MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

chg: [doc] Updated and tested basic MISP functionality under CentOS 7.5

pull/3630/head
Steve Clement 2018-09-06 16:22:07 +02:00
parent 24bbfad29e
commit 9ed7a3ddc2
1 changed files with 160 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

230
INSTALL/xINSTALL.centos7.txt
View File

@ -1,6 +1,62 @@
INSTALLATION INSTRUCTIONS
------------------------- for CentOS 7.x
0/ MISP CentOS 7 install - Status
---------------------------------
Maintained and tested by @SteveClement, CentOS 7.5-1804 on 20180906
Some configurables used below:
```
# CentOS Specific
RUN_PHP='/usr/bin/scl enable rh-php56 '
RUN_PYTHON='/usr/bin/scl enable rh-python36 '
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
CAKE="$PATH_TO_MISP/app/Console/cake"
MISP_BASEURL=''
MISP_LIVE='1'
# Database configuration
DBHOST='localhost'
DBNAME='misp'
DBUSER_ADMIN='root'
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
FQDN='localhost'
# OpenSSL configuration
OPENSSL_CN='Common Name'
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
# php.ini configuration
upload_max_filesize=50M
post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/opt/rh/rh-php56/php.ini
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
```
1/ Minimal CentOS install
-------------------------
@ -14,95 +70,98 @@ Install a minimal CentOS 7.x system with the software:
hostnamectl set-hostname misp # or whatever you want it to be
# Make sure your system is up2date:
yum update
sudo yum update
2/ Dependencies *
----------------
Once the system is installed you can perform the following steps as root:
Once the system is installed you can perform the following steps as root or with sudo:
# We need some packages from the Extra Packages for Enterprise Linux repository
yum install epel-release
sudo yum install epel-release
# Since MISP 2.4 PHP 5.5 is a minimal requirement, so we need a newer version than CentOS base provides
# Software Collections is a way do to this, see https://wiki.centos.org/AdditionalResources/Repositories/SCL
yum install centos-release-scl
sudo yum install centos-release-scl
# Install the dependencies:
yum install gcc git httpd zip redis mariadb mariadb-server python-devel python-pip libxslt-devel zlib-devel
sudo yum install gcc git httpd zip redis mariadb mariadb-server python-devel python-pip libxslt-devel zlib-devel
# Install PHP 5.6 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-php56/
yum install rh-php56 rh-php56-php-fpm rh-php56-php-devel rh-php56-php-mysqlnd rh-php56-php-mbstring rh-php56-php-xml rh-php56-php-bcmath rh-php56-php-opcache
sudo yum install rh-php56 rh-php56-php-fpm rh-php56-php-devel rh-php56-php-mysqlnd rh-php56-php-mbstring rh-php56-php-xml rh-php56-php-bcmath rh-php56-php-opcache
# Install Python 3.6 from SCL, see
# https://www.softwarecollections.org/en/scls/rhscl/rh-python36/
yum install rh-python36
sudo yum install rh-python36
# rh-php56-php only provided mod_php for httpd24-httpd from SCL
# if we want to use httpd from CentOS base we can use rh-php56-php-fpm instead
systemctl enable rh-php56-php-fpm.service
systemctl start rh-php56-php-fpm.service
sudo systemctl enable rh-php56-php-fpm.service
sudo systemctl start rh-php56-php-fpm.service
# Start a new shell with rh-php56 enabled
scl enable rh-php56 bash
$RUN_PHP "pear channel-update pear.php.net"
$RUN_PHP "pear install Crypt_GPG" # we need version >1.3.0
pear channel-update pear.php.net
pear install Crypt_GPG # we need version >1.3.0
NOTE: if using rh-php56 the command needs to be run through its terminal: /usr/bin/scl enable rh-php56 "pear list | grep Crypt_GPG"
NOTE: $RUN_PHP makes php available for you if using rh-php56. e.g: $RUN_PHP "pear list | grep Crypt_GPG"
# GPG needs lots of entropy, haveged provides entropy
yum install haveged
systemctl enable haveged.service
systemctl start haveged.service
sudo yum install haveged
sudo systemctl enable haveged.service
sudo systemctl start haveged.service
# Enable and start redis
systemctl enable redis.service
systemctl start redis.service
sudo systemctl enable redis.service
sudo systemctl start redis.service
3/ MISP code
------------
# Download MISP using git in the /var/www/ directory.
cd /var/www/
git clone https://github.com/MISP/MISP.git
sudo git clone https://github.com/MISP/MISP.git
cd /var/www/MISP
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
sudo git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
# Make git ignore filesystem permission differences
git config core.filemode false
sudo git config core.filemode false
# Fetch submodules
cd /var/www/MISP
sudo git submodule init
sudo git submodule update
# Make git ignore filesystem permission differences for submodules
sudo git submodule foreach git config core.filemode false
# Start new shell with python 3 enabled
scl enable rh-python36 bash
sudo scl enable rh-python36 bash
# install Mitre's STIX and its dependencies by running the following commands:
yum install python-importlib python-lxml python-dateutil python-six
sudo yum install python-importlib python-lxml python-dateutil python-six
cd /var/www/MISP/app/files/scripts
git clone https://github.com/CybOXProject/python-cybox.git
git clone https://github.com/STIXProject/python-stix.git
sudo git clone https://github.com/CybOXProject/python-cybox.git
sudo git clone https://github.com/STIXProject/python-stix.git
cd /var/www/MISP/app/files/scripts/python-cybox
git config core.filemode false
sudo git config core.filemode false
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
python3 setup.py install
$RUN_PYTHON "python3 setup.py install"
cd /var/www/MISP/app/files/scripts/python-stix
git config core.filemode false
python3 setup.py install
$RUN_PYTHON "python3 setup.py install"
# install mixbox to accomodate the new STIX dependencies:
cd /var/www/MISP/app/files/scripts/
git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
git config core.filemode false
python3 setup.py install
$RUN_PYTHON "python3 setup.py install"
# install PyMISP
cd /var/www/MISP/PyMISP
python3 setup.py install
$RUN_PYTHON "python3 setup.py install"
# Enable python3 for php-fpm
echo 'source scl_source enable rh-python36' >> /etc/opt/rh/rh-php56/sysconfig/php-fpm
@ -113,34 +172,34 @@ umask $UMASK
4/ CakePHP
-----------
# CakePHP is now included as a submodule of MISP, execute the following commands to let git fetch it
# ignore this message:
# No submodule mapping found in .gitmodules for path 'app/Plugin/CakeResque'
cd /var/www/MISP
git submodule init
git submodule update
# Make git ignore filesystem permission differences for submodules
git submodule foreach git config core.filemode false
# Once done, install CakeResque along with its dependencies if you intend to use the built in background jobs:
# CakePHP is now included as a submodule of MISP and has been fetch by a previous step.
# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd /var/www/MISP/app
php composer.phar require kamisama/cake-resque:4.1.2
php composer.phar config vendor-dir Vendor
php composer.phar install
$RUN_PHP "composer.phar require kamisama/cake-resque:4.1.2"
$RUN_PHP "composer.phar config vendor-dir Vendor"
$RUN_PHP "composer.phar install"
# CakeResque normally uses phpredis to connect to redis, but it has a (buggy) fallback connector through Redisent. It is highly advised to install phpredis using "yum install php-redis"
pecl install redis-2.2.8
$RUN_PHP "pecl install redis-2.2.8"
echo "extension=redis.so" > /etc/opt/rh/rh-php56/php-fpm.d/redis.ini
ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php56/php.d/99-redis.ini
systemctl restart rh-php56-php-fpm.service
Note: if using rh-php56 redis needs to be installed through its terminal: /usr/bin/scl enable rh-php56 "pecl install redis-2.2.8"
# If you have not yet set a timezone in php.ini
echo 'date.timezone = "Europe/Amsterdam"' > /etc/opt/rh/rh-php56/php-fpm.d/timezone.ini
echo 'date.timezone = "Europe/Luxembourg"' > /etc/opt/rh/rh-php56/php-fpm.d/timezone.ini
ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php56/php.d/99-timezone.ini
# Recommended: Change some PHP settings in /etc/opt/rh/rh-php56/php.ini
# max_execution_time = 300
# memory_limit = 512M
# upload_max_filesize = 50M
# post_max_size = 50M
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo systemctl restart rh-php56-php-fpm.service
# To use the scheduler worker for scheduled tasks, do the following:
cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
@ -148,23 +207,28 @@ cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResqu
----------------------
# Make sure the permissions are set correctly using the following commands as root:
chown -R root:apache /var/www/MISP
find /var/www/MISP -type d -exec chmod g=rx {} \;
chmod -R g+r,o= /var/www/MISP
chown apache:apache /var/www/MISP/app/files
chown apache:apache /var/www/MISP/app/files/terms
chown apache:apache /var/www/MISP/app/files/scripts/tmp
chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp
chown -R apache:apache /var/www/MISP/app/tmp
chown -R apache:apache /var/www/MISP/app/webroot/img/orgs
chown -R apache:apache /var/www/MISP/app/webroot/img/custom
sudo chown -R root:apache /var/www/MISP
sudo find /var/www/MISP -type d -exec chmod g=rx {} \;
sudo chmod -R g+r,o= /var/www/MISP
sudo chmod -R 750 /var/www/MISP
sudo chmod -R g+ws /var/www/MISP/app/tmp
sudo chmod -R g+ws /var/www/MISP/app/files
sudo chmod -R g+ws /var/www/MISP/app/files/scripts/tmp
sudo chown apache:apache /var/www/MISP/app/files
sudo chown apache:apache /var/www/MISP/app/files/terms
sudo chown apache:apache /var/www/MISP/app/files/scripts/tmp
sudo chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp
sudo chown -R apache:apache /var/www/MISP/app/Config
sudo chown -R apache:apache /var/www/MISP/app/tmp
sudo chown -R apache:apache /var/www/MISP/app/webroot/img/orgs
sudo chown -R apache:apache /var/www/MISP/app/webroot/img/custom
6/ Create a database and user
-----------------------------
# Enable, start and secure your mysql database server
systemctl enable mariadb.service
systemctl start mariadb.service
mysql_secure_installation
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service
sudo mysql_secure_installation
# Additionally, it is probably a good idea to make the database server listen on localhost only
echo [mysqld] > /etc/my.cnf.d/bind-address.cnf
@ -198,6 +262,7 @@ chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp/logs
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
@ -275,15 +340,36 @@ chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Config/config.php
# Generate a GPG encryption key.
# If the following command gives an error message, try it as root from the console
gpg --gen-key
mv ~/.gnupg /var/www/MISP/
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
# The email address should match the one set in the config.php configuration file
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
cat >/tmp/gen-key-script <<EOF
%echo Generating a default key
Key-Type: default
Key-Length: $GPG_KEY_LENGTH
Subkey-Type: default
Name-Real: $GPG_REAL_NAME
Name-Comment: $GPG_COMMENT
Name-Email: $GPG_EMAIL_ADDRESS
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
# Do a commit here, so that we can later print "done"
%commit
%echo done
EOF
gpg --homedir /var/www/MISP/.gnupg --batch --gen-key /tmp/gen-key-script
rm -f /tmp/gen-key-script
chown -R apache:apache /var/www/MISP/.gnupg
# The email address should match the one set in the config.php configuration file
# Make sure that you use the same settings in the MISP Server Settings tool (Described on line 246)
# And export the public key to the webroot
sudo -u apache gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-EMAIL > /var/www/MISP/app/webroot/gpg.asc
gpg --homedir /var/www/MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS > /var/www/MISP/app/webroot/gpg.asc
chown apache:apache /var/www/MISP/app/webroot/gpg.asc
# Start the workers to enable background jobs
chmod +x /var/www/MISP/app/Console/worker/start.sh
@ -296,6 +382,10 @@ su -s /bin/bash apache -c 'scl enable rh-php56 /var/www/MISP/app/Console/worker/
# and make sure it will execute
chmod +x /etc/rc.local
# Initialize user and fetch Auth Key
sudo -E $RUN_PHP "$CAKE userInit -q"
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
# Now log in using the webinterface: http://misp/users/login
# The default user/pass = admin@admin.test/admin