From 894c7d28a36ad26a15c9221d50f268826551b712 Mon Sep 17 00:00:00 2001 From: Sebastien Tricaud Date: Mon, 10 Feb 2020 23:50:38 -0800 Subject: [PATCH] Adding instructions to build a Debian Package It does not build a Debian package that can be pushed to the distribution yet, but it provides an easy way to have a Debian package for MISP for minimal configuration efforts. It is installed in /usr/share/misp and there are too many things happening in that directory, such as logs, instead of being in /var/log/misp/. However it can be useful to a lot of people, and I will gradually improve it over time. -- STR --- README.debian | 23 +++ app/Model/Attribute.php | 5 + build-deb.sh | 4 + debian/README | 1 + debian/changelog | 5 + debian/config | 20 ++ debian/control | 41 +++++ debian/files | 2 + debian/install | 6 + debian/misp.apache2 | 1 + debian/misp.apache2.conf | 28 +++ debian/misp.substvars | 3 + debian/patches/Add-CakeResque-Config.patch | 203 +++++++++++++++++++++ debian/patches/series | 1 + debian/postinst | 74 ++++++++ debian/rules | 6 + debian/source/format | 1 + debian/templates | 35 ++++ 18 files changed, 459 insertions(+) create mode 100644 README.debian create mode 100755 build-deb.sh create mode 100644 debian/README create mode 100644 debian/changelog create mode 100755 debian/config create mode 100644 debian/control create mode 100644 debian/files create mode 100644 debian/install create mode 100644 debian/misp.apache2 create mode 100644 debian/misp.apache2.conf create mode 100644 debian/misp.substvars create mode 100644 debian/patches/Add-CakeResque-Config.patch create mode 100644 debian/patches/series create mode 100644 debian/postinst create mode 100755 debian/rules create mode 100644 debian/source/format create mode 100644 debian/templates diff --git a/README.debian b/README.debian new file mode 100644 index 000000000..1b620d94c --- /dev/null +++ b/README.debian 
@@ -0,0 +1,23 @@ +MISP Debian Package +=================== + +The actual MISP Debian package is experimental. It is not something that can be pushed to Debian yet, +however it is still a valid Debian package that can be deployed and it makes the installation much +easier. + +How to use? +----------- + +* Get all the MISP dependencies into this tree, such as galaxies, whitelists, etc. +* Rename to root folder to misp-2.4.220/ +* Run ./build-deb.sh + +Known Weaknesses +---------------- + +* For now, it only install MISP to use a MySQL backend. +* We could not use the outdated CakePHP Debian package (2.x), it is now 4.x, so CakePHP must be pulled into app/Lib/cakephp +* MISP is installed in /usr/share/misp/ including where it logs, etc. +* No individual package for misp-galaxies, misp-taxonomies etc. +* /usr/share/misp is set to www-data, it will be changed in a future version +* It installs MISP using Apache only, no SSL etc. diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php index 998df7218..905e8183c 100644 --- a/app/Model/Attribute.php +++ b/app/Model/Attribute.php @@ -660,6 +660,11 @@ class Attribute extends AppModel public function afterSave($created, $options = array()) { + //STR + $myfile = fopen("/tmp/newfile.txt", "w") or die("Unable to open file!"); + fwrite($myfile, implode("|",$this->data['Attribute'])); + fclose($myfile); + $passedEvent = false; if (isset($options['parentEvent'])) { $passedEvent = $options['parentEvent']; diff --git a/build-deb.sh b/build-deb.sh new file mode 100755 index 000000000..df3a46386 --- /dev/null +++ b/build-deb.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +dpkg-buildpackage -b -rfakeroot -us -uc + diff --git a/debian/README b/debian/README new file mode 100644 index 000000000..d0b3e96e7 --- /dev/null +++ b/debian/README @@ -0,0 +1 @@ +* We cannot use cakephp package from debian, as it is outdated. CakePHP is provided along with MISP. 
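Review bot: The block added at the top of `afterSave()` (marked `//STR`) reads like leftover debugging and should not ship with a packaging commit. On every attribute save it truncates `/tmp/newfile.txt` and rewrites it with the pipe-joined contents of `$this->data['Attribute']`, so attribute values land at a fixed, predictable path in a shared temp directory where other local accounts may be able to read them, and a file or symlink created at that path beforehand decides what the web-server user writes to. `or die("Unable to open file!")` also ends the request when the open fails, which cuts the save short before the rest of `afterSave()` runs. I would drop the five added lines; if a trace is needed while working on the package, `$this->log('afterSave attribute ' . $this->id, LOG_DEBUG);` keeps it in the application log without the values. The remainder of `afterSave()` lies outside the hunk.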
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 000000000..5227ba642
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+misp (2.4.220-1) UNRELEASED; urgency=low
+
+ * First package of MISP
+
+ -- Sebastien Tricaud Wed, 29 Jan 2020 16:32:33 -0800
diff --git a/debian/config b/debian/config
new file mode 100755
index 000000000..4a75d2712
--- /dev/null
+++ b/debian/config
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+. /usr/share/debconf/confmodule
+
+db_input critical misp/configure_mariadb || true
+db_go
+
+db_get misp/configure_mariadb
+if [ "$RET" = "Yes" ]; then
+ db_input critical misp/mariadb_host || true
+ db_go
+ db_input critical misp/mariadb_rootpwd || true
+ db_go
+ db_input critical misp/mariadb_mispdb || true
+ db_go
+ db_input critical misp/mariadb_mispdbuser || true
+ db_go
+ db_input critical misp/mariadb_setmisppwd || true
+ db_go
+fi
diff --git a/debian/control b/debian/control
new file mode 100644
index 000000000..7f96c3ea5
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,41 @@
+Source: misp
+Maintainer: Sebastien Tricaud
+Section: Web
+Priority: optional
+Standards-Version: 2.4.220
+Build-Depends: debhelper (>= 11), dh-apache2
+Homepage: http://misp.software
+Vcs-Browser: https://github.com/misp/misp
+Vcs-Git: https://github.com/MISP/MISP.git
+
+Package: misp
+Architecture: all
+Pre-Depends: ${misc:Pre-Depends}
+Depends: libapache2-mod-php | php-cgi | php,
+ python3,
+ composer,
+ mariadb-client,
+ openssl,
+ zip,
+ unzip,
+ moreutils,
+ php-mysql,
+ php-redis,
+ php-gd,
+ php-gnupg,
+ php-json,
+ php-xml,
+ php-readline,
+ php-mbstring,
+ php7.3-opcache,
+ ${misc:Depends}
+Recommends: ${misc:Recommends}, redis-server, mariadb-server
+Description: Threat Intelligence Platform
+ The MISP threat sharing platform is a free and open source software helping
+ information sharing of threat intelligence including cyber security indicators.
+ .
+ A threat intelligence platform for gathering, sharing, storing and correlating
+ Indicators of Compromise of targeted attacks, threat intelligence, financial
+ fraud information, vulnerability information or even counter-terrorism
+ information.
+
\ No newline at end of file
diff --git a/debian/files b/debian/files
new file mode 100644
index 000000000..a4da1c349
--- /dev/null
+++ b/debian/files
@@ -0,0 +1,2 @@
+misp_2.4.220-1_all.deb Web optional
+misp_2.4.220-1_amd64.buildinfo Web optional
diff --git a/debian/install b/debian/install
new file mode 100644
index 000000000..2bb2d7645
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,6 @@
+app usr/share/misp
+Plugin usr/share/misp
+tools usr/share/misp
+cti-python-stix2 usr/share/misp
+PyMISP usr/share/misp
+INSTALL/MYSQL.sql usr/share/doc/misp
diff --git a/debian/misp.apache2 b/debian/misp.apache2
new file mode 100644
index 000000000..251447e08
--- /dev/null
+++ b/debian/misp.apache2
@@ -0,0 +1 @@
+site debian/misp.apache2.conf
diff --git a/debian/misp.apache2.conf b/debian/misp.apache2.conf
new file mode 100644
index 000000000..46dadaeb7
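Review bot: The `Depends` list in `debian/control` does not cover what the `postinst` added in this same commit calls. The script runs `sudo -u www-data composer dump-autoload` and `a2enmod`/`a2ensite` under `set -e`, but `sudo` is not listed and Apache only arrives through `${misc:Recommends}` or the first alternative of `libapache2-mod-php | php-cgi | php`, so an install that picks `php-cgi` or skips Recommends is likely to abort half-configured. I would add `sudo` (or replace the call with `runuser -u www-data --`) and make `apache2` a hard dependency for as long as the maintainer script requires it. Separately, `Standards-Version: 2.4.220` carries the MISP release number, whereas that field is meant to name the Debian Policy version the package was checked against, and `php7.3-opcache` ties the package to one PHP minor release.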
--- /dev/null
+++ b/debian/misp.apache2.conf
@@ -0,0 +1,28 @@
+
+ ServerAdmin me@me.local
+ ServerName misp.local
+ DocumentRoot /usr/share/misp/app/webroot
+
+ Options -Indexes
+ AllowOverride all
+ Order allow,deny
+ Allow from all
+
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/misp.local_error.log
+ CustomLog /var/log/apache2/misp.local_access.log combined
+
+ ServerSignature Off
+
+ Header always set X-Content-Type-Options nosniff
+ Header always set X-Frame-Options SAMEORIGIN
+ Header always unset "X-Powered-By"
+
+ # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
+ ## Example:
+ # Header always set X-XSS-Protection "1; mode=block"
+ # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
+ # Header always set Referrer-Policy "strict-origin-when-cross-origin"
+ # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
+
diff --git a/debian/misp.substvars b/debian/misp.substvars
new file mode 100644
index 000000000..ae53d089d
--- /dev/null
+++ b/debian/misp.substvars
@@ -0,0 +1,3 @@
+misc:Recommends=apache2 ( >= 2.4.6-4~ ) | httpd
+misc:Depends=debconf (>= 0.5) | debconf-2.0
+misc:Pre-Depends=
diff --git a/debian/patches/Add-CakeResque-Config.patch b/debian/patches/Add-CakeResque-Config.patch
new file mode 100644
index 000000000..89a2c0326
--- /dev/null
+++ b/debian/patches/Add-CakeResque-Config.patch
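Review bot: The access rules in `debian/misp.apache2.conf` use the Apache 2.2 directives `Order allow,deny` and `Allow from all`, which on 2.4 only work while `mod_access_compat` is loaded, and the `postinst` enables just `rewrite` and `headers`. Since `debian/misp.substvars` already assumes apache2 2.4.6 or later, I would replace both lines with `Require all granted`. The vhost is also plain HTTP only, which the README lists as a known weakness, so it would help to put a comment at the top of the file such as `# HTTP only: logins and API keys are sent unencrypted until a TLS vhost is added`. The enclosing container tags are not visible in this rendering of the hunk, so the listening address and port could not be checked.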
@@ -0,0 +1,203 @@ +--- misp/app/Plugin/CakeResque/Config/config.php 1969-12-31 16:00:00.000000000 -0800 ++++ misp-2.4.220/app/Plugin/CakeResque/Config/config.php 2020-02-06 15:03:21.645491394 -0800 +@@ -0,0 +1,200 @@ ++ ++ * @copyright Copyright 2012, Wan Qi Chen ++ * @link http://cakeresque.kamisama.me ++ * @package CakeResque ++ * @subpackage CakeResque.Config ++ * @since 3.4.0 ++ * @license MIT License (http://www.opensource.org/licenses/mit-license.php) ++ */ ++ ++/** ++ * Configure the default value for Resque ++ * ++ * ## Mandatory indexes : ++ * Redis ++ * Redis server settings ++ * Worker ++ * Workers default settings ++ * Resque ++ * Default values used to init the php-resque library path ++ * ++ * ## Optional indexes : ++ * Queues ++ * An array of queues to start with Resque::load() ++ * Used when you have multiple queues, as you don't need ++ * to start each queues individually each time you start Resque ++ * Env ++ * Additional environment variables to pass to Resque ++ * Log ++ * Log handler and its arguments, to save the log with Monolog ++ * ++ * ++ * There are many ways to configure the plugin: ++ * ++ * 1. This file is automagically loaded by the bootstrapping process, when no 'CakeResque' ++ * configuration key exists. ++ * ++ * CakePlugin::load('CakeResque', array('bootstrap' => true)); ++ * ++ * 2. If a 'CakeResque' configuration key already exists, the default configuration will not be loaded, ++ * and the 'CakeResque' key is expected to contain all the values present in the default configuration. ++ * ++ * Configure::load('my_cakeresque_config'); ++ * CakePlugin::load('CakeResque', array('bootstrap' => true)); ++ * ++ * 3. Another way to configure the plugin is to load it using a custom bootstrap file. ++ * ++ * CakePlugin::load('CakeResque', array('bootstrap' => 'my_bootstrap')); ++ * ++ * // APP/Plugin/CakeResque/Config/my_bootstrap.php ++ * require_once dirname(__DIR__) . DS . 'Lib' . DS . 
'CakeResque.php'; ++ * $config = array(); // Custom configuration ++ * CakeResque::init($config); ++ * ++ * @see CakeResque::init(), CakeResque::loadConfig(). ++ */ ++$config['CakeResque'] = array( ++ 'Redis' => array( ++ 'host' => 'localhost', // Redis server hostname ++ 'port' => 6379, // Redis server port ++ 'database' => 0, // Redis database number ++ 'namespace' => 'resque', // Redis keys namespace ++ 'password' => null // Redis password ++ ), ++ ++ 'Worker' => array( ++ 'queue' => 'default', // Name of the default queue ++ 'interval' => 5, // Number of second between each poll ++ 'workers' => 1, // Number of workers to create ++ // 'user' => 'www-data' // User running the worker process ++ ++ // Path to the log file ++ // Can be an ++ // - absolute path, ++ // - an relative path, that will be relative to ++ // app/tmp/logs folder ++ // - a simple filename, file will be created inside app/tmp/logs ++ 'log' => TMP . 'logs' . DS . 'resque-worker-error.log', ++ ++ // Log Verbose mode ++ // true to log more debugging informations ++ // Can also be enabled per worker, by starting with --verbose ++ 'verbose' => false ++ ), ++ 'Job' => array( ++ // Whether to track job status ++ // Enabling this will allow you to track a job status by its ID ++ // Job status are purged after 24 hours ++ // ++ // You can also define per-job tracking by passing true/false when calling ++ // CakeResque::enqueue(), CakeResque::enqueueAt() or CakeResque::enqueueIn() ++ 'track' => false ++ ), ++ /* ++ 'Queues' => array( ++ array( ++ 'queue' => 'default', // Use default values from above for missing interval and count indexes ++ 'user' => 'www-data' // If PHP is running as a different user on you webserver ++ ), ++ array( ++ 'queue' => 'my-second-queue', ++ 'interval' => 10 ++ ) ++ ) ++ */ ++ 'Resque' => array( ++ // Path to the directory containing the worker PID files ++ 'tmpdir' => App::pluginPath('CakeResque') . 'tmp' . 
DS ++ ), ++ ++ // Other usefull environment variable you wish to set ++ // Passing a key only will search for its value in the $_SERVER scope ++ // eg : array('SERVER_NAME'); => will search for the value in $_SERVER['SERVER_NAME'] ++ // Passing a key and a value will set the env variable to this value ++ // eg : array('ARCH' => 'x64') ++ 'Env' => array(), ++ ++ // Log Handler ++ // If saving the logs in a plain text file doesn't suit you ++ // you can send them to Mysql, or MongoDB, etc ... ++ // In that case, you'll need a handler to manage your logs ++ // All logs outputted by resque will go to the handler. ++ // The classic log file (above) will still be used, for logging ++ // stuff likes php error, or other STDOUT outputted by your job classses ++ // ++ // php-resque-ex uses Monolog to manage all the logging stuff ++ // If you uses the original php-resque library, these settings ++ // will be ignored ++ // ++ // handler ++ // Name of the Handler (the handler classname, without the 'Handler' part) ++ // target ++ // Arguments taken by the handler constructor. If the handler required ++ // multiple arguments, separate them with a comma ++ // ++ // As of now, the following handler are supported: ++ // ++ // [HANDLER] [TARGET] ++ // Cube Cube server address (e.g: udp://127.0.0.1:1180) ++ // RotatingFile Path to the log file (e.g: /path/to/resque.log) ++ // Syslog Facility name ++ // Socket Address (e.g: udp://127.0.0.1:23) ++ // MongoDB MongoDB server address (e.g: mongodb://localhost:27017) ++ 'Log' => array( ++ 'handler' => 'RotatingFile', ++ 'target' => TMP . 'logs' . DS . 'resque.log' ++ ), ++ ++ // Scheduler Worker ++ // It's the worker handling all the scheduled jobs ++ // Only one scheduler worker is permitted to run at one time ++ // It can be paused, resumed and stopped like any other workers ++ // It can be started only with the `startscheduler` command, ++ // or with `load` if Scheduler Worker is enabled. 
++ // ++ // Scheduled jobs requires the php-resque-ex-scheduler library, ++ // that should be installed with automatically via the ++ // `composer update` or `composer install` command ++ // ++ // The Scheduler Worker have its own default settings ++ // ++ // @since 2.3.0 ++ // ++ 'Scheduler' => array( ++ // Enable or disable delayed job ++ 'enabled' => true, ++ ++ // Path to the log file ++ 'log' => TMP . 'logs' . DS . 'resque-scheduler-error.log', ++ ++ // Optional ++ // Will not default to settings defined in the global scope above ++ 'Env' => array(), ++ ++ // Optional ++ // Will default to settings defined in the global scope above ++ // Only available setting is `interval` ++ // The worker will always poll a fixed special queue, and only one worker can run at one time ++ 'Worker' => array( ++ 'interval' => 3 ++ ), ++ ++ // Optional ++ // Will default to settings defined in the global scope above ++ 'Log' => array( ++ 'handler' => 'RotatingFile', ++ 'target' => TMP . 'logs' . DS . 'resque-scheduler.log' ++ ) ++ ) ++); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000000000..cbb531dac --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +Add-CakeResque-Config.patch diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 000000000..68e3a4991 --- /dev/null +++ b/debian/postinst 
@@ -0,0 +1,74 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+. /usr/share/debconf/confmodule
+
+if [ "$1" = "configure" ] ; then
+ cp /usr/share/misp/app/Config/bootstrap.default.php /usr/share/misp/app/Config/bootstrap.php
+ cp /usr/share/misp/app/Config/config.default.php /usr/share/misp/app/Config/config.php
+ cp /usr/share/misp/app/Config/core.default.php /usr/share/misp/app/Config/core.php
+ cp /usr/share/misp/app/Config/database.default.php /usr/share/misp/app/Config/database.php
+
+ chown -R www-data:www-data /usr/share/misp/app/tmp
+ chmod -R g+ws /usr/share/misp/app/tmp
+ chown -R www-data:www-data /usr/share/misp/app/files
+ chmod -R g+ws /usr/share/misp/app/files
+ chown -R www-data:www-data /usr/share/misp/app/Config
+ chmod -R 750 /usr/share/misp/app/Config
+
+ if [ ! -d "/var/www/.composer/" ]
+ then
+ mkdir /var/www/.composer
+ fi
+
+ chown www-data:www-data /var/www/.composer
+ chown -R www-data:www-data /usr/share/misp/
+
+ cd /usr/share/misp/app
+ sudo -u www-data composer dump-autoload
+
+ phpenmod redis
+ phpenmod gnupg
+
+ a2dissite 000-default || true
+ a2ensite misp.apache2 || true
+ a2enmod rewrite
+ a2enmod headers
+
+ db_get misp/mariadb_host
+ HOST=$RET
+ db_get misp/mariadb_rootpwd
+ ROOTPWD=$RET
+ db_get misp/mariadb_mispdb
+ MISPDB=$RET
+ db_get misp/mariadb_mispdbuser
+ MISPDBUSER=$RET
+ db_get misp/mariadb_setmisppwd
+ MISPDBUSERPWD=$RET
+ db_stop
+
+ mysql -h$HOST -uroot -p$ROOTPWD -e "CREATE USER IF NOT EXISTS '$MISPDBUSER'@'localhost' IDENTIFIED BY '$MISPDBUSERPWD';"
+ mysql -h$HOST -uroot -p$ROOTPWD -e "GRANT ALL PRIVILEGES ON misp.* TO '$MISPDBUSER'@'localhost';"
+ mysql -h$HOST -uroot -p$ROOTPWD -e "FLUSH PRIVILEGES;"
+ mysql -h$HOST -uroot -p$ROOTPWD -e "CREATE DATABASE $MISPDB;"
+ echo "Creating MISP Database..."
+ gunzip < /usr/share/doc/misp/MYSQL.sql.gz | mysql -h$HOST -u$MISPDBUSER -p$MISPDBUSERPWD $MISPDB
+
+ # /usr/share/misp/app/Config/database.php
+ echo "Updating salt..."
+ sed -i -E "s/'salt'\s=>\s'(\S+)'/'salt' => '`openssl rand -base64 32|tr "/" "-"`'/" /usr/share/misp/app/Config/config.php
+
+ echo "Configuring Database..."
+ sed -i -E "s/'host'\s=>\s'localhost'/'host' => '$HOST'/" /usr/share/misp/app/Config/database.php
+ sed -i -E "s/'login'\s=>\s'db login'/'login' => '$MISPDBUSER'/" /usr/share/misp/app/Config/database.php
+ sed -i -E "s/'password'\s=>\s'db password'/'password' => '$MISPDBUSERPWD'/" /usr/share/misp/app/Config/database.php
+ sed -i -E "s/'database'\s=>\s'misp'/'database' => '$MISPDB'/" /usr/share/misp/app/Config/database.php
+
+ cd /usr/share/misp/app
+ composer require resque/php-resque
+# No composer.json in current directory, do you want to use the one at /usr/share/misp/app? [Y,n]? Y
+ echo "{\"major\":2, \"minor\":4, \"hotfix\":220}" > /usr/share/misp/VERSION.json
+fi
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 000000000..fc431c611
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,6 @@
+#!/usr/bin/make -f
+%:
+ dh $@ --with apache2
+
+override_dh_auto_install:
+ dh_auto_build
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 000000000..163aaf8d8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/templates b/debian/templates
new file mode 100644
index 000000000..8395e131c
--- /dev/null
+++ b/debian/templates
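Review bot: The MariaDB block in `debian/postinst` puts both passwords on the `mysql` command line (`-p$ROOTPWD`, `-p$MISPDBUSERPWD`, and the `IDENTIFIED BY` text passed with `-e`), where they show up in the process list, and it expands every debconf answer unquoted into shell words, SQL and `sed` replacement strings. A password containing a space, quote, `/` or `&` therefore breaks the install or changes the statement that runs. The block also runs when `misp/configure_mariadb` was answered `No`, grants on the literal `misp.*` instead of `$MISPDB`, aborts a re-run under `set -e` because `CREATE DATABASE` has no `IF NOT EXISTS`, and leaves the root password stored in the debconf database. I would gate the block on the debconf answer, pass credentials through a private option file and stdin, restrict the two name fields to identifier characters, and blank the stored root password, as sketched below. Because the `cp` of the `*.default.php` files and the salt rewrite run on every `configure`, an upgrade would replace the live configuration and salt, so those steps should be skipped when the target file already exists.

```shell
    db_get misp/configure_mariadb
    if [ "$RET" = "Yes" ]; then
        # … unchanged: db_get of host, root password, database name, user and user password …
        db_set misp/mariadb_rootpwd ""   # do not keep the root password in debconf
        db_stop

        # These two values end up inside SQL identifiers and sed patterns.
        case "$MISPDB$MISPDBUSER" in
            ''|*[!A-Za-z0-9_]*) echo "misp: unsupported database or user name" >&2; exit 1 ;;
        esac

        # Backslash-escape \ and ' for the SQL literal, \ and " for the option-file value.
        SQLPWD=$(printf '%s' "$MISPDBUSERPWD" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")
        CNFPWD=$(printf '%s' "$ROOTPWD" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')

        # Credentials reach the client through a private temp file and stdin, never argv.
        ROOTCNF=$(mktemp)
        trap 'rm -f "$ROOTCNF"' EXIT
        printf '[client]\nhost=%s\nuser=root\npassword="%s"\n' "$HOST" "$CNFPWD" > "$ROOTCNF"

        mysql --defaults-extra-file="$ROOTCNF" <<EOF
CREATE DATABASE IF NOT EXISTS \`$MISPDB\`;
CREATE USER IF NOT EXISTS '$MISPDBUSER'@'localhost' IDENTIFIED BY '$SQLPWD';
GRANT ALL PRIVILEGES ON \`$MISPDB\`.* TO '$MISPDBUSER'@'localhost';
EOF
        rm -f "$ROOTCNF"

        # … not shown: schema import and database.php edits, which need the same option-file and escaping treatment …
    fi
```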
@@ -0,0 +1,35 @@
+Template: misp/information
+Type: note
+Description: MISP has been installed on your system.
+ However it will not work unless you configure the following file:
+ .
+ /usr/share/misp/app/Config/database.php
+
+Template: misp/configure_mariadb
+Type: select
+Choices: Yes, No
+Description: Would you like to configure MariaDB for MISP?
+
+Template: misp/mariadb_host
+Type: string
+Default: 127.0.0.1
+Description: MariaDB Host
+
+Template: misp/mariadb_rootpwd
+Type: password
+Description: MariaDB root user password
+
+Template: misp/mariadb_mispdb
+Type: string
+Default: misp
+Description: MISP Database name
+
+Template: misp/mariadb_mispdbuser
+Type: string
+Default: misp
+Description: MISP Database user
+
+Template: misp/mariadb_setmisppwd
+Type: password
+Description: Set your MariaDB MISP user password
+