Revert "Create the database"

docker-compose-nginx.yml

@@ -14,7 +14,7 @@ services:
   web:
     build: web
     container_name: misp_web
-    image: stevengoossens/misp:latest
+    image: misp:latest
     restart: unless-stopped
     volumes:
       - /dev/urandom:/dev/random

web/Dockerfile

@@ -1,16 +1,191 @@
 
-FROM ubuntu:focal
+FROM ubuntu:bionic
+
 # Install core components
 ENV DEBIAN_FRONTEND noninteractive
-RUN apt update -y && apt install wget sudo -y
-# This will install MISP Core
-RUN wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh
-RUN sed -i 's/> \/dev\/tty//' /tmp/INSTALL.sh
-RUN sed -i 's/> \/dev\/null//' /tmp/INSTALL.sh 
-RUN sed -i 's/checkInstaller$/#checkInstaller/' /tmp/INSTALL.sh
-RUN bash /tmp/INSTALL.sh -c
+
+RUN apt-get update && \
+    apt-get dist-upgrade -y && apt-get autoremove -y && apt-get clean && \
+    apt-get install -y software-properties-common && \
+    apt-get install -y postfix && \
+    apt-get install -y mysql-client curl gcc git gnupg-agent \
+        make python openssl redis-server sudo vim zip locales
+
+RUN locale-gen en_US.UTF-8
+ENV LANG en_US.UTF-8
+
+# Apache
+RUN apt-get install -y apache2 apache2-doc apache2-utils && \
+    a2dismod status && \
+    a2dissite 000-default
+
+# PHP 7.2 and install MySQL PDO extension
+RUN apt-get install -y libapache2-mod-php php php-dev php-json \
+        php-mysql php-redis php-xml php-mbstring \
+        php-gd php-pear php-opcache \
+        pkg-config libbson-1.0 libmongoc-1.0-0
+
+# Fix php.ini with recommended settings
+RUN sed -i \
+        -e "s/max_execution_time = 30/max_execution_time = 300/" \
+        -e "s/memory_limit = 128M/memory_limit = 2048M/" \
+        -e "s/upload_max_filesize = 2M/upload_max_filesize = 50M/" \
+        -e "s/post_max_size = 8M/post_max_size = 50M/" \
+        /etc/php/7.2/apache2/php.ini
+
+RUN apt-get install -y python3-dev python3-pip python3-setuptools \
+        python3-lxml libjpeg-dev \
+        libxml2-dev libxslt1-dev zlib1g-dev libfuzzy-dev && \
+    apt-get install -y cron logrotate supervisor syslog-ng-core && \
+    apt-get clean
+
+WORKDIR /var/www
+RUN chown www-data:www-data /var/www
+USER www-data
+RUN git clone https://github.com/MISP/MISP.git
+WORKDIR /var/www/MISP
+RUN git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`) && \
+    git config core.filemode false && \
+    git submodule update --init --recursive && \
+    git submodule foreach --recursive git config core.filemode false
+
+USER root
+RUN pip3 install git+https://github.com/STIXProject/python-stix.git \
+                 git+https://github.com/CybOXProject/python-cybox.git \
+                 git+https://github.com/CybOXProject/mixbox.git \
+                 git+https://github.com/MAECProject/python-maec.git \
+                 /var/www/MISP/cti-python-stix2 \
+                 plyara
+
+USER www-data
+WORKDIR /var/www/MISP
+RUN git submodule init && git submodule update
+WORKDIR /var/www/MISP/app
+
+# FIX COMPOSER
+RUN curl --fail --location -o composer-setup.php https://getcomposer.org/installer && \
+    EXPECTED_SIGNATURE="$(curl https://composer.github.io/installer.sig)"; php -r "if (hash_file('sha384', 'composer-setup.php') == '$(echo $EXPECTED_SIGNATURE)' ) { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" && \
+    php composer-setup.php && \
+    php -r "unlink('composer-setup.php');"
+# END FIX
+
+RUN php composer.phar update && \
+    php composer.phar config vendor-dir Vendor && \
+    php composer.phar install --ignore-platform-reqs
+USER root
+RUN phpenmod redis
+USER www-data
+RUN cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
+
+# Fix permissions
+USER root
+RUN chown -R www-data:www-data /var/www/MISP && \
+    chmod -R 750 /var/www/MISP && \
+    chmod -R g+ws /var/www/MISP/app/tmp && \
+    chmod -R g+ws /var/www/MISP/app/files && \
+    chmod -R g+ws /var/www/MISP/app/files/scripts/tmp && \
+    chmod +x /var/www/MISP/app/Console/cake
+
+RUN cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
+
+# Preconfigure setting for packages
+RUN echo "postfix postfix/main_mailer_type string Local only" \
+  | debconf-set-selections && \
+    echo "postfix postfix/mailname string localhost.localdomain" | \
+    debconf-set-selections
+
+# Redis Setup
+RUN sed -i 's/^\(daemonize\s*\)yes\s*$/\1no/g' /etc/redis/redis.conf
+RUN sed -i 's/^\(bind\s*\)127.0.0.1 ::1\s*$/\1127.0.0.1/g' /etc/redis/redis.conf
+
+# Add a healthcheck endpoint
+COPY healthcheck.patch healthcheck.patch
+RUN patch /var/www/MISP/INSTALL/apache.misp.ubuntu < healthcheck.patch
+
+# Apache Setup
+RUN cp /var/www/MISP/INSTALL/apache.misp.ubuntu /etc/apache2/sites-available/misp.conf && \
+    a2dissite 000-default && \
+    a2ensite misp && \
+    a2enmod rewrite && \
+    a2enmod headers
+
+# MISP base configuration
+RUN sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php && \
+    sudo -u www-data cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php && \
+    sudo -u www-data cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php && \
+    sudo -u www-data cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php && \
+    chown -R www-data:www-data /var/www/MISP/app/Config && \
+    chmod -R 750 /var/www/MISP/app/Config
+
+# Replace the default salt
+RUN sed -i -E "s/'salt'\s=>\s'(\S+)'/'salt' => '`openssl rand -base64 32|tr "/" "-"`'/" /var/www/MISP/app/Config/config.php
+
+# Enable workers at boot time
+RUN chmod a+x /var/www/MISP/app/Console/worker/start.sh && \
+    echo "sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh" >>/etc/rc.local
+
+# Install templates & stuff
+WORKDIR /var/www/MISP/app/files
+RUN rm -rf misp-objects && git clone https://github.com/MISP/misp-objects.git && \
+    rm -rf misp-galaxy && git clone https://github.com/MISP/misp-galaxy.git && \
+    rm -rf warninglists && git clone https://github.com/MISP/misp-warninglists.git ./warninglists && \
+    rm -rf taxonomies && git clone https://github.com/MISP/misp-taxonomies.git ./taxonomies && \
+    chown -R www-data:www-data misp-objects misp-galaxy warninglists taxonomies
+
+# Install MISP build requirements
+RUN sudo -E apt-get -y install libpoppler73 libpoppler-dev libpoppler-cpp-dev
+
+# Install MISP Modules
+WORKDIR /opt
+RUN git clone https://github.com/MISP/misp-modules.git
+RUN cd misp-modules && \
+    pip3 install -I -r REQUIREMENTS && \
+    pip3 install -I . && \
+    echo "sudo -u www-data misp-modules -s -l 127.0.0.1 &" >>/etc/rc.local
+
+# Supervisord Setup
+RUN ( \
+    echo '[supervisord]'; \
+    echo 'nodaemon = true'; \
+    echo ''; \
+    echo '[program:postfix]'; \
+    echo 'process_name = master'; \
+    echo 'directory = /etc/postfix'; \
+    echo 'command = /usr/sbin/postfix -c /etc/postfix start'; \
+    echo 'startsecs = 0'; \
+    echo 'autorestart = false'; \
+    echo ''; \
+    echo '[program:redis-server]'; \
+    echo 'command=redis-server /etc/redis/redis.conf'; \
+    echo ''; \
+    echo '[program:apache2]'; \
+    echo 'command=/bin/bash -c "source /etc/apache2/envvars && exec /usr/sbin/apache2 -D FOREGROUND"'; \
+    echo ''; \
+    echo '[program:resque]'; \
+    echo 'command=/bin/bash /var/www/MISP/app/Console/worker/start.sh'; \
+    echo 'user = www-data'; \
+    echo 'startsecs = 0'; \
+    echo 'autorestart = false'; \
+    echo ''; \
+    echo '[program:misp-modules]'; \
+    echo 'command=/bin/bash -c "misp-modules -s -l 127.0.0.1"'; \
+    echo 'user = www-data'; \
+    echo 'startsecs = 0'; \
+    echo 'autorestart = false'; \
+) >> /etc/supervisor/conf.d/supervisord.conf
+ 
+# Modify syslog configuration
+RUN sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf
+
+# Add run script
+# Trigger to perform first boot operations
+ADD run.sh /run.sh
+RUN chmod 0755 /run.sh && touch /.firstboot.tmp
+
+# Make a backup of /var/www/MISP to restore it to the local moint point at first boot
+WORKDIR /var/www/MISP
+RUN tar czpf /root/MISP.tgz .
 
 VOLUME /var/www/MISP
-EXPOSE 80 443
-
+EXPOSE 80
 ENTRYPOINT ["/run.sh"]

web/run.sh

@@ -1,16 +1,151 @@
 #!/bin/bash
 #
 # MISP docker startup script
-# Steven Goossens - steven@teamg.be
+# Xavier Mertens <xavier@rootshell.be>
+#
+# 2017/05/17 - Created
+# 2017/05/31 - Fixed small errors
+# 2019/10/17 - Use built-in mysql docker DB creation and use std env names (dafal)
+#
 
 set -e
-git pull /var/www/MISP
 
-# Make MISP live
+if [ -r /.firstboot.tmp ]; then
+        echo "Container started for the fist time. Setup might time a few minutes. Please wait..."
+        echo "(Details are logged in /tmp/install.log)"
+        export DEBIAN_FRONTEND=noninteractive
+
+        # If the user uses a mount point restore our files
+        if [ ! -d /var/www/MISP/app ]; then
+                echo "Restoring MISP files..."
+                cd /var/www/MISP
+                tar xzpf /root/MISP.tgz
+                rm /root/MISP.tgz
+        fi
+
+        echo "Configuring postfix"
+        if [ -z "$POSTFIX_RELAY_HOST" ]; then
+                echo "POSTFIX_RELAY_HOST is not set, please configure Postfix manually later..."
+        else
+                postconf -e "relayhost = $POSTFIX_RELAY"
+        fi
+
+        # Fix timezone (adapt to your local zone)
+        if [ -z "$TIMEZONE" ]; then
+                echo "TIMEZONE is not set, please configure the local time zone manually later..."
+        else
+                echo "$TIMEZONE" > /etc/timezone
+                dpkg-reconfigure -f noninteractive tzdata >>/tmp/install.log
+        fi
+
+        echo "Creating MySQL database"
+
+        # Check MYSQL_HOST
+        if [ -z "$MYSQL_HOST" ]; then
+                echo "MYSQL_HOST is not set. Aborting."
+                exit 1
+        fi
+		
+		# Waiting for DB to be ready
+		while ! mysqladmin ping -h"$MYSQL_HOST" --silent; do
+		    sleep 5
+			echo "Waiting for database to be ready..."
+		done
+		
+        # Set MYSQL_PASSWORD
+        if [ -z "$MYSQL_PASSWORD" ]; then
+                echo "MYSQL_PASSWORD is not set, use default value 'misp'"
+                MYSQL_PASSWORD=misp
+        else
+                echo "MYSQL_PASSWORD is set to '$MYSQL_PASSWORD'"
+        fi
+
+        ret=`echo 'SHOW TABLES;' | mysql -u $MYSQL_USER --password="$MYSQL_PASSWORD" -h $MYSQL_HOST -P 3306 $MYSQL_DATABASE # 2>&1`
+        if [ $? -eq 0 ]; then
+                echo "Connected to database successfully!"
+                found=0
+                for table in $ret; do
+                        if [ "$table" == "attributes" ]; then
+                                found=1
+                        fi
+                done
+                if [ $found -eq 1 ]; then
+                        echo "Database misp available"
+                else
+                        echo "Database misp empty, creating tables ..."
+                        ret=`mysql -u $MYSQL_USER --password="$MYSQL_PASSWORD" $MYSQL_DATABASE -h $MYSQL_HOST -P 3306 2>&1 < /var/www/MISP/INSTALL/MYSQL.sql`
+                        if [ $? -eq 0 ]; then
+                            echo "Imported /var/www/MISP/INSTALL/MYSQL.sql successfully"
+                        else
+                            echo "ERROR: Importing /var/www/MISP/INSTALL/MYSQL.sql failed:"
+                            echo $ret
+                        fi
+                fi
+        else
+                echo "ERROR: Connecting to database failed:"
+                echo $ret
+        fi
+
+        # MISP configuration
+        echo "Creating MISP configuration files"
+        cd /var/www/MISP/app/Config
+        cp -a database.default.php database.php
+        sed -i "s/localhost/$MYSQL_HOST/" database.php
+        sed -i "s/db\s*login/$MYSQL_USER/" database.php
+        sed -i "s/8889/3306/" database.php
+        sed -i "s/db\s*password/$MYSQL_PASSWORD/" database.php
+
+        # Fix the base url
+        if [ -z "$MISP_BASEURL" ]; then
+                echo "No base URL defined, don't forget to define it manually!"
+        else
+                echo "Fixing the MISP base URL ($MISP_BASEURL) ..."
+                sed -i "s/'baseurl' => '',/'baseurl' => '$MISP_BASEURL',/" /var/www/MISP/app/Config/config.php
+        fi
+
+        # Generate the admin user PGP key
+        echo "Creating admin GnuPG key"
+        if [ -z "$MISP_ADMIN_EMAIL" -o -z "$MISP_ADMIN_PASSPHRASE" ]; then
+                echo "No admin details provided, don't forget to generate the PGP key manually!"
+        else
+                echo "Generating admin PGP key ... (please be patient, we need some entropy)"
+                cat >/tmp/gpg.tmp <<GPGEOF
+%echo Generating a basic OpenPGP key
+Key-Type: RSA
+Key-Length: 2048
+Name-Real: MISP Admin
+Name-Email: $MISP_ADMIN_EMAIL
+Expire-Date: 0
+Passphrase: $MISP_ADMIN_PASSPHRASE
+%commit
+%echo Done
+GPGEOF
+                sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key --batch /tmp/gpg.tmp >>/tmp/install.log
+                rm -f /tmp/gpg.tmp
+		sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --export --armor $MISP_ADMIN_EMAIL > /var/www/MISP/app/webroot/gpg.asc
+        fi
+
+        # Display tips
+        cat <<__WELCOME__
+Congratulations!
+Your MISP docker has been successfully booted for the first time.
+Don't forget:
+- Reconfigure postfix to match your environment
+- Change the MISP admin email address to $MISP_ADMIN_EMAIL
+
+__WELCOME__
+        rm -f /.firstboot.tmp
+fi
+
+# Make MISP live - this isn't ideal, as it means taking an instance
+# non-live will make it live again if the container restarts.  That seems
+# better than the default which is that MISP is non-live on container restart.
+# Ideally live/non-live would be persisted in the database.
 /var/www/MISP/app/Console/cake live 1
 chown www-data:www-data /var/www/MISP/app/Config/config.php*
 
 # Start supervisord
 echo "Starting supervisord"
 cd /
-exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf        
+exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
+          

web/sshd_config

@@ -1,16 +0,0 @@
-# This is ssh server systemwide configuration file.
-#
-# /etc/sshd_config
-
-Port 			2222
-ListenAddress 		0.0.0.0
-LoginGraceTime 		180
-X11Forwarding 		yes
-Ciphers aes128-cbc,3des-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
-MACs hmac-sha1,hmac-sha1-96
-StrictModes 		yes
-SyslogFacility 		DAEMON
-PasswordAuthentication 	yes
-PermitEmptyPasswords 	no
-PermitRootLogin 	yes
-Subsystem sftp internal-sftp