh-python36/root/ -name "*lief*" -exec rm -rf {} \; -``` - -## 11.04/ Test lief installation, if no error, package installed -```bash -scl enable rh-python36 python3 ->> import lief -``` +The installation is explained in section **[3.01](https://misp.github.io/MISP/INSTALL.rhel7/#301-download-misp-code-using-git-in-varwww-directory)** # 12/ Known Issues ## 12.01/ Workers cannot be started or restarted from the web page -Possible also due to package being installed via SCL, attempting to start workers through the web page will result in -error. Worker's can be restarted via the CLI using the following command. +Possible also due to package being installed via SCL, attempting to start workers through the web page will result in error. Worker's can be restarted via the CLI using the following command. ```bash systemctl restart misp-workers.service ``` 
From cf67195b2daf4d90508aadd1f5f66ec3c39987ca Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Thu, 25 Apr 2019 11:25:56 +0900 Subject: [PATCH 2/2] chg: [doc] Updated RHEL8(BETA) doc, core works, misp-modules do not, LIEF does not. chg: [doc] Some notes for rhel7 --- docs/INSTALL.rhel7.md | 22 +- docs/xINSTALL.rhel8.md | 935 +++++++++++++++++++++++------------------ 2 files changed, 555 insertions(+), 402 deletions(-) diff --git a/docs/INSTALL.rhel7.md b/docs/INSTALL.rhel7.md index e9204d671..d9432a050 100644 --- a/docs/INSTALL.rhel7.md +++ b/docs/INSTALL.rhel7.md @@ -54,6 +54,19 @@ PHP_INI=/etc/opt/rh/rh-php72/php.ini # ``` +!!! note + For fresh installs the following tips might be handy.
+ Allow ssh to pass the firewall on the CLI + ```bash + firewall-cmd --zone=public --add-port=22/tcp --permanent + firewall-cmd --reload + ``` +
+ To quickly make sure if NetworkManager handles your network interface on boot, check in the following location: + ``` + /etc/sysconfig/network-scripts/ifcfg-* + ``` + # 1/ OS Install and additional repositories ## 1.1/ Complete a minimal RHEL/CentOS installation, configure IP address to connect automatically. @@ -203,7 +216,8 @@ sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools # install Mitre's STIX and its dependencies by running the following commands: -sudo yum install python-lxml python-dateutil python-six -y +## Probably not needed +##sudo yum install python-lxml python-dateutil python-six -y cd $PATH_TO_MISP/app/files/scripts $SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git @@ -358,7 +372,7 @@ permissions_RHEL () { # 6/ Create database and user -## 6.01/ Set database to listen on localhost oncology's +## 6.01/ Set database to listen on localhost only ```bash # prepareDB_RHEL () { 
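Review bot: The two `firewall-cmd` lines in the new "fresh installs" note are the only privileged commands in this document not prefixed with `sudo`; for consistency with the rest of the guide they should be `sudo firewall-cmd --zone=public --add-service=ssh --permanent` and `sudo firewall-cmd --reload`. Using `--add-service=ssh` rather than `--add-port=22/tcp` also keeps the rule tied to the service definition, which matters if sshd is later moved off the default port. The later hunks in this line (the commented-out `yum install python-lxml …` and the "oncology's" typo fix) need nothing further.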
@@ -440,8 +454,8 @@ apacheConfig_RHEL () { echo "The Common Name used below will be: ${OPENSSL_CN}" # This will take a rather long time, be ready. (13min on a VM, 8GB Ram, 1 core) sudo openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 4096 - sudo openssl genrsa -des3 -passout pass:x -out /tmp/misp.local.key 4096 - sudo openssl rsa -passin pass:x -in /tmp/misp.local.key -out /etc/pki/tls/private/misp.local.key + sudo openssl genrsa -des3 -passout pass:xxxx -out /tmp/misp.local.key 4096 + sudo openssl rsa -passin pass:xxxx -in /tmp/misp.local.key -out /etc/pki/tls/private/misp.local.key sudo rm /tmp/misp.local.key sudo openssl req -new -subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" -key /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.csr sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/misp.local.csr -signkey /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.crt diff --git a/docs/xINSTALL.rhel8.md b/docs/xINSTALL.rhel8.md index 340593c7c..c4e9e8ad0 100644 --- a/docs/xINSTALL.rhel8.md +++ b/docs/xINSTALL.rhel8.md 
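Review bot: The `-des3 -passout pass:xxxx` / `-passin pass:xxxx` round-trip adds nothing — the key is decrypted and written to /etc/pki/tls/private unencrypted on the very next line — while it still passes a passphrase on the command line and leaves a copy of the private key at the predictable path `/tmp/misp.local.key` until the `rm`. Presumably `x` became `xxxx` because OpenSSL refuses passphrases shorter than four characters, which is a symptom of the detour rather than a reason to keep it. Generating straight to the destination, `sudo openssl genrsa -out /etc/pki/tls/private/misp.local.key 4096`, replaces both changed lines and the `rm`, and the key's mode should be pinned afterwards with `sudo chmod 600 /etc/pki/tls/private/misp.local.key`, since nothing in the function sets it. The enclosing `apacheConfig_RHEL` function starts and ends outside this hunk.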
@@ -1,6 +1,22 @@ # INSTALLATION INSTRUCTIONS for RHEL 8.x (beta) ------------------------- +### -1/ Installer and Manual install instructions + +Make sure you are reading the parsed version of this Document. When in doubt [click here](https://misp.github.io/MISP/xINSTALL.rhel8/). + +!!! warning + In the **future**, to install MISP on a fresh RHEL 8 install all you need to do is: + + ```bash + # Please check the installer options first to make the best choice for your install + curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.debian.sh | bash -s + + # This will install MISP Core and misp-modules (recommended) + curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.debian.sh | bash -s -- -c -M + ``` + **The above does NOT work yet** + ## 0/ Overview and Assumptions {!generic/community.md!} @@ -11,9 +27,6 @@ The core MISP team cannot verify if this guide is working or not. Please help us in keeping it up to date and accurate. Thus we also have difficulties in supporting RHEL issues but will do a best effort on a similar yet slightly different setup. -!!! warning - This is a carbon copy of the 7.5 document. This will change once we get around updating this document. - This document details the steps to install MISP on Red Hat Enterprise Linux 8.x BETA (RHEL 8.x). At time of this writing it could be tested on version 8.0 BETA. The following assumptions with regard to this installation have been made. 
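Review bot: The quick-install recipe in the new warning block pipes a remote script straight into `bash` (`curl -fsSL … | bash -s`), so the reader never sees what runs as their user before it executes. Even though the block already says it does not work yet, the documented pattern should be download-then-inspect, e.g. `curl -fsSLo INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.debian.sh`, review or verify the file, then `bash INSTALL.sh -c -M`. The RHEL 8 document pointing at `INSTALL.debian.sh` is presumably a placeholder until a RHEL-specific installer exists; a short comment saying so would stop readers from assuming the Debian script is meant to be run on RHEL.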
@@ -21,7 +34,19 @@ The following assumptions with regard to this installation have been made. ### 0.1/ A valid support agreement allowing the system to register to the Red Hat Customer Portal and receive updates ### 0.2/ The ability to enable additional RPM repositories, specifically the EPEL and Software Collections (SCL) repos ### 0.3/ This system will have direct or proxy access to the Internet for updates. Or connected to a Red Hat Satellite Server -### 0.4/ This document is to get a MISP instance up and running over HTTP. I haven't done a full test of all features +### 0.4/ This document will bootstrap a MISP instance running over HTTPS. A full test of all features have yet to be done. [The following GitHub issue](https://github.com/MISP/MISP/issues/4084) details some shortcomings. + +{!generic/globalVariables.md!} + +```bash +# +# RHEL/CentOS Specific +SUDO_WWW='sudo -H -u apache' +WWW_USER='apache' + +PHP_INI=/etc/php.ini +# +``` !!! note For fresh installs the following tips might be handy.
@@ -40,378 +65,555 @@ The following assumptions with regard to this installation have been made. ## 1.1/ Complete a minimal RHEL installation, configure IP address to connect automatically. -## 1.2/ Configure system hostname +## 1.2/ Configure system hostname (if not done during install) ```bash -sudo hostnamectl set-hostname misp # Your choice, in a production environment, it's best to use a FQDN +sudo hostnamectl set-hostname misp.local # Your choice, in a production environment, it's best to use a FQDN ``` -## 1.3/ Register the system for updates with Red Hat Subscription Manager +## 1.3/ **[RHEL]** Register the system for updates with Red Hat Subscription Manager ```bash -sudo subscription-manager register # register your system to an account -sudo subscription-manager attach # attach your system to a current subscription +# +sudo subscription-manager register --auto-attach # register your system to an account and attach to a current subscription +# ``` -## 1.4/ Enable the optional, extras and Software Collections (SCL) repos +## 1.4/ **[RHEL]** Enable the optional, extras and Software Collections (SCL) repos ```bash +# To be confirmed, no access to RHSCL sudo subscription-manager repos --enable rhel-8-server-optional-rpms sudo subscription-manager repos --enable rhel-8-server-extras-rpms sudo subscription-manager repos --enable rhel-server-rhscl-8-rpms ``` -### 1.5a/ OPTIONAL: Install the deltarpm package to help reduce download size when installing updates +### 1.5a/ Install the deltarpm package to help reduce download size when installing updates (optional) ```bash -sudo yum install deltarpm -y +sudo yum install drpm -y +``` + +### 1.5.b/ Install vim (optional) +```bash +# Because vim is just so practical +sudo yum install vim -y ``` ## 1.5/ Update the system and reboot ```bash +# sudo yum update -y +# ``` +## 1.6/ **[RHEL]** Install the EPEL repo + !!! 
note - At the time of writing performing a yum update results in the rhel-8-server-rt-beta-rpms being forbidden.
- The repo can be disabled using the following command - ```bash - sudo subscription-manager repos --disable rhel-8-server-rt-beta-rpms - ``` + There is no epel-releas-latest-8 yet, but the RHEL 7 seems to work for testing. -## 1.6/ Install the EPEL repo ```bash -sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y +# +sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y +# ``` -## 1.7/ Install the SCL repo -```bash -sudo yum install centos-release-scl -y -``` - -# 2/ Install Dependencies -Once the system is installed and updated, the following steps can be performed as root - -## 2.01/ Install some base system dependencies -```bash -sudo yum install gcc git httpd zip python-devel libxslt-devel zlib-devel python-pip ssdeep-devel -y -``` - -## 2.02/ Install MariaDB 10.2 from SCL -```bash -sudo yum install rh-mariadb102 -y -``` - -## 2.03/ Start the MariaDB service and enable it to start on boot -```bash -sudo systemctl start rh-mariadb102-mariadb.service -sudo systemctl enable rh-mariadb102-mariadb.service -``` - -!!! note - MISP 2.4 requires PHP 5.6 as a minimum, we need a higher version than base RHEL provides.
- This guide installs PHP 7.2 from SCL +# 2/ Dependencies !!! warning [PHP 5.6 will be EOL in December 2018](https://secure.php.net/supported-versions.php). Please update accordingly. In future only PHP7 will be supported. -## 2.04/ Install PHP 7.2 from SCL +## 2.01/ Install some base system dependencies ```bash -sudo yum install rh-php72 rh-php72-php-fpm rh-php72-php-devel rh-php72-php-mysqlnd rh-php72-php-mbstring rh-php72-php-xml rh-php72-php-bcmath rh-php72-php-opcache -y +# +# Install the dependencies: +sudo yum install @httpd -y +sudo yum install gcc git zip \ + httpd \ + mod_ssl \ + redis \ + mariadb \ + python3-devel python3-pip python3-virtualenv \ + libxslt-devel zlib-devel ssdeep-devel -y +sudo alternatives --set python /usr/bin/python3 + +# Enable and start redis +sudo systemctl enable --now redis.service + +sudo yum install php php-fpm php-devel php-pear \ + php-mysqlnd \ + php-mbstring \ + php-xml \ + php-bcmath \ + php-opcache \ + php-json \ + php-gd -y +# ``` +!!! note + MISP 2.4 requires PHP 5.6 as a minimum, we need a higher version than base RHEL provides.
+ This guide installs PHP 7.2 + !!! note If we want to use httpd from RHEL base we can use the rh-php72-php-fpm service instead ## 2.05/ Start the PHP FPM service and enable to start on boot ```bash -systemctl start rh-php72-php-fpm.service -systemctl enable rh-php72-php-fpm.service -``` - -## 2.06/ Install redis 3.2 from SCL -```bash -yum install rh-redis32 +sudo systemctl enable --now php-fpm.service ``` ## 2.07/ Start redis service and enable to start on boot ```bash -systemctl start rh-redis32-redis.service -systemctl enable rh-redis32-redis.service +sudo systemctl enable --now redis.service ``` -## 2.08/ Start a SCL shell with rh-mariadb102 rh-php72 and rh-redis32 enabled ```bash -scl enable rh-mariadb102 rh-php72 rh-redis32 bash +# +# GPG needs lots of entropy, haveged provides entropy +# /!\ Only do this if you're not running rngd to provide randomness and your kernel randomness is not sufficient. +sudo yum install haveged -y +sudo systemctl enable --now haveged.service +# ``` -## 2.08/ Secure the MariaDB installation, run the following command and follow the prompts -```bash -mysql_secure_installation -``` - -## 2.10/ Update the PHP extension repository and install required package -```bash -pear channel-update pear.php.net -pear install Crypt_GPG -``` - -## 2.11/ Install haveged and enable to start on boot to provide entropy for GPG -```bash -yum install haveged -systemctl start haveged -systemctl enable haveged -``` - -## 2.12/ Install Python 3.6 from SCL -```bash -yum install rh-python36 -``` - -# 3/ MISP Download +# 3/ MISP code ## 3.01/ Download MISP code using git in /var/www/ directory + ```bash +# +# Download MISP using git in the /var/www/ directory. 
+sudo mkdir $PATH_TO_MISP +sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP cd /var/www -git clone https://github.com/MISP/MISP.git -cd MISP -git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`) +$SUDO_WWW git clone https://github.com/MISP/MISP.git +cd $PATH_TO_MISP +##$SUDO_WWW git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`) # if the last shortcut doesn't work, specify the latest version manually # example: git checkout tags/v2.4.XY # the message regarding a "detached HEAD state" is expected behaviour # (you only have to create a new branch, if you want to change stuff and do a pull request for example) -``` -## 3.02/ Make git ignore filesystem permission differences -```bash -git config core.filemode false -``` +# Fetch submodules +$SUDO_WWW git submodule update --init --recursive +# Make git ignore filesystem permission differences for submodules +$SUDO_WWW git submodule foreach --recursive git config core.filemode false -## 3.03/ Install Mitre's STIX and its dependencies by running the following commands -```bash -pip install importlib -yum install python-six -cd /var/www/MISP/app/files/scripts -git clone https://github.com/CybOXProject/python-cybox.git -git clone https://github.com/STIXProject/python-stix.git -cd /var/www/MISP/app/files/scripts/python-cybox -git config core.filemode false -# If your umask has been changed from the default, it is a good idea to reset it to 0022 before installing python modules +# Install packaged pears +sudo pear channel-update pear.php.net +sudo pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml +sudo pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml + +# Create a python3 virtualenv +$SUDO_WWW virtualenv-3 -p python3 $PATH_TO_MISP/venv +sudo mkdir /usr/share/httpd/.cache +sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools + +cd $PATH_TO_MISP/app/files/scripts 
+$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git +$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git +$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief +$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git + +cd $PATH_TO_MISP/app/files/scripts/python-cybox +# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules UMASK=$(umask) umask 0022 -scl enable rh-python36 'python3 setup.py install' -cd /var/www/MISP/app/files/scripts/python-stix -git config core.filemode false -scl enable rh-python36 'python3 setup.py install' -``` +cd $PATH_TO_MISP/app/files/scripts/python-stix +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install . + +# install mixbox to accommodate the new STIX dependencies: +cd $PATH_TO_MISP/app/files/scripts/mixbox +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install . + +# install STIX2.0 library to support STIX 2.0 export: +cd $PATH_TO_MISP/cti-python-stix2 +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install . + +# install maec +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec + +# install zmq +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq + +# install redis +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis + +# lief needs manual compilation +sudo yum install devtoolset-8 cmake3 cppcheck -y + +cd $PATH_TO_MISP/app/files/scripts/lief +$SUDO_WWW mkdir build +cd build +$SUDO_WWW cmake3 \ +-DLIEF_PYTHON_API=on \ +-DPYTHON_VERSION=3.6 \ +-DPYTHON_EXECUTABLE=$PATH_TO_MISP/venv/bin/python \ +-DLIEF_DOC=off \ +-DCMAKE_BUILD_TYPE=Release \ +.. 
+$SUDO_WWW make -j3 pyLIEF + +# The following adds a PYTHONPATH to where the pyLIEF module has been compiled +echo /var/www/MISP/app/files/scripts/lief/build/api/python |$SUDO_WWW tee /var/www/MISP/venv/lib/python3.6/site-packages/lief.pth + +# install magic, pydeep +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git + +# install PyMISP +cd $PATH_TO_MISP/PyMISP +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U . + +# Enable python3 for php-fpm +sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/php-fpm.d/www.conf +sudo systemctl restart php-fpm.service -## 3.04/ Install mixbox to accommodate the new STIX dependencies -```bash -cd /var/www/MISP/app/files/scripts/ -git clone https://github.com/CybOXProject/mixbox.git -cd /var/www/MISP/app/files/scripts/mixbox -git config core.filemode false -scl enable rh-python36 'python3 setup.py install' umask $UMASK -``` -## 3.05/ Enable python3 for php-fpm -```bash -echo 'source scl_source enable rh-python36' >> /etc/opt/rh/rh-php72/sysconfig/php-fpm -sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php72/php-fpm.d/www.conf -systemctl restart rh-php72-php-fpm.service +# Enable dependencies detection in the diagnostics page +# This allows MISP to detect GnuPG, the Python modules' versions and to read the PHP settings. +echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/php-fpm.d/www.conf +sudo systemctl restart php-fpm.service +# ``` # 4/ CakePHP +## 4.01/ Install CakeResque along with its dependencies if you intend to use the built in background jobs -## 4.01/ CakePHP is now included as a submodule of MISP - -!!! note - Execute the following commands to let git fetch it ignore this - ``` - message: No submodule mapping found in .gitmodules for path 'app/Plugin/CakeResque' - ``` +!!! notice + CakePHP is now included as a submodule of MISP and has been fetch by a previous step. 
```bash -cd /var/www/MISP -git submodule update --init --recursive -# Make git ignore filesystem permission differences for submodules -git submodule foreach --recursive git config core.filemode false -``` +# +installCake_RHEL () +{ + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP + sudo mkdir /usr/share/httpd/.composer + sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.composer + cd $PATH_TO_MISP/app + # Update composer.phar (optional) + #$SUDO_WWW php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" + #$SUDO_WWW php -r "if (hash_file('SHA384', 'composer-setup.php') === '48e3236262b34d30969dca3c37281b3b4bbe3221bda826ac6a9a62d6444cdb0dcd0615698a5cbe587c3f0fe57a54d8f5') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" + #$SUDO_WWW php composer-setup.php + #$SUDO_WWW php -r "unlink('composer-setup.php');" + $SUDO_WWW php composer.phar require kamisama/cake-resque:4.1.2 + $SUDO_WWW php composer.phar config vendor-dir Vendor + $SUDO_WWW php composer.phar install -## 4.02/ Install CakeResque along with its dependencies if you intend to use the built in background jobs -```bash -cd /var/www/MISP/app -php composer.phar require kamisama/cake-resque:4.1.2 -php composer.phar config vendor-dir Vendor -php composer.phar install -``` + ## sudo yum install php-redis -y + sudo pecl channel-update pecl.php.net + sudo pecl install redis + echo "extension=redis.so" |sudo tee /etc/php-fpm.d/redis.ini + sudo ln -s /etc/php-fpm.d/redis.ini /etc/php.d/99-redis.ini + sudo systemctl restart php-fpm.service -## 4.03/ Install and configure php redis connector through pecl -```bash -pecl install redis -echo "extension=redis.so" > /etc/opt/rh/rh-php72/php-fpm.d/redis.ini -ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php72/php.d/99-redis.ini -systemctl restart rh-php72-php-fpm.service -``` + # If you have not yet set a timezone in php.ini + echo 'date.timezone = "Asia/Tokyo"' |sudo tee 
/etc/php-fpm.d/timezone.ini + sudo ln -s ../php-fpm.d/timezone.ini /etc/php.d/99-timezone.ini -## 4.04/ Set a timezone in php.ini -```bash -echo 'date.timezone = "Australia/Sydney"' > /etc/opt/rh/rh-php72/php-fpm.d/timezone.ini -ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php72/php.d/99-timezone.ini -``` + # Recommended: Change some PHP settings in /etc/opt/rh/rh-php72/php.ini + # max_execution_time = 300 + # memory_limit = 512M + # upload_max_filesize = 50M + # post_max_size = 50M + for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit + do + sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI + done + sudo systemctl restart php-fpm.service -## 4.05/ To use the scheduler worker for scheduled tasks, do the following: -```bash -cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php + # To use the scheduler worker for scheduled tasks, do the following: + sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php +} +# ``` # 5/ Set file permissions -## 5.01/ Make sure the permissions are set correctly using the following commands as root: ```bash -chown -R root:apache /var/www/MISP -find /var/www/MISP -type d -exec chmod g=rx {} \; -chmod -R g+r,o= /var/www/MISP -chown apache:apache /var/www/MISP/app/files -chown apache:apache /var/www/MISP/app/files/terms -chown apache:apache /var/www/MISP/app/files/scripts/tmp -chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp -chown -R apache:apache /var/www/MISP/app/tmp -chown -R apache:apache /var/www/MISP/app/webroot/img/orgs -chown -R apache:apache /var/www/MISP/app/webroot/img/custom +# +# Main function to fix permissions to something sane +permissions_RHEL () { + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP + ## ? 
chown -R root:apache /var/www/MISP + sudo find $PATH_TO_MISP -type d -exec chmod g=rx {} \; + sudo chmod -R g+r,o= $PATH_TO_MISP + ## **Note :** For updates through the web interface to work, apache must own the /var/www/MISP folder and its subfolders as shown above, which can lead to security issues. If you do not require updates through the web interface to work, you can use the following more restrictive permissions : + sudo chmod -R 750 $PATH_TO_MISP + sudo chmod -R g+xws $PATH_TO_MISP/app/tmp + sudo chmod -R g+ws $PATH_TO_MISP/app/files + sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp + sudo chmod -R g+rw $PATH_TO_MISP/venv + sudo chmod -R g+rw $PATH_TO_MISP/.git + sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/files + sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/files/terms + sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/files/scripts/tmp + sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Plugin/CakeResque/tmp + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/tmp + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/img/orgs + sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/app/webroot/img/custom +} +# ``` # 6/ Create database and user + ## 6.01/ Set database to listen on localhost only ```bash -echo [mysqld] > /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf -echo bind-address=127.0.0.1 >> /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf -systemctl restart rh-mariadb102-mariadb -``` +# +prepareDB_RHEL () { + # Enable, start and secure your mysql database server + sudo systemctl enable --now mariadb.service + echo [mysqld] |sudo tee /etc/my.cnf.d/bind-address.cnf + echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf + sudo systemctl restart mariadb -## 6.02/ Start MariaDB shell and create database -```bash -mysql -u root -p -``` + sudo yum install expect -y -``` -MariaDB [(none)]> create database misp; -MariaDB [(none)]> grant usage on *.* to 
misp@localhost identified by 'XXXXXXXXX'; -MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ; -MariaDB [(none)]> exit -``` + ## The following needs some thoughts about scl enable foo + #if [[ ! -e /var/opt/rh/rh-mariadb102/lib/mysql/misp/users.ibd ]]; then -## 6.03/ Import the empty MySQL database from MYSQL.sql -```bash -cd /var/www/MISP -mysql -u misp -p misp < INSTALL/MYSQL.sql + # Add your credentials if needed, if sudo has NOPASS, comment out the relevant lines + pw="Password1234" + + expect -f - <<-EOF + set timeout 10 + + spawn sudo mysql_secure_installation + expect "*?assword*" + send -- "$pw\r" + expect "Enter current password for root (enter for none):" + send -- "\r" + expect "Set root password?" + send -- "y\r" + expect "New password:" + send -- "${DBPASSWORD_ADMIN}\r" + expect "Re-enter new password:" + send -- "${DBPASSWORD_ADMIN}\r" + expect "Remove anonymous users?" + send -- "y\r" + expect "Disallow root login remotely?" + send -- "y\r" + expect "Remove test database and access to it?" + send -- "y\r" + expect "Reload privilege tables now?" 
+ send -- "y\r" + expect eof +EOF + + sudo yum remove tcl expect -y + + sudo systemctl restart mariadb + + mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "CREATE DATABASE $DBNAME;" + mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "GRANT USAGE on *.* to $DBNAME@localhost IDENTIFIED by '$DBPASSWORD_MISP';" + mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "GRANT ALL PRIVILEGES on $DBNAME.* to '$DBUSER_MISP'@'localhost';" + mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e 'FLUSH PRIVILEGES;' + + $SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME +} +# ``` # 7/ Apache Configuration -## 7.01/ Copy a sample vhost config to Apache configuration directory -```bash -cp /var/www/MISP/INSTALL/apache.misp.centos7 /etc/httpd/conf.d/misp.conf -``` -## 7.02/ Since SELinux is enabled, we need to allow httpd to write to certain directories -```bash -chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files -chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms -chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp -chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp -chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp -chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs -chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom -``` +!!! notice + SELinux note, to check if it is running: + ```bash + $ sestatus + SELinux status: disabled + ``` + If it is disabled, you can ignore the **chcon/setsebool/semanage/checkmodule/semodule*** commands. 
-## 7.02/ Allow httpd to connect to the redis server and php-fpm over tcp/ip ```bash -setsebool -P httpd_can_network_connect on -``` +# +apacheConfig_RHEL () { + # Now configure your apache server with the DocumentRoot $PATH_TO_MISP/app/webroot/ + # A sample vhost can be found in $PATH_TO_MISP/INSTALL/apache.misp.centos7 -## 7.03/ Enable and start the httpd service -```bash -systemctl enable httpd.service -systemctl start httpd.service -``` + sudo cp $PATH_TO_MISP/INSTALL/apache.misp.centos7.ssl /etc/httpd/conf.d/misp.ssl.conf + sudo sed -i "s/SetHandler/\#SetHandler/g" /etc/httpd/conf.d/misp.ssl.conf + sudo rm /etc/httpd/conf.d/ssl.conf + sudo chmod 644 /etc/httpd/conf.d/misp.ssl.conf + sudo sed -i '/Listen 80/a Listen 443' /etc/httpd/conf/httpd.conf -## 7.04/ Open a hole in the firewalld service -```bash -firewall-cmd --zone=public --add-port=80/tcp --permanent -firewall-cmd --reload + # If a valid SSL certificate is not already created for the server, create a self-signed certificate: + echo "The Common Name used below will be: ${OPENSSL_CN}" + # This will take a rather long time, be ready. 
(13min on a VM, 8GB Ram, 1 core) + sudo openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 4096 + sudo openssl genrsa -des3 -passout pass:xxxx -out /tmp/misp.local.key 4096 + sudo openssl rsa -passin pass:xxxx -in /tmp/misp.local.key -out /etc/pki/tls/private/misp.local.key + sudo rm /tmp/misp.local.key + sudo openssl req -new -subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" -key /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.csr + sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/misp.local.csr -signkey /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.crt + sudo ln -s /etc/pki/tls/certs/misp.local.csr /etc/pki/tls/certs/misp-chain.crt + cat /etc/pki/tls/certs/dhparam.pem |sudo tee -a /etc/pki/tls/certs/misp.local.crt + + sudo systemctl restart httpd.service + + # Since SELinux is enabled, we need to allow httpd to write to certain directories + sudo chcon -t usr_t $PATH_TO_MISP/venv + sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files + sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/terms + sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp + sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Plugin/CakeResque/tmp + sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/cake + sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/start.sh + sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmq.py + sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmqtest.py + sudo chcon -t httpd_sys_script_exec_t /usr/bin/ps + sudo chcon -t httpd_sys_script_exec_t /usr/bin/grep + sudo chcon -t httpd_sys_script_exec_t /usr/bin/awk + sudo chcon -t httpd_sys_script_exec_t /usr/bin/gpg + sudo chcon -R -t usr_t $PATH_TO_MISP/venv + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git + sudo chcon 
-R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Lib + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/orgs + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/custom + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/mispzmq +} +# ``` !!! warning - We seriously recommend using only HTTPS / SSL ! - Add SSL support by running: yum install mod_ssl - Check out the apache.misp.ssl file for an example + Todo: Revise all permissions so update in Web UI works. + +```bash +# +firewall_RHEL () { + # Allow httpd to connect to the redis server and php-fpm over tcp/ip + sudo setsebool -P httpd_can_network_connect on + + # Allow httpd to send emails from php + sudo setsebool -P httpd_can_sendmail on + + # Enable and start the httpd service + sudo systemctl enable --now httpd.service + + # Open a hole in the iptables firewall + sudo firewall-cmd --zone=public --add-port=80/tcp --permanent + sudo firewall-cmd --zone=public --add-port=443/tcp --permanent + sudo firewall-cmd --reload +} +# +``` # 8/ Log Rotation +## 8.01/ Enable log rotation MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs To rotate these logs install the supplied logrotate script: -``` -cp INSTALL/misp.logrotate /etc/logrotate.d/misp -chmod 0640 /etc/logrotate.d/misp -``` -## 8.01/ Allow logrotate to work under SELinux and modify the log files ```bash -semanage fcontext -a -t httpd_log_t "/var/www/MISP/app/tmp/logs(/.*)?" 
-chcon -R -t httpd_log_t /var/www/MISP/app/tmp/logs -``` +# +logRotation_RHEL () { + # MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs + # To rotate these logs install the supplied logrotate script: -## 8.02/ Allow logrotate to read /var/www -```bash -checkmodule -M -m -o /tmp/misplogrotate.mod INSTALL/misplogrotate.te -semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod -semodule -i /tmp/misplogrotate.pp + sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp + sudo chmod 0640 /etc/logrotate.d/misp + + # Now make logrotate work under SELinux as well + # Allow logrotate to modify the log files + sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/MISP(/.*)?" + sudo semanage fcontext -a -t httpd_log_t "$PATH_TO_MISP/app/tmp/logs(/.*)?" + sudo chcon -R -t httpd_log_t $PATH_TO_MISP/app/tmp/logs + sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp/logs + # Impact of the following: ?!?!?!!?111 + ##sudo restorecon -R /var/www/MISP/ + + # Allow logrotate to read /var/www + sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te + sudo semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod + sudo semodule -i /tmp/misplogrotate.pp +} +# ``` # 9/ MISP Configuration -## 9.01/ There are 4 sample configuration files in /var/www/MISP/app/Config that need to be copied + ```bash -cd /var/www/MISP/app/Config -cp -a bootstrap.default.php bootstrap.php -cp -a database.default.php database.php -cp -a core.default.php core.php -cp -a config.default.php config.php -``` +# +configMISP_RHEL () { + # There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied + $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php + $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php + $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/core.default.php 
$PATH_TO_MISP/app/Config/core.php + $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php -## 9.02/ Configure the fields in the newly created files -```bash -# Configure the fields in the newly created files: -# config.php : baseurl (example: 'baseurl' => 'http://misp',) - don't use "localhost" it causes issues when browsing externally -# core.php : Uncomment and set the timezone: `// date_default_timezone_set('UTC');` -# database.php : login, port, password, database -# DATABASE_CONFIG has to be filled -# With the default values provided in section 6, this would look like: -# class DATABASE_CONFIG { -# public $default = array( -# 'datasource' => 'Database/Mysql', -# 'persistent' => false, -# 'host' => 'localhost', -# 'login' => 'misp', // grant usage on *.* to misp@localhost -# 'port' => 3306, -# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX'; -# 'database' => 'misp', // create database misp; -# 'prefix' => '', -# 'encoding' => 'utf8', -# ); -#} + echo " 'Database/Mysql', + //'datasource' => 'Database/Postgres', + 'persistent' => false, + 'host' => '$DBHOST', + 'login' => '$DBUSER_MISP', + 'port' => 3306, // MySQL & MariaDB + //'port' => 5432, // PostgreSQL + 'password' => '$DBPASSWORD_MISP', + 'database' => '$DBNAME', + 'prefix' => '', + 'encoding' => 'utf8', + ); + }" | $SUDO_WWW tee $PATH_TO_MISP/app/Config/database.php -# Important! 
Change the salt key in /var/www/MISP/app/Config/config.php -# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user -# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt, -# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin) -``` + # Configure the fields in the newly created files: + # config.php : baseurl (example: 'baseurl' => 'http://misp',) - don't use "localhost" it causes issues when browsing externally + # core.php : Uncomment and set the timezone: `// date_default_timezone_set('UTC');` + # database.php : login, port, password, database + # DATABASE_CONFIG has to be filled + # With the default values provided in section 6, this would look like: + # class DATABASE_CONFIG { + # public $default = array( + # 'datasource' => 'Database/Mysql', + # 'persistent' => false, + # 'host' => 'localhost', + # 'login' => 'misp', // grant usage on *.* to misp@localhost + # 'port' => 3306, + # 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX'; + # 'database' => 'misp', // create database misp; + # 'prefix' => '', + # 'encoding' => 'utf8', + # ); + #} -## 9.03/ If you want to be able to change configuration parameters from the webinterface: -``` -chown apache:apache /var/www/MISP/app/Config/config.php -chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Config/config.php -``` + # Important! 
Change the salt key in $PATH_TO_MISP/app/Config/config.php + # The admin user account will be generated on the first login, make sure that the salt is changed before you create that user + # If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt, + # delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin) -## 9.04/ Generate an encryption key -```bash -gpg --gen-key -mv ~/.gnupg /var/www/MISP/ -chown -R apache:apache /var/www/MISP/.gnupg -chcon -R -t httpd_sys_rw_content_t /var/www/MISP/.gnupg + # If you want to be able to change configuration parameters from the webinterface: + sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP/app/Config/config.php + sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config/config.php + + # Generate a GPG encryption key. + cat >/tmp/gen-key-script < ``` !!! note 
@@ -422,156 +624,93 @@ chcon -R -t httpd_sys_rw_content_t /var/www/MISP/.gnupg The email address should match the one set in the config.php configuration file Make sure that you use the same settings in the MISP Server Settings tool -## 9.05/ export the public key to the webroot +## 9.06/ Use MISP's background workers +### 9.06a/ Create a systemd unit for the workers ```bash -sudo -u apache gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-EMAIL > /var/www/MISP/app/webroot/gpg.asc -``` +echo "[Unit] +Description=MISP's background workers +After=mariadb.service redis.service fpm.service -## 9.06/ Start the workers to enable background jobs +[Service] +Type=forking +User=apache +Group=apache +ExecStart=/var/www/MISP/app/Console/worker/start.sh +Restart=always +RestartSec=10 + +[Install] +WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-workers.service +``` +sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te + sudo semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod + sudo semodule -i /tmp/misplogrotate.pp + +Make the workers' script executable and reload the systemd units : ```bash -chmod +x /var/www/MISP/app/Console/worker/start.sh -su -s /bin/bash apache -c 'scl enable rh-php72 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh' +sudo chmod +x /var/www/MISP/app/Console/worker/start.sh +sudo systemctl daemon-reload +sudo checkmodule -M -m -o /tmp/workerstartsh.mod $PATH_TO_MISP/INSTALL/workerstartsh.te +sudo semodule_package -o /tmp/workerstartsh.pp -m /tmp/workerstartsh.mod +sudo semodule -i /tmp/workerstartsh.pp ``` -## 9.07a/ To make the background workers start on boot +### 9.06b/ Start the workers and enable them on boot ```bash -vi /etc/rc.local +sudo systemctl enable --now misp-workers.service ``` -## 9.07b/ Add the following line at the end +### 9.07/ misp-modules (Broken on RHEL8) ```bash -su -s /bin/bash apache -c 'scl enable rh-php72 rh-redis32 rh-mariadb102 
/var/www/MISP/app/Console/worker/start.sh' +# some misp-modules dependencies +sudo yum install openjpeg2-devel -y + +sudo chmod 2777 /usr/local/src +sudo chown root:users /usr/local/src +cd /usr/local/src/ +$SUDO_WWW git clone https://github.com/MISP/misp-modules.git +cd misp-modules +# pip install +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS +$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U . +sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-core -y + +echo "[Unit] +Description=MISP's modules +After=misp-workers.service + +[Service] +Type=simple +User=apache +Group=apache +ExecStart=\"${PATH_TO_MISP}/venv/bin/misp-modules –l 127.0.0.1 –s\" +Restart=always +RestartSec=10 + +[Install] +WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-modules.service + +sudo systemctl daemon-reload +sudo systemctl enable --now misp-modules ``` +{!generic/misp-dashboard-centos.md!} -## 9.07c/ and make sure it will execute -```bash -chmod +x /etc/rc.local -``` +{!generic/MISP_CAKE_init.md!} -!!! note - Now log in using the webinterface: http://misp/users/login
- The default user/pass = admin@admin.test/admin
- Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
- It is especially vital that no critical issues remain!
- Don't forget to change the email, password and authentication key after installation. +{!generic/INSTALL.done.md!} -!!! note - Once done, have a look at the diagnostics
- If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
- you can do this by running the following commands:
- ``` - chmod -R 750 /var/www/MISP/ - chown -R apache:apache /var/www/MISP/ - ``` - -!!! warning - Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items - -!!! note - If anything goes wrong, make sure that you check MISP's logs for errors: - ``` - # /var/www/MISP/app/tmp/logs/error.log - # /var/www/MISP/app/tmp/logs/resque-worker-error.log - # /var/www/MISP/app/tmp/logs/resque-scheduler-error.log - # /var/www/MISP/app/tmp/logs/resque-2015-01-01.log //where the actual date is the current date - ``` - -# 10/ Post Install - -## 10.01/ Allow apache to write to /var/www/MISP/app/tmp/logs -If the result from the diagnostic page is that the directory is not writable, try the following. -``` -chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp/logs/ -``` - -!!! note - This may mean that logrotate cannot access the logs directory, will require further investigation - -## 10.02/ Change php.ini settings to suggested limits from diagnostic page. 
-```bash -# Edit /etc/opt/rh/rh-php72/php.ini and set the following settings -max_execution_time = 300 -memory_limit = 512M -upload_max_filesize = 50M -post_max_size = 50M -``` - -## 10.03/ Restart rh-php72 for settings to take effect -```bash -systemctl restart rh-php72-php-fpm -``` - -## 10.04/ Install pymisp and pydeep for Advanced Attachment handler -```bash -pip install pymisp -pip install git+https://github.com/kbandla/pydeep.git -``` - -## 10.05/ Install pymisp also in Python 3 -```bash -scl enable rh-python36 pip3 install pymisp -``` +{!generic/recommended.actions.md!} # 11/ LIEF Installation *lief* is required for the Advanced Attachment Handler and requires manual compilation -## 11.01/ Install cmake3 devtoolset-7 from SCL -```bash -yum install devtoolset-7 cmake3 -``` - -## 11.02/ Enable devtoolset-7 -```bash -scl enable devtoolset-7 bash -``` - -## 11.03/ Set env variable, create directories and download source code -```bash -mkdir -p /tmp/LIEF -mkdir -p /tmp/LIEF_INSTALL -export LIEF_TMP=/tmp/LIEF -export LIEF_INSTALL=/tmp/LIEF_INSTALL -export LIEF_BRANCH=master -cd $LIEF_TMP -git clone --branch $LIEF_BRANCH --single-branch https://github.com/lief-project/LIEF.git LIEF -``` - -## 11.04/ Compile lief and install -```bash -cd $LIEF_TMP/LIEF -mkdir -p build -cd build -scl enable devtoolset-7 'bash -c "cmake3 \ --DLIEF_PYTHON_API=on \ --DLIEF_DOC=off \ --DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \ --DCMAKE_BUILD_TYPE=Release \ --DPYTHON_VERSION=2.7 \ -.."' -make -j3 -cd api/python -scl enable rh-python36 python3 setup.py install || : -# you can ignore the error about finding suitable distribution -cd $LIEF_TMP/LIEF/build -make install -make package -``` - -## 11.05/ Test lief installation, if no error, package installed -```bash -python ->> import lief -``` +The installation is explained in section **[3.01](https://misp.github.io/MISP/xINSTALL.rhel8/#301-download-misp-code-using-git-in-varwww-directory)** # 12/ Known Issues -## 12.01/ PHP CLI cannot determine 
version -PHP CLI Version cannot be determined. Possibly due to PHP being installed through SCL - -## 12.02/ Workers cannot be started or restarted from the web page -Possible also due to package being installed via SCL, attempting to start workers through the web page will result in -error. Worker's can be restarted via the CLI using the following command. +## 12.01/ Workers cannot be started or restarted from the web page +Possible also due to package being installed via SCL, attempting to start workers through the web page will result in error. Worker's can be restarted via the CLI using the following command. ```bash -su -s /bin/bash apache -c 'scl enable rh-php72 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh' +systemctl restart misp-workers.service ``` !!! note