Refactor the whole image and allow external customization

pull/1/head
Stefano Ortolani 2023-04-13 15:02:02 +01:00
parent 8d7031e42c
commit 51075b4f37
12 changed files with 335 additions and 408 deletions


@ -29,10 +29,10 @@ Additionally, this fork features the following improvements:
- Add support for new background job system (see https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md)
- Add support for exposing locally generated resources
- Add support for building specific MISP and MISP-modules commits
- Add automatic configuration of MISP modules (see `entrypoint_internal.sh`)
- Add automatic configuration of sync servers (see `entrypoint_internal.sh`)
- Add automatic configuration of organizations (see `entrypoint_internal.sh`)
- Add autoamtic configuration of authentication keys (see `entrypoint_internal.sh`)
- Add automatic configuration of MISP modules (see `configure_misp.sh`)
- Add automatic configuration of sync servers (see `configure_misp.sh`)
- Add automatic configuration of organizations (see `configure_misp.sh`)
- Add autoamtic configuration of authentication keys (see `configure_misp.sh`)
- Add direct push of docker images to Docker Hub
- Consolidate docker compose files
@ -117,10 +117,6 @@ The `docker-compose.yml` file allows further configuration settings:
"MYSQL_USER=misp"
"MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run.
"MYSQL_DATABASE=misp"
"NOREDIR=true" # Do not redirect port 80
"DISIPV6=true" # Disable IPV6 in nginx
"CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required
"SECURESSL=true" # Enable higher security SSL in nginx
"MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
"WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead)
"NUM_WORKERS_DEFAULT=5" # To set the number of default workers


@ -42,19 +42,19 @@ services:
ports:
- "80:80"
- "443:443"
# customization
- "3030:3030"
volumes:
- "./configs/:/var/www/MISP/app/Config/"
- "./logs/:/var/www/MISP/app/tmp/logs/"
- "./files/:/var/www/MISP/app/files/"
- "./ssl/:/etc/nginx/certs/"
- "./gnupg/:/var/www/MISP/.gnupg/"
- "${PUBLIC_MOUNT_POINT}:/mnt/public/"
environment:
- "HOSTNAME=https://localhost"
- "REDIS_FQDN=redis"
- "INIT=true" # Initialze MISP, things includes, attempting to import SQL and the Files DIR
- "CRON_USER_ID=1" # The MISP user ID to run cron jobs as
# Synchronization Servers settings
- "CRON_USER_ID=1"
# sync server settings
- "SYNCSERVERS=${SYNCSERVERS}"
- "SYNCSERVERS_1_NAME=${SYNCSERVERS_1_NAME}"
- "SYNCSERVERS_1_UUID=${SYNCSERVERS_1_UUID}"
@ -66,7 +66,7 @@ services:
"pull_rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}",
"pull": true
}
# Custom Settings
# standard settings
- "ADMIN_EMAIL=${ADMIN_EMAIL}"
- "ADMIN_KEY=${ADMIN_KEY}"
- "ADMIN_ORG=${ADMIN_ORG}"
@ -75,6 +75,7 @@ services:
- "NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}"
- "ORGANIZATIONS=${ORGANIZATIONS}"
- "VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}"
misp-modules:
image: ostefano/misp-docker:modules-latest
build:
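Review bot: The new `"${PUBLIC_MOUNT_POINT}:/mnt/public/"` volume entry has no fallback, so when the variable is not set in the environment or `.env`, compose expands it to `:/mnt/public/` and rejects the file as an invalid volume specification; `- "${PUBLIC_MOUNT_POINT:-./public}:/mnt/public/"` keeps the compose file usable out of the box. The `3030:3030` mapping under `# customization` is not explained; since every published port widens what the host exposes, a comment naming which service listens on 3030 (and whether it is needed outside the compose network) would help reviewers and operators. The hunk's old/new sides are not fully recoverable from this rendering, so which of these lines are additions is inferred from the surrounding context.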


@ -25,7 +25,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
RUN if [ ! -z ${MODULES_COMMIT} ]; then \
git clone https://github.com/MISP/misp-modules.git /srv/misp-modules && cd /srv/misp-modules && git checkout ${MODULES_COMMIT}; \
else git clone --branch ${MODULES_TAG} --depth 1 https://github.com/MISP/misp-modules.git /srv/misp-modules; fi
RUN cd /srv/misp-modules || exit; sed -i 's/-e //g' REQUIREMENTS; pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/
RUN cd /srv/misp-modules; \
echo "pyeti" >> REQUIREMENTS; \
echo "git+https://github.com/abenassi/Google-Search-API" >> REQUIREMENTS; \
sed -i 's/-e //g' REQUIREMENTS; \
pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/
RUN git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup; \
cd /srv/faup/build || exit; cmake .. && make install; \
@ -56,4 +60,12 @@ RUN pip install --use-deprecated=legacy-resolver /wheel/*.whl; ldconfig
RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \
/usr/local/lib/python3.9/site-packages/pyfaup/__init__.py
# Remove double logging
RUN sed -i "/logging.basicConfig/d" \
/usr/local/lib/python3.9/site-packages/apiosintDS/apiosintDS.py; \
sed -i "/logging.basicConfig/d" \
/usr/local/lib/python3.9/site-packages/apiosintDS/modules/dosearch.py; \
sed -i "/logging.basicConfig/d" \
/usr/local/lib/python3.9/site-packages/apiosintDS/modules/listutils.py
ENTRYPOINT [ "/usr/local/bin/misp-modules", "-l", "0.0.0.0"]
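Review bot: The rewritten `RUN cd /srv/misp-modules; \` drops the `|| exit` guard the previous line carried, so if the `cd` fails the two `echo ... >> REQUIREMENTS` lines create a stray REQUIREMENTS in the working directory and the wheel build proceeds against it instead of failing; restore `RUN cd /srv/misp-modules || exit 1; \`. The appended `git+https://github.com/abenassi/Google-Search-API` is unpinned, so each build fetches whatever that third-party repository's default branch holds at build time and the image cannot be reproduced or audited later; pin it to a revision, `git+https://github.com/abenassi/Google-Search-API@<COMMIT_SHA>` (placeholder). The same applies to `pyeti`, which is at least resolved from the package index but still floats.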


@ -7,11 +7,13 @@ FROM "${DOCKER_HUB_PROXY}composer:2.1.14" as composer-build
RUN composer install --ignore-platform-reqs && \
composer require jakub-onderka/openid-connect-php:1.0.0-rc1 --ignore-platform-reqs && \
composer require --with-all-dependencies supervisorphp/supervisor:^4.0 \
guzzlehttp/guzzle php-http/message lstrojny/fxmlrpc --ignore-platform-reqs
guzzlehttp/guzzle php-http/message lstrojny/fxmlrpc --ignore-platform-reqs && \
composer require --with-all-dependencies elasticsearch/elasticsearch:^8.7.0 aws/aws-sdk-php --ignore-platform-reqs
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build
RUN apt-get update; apt-get install -y --no-install-recommends \
gcc \
g++ \
make \
libfuzzy-dev \
ca-certificates \
@ -19,13 +21,13 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build
php-dev \
php-pear \
librdkafka-dev \
libsimdjson-dev \
git \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
RUN pecl channel-update pecl.php.net
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka && pecl install simdjson
RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
RUN apt-get update; apt-get install -y --no-install-recommends \
@ -78,7 +80,7 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
cd pydeep || exit; python3 setup.py bdist_wheel -d /wheels
# Grab other modules we need
RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief
RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief==0.12.3
# Remove extra packages due to incompatible requirements.txt files
WORKDIR /wheels
@ -125,6 +127,7 @@ ARG PHP_VER
php-zip \
librdkafka1 \
libbrotli1 \
libsimdjson5 \
# Unsure we need these
zip unzip \
# Require for advanced an unattended configuration
@ -136,7 +139,7 @@ ARG PHP_VER
RUN if [ ! -z ${MISP_COMMIT} ]; then \
git clone https://github.com/MISP/MISP.git /var/www/MISP && cd /var/www/MISP && git checkout ${MISP_COMMIT}; \
else git clone --branch ${MISP_TAG} --depth 1 https://github.com/MISP/MISP.git /var/www/MISP; fi
RUN cd /var/www/MISP/app || exit; git submodule update --init --recursive .; \
RUN cd /var/www/MISP; git submodule update --init --recursive .; cd /var/www/MISP/app; \
# Remove some old and broken links that pollute the log files
rm -rf /var/www/MISP/INSTALL/old
@ -149,24 +152,21 @@ ARG PHP_VER
COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so
COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so
COPY --from=php-build /usr/lib/php/${PHP_VER}/brotli.so /usr/lib/php/${PHP_VER}/brotli.so
COPY --from=php-build /usr/lib/php/${PHP_VER}/simdjson.so /usr/lib/php/${PHP_VER}/simdjson.so
COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor
COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin
RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka
RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli
RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done \
;phpenmod redis \
# Enable ssdeep we build earlier
;phpenmod ssdeep
RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done; phpenmod ssdeep
RUN for dir in /etc/php/*; do echo "extension=simdjson.so" > "$dir/mods-available/simdjson.ini"; done; phpenmod simdjson
RUN phpenmod redis
# nginx
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
COPY files/etc/nginx/misp80-noredir /etc/nginx/sites-available/misp80-noredir
# Make a copy of the file store, so we can sync from it
RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
@ -174,10 +174,18 @@ ARG PHP_VER
# Make a copy of the configurations, so we can sync from it
RUN cp -R /var/www/MISP/app/Config /var/www/MISP/app/Config.dist
# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions
RUN find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
RUN find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
RUN find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} +
# Entrypoints
COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/10-supervisor.conf
COPY files/etc/supervisor/workers.conf /etc/supervisor/conf.d/50-workers.conf
COPY files/entrypoint_internal.sh /
COPY files/var/www/html/index.php /var/www/html/index.php
COPY files/configure_misp.sh /
COPY files/entrypoint_fpm.sh /
COPY files/entrypoint_nginx.sh /
COPY files/entrypoint_cron.sh /
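Review bot: In the `RUN cd /var/www/MISP; git submodule update --init --recursive .; cd /var/www/MISP/app; \` line the commands are joined with `;` and neither `cd` keeps the `|| exit` the old line had, so a failed submodule update or a wrong path no longer fails the build and the following `rm -rf` runs from an unintended directory; `RUN cd /var/www/MISP || exit 1; git submodule update --init --recursive . || exit 1; cd /var/www/MISP/app || exit 1; \` preserves the old fail-fast behaviour. In the composer-build hunk, `aws/aws-sdk-php` is added without a version constraint while its neighbour `elasticsearch/elasticsearch:^8.7.0` has one, so its major version will float between builds; a constraint such as `aws/aws-sdk-php:^3` (constructed example, confirm the intended major) keeps the image reproducible. The `chown`/`chmod` lines in the last hunk cannot be assigned to a side from this rendering; if they were removed, make sure the permission enforcement now done at runtime covers the whole tree, since the entrypoint's `enforce_misp_data_permissions` appears to handle only `app/tmp`.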


@ -2,6 +2,39 @@
[ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
init_misp_configuration(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring default settings"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3)
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
}
init_misp_workers(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring background workers"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
echo "... starting background workers"
supervisorctl start misp-workers:*
}
init_gnupg() {
GPG_DIR=/var/www/MISP/.gnupg
@ -9,7 +42,7 @@ init_gnupg() {
GPG_TMP=/tmp/gpg.tmp
if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then
echo "Generating GPG key ... (please be patient, we need some entropy)"
echo "... generating new GPG key in ${GPG_DIR}"
cat >${GPG_TMP} <<GPGEOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
@ -25,7 +58,7 @@ GPGEOF
gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP}
rm -f ${GPG_TMP}
else
echo "Using pre-generated GPG key in ${GPG_DIR}"
echo "... found pre-generated GPG key in ${GPG_DIR}"
fi
# Fix permissions
@ -34,10 +67,10 @@ GPGEOF
find ${GPG_DIR} -type d -exec chmod 700 {} \;
if [ ! -f ${GPG_ASC} ]; then
echo "Exporting GPG key ..."
echo "... exporting GPG key"
sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${ADMIN_EMAIL} > ${GPG_ASC}
else
echo "Found exported key ${GPG_ASC}"
echo "... found exported key ${GPG_ASC}"
fi
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "${ADMIN_EMAIL}"
@ -64,14 +97,14 @@ init_user() {
echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD}
fi
if [ ! -z "$ADMIN_KEY" ]; then
echo "Customize MISP | Setting admin key to '${ADMIN_KEY}'"
echo "... setting admin key to '${ADMIN_KEY}'"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
else
echo "Customize MISP | Regenerating admin key"
echo "... regenerating admin key"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
fi
ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'`
echo "Customize MISP | Admin user key set to '${ADMIN_KEY}'"
echo "... admin user key set to '${ADMIN_KEY}'"
}
apply_critical_fixes() {
@ -81,9 +114,19 @@ apply_critical_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_popover_only" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"rest_client_baseurl\": \"${HOSTNAME}\"
}
}" > /dev/null
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": \"\"
}
}" > /dev/null
}
apply_custom_settings() {
apply_optional_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_top" ""
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_bottom" ""
@ -99,9 +142,9 @@ apply_custom_settings() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 5
}
configure_plugins() {
configure_optional_plugins() {
if [ ! -z "$VIRUSTOTAL_KEY" ]; then
echo "Customize MISP | Enabling 'virustotal' module ..."
echo "... enabling 'virustotal' module ..."
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Plugin\": {
\"Enrichment_virustotal_enabled\": true,
@ -111,7 +154,7 @@ configure_plugins() {
fi
if [ ! -z "$VIRUSTOTAL_KEY" ] && [ ! -z "$NSX_ANALYSIS_KEY" ] && [ ! -z "$NSX_ANALYSIS_API_TOKEN" ] && [ ! -z "$ADMIN_KEY" ]; then
echo "Customize MISP | Enabling 'vmware_nsx' module ..."
echo "... enabling 'vmware_nsx' module ..."
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Plugin\": {
\"Enrichment_vmware_nsx_enabled\": true,
@ -127,56 +170,12 @@ configure_plugins() {
fi
}
configure_email() {
sudo -u www-data tee /var/www/MISP/app/Config/email.php > /dev/null <<EOT
<?php
class EmailConfig {
public \$default = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$smtp = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$fast = array(
'from' => 'misp-dev@admin.test',
'sender' => null,
'to' => null,
'cc' => null,
'bcc' => null,
'replyTo' => null,
'readReceipt' => null,
'returnPath' => null,
'messageId' => true,
'subject' => null,
'message' => null,
'headers' => null,
'viewRender' => null,
'template' => false,
'layout' => false,
'viewVars' => null,
'attachments' => null,
'emailFormat' => null,
'transport' => 'Smtp',
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => true,
);
}
EOT
updateComponents() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
}
add_organization() {
@ -196,7 +195,7 @@ get_organization() {
curl -s --show-error -k \
-H "Authorization: ${ADMIN_KEY}" \
-H "Accept: application/json" \
-H "Content-type: application/json" ${HOSTNAME}/organisations/view/${1} | jq -e -r ".Organisation.id"
-H "Content-type: application/json" ${HOSTNAME}/organisations/view/${1} | jq -e -r ".Organisation.id // empty"
}
add_server() {
@ -214,54 +213,58 @@ get_server() {
-H "Content-type: application/json" ${HOSTNAME}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${1}\") | .Server.id"
}
updateComponents() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
create_organizations() {
SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n')
for ORG in $SPLITTED_ORGS; do
ORG_ID=$(get_organization ${ORG})
if [[ -z $ORG_ID ]]; then
echo "... adding organization: $ORG"
add_organization $ORG true
else
echo "... organization $ORG already exists"
fi
done
}
echo "Customize MISP | Configure email ..." && configure_email
create_sync_servers() {
SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
for ID in $SPLITTED_SYNCSERVERS; do
NAME="SYNCSERVERS_${ID}_NAME"
UUID="SYNCSERVERS_${ID}_UUID"
DATA="SYNCSERVERS_${ID}_DATA"
KEY="SYNCSERVERS_${ID}_KEY"
if ! get_server ${!NAME}; then
echo "... configuring sync server ${!NAME}..."
add_organization ${!NAME} false ${!UUID}
ORG_ID=$(get_organization ${!UUID})
DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY} '. + {remote_org_id: $org_id, name: $name, authkey: $key}')
add_server "$DATA"
fi
done
}
echo "Customize MISP | Configure GPG key ..." && init_gnupg
echo "Customize MISP | Running updates ..." && apply_updates
echo "MISP | Initialize configuration ..." && init_misp_configuration
echo "Customize MISP | Init default user and organization ..." && init_user
echo "MISP | Initialize workers ..." && init_misp_workers
echo "Customize MISP | Resolve critical issues ..." && apply_critical_fixes
echo "MISP | Configure GPG key ..." && init_gnupg
echo "Customize MISP | Customize installation ..." && apply_custom_settings
echo "MISP | Running updates ..." && apply_updates
# This item last so we had a chance to create the ADMIN_KEY if not specified
echo "Customize MISP | Configure plugins ..." && configure_plugins
echo "MISP | Init default user and organization ..." && init_user
# Create organizations (and silently fail if present already)
echo "Customize MISP | Creating organizations ..."
SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n')
for ORG in $SPLITTED_ORGS; do
echo "Adding organization: $ORG"
add_organization $ORG true
done
echo "MISP | Resolve critical issues ..." && apply_critical_fixes
echo "Customize MISP | Creating sync servers ..."
SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
for ID in $SPLITTED_SYNCSERVERS; do
NAME="SYNCSERVERS_${ID}_NAME"
UUID="SYNCSERVERS_${ID}_UUID"
DATA="SYNCSERVERS_${ID}_DATA"
KEY="SYNCSERVERS_${ID}_KEY"
if ! get_server ${!NAME}; then
echo "Customize MISP | Configuring sync server ${!NAME}..."
add_organization ${!NAME} false ${!UUID}
ORG_ID=$(get_organization ${!UUID})
DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY} '. + {remote_org_id: $org_id, name: $name, authkey: $key}')
add_server "$DATA"
fi
done
echo "MISP | Resolve non-critical issues ..." && apply_optional_fixes
echo "Customize MISP | Updating components ..." && updateComponents
echo "MISP | Creating organizations ..." && create_organizations
# Make the instance live
echo "MISP | Creating sync servers ..." && create_sync_servers
echo "MISP | Updating components ..." && updateComponents
echo "MISP | Configure plugins with newly generate admin key ..." && configure_optional_plugins
echo "MISP | Marking instance live"
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
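Review bot: The reworded lines `echo "... setting admin key to '${ADMIN_KEY}'"` and `echo "... admin user key set to '${ADMIN_KEY}'"` in `init_user` print the administrator API key in clear to stdout, where it lands in the container logs and any log shipper; since this key grants full admin access to the instance, log only the action, `echo "... setting admin key from ADMIN_KEY"` and `echo "... admin user key set"`. The new `modify_config.php modify` call in `apply_critical_fixes` that sets `"auth": ""` has no comment saying why the `Security.auth` value is blanked; a one-line comment such as `# reset Security.auth so no auth plugin list from an earlier run is carried over` (presumed intent, confirm) would make the change reviewable. `create_sync_servers` passes `${!NAME}` and `${!UUID}` unquoted to `get_server`, `add_organization` and `get_organization`, so a server name containing whitespace is split into several arguments; quoting them, `"${!NAME}"` and `"${!UUID}"`, avoids that.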


@ -19,9 +19,9 @@ change_php_vars() {
done
}
echo "Configure PHP | Change PHP values ..." && change_php_vars
echo "Configure PHP | Change PHP values ..." && change_php_vars
echo "Starting PHP FPM"
echo "Configure PHP | Starting PHP FPM"
/usr/sbin/php-fpm7.4 -R -F & master_pid=$!
# Wait for it


@ -8,80 +8,13 @@ term_proc() {
trap term_proc SIGTERM
MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
[ -z "$MYSQL_HOST" ] && MYSQL_HOST=db
[ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306
[ -z "$MYSQL_USER" ] && MYSQL_USER=misp
[ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example
[ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp
[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
[ -z "$MYSQLCMD" ] && MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
[ -z "$MYSQLCMD" ] && export MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
ENTRYPOINT_PID_FILE="/entrypoint_apache.install"
[ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE
init_misp_config(){
[ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
[ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
[ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
[ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
[ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
[ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
echo "Configure MISP | Set DB User, Password and Host in database.php"
sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
}
init_misp_defaults(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "Configure sane defaults"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3)
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
}
init_misp_workers(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "Configuring background workers"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
echo "Starting background workers"
supervisorctl start misp-workers:*
}
init_misp_files(){
if [ ! -f /var/www/MISP/app/files/INIT ]; then
cp -R /var/www/MISP/app/files.dist/* /var/www/MISP/app/files
touch /var/www/MISP/app/files/INIT
fi
}
init_ssl() {
if [[ (! -f /etc/nginx/certs/cert.pem) || (! -f /etc/nginx/certs/key.pem) ]];
then
cd /etc/nginx/certs
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
fi
}
init_mysql(){
# Test when MySQL is ready....
@ -99,137 +32,209 @@ init_mysql(){
RETRY=100
until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do
echo "Waiting for database to come up"
echo "... waiting for database to come up"
sleep 5
RETRY=$(( RETRY - 1))
done
if [ $RETRY -le 0 ]; then
>&2 echo "Error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT"
>&2 echo "... error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT"
exit 1
fi
if [ $(isDBinitDone) -eq 0 ]; then
echo "Database has already been initialized"
echo "... database has already been initialized"
else
echo "Database has not been initialized, importing MySQL scheme..."
echo "... database has not been initialized, importing MySQL scheme..."
$MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
fi
}
sync_files(){
init_misp_data_files(){
# Init config (shared with host)
echo "... initializing configuration files"
MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
[ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
[ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
[ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
[ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
[ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
[ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
echo "... initializing database.php settings"
sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
echo "... initializing email.php settings"
sudo -u www-data tee /var/www/MISP/app/Config/email.php > /dev/null <<EOT
<?php
class EmailConfig {
public \$default = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$smtp = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$fast = array(
'from' => 'misp-dev@admin.test',
'sender' => null,
'to' => null,
'cc' => null,
'bcc' => null,
'replyTo' => null,
'readReceipt' => null,
'returnPath' => null,
'messageId' => true,
'subject' => null,
'message' => null,
'headers' => null,
'viewRender' => null,
'template' => false,
'layout' => false,
'viewVars' => null,
'attachments' => null,
'emailFormat' => null,
'transport' => 'Smtp',
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => true,
);
}
EOT
# Init files (shared with host)
echo "... initializing app files"
MISP_APP_FILES_PATH=/var/www/MISP/app/files
if [ ! -f ${MISP_APP_FILES_PATH}/INIT ]; then
cp -R ${MISP_APP_FILES_PATH}.dist/* ${MISP_APP_FILES_PATH}
touch ${MISP_APP_FILES_PATH}/INIT
fi
}
update_misp_data_files(){
for DIR in $(ls /var/www/MISP/app/files.dist); do
echo "... rsync -azh --delete \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
done
}
# Ensure SSL certs are where we expect them, for backward comparibility See issue #53
for CERT in cert.pem dhparams.pem key.pem; do
echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"
if [[ ! -f "/etc/nginx/certs/$CERT" && -f "/etc/ssl/certs/$CERT" ]]; then
WARNING53=true
cp /etc/ssl/certs/$CERT /etc/nginx/certs/$CERT
enforce_misp_data_permissions(){
echo "... chown -R www-data:www-data /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 770 -type d -exec chmod 0770 {} +
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp" && chmod -R u+w,g+w /var/www/MISP/app/tmp
echo "... chown -R www-data:www-data /var/www/MISP/app/files" && find /var/www/MISP/app/files \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 770 -type d -exec chmod 0770 {} +
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
echo "... chmod -R u+w,g+w /var/www/MISP/app/files" && chmod -R u+w,g+w /var/www/MISP/app/files
echo "... chown -R www-data:www-data /var/www/MISP/app/Config" && find /var/www/MISP/app/Config \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP/app/Config ..." && find /var/www/MISP/app/Config -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP/app/Config" && find /var/www/MISP/app/Config -not -perm 770 -type d -exec chmod 0770 {} +
# We make configuration files read only
echo "... chmod 600 /var/www/MISP/app/Config/{config,database,email}.php" && chmod 600 /var/www/MISP/app/Config/{config,database,email}.php
}
flip_nginx() {
local live="$1";
local reload="$2";
if [[ "$live" = "true" ]]; then
NGINX_DOC_ROOT=/var/www/MISP/app/webroot
elif [[ -x /custom/files/var/www/html/index.php ]]; then
NGINX_DOC_ROOT=/custom/files/var/www/html/
else
NGINX_DOC_ROOT=/var/www/html/
fi
done
# Things we should do when we have the INITIALIZE Env Flag
if [[ "$INIT" == true ]]; then
echo "Setup MySQL..." && init_mysql
echo "Setup MISP files dir..." && init_misp_files
echo "Ensure SSL certs exist..." && init_ssl
fi
# must be valid for all roots
echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
# Things we should do if we're configuring MISP via ENV
echo "Configure MISP | Initialize misp base config..." && init_misp_config
if [[ "$reload" = "true" ]]; then
echo "... nginx reloaded"
nginx -s reload
fi
}
echo "Configure MISP | Sync app files..." && sync_files
init_nginx() {
if [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
echo "... enabling port 80 redirect"
ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
else
echo "... port 80 already configured"
fi
echo "Configure MISP | Enforce permissions ..."
# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions
echo "... chown -R www-data:www-data /var/www/MISP ..." && find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP ..." && find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP ..." && find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} +
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp ..." && chmod -R u+w,g+w /var/www/MISP/app/tmp
echo "... chmod -R u+w,g+w /var/www/MISP/app/files ..." && chmod -R u+w,g+w /var/www/MISP/app/files
# We also make other special files writable (should be 660)
echo "... chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php ... " && chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php
if [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
echo "... enabling port 443"
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
else
echo "... port 443 already configured"
fi
if [[ ! -f /etc/nginx/certs/cert.pem || ! -f /etc/nginx/certs/key.pem ]]; then
echo "... generating new self-signed TLS certificate"
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout /etc/nginx/certs/key.pem -out /etc/nginx/certs/cert.pem -days 365
else
echo "... TLS certificates found"
fi
if [[ ! -f /etc/nginx/certs/dhparams.pem ]]; then
echo "... generating new DH parameters"
openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
else
echo "... DH parameters found"
fi
# Configuring defaults now
echo "Configure MISP | Setting defaults ..." && init_misp_defaults
flip_nginx false false
}
# Workers are set to NOT auto start so we have time to enforce permissions on the cache first
echo "Configure MISP | Starting workers ..." && init_misp_workers
# Work around https://github.com/MISP/MISP/issues/5608
if [[ ! -f /var/www/MISP/PyMISP/pymisp/data/describeTypes.json ]]; then
mkdir -p /var/www/MISP/PyMISP/pymisp/data/
ln -s /usr/local/lib/python3.9/dist-packages/pymisp/data/describeTypes.json /var/www/MISP/PyMISP/pymisp/data/describeTypes.json
fi
# Initialize MySQL
echo "INIT | Initialize MySQL ..." && init_mysql
if [[ ! -L "/etc/nginx/sites-enabled/misp80" && "$NOREDIR" == true ]]; then
echo "Configure NGINX | Disabling Port 80 Redirect"
ln -s /etc/nginx/sites-available/misp80-noredir /etc/nginx/sites-enabled/misp80
elif [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
echo "Configure NGINX | Enable Port 80 Redirect"
ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
else
echo "Configure NGINX | Port 80 already configured"
fi
if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then
echo "Configure NGINX | Using Secure SSL"
ln -s /etc/nginx/sites-available/misp-secure /etc/nginx/sites-enabled/misp
elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
echo "Configure NGINX | Using Standard SSL"
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
else
echo "Configure NGINX | SSL already configured"
fi
if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then
echo "Configure NGINX | Building dhparams.pem"
openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
fi
if [[ $CERTAUTH = @(optional|on) ]]; then
echo "Configure NGINX | Enabling SSL Cert Authentication"
grep -qF "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
grep -qF "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a \\ ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a \\ ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp
echo "Configure bootstrap | Enabling Cert Auth Plugin - Don't forget to configure it https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth (Step 2)"
sed -i "s/\/\/ CakePlugin::load('CertAuth');/CakePlugin::load('CertAuth');/" $MISP_APP_CONFIG_PATH/bootstrap.php
fi
if [[ "$DISIPV6" == true ]]; then
echo "Configure NGINX | Disabling IPv6"
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp
fi
# delete pid file
[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
if [[ "$WARNING53" == true ]]; then
echo "WARNING - WARNING - WARNING"
echo "The SSL certs have moved. You currently have them mounted to /etc/ssl/certs."
echo "This needs to be changed to /etc/nginx/certs."
echo "See: https://github.com/coolacid/docker-misp/issues/53"
echo "WARNING - WARNING - WARNING"
fi
if [[ -x /entrypoint_internal.sh ]]; then
export MYSQLCMD=${MYSQLCMD}
nginx -g 'daemon off;' & master_pid=$!
/entrypoint_internal.sh
kill -TERM "$master_pid" 2>/dev/null
fi
# Start NGINX
# Initialize NGINX
echo "INIT | Initialize NGINX ..." && init_nginx
nginx -g 'daemon off;' & master_pid=$!
# Initialize MISP
echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
echo "INIT | Updating MISP app/files directory ..." && update_misp_data_files
echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
echo "INIT | Flipping NGINX live ..." && flip_nginx true true
# Run configure MISP script
echo "INIT | Configuring MISP installation ..."
/configure_misp.sh
if [[ -x /custom/files/customize_misp.sh ]]; then
echo "INIT | Customizing MISP installation ..."
/custom/files/customize_misp.sh
fi
# Wait for it
wait "$master_pid"


@ -1,12 +1,14 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# define the root dir
root /var/www/MISP/app/webroot;
index index.php;
client_max_body_size 50M;
# Disable access logs
# disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
@ -27,7 +29,7 @@ server {
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN;
# Aded headers for hardening browser security
# added headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
@ -36,17 +38,9 @@ server {
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
# remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location /public {
root /mnt;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
location / {
try_files $uri $uri/ /index.php$is_args$query_string;
}
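Review bot: The new `# define the root dir` comment above `root /var/www/MISP/app/webroot;` does not say that this directive is rewritten at container start: the entrypoint's flip_nginx runs `sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp`, so the value checked in here is only the initial one and a hand edit will be overwritten on the next start. Suggest `# root dir; rewritten at startup by flip_nginx in the entrypoint (sed on this line), do not edit by hand`. Separately, the context line `add_header X-Frame-Options SAMEORIGIN;` next to the HSTS header appears to duplicate the `add_header X-Frame-Options "SAMEORIGIN" always;` of the hardening block below it (the pair is visible in the deleted misp-secure copy of the same block); if this file carries the same pair, the header is emitted twice and the first one should be dropped. The server block continues outside the hunks.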


@ -1,57 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /var/www/MISP/app/webroot;
index index.php;
client_max_body_size 50M;
# Disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# enable HSTS
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN;
# Aded headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location /public {
root /mnt;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
location / {
try_files $uri $uri/ /index.php$is_args$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_read_timeout 300;
}
}


@ -1,35 +0,0 @@
server {
listen 80;
listen [::]:80;
root /var/www/MISP/app/webroot;
index index.php;
client_max_body_size 50M;
# Disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
# Aded headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location / {
try_files $uri $uri/ /index.php$is_args$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_read_timeout 300;
}
}


@ -0,0 +1,3 @@
<html>
MISP is loading...
</html>
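Review bot: The new placeholder page has no doctype, `<head>`, title or charset declaration, so browsers render it in quirks mode and have to guess the encoding. Adding `<!DOCTYPE html>` before `<html>` and `<head><meta charset="utf-8"><title>MISP</title></head>` after it fixes both; a `<meta http-equiv="refresh" content="10">` in the same head would let the page re-check on its own once flip_nginx switches the docroot. This appears to be the file served from the `/var/www/html/` docroot that flip_nginx selects before MISP is live, but the nginx config that maps it is not in this hunk.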


@ -1,5 +1,5 @@
MISP_TAG=v2.4.169
MODULES_TAG=v2.4.169
MISP_TAG=v2.4.170
MODULES_TAG=v2.4.170
PHP_VER=20190902
# MISP_COMMIT takes precedence over MISP_TAG
# MISP_COMMIT=c56d537
@ -38,6 +38,3 @@ SYNCSERVERS_1_KEY=
# comma separated list of organizations to create (e.g. ORGANIZATIONS="ORG1, ORG2, ORG3")
ORGANIZATIONS=
# host folder containing public files generated by external tools
PUBLIC_MOUNT_POINT=./public