MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

new: [docs] Added intial mkdocs directory

pull/3784/head
Steve Clement 2018-10-18 12:27:29 +09:00
parent 1bdaedce0d
commit 93d861a6ae
18 changed files with 26503 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
docs/CONFIG.SMIME.md Normal file
View File

@ -0,0 +1,32 @@
#SMIME patch
## Create SMIME directory
mkdir /var/www/MISP/.smime
## Copy your public x509 certificate (for signing) in PEM format
cp email@address.com.pem /var/www/MISP/.smime/email@address.com.pem
## Copy your private key for signing email
cp email@address.com.key /var/www/MISP/.smime/email@address.com.key
### Set permissions
chown www-data:www-data /var/www/MISP/.smime
chmod 500 /var/www/MISP/.smime
chmod 440 /var/www/MISP/.smime/*
## Export the public certificate (for Encipherment) to the webroot
cp public_certificate.pem /var/www/MISP/app/webroot/public_certificate.pem
Due to this action, the MISP users will be able to download your public certificate (for Encipherment) by clicking on the footer
### Set permissions
chown www-data:www-data /var/www/MISP/app/webroot/public_certificate.pem
chmod 440 /var/www/MISP/app/webroot/public_certificate.pem
## Configure the section "SMIME" in the server settings (Administration -> Server settings -> Encryption tab)

67
docs/CONFIG.elasticsearch-logging.md Normal file
View File

@ -0,0 +1,67 @@
# It's possible to send all logs from MISP to an elasticsearch
# endpoint
# First, we'll need an ES PHP library
# Replace according to your requirements
export MISP_DIR=/var/www/MISP
cd $MISP_DIR/app
sudo -u www-data php composer.phar require elasticsearch/elasticsearch
# Ok now we need to configure where we log to
#
# In Administration -> Server Settings & Maintenance -> Plugin Settings
# Under the elasticsearch tab, enable elasticsearch logging, and input
# your connection string
# Note that explicitly specifying the port may be needed, e.g. for AWS instances
# running on 443.
# Also input a log index - all logs will be thrown at this index.
# Now give ES a template to work from
cat << EOF > misp_es_template.json
{
"template": "misp_logging",
"mappings": {
"log": {
"_source": {
"enabled": true
},
"properties": {
"Log.email": {
"type": "keyword"
},
"Log.title": {
"type": "text"
},
"Log.ip": {
"type": "ip"
},
"Log.created": {
"format": "YYYY-MM-dd HH:mm:ss",
"type": "date"
},
"Log.description": {
"type": "text"
},
"Log.org": {
"type": "text"
},
"Log.action": {
"type": "text"
},
"Log.model": {
"type": "text"
},
"Log.change": {
"type": "text"
}
}
}
}
}
EOF
# And put it to ES
curl -XPUT https://my_es/_template/misp_logging --data-binary @misp_es_template.json
# Now MISP will start sending logs to ES! Hooray!

97
docs/CONFIG.s3-attachments.md Normal file
View File

@ -0,0 +1,97 @@
Using S3 as an attachment store
===============================
It is possible to use Amazon's Simple Storage Service (S3) to store event attachments
to allow for a stateless MISP setup (i.e for containerisation)
There's a massive caveat here so let me make this incredibly clear
##############################################
# WARNING WARNING WARNING #
# #
# Storing malware is against amazon's #
# terms of service. #
# #
# DO NOT USE THIS UNLESS YOU HAVE #
# THEIR EXPLICIT PERMISSION #
##############################################
0. Installing Dependencies
--------------------------
Install the AWS PHP SDK
```bash
cd /var/www/MISP/app
sudo -u www-data php composer.phar config vendor-dir Vendor
sudo -u www-data php composer.phar require aws/aws-sdk-php
```
1. Creating an S3 bucket
-------------------------
Go to https://s3.console.aws.amazon.com/s3/home
And create a bucket. It has to have a globally unique name, and
this cannot be changed later on.
2a. Using an EC2 instance for MISP
-----------------------------------
If you run MISP on EC2, this will be super duper easy peasy.
Simply create an IAM role with the following permissions and assign it to the instance
by right-clicking and selecting "Instance Settings -> Attach/Replace IAM role"
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PermitMISPAttachmentsToS3",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::your-bucket-name"
]
}
]
}
```
2b. Using AWS access keys
-------------------------
This is not recommended, but it works I think.
Create a new programmatic access user via IAM and apply the same
policy outlined above.
Copy the access keys and save them for the next step
3. Setting up MISP
------------------
In Administration -> Server Settings & Maintenance -> MISP settings
Set MISP.attachments_dir to "s3://"
In Administration -> Server Settings & Maintenance -> Plugin Settings -> S3
Set S3_enable to True
Set S3_bucket-name to the bucket you created earlier
Set S3_region to your region
ONLY IF YOU DID NOT USE THE EC2 METHOD
Set aws_access_key and aws_secret_key to the ones you created in 2b
Now theoretically it should work.
Addendum
========
If you are migrating a server currently in use, simply copy the directory structure from
the attachments folder (usually /var/www/MISP/app/files) to S3 and everything should
continue to work.

22781
docs/Changelog.md Normal file
View File

File diff suppressed because it is too large Load Diff

715
docs/INSTALL.debian9.md Normal file
View File

@ -0,0 +1,715 @@
INSTALLATION INSTRUCTIONS
------------------------- for Debian 9 "stretch" server
0/ MISP debian stable install - Status
--------------------------------------
Maintained and tested by @SteveClement on 20180705
Some configurables used below:
```
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
CAKE="$PATH_TO_MISP/app/Console/cake"
MISP_BASEURL=''
MISP_LIVE='1'
# Database configuration
DBHOST='localhost'
DBNAME='misp'
DBUSER_ADMIN='root'
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
FQDN='localhost'
# OpenSSL configuration
OPENSSL_CN='Common Name'
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
# php.ini configuration
upload_max_filesize=50M
post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/php/7.0/apache2/php.ini
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
```
1/ Minimal Debian install
-------------------------
# Install a minimal Debian 9 "stretch" server system with the software:
- OpenSSH server
- Web server, apache FTW!
- This guide assumes a user name of 'misp'
# install etckeeper (optional)
su -
apt install etckeeper
apt install sudo
adduser misp sudo
# Make sure your system is up2date:
sudo apt update
sudo apt -y dist-upgrade
# Network Interface Name salvage (optional)
This will bring back 'ethX' e.g: eth0
```
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
DEFAULT_GRUB=/etc/default/grub
for key in GRUB_CMDLINE_LINUX
do
sudo sed -i "s/^\($key\)=.*/\1=\"$(eval echo \${$key})\"/" $DEFAULT_GRUB
done
sudo grub-mkconfig -o /boot/grub/grub.cfg
```
# install postfix, there will be some questions.
sudo apt install -y postfix
# Postfix Configuration: Satellite system
# change the relay server later with:
sudo postconf -e 'relayhost = example.com'
sudo postfix reload
2/ Install LAMP & dependencies
------------------------------
Once the system is installed you can perform the following steps:
# Install all the dependencies: (some might already be installed)
sudo apt install -y \
curl gcc git gnupg-agent make openssl redis-server vim zip libyara-dev python3-yara python3-redis python3-zmq \
mariadb-client \
mariadb-server \
apache2 apache2-doc apache2-utils \
libapache2-mod-php7.0 php7.0 php7.0-cli php7.0-dev php7.0-json php7.0-xml php7.0-mysql php7.0-readline php-redis php7.0-mbstring php-pear python3 \
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools
# Start rng-tools to get more entropy (optional)
# If you get TPM errors, enable "Security chip" in BIOS (keep secure boot disabled)
sudo apt install rng-tools
sudo service rng-tools start
# Secure the MariaDB installation (especially by setting a strong root password)
sudo mysql_secure_installation
# Enable modules, settings, and default of SSL in Apache
sudo a2dismod status
sudo a2enmod ssl rewrite
sudo a2dissite 000-default
sudo a2ensite default-ssl
# Install PHP external dependencies
sudo pear channel-update pear.php.net
sudo pear install Crypt_GPG
# Switch to python3 by default (optional)
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.5 2
To flip between the 2 pythons: sudo update-alternatives --config python
# Apply all changes
sudo systemctl restart apache2
3/ MISP code
------------
# Download MISP using git in the /var/www/ directory.
sudo mkdir $PATH_TO_MISP
sudo chown www-data:www-data $PATH_TO_MISP
cd $PATH_TO_MISP
sudo -u www-data git clone https://github.com/MISP/MISP.git $PATH_TO_MISP
# Make git ignore filesystem permission differences
sudo -u www-data git config core.filemode false
cd $PATH_TO_MISP/app/files/scripts
sudo -u www-data git clone https://github.com/CybOXProject/python-cybox.git
sudo -u www-data git clone https://github.com/STIXProject/python-stix.git
sudo -u www-data git clone https://github.com/MAECProject/python-maec.git
cd $PATH_TO_MISP/app/files/scripts/python-cybox
sudo pip3 install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
sudo pip3 install .
cd $PATH_TO_MISP/app/files/scripts/python-maec
sudo pip3 install .
# install mixbox to accomodate the new STIX dependencies:
cd $PATH_TO_MISP/app/files/scripts/
sudo -u www-data git clone https://github.com/CybOXProject/mixbox.git
cd $PATH_TO_MISP/app/files/scripts/mixbox
sudo pip3 install .
cd $PATH_TO_MISP
sudo -u www-data git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
sudo -u www-data git submodule foreach --recursive git config core.filemode false
# install PyMISP
cd $PATH_TO_MISP/PyMISP
sudo pip3 install .
4/ CakePHP
-----------
# CakePHP is included as a submodule of MISP.
# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd $PATH_TO_MISP/app
# Make composer cache happy
sudo mkdir /var/www/.composer ; sudo chown www-data:www-data /var/www/.composer
sudo -u www-data php composer.phar require kamisama/cake-resque:4.1.2
sudo -u www-data php composer.phar config vendor-dir Vendor
sudo -u www-data php composer.phar install
# Enable CakeResque with php-redis
sudo phpenmod redis
# To use the scheduler worker for scheduled tasks, do the following:
sudo -u www-data cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
5/ Set the permissions
----------------------
# Check if the permissions are set correctly using the following commands:
sudo chown -R www-data:www-data $PATH_TO_MISP
sudo chmod -R 750 $PATH_TO_MISP
sudo chmod -R g+ws $PATH_TO_MISP/app/tmp
sudo chmod -R g+ws $PATH_TO_MISP/app/files
sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
6/ Create a database and user
-----------------------------
# Enter the mysql shell
sudo mysql -u root -p
```
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
```
copy/paste:
```
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
```
# Import the empty MISP database from MYSQL.sql
sudo -u www-data cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
7/ Apache configuration
-----------------------
# Now configure your Apache webserver with the DocumentRoot $PATH_TO_MISP/app/webroot/
# If the apache version is 2.4:
sudo cp $PATH_TO_MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp-ssl.conf
# Be aware that the configuration files for apache 2.4 and up have changed.
# The configuration file has to have the .conf extension in the sites-available directory
# For more information, visit http://httpd.apache.org/docs/2.4/upgrading.html
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)
============================================= Begin sample working SSL config for MISP
<VirtualHost <IP, FQDN, or *>:80>
ServerAdmin admin@<your.FQDN.here>
ServerName <your.FQDN.here>
Redirect permanent / https://<your.FQDN.here>
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost <IP, FQDN, or *>:443>
ServerAdmin admin@<your.FQDN.here>
ServerName <your.FQDN.here>
DocumentRoot $PATH_TO_MISP/app/webroot
<Directory $PATH_TO_MISP/app/webroot>
Options -Indexes
AllowOverride all
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
============================================= End sample working SSL config for MISP
# activate new vhost
sudo a2dissite default-ssl
sudo a2ensite misp-ssl
# Recommended: Change some PHP settings in /etc/php/7.0/apache2/php.ini
# max_execution_time = 300
# memory_limit = 512M
# upload_max_filesize = 50M
# post_max_size = 50M
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
# Restart apache
sudo systemctl restart apache2
8/ Log rotation
---------------
# MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
chmod 0640 /etc/logrotate.d/misp
9/ MISP configuration
---------------------
# There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
echo "<?php
class DATABASE_CONFIG {
public \$default = array(
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => '$DBHOST',
'login' => '$DBUSER_MISP',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
'password' => '$DBPASSWORD_MISP',
'database' => '$DBNAME',
'prefix' => '',
'encoding' => 'utf8',
);
}" | sudo -u www-data tee $PATH_TO_MISP/app/Config/database.php
# and make sure the file permissions are still OK
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
sudo chmod -R 750 $PATH_TO_MISP/app/Config
# Set some MISP directives with the command line tool
sudo $CAKE Live $MISP_LIVE
# Change base url
sudo $CAKE Baseurl $MISP_BASEURL
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# 'baseurl' => '',
# and make sure the file permissions are still OK
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
sudo chmod -R 750 $PATH_TO_MISP/app/Config
# Generate a GPG encryption key.
cat >/tmp/gen-key-script <<EOF
%echo Generating a default key
Key-Type: default
Key-Length: $GPG_KEY_LENGTH
Subkey-Type: default
Name-Real: $GPG_REAL_NAME
Name-Comment: $GPG_COMMENT
Name-Email: $GPG_EMAIL_ADDRESS
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
# Do a commit here, so that we can later print "done"
%commit
%echo done
EOF
sudo -u www-data gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
# And export the public key to the webroot
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | sudo -u www-data tee $PATH_TO_MISP/app/webroot/gpg.asc
# To make the background workers start on boot
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
if [ ! -e /etc/rc.local ]
then
echo '#!/bin/sh -e' | sudo tee -a /etc/rc.local
echo 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod u+x /etc/rc.local
fi
# Initialize user and fetch Auth Key
sudo -E $CAKE userInit -q
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
# Setup some more MISP default via cake CLI
# Tune global time outs
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
# Enable GnuPG
sudo $CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
sudo $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
sudo $CAKE Admin setSetting "GnuPG.password" "Password1234"
# Enable Enrichment set better timeouts
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
sudo $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
# Enable Import modules set better timout
sudo $CAKE Admin setSetting "Plugin.Import_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Import_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Import_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
sudo $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
# Enable Export modules set better timout
sudo $CAKE Admin setSetting "Plugin.Export_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Export_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Export_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
# Enable installer org and tune some configurables
sudo $CAKE Admin setSetting "MISP.host_org_id" 1
sudo $CAKE Admin setSetting "MISP.email" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disable_emailing" true
sudo $CAKE Admin setSetting "MISP.contact" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disablerestalert" true
sudo $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
# Provisional Cortex tunes
sudo $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
# Various plugin sightings settings
sudo $CAKE Admin setSetting "Plugin.Sightings_policy" 0
sudo $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
sudo $CAKE Admin setSetting "Plugin.Sightings_range" 365
# Plugin CustomAuth tuneable
sudo $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
# RPZ Plugin settings
sudo $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
sudo $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
sudo $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
sudo $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
sudo $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
sudo $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
sudo $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
sudo $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
sudo $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
sudo $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
# Force defaults to make MISP Server Settings less RED
sudo $CAKE Admin setSetting "MISP.language" "eng"
sudo $CAKE Admin setSetting "MISP.proposals_block_attributes" false
## Redis block
sudo $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
sudo $CAKE Admin setSetting "MISP.redis_port" 6379
sudo $CAKE Admin setSetting "MISP.redis_database" 13
sudo $CAKE Admin setSetting "MISP.redis_password" ""
# Force defaults to make MISP Server Settings less YELLOW
sudo $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
sudo $CAKE Admin setSetting "MISP.extended_alert_subject" false
sudo $CAKE Admin setSetting "MISP.default_event_threat_level" 4
sudo $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
sudo $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
sudo $CAKE Admin setSetting "MISP.log_client_ip" false
sudo $CAKE Admin setSetting "MISP.log_auth" false
sudo $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
sudo $CAKE Admin setSetting "MISP.block_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
sudo $CAKE Admin setSetting "MISP.block_old_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
sudo $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
sudo $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install"
sudo $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
sudo $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
sudo $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings"
# Force defaults to make MISP Server Settings less GREEN
sudo $CAKE Admin setSetting "Security.password_policy_length" 12
sudo $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
# Tune global time outs
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
# Now log in using the webinterface:
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
# start the workers by navigating to the workers tab and clicking restart all workers
# Don't forget to change the email, password and authentication key after installation.
# Set MISP Live
sudo $CAKE Live $MISP_LIVE
# Update the galaxies…
sudo $CAKE Admin updateGalaxies
# Updating the taxonomies…
sudo $CAKE Admin updateTaxonomies
# Updating the warning lists…
sudo $CAKE Admin updateWarningLists
# Updating the notice lists…
## sudo $CAKE Admin updateNoticeLists
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
# Updating the object templates…
##sudo $CAKE Admin updateObjectTemplates
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
# Add the following lines before the last line (exit 0). Make sure that you replace www-data with your apache user:
sudo sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
sudo sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
sudo sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
# Start the workers
sudo -u www-data bash $PATH_TO_MISP/app/Console/worker/start.sh
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
cd misp-modules
# pip3 install
sudo pip3 install -I -r REQUIREMENTS
sudo pip3 install -I .
sudo pip3 install maec lief python-magic wand yara
sudo pip3 install git+https://github.com/kbandla/pydeep.git
# install STIX2.0 library to support STIX 2.0 export:
sudo pip3 install stix2
sudo gem install pygments.rb
sudo gem install asciidoctor-pdf --pre
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
sudo chmod -R 750 $PATH_TO_MISP/<directory path with an indicated issue>
sudo chown -R www-data:www-data $PATH_TO_MISP/<directory path with an indicated issue>
# Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items
# If anything goes wrong, make sure that you check MISP's logs for errors:
# $PATH_TO_MISP/app/tmp/logs/error.log
# $PATH_TO_MISP/app/tmp/logs/resque-worker-error.log
# $PATH_TO_MISP/app/tmp/logs/resque-scheduler-error.log
# $PATH_TO_MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
Recommended actions
-------------------
- By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.
- You should really harden your OS
- You should really harden the configuration of Apache
- You should really harden the configuration of MySQL/MariaDB
- Keep your software up2date (OS, MISP, CakePHP and everything else)
- Log and audit
Optional features
-------------------
# MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following commands
# ZeroMQ depends on the Python client for Redis
sudo pip3 install redis
## install pyzmq
sudo pip3 install pyzmq
MISP Dashboard
--------------
cd /var/www
sudo mkdir misp-dashboard
sudo chown www-data:www-data misp-dashboard
sudo -u www-data git clone https://github.com/MISP/misp-dashboard.git
cd misp-dashboard
sudo /var/www/misp-dashboard/install_dependencies.sh
sudo sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
sudo sed -i -e '$i \sudo -u www-data bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local
sudo sed -i '/Listen 80/a Listen 0.0.0.0:8001' /etc/apache2/ports.conf
sudo apt install libapache2-mod-wsgi-py3
echo "<VirtualHost *:8001>
ServerAdmin admin@misp.local
ServerName misp.local
DocumentRoot /var/www/misp-dashboard
WSGIDaemonProcess misp-dashboard \
user=misp group=misp \
python-home=/var/www/misp-dashboard/DASHENV \
processes=1 \
threads=15 \
maximum-requests=5000 \
listen-backlog=100 \
queue-timeout=45 \
socket-timeout=60 \
connect-timeout=15 \
request-timeout=60 \
inactivity-timeout=0 \
deadlock-timeout=60 \
graceful-timeout=15 \
eviction-timeout=0 \
shutdown-timeout=5 \
send-buffer-size=0 \
receive-buffer-size=0 \
header-buffer-size=0 \
response-buffer-size=0 \
server-metrics=Off
WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi
<Directory /var/www/misp-dashboard>
WSGIProcessGroup misp-dashboard
WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
LogLevel info
ErrorLog /var/log/apache2/misp-dashboard.local_error.log
CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
ServerSignature Off
</VirtualHost>" | sudo tee /etc/apache2/sites-available/misp-dashboard.conf
sudo a2ensite misp-dashboard
# Enable ZeroMQ for misp-dashboard
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
Install viper framework
-----------------------
cd /usr/local/src/
sudo apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
sudo pip3 install SQLAlchemy PrettyTable python-magic
sudo git clone https://github.com/viper-framework/viper.git
cd viper
sudo git submodule update --init --recursive
sudo pip3 install -r requirements.txt
sudo pip3 uninstall yara -y
/usr/local/src/viper/viper-cli -h
/usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper"' |sudo tee /etc/environment
sed -i "s/^misp_url\ =/misp_url\ =\ http:\/\/localhost/g" ~/.viper/viper.conf
sed -i "s/^misp_key\ =/misp_key\ =\ $AUTH_KEY/g" ~/.viper/viper.conf
sqlite3 ~/.viper/admin.db 'UPDATE auth_user SET password="pbkdf2_sha256$100000$iXgEJh8hz7Cf$vfdDAwLX8tko1t0M1TLTtGlxERkNnltUnMhbv56wK/U="'
Install mail to misp
--------------------
cd /usr/local/src/
sudo apt-get install -y cmake
sudo git clone https://github.com/MISP/mail_to_misp.git
sudo git clone git://github.com/stricaud/faup.git
cd faup
sudo mkdir -p build
cd build
sudo cmake .. && sudo make
sudo make install
sudo ldconfig
cd ../../
cd mail_to_misp
sudo pip3 install -r requirements.txt
sudo cp mail_to_misp_config.py-example mail_to_misp_config.py
sudo sed -i "s/^misp_url\ =\ 'YOUR_MISP_URL'/misp_url\ =\ 'http:\/\/localhost'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
sudo sed -i "s/^misp_key\ =\ 'YOUR_KEY_HERE'/misp_key\ =\ '$AUTH_KEY'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py

12
docs/INSTALL.kali.md Normal file
View File

@ -0,0 +1,12 @@
#INSTALLATION INSTRUCTIONS
## for Kali Linux
#0/ Quick MISP Instance on Kali Linux - Status
#1/ Prepare Kali with a MISP User
To install MISP on Kali copy paste this in your r00t shell:
```bash
wget -O /tmp/misp-kali.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.kali.txt && bash /tmp/misp-kali.sh
```
!!! warning
Please read the installer script before randomly doing the above.
The script is tested on a plain vanilla Kali Linux Boot CD and installs quite a few dependencies.

435
docs/INSTALL.rhel7.md Normal file
View File

@ -0,0 +1,435 @@
INSTALLATION INSTRUCTIONS for RHEL 7.x
-------------------------
+----------------------------------------+
| 0/ Overview and Assumptions |
+----------------------------------------+
This document details the steps to install MISP on Red Hat Enterprise Linux 7.x (RHEL 7.x). At time of this writing it
was tested on version 7.4.
The following assumptions with regard to this installation have been made.
0.1/ A valid support agreement allowing the system to register to the Red Hat Customer Portal and receive updates
0.2/ The ability to enable additional RPM repositories, specifically the EPEL and Software Collections (SCL) repos
0.3/ This system will have direct or proxy access to the Internet for updates. Or connected to a Red Hat Satellite Server
0.4/ This document is to get a MISP instance up and running over HTTP. I haven't done a full test of all features
+----------------------------------------------+
| 1/ OS Install and additional repositories |
+----------------------------------------------+
1.1/ Complete a minimal RHEL installation, configure IP address to connect automatically.
1.2/ Configure system hostname
hostnamectl set-hostname misp # You're choice, in a production environment, it's best to use a FQDN
1.3/ Register the system for updates with Red Hat Subscription Manager
subscription-manager register # register your system to an account
subscription-manager attach # attach your system to a current subscription
1.4/ Enable the optional, extras and Software Collections (SCL) repos
subscription-manager repos --enable rhel-7-server-optional-rpms
subscription-manager repos --enable rhel-7-server-extras-rpms
subscription-manager repos --enable rhel-server-rhscl-7-rpms
1.5a/ OPTIONAL: Install the deltarpm package to help reduce download size when installing updates
yum install deltarpm
1.5/ Update the system and reboot
yum update
## NOTE: As time of writing performing a yum update results in the rhel-7-server-rt-beta-rpms being forbidden
## The repo can be disabled using the following command
subscription-manager repos --disable rhel-7-server-rt-beta-rpms
1.6/ Install the EPEL repo
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
1.7/ Install the SCL repo
yum install centos-release-scl
+-----------------------------+
| 2/ Install Dependencies |
+-----------------------------+
Once the system is installed and updated, the following steps can be performed as root
2.01/ Install some base system dependencies
yum install gcc git httpd zip python-devel libxslt-devel zlib-devel python-pip ssdeep-devel
2.02/ Install MariaDB 10.2 from SCL
yum install rh-mariadb102
2.03/ Start the MariaDB service and enable it to start on boot
systemctl start rh-mariadb102-mariadb.service
systemctl enable rh-mariadb102-mariadb.service
## MISP 2.4 requires PHP 5.5 as a minimum, we need a higher version than base RHEL provides.
## This guide installs PHP 7.1 from SCL
2.04/ Install PHP 7.1 from SCL
yum install rh-php71 rh-php71-php-fpm rh-php71-php-devel rh-php71-php-mysqlnd rh-php71-php-mbstring rh-php71-php-xml rh-php71-php-bcmath rh-php71-php-opcache
## If we want to use httpd from RHEL base we can use the rh-php71-php-fpm service instead
2.05/ Start the PHP FPM service and enable to start on boot
systemctl start rh-php71-php-fpm.service
systemctl enable rh-php71-php-fpm.service
2.06/ Install redis 3.2 from SCL
yum install rh-redis32
2.07/ Start redis service and enable to start on boot
systemctl start rh-redis32-redis.service
systemctl enable rh-redis32-redis.service
2.08/ Start a SCL shell with rh-mariadb102 rh-php71 and rh-redis32 enabled
scl enable rh-mariadb102 rh-php71 rh-redis32 bash
2.08/ Secure the MariaDB installation, run the following command and follow the prompts
mysql_secure_installation
2.10/ Update the PHP extension repository and install required package
pear channel-update pear.php.net
pear install Crypt_GPG
2.11/ Install haveged and enable to start on boot to provide entropy for GPG
yum install haveged
systemctl start haveged
systemctl enable haveged
2.12/ Install Python 3.6 from SCL
yum install rh-python36
+---------------------+
| 3/ MISP Download |
+---------------------+
3.01/ Download MISP code using git in /var/www/ directory
cd /var/www
git clone https://github.com/MISP/MISP.git
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
3.02/ Make git ignore filesystem permission differences
git config core.filemode false
3.03/ Install Mitre's STIX and its dependencies by running the following commands:
pip install importlib
yum install python-six
cd /var/www/MISP/app/files/scripts
git clone https://github.com/CybOXProject/python-cybox.git
git clone https://github.com/STIXProject/python-stix.git
cd /var/www/MISP/app/files/scripts/python-cybox
git config core.filemode false
# If your umask has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
scl enable rh-python36 'python3 setup.py install'
cd /var/www/MISP/app/files/scripts/python-stix
git config core.filemode false
scl enable rh-python36 'python3 setup.py install'
3.04/ Install mixbox to accomodate the new STIX dependencies:
cd /var/www/MISP/app/files/scripts/
git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
git config core.filemode false
scl enable rh-python36 'python3 setup.py install'
umask $UMASK
3.05/ Enable python3 for php-fpm
echo 'source scl_source enable rh-python36' >> /etc/opt/rh/rh-php71/sysconfig/php-fpm
sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php71/php-fpm.d/www.conf
systemctl restart rh-php71-php-fpm.service
+---------------------+
| 4/ CakePHP |
+---------------------+
4.01/ CakePHP is now included as a submodule of MISP, execute the following commands to let git fetch it ignore this
message: No submodule mapping found in .gitmodules for path 'app/Plugin/CakeResque'
cd /var/www/MISP
git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
git submodule foreach --recursive git config core.filemode false
4.02/ Install CakeResque along with its dependencies if you intend to use the built in background jobs
cd /var/www/MISP/app
php composer.phar require kamisama/cake-resque:4.1.2
php composer.phar config vendor-dir Vendor
php composer.phar install
4.03/ Install and configure php redis connector through pecl
pecl install redis
echo "extension=redis.so" > /etc/opt/rh/rh-php71/php-fpm.d/redis.ini
ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php71/php.d/99-redis.ini
systemctl restart rh-php71-php-fpm.service
4.04/ Set a timezone in php.ini
echo 'date.timezone = "Australia/Sydney"' > /etc/opt/rh/rh-php71/php-fpm.d/timezone.ini
ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php71/php.d/99-timezone.ini
4.05/ To use the scheduler worker for scheduled tasks, do the following:
cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
+----------------------------+
| 5/ Set file permissions |
+----------------------------+
5.01/ Make sure the permissions are set correctly using the following commands as root:
chown -R root:apache /var/www/MISP
find /var/www/MISP -type d -exec chmod g=rx {} \;
chmod -R g+r,o= /var/www/MISP
chown apache:apache /var/www/MISP/app/files
chown apache:apache /var/www/MISP/app/files/terms
chown apache:apache /var/www/MISP/app/files/scripts/tmp
chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp
chown -R apache:apache /var/www/MISP/app/tmp
chown -R apache:apache /var/www/MISP/app/webroot/img/orgs
chown -R apache:apache /var/www/MISP/app/webroot/img/custom
+--------------------------------+
| 6/ Create database and user |
+--------------------------------+
6.01/ Set database to listen on localhost only
echo [mysqld] > /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 >> /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
systemctl restart rh-mariadb102-mariadb
6.02/ Start MariaDB shell and create database
mysql -u root -p
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
MariaDB [(none)]> exit
6.03/ Import the empty MySQL database from MYSQL.sql
cd /var/www/MISP
mysql -u misp -p misp < INSTALL/MYSQL.sql
+--------------------------------+
| 7/ Apache Configuration |
+--------------------------------+
7.01/ Copy a sample vhost config to Apache configuration directory
cp /var/www/MISP/INSTALL/apache.misp.centos7 /etc/httpd/conf.d/misp.conf
7.02/ Since SELinux is enabled, we need to allow httpd to write to certain directories
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
7.02/ Allow httpd to connect to the redis server and php-fpm over tcp/ip
setsebool -P httpd_can_network_connect on
7.03/ Enable and start the httpd service
systemctl enable httpd.service
systemctl start httpd.service
7.04/ Open a hole in the firewalld service
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
# We seriously recommend using only HTTPS / SSL !
# Add SSL support by running: yum install mod_ssl
# Check out the apache.misp.ssl file for an example
+--------------------------------+
| 8/ Log Rotation |
+--------------------------------+
# MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
cp INSTALL/misp.logrotate /etc/logrotate.d/misp
chmod 0640 /etc/logrotate.d/misp
8.01/ Allow logrotate to work under SELinux and modify the log files
semanage fcontext -a -t httpd_log_t "/var/www/MISP/app/tmp/logs(/.*)?"
chcon -R -t httpd_log_t /var/www/MISP/app/tmp/logs
8.02/ Allow logrotate to read /var/www
checkmodule -M -m -o /tmp/misplogrotate.mod INSTALL/misplogrotate.te
semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod
semodule -i /tmp/misplogrotate.pp
+--------------------------------+
| 9/ MISP Configuration |
+--------------------------------+
9.01/ There are 4 sample configuration files in /var/www/MISP/app/Config that need to be copied
cd /var/www/MISP/app/Config
cp -a bootstrap.default.php bootstrap.php
cp -a database.default.php database.php
cp -a core.default.php core.php
cp -a config.default.php config.php
9.02/ Configure the fields in the newly created files
# Configure the fields in the newly created files:
# config.php : baseurl (example: 'baseurl' => 'http://misp',) - don't use "localhost" it causes issues when browsing externally
# core.php : Uncomment and set the timezone: `// date_default_timezone_set('UTC');`
# database.php : login, port, password, database
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
# public $default = array(
# 'datasource' => 'Database/Mysql',
# 'persistent' => false,
# 'host' => 'localhost',
# 'login' => 'misp', // grant usage on *.* to misp@localhost
# 'port' => 3306,
# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
# 'database' => 'misp', // create database misp;
# 'prefix' => '',
# 'encoding' => 'utf8',
# );
#}
# Important! Change the salt key in /var/www/MISP/app/Config/config.php
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)
9.03/ If you want to be able to change configuration parameters from the webinterface:
chown apache:apache /var/www/MISP/app/Config/config.php
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Config/config.php
9.04/ Generate an encryption key
gpg --gen-key
mv ~/.gnupg /var/www/MISP/
chown -R apache:apache /var/www/MISP/.gnupg
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/.gnupg
## NOTE: There is a bug that if a passphrase is added MISP will produce an error on the diagnostic page.
# The email address should match the one set in the config.php configuration file
# Make sure that you use the same settings in the MISP Server Settings tool
9.05/ export the public key to the webroot
sudo -u apache gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-EMAIL > /var/www/MISP/app/webroot/gpg.asc
9.06/ Start the workers to enable background jobs
chmod +x /var/www/MISP/app/Console/worker/start.sh
su -s /bin/bash apache -c 'scl enable rh-php71 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh'
9.07a/ To make the background workers start on boot
vi /etc/rc.local
9.07b/ Add the following line at the end
su -s /bin/bash apache -c 'scl enable rh-php71 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh'
9.07c/ and make sure it will execute
chmod +x /etc/rc.local
# Now log in using the webinterface: http://misp/users/login
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
Don't forget to change the email, password and authentication key after installation.
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
chmod -R 750 /var/www/MISP/<directory path with an indicated issue>
chown -R apache:apache /var/www/MISP/<directory path with an indicated issue>
# Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items
# If anything goes wrong, make sure that you check MISP's logs for errors:
# /var/www/MISP/app/tmp/logs/error.log
# /var/www/MISP/app/tmp/logs/resque-worker-error.log
# /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
# /var/www/MISP/app/tmp/logs/resque-2015-01-01.log //where the actual date is the current date
+---------------------------+
| 10/ Post Install |
+---------------------------+
10.01/ Allow apache to write to /var/www/MISP/app/tmp/logs
# Result from diagnostic is that the directory is not writable.
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp/logs/
# NOTE: This may mean that logrotate cannot access the logs directory, will require further investigation
10.02/ Change php.ini settings to suggested limits from diagnostic page.
# Edit /etc/opt/rh/rh-php71/php.ini and set the following settings
max_execution_time = 300
memory_limit = 512M
upload_max_filesize = 50M
post_max_size = 50M
10.03/ Restart rh-php71 for settings to take effect
systemctl restart rh-php71-php-fpm
10.04/ Install pymisp and pydeep for Advanced Attachment handler
pip install pymisp
pip install git+https://github.com/kbandla/pydeep.git
10.05/ Install pymisp also in Python 3
scl enable rh-python36 pip3 install pymisp
+---------------------------+
| 11/ LIEF Installation |
+---------------------------+
# lief is required for the Advanced Attachment Handler and requires manual compilation
11.01/ Install cmake3 devtoolset-7 from SCL
yum install devtoolset-7 cmake3
11.02/ Enable devtoolset-7
scl enable devtoolset-7 bash
11.03/ Set env variable, create directories and download source code
mkdir -p /tmp/LIEF
mkdir -p /tmp/LIEF_INSTALL
export LIEF_TMP=/tmp/LIEF
export LIEF_INSTALL=/tmp/LIEF_INSTALL
export LIEF_BRANCH=master
cd $LIEF_TMP
git clone --branch $LIEF_BRANCH --single-branch https://github.com/lief-project/LIEF.git LIEF
11.04/ Compile lief and install
cd $LIEF_TMP/LIEF
mkdir -p build
cd build
scl enable devtoolset-7 'bash -c "cmake3 \
-DLIEF_PYTHON_API=on \
-DLIEF_DOC=off \
-DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \
-DCMAKE_BUILD_TYPE=Release \
-DPYTHON_VERSION=2.7 \
.."'
make -j3
cd api/python
scl enable rh-python36 python3 setup.py install || :
# you can ignore the error about finding suitable distribution
cd $LIEF_TMP/LIEF/build
make install
make package
11.05/ Test lief installation, if no error, package installed
python
>> import lief
+---------------------------+
| 12/ Known Issues |
+---------------------------+
12.01/ PHP CLI cannot determine version
# PHP CLI Version cannot be determined. Possibly due to PHP being installed through SCL
12.02/ Workers cannot be started or restarted from the web page
# Possible also due to package being installed via SCL, attempting to start workers through the web page will result in
# error. Worker's can be restarted via the CLI using the following command.
su -s /bin/bash apache -c 'scl enable rh-php71 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh'
## NOTE: No other functions were tested after the conclusion of this install. There may be issue that aren't addressed
## via this guide and will need additional investigation.

338
docs/INSTALL.ubuntu1804.md Normal file
View File

@ -0,0 +1,338 @@
INSTALLATION INSTRUCTIONS
------------------------- for Ubuntu 18.04-server
1/ Minimal Ubuntu install
-------------------------
# Install a minimal Ubuntu 18.04-server system with the software:
- OpenSSH server
# Make sure your system is up2date:
sudo apt-get update
sudo apt-get upgrade
# install postfix, there will be some questions.
sudo apt-get install postfix
# Postfix Configuration: Satellite system
# change the relay server later with:
sudo postconf -e 'relayhost = example.com'
sudo postfix reload
2/ Install LAMP & dependencies
------------------------------
Once the system is installed you can perform the following steps:
# Make sure you have enabled the Universe repository (fe. for redis-server), enable it with
# sudo add-apt-repository universe
# Install the dependencies: (some might already be installed)
sudo apt-get install curl gcc git gnupg-agent make python python3 openssl redis-server sudo vim zip
# Install MariaDB (a MySQL fork/alternative)
sudo apt-get install mariadb-client mariadb-server
# Secure the MariaDB installation (especially by setting a strong root password)
sudo mysql_secure_installation
# Install Apache2
sudo apt-get install apache2 apache2-doc apache2-utils
# Enable modules, settings, and default of SSL in Apache
sudo a2dismod status
sudo a2enmod ssl
sudo a2enmod rewrite
sudo a2enmod headers
sudo a2dissite 000-default
sudo a2ensite default-ssl
# Install PHP and dependencies
sudo apt-get install libapache2-mod-php php php-cli php-gnupg php-dev php-json php-mysql php-opcache php-readline php-redis php-xml php-mbstring
# Apply all changes
sudo systemctl restart apache2
3/ MISP code
------------
# Download MISP using git in the /var/www/ directory.
sudo mkdir /var/www/MISP
sudo chown www-data:www-data /var/www/MISP
cd /var/www/MISP
sudo -u www-data git clone https://github.com/MISP/MISP.git /var/www/MISP
sudo -u www-data git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
sudo -u www-data git submodule foreach --recursive git config core.filemode false
# Make git ignore filesystem permission differences
sudo -u www-data git config core.filemode false
# install Mitre's STIX and its dependencies by running the following commands:
sudo apt-get install python3-dev python3-pip libxml2-dev libxslt1-dev zlib1g-dev python-setuptools
cd /var/www/MISP/app/files/scripts
sudo -u www-data git clone https://github.com/CybOXProject/python-cybox.git
sudo -u www-data git clone https://github.com/STIXProject/python-stix.git
sudo -u www-data git clone https://github.com/MAECProject/python-maec.git
cd /var/www/MISP/app/files/scripts/python-cybox
sudo python3 setup.py install
cd /var/www/MISP/app/files/scripts/python-stix
sudo python3 setup.py install
cd /var/www/MISP/app/files/scripts/python-maec
sudo python3 setup.py install
# install mixbox to accomodate the new STIX dependencies:
cd /var/www/MISP/app/files/scripts/
sudo -u www-data git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
sudo python3 setup.py install
# install PyMISP
cd /var/www/MISP/PyMISP
sudo python3 setup.py install
# install support for STIX 2.0
sudo pip3 install stix2
4/ CakePHP
-----------
# Once done, install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd /var/www/MISP/app
sudo -u www-data php composer.phar require kamisama/cake-resque:4.1.2
sudo -u www-data php composer.phar config vendor-dir Vendor
sudo -u www-data php composer.phar install
# Enable CakeResque with php-redis
sudo phpenmod redis
# To use the scheduler worker for scheduled tasks, do the following:
sudo -u www-data cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
# If you have multiple MISP instances on the same system, don't forget to have a different Redis per MISP instance for the CakeResque workers
# The default Redis port can be updated in Plugin/CakeResque/Config/config.php
5/ Set the permissions
----------------------
# Check if the permissions are set correctly using the following commands:
sudo chown -R www-data:www-data /var/www/MISP
sudo chmod -R 750 /var/www/MISP
sudo chmod -R g+ws /var/www/MISP/app/tmp
sudo chmod -R g+ws /var/www/MISP/app/files
sudo chmod -R g+ws /var/www/MISP/app/files/scripts/tmp
6/ Create a database and user
-----------------------------
# Enter the mysql shell
sudo mysql -u root -p
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
# Import the empty MISP database from MYSQL.sql
sudo -u www-data sh -c "mysql -u misp -p misp < /var/www/MISP/INSTALL/MYSQL.sql"
# enter the password you've set in line 129 when prompted
7/ Apache configuration
-----------------------
# Now configure your Apache webserver with the DocumentRoot /var/www/MISP/app/webroot/
# If the apache version is 2.2:
sudo cp /var/www/MISP/INSTALL/apache.22.misp.ssl /etc/apache2/sites-available/misp-ssl.conf
# If the apache version is 2.4:
sudo cp /var/www/MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp-ssl.conf
# Be aware that the configuration files for apache 2.4 and up have changed.
# The configuration file has to have the .conf extension in the sites-available directory
# For more information, visit http://httpd.apache.org/docs/2.4/upgrading.html
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=<Country>/ST=<State>/L=<Locality>/O=<Organization>/OU=<Organizational Unit Name>/CN=<QDN.here>/emailAddress=admin@<your.FQDN.here>" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
# Please find a sample conf file for an SSL enabled conf file in-line below (alternatively use one of the samples provided in /var/www/MISP/INSTALL
# Also remember to verify the SSLCertificateChainFile property in your config file - this is usually commented out for the self-generated certificate in the sample configurations, such as the one pasted below.
# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)
============================================= Begin sample working SSL config for MISP
<VirtualHost <IP, FQDN, or *>:80>
ServerName <your.FQDN.here>
Redirect permanent / https://<your.FQDN.here>
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost <IP, FQDN, or *>:443>
ServerAdmin admin@<your.FQDN.here>
ServerName <your.FQDN.here>
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
Options -Indexes
AllowOverride all
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
============================================= End sample working SSL config for MISP
# activate new vhost
sudo a2dissite default-ssl
sudo a2ensite misp-ssl
# Restart apache
sudo systemctl restart apache2
8/ Log rotation
---------------
# MISP saves the stdout and stderr of its workers in /var/www/MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
sudo cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
sudo chmod 0640 /etc/logrotate.d/misp
9/ MISP configuration
---------------------
# There are 4 sample configuration files in /var/www/MISP/app/Config that need to be copied
sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php
sudo -u www-data cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php
sudo -u www-data cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php
sudo -u www-data cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php
# Configure the fields in the newly created files:
sudo -u www-data vim /var/www/MISP/app/Config/database.php
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
# public $default = array(
# 'datasource' => 'Database/Mysql',
# 'persistent' => false,
# 'host' => 'localhost',
# 'login' => 'misp', // grant usage on *.* to misp@localhost
# 'port' => 3306,
# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
# 'database' => 'misp', // create database misp;
# 'prefix' => '',
# 'encoding' => 'utf8',
# );
#}
# Important! Change the salt key in /var/www/MISP/app/Config/config.php
# The salt key must be a string at least 32 bytes long.
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)
# Change base url in config.php
/var/www/MISP/app/Console/cake Baseurl https://<your.FQDN.here>
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# and make sure the file permissions are still OK
sudo chown -R www-data:www-data /var/www/MISP/app/Config
sudo chmod -R 750 /var/www/MISP/app/Config
# Generate a GPG encryption key.
sudo -u www-data mkdir /var/www/MISP/.gnupg
sudo chmod 700 /var/www/MISP/.gnupg
sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
# NOTE: if entropy is not high enough, you can install rng-tools and then run rngd -r /dev/urandom do fix it quickly
# And export the public key to the webroot
sudo -u www-data sh -c "gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-KEYS-EMAIL-HERE > /var/www/MISP/app/webroot/gpg.asc"
# To make the background workers start on boot
sudo chmod +x /var/www/MISP/app/Console/worker/start.sh
sudo vim /etc/rc.local
# Add the following line before the last line (exit 0). Make sure that you replace www-data with your apache user:
sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh
# Now log in using the webinterface:
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
# start the workers by navigating to the workers tab and clicking restart all workers
# Don't forget to change the email, password and authentication key after installation.
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
sudo chmod -R 750 /var/www/MISP/<directory path with an indicated issue>
sudo chown -R www-data:www-data /var/www/MISP/<directory path with an indicated issue>
# Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items
# If anything goes wrong, make sure that you check MISP's logs for errors:
# /var/www/MISP/app/tmp/logs/error.log
# /var/www/MISP/app/tmp/logs/resque-worker-error.log
# /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
# /var/www/MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
Recommended actions
-------------------
- By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.
- You should really harden your OS
- You should really harden the configuration of Apache
- You should really harden the configuration of MySQL/MariaDB
- Keep your software up2date (OS, MISP, CakePHP and everything else)
- Log and audit
Optional features
-----------------
# MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following command
sudo pip3 install pyzmq
# ZeroMQ depends on the Python client for Redis
sudo pip3 install redis
# For the experimental ssdeep correlations, run the following installation:
# installing ssdeep
wget http://downloads.sourceforge.net/project/ssdeep/ssdeep-2.13/ssdeep-2.13.tar.gz
tar zxvf ssdeep-2.13.tar.gz
cd ssdeep-2.13
./configure
make
sudo make install
ssdeep -h # test
#installing ssdeep_php
sudo pecl install ssdeep
# You should add "extension=ssdeep.so" to mods-available - Check /etc/php for your current version
echo "extension=ssdeep.so" | sudo tee /etc/php/7.2/mods-available/ssdeep.ini
sudo phpenmod ssdeep
sudo service apache2 restart
Optional features: misp-modules
-------------------------------
# If you want to add the misp modules functionality, follow the setup procedure described in misp-modules:
# https://github.com/MISP/misp-modules#how-to-install-and-start-misp-modules
# Then the enrichment, export and import modules can be enabled in MISP via the settings.

103
docs/UPDATE.md Normal file
View File

@ -0,0 +1,103 @@
# In general, updating MISP between point releases (for exampe 2.4.50 -> 2.4.53) happens with one of the following two options (both are to be executed as root):
# Option 1: To update to the latest commit from the 2.4 branch simply pull the latest commit
cd /var/www/MISP
git pull origin 2.4
git submodule update --init --recursive
# Option 2: If you want to stick to a point release instead of pulling the latest commit directly:
cd /var/www/MISP
git fetch
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
git submodule update --init --recursive
# If you would like to upgrade from a minor version to another, look at the UPGRADE.txt file instead (such as 2.3.142 -> 2.4.13)
# If for any reason something goes wrong with the above instructions, walk through the following manual upgrade
# 1. Update the MISP code to the latest hotfix.
As user root, do the following:
cd /var/www/MISP
git fetch
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
# 2. Update CakePHP to the latest supported version (if for some reason it doesn't get updated automatically with git submodule)
cd /var/www/MISP
git submodule update --init --recursive
# 3. Update Mitre's STIX and its dependencies
cd /var/www/MISP/app/files/scripts/
rm -rf python-cybox
rm -rf python-stix
sudo -u www-data git clone https://github.com/CybOXProject/python-cybox.git
sudo -u www-data git clone https://github.com/STIXProject/python-stix.git
cd /var/www/MISP/app/files/scripts/python-cybox
python3 setup.py install
cd /var/www/MISP/app/files/scripts/python-stix
python3 setup.py install
# 4. Update mixbox to accomodate the new STIX dependencies:
cd /var/www/MISP/app/files/scripts/
rm -rf mixbox
sudo -u www-data git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
python3 setup.py install
# 5. install PyMISP
cd /var/www/MISP/PyMISP
python3 setup.py install
# 6. For RHEL/CentOS: enable python3 for php-fpm
echo 'source scl_source enable rh-python36' >> /etc/opt/rh/rh-php71/sysconfig/php-fpm
sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php71/php-fpm.d/www.conf
systemctl restart rh-php71-php-fpm.service
# 7. Update CakeResque and its dependencies
cd /var/www/MISP/app
# Edit composer.json so that cake-resque is allowed to be updated
# "kamisama/cake-resque": ">=4.1.2"
vim composer.json
php composer.phar self-update
# if behind a proxy use HTTP_PROXY="http://yourproxy:port" php composer.phar self-update
php composer.phar update
# To use the scheduler worker for scheduled tasks, do the following:
cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
# 8. Make sure all file permissions are set correctly
find /var/www/MISP -type d -exec chmod g=rx {} \;
chmod -R g+r,o= /var/www/MISP/
chown -R www-data:www-data /var/www/MISP/
# 9. Restart the CakeResque workers
su - www-data -s /bin/bash -c 'bash /var/www/MISP/app/Console/worker/start.sh'
# You can also do this using the MISP application by navigating to the workers tab in the server settings and clicking on the "Restart all workers" button.
# 10. Add any new dependencies that might have been added since you've last updated (shown below)
# 11. Add requirements for the pubsub optional feature
pip install pyzmq

BIN
docs/img/favicon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

BIN
docs/img/misp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

7
docs/index.md Normal file
View File

@ -0,0 +1,7 @@
# Welcome to the official MISP Install Guides
On the following pages you will find stock install instructions for getting a base MISP system running.
For full documentation visit [misp-book](https://www.circl.lu/doc/misp/).
[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/fold_left.svg?style=social&label=Follow%20%40MISPProject)](https://twitter.com/MISPProject)

5
docs/license.md Normal file
View File

@ -0,0 +1,5 @@
## License
The MISP INSTALL guides are dual-licensed under [GNU Affero General Public License version 3](http://www.gnu.org/licenses/agpl-3.0.html) and [CC-BY-SA 4.0 international](https://creativecommons.org/licenses/by-sa/4.0/).
* Copyright \(C\) 2014-2018 CIRCL - Computer Incident Response Center Luxembourg

503
docs/xINSTALL.OpenBSD.md Normal file
View File

@ -0,0 +1,503 @@
INSTALLATION INSTRUCTIONS
------------------------- for OpenBSD 6.3-amd64
0/ WIP /!\ You are warned, this does not work yet! /!\
Current issues: php-redis only available in binary for php-56, workaround: use ports.
This guide attempts to offer native httpd or apache2/nginx set-up.
1/ Minimal OpenBSD install
--------------------------
# Install standard OpenBSD-amd64 with ports
## In case you forgot to fetch ports
```
$ cd /tmp
$ ftp https://ftp.openbsd.org/pub/OpenBSD/$(uname -r)/{ports.tar.gz,SHA256.sig}
$ signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig ports.tar.gz
# cd /usr
# tar xzf /tmp/ports.tar.gz
````
# System Hardening
- TBD
# doas & pkg (as root)
```
echo http://ftp.belnet.be/pub/OpenBSD/ > /etc/installurl
echo "permit keepenv setenv { PKG_PATH ENV PS1 SSH_AUTH_SOCK } :wheel" > /etc/doas.conf
```
# Update system
```
doas syspatch
```
# Install bash & ntp
```
doas pkg_add -v bash ntp
```
# rc.local - Add ntpdate on boot
```
echo -n ' ntpdate'
/usr/local/sbin/ntpdate -b pool.ntp.org >/dev/null
```
# Launch ntpd on boot
```
doas rcctl enable xntpd
doas rcctl set xntpd flags "-p /var/run/ntpd.pid"
doas /usr/local/sbin/ntpd -p /var/run/ntpd.pid
```
# misp user
```
useradd -m -s /usr/local/bin/bash -G wheel,www misp
```
# nvim (optional)
```
doas pkg_add -v neovim
doas mv /usr/bin/vi /usr/bin/vi-`date +%d%m%y`
doas ln -s /usr/local/bin/nvim /usr/bin/vi
```
# /etc/httpd.conf
```
cp /etc/examples/httpd.conf /etc # adjust by hand, or copy/paste the config example below
```
```
# $OpenBSD: httpd.conf,v 1.18 2018/03/23 11:36:41 florian Exp $
#
# Macros
#
ext4_addr="*"
ext6_addr="::"
server "default" {
#listen on $ext4_addr port 80 block return 301 "https://$SERVER_NAME$REQUEST_URI"
listen on $ext4_addr port 80
listen on $ext4_addr tls port 443
#listen on $ext6_addr port 80 block return 301 "https://$SERVER_NAME$REQUEST_URI"
listen on $ext6_addr port 80
listen on $ext6_addr tls port 443
root "/htdocs/MISP/app/webroot"
tls {
key "/etc/ssl/private/server.key"
certificate "/etc/ssl/server.crt"
}
directory {
index "index.php"
}
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
#location "/.well-known/acme-challenge/*" {
# root "/acme"
# root strip 2
#}
#location * {
# block return 302 "https://$HTTP_HOST$REQUEST_URI"
#}
}
# Include MIME types instead of the built-in ones
types {
include "/usr/share/misc/mime.types"
}
#server "example.com" {
# listen on * tls port 443
# listen on :: tls port 443
# tls {
# certificate "/etc/ssl/example.com.fullchain.pem"
# key "/etc/ssl/private/example.com.key"
# }
# location "/pub/*" {
# directory auto index
# }
# location "/.well-known/acme-challenge/*" {
# root "/acme"
# root strip 2
# }
#}
```
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
```
doas openssl genrsa -out /etc/ssl/private/server.key
doas openssl req -new -x509 -subj "/C=<Country>/ST=<State>/L=<Locality>/O=<Organization>/OU=<Organizational Unit Name>/CN=<QDN.here>/emailAddress=admin@<your.FQDN.here>" -key /etc/ssl/private/server.key -out /etc/ssl/server.crt -days 3650
```
# mariadb server
```
pkd_add -v mariadb-server
```
# start httpd
```
/etc/rc.d/httpd -f start
```
# Install postfix
```
doas pkg_add -v postfix
```
# Enable httpd
```
doas rcctl enable httpd
```
# Install misc dependencies
```
doas pkg_add -v curl git python redis
```
# OpendBSD + Apache/httpd/nginx + MySQL/Mariadb + PHP
```
#pkg_add -v apache-httpd
pkg_add -v \
gnupg \
```
# php7 ports
```
php-mysqli
php-pcntl
php-pdo_mysql
pecl-redis
pear
```
# Optional for Apache2
```
doas pkg_add -v fcgi-cgi fcgi
``
# /etc/php-5.6.ini
```
allow_url_fopen = On
```
```
cd /etc/php-5.6
doas cp ../php-5.6.sample/* .
```
# php ln
```
doas ln -s /usr/local/bin/php-5.6 /usr/local/bin/php
```
# Enable php fpm
``
doas rcctl enable php56_fpm
```
# Configure fpm
```
doas vi /etc/php-fpm.conf
```
error_log = log/php-fpm.log
chroot -> remove for the time being
For native httpd: listen = /var/www/run/php-fpm.sock
For apache2: listen = 127.0.0.1:9000
# Enable redis
```
doas rcctl enable redis
doas /etc/rc.d/redis start
```
# Enable mysqld
```
doas rcctl set mysqld status on
doas rcctl set mysqld flags --bind-address=127.0.0.1
doas /etc/rc.d/mysqld start
doas mysql_secure_installation
```
3/ MISP code
------------
```
# Download MISP using git in the /usr/local/www/ directory.
doas mkdir /var/www/htdocs/MISP
doas chown www:www /var/www/htdocs/MISP
cd /var/www/htdocs/MISP
doas -u www git clone https://github.com/MISP/MISP.git /var/www/htdocs/MISP
# Make git ignore filesystem permission differences
doas -u www git config core.filemode false
doas pkg_add py-pip py3-pip libxml libxslt py3-jsonschema
cd /var/www/htdocs/MISP/app/files/scripts
doas -u www git clone https://github.com/CybOXProject/python-cybox.git
doas -u www git clone https://github.com/STIXProject/python-stix.git
cd /var/www/htdocs/MISP/app/files/scripts/python-cybox
doas python3 setup.py install
cd /var/www/htdocs/MISP/app/files/scripts/python-stix
doas python3 setup.py install
# install mixbox to accomodate the new STIX dependencies:
cd /var/www/htdocs/MISP/app/files/scripts/
doas -u www git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/htdocs/MISP/app/files/scripts/mixbox
doas python3 setup.py install
# install PyMISP
cd /var/www/htdocs/MISP/PyMISP
doas python3 setup.py install
# install support for STIX 2.0
doas pip3.6 install stix2
```
4/ CakePHP
-----------
```
# CakePHP is included as a submodule of MISP, execute the following commands to let git fetch it:
cd /var/www/htdocs/MISP
doas -u www git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
doas -u www git submodule foreach --recursive git config core.filemode false
# Once done, install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd /var/www/htdocs/MISP/app
doas -u www php composer.phar require kamisama/cake-resque:4.1.2
doas -u www php composer.phar config vendor-dir Vendor
doas -u www php composer.phar install
# To use the scheduler worker for scheduled tasks, do the following:
doas -u www cp -f /var/www/htdocs/MISP/INSTALL/setup/config.php /var/www/htdocs/MISP/app/Plugin/CakeResque/Config/config.php
```
5/ Set the permissions
----------------------
```
# Check if the permissions are set correctly using the following commands:
doas chown -R www:www /var/www/htdocs/MISP
doas chmod -R 750 /var/www/htdocs/MISP
doas chmod -R g+ws /var/www/htdocs/MISP/app/tmp
doas chmod -R g+ws /var/www/htdocs/MISP/app/files
doas chmod -R g+ws /var/www/htdocs/MISP/app/files/scripts/tmp
```
6/ Create a database and user
-----------------------------
```
# Enter the mysql shell
doas mysql -u root -p
```
```
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
```
```
# Import the empty MISP database from MYSQL.sql
doas -u www sh -c "mysql -u misp -p misp < /var/www/htdocs/MISP/INSTALL/MYSQL.sql"
# enter the password you set previously
```
7/ Apache configuration (optional)
-----------------------
# Now configure your Apache webserver with the DocumentRoot /var/www/htdocs/MISP/app/webroot/
#2.4
doas mkdir /etc/apache2/sites-available/ /etc/apache2/sites-enabled/
# If the apache version is 2.4:
doas cp /var/www/htdocs/MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp-ssl.conf
# Be aware that the configuration files for apache 2.4 and up have changed.
# The configuration file has to have the .conf extension in the sites-available directory
# For more information, visit http://httpd.apache.org/docs/2.4/upgrading.html
doas mkdir /etc/ssl/private/
# If a valid SSL certificate is not already created for the server, create a self-signed certificate: (Make sure to fill the <…>)
doas openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
-subj "/C=<Country>/ST=<State>/L=<Locality>/O=<Organization>/OU=<Organizational Unit Name>/CN=<QDN.here>/emailAddress=admin@<your.FQDN.here>" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)
doas mkdir /var/log/apache2/
============================================= Begin sample working SSL config for MISP
<VirtualHost <IP, FQDN, or *>:80>
ServerName <your.FQDN.here>
Redirect permanent / https://<your.FQDN.here>
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost <IP, FQDN, or *>:443>
ServerAdmin admin@<your.FQDN.here>
ServerName <your.FQDN.here>
DocumentRoot /var/www/htdocs/MISP/app/webroot
<Directory /var/www/htdocs/MISP/app/webroot>
Options -Indexes
AllowOverride all
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
============================================= End sample working SSL config for MISP
# activate new vhost
cd /etc/apache2/sites-enabled/
doas ln -s ../sites-available/misp-ssl.conf
echo "Include /etc/apache2/sites-enabled/*.conf" >> /etc/apache2/httpd2.conf
doas vi /etc/apache2/httpd2.conf
/!\ Enable mod_rewrite in httpd2.conf /!\
LoadModule rewrite_module /usr/local/lib/apache2/mod_rewrite.so
LoadModule ssl_module /usr/local/lib/apache2/mod_ssl.so
LoadModule proxy_module /usr/local/lib/apache2/mod_proxy.so
LoadModule proxy_fcgi_module /usr/local/lib/apache2/mod_proxy_fcgi.so
Listen 443
# Restart apache
doas /etc/rc.d/apache2 restart
8/ Log rotation (needs to be adapted to OpenBSD, newsyslog does this for you
---------------
# MISP saves the stdout and stderr of its workers in /var/www/htdocs/MISP/app/tmp/logs
9/ MISP configuration
---------------------
# There are 4 sample configuration files in /var/www/htdocs/MISP/app/Config that need to be copied
doas -u www cp /var/www/htdocs/MISP/app/Config/bootstrap.default.php /var/www/htdocs/MISP/app/Config/bootstrap.php
doas -u www cp /var/www/htdocs/MISP/app/Config/database.default.php /var/www/htdocs/MISP/app/Config/database.php
doas -u www cp /var/www/htdocs/MISP/app/Config/core.default.php /var/www/htdocs/MISP/app/Config/core.php
doas -u www cp /var/www/htdocs/MISP/app/Config/config.default.php /var/www/htdocs/MISP/app/Config/config.php
# Configure the fields in the newly created files:
doas -u www vim /var/www/htdocs/MISP/app/Config/database.php
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
# public $default = array(
# 'datasource' => 'Database/Mysql',
# 'persistent' => false,
# 'host' => 'localhost',
# 'login' => 'misp', // grant usage on *.* to misp@localhost
# 'port' => 3306,
# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
# 'database' => 'misp', // create database misp;
# 'prefix' => '',
# 'encoding' => 'utf8',
# );
#}
# Important! Change the salt key in /usr/local/www/MISP/app/Config/config.php
# The salt key must be a string at least 32 bytes long.
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)
# Change base url in config.php
doas -u www vim /var/www/htdocs/MISP/app/Config/config.php
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# 'baseurl' => '',
# and make sure the file permissions are still OK
doas chown -R www:www /var/www/htdocs/MISP/app/Config
doas chmod -R 750 /var/www/htdocs/MISP/app/Config
# Generate a GPG encryption key.
doas -u www mkdir /var/www/htdocs/MISP/.gnupg
doas chmod 700 /var/www/htdocs/MISP/.gnupg
##### doas -u www gpg --homedir /var/www/htdocs/MISP/.gnupg --gen-key <- Broken
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
# And export the public key to the webroot
doas -u www sh -c "gpg --homedir /var/www/htdocs/MISP/.gnupg --export --armor YOUR-KEYS-EMAIL-HERE > /var/www/htdocs/MISP/app/webroot/gpg.asc"
# To make the background workers start on boot
doas chmod +x /var/www/htdocs/MISP/app/Console/worker/start.sh
doas vim /etc/rc.local
# Add the following line before the last line (exit 0). Make sure that you replace www with your apache user:
doas -u www bash /var/www/htdocs/MISP/app/Console/worker/start.sh
# Now log in using the webinterface:
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
# start the workers by navigating to the workers tab and clicking restart all workers
# Don't forget to change the email, password and authentication key after installation.
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
doas chmod -R 750 /var/www/htdocs/MISP/<directory path with an indicated issue>
doas chown -R www:www /var/www/htdocs/MISP/<directory path with an indicated issue>
# Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items
# If anything goes wrong, make sure that you check MISP's logs for errors:
# /var/www/htdocs/MISP/app/tmp/logs/error.log
# /var/www/htdocs/MISP/app/tmp/logs/resque-worker-error.log
# /var/www/htdocs/MISP/app/tmp/logs/resque-scheduler-error.log
# /var/www/htdocs/MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
Recommended actions
-------------------
- By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.
- You should really harden your OS
- You should really harden the configuration of Apache/httpd
- You should really harden the configuration of MySQL/MariaDB
- Keep your software up2date (OS, MISP, CakePHP and everything else)
- Log and audit
Optional features
-------------------
# MISP has a new pub/sub feature, using ZeroMQ.
# ZeroMQ depends on the Python client for Redis
```
doas pkg_add -v py3-zmq
```

589
docs/xINSTALL.centos7.md Normal file
View File

@ -0,0 +1,589 @@
INSTALLATION INSTRUCTIONS
------------------------- for CentOS 7.x
0/ MISP CentOS 7 Minimal NetInstall - Status
--------------------------------------------
Maintained and tested by @SteveClement, CentOS 7.5-1804 on 20180906
CentOS 7.5-1804 NetInstallURL: http://mirror.centos.org/centos/7.5.1804/os/x86_64/
Some configurables used below:
```
# CentOS Specific
RUN_PHP='/usr/bin/scl enable rh-php56 '
RUN_PYTHON='/usr/bin/scl enable rh-python36 '
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
CAKE="$PATH_TO_MISP/app/Console/cake"
MISP_BASEURL=''
MISP_LIVE='1'
# Database configuration
DBHOST='localhost'
DBNAME='misp'
DBUSER_ADMIN='root'
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
FQDN='localhost'
# OpenSSL configuration
OPENSSL_CN='Common Name'
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
# php.ini configuration
upload_max_filesize=50M
post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/opt/rh/rh-php56/php.ini
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
```
1/ Minimal CentOS install
-------------------------
Install a minimal CentOS 7.x system with the software:
- OpenSSH server
- LAMP server (actually, this is done below)
- Mail server
# Make sure you set your hostname CORRECTLY vs. like an animal (manually in /etc/hostname)
hostnamectl set-hostname misp.local # or whatever you want it to be
# Make sure your system is up2date:
sudo yum update -y
2/ Dependencies *
----------------
Once the system is installed you can perform the following steps as root or with sudo:
# We need some packages from the Extra Packages for Enterprise Linux repository
sudo yum install epel-release -y
# Since MISP 2.4 PHP 5.5 is a minimal requirement, so we need a newer version than CentOS base provides
# Software Collections is a way do to this, see https://wiki.centos.org/AdditionalResources/Repositories/SCL
sudo yum install centos-release-scl -y
# Install the dependencies:
sudo yum install gcc git httpd zip redis mariadb mariadb-server python-devel python-pip python-zmq libxslt-devel zlib-devel -y
# Install PHP 5.6 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-php56/
sudo yum install rh-php56 rh-php56-php-fpm rh-php56-php-devel rh-php56-php-mysqlnd rh-php56-php-mbstring rh-php56-php-xml rh-php56-php-bcmath rh-php56-php-opcache -y
# Install Python 3.6 from SCL, see
# https://www.softwarecollections.org/en/scls/rhscl/rh-python36/
sudo yum install rh-python36 -y
# rh-php56-php only provided mod_php for httpd24-httpd from SCL
# if we want to use httpd from CentOS base we can use rh-php56-php-fpm instead
sudo systemctl enable rh-php56-php-fpm.service
sudo systemctl start rh-php56-php-fpm.service
$RUN_PHP "pear channel-update pear.php.net"
sudo $RUN_PHP "pear install Crypt_GPG" # we need version >1.3.0
NOTE: $RUN_PHP makes php available for you if using rh-php56. e.g: $RUN_PHP "pear list | grep Crypt_GPG"
# GPG needs lots of entropy, haveged provides entropy
sudo yum install haveged -y
sudo systemctl enable haveged.service
sudo systemctl start haveged.service
# Enable and start redis
sudo systemctl enable redis.service
sudo systemctl start redis.service
3/ MISP code
------------
# Download MISP using git in the /var/www/ directory.
cd /var/www/
sudo git clone https://github.com/MISP/MISP.git
cd /var/www/MISP
sudo git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
# Make git ignore filesystem permission differences
sudo git config core.filemode false
# Fetch submodules
cd /var/www/MISP
sudo git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
sudo git submodule foreach --recursive git config core.filemode false
# install Mitre's STIX and its dependencies by running the following commands:
sudo yum install python-importlib python-lxml python-dateutil python-six -y
cd /var/www/MISP/app/files/scripts
sudo git clone https://github.com/CybOXProject/python-cybox.git
sudo git clone https://github.com/STIXProject/python-stix.git
cd /var/www/MISP/app/files/scripts/python-cybox
sudo git config core.filemode false
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
sudo $RUN_PYTHON "python3 setup.py install"
cd /var/www/MISP/app/files/scripts/python-stix
sudo git config core.filemode false
sudo $RUN_PYTHON "python3 setup.py install"
# install maec
sudo $RUN_PYTHON "pip install maec"
# install zmq
sudo $RUN_PYTHON "pip install zmq"
# install redis
sudo $RUN_PYTHON "pip install redis"
# install mixbox to accomodate the new STIX dependencies:
cd /var/www/MISP/app/files/scripts/
sudo git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
sudo git config core.filemode false
sudo $RUN_PYTHON "python3 setup.py install"
# install PyMISP
cd /var/www/MISP/PyMISP
sudo $RUN_PYTHON "python3 setup.py install"
# Enable python3 for php-fpm
echo 'source scl_source enable rh-python36' | sudo tee -a /etc/opt/rh/rh-php56/sysconfig/php-fpm
sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php56/php-fpm.d/www.conf
sudo systemctl restart rh-php56-php-fpm.service
umask $UMASK
4/ CakePHP
-----------
# CakePHP is now included as a submodule of MISP and has been fetch by a previous step.
# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
sudo chown -R apache:apache /var/www/MISP
sudo mkdir /usr/share/httpd/.composer
sudo chown apache:apache /usr/share/httpd/.composer
cd /var/www/MISP/app
sudo -u apache $RUN_PHP "php composer.phar require kamisama/cake-resque:4.1.2"
sudo -u apache $RUN_PHP "php composer.phar config vendor-dir Vendor"
sudo -u apache $RUN_PHP "php composer.phar install"
# CakeResque normally uses phpredis to connect to redis, but it has a (buggy) fallback connector through Redisent. It is highly advised to install phpredis using "yum install php-redis"
sudo $RUN_PHP "pecl install redis-2.2.8"
echo "extension=redis.so" |sudo tee /etc/opt/rh/rh-php56/php-fpm.d/redis.ini
sudo ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php56/php.d/99-redis.ini
sudo systemctl restart rh-php56-php-fpm.service
# If you have not yet set a timezone in php.ini
echo 'date.timezone = "Europe/Luxembourg"' |sudo tee /etc/opt/rh/rh-php56/php-fpm.d/timezone.ini
sudo ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php56/php.d/99-timezone.ini
# Recommended: Change some PHP settings in /etc/opt/rh/rh-php56/php.ini
# max_execution_time = 300
# memory_limit = 512M
# upload_max_filesize = 50M
# post_max_size = 50M
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo systemctl restart rh-php56-php-fpm.service
# To use the scheduler worker for scheduled tasks, do the following:
sudo cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
5/ Set the permissions
----------------------
# Make sure the permissions are set correctly using the following commands as root:
sudo chown -R root:apache /var/www/MISP
sudo find /var/www/MISP -type d -exec chmod g=rx {} \;
sudo chmod -R g+r,o= /var/www/MISP
sudo chmod -R 750 /var/www/MISP
sudo chmod -R g+ws /var/www/MISP/app/tmp
sudo chmod -R g+ws /var/www/MISP/app/files
sudo chmod -R g+ws /var/www/MISP/app/files/scripts/tmp
sudo chown apache:apache /var/www/MISP/app/files
sudo chown apache:apache /var/www/MISP/app/files/terms
sudo chown apache:apache /var/www/MISP/app/files/scripts/tmp
sudo chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp
sudo chown -R apache:apache /var/www/MISP/app/Config
sudo chown -R apache:apache /var/www/MISP/app/tmp
sudo chown -R apache:apache /var/www/MISP/app/webroot/img/orgs
sudo chown -R apache:apache /var/www/MISP/app/webroot/img/custom
6/ Create a database and user
-----------------------------
# Enable, start and secure your mysql database server
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service
# If you want to continue copy pasting set the MySQL root password to $DBPASSWORD_ADMIN
echo $DBPASSWORD_ADMIN
sudo mysql_secure_installation
# Additionally, it is probably a good idea to make the database server listen on localhost only
echo [mysqld] |sudo tee /etc/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf
sudo systemctl restart mariadb.service
# Enter the mysql shell
mysql -u root -p
```
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
MariaDB [(none)]> exit
```
copy/paste:
```
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
```
# Import the empty MySQL database from MYSQL.sql
sudo -u apache cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
7/ Apache configuration
-----------------------
# Now configure your apache server with the DocumentRoot /var/www/MISP/app/webroot/
# A sample vhost can be found in /var/www/MISP/INSTALL/apache.misp.centos7
sudo cp /var/www/MISP/INSTALL/apache.misp.centos7 /etc/httpd/conf.d/misp.conf
# Since SELinux is enabled, we need to allow httpd to write to certain directories
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp/logs
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
:warning: Revise all permissions so update in Web UI works.
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
# Allow httpd to connect to the redis server and php-fpm over tcp/ip
sudo setsebool -P httpd_can_network_connect on
# Enable and start the httpd service
sudo systemctl enable httpd.service
sudo systemctl start httpd.service
# Open a hole in the iptables firewall
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --reload
# We seriously recommend using only HTTPS / SSL !
# Add SSL support by running: yum install mod_ssl
# Check out the apache.misp.ssl file for an example
/!\ WARNING - To be fixed - Place holder
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
8/ Log rotation
---------------
# MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
sudo chmod 0640 /etc/logrotate.d/misp
# Now make logrotate work under SELinux as well
# Allow logrotate to modify the log files
sudo semanage fcontext -a -t httpd_log_t "/var/www/MISP/app/tmp/logs(/.*)?"
sudo chcon -R -t httpd_log_t /var/www/MISP/app/tmp/logs
# Allow logrotate to read /var/www
sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te
sudo semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod
sudo semodule -i /tmp/misplogrotate.pp
9/ MISP configuration
---------------------
# There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied
sudo -u apache cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
sudo -u apache cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php
sudo -u apache cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
sudo -u apache cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
echo "<?php
class DATABASE_CONFIG {
public \$default = array(
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => '$DBHOST',
'login' => '$DBUSER_MISP',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
'password' => '$DBPASSWORD_MISP',
'database' => '$DBNAME',
'prefix' => '',
'encoding' => 'utf8',
);
}" | sudo -u apache tee $PATH_TO_MISP/app/Config/database.php
# Configure the fields in the newly created files:
# config.php : baseurl (example: 'baseurl' => 'http://misp',) - don't use "localhost" it causes issues when browsing externally
# core.php : Uncomment and set the timezone: `// date_default_timezone_set('UTC');`
# database.php : login, port, password, database
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
# public $default = array(
# 'datasource' => 'Database/Mysql',
# 'persistent' => false,
# 'host' => 'localhost',
# 'login' => 'misp', // grant usage on *.* to misp@localhost
# 'port' => 3306,
# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
# 'database' => 'misp', // create database misp;
# 'prefix' => '',
# 'encoding' => 'utf8',
# );
#}
# Important! Change the salt key in /var/www/MISP/app/Config/config.php
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)
# If you want to be able to change configuration parameters from the webinterface:
sudo chown apache:apache /var/www/MISP/app/Config/config.php
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Config/config.php
# Set some MISP directives with the command line tool
sudo $RUN_PHP "$CAKE Live $MISP_LIVE"
# Change base url
sudo $RUN_PHP "$CAKE Baseurl $MISP_BASEURL"
# Generate a GPG encryption key.
cat >/tmp/gen-key-script <<EOF
%echo Generating a default key
Key-Type: default
Key-Length: $GPG_KEY_LENGTH
Subkey-Type: default
Name-Real: $GPG_REAL_NAME
Name-Comment: $GPG_COMMENT
Name-Email: $GPG_EMAIL_ADDRESS
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
# Do a commit here, so that we can later print "done"
%commit
%echo done
EOF
sudo gpg --homedir /var/www/MISP/.gnupg --batch --gen-key /tmp/gen-key-script
sudo rm -f /tmp/gen-key-script
sudo chown -R apache:apache /var/www/MISP/.gnupg
# And export the public key to the webroot
sudo gpg --homedir /var/www/MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS |sudo tee /var/www/MISP/app/webroot/gpg.asc
sudo chown apache:apache /var/www/MISP/app/webroot/gpg.asc
# Start the workers to enable background jobs
chmod +x /var/www/MISP/app/Console/worker/start.sh
sudo -u apache $RUN_PHP /var/www/MISP/app/Console/worker/start.sh
# To make the background workers start on boot
vi /etc/rc.local
# Add the following line at the end
su -s /bin/bash apache -c 'scl enable rh-php56 /var/www/MISP/app/Console/worker/start.sh'
# and make sure it will execute
sudo chmod +x /etc/rc.local
# Initialize user and fetch Auth Key
sudo -E $RUN_PHP "$CAKE userInit -q"
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
# Setup some more MISP default via cake CLI
# Tune global time outs
sudo $RUN_PHP "$CAKE Admin setSetting "Session.autoRegenerate" 0"
sudo $RUN_PHP "$CAKE Admin setSetting "Session.timeout" 600"
sudo $RUN_PHP "$CAKE Admin setSetting "Session.cookie_timeout" 3600"
# Enable GnuPG
sudo $RUN_PHP "$CAKE Admin setSetting "GnuPG.email" "admin@admin.test""
sudo $RUN_PHP "$CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg""
sudo $RUN_PHP "$CAKE Admin setSetting "GnuPG.password" "Password1234""
# Enable Enrichment set better timeouts
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_services_enable" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_timeout" 300"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666"
# Enable Import modules set better timout
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_services_enable" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_services_port" 6666"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_timeout" 300"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_ocr_enabled" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true"
# Enable Export modules set better timout
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Export_services_enable" true"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Export_services_port" 6666"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Export_timeout" 300"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true"
# Enable installer org and tune some configurables
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.host_org_id" 1"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.email" "info@admin.test""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.disable_emailing" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.contact" "info@admin.test""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.disablerestalert" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true"
# Provisional Cortex tunes
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_enable" false"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_timeout" 120"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_authkey" """
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true"
# Various plugin sightings settings
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Sightings_policy" 0"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Sightings_anonymise" false"
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Sightings_range" 365"
# Plugin CustomAuth tuneable
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false"
# RPZ Plugin settings
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_policy" "DROP""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_refresh" "2h""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_retry" "30m""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_expiry" "30d""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_ttl" "1w""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_ns" "localhost.""
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_ns_alt" """
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost""
# Force defaults to make MISP Server Settings less RED
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.language" "eng""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.proposals_block_attributes" false"
## Redis block
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.redis_host" "127.0.0.1""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.redis_port" 6379"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.redis_database" 13"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.redis_password" """
# Force defaults to make MISP Server Settings less YELLOW
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.extended_alert_subject" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.default_event_threat_level" 4"
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team""
##sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.enableEventBlacklisting" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.enableOrgBlacklisting" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.log_client_ip" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.log_auth" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.disableUserSelfManagement" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.block_event_alert" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\"""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.block_old_event_alert" false"
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.block_old_event_alert_age" """
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false"
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.footermidleft" "This is an initial install""
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly""
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure""
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings""
# Force defaults to make MISP Server Settings less GREEN
sudo $RUN_PHP "$CAKE Admin setSetting "Security.password_policy_length" 12"
##sudo $RUN_PHP "$CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'"
# Tune global time outs
sudo $RUN_PHP "$CAKE Admin setSetting "Session.autoRegenerate" 0"
sudo $RUN_PHP "$CAKE Admin setSetting "Session.timeout" 600"
sudo $RUN_PHP "$CAKE Admin setSetting "Session.cookie_timeout" 3600"
# Now log in using the webinterface: http://misp/users/login
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
Don't forget to change the email, password and authentication key after installation.
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
chmod -R 750 /var/www/MISP/<directory path with an indicated issue>
chown -R apache:apache /var/www/MISP/<directory path with an indicated issue>
# Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items
# If anything goes wrong, make sure that you check MISP's logs for errors:
# /var/www/MISP/app/tmp/logs/error.log
# /var/www/MISP/app/tmp/logs/resque-worker-error.log
# /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
# /var/www/MISP/app/tmp/logs/resque-2015-01-01.log //where the actual date is the current date
Recommended actions
-------------------
- By default CakePHP exposes his name and version in email headers. Apply a patch to remove this behavior.
- You should really harden your OS
- You should really harden the configuration of Apache
- You should really harden the configuration of MySQL
- Keep your software up2date (MISP, CakePHP and everything else)
- Log and audit

735
docs/xINSTALL.debian_testing.md Normal file
View File

@ -0,0 +1,735 @@
INSTALLATION INSTRUCTIONS
------------------------- for Debian testing "buster" server
0/ MISP testing dev install - Status
------------------------------------
This is mostly the install [@SteveClement](https://twitter.com/SteveClement)
uses for testing, qc and random development.
Maintained and tested by @SteveClement on 20180705
Some configurables used below:
```
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
CAKE="$PATH_TO_MISP/app/Console/cake"
MISP_BASEURL=''
MISP_LIVE='1'
# Database configuration
DBHOST='localhost'
DBNAME='misp'
DBUSER_ADMIN='root'
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
FQDN='localhost'
# OpenSSL configuration
OPENSSL_CN='Common Name'
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
# php.ini configuration
upload_max_filesize=50M
post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/php/7.2/apache2/php.ini
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
```
1/ Minimal Debian install
-------------------------
# Install a minimal Debian testing "buster" server system with the software:
- OpenSSH server
- Web server, apache FTW!
- This guide assumes a user name of 'misp'
# Make sure you can sudo
```
misp@debian:~$ sudo ls
[sudo] password for misp:
misp is not in the sudoers file. This incident will be reported.
```
su -
adduser misp sudo
# install etckeeper (optional)
sudo apt install -y etckeeper
# Make sure your system is up2date:
sudo apt update
sudo apt -y dist-upgrade
# Network Interface Name salvage (optional)
This will bring back 'ethX' e.g: eth0
```
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
DEFAULT_GRUB=/etc/default/grub
for key in GRUB_CMDLINE_LINUX
do
sudo sed -i "s/^\($key\)=.*/\1=\"$(eval echo \${$key})\"/" $DEFAULT_GRUB
done
sudo grub-mkconfig -o /boot/grub/grub.cfg
```
# install postfix, there will be some questions.
sudo apt install -y postfix
# Postfix Configuration: Satellite system
# change the relay server later with:
sudo postconf -e 'relayhost = example.com'
sudo postfix reload
2/ Install LAMP & dependencies
------------------------------
Once the system is installed you can perform the following steps:
# Install all the dependencies: (some might already be installed)
sudo apt install -y \
curl gcc git gnupg-agent make openssl redis-server neovim zip libyara-dev python3-yara python3-redis python3-zmq \
mariadb-client \
mariadb-server \
apache2 apache2-doc apache2-utils \
libapache2-mod-php7.2 php7.2 php7.2-cli php7.2-mbstring php-pear php7.2-dev php7.2-json php7.2-xml php7.2-mysql php7.2-opcache php7.2-readline \
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools
# Start rng-tools to get more entropy (optional)
# If you get TPM errors, enable "Security chip" in BIOS (keep secure boot disabled)
sudo apt install rng-tools
sudo service rng-tools start
# Secure the MariaDB installation (especially by setting a strong root password)
sudo mysql_secure_installation
# Enable modules, settings, and default of SSL in Apache
sudo a2dismod status
sudo a2enmod ssl rewrite
sudo a2dissite 000-default
sudo a2ensite default-ssl
# Install PHP external dependencies
sudo pear channel-update pear.php.net
sudo pear install Crypt_GPG
sudo pecl channel-update pecl.php.net
sudo pecl install redis
echo "extension=redis.so" | sudo tee /etc/php/7.2/mods-available/redis.ini
# Switch to python3 by default (optional)
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
To flip between the 2 pythons: sudo update-alternatives --config python
# Apply all changes
sudo systemctl restart apache2
3/ MISP code
------------
# Download MISP using git in the /var/www/ directory.
sudo mkdir $PATH_TO_MISP
sudo chown www-data:www-data $PATH_TO_MISP
cd $PATH_TO_MISP
sudo -u www-data git clone https://github.com/MISP/MISP.git $PATH_TO_MISP
# Make git ignore filesystem permission differences
sudo -u www-data git config core.filemode false
cd $PATH_TO_MISP/app/files/scripts
sudo -u www-data git clone https://github.com/CybOXProject/python-cybox.git
sudo -u www-data git clone https://github.com/STIXProject/python-stix.git
cd $PATH_TO_MISP/app/files/scripts/python-cybox
sudo pip3 install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
sudo pip3 install .
# install mixbox to accomodate the new STIX dependencies:
cd $PATH_TO_MISP/app/files/scripts/
sudo -u www-data git clone https://github.com/CybOXProject/mixbox.git
cd $PATH_TO_MISP/app/files/scripts/mixbox
sudo pip3 install .
cd $PATH_TO_MISP
sudo -u www-data git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
sudo -u www-data git submodule foreach --recursive git config core.filemode false
# install PyMISP
cd $PATH_TO_MISP/PyMISP
sudo pip3 install .
4/ CakePHP
-----------
# CakePHP is included as a submodule of MISP.
# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd $PATH_TO_MISP/app
# Make composer cache happy
sudo mkdir /var/www/.composer ; sudo chown www-data:www-data /var/www/.composer
sudo -u www-data php composer.phar require kamisama/cake-resque:4.1.2
sudo -u www-data php composer.phar config vendor-dir Vendor
sudo -u www-data php composer.phar install
# Enable CakeResque with php-redis
sudo phpenmod redis
# To use the scheduler worker for scheduled tasks, do the following:
sudo -u www-data cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
5/ Set the permissions
----------------------
# Check if the permissions are set correctly using the following commands:
sudo chown -R www-data:www-data $PATH_TO_MISP
sudo chmod -R 750 $PATH_TO_MISP
sudo chmod -R g+ws $PATH_TO_MISP/app/tmp
sudo chmod -R g+ws $PATH_TO_MISP/app/files
sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
6/ Create a database and user
-----------------------------
# Enter the mysql shell
sudo mysql -u root -p
```
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
```
copy/paste:
```
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
```
# Import the empty MISP database from MYSQL.sql
sudo -u www-data cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
7/ Apache configuration
-----------------------
# Now configure your Apache webserver with the DocumentRoot $PATH_TO_MISP/app/webroot/
# If the apache version is 2.4:
sudo cp $PATH_TO_MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp-ssl.conf
# Be aware that the configuration files for apache 2.4 and up have changed.
# The configuration file has to have the .conf extension in the sites-available directory
# For more information, visit http://httpd.apache.org/docs/2.4/upgrading.html
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)
============================================= Begin sample working SSL config for MISP
<VirtualHost _default_:80>
ServerAdmin admin@<your.FQDN.here>
ServerName <your.FQDN.here>
Redirect permanent / https://<your.FQDN.here>
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost _default_:443>
ServerAdmin admin@<your.FQDN.here>
ServerName <your.FQDN.here>
DocumentRoot $PATH_TO_MISP/app/webroot
<Directory $PATH_TO_MISP/app/webroot>
Options -Indexes
AllowOverride all
Require all granted
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
============================================= End sample working SSL config for MISP
# activate new vhost
sudo a2dissite default-ssl
sudo a2ensite misp-ssl
# Recommended: Change some PHP settings in /etc/php/7.2/apache2/php.ini
# max_execution_time = 300
# memory_limit = 512M
# upload_max_filesize = 50M
# post_max_size = 50M
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
# Restart apache
sudo systemctl restart apache2
8/ Log rotation
---------------
# MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
chmod 0640 /etc/logrotate.d/misp
9/ MISP configuration
---------------------
# There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
echo "<?php
class DATABASE_CONFIG {
public \$default = array(
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => '$DBHOST',
'login' => '$DBUSER_MISP',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
'password' => '$DBPASSWORD_MISP',
'database' => '$DBNAME',
'prefix' => '',
'encoding' => 'utf8',
);
}" | sudo -u www-data tee $PATH_TO_MISP/app/Config/database.php
# and make sure the file permissions are still OK
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
sudo chmod -R 750 $PATH_TO_MISP/app/Config
# Set some MISP directives with the command line tool
sudo $CAKE Live $MISP_LIVE
# Change base url
sudo $CAKE Baseurl $MISP_BASEURL
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# 'baseurl' => '',
# and make sure the file permissions are still OK
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
sudo chmod -R 750 $PATH_TO_MISP/app/Config
# Generate a GPG encryption key.
cat >/tmp/gen-key-script <<EOF
%echo Generating a default key
Key-Type: default
Key-Length: $GPG_KEY_LENGTH
Subkey-Type: default
Name-Real: $GPG_REAL_NAME
Name-Comment: $GPG_COMMENT
Name-Email: $GPG_EMAIL_ADDRESS
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
# Do a commit here, so that we can later print "done"
%commit
%echo done
EOF
sudo -u www-data gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
# And export the public key to the webroot
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | sudo -u www-data tee $PATH_TO_MISP/app/webroot/gpg.asc
# To make the background workers start on boot
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
if [ ! -e /etc/rc.local ]
then
echo '#!/bin/sh -e' | sudo tee -a /etc/rc.local
echo 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod u+x /etc/rc.local
fi
# Initialize user and fetch Auth Key
sudo -E $CAKE userInit -q
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
# Setup some more MISP default via cake CLI
# Tune global time outs
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
# Enable GnuPG
sudo $CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
sudo $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
sudo $CAKE Admin setSetting "GnuPG.password" "Password1234"
# Enable Enrichment set better timeouts
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
sudo $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
# Enable Import modules set better timout
sudo $CAKE Admin setSetting "Plugin.Import_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Import_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Import_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
sudo $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
# Enable Export modules set better timout
sudo $CAKE Admin setSetting "Plugin.Export_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Export_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Export_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
# Enable installer org and tune some configurables
sudo $CAKE Admin setSetting "MISP.host_org_id" 1
sudo $CAKE Admin setSetting "MISP.email" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disable_emailing" true
sudo $CAKE Admin setSetting "MISP.contact" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disablerestalert" true
sudo $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
# Provisional Cortex tunes
sudo $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
# Various plugin sightings settings
sudo $CAKE Admin setSetting "Plugin.Sightings_policy" 0
sudo $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
sudo $CAKE Admin setSetting "Plugin.Sightings_range" 365
# Plugin CustomAuth tuneable
sudo $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
# RPZ Plugin settings
sudo $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
sudo $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
sudo $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
sudo $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
sudo $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
sudo $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
sudo $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
sudo $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
sudo $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
sudo $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
# Force defaults to make MISP Server Settings less RED
sudo $CAKE Admin setSetting "MISP.language" "eng"
sudo $CAKE Admin setSetting "MISP.proposals_block_attributes" false
## Redis block
sudo $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
sudo $CAKE Admin setSetting "MISP.redis_port" 6379
sudo $CAKE Admin setSetting "MISP.redis_database" 13
sudo $CAKE Admin setSetting "MISP.redis_password" ""
# Force defaults to make MISP Server Settings less YELLOW
sudo $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
sudo $CAKE Admin setSetting "MISP.extended_alert_subject" false
sudo $CAKE Admin setSetting "MISP.default_event_threat_level" 4
sudo $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
sudo $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
sudo $CAKE Admin setSetting "MISP.log_client_ip" false
sudo $CAKE Admin setSetting "MISP.log_auth" false
sudo $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
sudo $CAKE Admin setSetting "MISP.block_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
sudo $CAKE Admin setSetting "MISP.block_old_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
sudo $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
sudo $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install"
sudo $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
sudo $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
sudo $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings"
# Force defaults to make MISP Server Settings less GREEN
sudo $CAKE Admin setSetting "Security.password_policy_length" 12
sudo $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
# Tune global time outs
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
# Now log in using the webinterface:
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
# start the workers by navigating to the workers tab and clicking restart all workers
# Don't forget to change the email, password and authentication key after installation.
# Set MISP Live
sudo $CAKE Live $MISP_LIVE
# Update the galaxies…
sudo $CAKE Admin updateGalaxies
# Updating the taxonomies…
sudo $CAKE Admin updateTaxonomies
# Updating the warning lists…
sudo $CAKE Admin updateWarningLists
# Updating the notice lists…
## sudo $CAKE Admin updateNoticeLists
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
# Updating the object templates…
##sudo $CAKE Admin updateObjectTemplates
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
# Add the following lines before the last line (exit 0). Make sure that you replace www-data with your apache user:
sudo sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
sudo sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
sudo sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
# Start the workers
sudo -u www-data bash $PATH_TO_MISP/app/Console/worker/start.sh
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
cd misp-modules
# pip3 install
sudo pip3 install -I -r REQUIREMENTS
sudo pip3 install -I .
sudo pip3 install maec lief python-magic wand
sudo pip3 install git+https://github.com/kbandla/pydeep.git
# install STIX2.0 library to support STIX 2.0 export:
sudo pip3 install stix2
sudo gem install pygments.rb
sudo gem install asciidoctor-pdf --pre
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
sudo chmod -R 750 $PATH_TO_MISP/<directory path with an indicated issue>
sudo chown -R www-data:www-data $PATH_TO_MISP/<directory path with an indicated issue>
# Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items
# If anything goes wrong, make sure that you check MISP's logs for errors:
# $PATH_TO_MISP/app/tmp/logs/error.log
# $PATH_TO_MISP/app/tmp/logs/resque-worker-error.log
# $PATH_TO_MISP/app/tmp/logs/resque-scheduler-error.log
# $PATH_TO_MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
Recommended actions
-------------------
- By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.
- You should really harden your OS
- You should really harden the configuration of Apache
- You should really harden the configuration of MySQL/MariaDB
- Keep your software up2date (OS, MISP, CakePHP and everything else)
- Log and audit
Optional features
-------------------
# set PATH so it includes viper if it exists
if [ -d "/usr/local/src/viper" ] ; then
PATH="$PATH:/usr/local/src/viper"
fi
# set PATH so it includes viper if it exists
if [ -d "/var/www/MISP/app/Console" ] ; then
PATH="$PATH:/var/www/MISP/app/Console"
fi
# MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following commands
# ZeroMQ depends on the Python client for Redis
sudo apt install python3-redis -y
## install pyzmq
sudo apt install python3-zmq -y
MISP Dashboard
--------------
cd /var/www
sudo mkdir misp-dashboard
sudo chown www-data:www-data misp-dashboard
sudo -u www-data git clone https://github.com/MISP/misp-dashboard.git
cd misp-dashboard
sudo /var/www/misp-dashboard/install_dependencies.sh
sudo sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
sudo sed -i -e '$i \sudo -u www-data bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local
sudo sed -i '/Listen 80/a Listen 0.0.0.0:8001' /etc/apache2/ports.conf
sudo apt install libapache2-mod-wsgi-py3
echo "<VirtualHost *:8001>
ServerAdmin admin@misp.local
ServerName misp.local
DocumentRoot /var/www/misp-dashboard
WSGIDaemonProcess misp-dashboard \
user=misp group=misp \
python-home=/var/www/misp-dashboard/DASHENV \
processes=1 \
threads=15 \
maximum-requests=5000 \
listen-backlog=100 \
queue-timeout=45 \
socket-timeout=60 \
connect-timeout=15 \
request-timeout=60 \
inactivity-timeout=0 \
deadlock-timeout=60 \
graceful-timeout=15 \
eviction-timeout=0 \
shutdown-timeout=5 \
send-buffer-size=0 \
receive-buffer-size=0 \
header-buffer-size=0 \
response-buffer-size=0 \
server-metrics=Off
WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi
<Directory /var/www/misp-dashboard>
WSGIProcessGroup misp-dashboard
WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
LogLevel info
ErrorLog /var/log/apache2/misp-dashboard.local_error.log
CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
ServerSignature Off
</VirtualHost>" | sudo tee /etc/apache2/sites-available/misp-dashboard.conf
sudo a2ensite misp-dashboard
sudo systemctl reload apache2
# Enable ZeroMQ for misp-dashboard
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
Install viper framework
-----------------------
cd /usr/local/src/
sudo apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
sudo pip3 install SQLAlchemy PrettyTable python-magic
sudo git clone https://github.com/viper-framework/viper.git
cd viper
sudo git git submodule update --init --recursive
sudo pip3 install -r requirements.txt
sudo pip3 uninstall yara -y
/usr/local/src/viper/viper-cli -h
/usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper"' |sudo tee /etc/environment
sed -i "s/^misp_url\ =/misp_url\ =\ http:\/\/localhost/g" ~/.viper/viper.conf
sed -i "s/^misp_key\ =/misp_key\ =\ $AUTH_KEY/g" ~/.viper/viper.conf
sqlite3 ~/.viper/admin.db 'UPDATE auth_user SET password="pbkdf2_sha256$100000$iXgEJh8hz7Cf$vfdDAwLX8tko1t0M1TLTtGlxERkNnltUnMhbv56wK/U="'
Install mail to misp
--------------------
cd /usr/local/src/
sudo apt-get install -y cmake
sudo git clone https://github.com/MISP/mail_to_misp.git
sudo git clone git://github.com/stricaud/faup.git
cd faup
sudo mkdir -p build
cd build
sudo cmake .. && sudo make
sudo make install
sudo ldconfig
cd ../../
cd mail_to_misp
sudo pip3 install -r requirements.txt
sudo cp mail_to_misp_config.py-example mail_to_misp_config.py
sudo sed -i "s/^misp_url\ =\ 'YOUR_MISP_URL'/misp_url\ =\ 'http:\/\/localhost'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
sudo sed -i "s/^misp_key\ =\ 'YOUR_KEY_HERE'/misp_key\ =\ '$AUTH_KEY'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py

3
docs/xINSTALL.md Normal file
View File

@ -0,0 +1,3 @@
!!! warning
All guides prefixed with 'x' are not being actively maintained by the MISP core maintainers.
If you want to change that, please reach out on [gitter](https://gitter.im/MISP/MISP).

81
mkdocs.yml Normal file
View File

@ -0,0 +1,81 @@
# Requirements: mkdocs >1.x && mkdocs-material
# Project information
site_name: MISP Install Documentation
site_description: MISP Project - Install Guides
site_author: MISP Project
site_url: https://www.misp-project.org/
# Repository
repo_name: SteveClement/MISP
repo_url: https://github.com/SteveClement/MISP
edit_uri: ""
# Copyright
copyright: "Copyright &copy; 2019 MISP Project"
# Options
extra:
search:
languages: "en"
social:
- type: globe
link: https://www.misp-project.org/
- type: github-alt
link: https://github.com/MISP
- type: twitter
link: https://twitter.com/MISPProject
theme:
name: material
language: en
favicon: img/favicon.ico
logo: img/misp.png
# Extensions
markdown_extensions:
- markdown.extensions.admonition
- markdown.extensions.codehilite:
guess_lang: false
- markdown.extensions.def_list
- markdown.extensions.footnotes
- markdown.extensions.meta
- markdown.extensions.toc:
permalink: true
- pymdownx.arithmatex
- pymdownx.betterem:
smart_enable: all
- pymdownx.caret
- pymdownx.critic
- pymdownx.details
- pymdownx.emoji:
emoji_generator: !!python/name:pymdownx.emoji.to_svg
- pymdownx.inlinehilite
- pymdownx.magiclink
- pymdownx.mark
- pymdownx.smartsymbols
- pymdownx.superfences
- pymdownx.tasklist:
custom_checkbox: true
- pymdownx.tilde
nav:
- Home: 'index.md'
- Install Guides:
- 'Ubuntu 18.04': 'INSTALL.ubuntu1804.md'
- 'Debian stable': 'INSTALL.debian9.md'
- 'Kali Linux': 'INSTALL.kali.md'
- 'Redhat Enterprise Linux 7': 'INSTALL.rhel7.md'
- xInstall Guides:
- 'Warning': 'xINSTALL.md'
- 'Centos 7': 'xINSTALL.centos7.md'
- 'Debian testing': 'xINSTALL.debian_testing.md'
- 'OpenBSD 6.3': 'xINSTALL.OpenBSD.md'
- Config Guides:
- 'Elastic Search Logging': 'CONFIG.elasticsearch-logging.md'
- 'Amazon S3 attachments': 'CONFIG.s3-attachments.md'
- 'S/MIME': 'CONFIG.SMIME.md'
- Update MISP: 'UPDATE.md'
- About:
- 'MISP Release Notes': 'Changelog.md'
- 'License': 'license.md'