MISP
/
misp-docker
mirror of https://github.com/MISP/misp-docker
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branches 'oidc-fix-bug' and 'master' of github.com:Diogo-Rego/misp-docker

pull/164/head
diegolamaral 2024-10-04 14:08:56 +00:00
parent dc421c7a8a 754220879b
commit 16b14ad79d
9 changed files with 108 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -6,3 +6,4 @@
.env
env.hcl
rootca.crt
cert.pem

1
README.md
View File

@ -134,6 +134,7 @@ Custom root CA certificates can be mounted under `/usr/local/share/ca-certificat
- Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)
- Make sure you are not running an old image or container; when in doubt run `docker system prune --volumes` and clone this repository into an empty directory
- If you receive an error that the 'start_interval' does not match any of the regexes, update Docker following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)
## Versioning

85
core/Dockerfile
View File

@ -5,17 +5,13 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS php-base
ENV DEBIAN_FRONTEND noninteractive
# Uncomment when building in corporate environments
# COPY ./rootca.crt /usr/local/share/ca-certificates/rootca.pem
# COPY ./rootca.crt /usr/lib/ssl/cert.pem
# COPY ./cert.pem /usr/local/share/ca-certificates/rootca.pem
# COPY ./cert.pem /usr/lib/ssl/cert.pem
RUN apt-get update; apt-get install -y --no-install-recommends \
lsb-release \
ca-certificates \
curl
RUN curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
RUN dpkg -i /tmp/debsuryorg-archive-keyring.deb
RUN echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list
RUN apt-get update
FROM php-base AS composer-build
@ -25,33 +21,27 @@ FROM php-base AS composer-build
ARG CORE_COMMIT
RUN apt-get install -y --no-install-recommends \
php7.4 \
php7.4-apcu \
php7.4-curl \
php7.4-xml \
php7.4-intl \
php7.4-bcmath \
php7.4-mbstring \
php7.4-mysql \
php7.4-redis \
php7.4-gd \
php7.4-fpm \
php7.4-zip \
php8.2 \
php8.2-apcu \
php8.2-curl \
php8.2-xml \
php8.2-intl \
php8.2-bcmath \
php8.2-mbstring \
php8.2-mysql \
php8.2-redis \
php8.2-gd \
php8.2-fpm \
php8.2-zip \
unzip \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
WORKDIR /tmp
ADD https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json /tmp
RUN curl -o /tmp/composer.json https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json
COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
RUN composer config --no-interaction allow-plugins.composer/installers true
RUN composer install
RUN composer require --with-all-dependencies --no-interaction \
supervisorphp/supervisor:^4.0 \
guzzlehttp/guzzle:^7.4.5 \
lstrojny/fxmlrpc \
php-http/message \
php-http/message-factory \
# docker image specific dependencies
elasticsearch/elasticsearch:^8.7.0 \
jakub-onderka/openid-connect-php:^1.0.0 \
aws/aws-sdk-php
@ -64,10 +54,11 @@ FROM php-base AS php-build
RUN apt-get install -y --no-install-recommends \
gcc \
g++ \
git \
make \
php7.4 \
php7.4-dev \
php7.4-xml \
php8.2 \
php8.2-dev \
php8.2-xml \
php-pear \
libbrotli-dev \
libfuzzy-dev \
@ -76,18 +67,20 @@ FROM php-base AS php-build
libzstd-dev \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
RUN update-alternatives --set php /usr/bin/php7.4
RUN update-alternatives --set php-config /usr/bin/php-config7.4
RUN update-alternatives --set phpize /usr/bin/phpize7.4
RUN update-alternatives --set php /usr/bin/php8.2
RUN update-alternatives --set php-config /usr/bin/php-config8.2
RUN update-alternatives --set phpize /usr/bin/phpize8.2
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib
RUN pecl channel-update pecl.php.net && \
pecl install ssdeep && \
pecl install rdkafka && \
pecl install simdjson && \
pecl install zstd && \
pecl install brotli
# install pect-text-ssdeep 1.2
RUN git clone --recursive --depth=1 https://github.com/JakubOnderka/pecl-text-ssdeep.git /tmp/pecl-text-ssdeep
RUN cd /tmp/pecl-text-ssdeep && phpize && ./configure && make && make install
FROM php-base AS python-build
ENV DEBIAN_FRONTEND noninteractive
@ -186,19 +179,19 @@ FROM php-base
mariadb-client \
rsync \
# PHP Requirements
php7.4 \
php7.4-apcu \
php7.4-curl \
php7.4-xml \
php7.4-intl \
php7.4-bcmath \
php7.4-mbstring \
php7.4-mysql \
php7.4-redis \
php7.4-gd \
php7.4-fpm \
php7.4-zip \
php7.4-ldap \
php8.2 \
php8.2-apcu \
php8.2-curl \
php8.2-xml \
php8.2-intl \
php8.2-bcmath \
php8.2-mbstring \
php8.2-mysql \
php8.2-redis \
php8.2-gd \
php8.2-fpm \
php8.2-zip \
php8.2-ldap \
libmagic1 \
libldap-common \
librdkafka1 \
@ -213,7 +206,7 @@ FROM php-base
curl jq \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
RUN update-alternatives --set php /usr/bin/php7.4
RUN update-alternatives --set php /usr/bin/php8.2
# Install python modules
COPY --from=python-build /wheels /wheels

2
core/files/entrypoint_fpm.sh
View File

@ -33,7 +33,7 @@ change_php_vars() {
echo "Configure PHP | Change PHP values ..." && change_php_vars
echo "Configure PHP | Starting PHP FPM"
/usr/sbin/php-fpm7.4 -R -F & master_pid=$!
/usr/sbin/php-fpm8.2 -R -F & master_pid=$!
# Wait for it
wait "$master_pid"

41
core/files/entrypoint_nginx.sh
View File

@ -226,6 +226,47 @@ init_nginx() {
fi
fi
# Adjust Content-Security-Policy
echo "... adjusting Content-Security-Policy"
# Remove any existing CSP header
sed -i '/add_header Content-Security-Policy/d' /etc/nginx/includes/misp
if [[ -n "$CONTENT_SECURITY_POLICY" ]]; then
# If $CONTENT_SECURITY_POLICY is set, add CSP header
echo "... setting Content-Security-Policy to '$CONTENT_SECURITY_POLICY'"
sed -i "/add_header X-Download-Options/a add_header Content-Security-Policy \"$CONTENT_SECURITY_POLICY\";" /etc/nginx/includes/misp
else
# Otherwise, do not add any CSP headers
echo "... no Content-Security-Policy header will be set as CONTENT_SECURITY_POLICY is not defined"
fi
# Adjust X-Frame-Options
echo "... adjusting X-Frame-Options"
# Remove any existing X-Frame-Options header
sed -i '/add_header X-Frame-Options/d' /etc/nginx/includes/misp
if [[ -z "$X_FRAME_OPTIONS" ]]; then
echo "... setting 'X-Frame-Options SAMEORIGIN'"
sed -i "/add_header X-Download-Options/a add_header X-Frame-Options \"SAMEORIGIN\" always;" /etc/nginx/includes/misp
else
echo "... setting 'X-Frame-Options $X_FRAME_OPTIONS'"
sed -i "/add_header X-Download-Options/a add_header X-Frame-Options \"$X_FRAME_OPTIONS\";" /etc/nginx/includes/misp
fi
# Adjust HTTP Strict Transport Security (HSTS)
echo "... adjusting HTTP Strict Transport Security (HSTS)"
# Remove any existing HSTS header
sed -i '/add_header Strict-Transport-Security/d' /etc/nginx/includes/misp
if [[ -n "$HSTS_MAX_AGE" ]]; then
# If $HSTS_MAX_AGE is defined, add the HSTS header
echo "... setting HSTS to 'max-age=$HSTS_MAX_AGE; includeSubdomains'"
sed -i "/add_header X-Download-Options/a add_header Strict-Transport-Security \"max-age=$HSTS_MAX_AGE; includeSubdomains\";" /etc/nginx/includes/misp
else
# Otherwise, do nothing, keeping without the HSTS header
echo "... no HSTS header will be set as HSTS_MAX_AGE is not defined"
fi
# Testing for files also test for links, and generalize better to mounted files
if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
echo "... enabling port 80 redirect"

2
core/files/etc/nginx/includes/misp
View File

@ -24,7 +24,7 @@ location / {
location ~ ^/[^/]+\.php(/|$) {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_read_timeout 300s;
fastcgi_send_timeout 300s;
fastcgi_connect_timeout 300s;

4
docker-compose.yml
View File

@ -193,6 +193,10 @@ services:
- "PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}"
- "PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}"
- "PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}"
# Security Settings
- "HSTS_MAX_AGE=${HSTS_MAX_AGE}"
- "X_FRAME_OPTIONS=${X_FRAME_OPTIONS}"
- "CONTENT_SECURITY_POLICY=${CONTENT_SECURITY_POLICY}"
misp-modules:
image: ghcr.io/misp/misp-docker/misp-modules:${MODULES_RUNNING_TAG:-latest}

5
modules/Dockerfile
View File

@ -6,7 +6,12 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
ARG MODULES_COMMIT
ARG LIBFAUP_COMMIT
# Uncomment when building in corporate environments
# COPY ./cert.pem /usr/local/share/ca-certificates/rootca.pem
# COPY ./cert.pem /usr/lib/ssl/cert.pem
RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates \
cmake \
git \
build-essential \

18
template.env
View File

@ -2,9 +2,9 @@
# Build-time variables
##
CORE_TAG=v2.4.198
CORE_TAG=v2.5.0
MODULES_TAG=v2.4.197
PHP_VER=20190902
PHP_VER=20220829
LIBFAUP_COMMIT=3a26d0a
# PYPY_* vars take precedence over MISP's
@ -20,7 +20,7 @@ LIBFAUP_COMMIT=3a26d0a
# PYPI_MISP_STIX_VERSION"==2.4.194"
# CORE_COMMIT takes precedence over CORE_TAG
# CORE_COMMIT=c56d537
# CORE_COMMIT=0bba3f5
# MODULES_COMMIT takes precedence over MODULES_TAG
# MODULES_COMMIT=de69ae3
@ -199,3 +199,15 @@ SYNCSERVERS_1_PULL_RULES=
# NGINX_X_FORWARDED_FOR=true
# Comma separated list of trusted IP addresses
# NGINX_SET_REAL_IP_FROM=127.0.0.1
# Security Settings
# Maximum time (in seconds) for HSTS (HTTP Strict Transport Security), ensures HTTPS is used.
HSTS_MAX_AGE=
# X-Frame-Options policy configuration: controls whether the site can be embedded in frames or iframes.
# Options: DENY, SAMEORIGIN, ALLOW-FROM <URL> Default: SAMEORIGIN
X_FRAME_OPTIONS=""
# Content-Security-Policy (CSP) configuration: defines allowed resources and prevents attacks like XSS.
# Example: "frame-src 'self' https://*.example.com; frame-ancestors 'self' https://*.example.com; object-src 'none'; report-uri https://example.com/cspReport"
CONTENT_SECURITY_POLICY=""