diff --git a/docker-compose-nginx.yml b/docker-compose-nginx.yml
index 8535633..ddc8394 100644
--- a/docker-compose-nginx.yml
+++ b/docker-compose-nginx.yml
@@ -14,7 +14,7 @@ services: web: build: web container_name: misp_web - image: stevengoossens/misp:latest + image: misp:latest restart: unless-stopped volumes: - /dev/urandom:/dev/random
diff --git a/web/Dockerfile b/web/Dockerfile
index d1e48b1..6eb59b1 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -1,16 +1,191 @@ -FROM ubuntu:focal +FROM ubuntu:bionic + # Install core components ENV DEBIAN_FRONTEND noninteractive -RUN apt update -y && apt install wget sudo -y -# This will install MISP Core -RUN wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh -RUN sed -i 's/> \/dev\/tty//' /tmp/INSTALL.sh -RUN sed -i 's/> \/dev\/null//' /tmp/INSTALL.sh -RUN sed -i 's/checkInstaller$/#checkInstaller/' /tmp/INSTALL.sh -RUN bash /tmp/INSTALL.sh -c + +RUN apt-get update && \ + apt-get dist-upgrade -y && apt-get autoremove -y && apt-get clean && \ + apt-get install -y software-properties-common && \ + apt-get install -y postfix && \ + apt-get install -y mysql-client curl gcc git gnupg-agent \ + make python openssl redis-server sudo vim zip locales + +RUN locale-gen en_US.UTF-8 +ENV LANG en_US.UTF-8 + +# Apache +RUN apt-get install -y apache2 apache2-doc apache2-utils && \ + a2dismod status && \ + a2dissite 000-default + +# PHP 7.2 and install MySQL PDO extension +RUN apt-get install -y libapache2-mod-php php php-dev php-json \ + php-mysql php-redis php-xml php-mbstring \ + php-gd php-pear php-opcache \ + pkg-config libbson-1.0 libmongoc-1.0-0 + +# Fix php.ini with recommended settings +RUN sed -i \ + -e "s/max_execution_time = 30/max_execution_time = 300/" \ + -e "s/memory_limit = 128M/memory_limit = 2048M/" \ + -e "s/upload_max_filesize = 2M/upload_max_filesize = 50M/" \ + -e "s/post_max_size = 8M/post_max_size = 50M/" \ + /etc/php/7.2/apache2/php.ini + +RUN apt-get install -y python3-dev python3-pip python3-setuptools \ + python3-lxml libjpeg-dev \ + libxml2-dev libxslt1-dev zlib1g-dev libfuzzy-dev && \ + apt-get install -y cron logrotate supervisor syslog-ng-core && \ + apt-get clean + +WORKDIR /var/www +RUN chown www-data:www-data /var/www +USER www-data +RUN git clone https://github.com/MISP/MISP.git +WORKDIR /var/www/MISP +RUN git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`) && \ + git config 
core.filemode false && \ + git submodule update --init --recursive && \ + git submodule foreach --recursive git config core.filemode false + +USER root +RUN pip3 install git+https://github.com/STIXProject/python-stix.git \ + git+https://github.com/CybOXProject/python-cybox.git \ + git+https://github.com/CybOXProject/mixbox.git \ + git+https://github.com/MAECProject/python-maec.git \ + /var/www/MISP/cti-python-stix2 \ + plyara + +USER www-data +WORKDIR /var/www/MISP +RUN git submodule init && git submodule update +WORKDIR /var/www/MISP/app + +# FIX COMPOSER +RUN curl --fail --location -o composer-setup.php https://getcomposer.org/installer && \ + EXPECTED_SIGNATURE="$(curl https://composer.github.io/installer.sig)"; php -r "if (hash_file('sha384', 'composer-setup.php') == '$(echo $EXPECTED_SIGNATURE)' ) { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" && \ + php composer-setup.php && \ + php -r "unlink('composer-setup.php');" +# END FIX + +RUN php composer.phar update && \ + php composer.phar config vendor-dir Vendor && \ + php composer.phar install --ignore-platform-reqs +USER root +RUN phpenmod redis +USER www-data +RUN cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php + +# Fix permissions +USER root +RUN chown -R www-data:www-data /var/www/MISP && \ + chmod -R 750 /var/www/MISP && \ + chmod -R g+ws /var/www/MISP/app/tmp && \ + chmod -R g+ws /var/www/MISP/app/files && \ + chmod -R g+ws /var/www/MISP/app/files/scripts/tmp && \ + chmod +x /var/www/MISP/app/Console/cake + +RUN cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp + +# Preconfigure setting for packages +RUN echo "postfix postfix/main_mailer_type string Local only" \ + | debconf-set-selections && \ + echo "postfix postfix/mailname string localhost.localdomain" | \ + debconf-set-selections + +# Redis Setup +RUN sed -i 's/^\(daemonize\s*\)yes\s*$/\1no/g' /etc/redis/redis.conf +RUN sed 
-i 's/^\(bind\s*\)127.0.0.1 ::1\s*$/\1127.0.0.1/g' /etc/redis/redis.conf + +# Add a healthcheck endpoint +COPY healthcheck.patch healthcheck.patch +RUN patch /var/www/MISP/INSTALL/apache.misp.ubuntu < healthcheck.patch + +# Apache Setup +RUN cp /var/www/MISP/INSTALL/apache.misp.ubuntu /etc/apache2/sites-available/misp.conf && \ + a2dissite 000-default && \ + a2ensite misp && \ + a2enmod rewrite && \ + a2enmod headers + +# MISP base configuration +RUN sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php && \ + sudo -u www-data cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php && \ + sudo -u www-data cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php && \ + sudo -u www-data cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php && \ + chown -R www-data:www-data /var/www/MISP/app/Config && \ + chmod -R 750 /var/www/MISP/app/Config + +# Replace the default salt +RUN sed -i -E "s/'salt'\s=>\s'(\S+)'/'salt' => '`openssl rand -base64 32|tr "/" "-"`'/" /var/www/MISP/app/Config/config.php + +# Enable workers at boot time +RUN chmod a+x /var/www/MISP/app/Console/worker/start.sh && \ + echo "sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh" >>/etc/rc.local + +# Install templates & stuff +WORKDIR /var/www/MISP/app/files +RUN rm -rf misp-objects && git clone https://github.com/MISP/misp-objects.git && \ + rm -rf misp-galaxy && git clone https://github.com/MISP/misp-galaxy.git && \ + rm -rf warninglists && git clone https://github.com/MISP/misp-warninglists.git ./warninglists && \ + rm -rf taxonomies && git clone https://github.com/MISP/misp-taxonomies.git ./taxonomies && \ + chown -R www-data:www-data misp-objects misp-galaxy warninglists taxonomies + +# Install MISP build requirements +RUN sudo -E apt-get -y install libpoppler73 libpoppler-dev libpoppler-cpp-dev + +# Install MISP Modules +WORKDIR /opt +RUN 
git clone https://github.com/MISP/misp-modules.git +RUN cd misp-modules && \ + pip3 install -I -r REQUIREMENTS && \ + pip3 install -I . && \ + echo "sudo -u www-data misp-modules -s -l 127.0.0.1 &" >>/etc/rc.local + +# Supervisord Setup +RUN ( \ + echo '[supervisord]'; \ + echo 'nodaemon = true'; \ + echo ''; \ + echo '[program:postfix]'; \ + echo 'process_name = master'; \ + echo 'directory = /etc/postfix'; \ + echo 'command = /usr/sbin/postfix -c /etc/postfix start'; \ + echo 'startsecs = 0'; \ + echo 'autorestart = false'; \ + echo ''; \ + echo '[program:redis-server]'; \ + echo 'command=redis-server /etc/redis/redis.conf'; \ + echo ''; \ + echo '[program:apache2]'; \ + echo 'command=/bin/bash -c "source /etc/apache2/envvars && exec /usr/sbin/apache2 -D FOREGROUND"'; \ + echo ''; \ + echo '[program:resque]'; \ + echo 'command=/bin/bash /var/www/MISP/app/Console/worker/start.sh'; \ + echo 'user = www-data'; \ + echo 'startsecs = 0'; \ + echo 'autorestart = false'; \ + echo ''; \ + echo '[program:misp-modules]'; \ + echo 'command=/bin/bash -c "misp-modules -s -l 127.0.0.1"'; \ + echo 'user = www-data'; \ + echo 'startsecs = 0'; \ + echo 'autorestart = false'; \ +) >> /etc/supervisor/conf.d/supervisord.conf + +# Modify syslog configuration +RUN sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf + +# Add run script +# Trigger to perform first boot operations +ADD run.sh /run.sh +RUN chmod 0755 /run.sh && touch /.firstboot.tmp + +# Make a backup of /var/www/MISP to restore it to the local moint point at first boot +WORKDIR /var/www/MISP +RUN tar czpf /root/MISP.tgz . VOLUME /var/www/MISP -EXPOSE 80 443 - +EXPOSE 80 ENTRYPOINT ["/run.sh"] diff --git a/web/run.sh b/web/run.sh index bc91506..6a5ab70 100755 --- a/web/run.sh +++ b/web/run.sh 
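Review bot: The `# Replace the default salt` step generates the CakePHP salt at build time, so every container started from the same image shares one salt and anyone who can pull the image can read it out of `/var/www/MISP/app/Config/config.php`; generating it in run.sh's first-boot branch instead (`sed -i -E "s/'salt'\s=>\s'(\S+)'/'salt' => '$(openssl rand -base64 32 | tr '/' '-')'/" /var/www/MISP/app/Config/config.php`) makes it per-deployment. The composer installer check only prints `Installer corrupt` and unlinks the file, leaving it to the following `php composer-setup.php` to fail the layer, and the `installer.sig` fetch lacks `--fail`; an explicit `exit(1)` in the else branch and `curl --fail` on the signature would make the intent unambiguous. The build is otherwise unpinned (`ubuntu:bionic` by tag only, MISP checked out at whatever tag is newest at build time, `pip3 install git+…` from branch heads), so two builds of the same Dockerfile can differ and an image cannot be traced back to a MISP version. The final stage also stays root after the `USER root` in the permissions step with no later `USER`, `sudo -E apt-get` is used while already root, and `ADD run.sh /run.sh` should be `COPY run.sh /run.sh`.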
@@ -1,16 +1,151 @@ #!/bin/bash # # MISP docker startup script -# Steven Goossens - steven@teamg.be +# Xavier Mertens +# +# 2017/05/17 - Created +# 2017/05/31 - Fixed small errors +# 2019/10/17 - Use built-in mysql docker DB creation and use std env names (dafal) +# set -e -git pull /var/www/MISP -# Make MISP live +if [ -r /.firstboot.tmp ]; then + echo "Container started for the fist time. Setup might time a few minutes. Please wait..." + echo "(Details are logged in /tmp/install.log)" + export DEBIAN_FRONTEND=noninteractive + + # If the user uses a mount point restore our files + if [ ! -d /var/www/MISP/app ]; then + echo "Restoring MISP files..." + cd /var/www/MISP + tar xzpf /root/MISP.tgz + rm /root/MISP.tgz + fi + + echo "Configuring postfix" + if [ -z "$POSTFIX_RELAY_HOST" ]; then + echo "POSTFIX_RELAY_HOST is not set, please configure Postfix manually later..." + else + postconf -e "relayhost = $POSTFIX_RELAY" + fi + + # Fix timezone (adapt to your local zone) + if [ -z "$TIMEZONE" ]; then + echo "TIMEZONE is not set, please configure the local time zone manually later..." + else + echo "$TIMEZONE" > /etc/timezone + dpkg-reconfigure -f noninteractive tzdata >>/tmp/install.log + fi + + echo "Creating MySQL database" + + # Check MYSQL_HOST + if [ -z "$MYSQL_HOST" ]; then + echo "MYSQL_HOST is not set. Aborting." + exit 1 + fi + + # Waiting for DB to be ready + while ! mysqladmin ping -h"$MYSQL_HOST" --silent; do + sleep 5 + echo "Waiting for database to be ready..." + done + + # Set MYSQL_PASSWORD + if [ -z "$MYSQL_PASSWORD" ]; then + echo "MYSQL_PASSWORD is not set, use default value 'misp'" + MYSQL_PASSWORD=misp + else + echo "MYSQL_PASSWORD is set to '$MYSQL_PASSWORD'" + fi + + ret=`echo 'SHOW TABLES;' | mysql -u $MYSQL_USER --password="$MYSQL_PASSWORD" -h $MYSQL_HOST -P 3306 $MYSQL_DATABASE # 2>&1` + if [ $? -eq 0 ]; then + echo "Connected to database successfully!" 
+ found=0 + for table in $ret; do + if [ "$table" == "attributes" ]; then + found=1 + fi + done + if [ $found -eq 1 ]; then + echo "Database misp available" + else + echo "Database misp empty, creating tables ..." + ret=`mysql -u $MYSQL_USER --password="$MYSQL_PASSWORD" $MYSQL_DATABASE -h $MYSQL_HOST -P 3306 2>&1 < /var/www/MISP/INSTALL/MYSQL.sql` + if [ $? -eq 0 ]; then + echo "Imported /var/www/MISP/INSTALL/MYSQL.sql successfully" + else + echo "ERROR: Importing /var/www/MISP/INSTALL/MYSQL.sql failed:" + echo $ret + fi + fi + else + echo "ERROR: Connecting to database failed:" + echo $ret + fi + + # MISP configuration + echo "Creating MISP configuration files" + cd /var/www/MISP/app/Config + cp -a database.default.php database.php + sed -i "s/localhost/$MYSQL_HOST/" database.php + sed -i "s/db\s*login/$MYSQL_USER/" database.php + sed -i "s/8889/3306/" database.php + sed -i "s/db\s*password/$MYSQL_PASSWORD/" database.php + + # Fix the base url + if [ -z "$MISP_BASEURL" ]; then + echo "No base URL defined, don't forget to define it manually!" + else + echo "Fixing the MISP base URL ($MISP_BASEURL) ..." + sed -i "s/'baseurl' => '',/'baseurl' => '$MISP_BASEURL',/" /var/www/MISP/app/Config/config.php + fi + + # Generate the admin user PGP key + echo "Creating admin GnuPG key" + if [ -z "$MISP_ADMIN_EMAIL" -o -z "$MISP_ADMIN_PASSPHRASE" ]; then + echo "No admin details provided, don't forget to generate the PGP key manually!" + else + echo "Generating admin PGP key ... (please be patient, we need some entropy)" + cat >/tmp/gpg.tmp <>/tmp/install.log + rm -f /tmp/gpg.tmp + sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --export --armor $MISP_ADMIN_EMAIL > /var/www/MISP/app/webroot/gpg.asc + fi + + # Display tips + cat <<__WELCOME__ +Congratulations! +Your MISP docker has been successfully booted for the first time. 
+Don't forget: +- Reconfigure postfix to match your environment +- Change the MISP admin email address to $MISP_ADMIN_EMAIL + +__WELCOME__ + rm -f /.firstboot.tmp +fi + +# Make MISP live - this isn't ideal, as it means taking an instance +# non-live will make it live again if the container restarts. That seems +# better than the default which is that MISP is non-live on container restart. +# Ideally live/non-live would be persisted in the database. /var/www/MISP/app/Console/cake live 1 chown www-data:www-data /var/www/MISP/app/Config/config.php* # Start supervisord echo "Starting supervisord" cd / -exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf +exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf + diff --git a/web/sshd_config b/web/sshd_config deleted file mode 100644 index dfd41a9..0000000 --- a/web/sshd_config +++ /dev/null @@ -1,16 +0,0 @@ -# This is ssh server systemwide configuration file. -# -# /etc/sshd_config - -Port 2222 -ListenAddress 0.0.0.0 -LoginGraceTime 180 -X11Forwarding yes -Ciphers aes128-cbc,3des-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr -MACs hmac-sha1,hmac-sha1-96 -StrictModes yes -SyslogFacility DAEMON -PasswordAuthentication yes -PermitEmptyPasswords no -PermitRootLogin yes -Subsystem sftp internal-sftp
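Review bot: The base-URL fix uses `/` as the sed delimiter, but `$MISP_BASEURL` is a URL and contains `/`, so with `set -e` the first boot aborts as soon as MISP_BASEURL is set; `sed -i "s|'baseurl' => '',|'baseurl' => '$MISP_BASEURL',|" /var/www/MISP/app/Config/config.php` avoids that, and the `db\s*password` substitution into database.php breaks the same way for any `$MYSQL_PASSWORD` containing `/` or `&`. The postfix block tests `$POSTFIX_RELAY_HOST` but then writes `$POSTFIX_RELAY`, so `relayhost` is set to an empty value; it should read `postconf -e "relayhost = $POSTFIX_RELAY_HOST"`. `echo "MYSQL_PASSWORD is set to '$MYSQL_PASSWORD'"` writes the database credential into the container log, which usually ends up in central log storage; `echo "MYSQL_PASSWORD is set"` is enough. Because the script runs under `set -e`, a failing `mysql` inside the backtick assignments terminates the script before the `if [ $? -eq 0 ]` tests run, so the `ERROR: Connecting to database failed` and import-failed branches are unreachable as written. The GnuPG key-generation heredoc is not legible in this rendering and is not reviewed here.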