From 51075b4f37921de865177a101c09fc1f22d146ed Mon Sep 17 00:00:00 2001 From: Stefano Ortolani Date: Thu, 13 Apr 2023 15:02:02 +0100 Subject: [PATCH] Refactor the whole image and allow external customization --- README.md | 12 +- docker-compose.yml | 11 +- modules/Dockerfile | 14 +- server/Dockerfile | 34 +- ...trypoint_internal.sh => configure_misp.sh} | 203 +++++----- server/files/entrypoint_fpm.sh | 4 +- server/files/entrypoint_nginx.sh | 347 +++++++++--------- server/files/etc/nginx/misp | 16 +- server/files/etc/nginx/misp-secure | 57 --- server/files/etc/nginx/misp80-noredir | 35 -- server/files/var/www/html/index.php | 3 + template.env | 7 +- 12 files changed, 335 insertions(+), 408 deletions(-) rename server/files/{entrypoint_internal.sh => configure_misp.sh} (56%) delete mode 100644 server/files/etc/nginx/misp-secure delete mode 100644 server/files/etc/nginx/misp80-noredir create mode 100644 server/files/var/www/html/index.php diff --git a/README.md b/README.md index 99845da..d2678f7 100644 --- a/README.md +++ b/README.md 
@@ -29,10 +29,10 @@ Additionally, this fork features the following improvements: - Add support for new background job system (see https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md) - Add support for exposing locally generated resources - Add support for building specific MISP and MISP-modules commits -- Add automatic configuration of MISP modules (see `entrypoint_internal.sh`) -- Add automatic configuration of sync servers (see `entrypoint_internal.sh`) -- Add automatic configuration of organizations (see `entrypoint_internal.sh`) -- Add autoamtic configuration of authentication keys (see `entrypoint_internal.sh`) +- Add automatic configuration of MISP modules (see `configure_misp.sh`) +- Add automatic configuration of sync servers (see `configure_misp.sh`) +- Add automatic configuration of organizations (see `configure_misp.sh`) +- Add autoamtic configuration of authentication keys (see `configure_misp.sh`) - Add direct push of docker images to Docker Hub - Consolidate docker compose files @@ -117,10 +117,6 @@ The `docker-compose.yml` file allows further configuration settings: "MYSQL_USER=misp" "MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. "MYSQL_DATABASE=misp" -"NOREDIR=true" # Do not redirect port 80 -"DISIPV6=true" # Disable IPV6 in nginx -"CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required -"SECURESSL=true" # Enable higher security SSL in nginx "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url "WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead) "NUM_WORKERS_DEFAULT=5" # To set the number of default workers diff --git a/docker-compose.yml b/docker-compose.yml index aca52f4..8592eab 100644 --- a/docker-compose.yml 
+++ b/docker-compose.yml @@ -42,19 +42,19 @@ services: ports: - "80:80" - "443:443" + # customization + - "3030:3030" volumes: - "./configs/:/var/www/MISP/app/Config/" - "./logs/:/var/www/MISP/app/tmp/logs/" - "./files/:/var/www/MISP/app/files/" - "./ssl/:/etc/nginx/certs/" - "./gnupg/:/var/www/MISP/.gnupg/" - - "${PUBLIC_MOUNT_POINT}:/mnt/public/" environment: - "HOSTNAME=https://localhost" - "REDIS_FQDN=redis" - - "INIT=true" # Initialze MISP, things includes, attempting to import SQL and the Files DIR - - "CRON_USER_ID=1" # The MISP user ID to run cron jobs as - # Synchronization Servers settings + - "CRON_USER_ID=1" + # sync server settings - "SYNCSERVERS=${SYNCSERVERS}" - "SYNCSERVERS_1_NAME=${SYNCSERVERS_1_NAME}" - "SYNCSERVERS_1_UUID=${SYNCSERVERS_1_UUID}" @@ -66,7 +66,7 @@ services: "pull_rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}", "pull": true } - # Custom Settings + # standard settings - "ADMIN_EMAIL=${ADMIN_EMAIL}" - "ADMIN_KEY=${ADMIN_KEY}" - "ADMIN_ORG=${ADMIN_ORG}" @@ -75,6 +75,7 @@ services: - "NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}" - "ORGANIZATIONS=${ORGANIZATIONS}" - "VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}" + misp-modules: image: ostefano/misp-docker:modules-latest build: diff --git a/modules/Dockerfile b/modules/Dockerfile index 449dab3..2fbcf95 100644 --- a/modules/Dockerfile +++ b/modules/Dockerfile 
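Review bot: The added `- "3030:3030"` publishes a new port on every host interface, and nothing in this hunk shows which process listens on it; the nginx site file is changed in this commit (`server/files/etc/nginx/misp`, 16 lines in the diffstat) but is not on this page, so the listener is presumably defined there. If 3030 is the local customization endpoint the comment hints at, binding it to loopback until an external consumer is known, `- "127.0.0.1:3030:3030"`, keeps it off the network by default, and naming the listener in the comment, `# customization: <what listens on 3030>`, replaces the bare `# customization`. The same hunk removes the `${PUBLIC_MOUNT_POINT}` volume and the `INIT=true` variable, so any documentation or script branch that still references them should be checked in the same change.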
@@ -25,7 +25,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ RUN if [ ! -z ${MODULES_COMMIT} ]; then \ git clone https://github.com/MISP/misp-modules.git /srv/misp-modules && cd /srv/misp-modules && git checkout ${MODULES_COMMIT}; \ else git clone --branch ${MODULES_TAG} --depth 1 https://github.com/MISP/misp-modules.git /srv/misp-modules; fi - RUN cd /srv/misp-modules || exit; sed -i 's/-e //g' REQUIREMENTS; pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/ + RUN cd /srv/misp-modules; \ + echo "pyeti" >> REQUIREMENTS; \ + echo "git+https://github.com/abenassi/Google-Search-API" >> REQUIREMENTS; \ + sed -i 's/-e //g' REQUIREMENTS; \ + pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/ RUN git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup; \ cd /srv/faup/build || exit; cmake .. && make install; \ @@ -56,4 +60,12 @@ RUN pip install --use-deprecated=legacy-resolver /wheel/*.whl; ldconfig RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \ /usr/local/lib/python3.9/site-packages/pyfaup/__init__.py +# Remove double logging +RUN sed -i "/logging.basicConfig/d" \ + /usr/local/lib/python3.9/site-packages/apiosintDS/apiosintDS.py; \ + sed -i "/logging.basicConfig/d" \ + /usr/local/lib/python3.9/site-packages/apiosintDS/modules/dosearch.py; \ + sed -i "/logging.basicConfig/d" \ + /usr/local/lib/python3.9/site-packages/apiosintDS/modules/listutils.py + ENTRYPOINT [ "/usr/local/bin/misp-modules", "-l", "0.0.0.0"] diff --git a/server/Dockerfile b/server/Dockerfile index 2b94e7e..fa5d0d4 100644 --- a/server/Dockerfile +++ b/server/Dockerfile 
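Review bot: The new `RUN cd /srv/misp-modules; \` drops the `|| exit` guard the replaced line had, so if the clone directory is missing the two `echo ... >> REQUIREMENTS` lines create a REQUIREMENTS file in whatever the current WORKDIR is and `pip3 wheel` runs against that instead of failing the build; `RUN cd /srv/misp-modules || exit 1; \` keeps the fail-fast behaviour. The same guard is dropped in `server/Dockerfile` at `@@ -136,7 +139,7 @@` (`RUN cd /var/www/MISP; git submodule update ...`). Separately, `git+https://github.com/abenassi/Google-Search-API` and `pyeti` are appended without a commit or version, so every build resolves whatever that branch and PyPI currently serve and the resulting wheels cannot be reproduced or reviewed once; pinning them, `git+https://github.com/abenassi/Google-Search-API@<commit-sha>` and `pyeti==<version>` (placeholders, fill in the revisions the image was tested with), closes that.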
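Review bot: The three `sed -i "/logging.basicConfig/d"` edits hard-code `/usr/local/lib/python3.9/site-packages/apiosintDS/...`, mirroring the existing pyfaup line above them, so a base-image Python bump fails the build on a missing file, and they patch a vendored third-party package in place without recording which apiosintDS release the patch was written against. Resolving the directory once, `APIOSINTDS_DIR=$(python3 -c 'import apiosintDS, os; print(os.path.dirname(apiosintDS.__file__))')`, and extending the comment to `# Remove double logging: apiosintDS <version> calls logging.basicConfig at import time, duplicating misp-modules' handlers` (placeholder for the version) would make the intent and the tested version visible to whoever next bumps the dependency.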
@@ -7,11 +7,13 @@ FROM "${DOCKER_HUB_PROXY}composer:2.1.14" as composer-build RUN composer install --ignore-platform-reqs && \ composer require jakub-onderka/openid-connect-php:1.0.0-rc1 --ignore-platform-reqs && \ composer require --with-all-dependencies supervisorphp/supervisor:^4.0 \ - guzzlehttp/guzzle php-http/message lstrojny/fxmlrpc --ignore-platform-reqs + guzzlehttp/guzzle php-http/message lstrojny/fxmlrpc --ignore-platform-reqs && \ + composer require --with-all-dependencies elasticsearch/elasticsearch:^8.7.0 aws/aws-sdk-php --ignore-platform-reqs FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build RUN apt-get update; apt-get install -y --no-install-recommends \ gcc \ + g++ \ make \ libfuzzy-dev \ ca-certificates \ @@ -19,13 +21,13 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build php-dev \ php-pear \ librdkafka-dev \ + libsimdjson-dev \ git \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* RUN pecl channel-update pecl.php.net - RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka + RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka && pecl install simdjson RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install - FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build RUN apt-get update; apt-get install -y --no-install-recommends \ @@ -78,7 +80,7 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build cd pydeep || exit; python3 setup.py bdist_wheel -d /wheels # Grab other modules we need - RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief + RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief==0.12.3 # Remove extra packages due to incompatible requirements.txt files WORKDIR /wheels 
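Review bot: `composer require --with-all-dependencies elasticsearch/elasticsearch:^8.7.0 aws/aws-sdk-php --ignore-platform-reqs` leaves `aws/aws-sdk-php` unconstrained, so each image build pulls the newest release and the Vendor tree copied into the runtime stage cannot be reproduced or audited from the Dockerfile alone; a constraint such as `aws/aws-sdk-php:^3.0` (or the exact version the image was tested with) matches the pinning already given to the elasticsearch client on the same line. `pecl install simdjson` in the next hunk drifts the same way, as do the pre-existing ssdeep and rdkafka installs; the `lief==0.12.3` pin in the third hunk is the pattern to follow for all of them.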
@@ -125,6 +127,7 @@ ARG PHP_VER php-zip \ librdkafka1 \ libbrotli1 \ + libsimdjson5 \ # Unsure we need these zip unzip \ # Require for advanced an unattended configuration @@ -136,7 +139,7 @@ ARG PHP_VER RUN if [ ! -z ${MISP_COMMIT} ]; then \ git clone https://github.com/MISP/MISP.git /var/www/MISP && cd /var/www/MISP && git checkout ${MISP_COMMIT}; \ else git clone --branch ${MISP_TAG} --depth 1 https://github.com/MISP/MISP.git /var/www/MISP; fi - RUN cd /var/www/MISP/app || exit; git submodule update --init --recursive .; \ + RUN cd /var/www/MISP; git submodule update --init --recursive .; cd /var/www/MISP/app; \ # Remove some old and broken links that pollute the log files rm -rf /var/www/MISP/INSTALL/old 
@@ -149,24 +152,21 @@ ARG PHP_VER COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so COPY --from=php-build /usr/lib/php/${PHP_VER}/brotli.so /usr/lib/php/${PHP_VER}/brotli.so + COPY --from=php-build /usr/lib/php/${PHP_VER}/simdjson.so /usr/lib/php/${PHP_VER}/simdjson.so COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli - - RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done \ - ;phpenmod redis \ - # Enable ssdeep we build earlier - ;phpenmod ssdeep + RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done; phpenmod ssdeep + RUN for dir in /etc/php/*; do echo "extension=simdjson.so" > "$dir/mods-available/simdjson.ini"; done; phpenmod simdjson + RUN phpenmod redis # nginx RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs COPY files/etc/nginx/misp /etc/nginx/sites-available/misp - COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80 - COPY files/etc/nginx/misp80-noredir /etc/nginx/sites-available/misp80-noredir # Make a copy of the file store, so we can sync from it RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist 
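Review bot: This hunk stops copying `files/etc/nginx/misp-secure` and `misp80-noredir` (both deleted per the diffstat), which together with the README hunk dropping `SECURESSL`, `CERTAUTH`, `DISIPV6` and `NOREDIR` means the hardened TLS profile and the client-certificate opt-in no longer exist as options. The surviving `files/etc/nginx/misp` changes by 16 lines in this commit but is not visible on this page, so whether its protocol and cipher settings now carry what `misp-secure` enforced cannot be confirmed here; if it keeps the older defaults, deployments that ran with `SECURESSL=true` regress silently on upgrade. A sentence in the commit message or README stating that the secure profile is now the only profile, or how to restore the previous behaviour, would close that gap. Splitting `RUN phpenmod redis` onto its own line is an improvement over the old chained form.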
@@ -174,10 +174,18 @@ ARG PHP_VER # Make a copy of the configurations, so we can sync from it RUN cp -R /var/www/MISP/app/Config /var/www/MISP/app/Config.dist +# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions + RUN find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} + +# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory + RUN find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} + +# Directories are also writable, because there seems to be a requirement to add new files every once in a while + RUN find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} + + # Entrypoints COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/10-supervisor.conf COPY files/etc/supervisor/workers.conf /etc/supervisor/conf.d/50-workers.conf - COPY files/entrypoint_internal.sh / + COPY files/var/www/html/index.php /var/www/html/index.php + COPY files/configure_misp.sh / COPY files/entrypoint_fpm.sh / COPY files/entrypoint_nginx.sh / COPY files/entrypoint_cron.sh / diff --git a/server/files/entrypoint_internal.sh b/server/files/configure_misp.sh similarity index 56% rename from server/files/entrypoint_internal.sh rename to server/files/configure_misp.sh index 57e6cf3..a1a0de7 100755 --- a/server/files/entrypoint_internal.sh +++ b/server/files/configure_misp.sh 
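Review bot: `RUN find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} +` makes every directory in the application tree group-writable for www-data, including the PHP source under `app/Controller`, `app/Model` and `app/webroot`, so a compromised web or worker process can persist changes to application code rather than only to data; the comment motivates it with files being added "every once in a while", but the directories that appear to take writes are the ones the compose file already mounts (`app/Config`, `app/tmp/logs`, `app/files`, `.gnupg`). Keeping directories at `0550` and opening only the data paths, e.g. `RUN find /var/www/MISP -type d -not -perm 550 -exec chmod 0550 {} +` followed by `RUN for d in app/tmp app/files app/Config; do find /var/www/MISP/$d -type d -exec chmod 0770 {} +; done`, keeps the code tree read-only for www-data; the exact list should be checked against MISP's own install guidance before narrowing, since some writable paths may exist outside those directories. Likewise `chmod 0550` on every file marks all of them executable, which the comment itself calls wider than needed; a follow-up could scope `+x` to `app/Console/cake` and the scripts that actually need it.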
@@ -2,6 +2,39 @@ [ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test" [ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase" +[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis +[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules" + +init_misp_configuration(){ + # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this + echo "... configuring default settings" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3) + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false +} + +init_misp_workers(){ + # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this + echo "... 
configuring background workers" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" true + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001 + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor" + sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN" + + echo "... starting background workers" + supervisorctl start misp-workers:* +} init_gnupg() { GPG_DIR=/var/www/MISP/.gnupg @@ -9,7 +42,7 @@ init_gnupg() { GPG_TMP=/tmp/gpg.tmp if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then - echo "Generating GPG key ... (please be patient, we need some entropy)" + echo "... generating new GPG key in ${GPG_DIR}" cat >${GPG_TMP} < ${GPG_ASC} else - echo "Found exported key ${GPG_ASC}" + echo "... found exported key ${GPG_ASC}" fi sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "${ADMIN_EMAIL}" 
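Review bot: `init_misp_workers` writes `SimpleBackgroundJobs.supervisor_password` and `supervisor_user` as the literal `"supervisor"`, so the supervisor RPC credentials are baked into the image and identical across every deployment; these lines are moved from `entrypoint_nginx.sh`, but now that the function sits beside the `[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis` defaults it would be natural to make them overridable the same way, e.g. `[ -z "$SUPERVISOR_PASSWORD" ] && SUPERVISOR_PASSWORD="supervisor"` and `... setSetting "SimpleBackgroundJobs.supervisor_password" "$SUPERVISOR_PASSWORD"` (constructed names; the value in `files/etc/supervisor/supervisor.conf`, not shown here, would have to follow the same variable). In `init_misp_configuration`, `setSetting "MISP.python_bin" $(which python3)` is unquoted, so a failed lookup passes no argument at all; `"$(which python3)"` keeps the call well-formed.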
@@ -64,14 +97,14 @@ init_user() { echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD} fi if [ ! -z "$ADMIN_KEY" ]; then - echo "Customize MISP | Setting admin key to '${ADMIN_KEY}'" + echo "... setting admin key to '${ADMIN_KEY}'" CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}") else - echo "Customize MISP | Regenerating admin key" + echo "... regenerating admin key" CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1) fi ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'` - echo "Customize MISP | Admin user key set to '${ADMIN_KEY}'" + echo "... admin user key set to '${ADMIN_KEY}'" } apply_critical_fixes() { @@ -81,9 +114,19 @@ apply_critical_fixes() { sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" false sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_popover_only" false sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true + sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ + \"Security\": { + \"rest_client_baseurl\": \"${HOSTNAME}\" + } + }" > /dev/null + sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ + \"Security\": { + \"auth\": \"\" + } + }" > /dev/null } -apply_custom_settings() { +apply_optional_fixes() { sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_top" "" sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_bottom" "" 
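Review bot: `echo "... setting admin key to '${ADMIN_KEY}'"` and `echo "... admin user key set to '${ADMIN_KEY}'"` print the admin API key to the container's stdout, where it lands in `docker logs` and any log shipper attached to it; since the lines are being reworded anyway, dropping the value is cheap: `echo "... setting admin key from ADMIN_KEY"` and `echo "... admin user key set"`. When the key is regenerated (the `else` branch) the operator still needs it, so printing it once in that branch only, or writing it to a file readable only by the operator, is the trade-off to decide explicitly. `init_user` starts outside this hunk.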
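Review bot: The new `modify_config.php modify` call sets `Security.auth` to `""` unconditionally on every run of `apply_critical_fixes`, so an authentication plugin an operator configured in the mounted `config.php` (the `CERTAUTH` option removed from the README in this commit points at such a plugin) is cleared at each container start; if the intent is only a default, gating it behind an environment variable the way `configure_optional_plugins` gates on `VIRUSTOTAL_KEY`, or documenting that `Security.auth` is owned by the image, avoids surprising resets. Both payloads are also assembled by shell interpolation — `\"rest_client_baseurl\": \"${HOSTNAME}\"` — so a `HOSTNAME` containing a quote or backslash yields invalid JSON whose failure may go unnoticed with stdout sent to `/dev/null`; building it as `jq -n --arg h "$HOSTNAME" '{Security:{rest_client_baseurl:$h}}'`, as `create_sync_servers` does for its payload, keeps the value escaped.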
@@ -99,9 +142,9 @@ apply_custom_settings() { sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 5 } -configure_plugins() { +configure_optional_plugins() { if [ ! -z "$VIRUSTOTAL_KEY" ]; then - echo "Customize MISP | Enabling 'virustotal' module ..." + echo "... enabling 'virustotal' module ..." sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ \"Plugin\": { \"Enrichment_virustotal_enabled\": true, @@ -111,7 +154,7 @@ configure_plugins() { fi if [ ! -z "$VIRUSTOTAL_KEY" ] && [ ! -z "$NSX_ANALYSIS_KEY" ] && [ ! -z "$NSX_ANALYSIS_API_TOKEN" ] && [ ! -z "$ADMIN_KEY" ]; then - echo "Customize MISP | Enabling 'vmware_nsx' module ..." + echo "... enabling 'vmware_nsx' module ..." sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ \"Plugin\": { \"Enrichment_vmware_nsx_enabled\": true, 
@@ -127,56 +170,12 @@ configure_plugins() { fi } -configure_email() { - sudo -u www-data tee /var/www/MISP/app/Config/email.php > /dev/null < 'Smtp', - 'from' => array('misp-dev@admin.test' => 'Misp DEV'), - 'host' => 'mail', - 'port' => 25, - 'timeout' => 30, - 'client' => null, - 'log' => false, - ); - public \$smtp = array( - 'transport' => 'Smtp', - 'from' => array('misp-dev@admin.test' => 'Misp DEV'), - 'host' => 'mail', - 'port' => 25, - 'timeout' => 30, - 'client' => null, - 'log' => false, - ); - public \$fast = array( - 'from' => 'misp-dev@admin.test', - 'sender' => null, - 'to' => null, - 'cc' => null, - 'bcc' => null, - 'replyTo' => null, - 'readReceipt' => null, - 'returnPath' => null, - 'messageId' => true, - 'subject' => null, - 'message' => null, - 'headers' => null, - 'viewRender' => null, - 'template' => false, - 'layout' => false, - 'viewVars' => null, - 'attachments' => null, - 'emailFormat' => null, - 'transport' => 'Smtp', - 'host' => 'mail', - 'port' => 25, - 'timeout' => 30, - 'client' => null, - 'log' => true, - ); -} -EOT +updateComponents() { + sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies + sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies + sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists + sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists + sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID" } add_organization() { @@ -196,7 +195,7 @@ get_organization() { curl -s --show-error -k \ -H "Authorization: ${ADMIN_KEY}" \ -H "Accept: application/json" \ - -H "Content-type: application/json" ${HOSTNAME}/organisations/view/${1} | jq -e -r ".Organisation.id" + -H "Content-type: application/json" ${HOSTNAME}/organisations/view/${1} | jq -e -r ".Organisation.id // empty" } add_server() { 
@@ -214,54 +213,58 @@ get_server() { -H "Content-type: application/json" ${HOSTNAME}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${1}\") | .Server.id" } -updateComponents() { - sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies - sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies - sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists - sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists - sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID" +create_organizations() { + SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n') + for ORG in $SPLITTED_ORGS; do + ORG_ID=$(get_organization ${ORG}) + if [[ -z $ORG_ID ]]; then + echo "... adding organization: $ORG" + add_organization $ORG true + else + echo "... organization $ORG already exists" + fi + done } -echo "Customize MISP | Configure email ..." && configure_email +create_sync_servers() { + SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n') + for ID in $SPLITTED_SYNCSERVERS; do + NAME="SYNCSERVERS_${ID}_NAME" + UUID="SYNCSERVERS_${ID}_UUID" + DATA="SYNCSERVERS_${ID}_DATA" + KEY="SYNCSERVERS_${ID}_KEY" + if ! get_server ${!NAME}; then + echo "... configuring sync server ${!NAME}..." + add_organization ${!NAME} false ${!UUID} + ORG_ID=$(get_organization ${!UUID}) + DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY} '. + {remote_org_id: $org_id, name: $name, authkey: $key}') + add_server "$DATA" + fi + done +} -echo "Customize MISP | Configure GPG key ..." && init_gnupg -echo "Customize MISP | Running updates ..." && apply_updates +echo "MISP | Initialize configuration ..." && init_misp_configuration -echo "Customize MISP | Init default user and organization ..." && init_user +echo "MISP | Initialize workers ..." && init_misp_workers -echo "Customize MISP | Resolve critical issues ..." && apply_critical_fixes +echo "MISP | Configure GPG key ..." 
&& init_gnupg -echo "Customize MISP | Customize installation ..." && apply_custom_settings +echo "MISP | Running updates ..." && apply_updates -# This item last so we had a chance to create the ADMIN_KEY if not specified -echo "Customize MISP | Configure plugins ..." && configure_plugins +echo "MISP | Init default user and organization ..." && init_user -# Create organizations (and silently fail if present already) -echo "Customize MISP | Creating organizations ..." -SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n') -for ORG in $SPLITTED_ORGS; do - echo "Adding organization: $ORG" - add_organization $ORG true -done +echo "MISP | Resolve critical issues ..." && apply_critical_fixes -echo "Customize MISP | Creating sync servers ..." -SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n') -for ID in $SPLITTED_SYNCSERVERS; do - NAME="SYNCSERVERS_${ID}_NAME" - UUID="SYNCSERVERS_${ID}_UUID" - DATA="SYNCSERVERS_${ID}_DATA" - KEY="SYNCSERVERS_${ID}_KEY" - if ! get_server ${!NAME}; then - echo "Customize MISP | Configuring sync server ${!NAME}..." - add_organization ${!NAME} false ${!UUID} - ORG_ID=$(get_organization ${!UUID}) - DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY} '. + {remote_org_id: $org_id, name: $name, authkey: $key}') - add_server "$DATA" - fi -done +echo "MISP | Resolve non-critical issues ..." && apply_optional_fixes -echo "Customize MISP | Updating components ..." && updateComponents +echo "MISP | Creating organizations ..." && create_organizations -# Make the instance live +echo "MISP | Creating sync servers ..." && create_sync_servers + +echo "MISP | Updating components ..." && updateComponents + +echo "MISP | Configure plugins with newly generate admin key ..." && configure_optional_plugins + +echo "MISP | Marking instance live" sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1 diff --git a/server/files/entrypoint_fpm.sh b/server/files/entrypoint_fpm.sh index d345705..0cfb8ec 100755 
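Review bot: `create_sync_servers` passes the indirect expansions unquoted — `get_server ${!NAME}`, `add_organization ${!NAME} false ${!UUID}`, `jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY}` — so a server name containing a space splits into several arguments, and an empty `ORG_ID` (which `get_organization` now produces via `// empty`) makes `--arg org_id` consume the next token and corrupt the payload; quoting each one, `if ! get_server "${!NAME}"; then` and `jq --arg org_id "${ORG_ID}" --arg name "${!NAME}" --arg key "${!KEY}"`, fixes both. `create_organizations` has the same issue with `$ORG` and with the unquoted `$ORGANIZATIONS` in `echo $ORGANIZATIONS | tr ',' '\n'`. The new log line `echo "MISP | Configure plugins with newly generate admin key ..."` reads better as `newly generated`. The hunk opens inside `get_server()`, whose start is outside it.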
--- a/server/files/entrypoint_fpm.sh +++ b/server/files/entrypoint_fpm.sh @@ -19,9 +19,9 @@ change_php_vars() { done } -echo "Configure PHP | Change PHP values ..." && change_php_vars +echo "Configure PHP | Change PHP values ..." && change_php_vars -echo "Starting PHP FPM" +echo "Configure PHP | Starting PHP FPM" /usr/sbin/php-fpm7.4 -R -F & master_pid=$! # Wait for it diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh index 383baf3..5db778b 100755 --- a/server/files/entrypoint_nginx.sh +++ b/server/files/entrypoint_nginx.sh 
@@ -8,80 +8,13 @@ term_proc() { trap term_proc SIGTERM -MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config [ -z "$MYSQL_HOST" ] && MYSQL_HOST=db [ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306 [ -z "$MYSQL_USER" ] && MYSQL_USER=misp [ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example [ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp -[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis -[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules" -[ -z "$MYSQLCMD" ] && MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE" +[ -z "$MYSQLCMD" ] && export MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE" -ENTRYPOINT_PID_FILE="/entrypoint_apache.install" -[ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE - -init_misp_config(){ - [ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php - [ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php - [ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php - [ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php - [ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php - [ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php - - echo "Configure MISP | Set DB User, Password and Host in database.php" - sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php - sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php - sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php - sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php -} - 
-init_misp_defaults(){ - # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this - echo "Configure sane defaults" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3) - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false -} - - -init_misp_workers(){ - # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this - echo "Configuring background workers" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" true - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001 - sudo -u www-data /var/www/MISP/app/Console/cake Admin 
setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor" - sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN" - - echo "Starting background workers" - supervisorctl start misp-workers:* -} - -init_misp_files(){ - if [ ! -f /var/www/MISP/app/files/INIT ]; then - cp -R /var/www/MISP/app/files.dist/* /var/www/MISP/app/files - touch /var/www/MISP/app/files/INIT - fi -} - -init_ssl() { - if [[ (! -f /etc/nginx/certs/cert.pem) || (! -f /etc/nginx/certs/key.pem) ]]; - then - cd /etc/nginx/certs - openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 - fi -} init_mysql(){ # Test when MySQL is ready.... 
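Review bot: `[ -z "$MYSQLCMD" ] && export MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD ..."` turns the full database command line, password included, into an exported variable, so every process spawned from this entrypoint inherits it rather than only the script that needs it (presumably `/configure_misp.sh`, whose invocation is outside this hunk); `-p$MYSQL_PASSWORD` was already visible in the process list, but the export widens exposure to any child that logs or dumps its environment. Narrower options are to keep `MYSQLCMD` unexported and pass it on the single call, `MYSQLCMD="$MYSQLCMD" /configure_misp.sh`, or to let mysql read the credentials from a 0600 options file via `--defaults-extra-file`. The removed `init_ssl` (self-signed certificate generation) and `init_misp_files` have no replacement inside this hunk; if they moved into the hunk that follows, a line in the commit message saying where would help reviewers.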
@@ -99,137 +32,209 @@ init_mysql(){
 RETRY=100
 until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do
- echo "Waiting for database to come up"
+ echo "... waiting for database to come up"
 sleep 5
 RETRY=$(( RETRY - 1))
 done
 if [ $RETRY -le 0 ]; then
- >&2 echo "Error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT"
+ >&2 echo "... error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT"
 exit 1
 fi
 if [ $(isDBinitDone) -eq 0 ]; then
- echo "Database has already been initialized"
+ echo "... database has already been initialized"
 else
- echo "Database has not been initialized, importing MySQL scheme..."
+ echo "... database has not been initialized, importing MySQL scheme..."
 $MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
 fi
 }
-sync_files(){
+init_misp_data_files(){
+ # Init config (shared with host)
+ echo "... initializing configuration files"
+ MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
+ [ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
+ [ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
+ [ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
+ [ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
+ [ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
+ [ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
+
+ echo "... 
initializing database.php settings" + sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php + sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php + sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php + sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php + + echo "... initializing email.php settings" + sudo -u www-data tee /var/www/MISP/app/Config/email.php > /dev/null < 'Smtp', + 'from' => array('misp-dev@admin.test' => 'Misp DEV'), + 'host' => 'mail', + 'port' => 25, + 'timeout' => 30, + 'client' => null, + 'log' => false, + ); + public \$smtp = array( + 'transport' => 'Smtp', + 'from' => array('misp-dev@admin.test' => 'Misp DEV'), + 'host' => 'mail', + 'port' => 25, + 'timeout' => 30, + 'client' => null, + 'log' => false, + ); + public \$fast = array( + 'from' => 'misp-dev@admin.test', + 'sender' => null, + 'to' => null, + 'cc' => null, + 'bcc' => null, + 'replyTo' => null, + 'readReceipt' => null, + 'returnPath' => null, + 'messageId' => true, + 'subject' => null, + 'message' => null, + 'headers' => null, + 'viewRender' => null, + 'template' => false, + 'layout' => false, + 'viewVars' => null, + 'attachments' => null, + 'emailFormat' => null, + 'transport' => 'Smtp', + 'host' => 'mail', + 'port' => 25, + 'timeout' => 30, + 'client' => null, + 'log' => true, + ); +} +EOT + + # Init files (shared with host) + echo "... initializing app files" + MISP_APP_FILES_PATH=/var/www/MISP/app/files + if [ ! -f ${MISP_APP_FILES_PATH}/INIT ]; then + cp -R ${MISP_APP_FILES_PATH}.dist/* ${MISP_APP_FILES_PATH} + touch ${MISP_APP_FILES_PATH}/INIT + fi +} + +update_misp_data_files(){ for DIR in $(ls /var/www/MISP/app/files.dist); do + echo "... 
rsync -azh --delete \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
 rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
 done
 }
-# Ensure SSL certs are where we expect them, for backward comparibility See issue #53
-for CERT in cert.pem dhparams.pem key.pem; do
- echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"
- if [[ ! -f "/etc/nginx/certs/$CERT" && -f "/etc/ssl/certs/$CERT" ]]; then
- WARNING53=true
- cp /etc/ssl/certs/$CERT /etc/nginx/certs/$CERT
+enforce_misp_data_permissions(){
+ echo "... chown -R www-data:www-data /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
+ # Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
+ echo "... chmod -R 0550 files /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 550 -type f -exec chmod 0550 {} +
+ # Directories are also writable, because there seems to be a requirement to add new files every once in a while
+ echo "... chmod -R 0770 directories /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 770 -type d -exec chmod 0770 {} +
+ # We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
+ echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp" && chmod -R u+w,g+w /var/www/MISP/app/tmp
+
+ echo "... chown -R www-data:www-data /var/www/MISP/app/files" && find /var/www/MISP/app/files \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
+ # Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
+ echo "... chmod -R 0550 files /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 550 -type f -exec chmod 0550 {} +
+ # Directories are also writable, because there seems to be a requirement to add new files every once in a while
+ echo "... 
chmod -R 0770 directories /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 770 -type d -exec chmod 0770 {} +
+ # We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
+ echo "... chmod -R u+w,g+w /var/www/MISP/app/files" && chmod -R u+w,g+w /var/www/MISP/app/files
+
+ echo "... chown -R www-data:www-data /var/www/MISP/app/Config" && find /var/www/MISP/app/Config \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
+ # Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
+ echo "... chmod -R 0550 files /var/www/MISP/app/Config ..." && find /var/www/MISP/app/Config -not -perm 550 -type f -exec chmod 0550 {} +
+ # Directories are also writable, because there seems to be a requirement to add new files every once in a while
+ echo "... chmod -R 0770 directories /var/www/MISP/app/Config" && find /var/www/MISP/app/Config -not -perm 770 -type d -exec chmod 0770 {} +
+ # We make configuration files read only
+ echo "... chmod 600 /var/www/MISP/app/Config/{config,database,email}.php" && chmod 600 /var/www/MISP/app/Config/{config,database,email}.php
+}
+
+flip_nginx() {
+ local live="$1";
+ local reload="$2";
+
+ if [[ "$live" = "true" ]]; then
+ NGINX_DOC_ROOT=/var/www/MISP/app/webroot
+ elif [[ -x /custom/files/var/www/html/index.php ]]; then
+ NGINX_DOC_ROOT=/custom/files/var/www/html/
+ else
+ NGINX_DOC_ROOT=/var/www/html/
 fi
-done
-# Things we should do when we have the INITIALIZE Env Flag
-if [[ "$INIT" == true ]]; then
- echo "Setup MySQL..." && init_mysql
- echo "Setup MISP files dir..." && init_misp_files
- echo "Ensure SSL certs exist..." && init_ssl
-fi
+ # must be valid for all roots
+ echo "... 
nginx docroot set to ${NGINX_DOC_ROOT}"
+ sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
-# Things we should do if we're configuring MISP via ENV
-echo "Configure MISP | Initialize misp base config..." && init_misp_config
+ if [[ "$reload" = "true" ]]; then
+ echo "... nginx reloaded"
+ nginx -s reload
+ fi
+}
-echo "Configure MISP | Sync app files..." && sync_files
+init_nginx() {
+ if [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
+ echo "... enabling port 80 redirect"
+ ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
+ else
+ echo "... port 80 already configured"
+ fi
-echo "Configure MISP | Enforce permissions ..."
-# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions
-echo "... chown -R www-data:www-data /var/www/MISP ..." && find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
-# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
-echo "... chmod -R 0550 files /var/www/MISP ..." && find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} +
-# Directories are also writable, because there seems to be a requirement to add new files every once in a while
-echo "... chmod -R 0770 directories /var/www/MISP ..." && find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} +
-# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
-echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp ..." && chmod -R u+w,g+w /var/www/MISP/app/tmp
-echo "... chmod -R u+w,g+w /var/www/MISP/app/files ..." && chmod -R u+w,g+w /var/www/MISP/app/files
-# We also make other special files writable (should be 660)
-echo "... chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php ... 
" && chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php
+ if [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
+ echo "... enabling port 443"
+ ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
+ else
+ echo "... port 443 already configured"
+ fi
+
+ if [[ ! -f /etc/nginx/certs/cert.pem || ! -f /etc/nginx/certs/key.pem ]]; then
+ echo "... generating new self-signed TLS certificate"
+ openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout /etc/nginx/certs/key.pem -out /etc/nginx/certs/cert.pem -days 365
+ else
+ echo "... TLS certificates found"
+ fi
+
+ if [[ ! -f /etc/nginx/certs/dhparams.pem ]]; then
+ echo "... generating new DH parameters"
+ openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
+ else
+ echo "... DH parameters found"
+ fi
-# Configuring defaults now
-echo "Configure MISP | Setting defaults ..." && init_misp_defaults
+ flip_nginx false false
+}
-# Workers are set to NOT auto start so we have time to enforce permissions on the cache first
-echo "Configure MISP | Starting workers ..." && init_misp_workers
-# Work around https://github.com/MISP/MISP/issues/5608
-if [[ ! -f /var/www/MISP/PyMISP/pymisp/data/describeTypes.json ]]; then
- mkdir -p /var/www/MISP/PyMISP/pymisp/data/
- ln -s /usr/local/lib/python3.9/dist-packages/pymisp/data/describeTypes.json /var/www/MISP/PyMISP/pymisp/data/describeTypes.json
-fi
+# Initialize MySQL
+echo "INIT | Initialize MySQL ..." && init_mysql
-if [[ ! -L "/etc/nginx/sites-enabled/misp80" && "$NOREDIR" == true ]]; then
- echo "Configure NGINX | Disabling Port 80 Redirect"
- ln -s /etc/nginx/sites-available/misp80-noredir /etc/nginx/sites-enabled/misp80
-elif [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
- echo "Configure NGINX | Enable Port 80 Redirect"
- ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
-else
- echo "Configure NGINX | Port 80 already configured"
-fi
-
-if [[ ! 
-L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then
- echo "Configure NGINX | Using Secure SSL"
- ln -s /etc/nginx/sites-available/misp-secure /etc/nginx/sites-enabled/misp
-elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
- echo "Configure NGINX | Using Standard SSL"
- ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
-else
- echo "Configure NGINX | SSL already configured"
-fi
-
-if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then
- echo "Configure NGINX | Building dhparams.pem"
- openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
-fi
-
-if [[ $CERTAUTH = @(optional|on) ]]; then
- echo "Configure NGINX | Enabling SSL Cert Authentication"
- grep -qF "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
- grep -qF "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
- grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a \\ ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
- grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a \\ ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp
-
- echo "Configure bootstrap | Enabling Cert Auth Plugin - Don't forget to configure it https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth (Step 2)"
- sed -i "s/\/\/ CakePlugin::load('CertAuth');/CakePlugin::load('CertAuth');/" $MISP_APP_CONFIG_PATH/bootstrap.php
-fi
-
-if [[ "$DISIPV6" == true ]]; then
- echo "Configure NGINX | Disabling IPv6"
- sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80
- sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp
-fi
-
-# delete pid 
file
-[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
-
-if [[ "$WARNING53" == true ]]; then
- echo "WARNING - WARNING - WARNING"
- echo "The SSL certs have moved. You currently have them mounted to /etc/ssl/certs."
- echo "This needs to be changed to /etc/nginx/certs."
- echo "See: https://github.com/coolacid/docker-misp/issues/53"
- echo "WARNING - WARNING - WARNING"
-fi
-
-if [[ -x /entrypoint_internal.sh ]]; then
- export MYSQLCMD=${MYSQLCMD}
- nginx -g 'daemon off;' & master_pid=$!
- /entrypoint_internal.sh
- kill -TERM "$master_pid" 2>/dev/null
-fi
-
-# Start NGINX
+# Initialize NGINX
+echo "INIT | Initialize NGINX ..." && init_nginx
 nginx -g 'daemon off;' & master_pid=$!
+# Initialize MISP
+echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
+echo "INIT | Updating MISP app/files directory ..." && update_misp_data_files
+echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
+echo "INIT | Flipping NGINX live ..." && flip_nginx true true
+
+# Run configure MISP script
+echo "INIT | Configuring MISP installation ..."
+/configure_misp.sh
+
+if [[ -x /custom/files/customize_misp.sh ]]; then
+ echo "INIT | Customizing MISP installation ..."
+ /custom/files/customize_misp.sh
+fi
+
 # Wait for it
 wait "$master_pid"
diff --git a/server/files/etc/nginx/misp b/server/files/etc/nginx/misp
index 09c8e16..8eda5ae 100644
--- a/server/files/etc/nginx/misp
+++ b/server/files/etc/nginx/misp
@@ -1,12 +1,14 @@
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
+
+ # define the root dir
 root /var/www/MISP/app/webroot;
 index index.php;
 client_max_body_size 50M;
- # Disable access logs
+ # disable access logs
 access_log off;
 log_not_found off;
 error_log /dev/stderr error;
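Review bot: `init_misp_data_files` interpolates `$MYSQL_HOST`, `$MYSQL_USER`, `$MYSQL_PASSWORD` and `$MYSQL_DATABASE` straight into `sed` replacement expressions, so a value containing `/`, `&` or `\` either makes `sed` fail or writes a different credential into database.php than the one configured; escaping first, e.g. `MYSQL_PASSWORD_SED=$(printf '%s' "$MYSQL_PASSWORD" | sed 's/[\/&\\]/\\&/g')` followed by `sed -i "s/db\s*password/$MYSQL_PASSWORD_SED/" $MISP_APP_CONFIG_PATH/database.php`, removes the need to restrict the password to alphanumerics. Two lines after the `[ -f $MISP_APP_CONFIG_PATH/email.php ] || cp …` guard, the unconditional `sudo -u www-data tee … email.php` heredoc (its body is truncated in this rendering) overwrites the file on every start, so the guard is dead and operator edits to email.php are lost; either drop the guard or make the heredoc conditional as well. database.php receives the credentials in `init_misp_data_files` but is only narrowed to 0600 later in `enforce_misp_data_permissions`, so between the two steps it carries whatever mode `cp` produced — presumably 0644 under the default umask, worth confirming — and a `chmod 600` right after the `sed` calls would close that window. `/custom/files/customize_misp.sh` runs with the entrypoint's own privileges (root, judging by the `chown`/`chmod` calls and the `sudo -u www-data` drops elsewhere), so a comment such as `# host-provided hook, executed as root: mount it from a trusted, read-only location` above the `if [[ -x /custom/files/customize_misp.sh ]]` check would make that trust boundary explicit.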
@@ -27,7 +29,7 @@ server {
 add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
 add_header X-Frame-Options SAMEORIGIN;
- # Aded headers for hardening browser security
+ # added headers for hardening browser security
 add_header Referrer-Policy "no-referrer" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Download-Options "noopen" always;
@@ -36,17 +38,9 @@ server {
 add_header X-Robots-Tag "none" always;
 add_header X-XSS-Protection "1; mode=block" always;
- # Remove X-Powered-By, which is an information leak
+ # remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
- location /public {
- root /mnt;
- autoindex on;
- autoindex_exact_size off;
- autoindex_format html;
- autoindex_localtime on;
- }
-
 location / {
 try_files $uri $uri/ /index.php$is_args$query_string;
 }
diff --git a/server/files/etc/nginx/misp-secure b/server/files/etc/nginx/misp-secure
deleted file mode 100644
index d8aadde..0000000
--- a/server/files/etc/nginx/misp-secure
+++ /dev/null
@@ -1,57 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- root /var/www/MISP/app/webroot;
- index index.php;
-
- client_max_body_size 50M;
-
- # Disable access logs
- access_log off;
- log_not_found off;
- error_log /dev/stderr error;
-
- ssl_certificate /etc/nginx/certs/cert.pem;
- ssl_certificate_key /etc/nginx/certs/key.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
- ssl_session_tickets off;
-
- # modern configuration
- ssl_protocols TLSv1.3;
- ssl_prefer_server_ciphers off;
-
- # enable HSTS
- add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
- add_header X-Frame-Options SAMEORIGIN;
-
- # Aded headers for hardening browser security
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- location /public {
- root /mnt;
- autoindex on;
- autoindex_exact_size off;
- autoindex_format html;
- autoindex_localtime on;
- }
-
- location / {
- try_files $uri $uri/ /index.php$is_args$query_string;
- }
-
- location ~ \.php$ {
- include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
- fastcgi_read_timeout 300;
- }
-}
diff --git a/server/files/etc/nginx/misp80-noredir b/server/files/etc/nginx/misp80-noredir
deleted file mode 100644
index 9dd2cc4..0000000
--- a/server/files/etc/nginx/misp80-noredir
+++ /dev/null
@@ -1,35 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
- root /var/www/MISP/app/webroot;
- index index.php;
-
- client_max_body_size 50M;
-
- # Disable access logs
- access_log off;
- log_not_found off;
- error_log /dev/stderr error;
-
- # Aded headers for hardening browser security
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- location / {
- try_files $uri $uri/ /index.php$is_args$query_string;
- }
-
- location ~ \.php$ {
- include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
- fastcgi_read_timeout 300;
- }
-}
diff --git a/server/files/var/www/html/index.php b/server/files/var/www/html/index.php
new file mode 100644
index 0000000..5824a96
--- /dev/null
+++ b/server/files/var/www/html/index.php
@@ -0,0 +1,3 @@
+
+MISP is loading...
+
\ No newline at end of file
diff --git a/template.env b/template.env
index 1d39e5b..d2c383c 100644
--- a/template.env
+++ b/template.env
@@ -1,5 +1,5 @@
-MISP_TAG=v2.4.169
-MODULES_TAG=v2.4.169
+MISP_TAG=v2.4.170
+MODULES_TAG=v2.4.170
 PHP_VER=20190902
 # MISP_COMMIT takes precedence over MISP_TAG
 # MISP_COMMIT=c56d537
@@ -38,6 +38,3 @@ SYNCSERVERS_1_KEY=
 # comma separated list of organizations to create (e.g. ORGANIZATIONS="ORG1, ORG2, ORG3")
 ORGANIZATIONS=
-
-# host folder containing public files generated by external tools
-PUBLIC_MOUNT_POINT=./public
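Review bot: The new placeholder `index.php` answers with an ordinary 200 while MISP is still initializing, so a load balancer or orchestrator health check sees the instance as ready before the application is; since the file is already served as PHP, opening it with `<?php http_response_code(503); header('Retry-After: 30'); ?>` keeps the message but tells clients the state is transient. This assumes the `misp` vhost still hands `.php` to PHP-FPM the way the removed `misp-secure` copy did, which the hunks here do not show for the surviving file. The page's markup also appears stripped in this rendering, so only the text line is visible.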