chg: [doc] Added some RHEL FAQ pointers among others (#156)

chg: [doc] Added some RHEL FAQ pointers among others
Steve Clement 2019-05-08 12:10:19 +09:00 committed by GitHub
commit e0541848f6
3 changed files with 135 additions and 0 deletions


@ -61,6 +61,54 @@ Then find the individual event's metadata that was deleted
If you have any permission issues, please [set the permissions](https://misp.github.io/MISP/INSTALL.ubuntu1804/#5-set-the-permissions) to something sane first.
### RHEL/CentOS
There are a plethora of issues that might arise when using SELinux when it comes to permissions.
First, please familiarize yourself with [the basics](https://opensource.com/article/18/7/sysadmin-guide-selinux) of SELinux.
RedHat has a comprehensive [SELINUX USER'S AND ADMINISTRATOR'S GUIDE](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index).
For file system permissions, refer to the [install guide](https://misp.github.io/MISP/INSTALL.rhel7/#5-set-file-permissions) first.
Another way to see what SELinux might not be happy about is to use **ausearch**. This assumes Audit is enabled.
```bash
# Just php-fpm
sudo ausearch -c 'php-fpm' --message AVC
# All messages
sudo ausearch --message AVC
```
#### Redis Connection problems
If you have the following in **error.log**
```
2019-05-08 10:16:05 Error: [RedisException] Permission denied
Request URL: /events/view/1
Stack Trace:
#0 /var/www/MISP/app/Model/AppModel.php(1776): Redis->connect('127.0.0.1', 6379)
#1 /var/www/MISP/app/Model/Feed.php(329): AppModel->setupRedis()
#2 /var/www/MISP/app/Model/Event.php(2073): Feed->attachFeedCorrelations(Array, Array, Array, false)
#3 /var/www/MISP/app/Controller/EventsController.php(1547): Event->fetchEvent(Array, Array)
#4 [internal function]: EventsController->view('1')
#5 /var/www/MISP/app/Lib/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs(Object(EventsController), Array)
#6 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction(Object(CakeRequest))
#7 /var/www/MISP/app/Lib/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke(Object(EventsController), Object(CakeRequest))
#8 /var/www/MISP/app/webroot/index.php(92): Dispatcher->dispatch(Object(CakeRequest), Object(CakeResponse))
#9 {main}
```
This means that apache/php-fpm cannot connect over the network (localhost included).
Fix:
```bash
sudo setsebool -P httpd_can_network_connect on
# Perhaps a reload is not needed, but good practice wants us to test it anyways.
sudo systemctl restart rh-php72-php-fpm.service
sudo systemctl restart httpd.service
```
## When to update MISP?
One question might be how often to update MISP.
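Review bot: the fix block flips `httpd_can_network_connect` persistently (`-P`), which lets every httpd-labelled process, not only php-fpm's Redis client, open outbound connections to any host and port; the text should say that this is broader than the Redis-on-127.0.0.1:6379 case the stack trace shows and tell the reader to confirm from the `ausearch --message AVC` output that the denial really is the Redis connection before enabling it. Two smaller points in the same hunk: `rh-php72-php-fpm.service` only exists on an SCL PHP 7.2 install, so say so or name the distribution's own php-fpm unit, and the error.log block should carry a `text` fence tag like the surrounding bash-tagged blocks so the renderer does not guess.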
@ -266,6 +314,26 @@ chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
```
## How to debug misp-dashboard
This is the full chain from MISP to the live dashboard and some tips to find out which link is faulty.
1. MISP
Ensure that ZMQ is installed and enabled with the correct settings
2. MISP ZMQ
You can use MISP/tools/misp-zmq/sub.py which will subscribe to the ZMQ and print the data
3. ZMQ_subscriber
You can change the logging level from logging.INFO to logging.DEBUG and look in the logs for the string Pushed: *
Or add a print statement in the put_in_redis_list function
4. ZMQ_dispatcher
Look in the logs for the string Handling *
5. Server (Flask) and Browser (live Dashboard)
Open the Web developer Network tab in your browser and look for the url /_logs with Content-Type: text/event-stream;
## How to update object templates?
`git submodule update` in your MISP directory (or via the diagnostic page) and just click “Update Objects” in List Object Templates.
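Review bot: the explanatory lines under each numbered step in "How to debug misp-dashboard" are unindented, so markdown renders them as paragraphs that break the list; indent each continuation under its step. The steps are also underspecified where it matters: step 1 says "the correct settings" without naming them, step 4 says "Look in the logs" without saying which log, and steps 3 and 4 mention ZMQ_subscriber and ZMQ_dispatcher without saying that these are the dashboard's own scripts or where they log. For the object templates entry, `git submodule update` as written only refreshes an already initialised submodule; a short note on what to do when it has never been initialised would save a support question.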


@ -36,6 +36,64 @@ Galaxies can be reimported from the submodules by clicking the "Update Galaxies"
All galaxies will always be updated, even while browsing a specific galaxy.
### Adding a custom Galaxy repository in MISP (WiP - notFunctional)
[Fork](https://help.github.com/articles/fork-a-repo/) the [misp-galaxy](https://github.com/MISP/misp-galaxy/) repository to your github account.
Once you have forked the repo you can do the following, assuming you have followed the Standard MISP Install.
```bash
cd /var/www/MISP/app/files/
sudo rm -rf misp-galaxy
# Replace the following line with your fork
sudo -u www-data git clone https://github.com/SteveClement/misp-galaxy.git
```
Once this is done double check if you can still see the Galaxies in the Web UI.
> [warning] This will impact the UI "Update MISP" functionality in administration. Your git head might get [detached](https://git-scm.com/docs/gitglossary#gitglossary-aiddefdetachedHEADadetachedHEAD) in your misp-galaxy repo.
### Adding a new Galaxy (WiP - notFuctional)
#### Dependencies
To create your own Galaxies the following tools are needed to run the validation scripts.
- jsonschema (>v2.4)
- jq
- moreutils (sponge)
On a Debian flavoured distribution you can potentially do this:
```bash
sudo apt install jq moreutils python3-jsonschema
sudo wget -O /usr/local/bin/jsonschema https://gist.githubusercontent.com/SteveClement/e6ac60e153e9657913000216fc77c6ef/raw/c273ace06ad338d609dd2c84a0a6e215a268ea11/jsonschema
sudo chmod +x /usr/local/bin/jsonschema # This will only work with jsonschema >2.4 (before no CLI interface was available)
```
#### Create a fork
To add your custom Galaxy it is preferable to [fork](https://help.github.com/articles/fork-a-repo/) the [misp-galaxy](https://github.com/MISP/misp-galaxy/) repository. See above for details.
#### Understanding directory structure
#### Removing a Galaxy to better understand the add
Let's start with removing a single Galaxy.
```bash
cd /var/www/MISP/app/files/misp-galaxy
sudo -u www-data rm galaxies/android.json
sudo -u www-data rm clusters/android.json
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies force
```
After this you will have removed the android Galaxy Cluster.
### Using Galaxies in MISP Events - Example
For this example, we will try to add a cluster to an existing event. This cluster contains information about threat actor known as Sneaky Panda.
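Review bot: the dependency block installs a `jsonschema` script from a personal gist with `sudo wget -O /usr/local/bin/jsonschema` and marks it executable, which puts an unverified file on PATH as root; the URL is pinned to a gist revision but no checksum is given, so either document the expected hash or explain why the wrapper is needed at all when the same comment says jsonschema >2.4 already ships a CLI interface. Further points in this hunk: "Understanding directory structure" is an empty heading, "notFuctional" is misspelled, both sections are marked WiP/non-functional and arguably should not ship in the FAQ until they work, the `sudo -u www-data` commands assume the Ubuntu web user although this commit adds RHEL guidance elsewhere, and the `sudo rm -rf misp-galaxy` followed by a fresh clone should state up front that the directory is one of the submodules mentioned at the top of the hunk, which is why the later "Update MISP" warning applies.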
@ -52,6 +110,7 @@ A popup will appear proposising to explore a particular galaxy or all at the sam
Wait. No Sneaky Panda? Hm that's strange. Or maybe it is only registred as a alias. Let's have a look! To do so we will use the search field which stay on top of the list. So what do we get? Beijing Group, is it an alias of our threat actor.
![Search](./figures/Search.png)
Pointing the cursor on it will give us the answer.
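Review bot: the changed line carries several spelling and grammar slips that should be fixed in the same commit: "proposising" (proposing), "registred as a alias" (registered as an alias), "which stay on top" (which stays at the top), and "Beijing Group, is it an alias of our threat actor." is punctuated as a statement although it reads as the question the next sentence answers; rewording it so that Beijing Group is clearly the search result and the alias question follows would make the walkthrough easier to follow.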


@ -2,7 +2,15 @@
MISP modules are autonomous modules that can be used for expansion and other services in MISP.
The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.
MISP modules support is included in MISP starting from version 2.4.28.
[More](https://www.circl.lu/assets/files/misp-training/switch2016/2-misp-modules.pdf)
[MISP modules GitHub Repo](https://github.com/MISP/misp-modules)
## Installation
[Install guide on Ubuntu](https://github.com/MISP/misp-modules#how-to-install-and-start-misp-modules-in-a-python-virtualenv-recommended)
[Install guide RHEL/CentOS](https://github.com/MISP/misp-modules#how-to-install-and-start-misp-modules-on-rhel-based-distributions-)
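Review bot: the RHEL/CentOS install-guide link ends in `distributions-`, a trailing hyphen that GitHub generates when a heading has a space before its trailing punctuation; it may well be correct, but verify the anchor resolves in the misp-modules README before merging, since a broken anchor silently lands on the top of the page. Also, the link text "More" says nothing about its target (a 2016 training PDF); use a descriptive label, and the two installation links would read better as a list.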