mirror of https://github.com/MISP/MISP
chg: [doc] Leveled RHEL7/RHEL8 Install procedure (WiP)
parent
4d590160da
commit
93a55a1e89
|
@ -211,16 +211,15 @@ installCoreRHEL () {
|
||||||
$SUDO_WWW git config core.filemode false
|
$SUDO_WWW git config core.filemode false
|
||||||
|
|
||||||
# Install packaged pears
|
# Install packaged pears
|
||||||
sudo $RUN_PHP "pear channel-update pear.php.net"
|
sudo $RUN_PHP -- pear channel-update pear.php.net
|
||||||
sudo $RUN_PHP "pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml"
|
sudo $RUN_PHP -- pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml
|
||||||
sudo $RUN_PHP "pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml"
|
sudo $RUN_PHP -- pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml
|
||||||
|
|
||||||
# Create a python3 virtualenv
|
# Create a python3 virtualenv
|
||||||
$SUDO_WWW $RUN_PYTHON "virtualenv -p python3 $PATH_TO_MISP/venv"
|
$SUDO_WWW $RUN_PYTHON -- virtualenv -p python3 $PATH_TO_MISP/venv
|
||||||
sudo mkdir /usr/share/httpd/.cache
|
sudo mkdir /usr/share/httpd/.cache
|
||||||
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
|
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
|
||||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python"
|
|
||||||
|
|
||||||
cd $PATH_TO_MISP/app/files/scripts
|
cd $PATH_TO_MISP/app/files/scripts
|
||||||
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
||||||
|
@ -466,6 +465,7 @@ apacheConfig_RHEL () {
|
||||||
# A sample vhost can be found in $PATH_TO_MISP/INSTALL/apache.misp.centos7
|
# A sample vhost can be found in $PATH_TO_MISP/INSTALL/apache.misp.centos7
|
||||||
|
|
||||||
sudo cp $PATH_TO_MISP/INSTALL/apache.misp.centos7.ssl /etc/httpd/conf.d/misp.ssl.conf
|
sudo cp $PATH_TO_MISP/INSTALL/apache.misp.centos7.ssl /etc/httpd/conf.d/misp.ssl.conf
|
||||||
|
#sudo sed -i "s/SetHandler/\#SetHandler/g" /etc/httpd/conf.d/misp.ssl.conf
|
||||||
sudo rm /etc/httpd/conf.d/ssl.conf
|
sudo rm /etc/httpd/conf.d/ssl.conf
|
||||||
sudo chmod 644 /etc/httpd/conf.d/misp.ssl.conf
|
sudo chmod 644 /etc/httpd/conf.d/misp.ssl.conf
|
||||||
sudo sed -i '/Listen 80/a Listen 443' /etc/httpd/conf/httpd.conf
|
sudo sed -i '/Listen 80/a Listen 443' /etc/httpd/conf/httpd.conf
|
||||||
|
@ -653,17 +653,6 @@ EOF
|
||||||
# <snippet-end 2_configMISP_RHEL.sh>
|
# <snippet-end 2_configMISP_RHEL.sh>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
```bash
|
|
||||||
# In case you have no /etc/rc.local make a bare-bones one.
|
|
||||||
if [ ! -e /etc/rc.local ]
|
|
||||||
then
|
|
||||||
echo '#!/bin/sh -e' | sudo tee -a /etc/rc.local
|
|
||||||
echo 'exit 0' | sudo tee -a /etc/rc.local
|
|
||||||
sudo chmod u+x /etc/rc.local
|
|
||||||
fi
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! note
|
!!! note
|
||||||
There is a bug that if a passphrase is added MISP will produce an error on the diagnostic page.<br />
|
There is a bug that if a passphrase is added MISP will produce an error on the diagnostic page.<br />
|
||||||
/!\ THIS WANTS TO BE VERIFIED AND LINKED WITH A CORRESPONDING ISSUE.
|
/!\ THIS WANTS TO BE VERIFIED AND LINKED WITH A CORRESPONDING ISSUE.
|
||||||
|
@ -702,7 +691,7 @@ sudo systemctl daemon-reload
|
||||||
sudo systemctl enable --now misp-workers.service
|
sudo systemctl enable --now misp-workers.service
|
||||||
```
|
```
|
||||||
|
|
||||||
## 9.07/ misp-modules (WIP!)
|
## 9.07/ misp-modules
|
||||||
```bash
|
```bash
|
||||||
# some misp-modules dependencies
|
# some misp-modules dependencies
|
||||||
sudo yum install openjpeg-devel gcc-c++ poppler-cpp-devel pkgconfig python-devel redhat-rpm-config -y
|
sudo yum install openjpeg-devel gcc-c++ poppler-cpp-devel pkgconfig python-devel redhat-rpm-config -y
|
||||||
|
|
|
@ -19,7 +19,7 @@ Make sure you are reading the parsed version of this Document. When in doubt [cl
|
||||||
```
|
```
|
||||||
**The above does NOT work yet**
|
**The above does NOT work yet**
|
||||||
|
|
||||||
## 0/ Overview and Assumptions
|
### 0/ Overview and Assumptions
|
||||||
|
|
||||||
{!generic/community.md!}
|
{!generic/community.md!}
|
||||||
|
|
||||||
|
@ -31,6 +31,10 @@ Make sure you are reading the parsed version of this Document. When in doubt [cl
|
||||||
|
|
||||||
This document details the steps to install MISP on Red Hat Enterprise Linux 8.x (RHEL 8.x).
|
This document details the steps to install MISP on Red Hat Enterprise Linux 8.x (RHEL 8.x).
|
||||||
|
|
||||||
|
This document details the steps to install MISP on Red Hat Enterprise Linux 8.x (RHEL 8.x) and CentOS 8.x.
|
||||||
|
At time of this writing it was tested on versions 8.0 for RHEL.
|
||||||
|
This is a joint RHEL/CentOS install guide. The authors tried to make it contextually evident what applies to which flavor.
|
||||||
|
|
||||||
The following assumptions with regard to this installation have been made.
|
The following assumptions with regard to this installation have been made.
|
||||||
|
|
||||||
- A valid support agreement allowing the system to register to the Red Hat Customer Portal and receive updates
|
- A valid support agreement allowing the system to register to the Red Hat Customer Portal and receive updates
|
||||||
|
@ -71,18 +75,21 @@ sudo subscription-manager register --auto-attach # register your system to an ac
|
||||||
|
|
||||||
## 1.4/ **[RHEL]** Enable the optional, extras and Software Collections (SCL) repos
|
## 1.4/ **[RHEL]** Enable the optional, extras and Software Collections (SCL) repos
|
||||||
```bash
|
```bash
|
||||||
|
# <snippet-begin 0_RHEL_SCL.sh>
|
||||||
# To be confirmed, no access to RHSCL
|
# To be confirmed, no access to RHSCL
|
||||||
|
sudo subscription-manager refresh
|
||||||
sudo subscription-manager repos --enable rhel-8-server-optional-rpms
|
sudo subscription-manager repos --enable rhel-8-server-optional-rpms
|
||||||
sudo subscription-manager repos --enable rhel-8-server-extras-rpms
|
sudo subscription-manager repos --enable rhel-8-server-extras-rpms
|
||||||
sudo subscription-manager repos --enable rhel-server-rhscl-8-rpms
|
sudo subscription-manager repos --enable rhel-server-rhscl-8-rpms
|
||||||
|
# <snippet-end 0_RHEL_SCL.sh>
|
||||||
```
|
```
|
||||||
|
|
||||||
### 1.5a/ Install the deltarpm package to help reduce download size when installing updates (optional)
|
## 1.5a/ Install the deltarpm package to help reduce download size when installing updates (optional)
|
||||||
```bash
|
```bash
|
||||||
sudo yum install drpm -y
|
sudo yum install drpm -y
|
||||||
```
|
```
|
||||||
|
|
||||||
### 1.5.b/ Install vim (optional)
|
## 1.5.b/ Install vim (optional)
|
||||||
```bash
|
```bash
|
||||||
# Because vim is just so practical
|
# Because vim is just so practical
|
||||||
sudo yum install vim -y
|
sudo yum install vim -y
|
||||||
|
@ -106,7 +113,10 @@ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noa
|
||||||
# <snippet-end 0_RHEL_EPEL.sh>
|
# <snippet-end 0_RHEL_EPEL.sh>
|
||||||
```
|
```
|
||||||
|
|
||||||
# 2/ Dependencies
|
### 2/ Dependencies
|
||||||
|
|
||||||
|
!!! note
|
||||||
|
This guide installs PHP 7.2 from SCL
|
||||||
|
|
||||||
!!! warning
|
!!! warning
|
||||||
[PHP 5.6 and 7.0 aren't supported since December 2018](https://secure.php.net/supported-versions.php). Please update accordingly. In the future only PHP7 will be supported.
|
[PHP 5.6 and 7.0 aren't supported since December 2018](https://secure.php.net/supported-versions.php). Please update accordingly. In the future only PHP7 will be supported.
|
||||||
|
@ -114,23 +124,25 @@ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noa
|
||||||
## 2.01/ Install some base system dependencies
|
## 2.01/ Install some base system dependencies
|
||||||
```bash
|
```bash
|
||||||
# <snippet-begin 0_yumInstallCoreDeps.sh>
|
# <snippet-begin 0_yumInstallCoreDeps.sh>
|
||||||
# Install the dependencies:
|
yumInstallCoreDeps () {
|
||||||
sudo yum install @httpd -y
|
# Install the dependencies:
|
||||||
sudo yum install gcc git zip \
|
sudo yum install @httpd -y
|
||||||
httpd \
|
sudo yum install gcc git zip \
|
||||||
mod_ssl \
|
httpd \
|
||||||
redis \
|
mod_ssl \
|
||||||
mariadb \
|
redis \
|
||||||
mariadb-server \
|
mariadb \
|
||||||
python3-devel python3-pip python3-virtualenv \
|
mariadb-server \
|
||||||
libxslt-devel zlib-devel ssdeep-devel -y
|
python3-devel python3-pip python3-virtualenv \
|
||||||
sudo alternatives --set python /usr/bin/python3
|
python3-policycoreutils \
|
||||||
|
libxslt-devel zlib-devel ssdeep-devel -y
|
||||||
|
sudo alternatives --set python /usr/bin/python3
|
||||||
|
|
||||||
# Enable and start redis
|
# Enable and start redis
|
||||||
sudo systemctl enable --now redis.service
|
sudo systemctl enable --now redis.service
|
||||||
|
|
||||||
PHP_INI=/etc/php.ini
|
PHP_INI=/etc/php.ini
|
||||||
sudo yum install php php-fpm php-devel php-pear \
|
sudo yum install php php-fpm php-devel php-pear \
|
||||||
php-mysqlnd \
|
php-mysqlnd \
|
||||||
php-mbstring \
|
php-mbstring \
|
||||||
php-xml \
|
php-xml \
|
||||||
|
@ -138,14 +150,15 @@ sudo yum install php php-fpm php-devel php-pear \
|
||||||
php-opcache \
|
php-opcache \
|
||||||
php-json \
|
php-json \
|
||||||
php-gd -y
|
php-gd -y
|
||||||
|
}
|
||||||
# <snippet-end 0_yumInstallCoreDeps.sh>
|
# <snippet-end 0_yumInstallCoreDeps.sh>
|
||||||
```
|
```
|
||||||
|
|
||||||
!!! note
|
!!! notice
|
||||||
MISP 2.4 requires PHP 5.6 as a minimum, we need a higher version than base RHEL provides.<br />
|
MISP 2.4 requires PHP 5.6 as a minimum, we need a higher version than base RHEL provides.<br />
|
||||||
This guide installs PHP 7.2
|
This guide installs PHP 7.2
|
||||||
|
|
||||||
!!! note
|
!!! notice
|
||||||
If we want to use httpd from RHEL base we can use the rh-php72-php-fpm service instead
|
If we want to use httpd from RHEL base we can use the rh-php72-php-fpm service instead
|
||||||
|
|
||||||
## 2.05/ Start the PHP FPM service and enable to start on boot
|
## 2.05/ Start the PHP FPM service and enable to start on boot
|
||||||
|
@ -167,106 +180,117 @@ sudo systemctl enable --now haveged.service
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# <snippet-begin 1_mispCoreInstall_RHEL.sh>
|
# <snippet-begin 1_mispCoreInstall_RHEL.sh>
|
||||||
# Download MISP using git in the /var/www/ directory.
|
installCoreRHEL () {
|
||||||
sudo mkdir $PATH_TO_MISP
|
# Download MISP using git in the /var/www/ directory.
|
||||||
sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP
|
sudo mkdir $PATH_TO_MISP
|
||||||
cd /var/www
|
sudo chown $WWW_USER:$WWW_USER $PATH_TO_MISP
|
||||||
$SUDO_WWW git clone https://github.com/MISP/MISP.git
|
cd /var/www
|
||||||
cd $PATH_TO_MISP
|
$SUDO_WWW git clone https://github.com/MISP/MISP.git
|
||||||
##$SUDO_WWW git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
|
cd $PATH_TO_MISP
|
||||||
# if the last shortcut doesn't work, specify the latest version manually
|
##$SUDO_WWW git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
|
||||||
# example: git checkout tags/v2.4.XY
|
# if the last shortcut doesn't work, specify the latest version manually
|
||||||
# the message regarding a "detached HEAD state" is expected behaviour
|
# example: git checkout tags/v2.4.XY
|
||||||
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
|
# the message regarding a "detached HEAD state" is expected behaviour
|
||||||
|
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
|
||||||
|
|
||||||
# Fetch submodules
|
# Fetch submodules
|
||||||
$SUDO_WWW git submodule update --init --recursive
|
$SUDO_WWW git submodule update --init --recursive
|
||||||
# Make git ignore filesystem permission differences for submodules
|
# Make git ignore filesystem permission differences for submodules
|
||||||
$SUDO_WWW git submodule foreach --recursive git config core.filemode false
|
$SUDO_WWW git submodule foreach --recursive git config core.filemode false
|
||||||
# Make git ignore filesystem permission differences
|
# Make git ignore filesystem permission differences
|
||||||
$SUDO_WWW git config core.filemode false
|
$SUDO_WWW git config core.filemode false
|
||||||
|
|
||||||
# Install packaged pears
|
# Install packaged pears
|
||||||
sudo $RUN_PHP "pear channel-update pear.php.net"
|
sudo $RUN_PHP -- pear channel-update pear.php.net
|
||||||
sudo $RUN_PHP "pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml"
|
sudo $RUN_PHP -- pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml
|
||||||
sudo $RUN_PHP "pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml"
|
sudo $RUN_PHP -- pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml
|
||||||
|
|
||||||
# Create a python3 virtualenv
|
# Create a python3 virtualenv
|
||||||
$SUDO_WWW virtualenv-3 -p python3 $PATH_TO_MISP/venv
|
$SUDO_WWW virtualenv-3 -p python3 $PATH_TO_MISP/venv
|
||||||
sudo mkdir /usr/share/httpd/.cache
|
sudo mkdir /usr/share/httpd/.cache
|
||||||
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
|
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
|
||||||
|
|
||||||
cd $PATH_TO_MISP/app/files/scripts
|
cd $PATH_TO_MISP/app/files/scripts
|
||||||
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
||||||
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
|
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
|
||||||
$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
|
$SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief
|
||||||
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
|
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
|
||||||
|
|
||||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||||
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
||||||
UMASK=$(umask)
|
UMASK=$(umask)
|
||||||
umask 0022
|
umask 0022
|
||||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||||
|
|
||||||
# install mixbox to accommodate the new STIX dependencies:
|
# install mixbox to accommodate the new STIX dependencies:
|
||||||
cd $PATH_TO_MISP/app/files/scripts/mixbox
|
cd $PATH_TO_MISP/app/files/scripts/mixbox
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||||
|
|
||||||
# install STIX2.0 library to support STIX 2.0 export:
|
# install STIX2.0 library to support STIX 2.0 export:
|
||||||
cd $PATH_TO_MISP/cti-python-stix2
|
cd $PATH_TO_MISP/cti-python-stix2
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
|
||||||
|
|
||||||
# install maec
|
# install maec
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec
|
||||||
|
|
||||||
# install zmq
|
# install zmq
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq
|
||||||
|
|
||||||
# install redis
|
# install redis
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis
|
||||||
|
|
||||||
# lief needs manual compilation
|
# lief needs manual compilation
|
||||||
sudo yum groupinstall "Development Tools" -y
|
sudo yum groupinstall "Development Tools" -y
|
||||||
sudo yum install cmake3 cppcheck -y
|
sudo yum install cmake3 cppcheck -y
|
||||||
|
|
||||||
cd $PATH_TO_MISP/app/files/scripts/lief
|
cd $PATH_TO_MISP/app/files/scripts/lief
|
||||||
$SUDO_WWW mkdir build
|
$SUDO_WWW mkdir build
|
||||||
cd build
|
cd build
|
||||||
$SUDO_WWW cmake3 \
|
$SUDO_WWW cmake3 \
|
||||||
-DLIEF_PYTHON_API=on \
|
-DLIEF_PYTHON_API=on \
|
||||||
-DPYTHON_VERSION=3.6 \
|
-DPYTHON_VERSION=3.6 \
|
||||||
-DPYTHON_EXECUTABLE=$PATH_TO_MISP/venv/bin/python \
|
-DPYTHON_EXECUTABLE=$PATH_TO_MISP/venv/bin/python \
|
||||||
-DLIEF_DOC=off \
|
-DLIEF_DOC=off \
|
||||||
-DCMAKE_BUILD_TYPE=Release \
|
-DCMAKE_BUILD_TYPE=Release \
|
||||||
..
|
..
|
||||||
$SUDO_WWW make -j3 pyLIEF
|
$SUDO_WWW make -j3 pyLIEF
|
||||||
|
|
||||||
# The following adds a PYTHONPATH to where the pyLIEF module has been compiled
|
# In case you get "internal compiler error: Killed (program cc1plus)"
|
||||||
echo /var/www/MISP/app/files/scripts/lief/build/api/python |$SUDO_WWW tee /var/www/MISP/venv/lib/python3.6/site-packages/lief.pth
|
# You ran out of memory.
|
||||||
|
# Create some swap
|
||||||
|
# sudo dd if=/dev/zero of=/var/swap.img bs=1024k count=4000
|
||||||
|
# sudo mkswap /var/swap.img
|
||||||
|
# sudo swapon /var/swap.img
|
||||||
|
# And compile again
|
||||||
|
# $SUDO_WWW make -j3 pyLIEF
|
||||||
|
|
||||||
# install magic, pydeep
|
# The following adds a PYTHONPATH to where the pyLIEF module has been compiled
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git
|
echo /var/www/MISP/app/files/scripts/lief/build/api/python |$SUDO_WWW tee /var/www/MISP/venv/lib/python3.6/site-packages/lief.pth
|
||||||
|
|
||||||
# install PyMISP
|
# install magic, pydeep
|
||||||
cd $PATH_TO_MISP/PyMISP
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
|
|
||||||
|
|
||||||
# Enable python3 for php-fpm
|
# install PyMISP
|
||||||
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/php-fpm.d/www.conf
|
cd $PATH_TO_MISP/PyMISP
|
||||||
sudo systemctl restart php-fpm.service
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
|
||||||
|
|
||||||
umask $UMASK
|
# Enable python3 for php-fpm
|
||||||
|
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/php-fpm.d/www.conf
|
||||||
|
sudo systemctl restart php-fpm.service
|
||||||
|
|
||||||
# Enable dependencies detection in the diagnostics page
|
umask $UMASK
|
||||||
# This allows MISP to detect GnuPG, the Python modules' versions and to read the PHP settings.
|
|
||||||
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/php-fpm.d/www.conf
|
# Enable dependencies detection in the diagnostics page
|
||||||
sudo systemctl restart php-fpm.service
|
# This allows MISP to detect GnuPG, the Python modules' versions and to read the PHP settings.
|
||||||
|
echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/php-fpm.d/www.conf
|
||||||
|
sudo systemctl restart php-fpm.service
|
||||||
|
}
|
||||||
# <snippet-end 1_mispCoreInstall_RHEL.sh>
|
# <snippet-end 1_mispCoreInstall_RHEL.sh>
|
||||||
```
|
```
|
||||||
|
|
||||||
# 4/ CakePHP
|
### 4/ CakePHP
|
||||||
## 4.01/ Install CakeResque along with its dependencies if you intend to use the built in background jobs
|
## 4.01/ Install CakeResque along with its dependencies if you intend to use the built in background jobs
|
||||||
|
|
||||||
!!! notice
|
!!! notice
|
||||||
|
@ -296,6 +320,14 @@ installCake_RHEL ()
|
||||||
sudo ln -s /etc/php-fpm.d/redis.ini /etc/php.d/99-redis.ini
|
sudo ln -s /etc/php-fpm.d/redis.ini /etc/php.d/99-redis.ini
|
||||||
sudo systemctl restart php-fpm.service
|
sudo systemctl restart php-fpm.service
|
||||||
|
|
||||||
|
# Install gnupg extension
|
||||||
|
# NOT working on RHEL 8 gpgme-devel not provided
|
||||||
|
##sudo yum install gpgme-devel -y
|
||||||
|
##sudo pecl install gnupg
|
||||||
|
##echo "extension=gnupg.so" |sudo tee /etc/opt/rh/rh-php72/php-fpm.d/gnupg.ini
|
||||||
|
##sudo ln -s /etc/opt/rh/rh-php72/php-fpm.d/gnupg.ini /etc/opt/rh/rh-php72/php.d/99-gnupg.ini
|
||||||
|
##sudo systemctl restart rh-php72-php-fpm.service
|
||||||
|
|
||||||
# If you have not yet set a timezone in php.ini
|
# If you have not yet set a timezone in php.ini
|
||||||
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/php-fpm.d/timezone.ini
|
echo 'date.timezone = "Asia/Tokyo"' |sudo tee /etc/php-fpm.d/timezone.ini
|
||||||
sudo ln -s ../php-fpm.d/timezone.ini /etc/php.d/99-timezone.ini
|
sudo ln -s ../php-fpm.d/timezone.ini /etc/php.d/99-timezone.ini
|
||||||
|
@ -317,7 +349,7 @@ installCake_RHEL ()
|
||||||
# <snippet-begin 1_installCake_RHEL.sh>
|
# <snippet-begin 1_installCake_RHEL.sh>
|
||||||
```
|
```
|
||||||
|
|
||||||
# 5/ Set file permissions
|
### 5/ Set file permissions
|
||||||
```bash
|
```bash
|
||||||
# <snippet-begin 2_permissions_RHEL.sh>
|
# <snippet-begin 2_permissions_RHEL.sh>
|
||||||
# Main function to fix permissions to something sane
|
# Main function to fix permissions to something sane
|
||||||
|
@ -345,7 +377,7 @@ permissions_RHEL () {
|
||||||
# <snippet-end 2_permissions_RHEL.sh>
|
# <snippet-end 2_permissions_RHEL.sh>
|
||||||
```
|
```
|
||||||
|
|
||||||
# 6/ Create database and user
|
### 6/ Create database and user
|
||||||
|
|
||||||
## 6.01/ Set database to listen on localhost only
|
## 6.01/ Set database to listen on localhost only
|
||||||
```bash
|
```bash
|
||||||
|
@ -404,7 +436,7 @@ EOF
|
||||||
# <snippet-end 1_prepareDB_RHEL.sh>
|
# <snippet-end 1_prepareDB_RHEL.sh>
|
||||||
```
|
```
|
||||||
|
|
||||||
# 7/ Apache Configuration
|
### 7/ Apache Configuration
|
||||||
|
|
||||||
!!! notice
|
!!! notice
|
||||||
SELinux note, to check if it is running:
|
SELinux note, to check if it is running:
|
||||||
|
@ -429,7 +461,9 @@ apacheConfig_RHEL () {
|
||||||
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
|
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
|
||||||
echo "The Common Name used below will be: ${OPENSSL_CN}"
|
echo "The Common Name used below will be: ${OPENSSL_CN}"
|
||||||
# This will take a rather long time, be ready. (13min on a VM, 8GB Ram, 1 core)
|
# This will take a rather long time, be ready. (13min on a VM, 8GB Ram, 1 core)
|
||||||
sudo openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 4096
|
if [[ ! -e "/etc/pki/tls/certs/dhparam.pem" ]]; then
|
||||||
|
sudo openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 4096
|
||||||
|
fi
|
||||||
sudo openssl genrsa -des3 -passout pass:xxxx -out /tmp/misp.local.key 4096
|
sudo openssl genrsa -des3 -passout pass:xxxx -out /tmp/misp.local.key 4096
|
||||||
sudo openssl rsa -passin pass:xxxx -in /tmp/misp.local.key -out /etc/pki/tls/private/misp.local.key
|
sudo openssl rsa -passin pass:xxxx -in /tmp/misp.local.key -out /etc/pki/tls/private/misp.local.key
|
||||||
sudo rm /tmp/misp.local.key
|
sudo rm /tmp/misp.local.key
|
||||||
|
@ -441,7 +475,6 @@ apacheConfig_RHEL () {
|
||||||
sudo systemctl restart httpd.service
|
sudo systemctl restart httpd.service
|
||||||
|
|
||||||
# Since SELinux is enabled, we need to allow httpd to write to certain directories
|
# Since SELinux is enabled, we need to allow httpd to write to certain directories
|
||||||
sudo chcon -t usr_t $PATH_TO_MISP/venv
|
|
||||||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files
|
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files
|
||||||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/terms
|
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/terms
|
||||||
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp
|
sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/tmp
|
||||||
|
@ -450,16 +483,13 @@ apacheConfig_RHEL () {
|
||||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/start.sh
|
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/Console/worker/start.sh
|
||||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmq.py
|
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmq.py
|
||||||
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmqtest.py
|
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/mispzmq/mispzmqtest.py
|
||||||
sudo chcon -t httpd_sys_script_exec_t /usr/bin/ps
|
sudo chcon -t httpd_sys_script_exec_t $PATH_TO_MISP/app/files/scripts/lief/build/api/python/lief.so
|
||||||
sudo chcon -t httpd_sys_script_exec_t /usr/bin/grep
|
sudo chcon -t httpd_sys_rw_content_t /tmp
|
||||||
sudo chcon -t httpd_sys_script_exec_t /usr/bin/awk
|
|
||||||
sudo chcon -t httpd_sys_script_exec_t /usr/bin/gpg
|
|
||||||
sudo chcon -R -t usr_t $PATH_TO_MISP/venv
|
sudo chcon -R -t usr_t $PATH_TO_MISP/venv
|
||||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git
|
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.git
|
||||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
|
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
|
||||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Lib
|
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Lib
|
||||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config
|
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config
|
||||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp
|
|
||||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/orgs
|
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/orgs
|
||||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/custom
|
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/webroot/img/custom
|
||||||
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/mispzmq
|
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/files/scripts/mispzmq
|
||||||
|
@ -490,11 +520,13 @@ firewall_RHEL () {
|
||||||
# <snippet-end 1_firewall_RHEL.sh>
|
# <snippet-end 1_firewall_RHEL.sh>
|
||||||
```
|
```
|
||||||
|
|
||||||
# 8/ Log Rotation
|
### 8/ Log Rotation
|
||||||
## 8.01/ Enable log rotation
|
## 8.01/ Enable log rotation
|
||||||
MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs
|
MISP saves the stdout and stderr of its workers in /var/www/MISP/app/tmp/logs
|
||||||
To rotate these logs install the supplied logrotate script:
|
To rotate these logs install the supplied logrotate script:
|
||||||
|
|
||||||
|
FIXME: The below does not work
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# <snippet-begin 2_logRotation_RHEL.sh>
|
# <snippet-begin 2_logRotation_RHEL.sh>
|
||||||
logRotation_RHEL () {
|
logRotation_RHEL () {
|
||||||
|
@ -521,7 +553,7 @@ logRotation_RHEL () {
|
||||||
# <snippet-end 2_logRotation_RHEL.sh>
|
# <snippet-end 2_logRotation_RHEL.sh>
|
||||||
```
|
```
|
||||||
|
|
||||||
# 9/ MISP Configuration
|
### 9/ MISP Configuration
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# <snippet-begin 2_configMISP_RHEL.sh>
|
# <snippet-begin 2_configMISP_RHEL.sh>
|
||||||
|
@ -597,6 +629,7 @@ EOF
|
||||||
sudo gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
|
sudo gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
|
||||||
sudo rm -f /tmp/gen-key-script
|
sudo rm -f /tmp/gen-key-script
|
||||||
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/.gnupg
|
sudo chown -R $WWW_USER:$WWW_USER $PATH_TO_MISP/.gnupg
|
||||||
|
sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/.gnupg
|
||||||
|
|
||||||
# And export the public key to the webroot
|
# And export the public key to the webroot
|
||||||
sudo gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS |sudo tee $PATH_TO_MISP/app/webroot/gpg.asc
|
sudo gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS |sudo tee $PATH_TO_MISP/app/webroot/gpg.asc
|
||||||
|
@ -617,10 +650,10 @@ EOF
|
||||||
Make sure that you use the same settings in the MISP Server Settings tool
|
Make sure that you use the same settings in the MISP Server Settings tool
|
||||||
|
|
||||||
## 9.06/ Use MISP's background workers
|
## 9.06/ Use MISP's background workers
|
||||||
### 9.06a/ Create a systemd unit for the workers
|
## 9.06a/ Create a systemd unit for the workers
|
||||||
```bash
|
```bash
|
||||||
echo "[Unit]
|
echo "[Unit]
|
||||||
Description=MISP's background workers
|
Description=MISP background workers
|
||||||
After=mariadb.service redis.service fpm.service
|
After=mariadb.service redis.service fpm.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
@ -634,9 +667,6 @@ RestartSec=10
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-workers.service
|
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-workers.service
|
||||||
```
|
```
|
||||||
sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te
|
|
||||||
sudo semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod
|
|
||||||
sudo semodule -i /tmp/misplogrotate.pp
|
|
||||||
|
|
||||||
Make the workers' script executable and reload the systemd units :
|
Make the workers' script executable and reload the systemd units :
|
||||||
```bash
|
```bash
|
||||||
|
@ -647,12 +677,12 @@ sudo semodule_package -o /tmp/workerstartsh.pp -m /tmp/workerstartsh.mod
|
||||||
sudo semodule -i /tmp/workerstartsh.pp
|
sudo semodule -i /tmp/workerstartsh.pp
|
||||||
```
|
```
|
||||||
|
|
||||||
### 9.06b/ Start the workers and enable them on boot
|
## 9.06b/ Start the workers and enable them on boot
|
||||||
```bash
|
```bash
|
||||||
sudo systemctl enable --now misp-workers.service
|
sudo systemctl enable --now misp-workers.service
|
||||||
```
|
```
|
||||||
|
|
||||||
### 9.07/ misp-modules (Broken on RHEL8)
|
## 9.07/ misp-modules (Broken on RHEL8)
|
||||||
```bash
|
```bash
|
||||||
# some misp-modules dependencies
|
# some misp-modules dependencies
|
||||||
sudo yum install openjpeg2-devel -y
|
sudo yum install openjpeg2-devel -y
|
||||||
|
@ -666,9 +696,10 @@ sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-core popple
|
||||||
# pip install
|
# pip install
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS
|
||||||
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U .
|
||||||
|
## poppler/cpp/poppler-document.h missing, under my current setup I cannot find it in the repos.
|
||||||
|
|
||||||
echo "[Unit]
|
echo "[Unit]
|
||||||
Description=MISP's modules
|
Description=MISP modules
|
||||||
After=misp-workers.service
|
After=misp-workers.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
@ -683,8 +714,51 @@ RestartSec=10
|
||||||
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-modules.service
|
WantedBy=multi-user.target" |sudo tee /etc/systemd/system/misp-modules.service
|
||||||
|
|
||||||
sudo systemctl daemon-reload
|
sudo systemctl daemon-reload
|
||||||
|
# Test misp-modules
|
||||||
|
$SUDO_WWW $PATH_TO_MISP/venv/bin/misp-modules -l 127.0.0.1 -s
|
||||||
sudo systemctl enable --now misp-modules
|
sudo systemctl enable --now misp-modules
|
||||||
|
|
||||||
|
# Enable Enrichment, set better timeouts
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
|
||||||
|
# TODO:"Investigate why the next one fails"
|
||||||
|
#$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_asn_history_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_btc_steroids_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_ipasn_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_yara_syntax_validator_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_yara_query_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_pdf_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_docx_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_xlsx_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_pptx_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_ods_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_odt_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
|
||||||
|
|
||||||
|
# Enable Import modules, set better timeout
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_services_enable" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_services_port" 6666
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_timeout" 300
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_mispjson_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_openiocimport_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_threatanalyzer_import_enabled" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
|
||||||
|
|
||||||
|
# Enable Export modules, set better timeout
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_services_enable" true
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_services_port" 6666
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_timeout" 300
|
||||||
|
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
|
||||||
```
|
```
|
||||||
|
|
||||||
{!generic/misp-dashboard-centos.md!}
|
{!generic/misp-dashboard-centos.md!}
|
||||||
|
|
||||||
{!generic/MISP_CAKE_init.md!}
|
{!generic/MISP_CAKE_init.md!}
|
||||||
|
@ -693,12 +767,12 @@ sudo systemctl enable --now misp-modules
|
||||||
|
|
||||||
{!generic/recommended.actions.md!}
|
{!generic/recommended.actions.md!}
|
||||||
|
|
||||||
# 11/ LIEF Installation
|
### 11/ LIEF Installation
|
||||||
*lief* is required for the Advanced Attachment Handler and requires manual compilation
|
*lief* is required for the Advanced Attachment Handler and requires manual compilation
|
||||||
|
|
||||||
The installation is explained in section **[3.01](https://misp.github.io/MISP/xINSTALL.rhel8/#301-download-misp-code-using-git-in-varwww-directory)**
|
The installation is explained in section **[3.01](https://misp.github.io/MISP/xINSTALL.rhel8/#301-download-misp-code-using-git-in-varwww-directory)**
|
||||||
|
|
||||||
# 12/ Known Issues
|
### 12/ Known Issues
|
||||||
## 12.01/ Workers cannot be started or restarted from the web page
|
## 12.01/ Workers cannot be started or restarted from the web page
|
||||||
Possible also due to package being installed via SCL, attempting to start workers through the web page will result in error. Worker's can be restarted via the CLI using the following command.
|
Possible also due to package being installed via SCL, attempting to start workers through the web page will result in error. Worker's can be restarted via the CLI using the following command.
|
||||||
```bash
|
```bash
|
||||||
|
|
Loading…
Reference in New Issue