From 77c11ce1c65fdcdda88274f5db062da7cf43571d Mon Sep 17 00:00:00 2001 From: Jakub Onderka Date: Sat, 7 Sep 2019 11:10:28 +0200 Subject: [PATCH 1/5] Appendix F: LDAP Authentication --- appendices/README.md | 69 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/appendices/README.md b/appendices/README.md index e03fb93..c94681a 100644 --- a/appendices/README.md +++ b/appendices/README.md 
@@ -309,3 +309,72 @@ A brief list of online ressources that around #ThreatIntel * [A curated list of awesome malware analysis tools and resources](https://github.com/rshipp/awesome-malware-analysis/blob/master/README.md). Inspired by [awesome-python](https://github.com/vinta/awesome-python) and [awesome-php](https://github.com/ziadoz/awesome-php). * [An authoritative list of awesome devsecops tools with the help from community experiments and contributions](https://github.com/devsecops/awesome-devsecops/blob/master/README.md).[DEV.SEC.OPS](http://devsecops.org) * [Advance Python IoC extractor](https://github.com/InQuest/python-iocextract) + +# Appendix F: LDAP Authentication + +MISP supports LDAP authentication from version 2.4.xxx. This manual will show how to configure LDAP authentication. + +#### Installation and configuration + +1. Install `mod_ldap` PHP module + ```bash + # for Centos or RHEL + yum install rh-php72-php-ldap + # for Ubuntu or debian + apt install php-ldap + ``` +2. Prepare variables for configuration + +* `{{ LDAP_SERVER }}` – a full LDAP URI of server. For example: `ldap://example.com`. +* `{{ LDAP_BASE_DN }}` – DN for path that contains users. For example: `cn=users,cn=accounts,dc=example,dc=com`. +* `{{ LDAP_BIND_DN }}` – user that can read. For example: `uid=misp,cn=sysaccounts,cn=etc,dc=example,dc=com`. +* `{{ LDAP_BIND_PASSWORD }}` – password for that user. +* `{{ LDAP_USER_GROUP }}` – group with access to MISP. For example: `cn=misp-users,cn=groups,cn=accounts,dc=example,dc=com`. + +3. 
Configure MISP ApacheSecureAuth in `app/Config/config.php` + + ```php + 'LdapAuth' => array( + 'enabled' => true, + 'name' => 'My Identity provider', + 'ldapServer' => '{{ LDAP_SERVER }}', + 'ldapDN' => '{{ LDAP_BASE_DN }}', + 'ldapSearchFilter' => '(objectclass=inetuser)', + 'ldapReaderUser' => '{{ LDAP_BIND_DN }}', + 'ldapReaderPassword' => '{{ LDAP_BIND_PASSWORD }}', + 'ldapUserGroup' => '{{ LDAP_USER_GROUP }}', + 'updateUser' => true, + ); + ``` + +Required variables: + +* `enabled` – if it is true, all users must log in trought LDAP account. +* `ldapServer` – a full LDAP URI of the form ldap://hostname:port or ldaps://hostname:port for TLS encryption. +* `ldapDN` – DN for path that contains users. + +Optional variables: + +* `name` – indentity provider name. Will be shown in login screen and user editing for. Can contain HTML. +* `ldapReaderUser` – DN or RDN LDAP user with permission to read LDAP information about users. +* `ldapReaderPassword` – password for that user. +* `ldapSearchFilter` - LDAP search filter. +* `ldapSearchAttribute` - LDAP attribute that contains username. Default: `uid`. +* `ldapEmailField` - LDAP attribute (string) or attributes (array) that will be checked if contains user e-mail address. If you want to change or add field, you should also add that field/fields to `ldapAttributes`. Default: `mail`. +* `ldapAttributes` – fields that will be fetched from LDAP server. Default: `mail` and `memberof`. +* `ldapUserGroup` - LDAP group that must be assigned to user to access MISP. Default: not set. +* `updateUser` - if `true`, MISP will update existing users information (like e-mail address or role) from LDAP after login. Default: `false`. +* `ldapDefaultOrg` – default organisation ID for user from LDAP. By default it is first organisation in database. +* `ldapDefaultRoleId` - default role for newly created user. It can be integer or array when key contains LDAP group and value assigned role ID. 
Must be defined if `updateUser` is set to `true` (without that variable, user will be disabled). +* `ldapProtocol` - protocol version used. Default: 3. +* `ldapNetworkTimeout` - timeout for communication with LDAP server in seconds. Default: 5 seconds. +* `ldapAllowReferrals` - follow referrals returned by the LDAP server. Default: `false`. +* `ldapStartTls` - enable STARTTLS. Default: `true`. + +#### Debugging + +Setting LDAP authentication can be sometimes tricky. For debugging, you can check MISP error log (by default in `/var/www/MISP/app/tmp/logs/`) that can contain useful information with problem description. + +#### Caveats + +* When user is disabled in LDAP, it will not disabled in MISP. That means that user cannot login, but for example notification e-mails still works or it is possible to use user Auth key to access MISP information. From 0ae44ee42660234bbd804a66f48bf6ca93a3b77e Mon Sep 17 00:00:00 2001 From: Jakub Onderka Date: Mon, 9 Sep 2019 17:16:24 +0200 Subject: [PATCH 2/5] Appendix F: LDAP Authentication (second try) --- appendices/README.md | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/appendices/README.md b/appendices/README.md index c94681a..15cfad8 100644 --- a/appendices/README.md +++ b/appendices/README.md 
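Review bot: In PATCH 1/5, step 1 of the new Appendix F tells the reader to install the `mod_ldap` PHP module, but the commands beneath it install `rh-php72-php-ldap` and `php-ldap`; `mod_ldap` is the Apache module name, so the step should read "Install the `php-ldap` PHP extension". Step 3 has the same naming mismatch: it says "Configure MISP ApacheSecureAuth" while the block it shows is keyed `'LdapAuth' => array(`. Two gaps a reader of this appendix will hit: "from version 2.4.xxx" is a placeholder that would ship as-is, and `ldapServer` is documented as "ldap://hostname:port or ldaps://hostname:port for TLS encryption" with `ldapStartTls` defaulting to `true`, yet the text never states whether the bind is refused or silently falls back to plaintext when an `ldap://` server does not offer STARTTLS; spell that out, since `ldapReaderPassword` and every user password travel over that connection. `name` is documented as "Can contain HTML" and is rendered on the login screen, so add that it must only ever come from trusted configuration. Minor: "trought" → "through", "indentity" → "identity", "user editing for" → "user editing form", and the unindented bullet list between steps 2 and 3 will restart the numbering in some Markdown renderers (indent it under step 2).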
@@ -301,15 +301,6 @@ This section lists some projects we know of but not officially support and rely | []() | | Not tested by MISP core team | --> -# Appendix E: Other Threat Intel Ressources - -A brief list of online ressources that around #ThreatIntel - -* [Curated list of awesome cybersecurity companies and solutions.](https://github.com/Annsec/awesome-cybersecurity/blob/master/README.md) (Updated April 2017) -* [A curated list of awesome malware analysis tools and resources](https://github.com/rshipp/awesome-malware-analysis/blob/master/README.md). Inspired by [awesome-python](https://github.com/vinta/awesome-python) and [awesome-php](https://github.com/ziadoz/awesome-php). -* [An authoritative list of awesome devsecops tools with the help from community experiments and contributions](https://github.com/devsecops/awesome-devsecops/blob/master/README.md).[DEV.SEC.OPS](http://devsecops.org) -* [Advance Python IoC extractor](https://github.com/InQuest/python-iocextract) - # Appendix F: LDAP Authentication MISP supports LDAP authentication from version 2.4.xxx. This manual will show how to configure LDAP authentication. 
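Review bot: In PATCH 2/5, this hunk deletes the whole "Appendix E: Other Threat Intel Ressources" section (heading, intro line and its four links) although the subject line only describes a second try at Appendix F. If the removal is intended, say so in the commit message and renumber Appendix F to E so the appendix letters stay contiguous; otherwise drop these `-` lines from the patch.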
@@ -349,13 +340,13 @@ MISP supports LDAP authentication from version 2.4.xxx. This manual will show ho Required variables: -* `enabled` – if it is true, all users must log in trought LDAP account. +* `enabled` – if it is true, all users must log in through LDAP account. * `ldapServer` – a full LDAP URI of the form ldap://hostname:port or ldaps://hostname:port for TLS encryption. -* `ldapDN` – DN for path that contains users. +* `ldapDN` – DN for a path that contains users. Optional variables: -* `name` – indentity provider name. Will be shown in login screen and user editing for. Can contain HTML. +* `name` – identity provider name. Will be shown in the login screen and user editing for. Can contain HTML. * `ldapReaderUser` – DN or RDN LDAP user with permission to read LDAP information about users. * `ldapReaderPassword` – password for that user. * `ldapSearchFilter` - LDAP search filter. 
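Review bot: In PATCH 2/5, the `name` line fixes "indentity" but leaves "user editing for", which should read "user editing form"; while touching the line, "in the login screen" reads better as "on the login screen". The `enabled` line should say "through an LDAP account".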
@@ -363,8 +354,9 @@ Optional variables: * `ldapEmailField` - LDAP attribute (string) or attributes (array) that will be checked if contains user e-mail address. If you want to change or add field, you should also add that field/fields to `ldapAttributes`. Default: `mail`. * `ldapAttributes` – fields that will be fetched from LDAP server. Default: `mail` and `memberof`. * `ldapUserGroup` - LDAP group that must be assigned to user to access MISP. Default: not set. -* `updateUser` - if `true`, MISP will update existing users information (like e-mail address or role) from LDAP after login. Default: `false`. -* `ldapDefaultOrg` – default organisation ID for user from LDAP. By default it is first organisation in database. +* `createUser` - if `true`, MISP will create new user from LDAP. Default `true`. +* `updateUser` - if `true`, MISP will update existing users information (e-mail address and role) from LDAP after login. Default: `false`. +* `ldapDefaultOrg` – default organization ID for user from LDAP. By default it is the first organization in the database. * `ldapDefaultRoleId` - default role for newly created user. It can be integer or array when key contains LDAP group and value assigned role ID. Must be defined if `updateUser` is set to `true` (without that variable, user will be disabled). * `ldapProtocol` - protocol version used. Default: 3. * `ldapNetworkTimeout` - timeout for communication with LDAP server in seconds. Default: 5 seconds. 
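Review bot: In PATCH 2/5, the new `createUser` option (default `true`) changes the meaning of the untouched `ldapDefaultRoleId` line, which still says it "Must be defined if `updateUser` is set to `true` (without that variable, user will be disabled)". With account creation on by default, the reader needs to know what role a freshly created LDAP user receives when `ldapDefaultRoleId` is unset and whether the account is created disabled; state that explicitly, and confirm whether the condition is really `updateUser` rather than `createUser`. Also write "Default: `true`" for `createUser`, matching the other entries, and "create new user from LDAP" → "create a MISP user for an LDAP user that does not exist yet".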
@@ -373,8 +365,15 @@ Optional variables: #### Debugging -Setting LDAP authentication can be sometimes tricky. For debugging, you can check MISP error log (by default in `/var/www/MISP/app/tmp/logs/`) that can contain useful information with problem description. +Setting LDAP authentication can be sometimes tricky. For debugging, you can check MISP error log (by default in `/var/www/MISP/app/tmp/logs/error.log`) or debug log (by default in `/var/www/MISP/app/tmp/logs/debug.log`) that can contain useful information with problem description. + +#### Migrating existing user to LDAP + +Because LDAP and MISP users are paired by e-mail address, it is possible to migrate existing user account to LDAP managed. When you enable LDAP support and LDAP user will try to log in, an existing user in MISP with the same e-mail address will be found and then assigned to LDAP user. #### Caveats -* When user is disabled in LDAP, it will not disabled in MISP. That means that user cannot login, but for example notification e-mails still works or it is possible to use user Auth key to access MISP information. +* When a user is disabled in LDAP or is removed from the required group, it will be not automatically disabled in MISP. That means that user will be disabled when he tries to login (with form or with Auth key), but for example, notification e-mails will still work until he tries to log in. +* When a user is disabled in LDAP and also in MISP and then enabled in LDAP, it will be enabled in MISP for next login just when `updateUser` is set to `true`. +* Currently it is not possible to log in with both LDAP and local (MISP) accounts. +* Admins can change users email address. But when `updateUser` is set to true, when the user will log in again, the e-mail address will be updated from LDAP. From f6de479c13ddfe29a6db08912db757a3745340eb Mon Sep 17 00:00:00 2001 
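Review bot: In PATCH 2/5, the new "Migrating existing user to LDAP" section states that "an existing user in MISP with the same e-mail address will be found and then assigned to LDAP user", which means control of any existing MISP account passes to whoever holds the LDAP entry whose `mail` value matches; the section (or the Caveats list) should say that `ldapEmailField` must be a unique attribute that only directory administrators can set, and that enabling LDAP therefore hands MISP account ownership to the directory operators. The first caveat is clearer than before but should add that an admin who needs an immediate lock-out must still disable the user in MISP manually, because the LDAP state is only re-checked at the next login attempt. Minor: "when he tries" → "when they try", and "that can contain useful information" → "which can contain useful information".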
From: Jakub Onderka Date: Mon, 9 Sep 2019 19:14:03 +0200 Subject: [PATCH 3/5] require_password_confirmation doesnt work --- appendices/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/appendices/README.md b/appendices/README.md index 15cfad8..0cc3e16 100644 --- a/appendices/README.md +++ b/appendices/README.md @@ -377,3 +377,4 @@ Because LDAP and MISP users are paired by e-mail address, it is possible to migr * When a user is disabled in LDAP and also in MISP and then enabled in LDAP, it will be enabled in MISP for next login just when `updateUser` is set to `true`. * Currently it is not possible to log in with both LDAP and local (MISP) accounts. * Admins can change users email address. But when `updateUser` is set to true, when the user will log in again, the e-mail address will be updated from LDAP. +* `Security.require_password_confirmation` setting currently doesnt work with LDAP authentication. But on the other hand, since user cannot change e-mail address and password, this setting is not important. From d6cf59dfb51e1066b1b3a6e2a8c991c13f6336d1 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Wed, 19 Aug 2020 15:51:36 +0900 Subject: [PATCH 4/5] chg: [doc] Added notes on monitoring --- faq/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/faq/README.md b/faq/README.md index 6daa5fe..05200f4 100644 --- a/faq/README.md +++ b/faq/README.md 
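Review bot: In PATCH 3/5, the added caveat's rationale "since user cannot change e-mail address and password, this setting is not important" overstates the case: the caveat directly above it says admins can still change a user's e-mail address, and the text does not say which other actions `Security.require_password_confirmation` guards. Name the actions the setting normally protects and state that LDAP users cannot perform them, rather than declaring the setting unimportant. Spelling: "doesnt" → "doesn't" in both the caveat and the subject line.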
@@ -25,6 +25,14 @@ We recommend a standard LAMP stack on top of Ubuntu >18.04 LTS. For details on t During a [Hackathon](https://hackathon.hack.lu) a small tool called [MISP-Sizer](https://misp-project.org/MISP-sizer/) was conceived. It will give you a **very rough** idea on what requirements are if you have a bigger installation. [source-code is here](https://github.com/MISP/MISP-sizer) + +### How to monitor MISP? + +Currently there are 2 documented ways to monitor MISP. + +Either with [MUNIN](http://munin-monitoring.org/) -> [misp-monitor](https://github.com/SteveClement/misp-monitor) for instructions. +Or [OpenNMS](https://www.opennms.com/) -> [Instructions here](https://www.misp-project.org/2020/08/18/MISP-Monitoring-with-OpenNMS.html) + *** ## Specific questions ### Can I configure MISP encrypted notification emails to contain more information in the subject? From e4d4e3db2565a210d9473af54139d3e3f0913169 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Wed, 19 Aug 2020 16:07:21 +0900 Subject: [PATCH 5/5] chg: [doc] confirmed working on recent Debian distros. --- USAGE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/USAGE.md b/USAGE.md index 92a9359..d9ea073 100644 --- a/USAGE.md +++ b/USAGE.md @@ -41,7 +41,7 @@ found 368 vulnerabilities (48 low, 250 moderate, 62 high, 8 critical) ``` -Tested on: *Ubuntu 18.04 LTS* *Debian 9.5/sid/testing* +Tested on: *Ubuntu 18.04/20.04 LTS* *Debian 10.5/sid/testing* [Terminal Recording of npm install lines on Ubuntu 18.04](https://asciinema.org/a/84JZMuGu2QlFH59q6mK8jbdQS) ```bash
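Review bot: In PATCH 4/5, the two lines "Either with [MUNIN] -> [misp-monitor] for instructions." and "Or [OpenNMS] -> [Instructions here]" are sentence fragments; present them as a two-item bullet list ("* [Munin] via [misp-monitor]" / "* [OpenNMS], see the linked instructions") and write "two documented ways" rather than "2 documented ways".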
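Review bot: In PATCH 5/5, the tested-platform line becomes "*Ubuntu 18.04/20.04 LTS* *Debian 10.5/sid/testing*", but the `npm audit` summary in the context above, "found 368 vulnerabilities (48 low, 250 moderate, 62 high, 8 critical)", and the link "Terminal Recording of npm install lines on Ubuntu 18.04" still describe the earlier run; either refresh that output from the 20.04/Debian 10.5 installs the subject says were confirmed, or date the audit output so readers do not take a stale vulnerability count as current.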