MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

new: [tools] Added tool to create MISP INSTALL Docs and push to gh-page, plus it fetche latest Changelog.txt

pull/3784/head
Steve Clement 2018-10-22 09:52:55 +09:00
parent 5c8216c81c
commit bb615b92bf
10 changed files with 19 additions and 969 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
INSTALL/CONFIG.SMIME.txt
View File

@ -1,32 +0,0 @@
#SMIME patch
## Create SMIME directory
mkdir /var/www/MISP/.smime
## Copy your public x509 certificate (for signing) in PEM format
cp email@address.com.pem /var/www/MISP/.smime/email@address.com.pem
## Copy your private key for signing email
cp email@address.com.key /var/www/MISP/.smime/email@address.com.key
### Set permissions
chown www-data:www-data /var/www/MISP/.smime
chmod 500 /var/www/MISP/.smime
chmod 440 /var/www/MISP/.smime/*
## Export the public certificate (for Encipherment) to the webroot
cp public_certificate.pem /var/www/MISP/app/webroot/public_certificate.pem
Due to this action, the MISP users will be able to download your public certificate (for Encipherment) by clicking on the footer
### Set permissions
chown www-data:www-data /var/www/MISP/app/webroot/public_certificate.pem
chmod 440 /var/www/MISP/app/webroot/public_certificate.pem
## Configure the section "SMIME" in the server settings (Administration -> Server settings -> Encryption tab)

67
INSTALL/CONFIG.elasticsearch-logging.txt
View File

@ -1,67 +0,0 @@
# It's possible to send all logs from MISP to an elasticsearch
# endpoint
# First, we'll need an ES PHP library
# Replace according to your requirements
export MISP_DIR=/var/www/MISP
cd $MISP_DIR/app
sudo -u www-data php composer.phar require elasticsearch/elasticsearch
# Ok now we need to configure where we log to
#
# In Administration -> Server Settings & Maintenance -> Plugin Settings
# Under the elasticsearch tab, enable elasticsearch logging, and input
# your connection string
# Note that explicitly specifying the port may be needed, e.g. for AWS instances
# running on 443.
# Also input a log index - all logs will be thrown at this index.
# Now give ES a template to work from
cat << EOF > misp_es_template.json
{
"template": "misp_logging",
"mappings": {
"log": {
"_source": {
"enabled": true
},
"properties": {
"Log.email": {
"type": "keyword"
},
"Log.title": {
"type": "text"
},
"Log.ip": {
"type": "ip"
},
"Log.created": {
"format": "YYYY-MM-dd HH:mm:ss",
"type": "date"
},
"Log.description": {
"type": "text"
},
"Log.org": {
"type": "text"
},
"Log.action": {
"type": "text"
},
"Log.model": {
"type": "text"
},
"Log.change": {
"type": "text"
}
}
}
}
}
EOF
# And put it to ES
curl -XPUT https://my_es/_template/misp_logging --data-binary @misp_es_template.json
# Now MISP will start sending logs to ES! Hooray!

97
INSTALL/CONFIG.s3-attachments.txt
View File

@ -1,97 +0,0 @@
Using S3 as an attachment store
===============================
It is possible to use Amazon's Simple Storage Service (S3) to store event attachments
to allow for a stateless MISP setup (i.e for containerisation)
There's a massive caveat here so let me make this incredibly clear
##############################################
# WARNING WARNING WARNING #
# #
# Storing malware is against amazon's #
# terms of service. #
# #
# DO NOT USE THIS UNLESS YOU HAVE #
# THEIR EXPLICIT PERMISSION #
##############################################
0. Installing Dependencies
--------------------------
Install the AWS PHP SDK
```bash
cd /var/www/MISP/app
sudo -u www-data php composer.phar config vendor-dir Vendor
sudo -u www-data php composer.phar require aws/aws-sdk-php
```
1. Creating an S3 bucket
-------------------------
Go to https://s3.console.aws.amazon.com/s3/home
And create a bucket. It has to have a globally unique name, and
this cannot be changed later on.
2a. Using an EC2 instance for MISP
-----------------------------------
If you run MISP on EC2, this will be super duper easy peasy.
Simply create an IAM role with the following permissions and assign it to the instance
by right-clicking and selecting "Instance Settings -> Attach/Replace IAM role"
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PermitMISPAttachmentsToS3",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::your-bucket-name"
]
}
]
}
```
2b. Using AWS access keys
-------------------------
This is not recommended, but it works I think.
Create a new programmatic access user via IAM and apply the same
policy outlined above.
Copy the access keys and save them for the next step
3. Setting up MISP
------------------
In Administration -> Server Settings & Maintenance -> MISP settings
Set MISP.attachments_dir to "s3://"
In Administration -> Server Settings & Maintenance -> Plugin Settings -> S3
Set S3_enable to True
Set S3_bucket-name to the bucket you created earlier
Set S3_region to your region
ONLY IF YOU DID NOT USE THE EC2 METHOD
Set aws_access_key and aws_secret_key to the ones you created in 2b
Now theoretically it should work.
Addendum
========
If you are migrating a server currently in use, simply copy the directory structure from
the attachments folder (usually /var/www/MISP/app/files) to S3 and everything should
continue to work.

435
INSTALL/INSTALL.rhel7.txt
View File

@ -1,435 +0,0 @@
INSTALLATION INSTRUCTIONS for RHEL 7.x
-------------------------
+----------------------------------------+
| 0/ Overview and Assumptions |
+----------------------------------------+
This document details the steps to install MISP on Red Hat Enterprise Linux 7.x (RHEL 7.x). At time of this writing it
was tested on version 7.4.
The following assumptions with regard to this installation have been made.
0.1/ A valid support agreement allowing the system to register to the Red Hat Customer Portal and receive updates
0.2/ The ability to enable additional RPM repositories, specifically the EPEL and Software Collections (SCL) repos
0.3/ This system will have direct or proxy access to the Internet for updates. Or connected to a Red Hat Satellite Server
0.4/ This document is to get a MISP instance up and running over HTTP. I haven't done a full test of all features
+----------------------------------------------+
| 1/ OS Install and additional repositories |
+----------------------------------------------+
1.1/ Complete a minimal RHEL installation, configure IP address to connect automatically.
1.2/ Configure system hostname
hostnamectl set-hostname misp # You're choice, in a production environment, it's best to use a FQDN
1.3/ Register the system for updates with Red Hat Subscription Manager
subscription-manager register # register your system to an account
subscription-manager attach # attach your system to a current subscription
1.4/ Enable the optional, extras and Software Collections (SCL) repos
subscription-manager repos --enable rhel-7-server-optional-rpms
subscription-manager repos --enable rhel-7-server-extras-rpms
subscription-manager repos --enable rhel-server-rhscl-7-rpms
1.5a/ OPTIONAL: Install the deltarpm package to help reduce download size when installing updates
yum install deltarpm
1.5/ Update the system and reboot
yum update
## NOTE: As time of writing performing a yum update results in the rhel-7-server-rt-beta-rpms being forbidden
## The repo can be disabled using the following command
subscription-manager repos --disable rhel-7-server-rt-beta-rpms
1.6/ Install the EPEL repo
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
1.7/ Install the SCL repo
yum install centos-release-scl
+-----------------------------+
| 2/ Install Dependencies |
+-----------------------------+
Once the system is installed and updated, the following steps can be performed as root
2.01/ Install some base system dependencies
yum install gcc git httpd zip python-devel libxslt-devel zlib-devel python-pip ssdeep-devel
2.02/ Install MariaDB 10.2 from SCL
yum install rh-mariadb102
2.03/ Start the MariaDB service and enable it to start on boot
systemctl start rh-mariadb102-mariadb.service
systemctl enable rh-mariadb102-mariadb.service
## MISP 2.4 requires PHP 5.5 as a minimum, we need a higher version than base RHEL provides.
## This guide installs PHP 7.1 from SCL
2.04/ Install PHP 7.1 from SCL
yum install rh-php71 rh-php71-php-fpm rh-php71-php-devel rh-php71-php-mysqlnd rh-php71-php-mbstring rh-php71-php-xml rh-php71-php-bcmath rh-php71-php-opcache
## If we want to use httpd from RHEL base we can use the rh-php71-php-fpm service instead
2.05/ Start the PHP FPM service and enable to start on boot
systemctl start rh-php71-php-fpm.service
systemctl enable rh-php71-php-fpm.service
2.06/ Install redis 3.2 from SCL
yum install rh-redis32
2.07/ Start redis service and enable to start on boot
systemctl start rh-redis32-redis.service
systemctl enable rh-redis32-redis.service
2.08/ Start a SCL shell with rh-mariadb102 rh-php71 and rh-redis32 enabled
scl enable rh-mariadb102 rh-php71 rh-redis32 bash
2.08/ Secure the MariaDB installation, run the following command and follow the prompts
mysql_secure_installation
2.10/ Update the PHP extension repository and install required package
pear channel-update pear.php.net
pear install Crypt_GPG
2.11/ Install haveged and enable to start on boot to provide entropy for GPG
yum install haveged
systemctl start haveged
systemctl enable haveged
2.12/ Install Python 3.6 from SCL
yum install rh-python36
+---------------------+
| 3/ MISP Download |
+---------------------+
3.01/ Download MISP code using git in /var/www/ directory
cd /var/www
git clone https://github.com/MISP/MISP.git
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
3.02/ Make git ignore filesystem permission differences
git config core.filemode false
3.03/ Install Mitre's STIX and its dependencies by running the following commands:
pip install importlib
yum install python-six
cd /var/www/MISP/app/files/scripts
git clone https://github.com/CybOXProject/python-cybox.git
git clone https://github.com/STIXProject/python-stix.git
cd /var/www/MISP/app/files/scripts/python-cybox
git config core.filemode false
# If your umask has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
scl enable rh-python36 'python3 setup.py install'
cd /var/www/MISP/app/files/scripts/python-stix
git config core.filemode false
scl enable rh-python36 'python3 setup.py install'
3.04/ Install mixbox to accomodate the new STIX dependencies:
cd /var/www/MISP/app/files/scripts/
git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
git config core.filemode false
scl enable rh-python36 'python3 setup.py install'
umask $UMASK
3.05/ Enable python3 for php-fpm
echo 'source scl_source enable rh-python36' >> /etc/opt/rh/rh-php71/sysconfig/php-fpm
sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php71/php-fpm.d/www.conf
systemctl restart rh-php71-php-fpm.service
+---------------------+
| 4/ CakePHP |
+---------------------+
4.01/ CakePHP is now included as a submodule of MISP, execute the following commands to let git fetch it ignore this
message: No submodule mapping found in .gitmodules for path 'app/Plugin/CakeResque'
cd /var/www/MISP
git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
git submodule foreach --recursive git config core.filemode false
4.02/ Install CakeResque along with its dependencies if you intend to use the built in background jobs
cd /var/www/MISP/app
php composer.phar require kamisama/cake-resque:4.1.2
php composer.phar config vendor-dir Vendor
php composer.phar install
4.03/ Install and configure php redis connector through pecl
pecl install redis
echo "extension=redis.so" > /etc/opt/rh/rh-php71/php-fpm.d/redis.ini
ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php71/php.d/99-redis.ini
systemctl restart rh-php71-php-fpm.service
4.04/ Set a timezone in php.ini
echo 'date.timezone = "Australia/Sydney"' > /etc/opt/rh/rh-php71/php-fpm.d/timezone.ini
ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php71/php.d/99-timezone.ini
4.05/ To use the scheduler worker for scheduled tasks, do the following:
cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
+----------------------------+
| 5/ Set file permissions |
+----------------------------+
5.01/ Make sure the permissions are set correctly using the following commands as root:
chown -R root:apache /var/www/MISP
find /var/www/MISP -type d -exec chmod g=rx {} \;
chmod -R g+r,o= /var/www/MISP
chown apache:apache /var/www/MISP/app/files
chown apache:apache /var/www/MISP/app/files/terms
chown apache:apache /var/www/MISP/app/files/scripts/tmp
chown apache:apache /var/www/MISP/app/Plugin/CakeResque/tmp
chown -R apache:apache /var/www/MISP/app/tmp
chown -R apache:apache /var/www/MISP/app/webroot/img/orgs
chown -R apache:apache /var/www/MISP/app/webroot/img/custom
+--------------------------------+
| 6/ Create database and user |
+--------------------------------+
6.01/ Set database to listen on localhost only
echo [mysqld] > /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 >> /etc/opt/rh/rh-mariadb102/my.cnf.d/bind-address.cnf
systemctl restart rh-mariadb102-mariadb
6.02/ Start MariaDB shell and create database
mysql -u root -p
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
MariaDB [(none)]> exit
6.03/ Import the empty MySQL database from MYSQL.sql
cd /var/www/MISP
mysql -u misp -p misp < INSTALL/MYSQL.sql
+--------------------------------+
| 7/ Apache Configuration |
+--------------------------------+
7.01/ Copy a sample vhost config to Apache configuration directory
cp /var/www/MISP/INSTALL/apache.misp.centos7 /etc/httpd/conf.d/misp.conf
7.02/ Since SELinux is enabled, we need to allow httpd to write to certain directories
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
7.02/ Allow httpd to connect to the redis server and php-fpm over tcp/ip
setsebool -P httpd_can_network_connect on
7.03/ Enable and start the httpd service
systemctl enable httpd.service
systemctl start httpd.service
7.04/ Open a hole in the firewalld service
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
# We seriously recommend using only HTTPS / SSL !
# Add SSL support by running: yum install mod_ssl
# Check out the apache.misp.ssl file for an example
+--------------------------------+
| 8/ Log Rotation |
+--------------------------------+
# MISP saves the stdout and stderr of it's workers in /var/www/MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
cp INSTALL/misp.logrotate /etc/logrotate.d/misp
chmod 0640 /etc/logrotate.d/misp
8.01/ Allow logrotate to work under SELinux and modify the log files
semanage fcontext -a -t httpd_log_t "/var/www/MISP/app/tmp/logs(/.*)?"
chcon -R -t httpd_log_t /var/www/MISP/app/tmp/logs
8.02/ Allow logrotate to read /var/www
checkmodule -M -m -o /tmp/misplogrotate.mod INSTALL/misplogrotate.te
semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod
semodule -i /tmp/misplogrotate.pp
+--------------------------------+
| 9/ MISP Configuration |
+--------------------------------+
9.01/ There are 4 sample configuration files in /var/www/MISP/app/Config that need to be copied
cd /var/www/MISP/app/Config
cp -a bootstrap.default.php bootstrap.php
cp -a database.default.php database.php
cp -a core.default.php core.php
cp -a config.default.php config.php
9.02/ Configure the fields in the newly created files
# Configure the fields in the newly created files:
# config.php : baseurl (example: 'baseurl' => 'http://misp',) - don't use "localhost" it causes issues when browsing externally
# core.php : Uncomment and set the timezone: `// date_default_timezone_set('UTC');`
# database.php : login, port, password, database
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
# public $default = array(
# 'datasource' => 'Database/Mysql',
# 'persistent' => false,
# 'host' => 'localhost',
# 'login' => 'misp', // grant usage on *.* to misp@localhost
# 'port' => 3306,
# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
# 'database' => 'misp', // create database misp;
# 'prefix' => '',
# 'encoding' => 'utf8',
# );
#}
# Important! Change the salt key in /var/www/MISP/app/Config/config.php
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)
9.03/ If you want to be able to change configuration parameters from the webinterface:
chown apache:apache /var/www/MISP/app/Config/config.php
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Config/config.php
9.04/ Generate an encryption key
gpg --gen-key
mv ~/.gnupg /var/www/MISP/
chown -R apache:apache /var/www/MISP/.gnupg
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/.gnupg
## NOTE: There is a bug that if a passphrase is added MISP will produce an error on the diagnostic page.
# The email address should match the one set in the config.php configuration file
# Make sure that you use the same settings in the MISP Server Settings tool
9.05/ export the public key to the webroot
sudo -u apache gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-EMAIL > /var/www/MISP/app/webroot/gpg.asc
9.06/ Start the workers to enable background jobs
chmod +x /var/www/MISP/app/Console/worker/start.sh
su -s /bin/bash apache -c 'scl enable rh-php71 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh'
9.07a/ To make the background workers start on boot
vi /etc/rc.local
9.07b/ Add the following line at the end
su -s /bin/bash apache -c 'scl enable rh-php71 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh'
9.07c/ and make sure it will execute
chmod +x /etc/rc.local
# Now log in using the webinterface: http://misp/users/login
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
Don't forget to change the email, password and authentication key after installation.
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
chmod -R 750 /var/www/MISP/<directory path with an indicated issue>
chown -R apache:apache /var/www/MISP/<directory path with an indicated issue>
# Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items
# If anything goes wrong, make sure that you check MISP's logs for errors:
# /var/www/MISP/app/tmp/logs/error.log
# /var/www/MISP/app/tmp/logs/resque-worker-error.log
# /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
# /var/www/MISP/app/tmp/logs/resque-2015-01-01.log //where the actual date is the current date
+---------------------------+
| 10/ Post Install |
+---------------------------+
10.01/ Allow apache to write to /var/www/MISP/app/tmp/logs
# Result from diagnostic is that the directory is not writable.
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp/logs/
# NOTE: This may mean that logrotate cannot access the logs directory, will require further investigation
10.02/ Change php.ini settings to suggested limits from diagnostic page.
# Edit /etc/opt/rh/rh-php71/php.ini and set the following settings
max_execution_time = 300
memory_limit = 512M
upload_max_filesize = 50M
post_max_size = 50M
10.03/ Restart rh-php71 for settings to take effect
systemctl restart rh-php71-php-fpm
10.04/ Install pymisp and pydeep for Advanced Attachment handler
pip install pymisp
pip install git+https://github.com/kbandla/pydeep.git
10.05/ Install pymisp also in Python 3
scl enable rh-python36 pip3 install pymisp
+---------------------------+
| 11/ LIEF Installation |
+---------------------------+
# lief is required for the Advanced Attachment Handler and requires manual compilation
11.01/ Install cmake3 devtoolset-7 from SCL
yum install devtoolset-7 cmake3
11.02/ Enable devtoolset-7
scl enable devtoolset-7 bash
11.03/ Set env variable, create directories and download source code
mkdir -p /tmp/LIEF
mkdir -p /tmp/LIEF_INSTALL
export LIEF_TMP=/tmp/LIEF
export LIEF_INSTALL=/tmp/LIEF_INSTALL
export LIEF_BRANCH=master
cd $LIEF_TMP
git clone --branch $LIEF_BRANCH --single-branch https://github.com/lief-project/LIEF.git LIEF
11.04/ Compile lief and install
cd $LIEF_TMP/LIEF
mkdir -p build
cd build
scl enable devtoolset-7 'bash -c "cmake3 \
-DLIEF_PYTHON_API=on \
-DLIEF_DOC=off \
-DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \
-DCMAKE_BUILD_TYPE=Release \
-DPYTHON_VERSION=2.7 \
.."'
make -j3
cd api/python
scl enable rh-python36 python3 setup.py install || :
# you can ignore the error about finding suitable distribution
cd $LIEF_TMP/LIEF/build
make install
make package
11.05/ Test lief installation, if no error, package installed
python
>> import lief
+---------------------------+
| 12/ Known Issues |
+---------------------------+
12.01/ PHP CLI cannot determine version
# PHP CLI Version cannot be determined. Possibly due to PHP being installed through SCL
12.02/ Workers cannot be started or restarted from the web page
# Possible also due to package being installed via SCL, attempting to start workers through the web page will result in
# error. Worker's can be restarted via the CLI using the following command.
su -s /bin/bash apache -c 'scl enable rh-php71 rh-redis32 rh-mariadb102 /var/www/MISP/app/Console/worker/start.sh'
## NOTE: No other functions were tested after the conclusion of this install. There may be issue that aren't addressed
## via this guide and will need additional investigation.

338
INSTALL/INSTALL.ubuntu1804.txt
View File

@ -1,338 +0,0 @@
INSTALLATION INSTRUCTIONS
------------------------- for Ubuntu 18.04-server
1/ Minimal Ubuntu install
-------------------------
# Install a minimal Ubuntu 18.04-server system with the software:
- OpenSSH server
# Make sure your system is up2date:
sudo apt-get update
sudo apt-get upgrade
# install postfix, there will be some questions.
sudo apt-get install postfix
# Postfix Configuration: Satellite system
# change the relay server later with:
sudo postconf -e 'relayhost = example.com'
sudo postfix reload
2/ Install LAMP & dependencies
------------------------------
Once the system is installed you can perform the following steps:
# Make sure you have enabled the Universe repository (fe. for redis-server), enable it with
# sudo add-apt-repository universe
# Install the dependencies: (some might already be installed)
sudo apt-get install curl gcc git gnupg-agent make python python3 openssl redis-server sudo vim zip
# Install MariaDB (a MySQL fork/alternative)
sudo apt-get install mariadb-client mariadb-server
# Secure the MariaDB installation (especially by setting a strong root password)
sudo mysql_secure_installation
# Install Apache2
sudo apt-get install apache2 apache2-doc apache2-utils
# Enable modules, settings, and default of SSL in Apache
sudo a2dismod status
sudo a2enmod ssl
sudo a2enmod rewrite
sudo a2enmod headers
sudo a2dissite 000-default
sudo a2ensite default-ssl
# Install PHP and dependencies
sudo apt-get install libapache2-mod-php php php-cli php-gnupg php-dev php-json php-mysql php-opcache php-readline php-redis php-xml php-mbstring
# Apply all changes
sudo systemctl restart apache2
3/ MISP code
------------
# Download MISP using git in the /var/www/ directory.
sudo mkdir /var/www/MISP
sudo chown www-data:www-data /var/www/MISP
cd /var/www/MISP
sudo -u www-data git clone https://github.com/MISP/MISP.git /var/www/MISP
sudo -u www-data git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
sudo -u www-data git submodule foreach --recursive git config core.filemode false
# Make git ignore filesystem permission differences
sudo -u www-data git config core.filemode false
# install Mitre's STIX and its dependencies by running the following commands:
sudo apt-get install python3-dev python3-pip libxml2-dev libxslt1-dev zlib1g-dev python-setuptools
cd /var/www/MISP/app/files/scripts
sudo -u www-data git clone https://github.com/CybOXProject/python-cybox.git
sudo -u www-data git clone https://github.com/STIXProject/python-stix.git
sudo -u www-data git clone https://github.com/MAECProject/python-maec.git
cd /var/www/MISP/app/files/scripts/python-cybox
sudo python3 setup.py install
cd /var/www/MISP/app/files/scripts/python-stix
sudo python3 setup.py install
cd /var/www/MISP/app/files/scripts/python-maec
sudo python3 setup.py install
# install mixbox to accomodate the new STIX dependencies:
cd /var/www/MISP/app/files/scripts/
sudo -u www-data git clone https://github.com/CybOXProject/mixbox.git
cd /var/www/MISP/app/files/scripts/mixbox
sudo python3 setup.py install
# install PyMISP
cd /var/www/MISP/PyMISP
sudo python3 setup.py install
# install support for STIX 2.0
sudo pip3 install stix2
4/ CakePHP
-----------
# Once done, install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd /var/www/MISP/app
sudo -u www-data php composer.phar require kamisama/cake-resque:4.1.2
sudo -u www-data php composer.phar config vendor-dir Vendor
sudo -u www-data php composer.phar install
# Enable CakeResque with php-redis
sudo phpenmod redis
# To use the scheduler worker for scheduled tasks, do the following:
sudo -u www-data cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
# If you have multiple MISP instances on the same system, don't forget to have a different Redis per MISP instance for the CakeResque workers
# The default Redis port can be updated in Plugin/CakeResque/Config/config.php
5/ Set the permissions
----------------------
# Check if the permissions are set correctly using the following commands:
sudo chown -R www-data:www-data /var/www/MISP
sudo chmod -R 750 /var/www/MISP
sudo chmod -R g+ws /var/www/MISP/app/tmp
sudo chmod -R g+ws /var/www/MISP/app/files
sudo chmod -R g+ws /var/www/MISP/app/files/scripts/tmp
6/ Create a database and user
-----------------------------
# Enter the mysql shell
sudo mysql -u root -p
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
# Import the empty MISP database from MYSQL.sql
sudo -u www-data sh -c "mysql -u misp -p misp < /var/www/MISP/INSTALL/MYSQL.sql"
# enter the password you've set in line 129 when prompted
7/ Apache configuration
-----------------------
# Now configure your Apache webserver with the DocumentRoot /var/www/MISP/app/webroot/
# If the apache version is 2.2:
sudo cp /var/www/MISP/INSTALL/apache.22.misp.ssl /etc/apache2/sites-available/misp-ssl.conf
# If the apache version is 2.4:
sudo cp /var/www/MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp-ssl.conf
# Be aware that the configuration files for apache 2.4 and up have changed.
# The configuration file has to have the .conf extension in the sites-available directory
# For more information, visit http://httpd.apache.org/docs/2.4/upgrading.html
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=<Country>/ST=<State>/L=<Locality>/O=<Organization>/OU=<Organizational Unit Name>/CN=<QDN.here>/emailAddress=admin@<your.FQDN.here>" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
# Please find a sample conf file for an SSL enabled conf file in-line below (alternatively use one of the samples provided in /var/www/MISP/INSTALL
# Also remember to verify the SSLCertificateChainFile property in your config file - this is usually commented out for the self-generated certificate in the sample configurations, such as the one pasted below.
# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)
============================================= Begin sample working SSL config for MISP
<VirtualHost <IP, FQDN, or *>:80>
ServerName <your.FQDN.here>
Redirect permanent / https://<your.FQDN.here>
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost <IP, FQDN, or *>:443>
ServerAdmin admin@<your.FQDN.here>
ServerName <your.FQDN.here>
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
Options -Indexes
AllowOverride all
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
============================================= End sample working SSL config for MISP
# activate new vhost
sudo a2dissite default-ssl
sudo a2ensite misp-ssl
# Restart apache
sudo systemctl restart apache2
8/ Log rotation
---------------
# MISP saves the stdout and stderr of its workers in /var/www/MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
sudo cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
sudo chmod 0640 /etc/logrotate.d/misp
9/ MISP configuration
---------------------
# There are 4 sample configuration files in /var/www/MISP/app/Config that need to be copied
sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php
sudo -u www-data cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php
sudo -u www-data cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php
sudo -u www-data cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php
# Configure the fields in the newly created files:
sudo -u www-data vim /var/www/MISP/app/Config/database.php
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
# public $default = array(
# 'datasource' => 'Database/Mysql',
# 'persistent' => false,
# 'host' => 'localhost',
# 'login' => 'misp', // grant usage on *.* to misp@localhost
# 'port' => 3306,
# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
# 'database' => 'misp', // create database misp;
# 'prefix' => '',
# 'encoding' => 'utf8',
# );
#}
# Important! Change the salt key in /var/www/MISP/app/Config/config.php
# The salt key must be a string at least 32 bytes long.
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)
# Change base url in config.php
/var/www/MISP/app/Console/cake Baseurl https://<your.FQDN.here>
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# and make sure the file permissions are still OK
sudo chown -R www-data:www-data /var/www/MISP/app/Config
sudo chmod -R 750 /var/www/MISP/app/Config
# Generate a GPG encryption key.
sudo -u www-data mkdir /var/www/MISP/.gnupg
sudo chmod 700 /var/www/MISP/.gnupg
sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
# NOTE: if entropy is not high enough, you can install rng-tools and then run rngd -r /dev/urandom do fix it quickly
# And export the public key to the webroot
sudo -u www-data sh -c "gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-KEYS-EMAIL-HERE > /var/www/MISP/app/webroot/gpg.asc"
# To make the background workers start on boot
sudo chmod +x /var/www/MISP/app/Console/worker/start.sh
sudo vim /etc/rc.local
# Add the following line before the last line (exit 0). Make sure that you replace www-data with your apache user:
sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh
# Now log in using the webinterface:
# The default user/pass = admin@admin.test/admin
# Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference
# It is especially vital that no critical issues remain!
# start the workers by navigating to the workers tab and clicking restart all workers
# Don't forget to change the email, password and authentication key after installation.
# Once done, have a look at the diagnostics
# If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
# you can do this by running the following commands:
sudo chmod -R 750 /var/www/MISP/<directory path with an indicated issue>
sudo chown -R www-data:www-data /var/www/MISP/<directory path with an indicated issue>
# Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items
# If anything goes wrong, make sure that you check MISP's logs for errors:
# /var/www/MISP/app/tmp/logs/error.log
# /var/www/MISP/app/tmp/logs/resque-worker-error.log
# /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
# /var/www/MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
Recommended actions
-------------------
- By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.
- You should really harden your OS
- You should really harden the configuration of Apache
- You should really harden the configuration of MySQL/MariaDB
- Keep your software up2date (OS, MISP, CakePHP and everything else)
- Log and audit
Optional features
-----------------
# MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following command
sudo pip3 install pyzmq
# ZeroMQ depends on the Python client for Redis
sudo pip3 install redis
# For the experimental ssdeep correlations, run the following installation:
# installing ssdeep
wget http://downloads.sourceforge.net/project/ssdeep/ssdeep-2.13/ssdeep-2.13.tar.gz
tar zxvf ssdeep-2.13.tar.gz
cd ssdeep-2.13
./configure
make
sudo make install
ssdeep -h # test
#installing ssdeep_php
sudo pecl install ssdeep
# You should add "extension=ssdeep.so" to mods-available - Check /etc/php for your current version
echo "extension=ssdeep.so" | sudo tee /etc/php/7.2/mods-available/ssdeep.ini
sudo phpenmod ssdeep
sudo service apache2 restart
Optional features: misp-modules
-------------------------------
# If you want to add the misp modules functionality, follow the setup procedure described in misp-modules:
# https://github.com/MISP/misp-modules#how-to-install-and-start-misp-modules
# Then the enrichment, export and import modules can be enabled in MISP via the settings.

1
INSTALL/UPDATE.txt Symbolic link
View File

@ -0,0 +1 @@
../docs/UPDATE.md

0
INSTALL/xINSTALL.debian8-postgresql.txt → INSTALL/old/xINSTALL.debian8-postgresql.txt
View File

0
INSTALL/INSTALL.ubuntu1804.with.webmin.txt → docs/INSTALL.ubuntu1804.with.webmin.md
View File

0
INSTALL/xINSTALL.centos6.txt → docs/xINSTALL.centos6.md
View File

18
tools/gen_misp_install_docs.sh Executable file
View File

@ -0,0 +1,18 @@
#!/bin/bash
set -e
# set -x
if [ -e "/usr/bin/virtualenv" ]; then
echo "Python virtualenv exists, continuing with mkdocs build"
else
echo "NO virtualenv present, bye."
exit 1
fi
if [ -z "$VIRTUAL_ENV" ]; then
virtualenv -p python3 mkdocs
${PWD}/mkdocs/bin/pip install mkdocs mkdocs-material
fi
wget -O ../docs/Changelog.md https://www.misp-project.org/Changelog.txt
cd ../ ; ${PWD}/tools/mkdocs/bin/mkdocs gh-deploy