diff --git a/.gitignore b/.gitignore
index 87da6b8..d153d77 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@
 .env
 env.hcl
 rootca.crt
+cert.pem
diff --git a/README.md b/README.md
index 971a125..ea319da 100644
--- a/README.md
+++ b/README.md
@@ -134,6 +134,7 @@ Custom root CA certificates can be mounted under `/usr/local/share/ca-certificat
 - Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)
 - Make sure you are not running an old image or container; when in doubt run `docker system prune --volumes` and clone this repository into an empty directory
+- If you receive an error that the 'start_interval' does not match any of the regexes, update Docker following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)
 ## Versioning
diff --git a/core/Dockerfile b/core/Dockerfile
index 20a9f0f..19d8b0d 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -5,17 +5,13 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS php-base
 ENV DEBIAN_FRONTEND noninteractive
 # Uncomment when building in corporate environments
- # COPY ./rootca.crt /usr/local/share/ca-certificates/rootca.pem
- # COPY ./rootca.crt /usr/lib/ssl/cert.pem
+ # COPY ./cert.pem /usr/local/share/ca-certificates/rootca.pem
+ # COPY ./cert.pem /usr/lib/ssl/cert.pem
 RUN apt-get update; apt-get install -y --no-install-recommends \
 lsb-release \
 ca-certificates \
 curl
- RUN curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
- RUN dpkg -i /tmp/debsuryorg-archive-keyring.deb
- RUN echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list
- RUN apt-get update
 FROM php-base AS composer-build
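Review bot: The corporate-CA template on the `+ # COPY ./cert.pem /usr/local/share/ca-certificates/rootca.pem` line will not work as written: Debian's update-ca-certificates only picks up files with a `.crt` extension from that directory, so the certificate never enters the system bundle even though the `ca-certificates` postinst in the following RUN would otherwise install it. The second line, `+ # COPY ./cert.pem /usr/lib/ssl/cert.pem`, effectively replaces the OpenSSL default bundle (normally a link to the full ca-certificates bundle) with the single corporate cert, so any build-time fetch to a host that is not intercepted by the corporate proxy then fails verification. I would change the guidance to `# COPY ./cert.pem /usr/local/share/ca-certificates/rootca.crt` (keeping it before the apt-get install so the package postinst registers it, or adding `# RUN update-ca-certificates` after it) and drop the overwrite of /usr/lib/ssl/cert.pem; the same two-line template is repeated in modules/Dockerfile further down and needs the same fix. Dropping the sury.org repository and its downloaded keyring in favour of Debian's own php8.2 packages is a welcome reduction of third-party trust in the build.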
@@ -25,33 +21,27 @@ FROM php-base AS composer-build
 ARG CORE_COMMIT
 RUN apt-get install -y --no-install-recommends \
- php7.4 \
- php7.4-apcu \
- php7.4-curl \
- php7.4-xml \
- php7.4-intl \
- php7.4-bcmath \
- php7.4-mbstring \
- php7.4-mysql \
- php7.4-redis \
- php7.4-gd \
- php7.4-fpm \
- php7.4-zip \
+ php8.2 \
+ php8.2-apcu \
+ php8.2-curl \
+ php8.2-xml \
+ php8.2-intl \
+ php8.2-bcmath \
+ php8.2-mbstring \
+ php8.2-mysql \
+ php8.2-redis \
+ php8.2-gd \
+ php8.2-fpm \
+ php8.2-zip \
 unzip \
 && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
 WORKDIR /tmp
- ADD https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json /tmp
+ RUN curl -o /tmp/composer.json https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json
 COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
 RUN composer config --no-interaction allow-plugins.composer/installers true
 RUN composer install
 RUN composer require --with-all-dependencies --no-interaction \
- supervisorphp/supervisor:^4.0 \
- guzzlehttp/guzzle:^7.4.5 \
- lstrojny/fxmlrpc \
- php-http/message \
- php-http/message-factory \
- # docker image specific dependencies
 elasticsearch/elasticsearch:^8.7.0 \
 jakub-onderka/openid-connect-php:^1.0.0 \
 aws/aws-sdk-php
@@ -64,10 +54,11 @@ FROM php-base AS php-build
 RUN apt-get install -y --no-install-recommends \
 gcc \
 g++ \
+ git \
 make \
- php7.4 \
- php7.4-dev \
- php7.4-xml \
+ php8.2 \
+ php8.2-dev \
+ php8.2-xml \
 php-pear \
 libbrotli-dev \
 libfuzzy-dev \
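Review bot: `RUN curl -o /tmp/composer.json https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json` has no `-f`/`--fail`, so a wrong CORE_COMMIT or CORE_TAG (a 404 from raw.githubusercontent.com) writes the HTML error body into /tmp/composer.json while curl still exits 0, and the build only fails later with a confusing composer parse error. Use `RUN curl -fsSL -o /tmp/composer.json https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json` so the fetch itself fails the build, which the replaced `ADD` did implicitly. A supply-chain caveat worth a comment above the line: when CORE_TAG rather than CORE_COMMIT is used the dependency manifest is fetched from a mutable ref and nothing checks what was received, so pinning CORE_COMMIT (or verifying a known hash of the file) is what makes this stage reproducible; the unpinned `composer:latest` on the next line is unchanged here but compounds the same issue.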
@@ -76,18 +67,20 @@ FROM php-base AS php-build
 libzstd-dev \
 && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
- RUN update-alternatives --set php /usr/bin/php7.4
- RUN update-alternatives --set php-config /usr/bin/php-config7.4
- RUN update-alternatives --set phpize /usr/bin/phpize7.4
+ RUN update-alternatives --set php /usr/bin/php8.2
+ RUN update-alternatives --set php-config /usr/bin/php-config8.2
+ RUN update-alternatives --set phpize /usr/bin/phpize8.2
 RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib
 RUN pecl channel-update pecl.php.net && \
- pecl install ssdeep && \
 pecl install rdkafka && \
 pecl install simdjson && \
 pecl install zstd && \
 pecl install brotli
+ # install pect-text-ssdeep 1.2
+ RUN git clone --recursive --depth=1 https://github.com/JakubOnderka/pecl-text-ssdeep.git /tmp/pecl-text-ssdeep
+ RUN cd /tmp/pecl-text-ssdeep && phpize && ./configure && make && make install
 FROM php-base AS python-build
 ENV DEBIAN_FRONTEND noninteractive
@@ -186,19 +179,19 @@ FROM php-base
 mariadb-client \
 rsync \
 # PHP Requirements
- php7.4 \
- php7.4-apcu \
- php7.4-curl \
- php7.4-xml \
- php7.4-intl \
- php7.4-bcmath \
- php7.4-mbstring \
- php7.4-mysql \
- php7.4-redis \
- php7.4-gd \
- php7.4-fpm \
- php7.4-zip \
- php7.4-ldap \
+ php8.2 \
+ php8.2-apcu \
+ php8.2-curl \
+ php8.2-xml \
+ php8.2-intl \
+ php8.2-bcmath \
+ php8.2-mbstring \
+ php8.2-mysql \
+ php8.2-redis \
+ php8.2-gd \
+ php8.2-fpm \
+ php8.2-zip \
+ php8.2-ldap \
 libmagic1 \
 libldap-common \
 librdkafka1 \
@@ -213,7 +206,7 @@ FROM php-base
 curl jq \
 && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
- RUN update-alternatives --set php /usr/bin/php7.4
+ RUN update-alternatives --set php /usr/bin/php8.2
 # Install python modules
 COPY --from=python-build /wheels /wheels
diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh
index e5462b9..2e2c319 100755
--- a/core/files/entrypoint_fpm.sh
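Review bot: `RUN git clone --recursive --depth=1 https://github.com/JakubOnderka/pecl-text-ssdeep.git /tmp/pecl-text-ssdeep` compiles whatever the upstream default branch holds at build time, even though the comment above it says `# install pect-text-ssdeep 1.2`: nothing pins a tag or commit, so the image is not reproducible and a moved or compromised upstream branch silently changes what is built into php-fpm (the `pecl install ssdeep` it replaces at least resolved to a released package). Pin it, e.g. `git clone --recursive --depth=1 --branch v1.2 https://github.com/JakubOnderka/pecl-text-ssdeep.git /tmp/pecl-text-ssdeep` (using whatever tag name upstream gives 1.2) or a `git checkout <commit>` after the clone, ideally driven by a build ARG in the style of the existing CORE_COMMIT/LIBFAUP_COMMIT so it is recorded in template.env. The comment also has a typo, `pect` for `pecl`, and should name the pinned version once one is chosen.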
+++ b/core/files/entrypoint_fpm.sh
@@ -33,7 +33,7 @@ change_php_vars() {
 echo "Configure PHP | Change PHP values ..." && change_php_vars
 echo "Configure PHP | Starting PHP FPM"
-/usr/sbin/php-fpm7.4 -R -F & master_pid=$!
+/usr/sbin/php-fpm8.2 -R -F & master_pid=$!
 # Wait for it
 wait "$master_pid"
diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index d815e50..76502b2 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
@@ -226,6 +226,47 @@ init_nginx() {
 fi
 fi
+ # Adjust Content-Security-Policy
+ echo "... adjusting Content-Security-Policy"
+ # Remove any existing CSP header
+ sed -i '/add_header Content-Security-Policy/d' /etc/nginx/includes/misp
+
+ if [[ -n "$CONTENT_SECURITY_POLICY" ]]; then
+ # If $CONTENT_SECURITY_POLICY is set, add CSP header
+ echo "... setting Content-Security-Policy to '$CONTENT_SECURITY_POLICY'"
+ sed -i "/add_header X-Download-Options/a add_header Content-Security-Policy \"$CONTENT_SECURITY_POLICY\";" /etc/nginx/includes/misp
+ else
+ # Otherwise, do not add any CSP headers
+ echo "... no Content-Security-Policy header will be set as CONTENT_SECURITY_POLICY is not defined"
+ fi
+
+ # Adjust X-Frame-Options
+ echo "... adjusting X-Frame-Options"
+ # Remove any existing X-Frame-Options header
+ sed -i '/add_header X-Frame-Options/d' /etc/nginx/includes/misp
+
+ if [[ -z "$X_FRAME_OPTIONS" ]]; then
+ echo "... setting 'X-Frame-Options SAMEORIGIN'"
+ sed -i "/add_header X-Download-Options/a add_header X-Frame-Options \"SAMEORIGIN\" always;" /etc/nginx/includes/misp
+ else
+ echo "... setting 'X-Frame-Options $X_FRAME_OPTIONS'"
+ sed -i "/add_header X-Download-Options/a add_header X-Frame-Options \"$X_FRAME_OPTIONS\";" /etc/nginx/includes/misp
+ fi
+
+ # Adjust HTTP Strict Transport Security (HSTS)
+ echo "... adjusting HTTP Strict Transport Security (HSTS)"
+ # Remove any existing HSTS header
+ sed -i '/add_header Strict-Transport-Security/d' /etc/nginx/includes/misp
+
+ if [[ -n "$HSTS_MAX_AGE" ]]; then
+ # If $HSTS_MAX_AGE is defined, add the HSTS header
+ echo "... setting HSTS to 'max-age=$HSTS_MAX_AGE; includeSubdomains'"
+ sed -i "/add_header X-Download-Options/a add_header Strict-Transport-Security \"max-age=$HSTS_MAX_AGE; includeSubdomains\";" /etc/nginx/includes/misp
+ else
+ # Otherwise, do nothing, keeping without the HSTS header
+ echo "... 
no HSTS header will be set as HSTS_MAX_AGE is not defined"
+ fi
+
 # Testing for files also test for links, and generalize better to mounted files
 if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
 echo "... enabling port 80 redirect"
diff --git a/core/files/etc/nginx/includes/misp b/core/files/etc/nginx/includes/misp
index 892a78b..9c772f2 100644
--- a/core/files/etc/nginx/includes/misp
+++ b/core/files/etc/nginx/includes/misp
@@ -24,7 +24,7 @@ location / {
 location ~ ^/[^/]+\.php(/|$) {
 include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+ fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
 fastcgi_read_timeout 300s;
 fastcgi_send_timeout 300s;
 fastcgi_connect_timeout 300s;
diff --git a/docker-compose.yml b/docker-compose.yml
index c74f8ac..7a1aa56 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -193,6 +193,10 @@ services:
 - "PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}"
 - "PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}"
 - "PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}"
+ # Security Settings
+ - "HSTS_MAX_AGE=${HSTS_MAX_AGE}"
+ - "X_FRAME_OPTIONS=${X_FRAME_OPTIONS}"
+ - "CONTENT_SECURITY_POLICY=${CONTENT_SECURITY_POLICY}"
 misp-modules:
 image: ghcr.io/misp/misp-docker/misp-modules:${MODULES_RUNNING_TAG:-latest}
diff --git a/modules/Dockerfile b/modules/Dockerfile
index 4800b7c..dca7bb1 100644
--- a/modules/Dockerfile
+++ b/modules/Dockerfile
@@ -6,7 +6,12 @@ FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
 ARG MODULES_COMMIT
 ARG LIBFAUP_COMMIT
+ # Uncomment when building in corporate environments
+ # COPY ./cert.pem /usr/local/share/ca-certificates/rootca.pem
+ # COPY ./cert.pem /usr/lib/ssl/cert.pem
+
 RUN apt-get update && apt-get install -y --no-install-recommends \
+ ca-certificates \
 cmake \
 git \
 build-essential \
diff --git a/template.env b/template.env
index 66edd73..bf18b62 100644
--- a/template.env
+++ b/template.env
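Review bot: The three `sed -i "/add_header X-Download-Options/a add_header ... \"$VAR\";"` lines splice operator-supplied values into nginx configuration with no validation or escaping, so a value containing a double quote or a newline either breaks the include (nginx then refuses to start with an error far from its cause) or injects arbitrary directives into it, and `X_FRAME_OPTIONS` is accepted verbatim although only `DENY` and `SAMEORIGIN` are meaningful to browsers. The values come from the operator's `.env`, so this is a footgun more than an attack surface, but the checks below turn a silent mis-configuration into a clear startup failure; they also verify the `add_header X-Download-Options` anchor exists, since if a mounted or edited include lacks that line all three `a` commands match nothing and the headers are silently dropped. Separately, only the default `add_header X-Frame-Options "SAMEORIGIN" always;` carries `always`; the custom X-Frame-Options line, the CSP line and the HSTS line omit it, so nginx will not send those headers on 4xx/5xx responses — append ` always` to all three as in the last line below. init_nginx() begins before this hunk, so whether an `exit 1` here or a fallback to the defaults matches the rest of the function's error handling should be confirmed.
```shell
# … unchanged: init_nginx() up to the new header section …
# Validate header values before splicing them into nginx config:
# a stray '"' or newline would break the include or inject directives.
if [[ -n "$HSTS_MAX_AGE" && ! "$HSTS_MAX_AGE" =~ ^[0-9]+$ ]]; then
    echo "HSTS_MAX_AGE must be an integer number of seconds, got '$HSTS_MAX_AGE'" >&2; exit 1
fi
case "${X_FRAME_OPTIONS:-SAMEORIGIN}" in
    DENY|SAMEORIGIN) ;;
    *) echo "X_FRAME_OPTIONS must be DENY or SAMEORIGIN, got '$X_FRAME_OPTIONS'" >&2; exit 1 ;;
esac
case "$CONTENT_SECURITY_POLICY" in
    *'"'*|*$'\n'*) echo "CONTENT_SECURITY_POLICY must not contain double quotes or newlines" >&2; exit 1 ;;
esac
grep -q 'add_header X-Download-Options' /etc/nginx/includes/misp \
    || { echo "anchor 'add_header X-Download-Options' missing from /etc/nginx/includes/misp" >&2; exit 1; }
# … unchanged: the remove-then-add blocks for CSP, X-Frame-Options and HSTS, each add_header gaining 'always', e.g. …
sed -i "/add_header X-Download-Options/a add_header Content-Security-Policy \"$CONTENT_SECURITY_POLICY\" always;" /etc/nginx/includes/misp
```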
@@ -2,9 +2,9 @@
 # Build-time variables
 ##
-CORE_TAG=v2.4.198
+CORE_TAG=v2.5.0
 MODULES_TAG=v2.4.197
-PHP_VER=20190902
+PHP_VER=20220829
 LIBFAUP_COMMIT=3a26d0a
 # PYPY_* vars take precedence over MISP's
@@ -20,7 +20,7 @@ LIBFAUP_COMMIT=3a26d0a
 # PYPI_MISP_STIX_VERSION"==2.4.194"
 # CORE_COMMIT takes precedence over CORE_TAG
-# CORE_COMMIT=c56d537
+# CORE_COMMIT=0bba3f5
 # MODULES_COMMIT takes precedence over MODULES_TAG
 # MODULES_COMMIT=de69ae3
@@ -199,3 +199,15 @@ SYNCSERVERS_1_PULL_RULES=
 # NGINX_X_FORWARDED_FOR=true
 # Comma separated list of trusted IP addresses
 # NGINX_SET_REAL_IP_FROM=127.0.0.1
+
+# Security Settings
+# Maximum time (in seconds) for HSTS (HTTP Strict Transport Security), ensures HTTPS is used.
+HSTS_MAX_AGE=
+
+# X-Frame-Options policy configuration: controls whether the site can be embedded in frames or iframes.
+# Options: DENY, SAMEORIGIN, ALLOW-FROM Default: SAMEORIGIN
+X_FRAME_OPTIONS=""
+
+# Content-Security-Policy (CSP) configuration: defines allowed resources and prevents attacks like XSS.
+# Example: "frame-src 'self' https://*.example.com; frame-ancestors 'self' https://*.example.com; object-src 'none'; report-uri https://example.com/cspReport"
+CONTENT_SECURITY_POLICY=""
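Review bot: `# Options: DENY, SAMEORIGIN, ALLOW-FROM Default: SAMEORIGIN` advertises `ALLOW-FROM`, which current browsers no longer honour (it was dropped in favour of the CSP `frame-ancestors` directive), so an operator who picks it ends up with no framing protection at all; reword it to `# Options: DENY, SAMEORIGIN (ALLOW-FROM is obsolete - use CONTENT_SECURITY_POLICY with frame-ancestors instead). Default: SAMEORIGIN`. The HSTS comment should state the two consequences the setting has as wired by the entrypoint in this same change: an empty `HSTS_MAX_AGE=` means no Strict-Transport-Security header is sent at all (HSTS is off by default), and any value is emitted with `includeSubdomains`, committing every subdomain of the MISP hostname to HTTPS too. Something like `# Leave empty to disable HSTS. The header is sent with includeSubDomains; a common production value is 31536000 (one year).` would make the trade-off visible to whoever fills in the file.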