From d34c455fa083f8b7c56da720a9ae922fb5e30ff9 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Wed, 10 Jul 2019 13:29:43 +0900 Subject: [PATCH] new: [doc] Hidden NetBSD install (core works) --- docs/xINSTALL.NetBSD.md | 801 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 801 insertions(+) create mode 100644 docs/xINSTALL.NetBSD.md diff --git a/docs/xINSTALL.NetBSD.md b/docs/xINSTALL.NetBSD.md new file mode 100644 index 000000000..a24c4f6e4 --- /dev/null +++ b/docs/xINSTALL.NetBSD.md @@ -0,0 +1,801 @@ +# INSTALLATION INSTRUCTIONS +## for NetBSD 8.1-amd64 + +!!! warning + This is not fully working yet. Mostly it is a template for our ongoing documentation efforts :spider: + LIEF, will probably not be available for a long long time on OpenBSD, until someone is brave enough to make it work. + GnuPG also needs some more TLC. + + https://wiki.netbsd.org/pkgsrc/how_to_install_a_lamp_server/ + +### 0/ WIP! You are warned, this does not work yet! +------------ + +!!! notice + Current issues: php-redis only available in binary for php-56, workaround: use OpenBSD 6.4. + This guide attempts to offer native httpd or apache2/nginx. + +!!! warning + As of 20181018 the native httpd server is NOT useable with MISP on OpenBSD 6.3. + Thus ONLY Apache 2.x available. + NO *rewrite* available, just yet. It will be in [the next release](https://marc.info/?l=openbsd-tech&m=152761257806283&w=2) + +!!! notice + As of OpenBSD 6.4 the native httpd has rewrite rules and php 5.6 is gone too. + +{!generic/globalVariables.md!} + +```bash +export AUTOMAKE_VERSION=1.16 +export AUTOCONF_VERSION=2.69 +``` + +### 1/ Minimal OpenBSD install +------------ + +#### Install standard OpenBSD-amd64 with ports + +- ntpdate on boot +- ntp +- ntpd +- ssh + +#### System Hardening + +- TBD + +#### sudo & pkg (as root) +```bash +su root -c "pkgin install sudo gsed" +su root -c 'gsed -i -e "s/# %wheel ALL=(ALL) NOPASSWD: ALL/%wheel ALL=(ALL) NOPASSWD: ALL/" /usr/pkg/etc/sudoers' +``` + +##### In case you forgot to fetch pkgsrc (optional) + +```bash +cd /usr +env CVS_RSH=ssh sudo cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -P pkgsrc +cd pkgsrc/bootstrap +sudo ./bootstrap +sudo /usr/pkg/sbin/pkg_admin -K /var/db/pkg fetch-pkg-vulnerabilities +``` + +``` +You may wish to have the vulnerabilities file downloaded daily so that it +remains current. This may be done by adding an appropriate entry to the root +users crontab(5) entry. For example the entry + +# Download vulnerabilities file +0 3 * * * /usr/pkg/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1 +# Audit the installed packages and email results to root +9 3 * * * /usr/pkg/sbin/pkg_admin audit |mail -s "Installed package audit result" \ + root >/dev/null 2>&1 +``` + +#### Install bash +```bash +sudo pkgin install bash +``` + +#### mariadb server +```bash +sudo pkgin install mariadb-server +``` + +#### Install misc dependencies + +```bash +sudo pkgin install curl git python36 py36-pip redis autoconf automake libtool magic +``` + +```bash +sudo pkgin install gnupg2 +``` + +#### Install postfix (optional) + +```bash +sudo pkgin install postfix +``` + +#### vim (optional) +```bash +sudo pkgin install vim +sudo mv /usr/bin/vi /usr/bin/vi-`date +%d%m%y` +sudo ln -s /usr/pkg/bin/vim /usr/bin/vi +``` + +#### misp user #REMOVE +```bash +sudo useradd -m -s /usr/local/bin/bash -G wheel,www misp +``` + +#### apache + php + moz-rootcerts + +```bash +sudo pkgin install php ap24-php73 php73-fpm php73-redis3 php73-mysqli php73-pdo_mysql php73-pcntl php73-json php73-iconv php73-gd +sudo cp /usr/share/examples/openssl/openssl.cnf /etc/openssl/ +sudo mozilla-rootcerts install +sudo cp /usr/pkg/share/examples/rc.d/apache /etc/rc.d/ +echo apache=yes |sudo tee /etc/rc.conf.d/apache +``` + +#### If a valid SSL certificate is not already created for the server, create a self-signed certificate: + +``` +# OpenSSL configuration +OPENSSL_C='LU' +OPENSSL_ST='State' +OPENSSL_L='Location' +OPENSSL_O='Organization' +OPENSSL_OU='Organizational Unit' +OPENSSL_CN='Common Name' +OPENSSL_EMAILADDRESS='info@localhost' +``` + +```bash +sudo openssl req -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=$OPENSSL_C/ST=$OPENSSL_ST/L=$OPENSSL_L/O=<$OPENSSL_O/OU=$OPENSSL_OU/CN=$OPENSSL_CN/emailAddress=$OPENSSL_EMAILADDRESS" -keyout /usr/pkg/etc/httpd/server.key -out /usr/pkg/etc/httpd/server.crt +``` + +#### start httpd +```bash +sudo /etc/rc.d/httpd -f start +``` + +#### Enable httpd +```bash +sudo rcctl enable httpd +``` + +#### Install Python virtualenv +```bash +sudo ln -sf /usr/pkg/bin/pip3.6 /usr/pkg/bin/pip +sudo ln -s /usr/pkg/bin/python3.6 /usr/pkg/bin/python +sudo ln -s /usr/pkg/bin/python3.6 /usr/pkg/bin/python3 +sudo pkgin install py36-virtualenv +sudo ln -s /usr/pkg/bin/virtualenv-3.6 /usr/pkg/bin/virtualenv +``` + +#### Install ssdeep +``` +sudo mkdir -p /usr/local/src +sudo chown misp:users /usr/local/src +cd /usr/local/src +git clone https://github.com/ssdeep-project/ssdeep.git +cd ssdeep +./bootstrap +./configure --prefix=/usr +make +sudo make install +``` + +#### Apache2 only +```bash +sudo pkg_add -v apache-httpd +sudo pkgin install ap24-fcgid +``` + +#### php7 ports +!!! notice + php-5.6 is marked as end-of-life starting December 2018, use php 7.0 instead. + +#### /usr/pkg/etc/php.ini + +#### Enable redis + +```bash +sudo cp /usr/pkg/share/examples/rc.d/redis /etc/rc.d +echo redis=yes |sudo tee /etc/rc.conf.d/redis +sudo /etc/rc.d/redis start +``` + +#### Enable mysqld +```bash +sudo /usr/pkg/bin/mysql_install_db +sudo cp /usr/pkg/share/examples/rc.d/mysqld /etc/rc.d/ +echo mysqld=yes |sudo tee /etc/rc.conf.d/mysqld +sudo chown -R mariadb:mariadb /var/mariadb +sudo /etc/rc.d/mysqld start +sudo /usr/pkg/bin/mysql_secure_installation +# TODO: Figure out how to properly bind to localhost +##doas rcctl set mysqld flags --bind-address=127.0.0.1 +``` + +### 2/ MISP code +------------ +```bash +# Download MISP using git in the /usr/local/www/ directory. +PATH_TO_MISP=/usr/pkg/share/httpd/htdocs/MISP +sudo mkdir $PATH_TO_MISP +sudo chown www:www $PATH_TO_MISP +cd $PATH_TO_MISP +sudo -u www git clone https://github.com/MISP/MISP.git $PATH_TO_MISP +sudo -u www git submodule update --init --recursive +# Make git ignore filesystem permission differences for submodules +sudo -u www git submodule foreach --recursive git config core.filemode false + +# Make git ignore filesystem permission differences +sudo -u www git config core.filemode false + +#sudo pkgin install py-pip py3-pip libxslt py3-jsonschema +sudo pkgin install libxslt +#sudo virtualenv -ppython3 /usr/local/virtualenvs/MISP +sudo -u www virtualenv -ppython3 $PATH_TO_MISP/venv +sudo -u www HOME=/tmp $PATH_TO_MISP/venv/bin/pip install -U pip + +cd $PATH_TO_MISP/app/files/scripts +sudo -u www git clone https://github.com/CybOXProject/python-cybox.git +sudo -u www git clone https://github.com/STIXProject/python-stix.git +cd $PATH_TO_MISP/app/files/scripts/python-cybox +sudo -u www $PATH_TO_MISP/venv/bin/python setup.py install --global-option=build_ext --global-option="-I/usr/pkg/include/" +cd $PATH_TO_MISP/app/files/scripts/python-stix +sudo -u www $PATH_TO_MISP/venv/bin/python setup.py install + +# install mixbox to accommodate the new STIX dependencies: +cd $PATH_TO_MISP/app/files/scripts/ +sudo -u www git clone https://github.com/CybOXProject/mixbox.git +cd $PATH_TO_MISP/app/files/scripts/mixbox +sudo -u www $PATH_TO_MISP/venv/bin/python setup.py install + +# install PyMISP +cd $PATH_TO_MISP/PyMISP +sudo -u www $PATH_TO_MISP/venv/bin/python setup.py install + +# install support for STIX 2.0 +sudo -u www HOME=/tmp $PATH_TO_MISP/venv/bin/pip install stix2 + +# install python-magic, pydeep and maec +sudo -u www HOME=/tmp $PATH_TO_MISP/venv/bin/pip install python-magic +sudo -u www HOME=/tmp $PATH_TO_MISP/venv/bin/pip install git+https://github.com/kbandla/pydeep.git +sudo -u www HOME=/tmp $PATH_TO_MISP/venv/bin/pip install maec +sudo -u www HOME=/tmp $PATH_TO_MISP/venv/bin/pip install plyara +``` + +### 3/ CakePHP +----------- +```bash +# CakePHP is included as a submodule of MISP and has been fetched earlier. +# Install CakeResque along with its dependencies if you intend to use the built in background jobs: +cd $PATH_TO_MISP/app +sudo -u www php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" +sudo -u www php -r "if (hash_file('SHA384', 'composer-setup.php') === '48e3236262b34d30969dca3c37281b3b4bbe3221bda826ac6a9a62d6444cdb0dcd0615698a5cbe587c3f0fe57a54d8f5') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink +('composer-setup.php'); } echo PHP_EOL;" +sudo -u www env HOME=/tmp php composer-setup.php +sudo -u www php -r "unlink('composer-setup.php');" + +sudo -u www HOME=/tmp php composer.phar require kamisama/cake-resque:4.1.2 +sudo -u www HOME=/tmp php composer.phar config vendor-dir Vendor +sudo -u www HOME=/tmp php composer.phar install + +# To use the scheduler worker for scheduled tasks, do the following: +sudo -u www cp -f $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php +``` + +### 4/ Set the permissions +---------------------- +```bash +# Check if the permissions are set correctly using the following commands: +sudo chown -R www:www $PATH_TO_MISP +sudo chmod -R 750 $PATH_TO_MISP +sudo chmod -R g+ws $PATH_TO_MISP/app/tmp +sudo chmod -R g+ws $PATH_TO_MISP/app/files +sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp +``` + +### 5/ Create a database and user +----------------------------- +```bash +# Enter the mysql shell +sudo mysql -u root -p +``` + +``` +MariaDB [(none)]> create database misp; +MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX'; +MariaDB [(none)]> grant all privileges on misp.* to misp@localhost; +MariaDB [(none)]> flush privileges; +MariaDB [(none)]> exit +``` + +```bash +# Import the empty MISP database from MYSQL.sql +sudo -u www sh -c "mysql -u misp -pmisp < /var/www/htdocs/MISP/INSTALL/MYSQL.sql" +# enter the password you set previously +``` + +### 6/ Apache configuration +----------------------- +```bash +# Now configure your Apache webserver with the DocumentRoot /var/www/htdocs/MISP/app/webroot/ + +#2.4 +sudo /usr/pkg/etc/httpd/sites-available /usr/pkg/etc/httpd/sites-enabled + +# If the apache version is 2.4: +sudo cp $PATH_TO_MISP/INSTALL/apache.24.misp.ssl /usr/pkg/etc/httpd/sites-available/misp-ssl.conf + +# Be aware that the configuration files for apache 2.4 and up have changed. +# The configuration file has to have the .conf extension in the sites-available directory +# For more information, visit http://httpd.apache.org/docs/2.4/upgrading.html + +# If a valid SSL certificate is not already created for the server, create a self-signed certificate: (Make sure to fill the <…>) + +sudo openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \ +-subj "/C=$OPENSSL_C/ST=$OPENSSL_ST/L=$OPENSSL_L/O=<$OPENSSL_O/OU=$OPENSSL_OU/CN=$OPENSSL_CN/emailAddress=$OPENSSL_EMAILADDRESS" \ +-keyout /etc/ssl/private/server.key -out /etc/openssl/server.crt +# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/openssl/private/. (Modify path and config to fit your environment) +``` + +``` +============================================= Begin sample working SSL config for MISP +:80> + ServerName + + Redirect permanent / https:// + + LogLevel warn + ErrorLog /var/log/apache2/misp.local_error.log + CustomLog /var/log/apache2/misp.local_access.log combined + ServerSignature Off + + +:443> + ServerAdmin admin@ + ServerName + DocumentRoot /var/www/htdocs/MISP/app/webroot + + Options -Indexes + AllowOverride all + Order allow,deny + allow from all + + + SSLEngine On + SSLCertificateFile /etc/ssl/server.crt + SSLCertificateKeyFile /etc/ssl/private/server.key +# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt + + LogLevel warn + ErrorLog /var/log/apache2/misp.local_error.log + CustomLog /var/log/apache2/misp.local_access.log combined + ServerSignature Off + +============================================= End sample working SSL config for MISP +``` + +```bash +# activate new vhost +cd /etc/apache2/sites-enabled/ +doas ln -s ../sites-available/misp-ssl.conf +echo "Include /etc/apache2/sites-enabled/*.conf" |doas tee -a /etc/apache2/httpd2.conf + +doas vi /etc/apache2/httpd2.conf +``` + +``` +/!\ Enable mod_rewrite in httpd2.conf /!\ +LoadModule rewrite_module /usr/local/lib/apache2/mod_rewrite.so +LoadModule ssl_module /usr/local/lib/apache2/mod_ssl.so +LoadModule proxy_module /usr/local/lib/apache2/mod_proxy.so +LoadModule proxy_fcgi_module /usr/local/lib/apache2/mod_proxy_fcgi.so +Listen 443 +DirectoryIndex index.php + +# Disable mpm_event, enable mpm_prefork +/usr/pkg/etc/httpd/httpd.conf +LoadModule php7_module lib/httpd/mod_php7.so +SetHandler application/x-httpd-php +AddType application/x-httpd-php .php +DirectoryIndex index.html index.php +/usr/pkg/share/httpd/htdocs +``` + +```bash +doas ln -sf /var/www/conf/modules.sample/php-7.0.conf /var/www/conf/modules/php.conf +# Restart apache +doas /etc/rc.d/apache2 restart +``` + +### 7/ Log rotation (needs to be adapted to OpenBSD, newsyslog does this for you +--------------- +!!! notice + MISP saves the stdout and stderr of its workers in /var/www/htdocs/MISP/app/tmp/logs + +### 8/ MISP configuration +--------------------- +``` +# There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied +sudo -u www cp $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php +sudo -u www cp $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php +sudo -u www cp $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php +sudo -u www cp $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php + +# Configure the fields in the newly created files: +sudo -u www vi $PATH_TO_MISP/app/Config/database.php +``` +``` +# DATABASE_CONFIG has to be filled +# With the default values provided in section 6, this would look like: +# class DATABASE_CONFIG { +# public $default = array( +# 'datasource' => 'Database/Mysql', +# 'persistent' => false, +# 'host' => 'localhost', +# 'login' => 'misp', // grant usage on *.* to misp@localhost +# 'port' => 3306, +# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX'; +# 'database' => 'misp', // create database misp; +# 'prefix' => '', +# 'encoding' => 'utf8', +# ); +#} +``` + +!!! danger + Important! Change the salt key in /usr/local/www/MISP/app/Config/config.php + The salt key must be a string at least 32 bytes long. + The admin user account will be generated on the first login, make sure that the salt is changed before you create that user + If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt, + delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin) + +``` +# Change base url in config.php +sudo -u www vi $PATH_TO_MISP/app/Config/config.php +# example: 'baseurl' => 'https://', +# alternatively, you can leave this field empty if you would like to use relative pathing in MISP +# 'baseurl' => '', + +# and make sure the file permissions are still OK +sudo chown -R www:www $PATH_TO_MISP/app/Config +sudo chmod -R 750 $PATH_TO_MISP/app/Config + +# Generate a GPG encryption key. +export GPG_REAL_NAME='Autogenerated Key' +export GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!' +export GPG_EMAIL_ADDRESS='admin@admin.test' +export GPG_KEY_LENGTH='2048' +export GPG_PASSPHRASE='Password1234' +echo "%echo Generating a default key + Key-Type: default + Key-Length: $GPG_KEY_LENGTH + Subkey-Type: default + Name-Real: $GPG_REAL_NAME + Name-Comment: $GPG_COMMENT + Name-Email: $GPG_EMAIL_ADDRESS + Expire-Date: 0 + Passphrase: $GPG_PASSPHRASE + # Do a commit here, so that we can later print "done" + %commit +%echo done" > /tmp/gen-key-script +sudo -u www mkdir $PATH_TO_MISP/.gnupg +sudo chmod 700 $PATH_TO_MISP/.gnupg +sudo gpg2 --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script +# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file + +# And export the public key to the webroot +sudo sh -c "gpg2 --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS > $PATH_TO_MISP/app/webroot/gpg.asc" + +# To make the background workers start on boot +sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh +sudo vi /etc/rc.local +# Add the following line before the last line (exit 0). Make sure that you replace www with your apache user: +sudo -u www bash $PATH_TO_MISP/app/Console/worker/start.sh +``` + +{!generic/INSTALL.done.md!} + +{!generic/recommended.actions.md!} + +#### MISP Modules +``` +sudo pkgin install jpeg yara +cd /usr/local/src/ +git clone https://github.com/MISP/misp-modules.git +cd misp-modules +# pip3 install +sudo /usr/local/virtualenvs/MISP/bin/pip install -I -r REQUIREMENTS +sudo /usr/local/virtualenvs/MISP/bin/pip install -I . +sudo /usr/local/virtualenvs/MISP/bin/pip install git+https://github.com/VirusTotal/yara-python.git +sudo /usr/local/virtualenvs/MISP/bin/pip install wand +##doas gem install pygments.rb +##doas gem install asciidoctor-pdf --pre +sudo -u www /usr/local/virtualenvs/MISP/bin/misp-modules -l 0.0.0.0 -s & +echo "doas -u www /usr/local/virtualenvs/MISP/bin/misp-modules -l 0.0.0.0 -s &" |doas tee -a /etc/rc.local +``` + +!!! notice + Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items + +!!! notice + If anything goes wrong, make sure that you check MISP's logs for errors: + /var/www/htdocs/MISP/app/tmp/logs/error.log + /var/www/htdocs/MISP/app/tmp/logs/resque-worker-error.log + /var/www/htdocs/MISP/app/tmp/logs/resque-scheduler-error.log + /var/www/htdocs/MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date + + +#### MISP Config Automation + +```bash +doas $CAKE Live $MISP_LIVE +AUTH_KEY=$(mysql -u misp -p misp -e "SELECT authkey FROM users;" | tail -1) +# Update the galaxies… +doas $CAKE Admin updateGalaxies + +# Updating the taxonomies… +doas $CAKE Admin updateTaxonomies + +# Updating the warning lists… +doas $CAKE Admin updateWarningLists + +# Updating the notice lists… +## doas $CAKE Admin updateNoticeLists +curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update + +# Updating the object templates… +##doas $CAKE Admin updateObjectTemplates +curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update + +# Tune global time outs +doas $CAKE Admin setSetting "Session.autoRegenerate" 0 +doas $CAKE Admin setSetting "Session.timeout" 600 +doas $CAKE Admin setSetting "Session.cookie_timeout" 3600 + +# Enable GnuPG +doas $CAKE Admin setSetting "GnuPG.email" "admin@admin.test" +doas $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg" +doas $CAKE Admin setSetting "GnuPG.password" "Password1234" + +# Enable Enrichment set better timeouts +doas $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true +doas $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true +doas $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300 +doas $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150 +doas $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true +doas $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true +doas $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1" +doas $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666 + +# Enable Import modules set better timout +doas $CAKE Admin setSetting "Plugin.Import_services_enable" true +doas $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1" +doas $CAKE Admin setSetting "Plugin.Import_services_port" 6666 +doas $CAKE Admin setSetting "Plugin.Import_timeout" 300 +doas $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true +doas $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true + +# Enable Export modules set better timout +doas $CAKE Admin setSetting "Plugin.Export_services_enable" true +doas $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1" +doas $CAKE Admin setSetting "Plugin.Export_services_port" 6666 +doas $CAKE Admin setSetting "Plugin.Export_timeout" 300 +doas $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true + +# Enable installer org and tune some configurables +doas $CAKE Admin setSetting "MISP.host_org_id" 1 +doas $CAKE Admin setSetting "MISP.email" "info@admin.test" +doas $CAKE Admin setSetting "MISP.disable_emailing" true +doas $CAKE Admin setSetting "MISP.contact" "info@admin.test" +doas $CAKE Admin setSetting "MISP.disablerestalert" true +doas $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true + +# Provisional Cortex tunes +doas $CAKE Admin setSetting "Plugin.Cortex_services_enable" false +doas $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1" +doas $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000 +doas $CAKE Admin setSetting "Plugin.Cortex_timeout" 120 +doas $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1" +doas $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000 +doas $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120 +doas $CAKE Admin setSetting "Plugin.Cortex_services_authkey" "" +doas $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false +doas $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false +doas $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true + +# Various plugin sightings settings +doas $CAKE Admin setSetting "Plugin.Sightings_policy" 0 +doas $CAKE Admin setSetting "Plugin.Sightings_anonymise" false +doas $CAKE Admin setSetting "Plugin.Sightings_range" 365 + +# Plugin CustomAuth tuneable +doas $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false + +# RPZ Plugin settings + +doas $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP" +doas $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1" +doas $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00" +doas $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h" +doas $CAKE Admin setSetting "Plugin.RPZ_retry" "30m" +doas $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d" +doas $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h" +doas $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w" +doas $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost." +doas $CAKE Admin setSetting "Plugin.RPZ_ns_alt" "" +doas $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost" + +# Force defaults to make MISP Server Settings less RED +doas $CAKE Admin setSetting "MISP.language" "eng" +doas $CAKE Admin setSetting "MISP.proposals_block_attributes" false + +## Redis block +doas $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1" +doas $CAKE Admin setSetting "MISP.redis_port" 6379 +doas $CAKE Admin setSetting "MISP.redis_database" 13 +doas $CAKE Admin setSetting "MISP.redis_password" "" + +# Force defaults to make MISP Server Settings less YELLOW +doas $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40 +doas $CAKE Admin setSetting "MISP.extended_alert_subject" false +doas $CAKE Admin setSetting "MISP.default_event_threat_level" 4 +doas $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team" +doas $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team" +doas $CAKE Admin setSetting "MISP.enableEventBlacklisting" true +doas $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true +doas $CAKE Admin setSetting "MISP.log_client_ip" false +doas $CAKE Admin setSetting "MISP.log_auth" false +doas $CAKE Admin setSetting "MISP.disableUserSelfManagement" false +doas $CAKE Admin setSetting "MISP.block_event_alert" false +doas $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\"" +doas $CAKE Admin setSetting "MISP.block_old_event_alert" false +doas $CAKE Admin setSetting "MISP.block_old_event_alert_age" "" +doas $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false +doas $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install" +doas $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly" +doas $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure" +doas $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings" + +# Force defaults to make MISP Server Settings less GREEN +doas $CAKE Admin setSetting "Security.password_policy_length" 12 +doas $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/' +# Tune global time outs +doas $CAKE Admin setSetting "Session.autoRegenerate" 0 +doas $CAKE Admin setSetting "Session.timeout" 600 +doas $CAKE Admin setSetting "Session.cookie_timeout" 3600 +``` + +### Recommended actions +------------------- +- By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior. + +- You should really harden your OS +- You should really harden the configuration of Apache/httpd +- You should really harden the configuration of MySQL/MariaDB +- Keep your software up2date (OS, MISP, CakePHP and everything else) +- Log and audit + + +### Optional features +------------------- + +!!! notice + MISP has a pub/sub feature, using ZeroMQ. + +#### ZeroMQ depends on the Python client for Redis +```bash +doas pkg_add -v py3-zmq zeromq +doas /usr/local/virtualenvs/MISP/bin/pip install pyzmq +``` + +#### misp-dashboard + +!!! notice + Enable ZeroMQ for misp-dashboard + +!!! warning + This still needs more testing, it runs but no data is showing. + + +!!! warning + The install_dependencies.sh script is for Linux ONLY. The following blurp will be a diff of a working OpenBSD version. + +```diff +(DASHENV) obsd# diff -u install_dependencies.sh install_dependencies_obsd.sh +--- install_dependencies.sh Fri Oct 19 12:14:38 2018 ++++ install_dependencies_obsd.sh Fri Oct 19 12:43:22 2018 +@@ -1,14 +1,14 @@ +-#!/bin/bash ++#!/usr/local/bin/bash + + set -e + #set -x + +-sudo apt-get install python3-virtualenv virtualenv screen redis-server unzip -y ++doas pkg_add -v unzip wget + + if [ -z "$VIRTUAL_ENV" ]; then +- virtualenv -p python3 DASHENV ++ virtualenv -p python3 /usr/local/virtualenvs/DASHENV + +- . ./DASHENV/bin/activate ++ . /usr/local/virtualenvs/DASHENV/bin/activate + fi + + pip3 install -U pip argparse redis zmq geoip2 flask phonenumbers pycountry +``` + +``` +cd /var/www +doas mkdir misp-dashboard +doas chown www:www misp-dashboard +doas -u www git clone https://github.com/MISP/misp-dashboard.git +cd misp-dashboard +#/!\ Made on Linux, the next script will fail +#doas /var/www/misp-dashboard/install_dependencies.sh +doas virtualenv -ppython3 /usr/local/virtualenvs/DASHENV +doas /usr/local/virtualenvs/DASHENV/bin/pip install -U pip argparse redis zmq geoip2 flask phonenumbers pycountry + +doas sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg +doas sed -i -e '$i \doas -u www bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local +#/!\ Add port 8001 as a listener +#doas sed -i '/Listen 80/a Listen 0.0.0.0:8001' /etc/apache2/ports.conf +doas pkg_add -v ap2-mod_wsgi + +echo " + ServerAdmin admin@misp.local + ServerName misp.local + DocumentRoot /var/www/misp-dashboard + + WSGIDaemonProcess misp-dashboard \ + user=misp group=misp \ + python-home=/var/www/misp-dashboard/DASHENV \ + processes=1 \ + threads=15 \ + maximum-requests=5000 \ + listen-backlog=100 \ + queue-timeout=45 \ + socket-timeout=60 \ + connect-timeout=15 \ + request-timeout=60 \ + inactivity-timeout=0 \ + deadlock-timeout=60 \ + graceful-timeout=15 \ + eviction-timeout=0 \ + shutdown-timeout=5 \ + send-buffer-size=0 \ + receive-buffer-size=0 \ + header-buffer-size=0 \ + response-buffer-size=0 \ + server-metrics=Off + WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi + + WSGIProcessGroup misp-dashboard + WSGIApplicationGroup %{GLOBAL} + Require all granted + + LogLevel info + ErrorLog /var/log/apache2/misp-dashboard.local_error.log + CustomLog /var/log/apache2/misp-dashboard.local_access.log combined + ServerSignature Off +" | doas tee /etc/apache2/sites-available/misp-dashboard.conf + +doas ln -s /etc/apache2/sites-available/misp-dashboard.conf /etc/apache2/sites-enabled/misp-dashboard.conf +``` + +Add this to /etc/httpd2.conf +``` +LoadModule wsgi_module /usr/local/lib/apache2/mod_wsgi.so +Listen 8001 +``` + + +``` +doas $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true +doas $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true +doas $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true +doas $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true +doas $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true +doas $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true +doas $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true +doas $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true +doas $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000 +doas $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost" +doas $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379 +doas $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1 +doas $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq" +doas $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false +doas $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false +doas $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false +``` + +{!generic/hardening.md!}