Refactor the whole image and allow external customization
parent
8d7031e42c
commit
51075b4f37
12
README.md
12
README.md
|
@ -29,10 +29,10 @@ Additionally, this fork features the following improvements:
|
||||||
- Add support for new background job system (see https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md)
|
- Add support for new background job system (see https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md)
|
||||||
- Add support for exposing locally generated resources
|
- Add support for exposing locally generated resources
|
||||||
- Add support for building specific MISP and MISP-modules commits
|
- Add support for building specific MISP and MISP-modules commits
|
||||||
- Add automatic configuration of MISP modules (see `entrypoint_internal.sh`)
|
- Add automatic configuration of MISP modules (see `configure_misp.sh`)
|
||||||
- Add automatic configuration of sync servers (see `entrypoint_internal.sh`)
|
- Add automatic configuration of sync servers (see `configure_misp.sh`)
|
||||||
- Add automatic configuration of organizations (see `entrypoint_internal.sh`)
|
- Add automatic configuration of organizations (see `configure_misp.sh`)
|
||||||
- Add autoamtic configuration of authentication keys (see `entrypoint_internal.sh`)
|
- Add autoamtic configuration of authentication keys (see `configure_misp.sh`)
|
||||||
- Add direct push of docker images to Docker Hub
|
- Add direct push of docker images to Docker Hub
|
||||||
- Consolidate docker compose files
|
- Consolidate docker compose files
|
||||||
|
|
||||||
|
@ -117,10 +117,6 @@ The `docker-compose.yml` file allows further configuration settings:
|
||||||
"MYSQL_USER=misp"
|
"MYSQL_USER=misp"
|
||||||
"MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run.
|
"MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run.
|
||||||
"MYSQL_DATABASE=misp"
|
"MYSQL_DATABASE=misp"
|
||||||
"NOREDIR=true" # Do not redirect port 80
|
|
||||||
"DISIPV6=true" # Disable IPV6 in nginx
|
|
||||||
"CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required
|
|
||||||
"SECURESSL=true" # Enable higher security SSL in nginx
|
|
||||||
"MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
|
"MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
|
||||||
"WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead)
|
"WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead)
|
||||||
"NUM_WORKERS_DEFAULT=5" # To set the number of default workers
|
"NUM_WORKERS_DEFAULT=5" # To set the number of default workers
|
||||||
|
|
|
@ -42,19 +42,19 @@ services:
|
||||||
ports:
|
ports:
|
||||||
- "80:80"
|
- "80:80"
|
||||||
- "443:443"
|
- "443:443"
|
||||||
|
# customization
|
||||||
|
- "3030:3030"
|
||||||
volumes:
|
volumes:
|
||||||
- "./configs/:/var/www/MISP/app/Config/"
|
- "./configs/:/var/www/MISP/app/Config/"
|
||||||
- "./logs/:/var/www/MISP/app/tmp/logs/"
|
- "./logs/:/var/www/MISP/app/tmp/logs/"
|
||||||
- "./files/:/var/www/MISP/app/files/"
|
- "./files/:/var/www/MISP/app/files/"
|
||||||
- "./ssl/:/etc/nginx/certs/"
|
- "./ssl/:/etc/nginx/certs/"
|
||||||
- "./gnupg/:/var/www/MISP/.gnupg/"
|
- "./gnupg/:/var/www/MISP/.gnupg/"
|
||||||
- "${PUBLIC_MOUNT_POINT}:/mnt/public/"
|
|
||||||
environment:
|
environment:
|
||||||
- "HOSTNAME=https://localhost"
|
- "HOSTNAME=https://localhost"
|
||||||
- "REDIS_FQDN=redis"
|
- "REDIS_FQDN=redis"
|
||||||
- "INIT=true" # Initialze MISP, things includes, attempting to import SQL and the Files DIR
|
- "CRON_USER_ID=1"
|
||||||
- "CRON_USER_ID=1" # The MISP user ID to run cron jobs as
|
# sync server settings
|
||||||
# Synchronization Servers settings
|
|
||||||
- "SYNCSERVERS=${SYNCSERVERS}"
|
- "SYNCSERVERS=${SYNCSERVERS}"
|
||||||
- "SYNCSERVERS_1_NAME=${SYNCSERVERS_1_NAME}"
|
- "SYNCSERVERS_1_NAME=${SYNCSERVERS_1_NAME}"
|
||||||
- "SYNCSERVERS_1_UUID=${SYNCSERVERS_1_UUID}"
|
- "SYNCSERVERS_1_UUID=${SYNCSERVERS_1_UUID}"
|
||||||
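Review bot: The new volume line `- "${PUBLIC_MOUNT_POINT}:/mnt/public/"` has no default, so when PUBLIC_MOUNT_POINT is not exported compose expands it to `:/mnt/public/` and the service will most likely fail to start with an unhelpful volume-spec error; either give it a default, `- "${PUBLIC_MOUNT_POINT:-./public}:/mnt/public/"`, or make the requirement explicit with `- "${PUBLIC_MOUNT_POINT:?PUBLIC_MOUNT_POINT must be set}:/mnt/public/"`. The new `- "3030:3030"` under `# customization` is undocumented and publishes the port on every host interface; a comment stating which service listens on 3030 would help, and if it is only meant for local access a `127.0.0.1:3030:3030` binding limits the exposure. The `# The MISP user ID to run cron jobs as` comment was dropped from `- "CRON_USER_ID=1"`; keeping it costs nothing.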
|
@ -66,7 +66,7 @@ services:
|
||||||
"pull_rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}",
|
"pull_rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}",
|
||||||
"pull": true
|
"pull": true
|
||||||
}
|
}
|
||||||
# Custom Settings
|
# standard settings
|
||||||
- "ADMIN_EMAIL=${ADMIN_EMAIL}"
|
- "ADMIN_EMAIL=${ADMIN_EMAIL}"
|
||||||
- "ADMIN_KEY=${ADMIN_KEY}"
|
- "ADMIN_KEY=${ADMIN_KEY}"
|
||||||
- "ADMIN_ORG=${ADMIN_ORG}"
|
- "ADMIN_ORG=${ADMIN_ORG}"
|
||||||
|
@ -75,6 +75,7 @@ services:
|
||||||
- "NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}"
|
- "NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}"
|
||||||
- "ORGANIZATIONS=${ORGANIZATIONS}"
|
- "ORGANIZATIONS=${ORGANIZATIONS}"
|
||||||
- "VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}"
|
- "VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}"
|
||||||
|
|
||||||
misp-modules:
|
misp-modules:
|
||||||
image: ostefano/misp-docker:modules-latest
|
image: ostefano/misp-docker:modules-latest
|
||||||
build:
|
build:
|
||||||
|
|
|
@ -25,7 +25,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||||
RUN if [ ! -z ${MODULES_COMMIT} ]; then \
|
RUN if [ ! -z ${MODULES_COMMIT} ]; then \
|
||||||
git clone https://github.com/MISP/misp-modules.git /srv/misp-modules && cd /srv/misp-modules && git checkout ${MODULES_COMMIT}; \
|
git clone https://github.com/MISP/misp-modules.git /srv/misp-modules && cd /srv/misp-modules && git checkout ${MODULES_COMMIT}; \
|
||||||
else git clone --branch ${MODULES_TAG} --depth 1 https://github.com/MISP/misp-modules.git /srv/misp-modules; fi
|
else git clone --branch ${MODULES_TAG} --depth 1 https://github.com/MISP/misp-modules.git /srv/misp-modules; fi
|
||||||
RUN cd /srv/misp-modules || exit; sed -i 's/-e //g' REQUIREMENTS; pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/
|
RUN cd /srv/misp-modules; \
|
||||||
|
echo "pyeti" >> REQUIREMENTS; \
|
||||||
|
echo "git+https://github.com/abenassi/Google-Search-API" >> REQUIREMENTS; \
|
||||||
|
sed -i 's/-e //g' REQUIREMENTS; \
|
||||||
|
pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/
|
||||||
|
|
||||||
RUN git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup; \
|
RUN git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup; \
|
||||||
cd /srv/faup/build || exit; cmake .. && make install; \
|
cd /srv/faup/build || exit; cmake .. && make install; \
|
||||||
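Review bot: `echo "git+https://github.com/abenassi/Google-Search-API" >> REQUIREMENTS` pulls the unpinned HEAD of a third-party repository into the image at build time, so the build is neither reproducible nor protected against that repository changing under you; pin it to a commit, `git+https://github.com/abenassi/Google-Search-API@<commit-sha>` (placeholder), and pin `pyeti` to a version the same way. The rewritten `RUN cd /srv/misp-modules; \` also drops the `|| exit` guard the old line had, so a failed `cd` would run the `sed` and `pip3 wheel` steps in the build's working directory instead of aborting; `RUN cd /srv/misp-modules || exit 1; \` restores the fail-fast behaviour. The server Dockerfile hunk that rewrites `RUN cd /var/www/MISP; git submodule update --init --recursive .; cd /var/www/MISP/app; \` drops the same guard on both `cd` calls.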
|
@ -56,4 +60,12 @@ RUN pip install --use-deprecated=legacy-resolver /wheel/*.whl; ldconfig
|
||||||
RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \
|
RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \
|
||||||
/usr/local/lib/python3.9/site-packages/pyfaup/__init__.py
|
/usr/local/lib/python3.9/site-packages/pyfaup/__init__.py
|
||||||
|
|
||||||
|
# Remove double logging
|
||||||
|
RUN sed -i "/logging.basicConfig/d" \
|
||||||
|
/usr/local/lib/python3.9/site-packages/apiosintDS/apiosintDS.py; \
|
||||||
|
sed -i "/logging.basicConfig/d" \
|
||||||
|
/usr/local/lib/python3.9/site-packages/apiosintDS/modules/dosearch.py; \
|
||||||
|
sed -i "/logging.basicConfig/d" \
|
||||||
|
/usr/local/lib/python3.9/site-packages/apiosintDS/modules/listutils.py
|
||||||
|
|
||||||
ENTRYPOINT [ "/usr/local/bin/misp-modules", "-l", "0.0.0.0"]
|
ENTRYPOINT [ "/usr/local/bin/misp-modules", "-l", "0.0.0.0"]
|
||||||
|
|
|
@ -7,11 +7,13 @@ FROM "${DOCKER_HUB_PROXY}composer:2.1.14" as composer-build
|
||||||
RUN composer install --ignore-platform-reqs && \
|
RUN composer install --ignore-platform-reqs && \
|
||||||
composer require jakub-onderka/openid-connect-php:1.0.0-rc1 --ignore-platform-reqs && \
|
composer require jakub-onderka/openid-connect-php:1.0.0-rc1 --ignore-platform-reqs && \
|
||||||
composer require --with-all-dependencies supervisorphp/supervisor:^4.0 \
|
composer require --with-all-dependencies supervisorphp/supervisor:^4.0 \
|
||||||
guzzlehttp/guzzle php-http/message lstrojny/fxmlrpc --ignore-platform-reqs
|
guzzlehttp/guzzle php-http/message lstrojny/fxmlrpc --ignore-platform-reqs && \
|
||||||
|
composer require --with-all-dependencies elasticsearch/elasticsearch:^8.7.0 aws/aws-sdk-php --ignore-platform-reqs
|
||||||
|
|
||||||
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build
|
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build
|
||||||
RUN apt-get update; apt-get install -y --no-install-recommends \
|
RUN apt-get update; apt-get install -y --no-install-recommends \
|
||||||
gcc \
|
gcc \
|
||||||
|
g++ \
|
||||||
make \
|
make \
|
||||||
libfuzzy-dev \
|
libfuzzy-dev \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
|
@ -19,14 +21,14 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build
|
||||||
php-dev \
|
php-dev \
|
||||||
php-pear \
|
php-pear \
|
||||||
librdkafka-dev \
|
librdkafka-dev \
|
||||||
|
libsimdjson-dev \
|
||||||
git \
|
git \
|
||||||
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
RUN pecl channel-update pecl.php.net
|
RUN pecl channel-update pecl.php.net
|
||||||
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka
|
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka && pecl install simdjson
|
||||||
RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install
|
RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install
|
||||||
|
|
||||||
|
|
||||||
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
|
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
|
||||||
RUN apt-get update; apt-get install -y --no-install-recommends \
|
RUN apt-get update; apt-get install -y --no-install-recommends \
|
||||||
gcc \
|
gcc \
|
||||||
|
@ -78,7 +80,7 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
|
||||||
cd pydeep || exit; python3 setup.py bdist_wheel -d /wheels
|
cd pydeep || exit; python3 setup.py bdist_wheel -d /wheels
|
||||||
|
|
||||||
# Grab other modules we need
|
# Grab other modules we need
|
||||||
RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief
|
RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief==0.12.3
|
||||||
|
|
||||||
# Remove extra packages due to incompatible requirements.txt files
|
# Remove extra packages due to incompatible requirements.txt files
|
||||||
WORKDIR /wheels
|
WORKDIR /wheels
|
||||||
|
@ -125,6 +127,7 @@ ARG PHP_VER
|
||||||
php-zip \
|
php-zip \
|
||||||
librdkafka1 \
|
librdkafka1 \
|
||||||
libbrotli1 \
|
libbrotli1 \
|
||||||
|
libsimdjson5 \
|
||||||
# Unsure we need these
|
# Unsure we need these
|
||||||
zip unzip \
|
zip unzip \
|
||||||
# Require for advanced an unattended configuration
|
# Require for advanced an unattended configuration
|
||||||
|
@ -136,7 +139,7 @@ ARG PHP_VER
|
||||||
RUN if [ ! -z ${MISP_COMMIT} ]; then \
|
RUN if [ ! -z ${MISP_COMMIT} ]; then \
|
||||||
git clone https://github.com/MISP/MISP.git /var/www/MISP && cd /var/www/MISP && git checkout ${MISP_COMMIT}; \
|
git clone https://github.com/MISP/MISP.git /var/www/MISP && cd /var/www/MISP && git checkout ${MISP_COMMIT}; \
|
||||||
else git clone --branch ${MISP_TAG} --depth 1 https://github.com/MISP/MISP.git /var/www/MISP; fi
|
else git clone --branch ${MISP_TAG} --depth 1 https://github.com/MISP/MISP.git /var/www/MISP; fi
|
||||||
RUN cd /var/www/MISP/app || exit; git submodule update --init --recursive .; \
|
RUN cd /var/www/MISP; git submodule update --init --recursive .; cd /var/www/MISP/app; \
|
||||||
# Remove some old and broken links that pollute the log files
|
# Remove some old and broken links that pollute the log files
|
||||||
rm -rf /var/www/MISP/INSTALL/old
|
rm -rf /var/www/MISP/INSTALL/old
|
||||||
|
|
||||||
|
@ -149,24 +152,21 @@ ARG PHP_VER
|
||||||
COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so
|
COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so
|
||||||
COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so
|
COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so
|
||||||
COPY --from=php-build /usr/lib/php/${PHP_VER}/brotli.so /usr/lib/php/${PHP_VER}/brotli.so
|
COPY --from=php-build /usr/lib/php/${PHP_VER}/brotli.so /usr/lib/php/${PHP_VER}/brotli.so
|
||||||
|
COPY --from=php-build /usr/lib/php/${PHP_VER}/simdjson.so /usr/lib/php/${PHP_VER}/simdjson.so
|
||||||
|
|
||||||
COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor
|
COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor
|
||||||
COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin
|
COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin
|
||||||
|
|
||||||
RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka
|
RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka
|
||||||
RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli
|
RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli
|
||||||
|
RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done; phpenmod ssdeep
|
||||||
RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done \
|
RUN for dir in /etc/php/*; do echo "extension=simdjson.so" > "$dir/mods-available/simdjson.ini"; done; phpenmod simdjson
|
||||||
;phpenmod redis \
|
RUN phpenmod redis
|
||||||
# Enable ssdeep we build earlier
|
|
||||||
;phpenmod ssdeep
|
|
||||||
|
|
||||||
# nginx
|
# nginx
|
||||||
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
|
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
|
||||||
COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
|
COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
|
||||||
COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
|
|
||||||
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
|
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
|
||||||
COPY files/etc/nginx/misp80-noredir /etc/nginx/sites-available/misp80-noredir
|
|
||||||
|
|
||||||
# Make a copy of the file store, so we can sync from it
|
# Make a copy of the file store, so we can sync from it
|
||||||
RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
|
RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
|
||||||
|
@ -174,10 +174,18 @@ ARG PHP_VER
|
||||||
# Make a copy of the configurations, so we can sync from it
|
# Make a copy of the configurations, so we can sync from it
|
||||||
RUN cp -R /var/www/MISP/app/Config /var/www/MISP/app/Config.dist
|
RUN cp -R /var/www/MISP/app/Config /var/www/MISP/app/Config.dist
|
||||||
|
|
||||||
|
# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions
|
||||||
|
RUN find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
|
||||||
|
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
|
||||||
|
RUN find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} +
|
||||||
|
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
|
||||||
|
RUN find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} +
|
||||||
|
|
||||||
# Entrypoints
|
# Entrypoints
|
||||||
COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/10-supervisor.conf
|
COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/10-supervisor.conf
|
||||||
COPY files/etc/supervisor/workers.conf /etc/supervisor/conf.d/50-workers.conf
|
COPY files/etc/supervisor/workers.conf /etc/supervisor/conf.d/50-workers.conf
|
||||||
COPY files/entrypoint_internal.sh /
|
COPY files/var/www/html/index.php /var/www/html/index.php
|
||||||
|
COPY files/configure_misp.sh /
|
||||||
COPY files/entrypoint_fpm.sh /
|
COPY files/entrypoint_fpm.sh /
|
||||||
COPY files/entrypoint_nginx.sh /
|
COPY files/entrypoint_nginx.sh /
|
||||||
COPY files/entrypoint_cron.sh /
|
COPY files/entrypoint_cron.sh /
|
||||||
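Review bot: `RUN find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} +` strips the write bit from every file, including the `app/Config` tree that `configure_misp.sh` later edits as www-data via `modify_config.php`; with the directories left 0770 a tool that replaces the file works, but one that rewrites it in place would get permission denied, so this is worth confirming against how that script writes config. Note that `app/Config`, `app/tmp/logs` and `app/files` are bind-mounted in `docker-compose.yml`, so for those paths the runtime permissions come from the host directories and the image-side chmod has no effect. Making every file executable is also wider than the 'cake' example in the comment justifies; applying +x only to known scripts and 0440 elsewhere would follow least privilege. The rationale comments are welcome; fix `upstrem` → `upstream` while here.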
|
|
|
@ -2,6 +2,39 @@
|
||||||
|
|
||||||
[ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
|
[ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
|
||||||
[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
|
[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
|
||||||
|
[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis
|
||||||
|
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
|
||||||
|
|
||||||
|
init_misp_configuration(){
|
||||||
|
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
|
||||||
|
echo "... configuring default settings"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3)
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
|
||||||
|
}
|
||||||
|
|
||||||
|
init_misp_workers(){
|
||||||
|
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
|
||||||
|
echo "... configuring background workers"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" true
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor"
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
|
||||||
|
|
||||||
|
echo "... starting background workers"
|
||||||
|
supervisorctl start misp-workers:*
|
||||||
|
}
|
||||||
|
|
||||||
init_gnupg() {
|
init_gnupg() {
|
||||||
GPG_DIR=/var/www/MISP/.gnupg
|
GPG_DIR=/var/www/MISP/.gnupg
|
||||||
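Review bot: `init_misp_workers` writes a fixed credential into the MISP settings store, `setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor"` together with the matching `supervisor_user`; even if supervisord is only reachable on 127.0.0.1 inside the container, a hard-coded password in configuration that may be backed up or exported is worth avoiding. The file already uses an env-override pattern for `REDIS_FQDN` and `MISP_MODULES_FQDN` at the top, so `[ -z "$SUPERVISOR_PASSWORD" ] && SUPERVISOR_PASSWORD="supervisor"` followed by passing `"$SUPERVISOR_PASSWORD"` keeps it consistent, with the same value presumably also needed in `files/etc/supervisor/supervisor.conf`. In `init_misp_configuration`, `$(which python3)` is the only unquoted argument on its line; `"$(which python3)"` matches the neighbouring quoting and prevents an empty result from silently dropping the argument.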
|
@ -9,7 +42,7 @@ init_gnupg() {
|
||||||
GPG_TMP=/tmp/gpg.tmp
|
GPG_TMP=/tmp/gpg.tmp
|
||||||
|
|
||||||
if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then
|
if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then
|
||||||
echo "Generating GPG key ... (please be patient, we need some entropy)"
|
echo "... generating new GPG key in ${GPG_DIR}"
|
||||||
cat >${GPG_TMP} <<GPGEOF
|
cat >${GPG_TMP} <<GPGEOF
|
||||||
%echo Generating a basic OpenPGP key
|
%echo Generating a basic OpenPGP key
|
||||||
Key-Type: RSA
|
Key-Type: RSA
|
||||||
|
@ -25,7 +58,7 @@ GPGEOF
|
||||||
gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP}
|
gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP}
|
||||||
rm -f ${GPG_TMP}
|
rm -f ${GPG_TMP}
|
||||||
else
|
else
|
||||||
echo "Using pre-generated GPG key in ${GPG_DIR}"
|
echo "... found pre-generated GPG key in ${GPG_DIR}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Fix permissions
|
# Fix permissions
|
||||||
|
@ -34,10 +67,10 @@ GPGEOF
|
||||||
find ${GPG_DIR} -type d -exec chmod 700 {} \;
|
find ${GPG_DIR} -type d -exec chmod 700 {} \;
|
||||||
|
|
||||||
if [ ! -f ${GPG_ASC} ]; then
|
if [ ! -f ${GPG_ASC} ]; then
|
||||||
echo "Exporting GPG key ..."
|
echo "... exporting GPG key"
|
||||||
sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${ADMIN_EMAIL} > ${GPG_ASC}
|
sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${ADMIN_EMAIL} > ${GPG_ASC}
|
||||||
else
|
else
|
||||||
echo "Found exported key ${GPG_ASC}"
|
echo "... found exported key ${GPG_ASC}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "${ADMIN_EMAIL}"
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "${ADMIN_EMAIL}"
|
||||||
|
@ -64,14 +97,14 @@ init_user() {
|
||||||
echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD}
|
echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD}
|
||||||
fi
|
fi
|
||||||
if [ ! -z "$ADMIN_KEY" ]; then
|
if [ ! -z "$ADMIN_KEY" ]; then
|
||||||
echo "Customize MISP | Setting admin key to '${ADMIN_KEY}'"
|
echo "... setting admin key to '${ADMIN_KEY}'"
|
||||||
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
|
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
|
||||||
else
|
else
|
||||||
echo "Customize MISP | Regenerating admin key"
|
echo "... regenerating admin key"
|
||||||
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
|
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
|
||||||
fi
|
fi
|
||||||
ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'`
|
ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'`
|
||||||
echo "Customize MISP | Admin user key set to '${ADMIN_KEY}'"
|
echo "... admin user key set to '${ADMIN_KEY}'"
|
||||||
}
|
}
|
||||||
|
|
||||||
apply_critical_fixes() {
|
apply_critical_fixes() {
|
||||||
|
@ -81,9 +114,19 @@ apply_critical_fixes() {
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" false
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" false
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_popover_only" false
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_popover_only" false
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true
|
||||||
|
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||||
|
\"Security\": {
|
||||||
|
\"rest_client_baseurl\": \"${HOSTNAME}\"
|
||||||
|
}
|
||||||
|
}" > /dev/null
|
||||||
|
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||||
|
\"Security\": {
|
||||||
|
\"auth\": \"\"
|
||||||
|
}
|
||||||
|
}" > /dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
apply_custom_settings() {
|
apply_optional_fixes() {
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_top" ""
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_top" ""
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_bottom" ""
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_bottom" ""
|
||||||
|
|
||||||
|
@ -99,9 +142,9 @@ apply_custom_settings() {
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 5
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 5
|
||||||
}
|
}
|
||||||
|
|
||||||
configure_plugins() {
|
configure_optional_plugins() {
|
||||||
if [ ! -z "$VIRUSTOTAL_KEY" ]; then
|
if [ ! -z "$VIRUSTOTAL_KEY" ]; then
|
||||||
echo "Customize MISP | Enabling 'virustotal' module ..."
|
echo "... enabling 'virustotal' module ..."
|
||||||
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||||
\"Plugin\": {
|
\"Plugin\": {
|
||||||
\"Enrichment_virustotal_enabled\": true,
|
\"Enrichment_virustotal_enabled\": true,
|
||||||
|
@ -111,7 +154,7 @@ configure_plugins() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -z "$VIRUSTOTAL_KEY" ] && [ ! -z "$NSX_ANALYSIS_KEY" ] && [ ! -z "$NSX_ANALYSIS_API_TOKEN" ] && [ ! -z "$ADMIN_KEY" ]; then
|
if [ ! -z "$VIRUSTOTAL_KEY" ] && [ ! -z "$NSX_ANALYSIS_KEY" ] && [ ! -z "$NSX_ANALYSIS_API_TOKEN" ] && [ ! -z "$ADMIN_KEY" ]; then
|
||||||
echo "Customize MISP | Enabling 'vmware_nsx' module ..."
|
echo "... enabling 'vmware_nsx' module ..."
|
||||||
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||||
\"Plugin\": {
|
\"Plugin\": {
|
||||||
\"Enrichment_vmware_nsx_enabled\": true,
|
\"Enrichment_vmware_nsx_enabled\": true,
|
||||||
|
@ -127,56 +170,12 @@ configure_plugins() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
configure_email() {
|
updateComponents() {
|
||||||
sudo -u www-data tee /var/www/MISP/app/Config/email.php > /dev/null <<EOT
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
|
||||||
<?php
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
|
||||||
class EmailConfig {
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
|
||||||
public \$default = array(
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
|
||||||
'transport' => 'Smtp',
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
|
||||||
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
|
|
||||||
'host' => 'mail',
|
|
||||||
'port' => 25,
|
|
||||||
'timeout' => 30,
|
|
||||||
'client' => null,
|
|
||||||
'log' => false,
|
|
||||||
);
|
|
||||||
public \$smtp = array(
|
|
||||||
'transport' => 'Smtp',
|
|
||||||
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
|
|
||||||
'host' => 'mail',
|
|
||||||
'port' => 25,
|
|
||||||
'timeout' => 30,
|
|
||||||
'client' => null,
|
|
||||||
'log' => false,
|
|
||||||
);
|
|
||||||
public \$fast = array(
|
|
||||||
'from' => 'misp-dev@admin.test',
|
|
||||||
'sender' => null,
|
|
||||||
'to' => null,
|
|
||||||
'cc' => null,
|
|
||||||
'bcc' => null,
|
|
||||||
'replyTo' => null,
|
|
||||||
'readReceipt' => null,
|
|
||||||
'returnPath' => null,
|
|
||||||
'messageId' => true,
|
|
||||||
'subject' => null,
|
|
||||||
'message' => null,
|
|
||||||
'headers' => null,
|
|
||||||
'viewRender' => null,
|
|
||||||
'template' => false,
|
|
||||||
'layout' => false,
|
|
||||||
'viewVars' => null,
|
|
||||||
'attachments' => null,
|
|
||||||
'emailFormat' => null,
|
|
||||||
'transport' => 'Smtp',
|
|
||||||
'host' => 'mail',
|
|
||||||
'port' => 25,
|
|
||||||
'timeout' => 30,
|
|
||||||
'client' => null,
|
|
||||||
'log' => true,
|
|
||||||
);
|
|
||||||
}
|
|
||||||
EOT
|
|
||||||
}
|
}
|
||||||
|
|
||||||
add_organization() {
|
add_organization() {
|
||||||
|
@ -196,7 +195,7 @@ get_organization() {
|
||||||
curl -s --show-error -k \
|
curl -s --show-error -k \
|
||||||
-H "Authorization: ${ADMIN_KEY}" \
|
-H "Authorization: ${ADMIN_KEY}" \
|
||||||
-H "Accept: application/json" \
|
-H "Accept: application/json" \
|
||||||
-H "Content-type: application/json" ${HOSTNAME}/organisations/view/${1} | jq -e -r ".Organisation.id"
|
-H "Content-type: application/json" ${HOSTNAME}/organisations/view/${1} | jq -e -r ".Organisation.id // empty"
|
||||||
}
|
}
|
||||||
|
|
||||||
add_server() {
|
add_server() {
|
||||||
|
@ -214,38 +213,20 @@ get_server() {
|
||||||
-H "Content-type: application/json" ${HOSTNAME}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${1}\") | .Server.id"
|
-H "Content-type: application/json" ${HOSTNAME}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${1}\") | .Server.id"
|
||||||
}
|
}
|
||||||
|
|
||||||
updateComponents() {
|
create_organizations() {
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
|
|
||||||
}
|
|
||||||
|
|
||||||
echo "Customize MISP | Configure email ..." && configure_email
|
|
||||||
|
|
||||||
echo "Customize MISP | Configure GPG key ..." && init_gnupg
|
|
||||||
|
|
||||||
echo "Customize MISP | Running updates ..." && apply_updates
|
|
||||||
|
|
||||||
echo "Customize MISP | Init default user and organization ..." && init_user
|
|
||||||
|
|
||||||
echo "Customize MISP | Resolve critical issues ..." && apply_critical_fixes
|
|
||||||
|
|
||||||
echo "Customize MISP | Customize installation ..." && apply_custom_settings
|
|
||||||
|
|
||||||
# This item last so we had a chance to create the ADMIN_KEY if not specified
|
|
||||||
echo "Customize MISP | Configure plugins ..." && configure_plugins
|
|
||||||
|
|
||||||
# Create organizations (and silently fail if present already)
|
|
||||||
echo "Customize MISP | Creating organizations ..."
|
|
||||||
SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n')
|
SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n')
|
||||||
for ORG in $SPLITTED_ORGS; do
|
for ORG in $SPLITTED_ORGS; do
|
||||||
echo "Adding organization: $ORG"
|
ORG_ID=$(get_organization ${ORG})
|
||||||
|
if [[ -z $ORG_ID ]]; then
|
||||||
|
echo "... adding organization: $ORG"
|
||||||
add_organization $ORG true
|
add_organization $ORG true
|
||||||
|
else
|
||||||
|
echo "... organization $ORG already exists"
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
}
|
||||||
|
|
||||||
echo "Customize MISP | Creating sync servers ..."
|
create_sync_servers() {
|
||||||
SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
|
SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
|
||||||
for ID in $SPLITTED_SYNCSERVERS; do
|
for ID in $SPLITTED_SYNCSERVERS; do
|
||||||
NAME="SYNCSERVERS_${ID}_NAME"
|
NAME="SYNCSERVERS_${ID}_NAME"
|
||||||
|
@ -253,15 +234,37 @@ for ID in $SPLITTED_SYNCSERVERS; do
|
||||||
DATA="SYNCSERVERS_${ID}_DATA"
|
DATA="SYNCSERVERS_${ID}_DATA"
|
||||||
KEY="SYNCSERVERS_${ID}_KEY"
|
KEY="SYNCSERVERS_${ID}_KEY"
|
||||||
if ! get_server ${!NAME}; then
|
if ! get_server ${!NAME}; then
|
||||||
echo "Customize MISP | Configuring sync server ${!NAME}..."
|
echo "... configuring sync server ${!NAME}..."
|
||||||
add_organization ${!NAME} false ${!UUID}
|
add_organization ${!NAME} false ${!UUID}
|
||||||
ORG_ID=$(get_organization ${!UUID})
|
ORG_ID=$(get_organization ${!UUID})
|
||||||
DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY} '. + {remote_org_id: $org_id, name: $name, authkey: $key}')
|
DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY} '. + {remote_org_id: $org_id, name: $name, authkey: $key}')
|
||||||
add_server "$DATA"
|
add_server "$DATA"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
}
|
||||||
|
|
||||||
echo "Customize MISP | Updating components ..." && updateComponents
|
|
||||||
|
|
||||||
# Make the instance live
|
echo "MISP | Initialize configuration ..." && init_misp_configuration
|
||||||
|
|
||||||
|
echo "MISP | Initialize workers ..." && init_misp_workers
|
||||||
|
|
||||||
|
echo "MISP | Configure GPG key ..." && init_gnupg
|
||||||
|
|
||||||
|
echo "MISP | Running updates ..." && apply_updates
|
||||||
|
|
||||||
|
echo "MISP | Init default user and organization ..." && init_user
|
||||||
|
|
||||||
|
echo "MISP | Resolve critical issues ..." && apply_critical_fixes
|
||||||
|
|
||||||
|
echo "MISP | Resolve non-critical issues ..." && apply_optional_fixes
|
||||||
|
|
||||||
|
echo "MISP | Creating organizations ..." && create_organizations
|
||||||
|
|
||||||
|
echo "MISP | Creating sync servers ..." && create_sync_servers
|
||||||
|
|
||||||
|
echo "MISP | Updating components ..." && updateComponents
|
||||||
|
|
||||||
|
echo "MISP | Configure plugins with newly generate admin key ..." && configure_optional_plugins
|
||||||
|
|
||||||
|
echo "MISP | Marking instance live"
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
|
|
@ -21,7 +21,7 @@ change_php_vars() {
|
||||||
|
|
||||||
echo "Configure PHP | Change PHP values ..." && change_php_vars
|
echo "Configure PHP | Change PHP values ..." && change_php_vars
|
||||||
|
|
||||||
echo "Starting PHP FPM"
|
echo "Configure PHP | Starting PHP FPM"
|
||||||
/usr/sbin/php-fpm7.4 -R -F & master_pid=$!
|
/usr/sbin/php-fpm7.4 -R -F & master_pid=$!
|
||||||
|
|
||||||
# Wait for it
|
# Wait for it
|
||||||
|
|
|
@ -8,80 +8,13 @@ term_proc() {
|
||||||
|
|
||||||
trap term_proc SIGTERM
|
trap term_proc SIGTERM
|
||||||
|
|
||||||
MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
|
|
||||||
[ -z "$MYSQL_HOST" ] && MYSQL_HOST=db
|
[ -z "$MYSQL_HOST" ] && MYSQL_HOST=db
|
||||||
[ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306
|
[ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306
|
||||||
[ -z "$MYSQL_USER" ] && MYSQL_USER=misp
|
[ -z "$MYSQL_USER" ] && MYSQL_USER=misp
|
||||||
[ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example
|
[ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example
|
||||||
[ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp
|
[ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp
|
||||||
[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis
|
[ -z "$MYSQLCMD" ] && export MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
|
||||||
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
|
|
||||||
[ -z "$MYSQLCMD" ] && MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
|
|
||||||
|
|
||||||
ENTRYPOINT_PID_FILE="/entrypoint_apache.install"
|
|
||||||
[ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE
|
|
||||||
|
|
||||||
init_misp_config(){
|
|
||||||
[ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
|
|
||||||
[ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
|
|
||||||
[ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
|
|
||||||
[ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
|
|
||||||
[ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
|
|
||||||
[ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
|
|
||||||
|
|
||||||
echo "Configure MISP | Set DB User, Password and Host in database.php"
|
|
||||||
sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php
|
|
||||||
sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
|
|
||||||
sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
|
|
||||||
sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
|
|
||||||
}
|
|
||||||
|
|
||||||
init_misp_defaults(){
|
|
||||||
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
|
|
||||||
echo "Configure sane defaults"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3)
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
init_misp_workers(){
|
|
||||||
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
|
|
||||||
echo "Configuring background workers"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" true
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor"
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
|
|
||||||
|
|
||||||
echo "Starting background workers"
|
|
||||||
supervisorctl start misp-workers:*
|
|
||||||
}
|
|
||||||
|
|
||||||
init_misp_files(){
|
|
||||||
if [ ! -f /var/www/MISP/app/files/INIT ]; then
|
|
||||||
cp -R /var/www/MISP/app/files.dist/* /var/www/MISP/app/files
|
|
||||||
touch /var/www/MISP/app/files/INIT
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
init_ssl() {
|
|
||||||
if [[ (! -f /etc/nginx/certs/cert.pem) || (! -f /etc/nginx/certs/key.pem) ]];
|
|
||||||
then
|
|
||||||
cd /etc/nginx/certs
|
|
||||||
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
init_mysql(){
|
init_mysql(){
|
||||||
# Test when MySQL is ready....
|
# Test when MySQL is ready....
|
||||||
|
@ -99,137 +32,209 @@ init_mysql(){
|
||||||
|
|
||||||
RETRY=100
|
RETRY=100
|
||||||
until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do
|
until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do
|
||||||
echo "Waiting for database to come up"
|
echo "... waiting for database to come up"
|
||||||
sleep 5
|
sleep 5
|
||||||
RETRY=$(( RETRY - 1))
|
RETRY=$(( RETRY - 1))
|
||||||
done
|
done
|
||||||
if [ $RETRY -le 0 ]; then
|
if [ $RETRY -le 0 ]; then
|
||||||
>&2 echo "Error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT"
|
>&2 echo "... error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $(isDBinitDone) -eq 0 ]; then
|
if [ $(isDBinitDone) -eq 0 ]; then
|
||||||
echo "Database has already been initialized"
|
echo "... database has already been initialized"
|
||||||
else
|
else
|
||||||
echo "Database has not been initialized, importing MySQL scheme..."
|
echo "... database has not been initialized, importing MySQL scheme..."
|
||||||
$MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
|
$MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
sync_files(){
|
init_misp_data_files(){
|
||||||
|
# Init config (shared with host)
|
||||||
|
echo "... initializing configuration files"
|
||||||
|
MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
|
||||||
|
[ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
|
||||||
|
[ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
|
||||||
|
[ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
|
||||||
|
[ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
|
||||||
|
[ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
|
||||||
|
[ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
|
||||||
|
|
||||||
|
echo "... initializing database.php settings"
|
||||||
|
sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php
|
||||||
|
sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
|
||||||
|
sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
|
||||||
|
sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
|
||||||
|
|
||||||
|
echo "... initializing email.php settings"
|
||||||
|
sudo -u www-data tee /var/www/MISP/app/Config/email.php > /dev/null <<EOT
|
||||||
|
<?php
|
||||||
|
class EmailConfig {
|
||||||
|
public \$default = array(
|
||||||
|
'transport' => 'Smtp',
|
||||||
|
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
|
||||||
|
'host' => 'mail',
|
||||||
|
'port' => 25,
|
||||||
|
'timeout' => 30,
|
||||||
|
'client' => null,
|
||||||
|
'log' => false,
|
||||||
|
);
|
||||||
|
public \$smtp = array(
|
||||||
|
'transport' => 'Smtp',
|
||||||
|
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
|
||||||
|
'host' => 'mail',
|
||||||
|
'port' => 25,
|
||||||
|
'timeout' => 30,
|
||||||
|
'client' => null,
|
||||||
|
'log' => false,
|
||||||
|
);
|
||||||
|
public \$fast = array(
|
||||||
|
'from' => 'misp-dev@admin.test',
|
||||||
|
'sender' => null,
|
||||||
|
'to' => null,
|
||||||
|
'cc' => null,
|
||||||
|
'bcc' => null,
|
||||||
|
'replyTo' => null,
|
||||||
|
'readReceipt' => null,
|
||||||
|
'returnPath' => null,
|
||||||
|
'messageId' => true,
|
||||||
|
'subject' => null,
|
||||||
|
'message' => null,
|
||||||
|
'headers' => null,
|
||||||
|
'viewRender' => null,
|
||||||
|
'template' => false,
|
||||||
|
'layout' => false,
|
||||||
|
'viewVars' => null,
|
||||||
|
'attachments' => null,
|
||||||
|
'emailFormat' => null,
|
||||||
|
'transport' => 'Smtp',
|
||||||
|
'host' => 'mail',
|
||||||
|
'port' => 25,
|
||||||
|
'timeout' => 30,
|
||||||
|
'client' => null,
|
||||||
|
'log' => true,
|
||||||
|
);
|
||||||
|
}
|
||||||
|
EOT
|
||||||
|
|
||||||
|
# Init files (shared with host)
|
||||||
|
echo "... initializing app files"
|
||||||
|
MISP_APP_FILES_PATH=/var/www/MISP/app/files
|
||||||
|
if [ ! -f ${MISP_APP_FILES_PATH}/INIT ]; then
|
||||||
|
cp -R ${MISP_APP_FILES_PATH}.dist/* ${MISP_APP_FILES_PATH}
|
||||||
|
touch ${MISP_APP_FILES_PATH}/INIT
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
update_misp_data_files(){
|
||||||
for DIR in $(ls /var/www/MISP/app/files.dist); do
|
for DIR in $(ls /var/www/MISP/app/files.dist); do
|
||||||
|
echo "... rsync -azh --delete \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
|
||||||
rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
|
rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
# Ensure SSL certs are where we expect them, for backward comparibility See issue #53
|
enforce_misp_data_permissions(){
|
||||||
for CERT in cert.pem dhparams.pem key.pem; do
|
echo "... chown -R www-data:www-data /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
|
||||||
echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"
|
|
||||||
if [[ ! -f "/etc/nginx/certs/$CERT" && -f "/etc/ssl/certs/$CERT" ]]; then
|
|
||||||
WARNING53=true
|
|
||||||
cp /etc/ssl/certs/$CERT /etc/nginx/certs/$CERT
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
# Things we should do when we have the INITIALIZE Env Flag
|
|
||||||
if [[ "$INIT" == true ]]; then
|
|
||||||
echo "Setup MySQL..." && init_mysql
|
|
||||||
echo "Setup MISP files dir..." && init_misp_files
|
|
||||||
echo "Ensure SSL certs exist..." && init_ssl
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Things we should do if we're configuring MISP via ENV
|
|
||||||
echo "Configure MISP | Initialize misp base config..." && init_misp_config
|
|
||||||
|
|
||||||
echo "Configure MISP | Sync app files..." && sync_files
|
|
||||||
|
|
||||||
echo "Configure MISP | Enforce permissions ..."
|
|
||||||
# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions
|
|
||||||
echo "... chown -R www-data:www-data /var/www/MISP ..." && find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
|
|
||||||
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
|
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
|
||||||
echo "... chmod -R 0550 files /var/www/MISP ..." && find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} +
|
echo "... chmod -R 0550 files /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 550 -type f -exec chmod 0550 {} +
|
||||||
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
|
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
|
||||||
echo "... chmod -R 0770 directories /var/www/MISP ..." && find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} +
|
echo "... chmod -R 0770 directories /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 770 -type d -exec chmod 0770 {} +
|
||||||
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
|
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
|
||||||
echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp ..." && chmod -R u+w,g+w /var/www/MISP/app/tmp
|
echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp" && chmod -R u+w,g+w /var/www/MISP/app/tmp
|
||||||
echo "... chmod -R u+w,g+w /var/www/MISP/app/files ..." && chmod -R u+w,g+w /var/www/MISP/app/files
|
|
||||||
# We also make other special files writable (should be 660)
|
|
||||||
echo "... chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php ... " && chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php
|
|
||||||
|
|
||||||
# Configuring defaults now
|
echo "... chown -R www-data:www-data /var/www/MISP/app/files" && find /var/www/MISP/app/files \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
|
||||||
echo "Configure MISP | Setting defaults ..." && init_misp_defaults
|
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
|
||||||
|
echo "... chmod -R 0550 files /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 550 -type f -exec chmod 0550 {} +
|
||||||
|
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
|
||||||
|
echo "... chmod -R 0770 directories /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 770 -type d -exec chmod 0770 {} +
|
||||||
|
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
|
||||||
|
echo "... chmod -R u+w,g+w /var/www/MISP/app/files" && chmod -R u+w,g+w /var/www/MISP/app/files
|
||||||
|
|
||||||
# Workers are set to NOT auto start so we have time to enforce permissions on the cache first
|
echo "... chown -R www-data:www-data /var/www/MISP/app/Config" && find /var/www/MISP/app/Config \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
|
||||||
echo "Configure MISP | Starting workers ..." && init_misp_workers
|
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
|
||||||
|
echo "... chmod -R 0550 files /var/www/MISP/app/Config ..." && find /var/www/MISP/app/Config -not -perm 550 -type f -exec chmod 0550 {} +
|
||||||
|
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
|
||||||
|
echo "... chmod -R 0770 directories /var/www/MISP/app/Config" && find /var/www/MISP/app/Config -not -perm 770 -type d -exec chmod 0770 {} +
|
||||||
|
# We make configuration files read only
|
||||||
|
echo "... chmod 600 /var/www/MISP/app/Config/{config,database,email}.php" && chmod 600 /var/www/MISP/app/Config/{config,database,email}.php
|
||||||
|
}
|
||||||
|
|
||||||
# Work around https://github.com/MISP/MISP/issues/5608
|
flip_nginx() {
|
||||||
if [[ ! -f /var/www/MISP/PyMISP/pymisp/data/describeTypes.json ]]; then
|
local live="$1";
|
||||||
mkdir -p /var/www/MISP/PyMISP/pymisp/data/
|
local reload="$2";
|
||||||
ln -s /usr/local/lib/python3.9/dist-packages/pymisp/data/describeTypes.json /var/www/MISP/PyMISP/pymisp/data/describeTypes.json
|
|
||||||
|
if [[ "$live" = "true" ]]; then
|
||||||
|
NGINX_DOC_ROOT=/var/www/MISP/app/webroot
|
||||||
|
elif [[ -x /custom/files/var/www/html/index.php ]]; then
|
||||||
|
NGINX_DOC_ROOT=/custom/files/var/www/html/
|
||||||
|
else
|
||||||
|
NGINX_DOC_ROOT=/var/www/html/
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! -L "/etc/nginx/sites-enabled/misp80" && "$NOREDIR" == true ]]; then
|
# must be valid for all roots
|
||||||
echo "Configure NGINX | Disabling Port 80 Redirect"
|
echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
|
||||||
ln -s /etc/nginx/sites-available/misp80-noredir /etc/nginx/sites-enabled/misp80
|
sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
|
||||||
elif [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
|
|
||||||
echo "Configure NGINX | Enable Port 80 Redirect"
|
if [[ "$reload" = "true" ]]; then
|
||||||
|
echo "... nginx reloaded"
|
||||||
|
nginx -s reload
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
init_nginx() {
|
||||||
|
if [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
|
||||||
|
echo "... enabling port 80 redirect"
|
||||||
ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
|
ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
|
||||||
else
|
else
|
||||||
echo "Configure NGINX | Port 80 already configured"
|
echo "... port 80 already configured"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then
|
if [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
|
||||||
echo "Configure NGINX | Using Secure SSL"
|
echo "... enabling port 443"
|
||||||
ln -s /etc/nginx/sites-available/misp-secure /etc/nginx/sites-enabled/misp
|
|
||||||
elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
|
|
||||||
echo "Configure NGINX | Using Standard SSL"
|
|
||||||
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
|
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
|
||||||
else
|
else
|
||||||
echo "Configure NGINX | SSL already configured"
|
echo "... port 443 already configured"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then
|
if [[ ! -f /etc/nginx/certs/cert.pem || ! -f /etc/nginx/certs/key.pem ]]; then
|
||||||
echo "Configure NGINX | Building dhparams.pem"
|
echo "... generating new self-signed TLS certificate"
|
||||||
|
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout /etc/nginx/certs/key.pem -out /etc/nginx/certs/cert.pem -days 365
|
||||||
|
else
|
||||||
|
echo "... TLS certificates found"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ ! -f /etc/nginx/certs/dhparams.pem ]]; then
|
||||||
|
echo "... generating new DH parameters"
|
||||||
openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
|
openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
|
||||||
|
else
|
||||||
|
echo "... DH parameters found"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $CERTAUTH = @(optional|on) ]]; then
|
flip_nginx false false
|
||||||
echo "Configure NGINX | Enabling SSL Cert Authentication"
|
}
|
||||||
grep -qF "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
|
|
||||||
grep -qF "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
|
|
||||||
grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a \\ ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
|
|
||||||
grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a \\ ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp
|
|
||||||
|
|
||||||
echo "Configure bootstrap | Enabling Cert Auth Plugin - Don't forget to configure it https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth (Step 2)"
|
|
||||||
sed -i "s/\/\/ CakePlugin::load('CertAuth');/CakePlugin::load('CertAuth');/" $MISP_APP_CONFIG_PATH/bootstrap.php
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ "$DISIPV6" == true ]]; then
|
# Initialize MySQL
|
||||||
echo "Configure NGINX | Disabling IPv6"
|
echo "INIT | Initialize MySQL ..." && init_mysql
|
||||||
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80
|
|
||||||
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp
|
|
||||||
fi
|
|
||||||
|
|
||||||
# delete pid file
|
# Initialize NGINX
|
||||||
[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
|
echo "INIT | Initialize NGINX ..." && init_nginx
|
||||||
|
|
||||||
if [[ "$WARNING53" == true ]]; then
|
|
||||||
echo "WARNING - WARNING - WARNING"
|
|
||||||
echo "The SSL certs have moved. You currently have them mounted to /etc/ssl/certs."
|
|
||||||
echo "This needs to be changed to /etc/nginx/certs."
|
|
||||||
echo "See: https://github.com/coolacid/docker-misp/issues/53"
|
|
||||||
echo "WARNING - WARNING - WARNING"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ -x /entrypoint_internal.sh ]]; then
|
|
||||||
export MYSQLCMD=${MYSQLCMD}
|
|
||||||
nginx -g 'daemon off;' & master_pid=$!
|
nginx -g 'daemon off;' & master_pid=$!
|
||||||
/entrypoint_internal.sh
|
|
||||||
kill -TERM "$master_pid" 2>/dev/null
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Start NGINX
|
# Initialize MISP
|
||||||
nginx -g 'daemon off;' & master_pid=$!
|
echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
|
||||||
|
echo "INIT | Updating MISP app/files directory ..." && update_misp_data_files
|
||||||
|
echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
|
||||||
|
echo "INIT | Flipping NGINX live ..." && flip_nginx true true
|
||||||
|
|
||||||
|
# Run configure MISP script
|
||||||
|
echo "INIT | Configuring MISP installation ..."
|
||||||
|
/configure_misp.sh
|
||||||
|
|
||||||
|
if [[ -x /custom/files/customize_misp.sh ]]; then
|
||||||
|
echo "INIT | Customizing MISP installation ..."
|
||||||
|
/custom/files/customize_misp.sh
|
||||||
|
fi
|
||||||
|
|
||||||
# Wait for it
|
# Wait for it
|
||||||
wait "$master_pid"
|
wait "$master_pid"
|
||||||
|
|
|
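Review bot: init_misp_data_files rewrites email.php on every container start: the `sudo -u www-data tee ... <<EOT` heredoc near the top of the `@ -99,137 +32,209 @@` hunk runs unconditionally, so the `[ -f $MISP_APP_CONFIG_PATH/email.php ] || cp ...` guard just above it never matters and any operator edits to the host-shared Config volume are lost on restart, which contradicts the "Init config (shared with host)" comment. Guard the write like the other config files, e.g. `[ -f $MISP_APP_CONFIG_PATH/email.php ] || sudo -u www-data tee $MISP_APP_CONFIG_PATH/email.php > /dev/null <<EOT`, and drop the now-redundant cp of email.php from the .dist directory. Separately, in the `@ -8,80 +8,13 @@ term_proc()` hunk the exported `MYSQLCMD` still carries `-p$MYSQL_PASSWORD` on the command line, so the database password is exposed (at least briefly) in the process list whenever `$MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql` runs and the exported value is inherited by `/configure_misp.sh` and `/custom/files/customize_misp.sh`; passing it via `MYSQL_PWD` or a `--defaults-extra-file` keeps it off argv.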
@ -1,12 +1,14 @@
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
# define the root dir
|
||||||
root /var/www/MISP/app/webroot;
|
root /var/www/MISP/app/webroot;
|
||||||
index index.php;
|
index index.php;
|
||||||
|
|
||||||
client_max_body_size 50M;
|
client_max_body_size 50M;
|
||||||
|
|
||||||
# Disable access logs
|
# disable access logs
|
||||||
access_log off;
|
access_log off;
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
error_log /dev/stderr error;
|
error_log /dev/stderr error;
|
||||||
|
@ -27,7 +29,7 @@ server {
|
||||||
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
|
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
|
||||||
add_header X-Frame-Options SAMEORIGIN;
|
add_header X-Frame-Options SAMEORIGIN;
|
||||||
|
|
||||||
# Aded headers for hardening browser security
|
# added headers for hardening browser security
|
||||||
add_header Referrer-Policy "no-referrer" always;
|
add_header Referrer-Policy "no-referrer" always;
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
add_header X-Download-Options "noopen" always;
|
add_header X-Download-Options "noopen" always;
|
||||||
|
@ -36,17 +38,9 @@ server {
|
||||||
add_header X-Robots-Tag "none" always;
|
add_header X-Robots-Tag "none" always;
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
|
|
||||||
# Remove X-Powered-By, which is an information leak
|
# remove X-Powered-By, which is an information leak
|
||||||
fastcgi_hide_header X-Powered-By;
|
fastcgi_hide_header X-Powered-By;
|
||||||
|
|
||||||
location /public {
|
|
||||||
root /mnt;
|
|
||||||
autoindex on;
|
|
||||||
autoindex_exact_size off;
|
|
||||||
autoindex_format html;
|
|
||||||
autoindex_localtime on;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
try_files $uri $uri/ /index.php$is_args$query_string;
|
try_files $uri $uri/ /index.php$is_args$query_string;
|
||||||
}
|
}
|
||||||
|
|
|
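Review bot: The new `# define the root dir` comment in the `@ -1,12 +1,14 @@` hunk should say that this line is not static: if this is the sites-available/misp file, the entrypoint's flip_nginx rewrites it at startup with `sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|"` to switch between the loading page and the webroot, so the line must keep the `root ...var/www...;` shape for that match to work. Suggested wording: `# define the root dir (rewritten at startup by flip_nginx in the entrypoint; keep the 'root ...var/www...;' form)`.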
@ -1,57 +0,0 @@
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
root /var/www/MISP/app/webroot;
|
|
||||||
index index.php;
|
|
||||||
|
|
||||||
client_max_body_size 50M;
|
|
||||||
|
|
||||||
# Disable access logs
|
|
||||||
access_log off;
|
|
||||||
log_not_found off;
|
|
||||||
error_log /dev/stderr error;
|
|
||||||
|
|
||||||
ssl_certificate /etc/nginx/certs/cert.pem;
|
|
||||||
ssl_certificate_key /etc/nginx/certs/key.pem;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
# modern configuration
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
|
|
||||||
# enable HSTS
|
|
||||||
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
|
|
||||||
add_header X-Frame-Options SAMEORIGIN;
|
|
||||||
|
|
||||||
# Aded headers for hardening browser security
|
|
||||||
add_header Referrer-Policy "no-referrer" always;
|
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
|
||||||
add_header X-Download-Options "noopen" always;
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
||||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
|
||||||
add_header X-Robots-Tag "none" always;
|
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
|
||||||
|
|
||||||
# Remove X-Powered-By, which is an information leak
|
|
||||||
fastcgi_hide_header X-Powered-By;
|
|
||||||
|
|
||||||
location /public {
|
|
||||||
root /mnt;
|
|
||||||
autoindex on;
|
|
||||||
autoindex_exact_size off;
|
|
||||||
autoindex_format html;
|
|
||||||
autoindex_localtime on;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php$is_args$query_string;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
include snippets/fastcgi-php.conf;
|
|
||||||
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
|
|
||||||
fastcgi_read_timeout 300;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,35 +0,0 @@
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
root /var/www/MISP/app/webroot;
|
|
||||||
index index.php;
|
|
||||||
|
|
||||||
client_max_body_size 50M;
|
|
||||||
|
|
||||||
# Disable access logs
|
|
||||||
access_log off;
|
|
||||||
log_not_found off;
|
|
||||||
error_log /dev/stderr error;
|
|
||||||
|
|
||||||
# Aded headers for hardening browser security
|
|
||||||
add_header Referrer-Policy "no-referrer" always;
|
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
|
||||||
add_header X-Download-Options "noopen" always;
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
||||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
|
||||||
add_header X-Robots-Tag "none" always;
|
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
|
||||||
|
|
||||||
# Remove X-Powered-By, which is an information leak
|
|
||||||
fastcgi_hide_header X-Powered-By;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
try_files $uri $uri/ /index.php$is_args$query_string;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
include snippets/fastcgi-php.conf;
|
|
||||||
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
|
|
||||||
fastcgi_read_timeout 300;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
<html>
|
||||||
|
MISP is loading...
|
||||||
|
</html>
|
|
@ -1,5 +1,5 @@
|
||||||
MISP_TAG=v2.4.169
|
MISP_TAG=v2.4.170
|
||||||
MODULES_TAG=v2.4.169
|
MODULES_TAG=v2.4.170
|
||||||
PHP_VER=20190902
|
PHP_VER=20190902
|
||||||
# MISP_COMMIT takes precedence over MISP_TAG
|
# MISP_COMMIT takes precedence over MISP_TAG
|
||||||
# MISP_COMMIT=c56d537
|
# MISP_COMMIT=c56d537
|
||||||
|
@ -38,6 +38,3 @@ SYNCSERVERS_1_KEY=
|
||||||
|
|
||||||
# comma separated list of organizations to create (e.g. ORGANIZATIONS="ORG1, ORG2, ORG3")
|
# comma separated list of organizations to create (e.g. ORGANIZATIONS="ORG1, ORG2, ORG3")
|
||||||
ORGANIZATIONS=
|
ORGANIZATIONS=
|
||||||
|
|
||||||
# host folder containing public files generated by external tools
|
|
||||||
PUBLIC_MOUNT_POINT=./public
|
|
||||||
|
|