MISP/tools/misp-wipe/misp-wipe.sh

#!/bin/bash
##
## script to wipe MISP on debian/ubuntu
##
## Adapted from misp-backup by daverstephens@gmail.com
## https://github.com/daverstephens/The-SOC-Shop
## and @alexanderjaeger
## https://github.com/deralexxx/misp-backup

##
## This script can be used to reset a MISP instance
## by clearing all events, orgs and users.
## It is highy recommended to run misp-backup.sh first!
##
## Tested against MISP 2.4.96
##
## Run the script as the standard user with the command below
##
## cp misp-wipe.conf.sample misp-wipe.conf
## vi misp-wipe.conf # adjust values
## sudo bash -x misp-wipe.sh 2>&1 | tee misp-wipe.log
##
## /!\ This might fail or create a random '0' file if using ZSH... (Oh-My...Berk)
##
## Time to set some variables
##

# This makes use of the standard variables used by the installer
eval "$(curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/docs/generic/globalVariables.md | awk '/^# <snippet-begin/,0' | grep -v \`\`\`)"
MISPvars > /dev/null 2>&1

LUSER_ID="$(id -u)"

if [[ "${LUSER_ID}" > "0" ]]; then
  echo "Please run this as a privileged user"
  echo "(usually 'sudo !!' will cover you)"
  exit
fi

FILE=${CWD}./misp-wipe.conf
SQL=${CWD}./misp-wipe.sql

# Source configuration file
if [[ -f ${FILE} ]]; then
   echo "File ${FILE} exists."
   . ${FILE}
else
        echo "Config File $FILE does not exist. Please enter values manually"
        ## MySQL stuff
        echo 'Please enter your MySQL root account username'
        read MySQLRUser
        echo 'Please enter your MySQL root account password (will not be echoed)'
        read -s MySQLRPass
fi


# Fill in any missing values with defaults

# MISP path, abort when not set and autodetect fails
([[ -z ${PATH_TO_MISP} ]] && PTM=$(locate MISP/app/webroot/index.php) ; [[ $(echo ${PTM} |sed 's/\/app\/webroot\/index\.php//'| wc -l) > 1 ]] && echo "More then 1 MISP install found: ${PTM} - abort." && exit -1)
PATH_TO_MISP=${PATH_TO_MISP:-$(locate MISP/app/webroot/index.php|sed 's/\/app\/webroot\/index\.php//')}
# database.php
MySQLUUser=$(grep -o -P "(?<='login' => ').*(?=')" ${PATH_TO_MISP}/app/Config/database.php)
MySQLUPass=$(grep -o -P "(?<='password' => ').*(?=')" ${PATH_TO_MISP}/app/Config/database.php)
MISPDB=$(grep -o -P "(?<='database' => ').*(?=')" ${PATH_TO_MISP}/app/Config/database.php)
DB_Port=$(grep -o -P "(?<='port' => ).*(?=,)" ${PATH_TO_MISP}/app/Config/database.php)
MISPDBHost=$(grep -o -P "(?<='host' => ').*(?=')" ${PATH_TO_MISP}/app/Config/database.php)

echo "Clearing data model cache files"
rm -f ${PATH_TO_MISP}/app/tmp/cache/models/myapp_*
rm -f ${PATH_TO_MISP}/app/tmp/cache/persistent/myapp_*

echo "Wiping MySQL tables"
echo "Removes all users and organizations, except default (id=1)"
echo " - Change DELETE FROM to > 0 in misp-wipe.sql to also remove default ones"
echo " - Defaults are created on first login"
MySQLRUser=${MySQLRUser:-$MySQLUUser}
MySQLRPass=${MySQLRPass:-$MySQLUPass}
mysql --host $MISPDBHost -u $MySQLRUser -p$MySQLRPass $MISPDB < $SQL

echo "Inserting default values to MySQL tables"
TMP=/tmp/misp-wipe-$$.sql
cd $PATH_TO_MISP
sed -n '/Default values for initial installation/ { s///; :a; n; p; ba; }' INSTALL/MYSQL.sql | egrep -v '(admin_settings|db_version)' > $TMP
mysql --host $MISPDBHost -u $MySQLRUser -p$MySQLRPass $MISPDB < $TMP
rm -f $TMP

echo "Wiping files"
git clean -f -x app/webroot/img/orgs
#git clean -f -x app/webroot/img/custom
git clean -f -d -x app/tmp
git clean -f -d -x app/files

echo "Updating taxonomies"
baseurl=$(grep -o -P "(?<='baseurl' => ').*(?=')" $PATH_TO_MISP/app/Config/config.php)
AuthKey=$(echo 'select authkey from users where role_id = 1 order by id limit 1;' | mysql -u $MySQLRUser -p$MySQLRPass $MISPDB 2>/dev/null | tail -1)
curl --header "Authorization: $AuthKey" --header "Accept: application/json" --header "Content-Type: application/json" -o /dev/null -s -X POST ${baseurl}/taxonomies/update

echo "Updating warninglists"
curl --header "Authorization: $AuthKey" --header "Accept: application/json" --header "Content-Type: application/json" -o /dev/null -s -X POST ${baseurl}/warninglists/update

echo "Updating noticelists"
curl --header "Authorization: $AuthKey" --header "Accept: application/json" --header "Content-Type: application/json" -o /dev/null -s -X POST ${baseurl}/noticelists/update

echo "Updating galaxies"
curl --header "Authorization: $AuthKey" --header "Accept: application/json" --header "Content-Type: application/json" -o /dev/null -s -X POST ${baseurl}/galaxies/update

echo "Updating objectTemplates"
curl --header "Authorization: $AuthKey" --header "Accept: application/json" --header "Content-Type: application/json" -o /dev/null -s -X POST ${baseurl}/objectTemplates/update

echo "Updating decayingModel"
curl --header "Authorization: $AuthKey" --header "Accept: application/json" --header "Content-Type: application/json" -o /dev/null -s -X POST ${baseurl}/decayingModel/update

if [ "$ENABLE_WARNINGLISTS" = "true" ]; then
  echo "Enabling warninglists"
  wls=$(curl --header "Authorization: $AuthKey" --header "Accept: application/json" --header "Content-Type: application/json" -s -X POST ${baseurl}/warninglists/index | jq -r '.Warninglists[] | select(.Warninglist.enabled == false) | .Warninglist.id' 2>/dev/null)
  for wl in $wls; do
    curl --header "Authorization: $AuthKey" --header "Accept: application/json" --header "Content-Type: application/json" -d "{\"id\":$wl}" -o /dev/null -s -X POST ${baseurl}/warninglists/toggleEnable
  done
fi

if [ "$ENABLE_NOTICELISTS" = "true" ]; then
  echo "Enabling noticelists"
  nls=$(curl --header "Authorization: $AuthKey" --header "Accept: application/json" --header "Content-Type: application/json" -s -X POST ${baseurl}/noticelists/index | jq -r '.[] | select(.Noticelist.enabled == false) | .Noticelist.id' 2>/dev/null)
  for nl in $nls; do
    curl --header "Authorization: $AuthKey" --header "Accept: application/json" --header "Content-Type: application/json" -d "{\"Noticelist\":{\"data\":$nl}}" -o /dev/null -s -X POST ${baseurl}/noticelists/toggleEnable
  done
fi

echo 'MISP Wipe Complete!!!'