Hardening
Steve Clement edited this page 2021-10-14 22:17:10 +09:00

MISP is a complete LAMP (Linux-Apache-MySQL-PHP) stack, so securing each of these components is critical if the instance is to be exposed publicly online. This page lists points to look out for and some resources to achieve this goal.

MISP layer:

  1. MISP has a self-diagnostic tool that includes a security audit. It gives feedback at several severity levels about the current configuration and provides guidelines. It can be accessed from the MISP diagnostic page.
  2. MISP also offers feedback on its settings if some of them are not set or contain errors. These are summarized in the instance settings and are highlighted in their individual tabs with colors corresponding to their severity level. Admins are encouraged to double-check the following MISP settings:
    • The General audits (what is logged and how)
    • The GPG settings from the Encryption tab
    • The entire Security settings tab

Server stack layer:

As for every service accessible online, general server hardening should be put in place. Reference material with recommendations applicable to a MISP installation can be found in this blogpost. Additional Apache hardening practices can be found here, and security recommendations for MySQL in the MySQL documentation.

General best practices:

In addition to the previous points, good security hygiene should be followed. A non-exhaustive list can be found below:

  1. Keep software and the OS up-to-date and watch out for CVEs affecting running services
  2. Set adequate permissions on files and directories
  3. Expose to the Internet only what is necessary
    • Never expose Redis, MySQL and similar services to anything except localhost
  4. Necessary services must have SSL/TLS enabled and correctly configured
  5. If the service is public, enable 2FA
  6. If the service is semi-public, enable IP filtering or at least additional basic authentication
  7. Restrict access to database systems (e.g. MySQL, Redis) to specific users and IPs, and enforce password protection if these services are hosted on a different server
  8. Monitor your system and services, and read the logs
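Points 3 and 7 above (backend services reachable only from localhost) can be checked mechanically. The following shell script is an added example, not part of the MISP wiki or the MISP project; it assumes the default MySQL/MariaDB (3306) and Redis (6379) ports and the column layout of `ss -Hltn` (listening TCP sockets, numeric addresses, no header), and it flags any of those ports bound to a non-loopback address. The socket listing embedded in it is a constructed sample, not output from a real host.

```shell
#!/bin/sh
# Added example (not MISP project code): flag backend services that are
# bound to something other than the loopback interface.
# Ports that must stay local (assumed defaults): MySQL/MariaDB 3306, Redis 6379.
LOCAL_ONLY_PORTS="3306 6379"

# audit_listeners: reads `ss -Hltn` style lines on stdin and prints one line
# per listener on a local-only port whose bind address is not loopback.
# Returns 0 when nothing is exposed, 1 otherwise.
audit_listeners() {
    found=0
    while read -r state recvq sendq local peer rest; do
        [ -z "$local" ] && continue
        # "Local Address:Port" column: the port follows the last colon, which
        # also works for bracketed IPv6 such as "[::]:6379" and "[::1]:6379".
        port=${local##*:}
        host=${local%:*}
        for p in $LOCAL_ONLY_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$host" in
                127.*|'[::1]'|'[::ffff:127.'*) ;;   # loopback only: fine
                *) printf 'EXPOSED port %s bound to %s\n' "$port" "$host"
                   found=1 ;;
            esac
        done
    done
    return $found
}

# Constructed sample: SSH and HTTPS are meant to be public, MySQL is bound
# correctly, Redis is bound to both 0.0.0.0 (wrong) and ::1 (fine).
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 511 [::1]:6379 [::]:*'

# Demo on the sample; on a real host run:  ss -Hltn | audit_listeners
if printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners; then
    echo "no backend service exposed beyond localhost"
else
    echo "review the bindings above (bind-address in the MySQL config, bind in redis.conf)"
fi
```

The check is intentionally narrow: it only answers "is the database or cache reachable from a non-loopback address", which is the one item on the list that a single command line can settle. A flagged MySQL listener is normally corrected with `bind-address = 127.0.0.1` under `[mysqld]`, a flagged Redis listener with `bind 127.0.0.1` in redis.conf; TLS configuration, 2FA and password policy still have to be reviewed in the MISP settings and the service configuration themselves.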

Finally, additional resources and recommendations can be found in hardening.md.