From 25dd423617a6726013b3a5ac3885338d9da9c19b Mon Sep 17 00:00:00 2001
From: Stefano Ortolani
Date: Tue, 6 Dec 2022 17:13:23 +0000
Subject: [PATCH] Tidy things up before publishing (#11)
Co-authored-by: Stefano Ortolani
---
 .github/FUNDING.yml | 12 ----
 .github/workflows/release-latest.yml | 2 +-
 .github/workflows/test-build-latest.yml | 2 +-
 .gitignore | 8 +-
 .travis.yml | 12 ----
 README.md | 68 +++++++++++++++-------
 build-docker-compose.yml | 17 ------
 docker-compose.yml | 46 +++++++--------
 modules/hooks/build | 17 ------
 modules/hooks/post_push | 4 --
 public/.keep | 0
 server/Dockerfile | 4 +-
 server/files/entrypoint_internal.sh | 20 +++++--
 server/files/entrypoint_nginx.sh | 75 ++++++++++---------
 server/hooks/build | 17 ------
 server/hooks/post_push | 4 --
 template.env | 21 ++++++-
 17 files changed, 142 insertions(+), 187 deletions(-)
 delete mode 100644 .github/FUNDING.yml
 delete mode 100644 .travis.yml
 delete mode 100644 build-docker-compose.yml
 delete mode 100755 modules/hooks/build
 delete mode 100755 modules/hooks/post_push
 delete mode 100644 public/.keep
 delete mode 100755 server/hooks/build
 delete mode 100755 server/hooks/post_push
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index 16bce6f..0000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-# These are supported funding model platforms
-
-github: [coolacid]
-patreon: # Replace with a single Patreon username
-open_collective: # Replace with a single Open Collective username
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
-community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
-liberapay: # Replace with a single Liberapay username
-issuehunt: # Replace with a single IssueHunt username
-otechie: # Replace with a single Otechie username
-custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
diff --git a/.github/workflows/release-latest.yml b/.github/workflows/release-latest.yml index 16d4326..27e9e8b 100644 --- a/.github/workflows/release-latest.yml +++ b/.github/workflows/release-latest.yml @@ -18,7 +18,7 @@ jobs: env: GITHUB_CONTEXT: ${{ toJson(github) }} run: | - docker compose --file build-docker-compose.yml --env-file template.env build + docker compose --env-file template.env build # Tag the image with the commit SHA[0:7] DOCKER_IMG_TAG=`echo "${{ github.sha }}" | cut -c 1-7` docker tag ${{ secrets.DOCKER_USERNAME }}/misp-docker:core-latest ${{ secrets.DOCKER_USERNAME }}/misp-docker:core-$DOCKER_IMG_TAG diff --git a/.github/workflows/test-build-latest.yml b/.github/workflows/test-build-latest.yml index 465fccb..fd63c3f 100644 --- a/.github/workflows/test-build-latest.yml +++ b/.github/workflows/test-build-latest.yml @@ -15,4 +15,4 @@ jobs: - uses: actions/checkout@v3 - name: Build the Docker images - run: docker compose --file build-docker-compose.yml --env-file template.env build + run: docker compose --env-file template.env build diff --git a/.gitignore b/.gitignore index 628cfb6..468adc1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,7 @@ -/logs/ -/files/ -/ssl/ /configs/ +/files/ +/gnupg/ +/logs/ /public/ -.gnupg +/ssl/ .env diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 6d6fe0f..0000000 --- a/.travis.yml +++ /dev/null @@ -1,12 +0,0 @@ -language: minimal - -env: - - DOCKER_COMPOSE_VERSION=1.25.3 - -before_install: - - curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` | sudo tee /usr/local/bin/docker-compose >/dev/null - - sudo chmod +x /usr/local/bin/docker-compose - -script: - - docker-compose -f docker-compose.yml -f build-docker-compose.yml build - diff --git a/README.md b/README.md index 53266bf..e9de301 100644 --- a/README.md +++ b/README.md 
@@ -1,13 +1,11 @@ -# CoolAcid's MISP Docker images +# TAU's MISP Docker images -[![Codacy Badge](https://api.codacy.com/project/badge/Grade/e9b0c08774a84b9e8e0454f3ac83651f)](https://app.codacy.com/manual/coolacid/docker-misp?utm_source=github.com&utm_medium=referral&utm_content=coolacid/docker-misp&utm_campaign=Badge_Grade_Dashboard) -[![CodeFactor](https://www.codefactor.io/repository/github/coolacid/docker-misp/badge/master)](https://www.codefactor.io/repository/github/coolacid/docker-misp/overview/master) -[![Build Status](https://travis-ci.org/coolacid/docker-misp.svg?branch=master)](https://travis-ci.org/coolacid/docker-misp) +[![Build Status](https://img.shields.io/github/workflow/status/ostefano/docker-misp/Build%20the%20Docker%20images%20and%20push%20them%20to%20Docker%20Hub)](https://hub.docker.com/repository/docker/ostefano/misp-docker) [![Gitter chat](https://badges.gitter.im/gitterHQ/gitter.png)](https://gitter.im/MISP/Docker) -A (nearly) production ready Dockered MISP +A production ready Dockered MISP based on CoolAcid's MISP Docker image (https://github.com/coolacid/docker-misp). -This is based on some of the work from the DSCO docker build, nearly all of the details have been rewritten. +Like CoolAcid's MISP docker image, this is based on some of the work from the DSCO docker build, nearly all of the details have been rewritten. - Components are split out where possible, currently this is only the MISP modules - Over writable configuration files 
@@ -17,15 +15,30 @@ This is based on some of the work from the DSCO docker build, nearly all of the - Images directly from docker hub, no build required - Slimmed down images by using build stages and slim parent image, removes unnecessary files from images -## Docker Tags +Additionally, this fork features the following improvements: -[Docker hub](https://hub.docker.com/r/coolacid/misp-docker) builds the images automatically based on git tags. I try and tag using the following details +- ARM (Apple M1) support +- Fix and improve support for cron jobs +- Fix Supervisor handling of entrypoints +- Make schema update repeatable and completely offline +- Fix missing MISP modules dependencies +- New Background Job system, see https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md +- Automatic configuration of MISP modules (see `entrypoint_internal.sh`) +- Automatic configuration of sync servers (see `entrypoint_internal.sh`) +- Automatic configuration of organizations (see `entrypoint_internal.sh`) +- Autoamtic configuration of authentication keys (see `entrypoint_internal.sh`) -***v\[MISP Version]\[Our build version]*** +As a result, this image is not for everybody and does not (and will not) fit every use case. +Nevertheless the underlying spirit of this fork is to allow "repeatable deployments", and all pull requests in this direction will be merged. -- MISP version is the MISP tag we're building -- Our build version is the iteration for our changes with the same MISP version -- Core and modules are split into \[core]-version and \[modules]-version respectively +## Versioning + +GitHub builds the images automatically and pushes them to [Docker hub](https://hub.docker.com/r/ostefano/misp-docker). 
We do not use tags and versioning works as follows: + +- MISP (and modules) version specified inside the `template.env` file +- Docker images are tagged based on the commit hash +- Core and modules are tagged as core-commit-sha1[0:7] and modules-commit-sha1[0:7] respectively +- The latest images have additional tags core-latest and modules-latest ## Getting Started @@ -33,10 +46,6 @@ This is based on some of the work from the DSCO docker build, nearly all of the ### Development/Test -- Grab the `docker-compose.yml` and `server-configs/email.php` files (Keep directory structure) - -- A dry run will create sane default configurations - - `docker-compose up` - Login to `https://localhost` @@ -47,7 +56,7 @@ This is based on some of the work from the DSCO docker build, nearly all of the ### Using the image for development -Pull the entire repository, you can build the images using `docker-compose -f docker-compose.yml -f build-docker-compose.yml build` +Pull the entire repository, you can build the images using `docker-compose build` Once you have the docker container up you can access the container by running `docker-compose exec misp /bin/bash`. This will provide you with a root shell. You can use `apt update` and then install any tools you wish to use. @@ -73,11 +82,10 @@ Updating the images should be as simple as `docker-compose pull` which, unless c - Additional directory volume mounts: - `/var/www/MISP/app/files` - `/var/www/MISP/.gnupg` - - `/var/www/MISP/.smime` ### Building -If you are interested in building the project from scratch - `git clone` or download the entire repo and run `docker-compose -f build-docker-compose.yml build` +If you are interested in building the project from scratch - `git clone` or download the entire repo and run `docker-compose build` ## Image file sizes 
@@ -91,3 +99,25 @@ If you are interested in building the project from scratch - `git clone` or down - Modules (Saved: 640MB) - Original: 1.36GB - Pre-build modules: 750MB + +### Configuration + +The `docker-compose.yml` file further allows the following configuration settings: + +``` +"MYSQL_HOST=db" +"MYSQL_USER=misp" +"MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. +"MYSQL_DATABASE=misp" +"NOREDIR=true" # Do not redirect port 80 +"DISIPV6=true" # Disable IPV6 in nginx +"CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required +"SECURESSL=true" # Enable higher security SSL in nginx +"MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url +"WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead) +"NUM_WORKERS_DEFAULT=5" # To set the number of default workers +"NUM_WORKERS_PRIO=5" # To set the number of prio workers +"NUM_WORKERS_EMAIL=5" # To set the number of email workers +"NUM_WORKERS_UPDATE=1" # To set the number of update workers +"NUM_WORKERS_CACHE=5" # To set the number of cache workers +``` diff --git a/build-docker-compose.yml b/build-docker-compose.yml deleted file mode 100644 index 6616000..0000000 --- a/build-docker-compose.yml +++ /dev/null @@ -1,17 +0,0 @@ -version: '3' -services: - misp: - image: ostefano/misp-docker:core-latest - build: - context: server/. - args: - - MISP_TAG=${MISP_TAG} - - MISP_COMMIT=${MISP_COMMIT} - - PHP_VER=${PHP_VER} - - misp-modules: - image: ostefano/misp-docker:modules-latest - build: - context: modules/. - args: - - MODULES_TAG=${MODULES_TAG} diff --git a/docker-compose.yml b/docker-compose.yml index 3f3a4f7..a75df94 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -30,6 +30,12 @@ services: misp: image: ostefano/misp-docker:core-latest + build: + context: server/. + args: + - MISP_TAG=${MISP_TAG} + - MISP_COMMIT=${MISP_COMMIT} + - PHP_VER=${PHP_VER} depends_on: - redis - db 
@@ -37,48 +43,30 @@ services: - "80:80" - "443:443" volumes: - - "./configs/:/var/www/MISP/app/Config/:delegated" - - "./logs/:/var/www/MISP/app/tmp/logs/:delegated" - - "./files/:/var/www/MISP/app/files/:delegated" - - "./ssl/:/etc/nginx/certs/:delegated" - - "${PUBLIC_MOUNT_POINT}:/mnt/public/:delegated" + - "./configs/:/var/www/MISP/app/Config/" + - "./logs/:/var/www/MISP/app/tmp/logs/" + - "./files/:/var/www/MISP/app/files/" + - "./ssl/:/etc/nginx/certs/" + - "./gnupg/:/var/www/MISP/.gnupg/" + - "${PUBLIC_MOUNT_POINT}:/mnt/public/" # - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh - - "./.gnupg/:/var/www/MISP/.gnupg/:delegated" environment: - "HOSTNAME=https://localhost" - "REDIS_FQDN=redis" - "INIT=true" # Initialze MISP, things includes, attempting to import SQL and the Files DIR - "CRON_USER_ID=1" # The MISP user ID to run cron jobs as # Synchronization Servers settings - - "SYNCSERVERS=1" + - "SYNCSERVERS=${SYNCSERVERS}" - "SYNCSERVERS_1_NAME=${SYNCSERVERS_1_NAME}" - "SYNCSERVERS_1_UUID=${SYNCSERVERS_1_UUID}" - "SYNCSERVERS_1_KEY=${SYNCSERVERS_1_KEY}" - | SYNCSERVERS_1_DATA= { - "url": "https://intel.thedfirreport.com/", + "url": "${SYNCSERVERS_1_URL}", "pull_rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}", "pull": true } - - "ORGANIZATIONS=${ORGANIZATIONS}" - # Database Configuration (And their defaults) -# - "MYSQL_HOST=db" -# - "MYSQL_USER=misp" -# - "MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. 
-# - "MYSQL_DATABASE=misp" - # Optional Settings -# - "NOREDIR=true" # Do not redirect port 80 -# - "DISIPV6=true" # Disable IPV6 in nginx -# - "CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required -# - "SECURESSL=true" # Enable higher security SSL in nginx -# - "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url -# - "WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead) -# - "NUM_WORKERS_DEFAULT=5" # To set the number of default workers -# - "NUM_WORKERS_PRIO=5" # To set the number of prio workers -# - "NUM_WORKERS_EMAIL=5" # To set the number of email workers -# - "NUM_WORKERS_UPDATE=1" # To set the number of update workers -# - "NUM_WORKERS_CACHE=5" # To set the number of cache workers # Custom Settings - "ADMIN_EMAIL=${ADMIN_EMAIL}" - "ADMIN_KEY=${ADMIN_KEY}" @@ -86,9 +74,15 @@ services: - "GPG_PASSPHRASE=${GPG_PASSPHRASE}" - "NSX_ANALYSIS_API_TOKEN=${NSX_ANALYSIS_API_TOKEN}" - "NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}" + - "ORGANIZATIONS=${ORGANIZATIONS}" - "VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}" misp-modules: image: ostefano/misp-docker:modules-latest + build: + context: modules/. + args: + - MODULES_TAG=${MODULES_TAG} + - MODULES_COMMIT=${MODULES_COMMIT} environment: - "REDIS_BACKEND=redis" depends_on: diff --git a/modules/hooks/build b/modules/hooks/build deleted file mode 100755 index cce3ff0..0000000 --- a/modules/hooks/build +++ /dev/null 
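Review bot: `"url": "${SYNCSERVERS_1_URL}"` splices an environment value verbatim into a JSON document held in a YAML block scalar, so a URL containing `"` or `\` produces a malformed `SYNCSERVERS_1_DATA`, and the empty `SYNCSERVERS_1_URL` that `template.env` ships with yields `"url": ""` whenever `SYNCSERVERS` lists `1`. Nothing in the compose file records that contract; a comment above the `- |` entry would, for example `# SYNCSERVERS_1_URL is inserted into JSON unescaped: no double quotes or backslashes, and it must be set when SYNCSERVERS includes 1`. Alternatively pass `SYNCSERVERS_1_URL=${SYNCSERVERS_1_URL}` as its own variable and let the entrypoint assemble the JSON, which also removes the need to edit `docker-compose.yml` for a second server.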
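Review bot: `MODULES_COMMIT=${MODULES_COMMIT}` is added as a build arg, but `modules/Dockerfile` is not part of this commit (it is absent from the diffstat), so unless it already declares `ARG MODULES_COMMIT` and checks that commit out the way `server/Dockerfile` does with `MISP_COMMIT`, the pin that `template.env` documents (`MODULES_COMMIT takes precedence over MODULES_TAG`) is silently ignored; Docker only warns about an unconsumed build arg. Worth verifying before publishing, and a comment next to the arg, `# consumed by modules/Dockerfile: checked out after the clone when set`, records the expectation for the next reader.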
@@ -1,17 +0,0 @@ -#!/bin/bash -# https://docs.docker.com/docker-cloud/builds/advanced/ - -# $IMAGE_NAME var is injected into the build so the tag is correct. -echo "[***] Build hook running" - -export $(grep -v '^#' ../.env | xargs) - -docker pull $DOCKER_REPO:modules-latest - -docker build \ - --build-arg MODULES_TAG=$MODULES_TAG \ - --build-arg PHP_VER=$PHP_VER \ - --build-arg BUILD_RFC3339=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \ - --build-arg COMMIT=$(git rev-parse --short HEAD) \ - --build-arg VERSION=$(git describe --tags --always) \ - -t $IMAGE_NAME . diff --git a/modules/hooks/post_push b/modules/hooks/post_push deleted file mode 100755 index a87516e..0000000 --- a/modules/hooks/post_push +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -docker tag $IMAGE_NAME $DOCKER_REPO:modules-latest -docker push $DOCKER_REPO:modules-latest diff --git a/public/.keep b/public/.keep deleted file mode 100644 index e69de29..0000000 diff --git a/server/Dockerfile b/server/Dockerfile index d7efe38..d612edc 100644 --- a/server/Dockerfile +++ b/server/Dockerfile @@ -136,7 +136,9 @@ ARG PHP_VER RUN git clone --branch ${MISP_TAG} --depth 1 https://github.com/MISP/MISP.git /var/www/MISP RUN if [ ! -z ${MISP_COMMIT} ]; then cd /var/www/MISP && git checkout ${MISP_COMMIT}; fi; \ # We build the MISP modules outside, so we don't need to grab those submodules - cd /var/www/MISP/app || exit; git submodule update --init --recursive .; + cd /var/www/MISP/app || exit; git submodule update --init --recursive .; \ + # Remove some old and broken links that pollute the log files + rm -rf /var/www/MISP/INSTALL/old # Python Modules COPY --from=python-build /wheels /wheels diff --git a/server/files/entrypoint_internal.sh b/server/files/entrypoint_internal.sh index 752aa0e..57e6cf3 100755 --- a/server/files/entrypoint_internal.sh +++ b/server/files/entrypoint_internal.sh 
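Review bot: The new `rm -rf /var/www/MISP/INSTALL/old` is chained with `;` after `git submodule update --init --recursive .`, so the RUN step now exits with the status of `rm`, and a failed submodule update no longer fails the image build; before this change the git command was the last one in the step and its status was the one reported. Chain the two with `&&` instead: `cd /var/www/MISP/app || exit; git submodule update --init --recursive . && \` followed by `rm -rf /var/www/MISP/INSTALL/old`. The `#` line between them is harmless, since the Dockerfile parser strips comment lines inside a continuation.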
@@ -78,7 +78,7 @@ apply_critical_fixes() { sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.external_baseurl" "${HOSTNAME}" sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.host_org_id" 1 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Action_services_enable" false - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" true + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" false sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_popover_only" false sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true } @@ -214,6 +214,13 @@ get_server() { -H "Content-type: application/json" ${HOSTNAME}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${1}\") | .Server.id" } +updateComponents() { + sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies + sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies + sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists + sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists + sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID" +} echo "Customize MISP | Configure email ..." && configure_email 
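Review bot: `updateComponents` is the only camelCase function in a file whose other helpers are snake_case (`apply_critical_fixes`, `get_server`, `configure_email` are all visible in this diff), and it carries no header comment; rename it `update_components` (together with the call added at the bottom of the file) and put `# Refresh the bundled galaxies, taxonomies, warning lists, notice lists and object templates; only the object-template update takes a user id` above it. With `"$CRON_USER_ID"` quoted, an unset variable still passes an empty argument to `updateObjectTemplates`, so a guard or a comment stating that the variable is required belongs here too. None of the five `cake` calls has its exit status checked, so a failing update is visible only in the log.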
@@ -233,15 +240,14 @@ echo "Customize MISP | Configure plugins ..." && configure_plugins # Create organizations (and silently fail if present already) echo "Customize MISP | Creating organizations ..." SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n') -for ORG in $SPLITTED_ORGS -do +for ORG in $SPLITTED_ORGS; do echo "Adding organization: $ORG" add_organization $ORG true done - -# Create sync servers -for ID in $SYNCSERVERS; do +echo "Customize MISP | Creating sync servers ..." +SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n') +for ID in $SPLITTED_SYNCSERVERS; do NAME="SYNCSERVERS_${ID}_NAME" UUID="SYNCSERVERS_${ID}_UUID" DATA="SYNCSERVERS_${ID}_DATA" @@ -255,5 +261,7 @@ for ID in $SYNCSERVERS; do fi done +echo "Customize MISP | Updating components ..." && updateComponents + # Make the instance live sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1 diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh index 1c86e3e..7504ce9 100755 --- a/server/files/entrypoint_nginx.sh +++ b/server/files/entrypoint_nginx.sh 
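Review bot: `SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')` leaves `$SYNCSERVERS` unquoted, so a `*` in the value would be expanded against the working directory, and each `ID` is then spliced straight into variable names (`NAME="SYNCSERVERS_${ID}_NAME"`) that are presumably dereferenced indirectly further down; an ID that is not a valid identifier fragment makes that expansion fail. Quote the argument, `SPLITTED_SYNCSERVERS=$(echo "$SYNCSERVERS" | tr ',' '\n')`, and reject malformed IDs at the top of the loop: `case "$ID" in *[!A-Za-z0-9_]*) echo "Skipping invalid sync server id: $ID"; continue;; esac`. The same unquoted pattern is kept for `$ORGANIZATIONS` two lines above. The body of this `for` loop ends in the next hunk.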
@@ -34,27 +34,26 @@ init_misp_config(){ sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php - - echo "Configure sane defaults" - /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN" - /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME" - /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3) - - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN" - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true - - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN" - - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN" - - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN" - - /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false } +init_misp_defaults(){ + # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this + echo "Configure sane defaults" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3) + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN" + sudo -u www-data 
/var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false +} + + init_misp_workers(){ # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this echo "Configuring background workers" 
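Review bot: Each of the twelve lines in the new `init_misp_defaults` repeats the same `sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting` prefix, which buries the actual key/value table, and `$(which python3)` is passed unquoted, so an empty result silently drops the value argument rather than failing visibly. A one-line helper keeps every setting on a short line; the rewrite below is equivalent apart from quoting the python path. The two added blank lines before `init_misp_workers` also depart from the single blank line used between functions elsewhere in this file.
```shell
# Run a MISP setSetting as www-data (permissions are enforced before this is called)
misp_set_setting(){
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "$@"
}

init_misp_defaults(){
    echo "Configure sane defaults"
    misp_set_setting "MISP.redis_host" "$REDIS_FQDN"
    misp_set_setting "MISP.baseurl" "$HOSTNAME"
    misp_set_setting "MISP.python_bin" "$(which python3)"
    misp_set_setting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
    misp_set_setting "Plugin.ZeroMQ_enable" true
    misp_set_setting "Plugin.Enrichment_services_enable" true
    misp_set_setting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
    misp_set_setting "Plugin.Import_services_enable" true
    misp_set_setting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
    misp_set_setting "Plugin.Export_services_enable" true
    misp_set_setting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
    misp_set_setting "Plugin.Cortex_services_enable" false
}
```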
@@ -145,13 +144,21 @@ echo "Configure MISP | Initialize misp base config..." && init_misp_config echo "Configure MISP | Sync app files..." && sync_files echo "Configure MISP | Enforce permissions ..." -echo "... chown -R www-data:www-data /var/www/MISP ..." && find /var/www/MISP -not -user www-data -exec chown www-data:www-data {} + -echo "... chmod -R 0750 /var/www/MISP ..." && find /var/www/MISP -perm 550 -type f -exec chmod 0550 {} + && find /var/www/MISP -perm 770 -type d -exec chmod 0770 {} + -echo "... chmod -R g+ws /var/www/MISP/app/tmp ..." && chmod -R g+ws /var/www/MISP/app/tmp -echo "... chmod -R g+ws /var/www/MISP/app/files ..." && chmod -R g+ws /var/www/MISP/app/files -echo "... chmod -R g+ws /var/www/MISP/app/files/scripts/tmp ..." && chmod -R g+ws /var/www/MISP/app/files/scripts/tmp +# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions +echo "... chown -R www-data:www-data /var/www/MISP ..." && find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} + +# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory +echo "... chmod -R 0550 files /var/www/MISP ..." && find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} + +# Directories are also writable, because there seems to be a requirement to add new files every once in a while +echo "... chmod -R 0770 directories /var/www/MISP ..." && find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} + +# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit) +echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp ..." && chmod -R u+w,g+w /var/www/MISP/app/tmp +echo "... chmod -R u+w,g+w /var/www/MISP/app/files ..." && chmod -R u+w,g+w /var/www/MISP/app/files +# We also make other special files writable (should be 660) echo "... 
chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php ... " && chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php +# Configuring defaults now +echo "Configure MISP | Setting defaults ..." && init_misp_defaults + # Workers are set to NOT auto start so we have time to enforce permissions on the cache first echo "Configure MISP | Starting workers ..." && init_misp_workers @@ -219,26 +226,6 @@ if [[ "$WARNING53" == true ]]; then fi if [[ -x /entrypoint_internal.sh ]]; then - ## Re-exporting might not be necessary after all? - # export ADMIN_EMAIL=${ADMIN_EMAIL} - # export ADMIN_ORG=${ADMIN_ORG} - # export ADMIN_KEY=${ADMIN_KEY} - # export GPG_PASSPHRASE=${GPG_PASSPHRASE} - # export HOSTNAME=${HOSTNAME} - # export NSX_ANALYSIS_API_TOKEN=${NSX_ANALYSIS_API_TOKEN} - # export NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY} - # export VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY} - # export SYNCSERVERS=${SYNCSERVERS} - # for ID in $SYNCSERVERS; do - # NAME="SYNCSERVERS_${ID}_NAME" - # UUID="SYNCSERVERS_${ID}_UUID" - # DATA="SYNCSERVERS_${ID}_DATA" - # KEY="SYNCSERVERS_${ID}_KEY" - # export ${NAME}="${!NAME}" - # export ${UUID}="${!UUID}" - # export ${DATA}="${!DATA}" - # export ${KEY}="${!KEY}" - # done export MYSQLCMD=${MYSQLCMD} nginx -g 'daemon off;' & master_pid=$! /entrypoint_internal.sh diff --git a/server/hooks/build b/server/hooks/build deleted file mode 100755 index d0291ed..0000000 --- a/server/hooks/build +++ /dev/null 
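Review bot: `find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} +` sets the execute bit on every regular file in the tree, and the following `chmod -R u+w,g+w` passes then make `app/tmp` and `app/files` writable on top of that, so www-data ends up with write and execute on the log directory and on `app/files`, which (if it is MISP's attachment directory, as the README volume list suggests) holds user-supplied uploads. If a full script inventory is not possible, at least strip the bit again from the data trees after the write pass, e.g. `find /var/www/MISP/app/files -path /var/www/MISP/app/files/scripts -prune -o -type f -exec chmod a-x {} +` and likewise for `app/tmp`, so uploaded content never carries an execute bit. The comment `# We also make other special files writable (should be 660)` also disagrees with the `chmod 600` beneath it; because the tree is chowned `www-data:www-data` just above, 600 is sufficient and the comment should say `# Config files hold DB credentials: owner read/write only, no group or other access`. In the chown `find`, `-or` is a GNU extension and `-o` is the portable spelling.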
@@ -1,17 +0,0 @@
-#!/bin/bash
-# https://docs.docker.com/docker-cloud/builds/advanced/
-
-# $IMAGE_NAME var is injected into the build so the tag is correct.
-echo "[***] Build hook running"
-
-export $(grep -v '^#' ../.env | xargs)
-
-docker pull $DOCKER_REPO:core-latest
-
-docker build \
- --build-arg MISP_TAG=$MISP_TAG \
- --build-arg PHP_VER=$PHP_VER \
- --build-arg BUILD_RFC3339=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
- --build-arg COMMIT=$(git rev-parse --short HEAD) \
- --build-arg VERSION=$(git describe --tags --always) \
- -t $IMAGE_NAME .
diff --git a/server/hooks/post_push b/server/hooks/post_push
deleted file mode 100755
index 7be5a03..0000000
--- a/server/hooks/post_push
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-
-docker tag $IMAGE_NAME $DOCKER_REPO:core-latest
-docker push $DOCKER_REPO:core-latest
diff --git a/template.env b/template.env
index c6244af..9d852e5 100644
--- a/template.env
+++ b/template.env
@@ -6,21 +6,38 @@ PHP_VER=20190902 # MODULES_COMMIT takes precedence over MODULES_TAG # MODULES_COMMIT=de69ae3 +# default to MISP's default (admin@admin.test) ADMIN_EMAIL= +# default to MISP's default (Org1) ADMIN_ORG= +# default to an automatically generated one (password is 'admin') ADMIN_KEY= +# default to 'passphrase' GPG_PASSPHRASE= + +# optional and used by some misp-modules NSX_ANALYSIS_API_TOKEN= NSX_ANALYSIS_KEY= VIRUSTOTAL_KEY= +# optional and used by the mail sub-system SMARTHOST_ADDRESS= SMARTHOST_PORT= SMARTHOST_USER= SMARTHOST_PASSWORD= SMARTHOST_ALIASES= -# comma separated list of organizations to create (e.g ORGANIZATIONS="ORG1, ORG2, ORG3") +# comma separated list of IDs of syncservers (e.g. SYNCSERVERS=1) +SYNCSERVERS= +# name, remote organization uuid, and key of each syncserver +# note: if you have more than one, you need to update docker-compose.yml +SYNCSERVERS_1_URL= +SYNCSERVERS_1_NAME= +SYNCSERVERS_1_UUID= +SYNCSERVERS_1_KEY= + +# comma separated list of organizations to create (e.g. ORGANIZATIONS="ORG1, ORG2, ORG3") ORGANIZATIONS= -# Host folder containing the files generated by external tools + +# host folder containing public files generated by external tools PUBLIC_MOUNT_POINT=./public
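Review bot: The comment `# name, remote organization uuid, and key of each syncserver` omits the URL even though `SYNCSERVERS_1_URL` is the first variable beneath it, and `(e.g. SYNCSERVERS=1)` does not show the comma separator the entrypoint splits on; `# URL, name, remote organization uuid, and key of each syncserver` and `(e.g. SYNCSERVERS=1,2)` would. The `ADMIN_KEY` comment `# default to an automatically generated one (password is 'admin')` conflates two things: this variable is the admin API key, while the parenthetical describes the admin login password, which it does not set; if the default password really persists after first boot, state that on its own line and say where to change it, since the README calls this image production ready. `.env` stays git-ignored (see the `.gitignore` hunk), which is the right home for the real `ADMIN_KEY` and `SYNCSERVERS_1_KEY` values; the template should keep them empty, as it does.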