From abec006996d4b54e649f2ef26732d7dbf9bfb8f7 Mon Sep 17 00:00:00 2001 From: m5050 Date: Sun, 12 Jan 2025 13:53:57 +0300 Subject: [PATCH 1/7] Add "PHP_MAX_FILE_UPLOADS" and "NGINX_CLIENT_MAX_BODY_SIZE" environment variables (#207) --- core/files/entrypoint.sh | 2 ++ core/files/entrypoint_fpm.sh | 2 ++ core/files/entrypoint_nginx.sh | 4 ++++ docker-compose.yml | 2 ++ template.env | 5 +++++ 5 files changed, 15 insertions(+) diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh index 33ee9b6..aa4ab32 100755 --- a/core/files/entrypoint.sh +++ b/core/files/entrypoint.sh @@ -50,6 +50,7 @@ export PHP_MAX_EXECUTION_TIME=${PHP_MAX_EXECUTION_TIME:-300} export PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M} export PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M} export PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300} +export PHP_MAX_FILE_UPLOADS=${PHP_MAX_FILE_UPLOADS:-50} export PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN:-5} export PHP_FCGI_START_SERVERS=${PHP_FCGI_START_SERVERS:-2} @@ -67,6 +68,7 @@ export PHP_SESSION_COOKIE_SAMESITE=${PHP_SESSION_COOKIE_SAMESITE:-Lax} export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false} export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM} +export NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M} # start supervisord using the main configuration file so we have a socket interface /usr/bin/supervisord -c /etc/supervisor/supervisord.conf diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh index 5afe22f..d2d2606 100755 --- a/core/files/entrypoint_fpm.sh +++ b/core/files/entrypoint_fpm.sh 
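Review bot: The `NGINX_CLIENT_MAX_BODY_SIZE` default on the last added line repeats the `50M` literal instead of following `PHP_POST_MAX_SIZE` from the hunk above, so an operator who raises only the PHP limits has nginx reject the larger bodies with 413 before PHP ever sees them. `export NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-${PHP_POST_MAX_SIZE}}` keeps the two aligned, and both nginx and PHP accept the `50M` suffix form. Note that this entrypoint default is only reached when the variable arrives empty; the `:-50M` this patch also adds to docker-compose.yml pre-empts it, so that default would need the same treatment or be dropped.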
@@ -19,6 +19,8 @@ change_php_vars() { sed -i "s/max_execution_time = .*/max_execution_time = ${PHP_MAX_EXECUTION_TIME}/" "$FILE" echo "Configure PHP | Setting 'upload_max_filesize = ${PHP_UPLOAD_MAX_FILESIZE}'" sed -i "s/upload_max_filesize = .*/upload_max_filesize = ${PHP_UPLOAD_MAX_FILESIZE}/" "$FILE" + echo "Configure PHP | Setting 'max_file_uploads = ${PHP_MAX_FILE_UPLOADS}'" + sed -i "s/max_file_uploads = .*/max_file_uploads = ${PHP_MAX_FILE_UPLOADS}/" "$FILE" echo "Configure PHP | Setting 'post_max_size = ${PHP_POST_MAX_SIZE}'" sed -i "s/post_max_size = .*/post_max_size = ${PHP_POST_MAX_SIZE}/" "$FILE" echo "Configure PHP | Setting 'max_input_time = ${PHP_MAX_INPUT_TIME}'" diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh index 9c67626..196ef53 100755 --- a/core/files/entrypoint_nginx.sh +++ b/core/files/entrypoint_nginx.sh @@ -225,6 +225,10 @@ init_nginx() { echo "... adjusting 'fastcgi_connect_timeout' to ${FASTCGI_CONNECT_TIMEOUT}" sed -i "s/fastcgi_connect_timeout .*;/fastcgi_connect_timeout ${FASTCGI_CONNECT_TIMEOUT};/" /etc/nginx/includes/misp + # Adjust maximum allowed size of the client request body + echo "... adjusting 'client_max_body_size' to ${NGINX_CLIENT_MAX_BODY_SIZE}" + sed -i "s/client_max_body_size .*;/client_max_body_size ${NGINX_CLIENT_MAX_BODY_SIZE};/" /etc/nginx/includes/misp + # Adjust forwarding header settings (clean up first) sed -i '/real_ip_header/d' /etc/nginx/includes/misp sed -i '/real_ip_recursive/d' /etc/nginx/includes/misp diff --git a/docker-compose.yml b/docker-compose.yml index e085e2a..2d0c8f7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -157,6 +157,7 @@ services: # Nginx settings - "NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR}" - "NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}" + - "NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-50M}" # Proxy settings - "PROXY_ENABLE=${PROXY_ENABLE}" - "PROXY_HOST=${PROXY_HOST}" 
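Review bot: The new `sed` for `max_file_uploads` is unanchored and the value is never validated, so a non-numeric `PHP_MAX_FILE_UPLOADS` is written verbatim into php.ini, and an ini that ships the directive commented out (`;max_file_uploads = 20`) is rewritten to `;max_file_uploads = 50`, still commented, leaving PHP's built-in default in force while the log line claims it was set. A one-line guard before the substitution, `[[ "${PHP_MAX_FILE_UPLOADS}" =~ ^[0-9]+$ ]] || { echo "Configure PHP | invalid PHP_MAX_FILE_UPLOADS" >&2; exit 1; }`, plus anchoring the pattern as `s/^;\?max_file_uploads = .*/max_file_uploads = ${PHP_MAX_FILE_UPLOADS}/`, covers both. The neighbouring `sed` lines share the same unanchored pattern, so this is a pre-existing style the new line inherits; `change_php_vars` starts before the hunk.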
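Review bot: The added `sed -i "s/client_max_body_size .*;/..."` is a silent no-op if `/etc/nginx/includes/misp` carries no `client_max_body_size` directive yet, in which case nginx keeps its built-in 1m limit and uploads fail with 413 whatever the variable says; I cannot see that include from the diff, so this is worth confirming, or the directive should be appended when the match is absent. The value is also spliced unvalidated into the `sed` replacement and from there into the nginx config, so a value containing `/`, `&` or `;` breaks either the substitution or nginx at startup; `[[ "${NGINX_CLIENT_MAX_BODY_SIZE}" =~ ^[0-9]+[kKmMgG]?$ ]] || { echo "... invalid NGINX_CLIENT_MAX_BODY_SIZE" >&2; exit 1; }` before the `sed` is a cheap check. `init_nginx` begins before the hunk.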
@@ -201,6 +202,7 @@ services: - "PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}" - "PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}" - "PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}" + - "PHP_MAX_FILE_UPLOADS=${PHP_MAX_FILE_UPLOADS:-50}" # PHP FPM pool setup - "PHP_FCGI_CHILDREN=${PHP_FCGI_CHILDREN:-5}" - "PHP_FCGI_START_SERVERS=${PHP_FCGI_START_SERVERS:-2}" diff --git a/template.env b/template.env index dfe5038..69bdaac 100644 --- a/template.env +++ b/template.env @@ -200,6 +200,8 @@ SYNCSERVERS_1_PULL_RULES= # PHP_POST_MAX_SIZE=50M # Maximum time PHP spends parsing input data in seconds. # PHP_MAX_INPUT_TIME=300 +# Maximum number of file to upload per request. +# PHP_MAX_FILE_UPLOADS=50 ## PHP FPM pool setup # Maximum number of php-fpm processes, limits the number of simultaneous requests. @@ -252,6 +254,9 @@ SYNCSERVERS_1_PULL_RULES= # Options: DENY, SAMEORIGIN, ALLOW-FROM Default: SAMEORIGIN # X_FRAME_OPTIONS= +# NGINX maximum allowed size of the client request body. +# NGINX_CLIENT_MAX_BODY_SIZE=50M + # Content-Security-Policy (CSP) configuration: defines allowed resources and prevents attacks like XSS. # Example: "frame-src 'self' https://*.example.com; frame-ancestors 'self' https://*.example.com; object-src 'none'; report-uri https://example.com/cspReport" # CONTENT_SECURITY_POLICY= From 3d9729db86459ec6d0e1fbf33d6d08086078fdec Mon Sep 17 00:00:00 2001 From: marjatech <72734273+marjatech@users.noreply.github.com> Date: Sun, 12 Jan 2025 11:54:49 +0100 Subject: [PATCH 2/7] remove post-check and pre-check - discouraged IE-only Cache directives (#205) --- core/files/var/www/html/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/files/var/www/html/index.php b/core/files/var/www/html/index.php index 6b5e9c9..c779b69 100644 --- a/core/files/var/www/html/index.php +++ b/core/files/var/www/html/index.php @@ -1,7 +1,7 @@ From 9a5852003a405e019f889bd5be231a3542b0bed0 Mon Sep 17 00:00:00 2001 
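Review bot: The new `PHP_MAX_FILE_UPLOADS=${PHP_MAX_FILE_UPLOADS:-50}` entry is fine, but the context line directly above it reads `PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}` with a colon instead of `=`; in a compose `environment` list an entry without `=` is treated as a bare variable name to pass through from the host, so `PHP_MAX_INPUT_TIME` from `.env` never reaches the container and the entrypoint's own `300` default always applies, which is why the bug goes unnoticed. Since this patch edits the same block it is the natural place to change that line to `- "PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300}"`.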
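Review bot: The new comment `# Maximum number of file to upload per request.` is ungrammatical and slightly misleading, since the setting caps how many files one request may carry rather than prescribing a number to upload; `# Maximum number of files that may be uploaded in a single request (PHP max_file_uploads).` says what the `sed` in entrypoint_fpm.sh actually writes.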
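Review bot: The new `NGINX_CLIENT_MAX_BODY_SIZE` comment does not tell the operator that the value must be at least `PHP_POST_MAX_SIZE` from the PHP block earlier in this file, otherwise nginx answers 413 for bodies PHP would have accepted; that coupling is the main reason anyone touches this setting, so it belongs in the template. I would write `# NGINX maximum allowed size of the client request body. Keep it >= PHP_POST_MAX_SIZE, or nginx rejects (413) uploads PHP would accept.`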
From: Koen Van Impe Date: Sun, 12 Jan 2025 11:59:57 +0100 Subject: [PATCH 3/7] Include rsyslog for local syslogger (#202) * Include rsyslog for local syslogger * Update Dockerfile --- core/Dockerfile | 2 ++ core/files/etc/supervisor/conf.d/10-supervisor.conf | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/core/Dockerfile b/core/Dockerfile index 57ec171..a8edffc 100644 --- a/core/Dockerfile +++ b/core/Dockerfile @@ -178,6 +178,8 @@ FROM php-base gpg-agent \ mariadb-client \ rsync \ + # Include rsyslog to support syslogger + rsyslog \ # PHP Requirements php8.2 \ php8.2-apcu \ diff --git a/core/files/etc/supervisor/conf.d/10-supervisor.conf b/core/files/etc/supervisor/conf.d/10-supervisor.conf index 8b7c81f..fde3172 100644 --- a/core/files/etc/supervisor/conf.d/10-supervisor.conf +++ b/core/files/etc/supervisor/conf.d/10-supervisor.conf @@ -37,3 +37,12 @@ stdout_logfile=/dev/stdout stdout_logfile_maxbytes=0 stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 + +[program:rsyslog] +command=/usr/sbin/rsyslogd -n +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +autostart=true +autorestart=true From 3435b7159ed7f59d72b9381fb6725f5e00be393a Mon Sep 17 00:00:00 2001 From: arteta22000 Date: Sun, 12 Jan 2025 12:02:02 +0100 Subject: [PATCH 4/7] Make LdapAuth configurable via environment variables (#209) * Make LdapAuth configurable via environment variables * fix check_env_vars on one line * readme.md update --- README.md | 8 +++ core/files/configure_misp.sh | 96 ++++++++++++++++++++++++++++-------- docker-compose.yml | 57 ++++++++++++++------- template.env | 56 +++++++++++++++------ 4 files changed, 163 insertions(+), 54 deletions(-) diff --git a/README.md b/README.md index 74879fd..09d1b07 100644 --- a/README.md +++ b/README.md 
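Review bot: `stdout_logfile=/dev/stdout` on the new `[program:rsyslog]` entry captures only rsyslogd's own diagnostics, not the syslog messages it collects; where those go is decided by rsyslog's configuration, and nothing in this patch adds one. If the image ends up with the distribution's stock `/etc/rsyslog.conf` (the Dockerfile hunk only adds the package, and I cannot see any file copies from the diff), messages land in `/var/log/syslog` inside the container, where they grow unbounded with no logrotate and disappear when the container is recreated, and the stock `imklog` module will complain that the kernel log is unreadable in an unprivileged container. I would COPY a minimal `/etc/rsyslog.conf` that loads only `imuxsock` and routes `*.*` to `/dev/stdout` or to a remote collector, so MISP's syslog audit trail actually reaches the container log stream.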
@@ -95,6 +95,14 @@ To override these behaviours edit the docker-compose.yml file's misp-core volume If it is just a default setting that is meant to be set if not already set by the user, add it in one of the `*.default.json` files. If it is a setting controlled by an environment variable which is meant to override whatever is set, add it in one of the `*.envars.json` files (note that you can still specify a default value). +#### LDAP Authentication + +You can configure LDAP authentication in MISP using 2 methods: +- native plugin: LdapAuth (https://github.com/MISP/MISP/tree/2.5/app/Plugin/LdapAuth) +- previous approach with ApacheSecureAuth (https://gist.github.com/Kagee/f35ed25216369481437210753959d372). + +LdapAuth is to be recommended, because it doesn't require rproxy apache with the ldap module. + ### Production - It is recommended to specify the build you want run by editing `docker-compose.yml` (see here for the list of available tags https://github.com/orgs/MISP/packages) diff --git a/core/files/configure_misp.sh b/core/files/configure_misp.sh index 73900ca..9ba9f03 100755 --- a/core/files/configure_misp.sh +++ b/core/files/configure_misp.sh 
@@ -155,36 +155,88 @@ set_up_oidc() { fi } +set_up_apachesecureauth() { + if [[ "$APACHESECUREAUTH_LDAP_ENABLE" != "true" ]]; then + echo "... LDAP APACHESECUREAUTH authentication disabled" + return + fi + + + if [ ! -z "$APACHESECUREAUTH_LDAP_OLD_VAR_DETECT" ]; then + echo "WARNING: old variables used for APACHESECUREAUTH bloc in env file. Switch to the new naming convention." + fi + + # Check required variables + # APACHESECUREAUTH_LDAP_SEARCH_FILTER may be empty + check_env_vars APACHESECUREAUTH_LDAP_APACHE_ENV APACHESECUREAUTH_LDAP_SERVER APACHESECUREAUTH_LDAP_STARTTLS APACHESECUREAUTH_LDAP_READER_USER APACHESECUREAUTH_LDAP_READER_PASSWORD APACHESECUREAUTH_LDAP_DN APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE APACHESECUREAUTH_LDAP_FILTER APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID APACHESECUREAUTH_LDAP_DEFAULT_ORG APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT APACHESECUREAUTH_LDAP_OPT_REFERRALS + + sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ + \"ApacheSecureAuth\": { + \"apacheEnv\": \"${APACHESECUREAUTH_LDAP_APACHE_ENV}\", + \"ldapServer\": \"${APACHESECUREAUTH_LDAP_SERVER}\", + \"starttls\": ${APACHESECUREAUTH_LDAP_STARTTLS}, + \"ldapProtocol\": ${APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION}, + \"ldapNetworkTimeout\": ${APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT}, + \"ldapReaderUser\": \"${APACHESECUREAUTH_LDAP_READER_USER}\", + \"ldapReaderPassword\": \"${APACHESECUREAUTH_LDAP_READER_PASSWORD}\", + \"ldapDN\": \"${APACHESECUREAUTH_LDAP_DN}\", + \"ldapSearchFilter\": \"${APACHESECUREAUTH_LDAP_SEARCH_FILTER}\", + \"ldapSearchAttribut\": \"${APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE}\", + \"ldapFilter\": ${APACHESECUREAUTH_LDAP_FILTER}, + \"ldapDefaultRoleId\": ${APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID}, + \"ldapDefaultOrg\": \"${APACHESECUREAUTH_LDAP_DEFAULT_ORG}\", + \"ldapAllowReferrals\": ${APACHESECUREAUTH_LDAP_OPT_REFERRALS}, + \"ldapEmailField\": ${APACHESECUREAUTH_LDAP_EMAIL_FIELD} + } + }" > /dev/null + + # 
Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116 + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false +} + set_up_ldap() { - if [[ "$LDAP_ENABLE" != "true" ]]; then - echo "... LDAP authentication disabled" + if [[ "$LDAPAUTH_ENABLE" != "true" ]]; then + echo "... LDAPAUTH authentication disabled" return fi # Check required variables - # LDAP_SEARCH_FILTER may be empty - check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS + # LDAPAUTH_LDAPSEARCHFILTER may be empty + check_env_vars LDAPAUTH_LDAPSERVER LDAPAUTH_LDAPDN LDAPAUTH_LDAPREADERUSER LDAPAUTH_LDAPREADERPASSWORD LDAPAUTH_LDAPSEARCHATTRIBUTE LDAPAUTH_LDAPDEFAULTROLEID LDAPAUTH_LDAPDEFAULTORGID LDAPAUTH_LDAPEMAILFIELD LDAPAUTH_LDAPNETWORKTIMEOUT LDAPAUTH_LDAPPROTOCOL LDAPAUTH_LDAPALLOWREFERRALS LDAPAUTH_STARTTLS LDAPAUTH_MIXEDAUTH LDAPAUTH_UPDATEUSER LDAPAUTH_DEBUG LDAPAUTH_LDAPTLSREQUIRECERT LDAPAUTH_LDAPTLSCUSTOMCACERT LDAPAUTH_LDAPTLSCRLCHECK LDAPAUTH_LDAPTLSPROTOCOLMIN sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ - \"ApacheSecureAuth\": { - \"apacheEnv\": \"${LDAP_APACHE_ENV}\", - \"ldapServer\": \"${LDAP_SERVER}\", - \"starttls\": ${LDAP_STARTTLS}, - \"ldapProtocol\": ${LDAP_OPT_PROTOCOL_VERSION}, - \"ldapNetworkTimeout\": ${LDAP_OPT_NETWORK_TIMEOUT}, - \"ldapReaderUser\": \"${LDAP_READER_USER}\", - \"ldapReaderPassword\": \"${LDAP_READER_PASSWORD}\", - \"ldapDN\": \"${LDAP_DN}\", - \"ldapSearchFilter\": \"${LDAP_SEARCH_FILTER}\", - \"ldapSearchAttribut\": \"${LDAP_SEARCH_ATTRIBUTE}\", - \"ldapFilter\": ${LDAP_FILTER}, - \"ldapDefaultRoleId\": ${LDAP_DEFAULT_ROLE_ID}, - \"ldapDefaultOrg\": \"${LDAP_DEFAULT_ORG}\", - \"ldapAllowReferrals\": ${LDAP_OPT_REFERRALS}, - \"ldapEmailField\": 
${LDAP_EMAIL_FIELD} - } + \"LdapAuth\": { + \"ldapServer\": \"${LDAPAUTH_LDAPSERVER}\", + \"ldapDn\": \"${LDAPAUTH_LDAPDN}\", + \"ldapReaderUser\": \"${LDAPAUTH_LDAPREADERUSER}\", + \"ldapReaderPassword\": \"${LDAPAUTH_LDAPREADERPASSWORD}\", + \"ldapSearchFilter\": \"${LDAPAUTH_LDAPSEARCHFILTER}\", + \"ldapSearchAttribute\": \"${LDAPAUTH_LDAPSEARCHATTRIBUTE}\", + \"ldapEmailField\": ${LDAPAUTH_LDAPEMAILFIELD}, + \"ldapNetworkTimeout\": ${LDAPAUTH_LDAPNETWORKTIMEOUT}, + \"ldapProtocol\": ${LDAPAUTH_LDAPPROTOCOL}, + \"ldapAllowReferrals\": ${LDAPAUTH_LDAPALLOWREFERRALS}, + \"starttls\": ${LDAPAUTH_STARTTLS}, + \"mixedAuth\": ${LDAPAUTH_MIXEDAUTH}, + \"ldapDefaultOrgId\": ${LDAPAUTH_LDAPDEFAULTORGID}, + \"ldapDefaultRoleId\": ${LDAPAUTH_LDAPDEFAULTROLEID}, + \"updateUser\": ${LDAPAUTH_UPDATEUSER}, + \"debug\": ${LDAPAUTH_DEBUG}, + \"ldapTlsRequireCert\": \"${LDAPAUTH_LDAPTLSREQUIRECERT}\", + \"ldapTlsCustomCaCert\": ${LDAPAUTH_LDAPTLSCUSTOMCACERT}, + \"ldapTlsCrlCheck\": \"${LDAPAUTH_LDAPTLSCRLCHECK}\", + \"ldapTlsProtocolMin\": \"${LDAPAUTH_LDAPTLSPROTOCOLMIN}\" + } }" > /dev/null + # Configure LdapAuth in MISP + sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ + \"Security\": { + \"auth\": [\"LdapAuth.Ldap\"] + } + }" > /dev/null + + # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false } @@ -449,6 +501,8 @@ echo "MISP | Create sync servers ..." && create_sync_servers echo "MISP | Set Up OIDC ..." && set_up_oidc +echo "MISP | Set Up apachesecureauth ..." && set_up_apachesecureauth + echo "MISP | Set Up LDAP ..." && set_up_ldap echo "MISP | Set Up AAD ..." && set_up_aad diff --git a/docker-compose.yml b/docker-compose.yml index 2d0c8f7..411f49f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
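Review bot: Both new functions interpolate `*_LDAP_READER_PASSWORD` straight into a JSON string passed on the command line of `php modify_config.php`, which shows the bind password in `ps` for the duration of the call and breaks the JSON on any `"` or `\` in the password (the "escape twice" note in template.env is the symptom); if modify_config.php can take its input from a file or stdin, use that, otherwise escape `\` and `"` before building the string. The `> /dev/null` on each call also discards whatever the script reports, so a malformed document silently leaves authentication unconfigured while provisioning carries on; at minimum append `|| { echo "MISP | LDAP configuration failed" >&2; exit 1; }` to each call. In `set_up_apachesecureauth`, `APACHESECUREAUTH_LDAP_EMAIL_FIELD` is interpolated unquoted as `ldapEmailField` but is missing from the `check_env_vars` list, so an unset value yields `"ldapEmailField": ` and invalid JSON; add it to the list.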
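Review bot: The main sequence now runs `set_up_apachesecureauth` and `set_up_ldap` back to back with no check that only one of `APACHESECUREAUTH_LDAP_ENABLE` and `LDAPAUTH_ENABLE` is `true`; with both set, `set_up_ldap` writes `Security.auth` as `LdapAuth.Ldap` after the ApacheSecureAuth block was stored, and each function independently disables `Security.require_password_confirmation`, so the effective login path depends on call order rather than on an explicit choice. Unless the two are meant to coexist, fail early before these two lines: `if [[ "$APACHESECUREAUTH_LDAP_ENABLE" == "true" && "$LDAPAUTH_ENABLE" == "true" ]]; then echo "MISP | enable only one of APACHESECUREAUTH_LDAP_ENABLE / LDAPAUTH_ENABLE" >&2; exit 1; fi`.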
@@ -125,23 +125,46 @@ services: - "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}" - "OIDC_LOGOUT_URL=${OIDC_LOGOUT_URL}" - "OIDC_SCOPES=${OIDC_SCOPES}" - # LDAP authentication settings - - "LDAP_ENABLE=${LDAP_ENABLE}" - - "LDAP_APACHE_ENV=${LDAP_APACHE_ENV}" - - "LDAP_SERVER=${LDAP_SERVER}" - - "LDAP_STARTTLS=${LDAP_STARTTLS}" - - "LDAP_READER_USER=${LDAP_READER_USER}" - - "LDAP_READER_PASSWORD=${LDAP_READER_PASSWORD}" - - "LDAP_DN=${LDAP_DN}" - - "LDAP_SEARCH_FILTER=${LDAP_SEARCH_FILTER}" - - "LDAP_SEARCH_ATTRIBUTE=${LDAP_SEARCH_ATTRIBUTE}" - - "LDAP_FILTER=${LDAP_FILTER}" - - "LDAP_DEFAULT_ROLE_ID=${LDAP_DEFAULT_ROLE_ID}" - - "LDAP_DEFAULT_ORG=${LDAP_DEFAULT_ORG}" - - "LDAP_EMAIL_FIELD=${LDAP_EMAIL_FIELD}" - - "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}" - - "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}" - - "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}" + # APACHESECUREAUTH authentication settings + - "APACHESECUREAUTH_LDAP_OLD_VAR_DETECT=${LDAP_ENABLE}" + - "APACHESECUREAUTH_LDAP_ENABLE=${APACHESECUREAUTH_LDAP_ENABLE:-${LDAP_ENABLE}}" + - "APACHESECUREAUTH_LDAP_APACHE_ENV=${APACHESECUREAUTH_LDAP_APACHE_ENV:-${LDAP_APACHE_ENV}}" + - "APACHESECUREAUTH_LDAP_SERVER=${APACHESECUREAUTH_LDAP_SERVER:-${LDAP_SERVER}}" + - "APACHESECUREAUTH_LDAP_STARTTLS=${APACHESECUREAUTH_LDAP_STARTTLS:-${LDAP_STARTTLS}}" + - "APACHESECUREAUTH_LDAP_READER_USER=${APACHESECUREAUTH_LDAP_READER_USER:-${LDAP_READER_USER}}" + - "APACHESECUREAUTH_LDAP_READER_PASSWORD=${APACHESECUREAUTH_LDAP_READER_PASSWORD:-${LDAP_READER_PASSWORD}}" + - "APACHESECUREAUTH_LDAP_DN=${APACHESECUREAUTH_LDAP_DN:-${LDAP_DN}}" + - "APACHESECUREAUTH_LDAP_SEARCH_FILTER=${APACHESECUREAUTH_LDAP_SEARCH_FILTER:-${LDAP_SEARCH_FILTER}}" + - "APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE=${APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE:-${LDAP_SEARCH_ATTRIBUTE}}" + - "APACHESECUREAUTH_LDAP_FILTER=${APACHESECUREAUTH_LDAP_FILTER:-${LDAP_FILTER}}" + - 
"APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID=${APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID:-${LDAP_DEFAULT_ROLE_ID}}" + - "APACHESECUREAUTH_LDAP_DEFAULT_ORG=${APACHESECUREAUTH_LDAP_DEFAULT_ORG:-${LDAP_DEFAULT_ORG}}" + - "APACHESECUREAUTH_LDAP_EMAIL_FIELD=${APACHESECUREAUTH_LDAP_EMAIL_FIELD:-${LDAP_EMAIL_FIELD}}" + - "APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION=${APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION:-${LDAP_OPT_PROTOCOL_VERSION}}" + - "APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT=${APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT:-${LDAP_OPT_NETWORK_TIMEOUT}}" + - "APACHESECUREAUTH_LDAP_OPT_REFERRALS=${APACHESECUREAUTH_LDAP_OPT_REFERRALS:-${LDAP_OPT_REFERRALS}}" + # LdapAuth MISP authentication settings + - "LDAPAUTH_ENABLE=${LDAPAUTH_ENABLE}" + - "LDAPAUTH_LDAPSERVER=${LDAPAUTH_LDAPSERVER}" + - "LDAPAUTH_LDAPDN=${LDAPAUTH_LDAPDN}" + - "LDAPAUTH_LDAPREADERUSER=${LDAPAUTH_LDAPREADERUSER}" + - "LDAPAUTH_LDAPREADERPASSWORD=${LDAPAUTH_LDAPREADERPASSWORD}" + - "LDAPAUTH_LDAPSEARCHFILTER=${LDAPAUTH_LDAPSEARCHFILTER}" + - "LDAPAUTH_LDAPSEARCHATTRIBUTE=${LDAPAUTH_LDAPSEARCHATTRIBUTE}" + - "LDAPAUTH_LDAPEMAILFIELD=${LDAPAUTH_LDAPEMAILFIELD}" + - "LDAPAUTH_LDAPNETWORKTIMEOUT=${LDAPAUTH_LDAPNETWORKTIMEOUT}" + - "LDAPAUTH_LDAPPROTOCOL=${LDAPAUTH_LDAPPROTOCOL}" + - "LDAPAUTH_LDAPALLOWREFERRALS=${LDAPAUTH_LDAPALLOWREFERRALS}" + - "LDAPAUTH_STARTTLS=${LDAPAUTH_STARTTLS}" + - "LDAPAUTH_MIXEDAUTH=${LDAPAUTH_MIXEDAUTH}" + - "LDAPAUTH_LDAPDEFAULTORGID=${LDAPAUTH_LDAPDEFAULTORGID}" + - "LDAPAUTH_LDAPDEFAULTROLEID=${LDAPAUTH_LDAPDEFAULTROLEID}" + - "LDAPAUTH_UPDATEUSER=${LDAPAUTH_UPDATEUSER}" + - "LDAPAUTH_DEBUG=${LDAPAUTH_DEBUG}" + - "LDAPAUTH_LDAPTLSREQUIRECERT=${LDAPAUTH_LDAPTLSREQUIRECERT}" + - "LDAPAUTH_LDAPTLSCUSTOMCACERT=${LDAPAUTH_LDAPTLSCUSTOMCACERT}" + - "LDAPAUTH_LDAPTLSCRLCHECK=${LDAPAUTH_LDAPTLSCRLCHECK}" + - "LDAPAUTH_LDAPTLSPROTOCOLMIN=${LDAPAUTH_LDAPTLSPROTOCOLMIN}" # AAD authentication settings - "AAD_ENABLE=${AAD_ENABLE}" - "AAD_CLIENT_ID=${AAD_CLIENT_ID}" 
diff --git a/template.env b/template.env index 69bdaac..418bdc2 100644 --- a/template.env +++ b/template.env 
@@ -134,22 +134,46 @@ SYNCSERVERS_1_PULL_RULES= # users should not be able to control the HTTP header configured in LDAP_APACHE_ENV # (e.g. REMOTE_USER), this means you must not allow direct access to MISP. # NOTE 2: You need to escape special characters twice, e.g., "pass\word" becomes "pass\\\\word". -# LDAP_ENABLE=true -# LDAP_APACHE_ENV="REMOTE_USER" -# LDAP_SERVER="ldap://your_domain_controller" -# LDAP_STARTTLS=true -# LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net" -# LDAP_READER_PASSWORD="password" -# LDAP_DN="OU=Users,DC=domain,DC=net" -# LDAP_SEARCH_FILTER="" -# LDAP_SEARCH_ATTRIBUTE="uid" -# LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]" -# LDAP_DEFAULT_ROLE_ID="3" -# LDAP_DEFAULT_ORG="1" -# LDAP_EMAIL_FIELD="[\"mail\"]" -# LDAP_OPT_PROTOCOL_VERSION="3" -# LDAP_OPT_NETWORK_TIMEOUT="-1" -# LDAP_OPT_REFERRALS=false +#APACHESECUREAUTH_LDAP_ENABLE=true +#APACHESECUREAUTH_LDAP_APACHE_ENV="REMOTE_USER" +#APACHESECUREAUTH_LDAP_SERVER="ldap://your_domain_controller" +#APACHESECUREAUTH_LDAP_STARTTLS=true +#APACHESECUREAUTH_LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net" +#APACHESECUREAUTH_LDAP_READER_PASSWORD="password" +#APACHESECUREAUTH_LDAP_DN="OU=Users,DC=domain,DC=net" +#APACHESECUREAUTH_LDAP_SEARCH_FILTER="" +#APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE="uid" +#APACHESECUREAUTH_LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]" +#APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID="3" +#APACHESECUREAUTH_LDAP_DEFAULT_ORG="1" +#APACHESECUREAUTH_LDAP_EMAIL_FIELD="[\"mail\"]" +#APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION="3" +#APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT="-1" +#APACHESECUREAUTH_LDAP_OPT_REFERRALS=false + +# Enable LDAP (using the MISP plugin native) authentication, according to https://github.com/MISP/MISP/tree/2.5/app/Plugin/LdapAuth +# NOTE 2: You need to escape special characters twice, e.g., "pass\word" becomes "pass\\\\word". 
+#LDAPAUTH_ENABLE=true +#LDAPAUTH_LDAPSERVER="ldap://your_domain_controller" +#LDAPAUTH_LDAPDN="OU=Users,DC=domain,DC=net" +#LDAPAUTH_LDAPREADERUSER="CN=service_account_name,OU=Users,DC=domain,DC=net" +#LDAPAUTH_LDAPREADERPASSWORD="password" +#LDAPAUTH_LDAPSEARCHFILTER="" +#LDAPAUTH_LDAPSEARCHATTRIBUTE="mail" +#LDAPAUTH_LDAPEMAILFIELD="[\"mail\"]" +#LDAPAUTH_LDAPNETWORKTIMEOUT="-1" +#LDAPAUTH_LDAPPROTOCOL="3" +#LDAPAUTH_LDAPALLOWREFERRALS=true +#LDAPAUTH_STARTTLS=false +#LDAPAUTH_MIXEDAUTH=true +#LDAPAUTH_LDAPDEFAULTORGID="1" +#LDAPAUTH_LDAPDEFAULTROLEID="3" +#LDAPAUTH_UPDATEUSER=true +#LDAPAUTH_DEBUG=false +#LDAPAUTH_LDAPTLSREQUIRECERT="LDAP_OPT_X_TLS_ALLOW" +#LDAPAUTH_LDAPTLSCUSTOMCACERT=false +#LDAPAUTH_LDAPTLSCRLCHECK="LDAP_OPT_X_TLS_CRL_PEER" +#LDAPAUTH_LDAPTLSPROTOCOLMIN="LDAP_OPT_X_TLS_PROTOCOL_TLS1_2" # Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md # AAD_ENABLE=true From 2a901d8ee78534f120dbe802e3e5a3323439c8ad Mon Sep 17 00:00:00 2001 From: Stefano Ortolani Date: Sun, 12 Jan 2025 11:34:11 +0000 Subject: [PATCH 5/7] Fix comments --- template.env | 74 ++++++++++++++++++++++++++-------------------------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/template.env b/template.env index 418bdc2..1cce6f9 100644 --- a/template.env +++ b/template.env 
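Review bot: The commented LdapAuth example combines `ldap://`, `LDAPAUTH_STARTTLS=false`, `LDAPAUTH_LDAPTLSREQUIRECERT="LDAP_OPT_X_TLS_ALLOW"` and `LDAPAUTH_LDAPALLOWREFERRALS=true`; taken as written it sends the reader bind and users' passwords in cleartext, and even once STARTTLS is switched on `LDAP_OPT_X_TLS_ALLOW` accepts a missing or invalid server certificate, so the directory is never authenticated and an on-path attacker can harvest credentials. Since users uncomment these lines as-is, the example should show the safe configuration: `LDAPAUTH_STARTTLS=true` (or an `ldaps://` URL), `LDAPAUTH_LDAPTLSREQUIRECERT="LDAP_OPT_X_TLS_DEMAND"`, and `LDAPAUTH_LDAPALLOWREFERRALS=false` unless referral chasing is needed, with a comment saying why. Two wording issues in the same hunk: NOTE 1 above the ApacheSecureAuth block still names the old `LDAP_APACHE_ENV` variable and should read `APACHESECUREAUTH_LDAP_APACHE_ENV`, and the LdapAuth block's "NOTE 2" has no NOTE 1 (the REMOTE_USER warning does not apply to the plugin), so it should simply be "NOTE".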
@@ -134,46 +134,46 @@ SYNCSERVERS_1_PULL_RULES= # users should not be able to control the HTTP header configured in LDAP_APACHE_ENV # (e.g. REMOTE_USER), this means you must not allow direct access to MISP. # NOTE 2: You need to escape special characters twice, e.g., "pass\word" becomes "pass\\\\word". -#APACHESECUREAUTH_LDAP_ENABLE=true -#APACHESECUREAUTH_LDAP_APACHE_ENV="REMOTE_USER" -#APACHESECUREAUTH_LDAP_SERVER="ldap://your_domain_controller" -#APACHESECUREAUTH_LDAP_STARTTLS=true -#APACHESECUREAUTH_LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net" -#APACHESECUREAUTH_LDAP_READER_PASSWORD="password" -#APACHESECUREAUTH_LDAP_DN="OU=Users,DC=domain,DC=net" -#APACHESECUREAUTH_LDAP_SEARCH_FILTER="" -#APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE="uid" -#APACHESECUREAUTH_LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]" -#APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID="3" -#APACHESECUREAUTH_LDAP_DEFAULT_ORG="1" -#APACHESECUREAUTH_LDAP_EMAIL_FIELD="[\"mail\"]" -#APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION="3" -#APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT="-1" -#APACHESECUREAUTH_LDAP_OPT_REFERRALS=false +# APACHESECUREAUTH_LDAP_ENABLE=true +# APACHESECUREAUTH_LDAP_APACHE_ENV="REMOTE_USER" +# APACHESECUREAUTH_LDAP_SERVER="ldap://your_domain_controller" +# APACHESECUREAUTH_LDAP_STARTTLS=true +# APACHESECUREAUTH_LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net" +# APACHESECUREAUTH_LDAP_READER_PASSWORD="password" +# APACHESECUREAUTH_LDAP_DN="OU=Users,DC=domain,DC=net" +# APACHESECUREAUTH_LDAP_SEARCH_FILTER="" +# APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE="uid" +# APACHESECUREAUTH_LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]" +# APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID="3" +# APACHESECUREAUTH_LDAP_DEFAULT_ORG="1" +# APACHESECUREAUTH_LDAP_EMAIL_FIELD="[\"mail\"]" +# APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION="3" +# APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT="-1" +# APACHESECUREAUTH_LDAP_OPT_REFERRALS=false # Enable LDAP (using the MISP plugin native) authentication, 
according to https://github.com/MISP/MISP/tree/2.5/app/Plugin/LdapAuth # NOTE 2: You need to escape special characters twice, e.g., "pass\word" becomes "pass\\\\word". -#LDAPAUTH_ENABLE=true -#LDAPAUTH_LDAPSERVER="ldap://your_domain_controller" -#LDAPAUTH_LDAPDN="OU=Users,DC=domain,DC=net" -#LDAPAUTH_LDAPREADERUSER="CN=service_account_name,OU=Users,DC=domain,DC=net" -#LDAPAUTH_LDAPREADERPASSWORD="password" -#LDAPAUTH_LDAPSEARCHFILTER="" -#LDAPAUTH_LDAPSEARCHATTRIBUTE="mail" -#LDAPAUTH_LDAPEMAILFIELD="[\"mail\"]" -#LDAPAUTH_LDAPNETWORKTIMEOUT="-1" -#LDAPAUTH_LDAPPROTOCOL="3" -#LDAPAUTH_LDAPALLOWREFERRALS=true -#LDAPAUTH_STARTTLS=false -#LDAPAUTH_MIXEDAUTH=true -#LDAPAUTH_LDAPDEFAULTORGID="1" -#LDAPAUTH_LDAPDEFAULTROLEID="3" -#LDAPAUTH_UPDATEUSER=true -#LDAPAUTH_DEBUG=false -#LDAPAUTH_LDAPTLSREQUIRECERT="LDAP_OPT_X_TLS_ALLOW" -#LDAPAUTH_LDAPTLSCUSTOMCACERT=false -#LDAPAUTH_LDAPTLSCRLCHECK="LDAP_OPT_X_TLS_CRL_PEER" -#LDAPAUTH_LDAPTLSPROTOCOLMIN="LDAP_OPT_X_TLS_PROTOCOL_TLS1_2" +# LDAPAUTH_ENABLE=true +# LDAPAUTH_LDAPSERVER="ldap://your_domain_controller" +# LDAPAUTH_LDAPDN="OU=Users,DC=domain,DC=net" +# LDAPAUTH_LDAPREADERUSER="CN=service_account_name,OU=Users,DC=domain,DC=net" +# LDAPAUTH_LDAPREADERPASSWORD="password" +# LDAPAUTH_LDAPSEARCHFILTER="" +# LDAPAUTH_LDAPSEARCHATTRIBUTE="mail" +# LDAPAUTH_LDAPEMAILFIELD="[\"mail\"]" +# LDAPAUTH_LDAPNETWORKTIMEOUT="-1" +# LDAPAUTH_LDAPPROTOCOL="3" +# LDAPAUTH_LDAPALLOWREFERRALS=true +# LDAPAUTH_STARTTLS=false +# LDAPAUTH_MIXEDAUTH=true +# LDAPAUTH_LDAPDEFAULTORGID="1" +# LDAPAUTH_LDAPDEFAULTROLEID="3" +# LDAPAUTH_UPDATEUSER=true +# LDAPAUTH_DEBUG=false +# LDAPAUTH_LDAPTLSREQUIRECERT="LDAP_OPT_X_TLS_ALLOW" +# LDAPAUTH_LDAPTLSCUSTOMCACERT=false +# LDAPAUTH_LDAPTLSCRLCHECK="LDAP_OPT_X_TLS_CRL_PEER" +# LDAPAUTH_LDAPTLSPROTOCOLMIN="LDAP_OPT_X_TLS_PROTOCOL_TLS1_2" # Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md # AAD_ENABLE=true 
From 3019026a744fcb93ee698367bd803d510d05afb6 Mon Sep 17 00:00:00 2001 From: Friddrick <73302423+Friddrick@users.noreply.github.com> Date: Sun, 12 Jan 2025 13:44:01 +0200 Subject: [PATCH 6/7] Update Backup info in README.md (#171) * Update Backup info in README.md --- README.md | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/README.md b/README.md index 09d1b07..d3dd4af 100644 --- a/README.md +++ b/README.md @@ -149,6 +149,45 @@ Custom root CA certificates can be mounted under `/usr/local/share/ca-certificat - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt" ``` +## Database Management + +It is possible to backup and restore the underlying database using volume archiving. +The process is *NOT* battle-tested, so it is *NOT* to be followed uncritically. + +### Backup + +1. Stop the MISP containers: + ```bash + docker compose down + ``` + +2. Create an archive of the `misp-docker_mysql_data` volume using `tar`: + ```bash + tar -cvzf /root/misp_mysql_backup.tar.gz /var/lib/docker/volumes/misp-docker_mysql_data/ + ``` + +3. Start the MISP containers: + ```bash + docker compose up + ``` + +### Restore + +1. Stop the MISP containers: + ```bash + docker compose down + ``` + +2. Unpack the backup and overwrite existing data by using the `--overwrite` option to replace existing files: + ```bash + tar -xvzf /path_to_backup/misp_mysql_backup.tar.gz -C /var/lib/docker/volumes/misp-docker_mysql_data/ --overwrite + ``` + +3. Start the MISP containers: + ```bash + docker compose up + ``` + ## Troubleshooting - Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/) From 2b9390e25388fa54126ce711f4f7028996850b8f Mon Sep 17 00:00:00 2001 
From: marjatech <72734273+marjatech@users.noreply.github.com> Date: Mon, 13 Jan 2025 10:19:58 +0100 Subject: [PATCH 7/7] Remove doubled X-XSS-Protection Header (#204) --- core/files/etc/nginx/includes/misp | 1 - 1 file changed, 1 deletion(-) diff --git a/core/files/etc/nginx/includes/misp b/core/files/etc/nginx/includes/misp index 7f748e1..7a6aac6 100644 --- a/core/files/etc/nginx/includes/misp +++ b/core/files/etc/nginx/includes/misp @@ -11,7 +11,6 @@ add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; -add_header X-XSS-Protection "1; mode=block" always; # remove X-Powered-By and nginx version, which is an information leak fastcgi_hide_header X-Powered-By;