2023-12-29 08:46:29 +01:00
This project is now archived as there is an official docker MISP project available at [https://github.com/MISP/misp-docker ](https://github.com/MISP/misp-docker ).
2016-09-27 08:49:04 +02:00
Docker MISP Container
=====================
2020-04-16 18:38:04 +02:00
### Latest Update: 4-14-2020
2018-03-08 00:48:48 +01:00
2018-06-01 05:01:47 +02:00
Following the Official MISP Ubuntu 18.04 LTS build instructions.
2018-06-01 05:10:56 +02:00
2019-01-16 02:49:20 +01:00
Latest Upstream Change Included: a62bca4e169c919413bba4e6ce978e30aae9183e
2018-03-08 00:48:48 +01:00
Github repo + build script here:
https://github.com/harvard-itsecurity/docker-misp
(note: after a git pull, update ```build.sh``` with your own passwords/FQDN, and then build the image)
2016-09-27 08:49:04 +02:00
# What is this?
This is an easy and highly customizable Docker container with MISP -
Malware Information Sharing Platform & Threat Sharing (http://www.misp-project.org)
Our goal was to provide a way to setup + run MISP in less than a minute!
We follow the official MISP installation steps everywhere possible,
while adding automation around tedious manual steps and configurations.
We have done this without sacrificing options and the ability to
customize MISP for your unique environment! Some examples include:
auto changing the salt hash, auto initializing the database, auto generating GPG
keys, auto generating working + secure configs, and adding custom
passwords/domain names/email addresses/ssl certificates.
2017-02-13 21:24:45 +01:00
The misp-modules extensions functionality has been included and can be
accessed from http://[dockerhostip]:6666/modules.
2017-02-14 15:12:32 +01:00
(thanks to Conrad)
2017-02-13 21:24:45 +01:00
2018-02-12 22:50:11 +01:00
# Build Docker container vs using Dockerhub binary?
We always recommend building your own Docker MISP image using our "build.sh" script.
This allows you to change all the passwords and customize a few config options.
That said, you can pull down the Dockerhub binary image, but this is
_not_ supported or recommended. It's there purely for convenience, and so that you can "get
a feel" for MISP without building it. It will by default contain "LOCALHOST" as all configured host everywhere, and this will only work on the same system or if you proxy/port forward.
Building your own MISP Docker image is incredibly simple:
```
git clone https://github.com/harvard-itsecurity/docker-misp.git
cd docker-misp
# modify build.sh, specifically for:
2019-03-16 19:35:30 +01:00
# 1.) all passwords (MYSQL, GPG)
2018-02-12 22:50:11 +01:00
# 2.) change at LEAST "MISP_FQDN" to your FQDN (domain)
# Build the docker image - will take a bit, but it's a one time thing!
# Run this from the root of "docker-misp"
./build.sh
```
2018-02-12 23:07:37 +01:00
This will produce an image called: ```harvarditsecurity/docker-misp```
2018-02-12 22:50:11 +01:00
2016-09-27 08:49:04 +02:00
# How to run it in 3 steps:
2018-03-08 00:48:48 +01:00
About ```$docker-root``` - If you are running Docker on a Mac, there are some mount directory restrictions by default (see: https://docs.docker.com/docker-for-mac/osxfs/#namespaces). Your ```$docker-root``` needs to be either one of the supported defaults ("Users", "Volumes", "private", or "tmp"), otherwise, you must go to "Preferences" -> "File Sharing" and add your chosen $docker-root to the list.
We would suggest using ```/docker``` for your ```$docker-root```, and if using a Mac, adding that to the File Sharing list.
2018-07-08 03:28:29 +02:00
Once you have your DB directory created (```mkdir -p /docker/misp-db```), follow the 3 steps:
2016-09-27 08:49:04 +02:00
## 1. Initialize Database
```
docker run -it --rm \
2018-03-08 00:48:48 +01:00
-v $docker-root/misp-db:/var/lib/mysql \
2016-09-27 08:49:04 +02:00
harvarditsecurity/misp /init-db
```
## 2. Start the container
```
docker run -it -d \
-p 443:443 \
-p 80:80 \
-p 3306:3306 \
2020-04-16 18:38:04 +02:00
-p 6666:6666 \
2018-03-08 00:48:48 +01:00
-v $docker-root/misp-db:/var/lib/mysql \
2016-09-27 08:49:04 +02:00
harvarditsecurity/misp
```
## 3. Access Web URL
```
Go to: https://localhost (or your "MISP_FQDN" setting)
Login: admin@admin.test
Password: admin
```
And change the password! :)
# What can you customize/pass during build?
You can customize the ```build.sh``` script to pass custom:
* MYSQL_MISP_PASSWORD
* POSTFIX_RELAY_HOST
* MISP_FQDN
* MISP_EMAIL
2019-03-16 19:35:30 +01:00
* MISP_GPG_PASSWORD
2016-09-27 08:49:04 +02:00
See build.sh for an example on how to customize and build your own image with custom defaults.
# How to use custom SSL Certificates:
During run-time, override ```/etc/ssl/private```
```
docker run -it -d \
-p 443:443 \
-p 80:80 \
-p 3306:3306 \
2018-03-08 00:48:48 +01:00
-v $docker-root/certs:/etc/ssl/private \
-v $docker-root/misp-db:/var/lib/mysql \
2016-09-27 08:49:04 +02:00
harvarditsecurity/misp
```
And in your ```/certs``` dir, create private/public certs with file names:
* misp.key
2017-09-25 15:26:37 +02:00
* misp.crt
2016-09-27 08:49:04 +02:00
2017-02-09 17:25:59 +01:00
# Security note in regards to key generation:
We have added "rng-tools" in order to help with entropy generation,
2017-02-13 21:24:45 +01:00
since users have mentioned that during the pgp generation, some
systems have a hard time creating enough "randomness". This in turn
uses a pseudo-random generator, which is not 100% secure. If this is a
concern for a production environment, you can either 1.) take out the
"rng-tools" part from the Dockerfile and re-build the container, or
2.) replace the keys with your own! For most users, this should not
ever be an issue. The "rng-tools" is removed as part of the build
process after it has been used.
2020-04-16 18:38:04 +02:00
# Using a reverse proxy/SSL offloading (Traefik, Caddy, HAProxy, Nginx, etc)
You will need to removing the SSL block (see: `/etc/apache2/sites-available/default-ssl.conf` )
And replace the HTTP block (see: `/etc/apache2/sites-available/000-default.conf` with:
```
< VirtualHost * :80 >
ServerAdmin admin@localhost
ServerName localhost
DocumentRoot /var/www/MISP/app/webroot
< Directory / var / www / MISP / app / webroot >
Options -Indexes
AllowOverride all
< / Directory >
LogLevel warn
ErrorLog /var/log/apache2/misp_error.log
CustomLog /var/log/apache2/misp_access.log combined
ServerSignature Off
< / VirtualHost >
```
If you don't want to build a new image with this, you can simply add to your run-time:
(note again: $docker-root is the place holder for your docker container and configs path)
```
-v $docker-root/apache.conf:/etc/apache2/sites-available/000-default.conf
```
2017-02-13 21:24:45 +01:00
# Contributions:
2018-06-13 05:55:02 +02:00
Conrad Crampton: @radder5 - RNG Tools and MISP Modules
2018-06-01 05:10:56 +02:00
Jeremy Barlow: @jbarlow -mcafee - Cleanup, configs, conveniences, python 2 vs 3 compatibility
2017-02-09 17:25:59 +01:00
2018-06-13 05:55:02 +02:00
Matt Saunders: @matt -saunders - Fixed all install warnings and errors
2019-03-17 02:56:03 +01:00
Matija Čoklica: @XizzoR - Discovered problem where GPG key was empty, lots of python/misp modules debugging (thanks!)
2019-03-16 19:35:30 +01:00
2016-09-27 08:49:04 +02:00
# Help/Questions/Comments:
For help or more info, feel free to contact Ventz Petkov: ventz_petkov@harvard.edu
