mirror of https://github.com/MISP/MISP
chg: [doc] Added additional hardening and logging defaults
parent
d4839bfdfa
commit
dd85a3e218
|
|
@ -355,7 +355,7 @@ installCake_RHEL ()
|
|||
# memory_limit = 2048M
|
||||
# upload_max_filesize = 50M
|
||||
# post_max_size = 50M
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit session.sid_length session.use_strict_mode
|
||||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
|
|
|||
|
|
@ -117,7 +117,7 @@ installDepsPhp72 () {
|
|||
php-intl php-bcmath \
|
||||
php-gd
|
||||
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit session.sid_length session.use_strict_mode
|
||||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
|
|
|||
|
|
@ -117,7 +117,7 @@ installDepsPhp74 () {
|
|||
php-intl php-bcmath \
|
||||
php-gd
|
||||
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit session.sid_length session.use_strict_mode
|
||||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
|
|
|||
|
|
@ -39,6 +39,7 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.email" "$GPG_EMAIL_ADDRESS"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.password" "$GPG_PASSPHRASE"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.obscure_subject" true
|
||||
# FIXME: what if we have not gpg binary but a gpg2 one?
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.binary" "$(which gpg)"
|
||||
|
||||
|
|
@ -68,6 +69,9 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_range" 365
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_sighting_db_enable" false
|
||||
|
||||
# Plugin Enrichment hover defaults
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Enrichment_hover_popover_only" false
|
||||
|
||||
# Plugin CustomAuth tuneable
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
|
||||
|
||||
|
|
@ -102,8 +106,10 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableEventBlocklisting" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableOrgBlocklisting" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_auth" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_user_ips" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_user_ips_authkeys" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_user_login_change" false
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_user_password_change" false
|
||||
|
|
@ -136,6 +142,16 @@ coreCAKE () {
|
|||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.self_registration_message" "If you would like to send us a registration request, please fill out the form below. Make sure you fill out as much information as possible in order to ease the task of the administrators."
|
||||
|
||||
# Appease the security audit, #hardening
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.disable_browser_cache" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.check_sec_fetch_site_header" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.csp_enforce" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.advanced_authkeys" true
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.do_not_log_authkeys" true
|
||||
|
||||
# Appease the security audit, #loggin
|
||||
$SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.username_in_response_header" true
|
||||
|
||||
# It is possible to updateMISP too, only here for reference how to to that on the CLI.
|
||||
## $SUDO_WWW $RUN_PHP -- $CAKE Admin updateMISP
|
||||
|
||||
|
|
|
|||
|
|
@ -84,6 +84,8 @@ MISPvars () {
|
|||
post_max_size="50M"
|
||||
max_execution_time="300"
|
||||
memory_limit="2048M"
|
||||
session.sid_length="32"
|
||||
session.use_strict_mode="1"
|
||||
|
||||
CAKE="${PATH_TO_MISP}/app/Console/cake"
|
||||
|
||||
|
|
|
|||
|
|
@ -668,7 +668,7 @@ installDepsPhp70 () {
|
|||
php-redis php-gnupg \
|
||||
php-gd
|
||||
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit session.sid_length session.use_strict_mode
|
||||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
|
|
|||
|
|
@ -281,7 +281,7 @@ sudo ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php70/php.d/99-timezone.ini
|
|||
# memory_limit=2048M
|
||||
# upload_max_filesize=50M
|
||||
# post_max_size=50M
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit session.sid_length session.use_strict_mode
|
||||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
|
|
|||
|
|
@ -264,7 +264,7 @@ echo 'date.timezone = "Europe/Luxembourg"' |sudo tee /etc/opt/rh/rh-php72/php.d/
|
|||
# memory_limit = 2048M
|
||||
# upload_max_filesize = 50M
|
||||
# post_max_size = 50M
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit session.sid_length session.use_strict_mode
|
||||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
|
|
|||
|
|
@ -341,7 +341,7 @@ sudo a2ensite misp-ssl
|
|||
# memory_limit = 2048M
|
||||
# upload_max_filesize = 50M
|
||||
# post_max_size = 50M
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit session.sid_length session.use_strict_mode
|
||||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
|
|
|||
|
|
@ -363,7 +363,7 @@ sudo a2ensite misp-ssl
|
|||
# memory_limit = 2048M
|
||||
# upload_max_filesize = 50M
|
||||
# post_max_size = 50M
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit session.sid_length session.use_strict_mode
|
||||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
|
|
|||
|
|
@ -118,6 +118,9 @@ function installMISPonTsurugi() {
|
|||
post_max_size=50M
|
||||
max_execution_time=300
|
||||
memory_limit=2048M
|
||||
session.sid_length=32
|
||||
session.use_strict_mode=1
|
||||
|
||||
PHP_INI=/etc/php/7.0/apache2/php.ini
|
||||
|
||||
# apt config
|
||||
|
|
@ -406,7 +409,7 @@ function installMISPonTsurugi() {
|
|||
a2ensite misp-ssl
|
||||
a2ensite misp-dashboard
|
||||
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit session.sid_length session.use_strict_mode
|
||||
do
|
||||
sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
|
|
|||
Loading…
Reference in New Issue