From 2078a599fbfc3e7a758c8c94ba1c931138364676 Mon Sep 17 00:00:00 2001 From: Anders Einar Hilden Date: Tue, 1 Aug 2023 17:59:47 +0200 Subject: [PATCH] Add/document AUTOGEN_ADMIN_KEY, AUTOCONF_GPG, MISP_EMAIL, MISP_CONTACT AUTOCONF_ADMIN_KEY renamed to AUTOGEN_ADMIN_KEY. If ADMIN_KEY is set, that will still be set, AUTOGEN_ADMIN_KEY only turns off automatic generation. AUTOCONF_GPG behaves as before. MISP_EMAIL sets MISP.email and GPG-related email. MISP_CONTACT sets MISP.contact (support email) --- README.md | 6 ++--- server/files/configure_misp.sh | 42 ++++++++++++++++++---------------- template.env | 37 +++++++++++++++++++++++------- 3 files changed, 54 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index e9f754b..f9c45f9 100644 --- a/README.md +++ b/README.md @@ -65,7 +65,7 @@ Pull the entire repository, you can build the images using `docker-compose build Once you have the docker container up you can access the container by running `docker-compose exec misp /bin/bash`. This will provide you with a root shell. You can use `apt update` and then install any tools you wish to use. -Finally, copy any changes you make outside of the container for commiting to your branch. +Finally, copy any changes you make outside of the container for commiting to your branch. `git diff -- [dir with changes]` could be used to reduce the number of changes in a patch file, however, be careful when using the `git diff` command. ### Updating @@ -92,7 +92,7 @@ Updating the images should be as simple as `docker-compose pull` which, unless c ### Building -If you are interested in building the project from scratch - `git clone` or download the entire repo and run `docker-compose build` +If you are interested in building the project from scratch - `git clone` or download the entire repo and run `docker-compose build` ## Image file sizes 
@@ -114,7 +114,7 @@ The `docker-compose.yml` file allows further configuration settings:
 ```
 "MYSQL_HOST=db"
 "MYSQL_USER=misp"
-"MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run.
+"MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run.
 "MYSQL_DATABASE=misp"
 "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
 "WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead)
diff --git a/server/files/configure_misp.sh b/server/files/configure_misp.sh
index b156a1e..bdb4515 100755
--- a/server/files/configure_misp.sh
+++ b/server/files/configure_misp.sh
@@ -15,6 +15,8 @@ init_configuration(){
 # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
 echo "... configuring default settings"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.baseurl" "$HOSTNAME"
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${MISP_CONTACT-$ADMIN_EMAIL}"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.redis_host" "$REDIS_FQDN"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.python_bin" $(which python3)
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q -f "MISP.ca_path" "/etc/ssl/certs/ca-certificates.crt"
@@ -60,7 +62,7 @@ configure_gnupg() {
 Key-Type: RSA
 Key-Length: 3072
 Name-Real: MISP Admin
-Name-Email: $ADMIN_EMAIL
+Name-Email: ${MISP_EMAIL-$ADMIN_EMAIL}
 Expire-Date: 0
 Passphrase: $GPG_PASSPHRASE
 %commit
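Review bot: `${MISP_EMAIL-$ADMIN_EMAIL}` and `${MISP_CONTACT-$ADMIN_EMAIL}` on the two added setSetting lines fall back to ADMIN_EMAIL only when the variable is unset, not when it is empty, so `MISP_EMAIL=` with no value — the form template.env uses for every other variable — writes an empty MISP.email and MISP.contact instead of the fallback the commit message describes. `${MISP_EMAIL:-$ADMIN_EMAIL}` and `${MISP_CONTACT:-$ADMIN_EMAIL}` treat both cases the same. The same `-` expansion is used on the Name-Email line of the gpg batch heredoc in the next hunk and on the export and GnuPG.email lines of the @@ -80 hunk, and since MISP.email, the generated key and GnuPG.email are meant to agree, all of them should use the same operator. init_configuration begins before this hunk.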
@@ -80,12 +82,12 @@ GPGEOF
 if [ ! -f ${GPG_ASC} ]; then
 echo "... exporting GPG key"
- sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${ADMIN_EMAIL} > ${GPG_ASC}
+ sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${MISP_EMAIL-$ADMIN_EMAIL} > ${GPG_ASC}
 else
 echo "... found exported key ${GPG_ASC}"
 fi
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.email" "${ADMIN_EMAIL}"
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.homedir" "${GPG_DIR}"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.password" "${GPG_PASSPHRASE}"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
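Review bot: the rewritten gpg export line leaves `${MISP_EMAIL-$ADMIN_EMAIL}` unquoted; if the expansion is empty the selector argument disappears entirely and `gpg --export --armor` writes every public key in the www-data keyring to ${GPG_ASC}, and a value containing whitespace is word-split into several selectors. Quote it, and the pre-existing path expansions while touching the line: `sudo -u www-data gpg --homedir "${GPG_DIR}" --export --armor "${MISP_EMAIL-$ADMIN_EMAIL}" > "${GPG_ASC}"`. configure_gnupg begins before this hunk and continues after it.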
@@ -101,26 +103,26 @@ apply_updates() {
 init_user() {
 # Create the main user if it is not there already
 sudo -u www-data /var/www/MISP/app/Console/cake userInit -q 2>&1 > /dev/null
- echo "... setting admin email to '${ADMIN_EMAIL}'"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.email" ${ADMIN_EMAIL}
+ echo "UPDATE misp.users SET email = \"${ADMIN_EMAIL}\" WHERE id = 1;" | ${MYSQLCMD}
+
 if [ ! -z "$ADMIN_ORG" ]; then
 echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD}
 fi
- if [ "$AUTOCONF_ADMIN_KEY" == "true" ]; then
- if [ ! -z "$ADMIN_KEY" ]; then
- echo "... setting admin key to '${ADMIN_KEY}'"
- CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
- else
- echo "... regenerating admin key (set \$ADMIN_KEY if you want it to change)"
- CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
- fi
- ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'`
- echo "... admin user key set to '${ADMIN_KEY}'"
+ if [ -n "$ADMIN_KEY" ]; then
+ echo "... setting admin key to '${ADMIN_KEY}'"
+ CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
+ elif [ -z "$ADMIN_KEY" ] && [ "$AUTOGEN_ADMIN_KEY" == "true" ]; then
+ echo "... regenerating admin key (set \$ADMIN_KEY if you want it to change)"
+ CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
 else
- ADMIN_KEY=""
- echo "... admin user key auto configuration disabled"
+ echo "... admin user key auto generation disabled"
+ fi
+
+ if [[ -v CHANGE_CMD[@] ]]; then
+ ADMIN_KEY=$("${CHANGE_CMD[@]}" | awk 'END {print $NF; exit}')
+ echo "... admin user key set to '${ADMIN_KEY}'"
 fi
 if [ ! -z "$ADMIN_PASSWORD" ]; then
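Review bot: the added `echo "UPDATE misp.users SET email = \"${ADMIN_EMAIL}\" WHERE id = 1;" | ${MYSQLCMD}` line splices ADMIN_EMAIL into SQL verbatim, so a value containing `"` or `\` breaks or alters the statement, whereas the removed line routed the value through the cake CLI; at minimum escape it first, `esc=${ADMIN_EMAIL//\\/\\\\}; esc=${esc//\"/\\\"}`, and interpolate `${esc}` (the pre-existing ADMIN_ORG update has the same shape). The two new echo lines print the API key in clear to stdout, which ends up in the container log and wherever those logs are shipped; printing only that the key was set or regenerated is enough for an operator. In the elif, `[ -z "$ADMIN_KEY" ]` is always true once the `-n` branch was not taken and can be dropped. Note also that an unset AUTOGEN_ADMIN_KEY disables generation here, while template.env describes true as the default, so that default has to come from docker-compose.yml, which is outside this patch. init_user continues past the end of the hunk.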
@@ -129,9 +131,9 @@ init_user() {
 PASSWORD_LENGTH=$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting "Security.password_policy_length" | jq ".value")
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" 1
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" '/.*/'
- sudo -u www-data /var/www/MISP/app/Console/cake User change_pw ${ADMIN_EMAIL} ${ADMIN_PASSWORD}
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" ${PASSWORD_POLICY}
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" ${PASSWORD_LENGTH}
+ sudo -u www-data /var/www/MISP/app/Console/cake User change_pw "${ADMIN_EMAIL}" "${ADMIN_PASSWORD}"
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" "${PASSWORD_POLICY}"
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" "${PASSWORD_LENGTH}"
 else
 echo "... setting admin password skipped"
 fi
diff --git a/template.env b/template.env
index c1812e2..063fe87 100644
--- a/template.env
+++ b/template.env
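Review bot: the quoting on the three rewritten lines is right, but nothing checks the `change_pw` call that sits between loosening and restoring the password policy: if it fails, the two restoring setSetting lines either never run (under `set -e`, whose presence is outside this hunk) or run while the failure goes unreported, so the instance can be left with a length-1, `/.*/` policy or with the default admin password still in place. Capture the status around the restore: `rc=0; sudo -u www-data /var/www/MISP/app/Console/cake User change_pw "${ADMIN_EMAIL}" "${ADMIN_PASSWORD}" || rc=$?`, keep the two restoring lines as they are, then `[ "$rc" -eq 0 ] || echo "... setting admin password failed (rc=$rc)" >&2`. init_user begins before this hunk.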
@@ -1,24 +1,25 @@
 MISP_TAG=v2.4.174
 MODULES_TAG=v2.4.174
 PHP_VER=20190902
+
 # MISP_COMMIT takes precedence over MISP_TAG
 # MISP_COMMIT=c56d537
 # MODULES_COMMIT takes precedence over MODULES_TAG
 # MODULES_COMMIT=de69ae3
-# default to MISP's default (admin@admin.test)
+# Email/username for user #1, defaults to MISP's default (admin@admin.test)
 ADMIN_EMAIL=
-# default to MISP's default (Org1)
+# name of org #1, default to MISP's default (ORGNAME)
 ADMIN_ORG=
-# default to an automatically generated one
+# defaults to an automatically generated one
 ADMIN_KEY=
-# default to MISP's default (admin)
+# defaults to MISP's default (admin)
 ADMIN_PASSWORD=
-# default to 'passphrase'
+# defaults to 'passphrase'
 GPG_PASSPHRASE=
-# default to 1 (the admin user)
+# defaults to 1 (the admin user)
 CRON_USER_ID=
-# default to 'https://localhost'
+# defaults to 'https://localhost'
 HOSTNAME=
 # optional and used by the mail sub-system
@@ -28,10 +29,30 @@ SMARTHOST_USER=
 SMARTHOST_PASSWORD=
 SMARTHOST_ALIASES=
-# comma separated list of IDs of syncservers (e.g. SYNCSERVERS=1)
+# optional comma separated list of IDs of syncservers (e.g. SYNCSERVERS=1)
+# For this to work ADMIN_KEY must be set, or AUTOGEN_ADMIN_KEY must be true (default)
 SYNCSERVERS=
 # note: if you have more than one syncserver, you need to update docker-compose.yml
 SYNCSERVERS_1_URL=
 SYNCSERVERS_1_NAME=
 SYNCSERVERS_1_UUID=
 SYNCSERVERS_1_KEY=
+
+# These variables allows overriding some MISP email values.
+# They all default to ADMIN_EMAIL.
+
+# MISP.email, used for notifications. Also used
+# for GnuPG.email and GPG autogeneration.
+# MISP_EMAIL=
+
+# MISP.contact, the e-mail address that
+# MISP should include as a contact address
+# for the instance's support team.
+# MISP_CONTACT=
+
+# Enable GPG autogeneration (default true)
+# AUTOCONF_GPG=true
+
+# Enable admin (user #1) API key autogeneration
+# if ADMIN_KEY is not set above (default true)
+# AUTOGEN_ADMIN_KEY=true