Refactor the whole image and allow external customization

pull/1/head
Stefano Ortolani 2023-04-13 15:02:02 +01:00
parent 8d7031e42c
commit 51075b4f37
12 changed files with 335 additions and 408 deletions


@ -29,10 +29,10 @@ Additionally, this fork features the following improvements:
- Add support for new background job system (see https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md) - Add support for new background job system (see https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md)
- Add support for exposing locally generated resources - Add support for exposing locally generated resources
- Add support for building specific MISP and MISP-modules commits - Add support for building specific MISP and MISP-modules commits
- Add automatic configuration of MISP modules (see `entrypoint_internal.sh`) - Add automatic configuration of MISP modules (see `configure_misp.sh`)
- Add automatic configuration of sync servers (see `entrypoint_internal.sh`) - Add automatic configuration of sync servers (see `configure_misp.sh`)
- Add automatic configuration of organizations (see `entrypoint_internal.sh`) - Add automatic configuration of organizations (see `configure_misp.sh`)
- Add autoamtic configuration of authentication keys (see `entrypoint_internal.sh`) - Add autoamtic configuration of authentication keys (see `configure_misp.sh`)
- Add direct push of docker images to Docker Hub - Add direct push of docker images to Docker Hub
- Consolidate docker compose files - Consolidate docker compose files
@ -117,10 +117,6 @@ The `docker-compose.yml` file allows further configuration settings:
"MYSQL_USER=misp" "MYSQL_USER=misp"
"MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. "MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run.
"MYSQL_DATABASE=misp" "MYSQL_DATABASE=misp"
"NOREDIR=true" # Do not redirect port 80
"DISIPV6=true" # Disable IPV6 in nginx
"CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required
"SECURESSL=true" # Enable higher security SSL in nginx
"MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
"WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead) "WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead)
"NUM_WORKERS_DEFAULT=5" # To set the number of default workers "NUM_WORKERS_DEFAULT=5" # To set the number of default workers


@ -42,19 +42,19 @@ services:
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
# customization
- "3030:3030"
volumes: volumes:
- "./configs/:/var/www/MISP/app/Config/" - "./configs/:/var/www/MISP/app/Config/"
- "./logs/:/var/www/MISP/app/tmp/logs/" - "./logs/:/var/www/MISP/app/tmp/logs/"
- "./files/:/var/www/MISP/app/files/" - "./files/:/var/www/MISP/app/files/"
- "./ssl/:/etc/nginx/certs/" - "./ssl/:/etc/nginx/certs/"
- "./gnupg/:/var/www/MISP/.gnupg/" - "./gnupg/:/var/www/MISP/.gnupg/"
- "${PUBLIC_MOUNT_POINT}:/mnt/public/"
environment: environment:
- "HOSTNAME=https://localhost" - "HOSTNAME=https://localhost"
- "REDIS_FQDN=redis" - "REDIS_FQDN=redis"
- "INIT=true" # Initialze MISP, things includes, attempting to import SQL and the Files DIR - "CRON_USER_ID=1"
- "CRON_USER_ID=1" # The MISP user ID to run cron jobs as # sync server settings
# Synchronization Servers settings
- "SYNCSERVERS=${SYNCSERVERS}" - "SYNCSERVERS=${SYNCSERVERS}"
- "SYNCSERVERS_1_NAME=${SYNCSERVERS_1_NAME}" - "SYNCSERVERS_1_NAME=${SYNCSERVERS_1_NAME}"
- "SYNCSERVERS_1_UUID=${SYNCSERVERS_1_UUID}" - "SYNCSERVERS_1_UUID=${SYNCSERVERS_1_UUID}"
@ -66,7 +66,7 @@ services:
"pull_rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}", "pull_rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}",
"pull": true "pull": true
} }
# Custom Settings # standard settings
- "ADMIN_EMAIL=${ADMIN_EMAIL}" - "ADMIN_EMAIL=${ADMIN_EMAIL}"
- "ADMIN_KEY=${ADMIN_KEY}" - "ADMIN_KEY=${ADMIN_KEY}"
- "ADMIN_ORG=${ADMIN_ORG}" - "ADMIN_ORG=${ADMIN_ORG}"
@ -75,6 +75,7 @@ services:
- "NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}" - "NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}"
- "ORGANIZATIONS=${ORGANIZATIONS}" - "ORGANIZATIONS=${ORGANIZATIONS}"
- "VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}" - "VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}"
misp-modules: misp-modules:
image: ostefano/misp-docker:modules-latest image: ostefano/misp-docker:modules-latest
build: build:
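Review bot: `"${PUBLIC_MOUNT_POINT}:/mnt/public/"` in the new volumes list has no default, so when the variable is missing from the environment or `.env` Compose substitutes an empty string and the mount becomes `:/mnt/public/`, which is most likely rejected as an invalid volume spec at `docker compose up` with a message that does not name the variable. Giving it a default or marking it mandatory keeps the failure readable: `- "${PUBLIC_MOUNT_POINT:?set PUBLIC_MOUNT_POINT to the host directory to expose}:/mnt/public/"` or `- "${PUBLIC_MOUNT_POINT:-./public/}:/mnt/public/"`. The `# customization` comment above `- "3030:3030"` does not say what listens on that port; a one-line comment naming the service behind it would help an operator decide whether it should be published beyond localhost. Both hunks sit inside the `misp` service, whose definition starts before the first hunk.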


@ -25,7 +25,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
RUN if [ ! -z ${MODULES_COMMIT} ]; then \ RUN if [ ! -z ${MODULES_COMMIT} ]; then \
git clone https://github.com/MISP/misp-modules.git /srv/misp-modules && cd /srv/misp-modules && git checkout ${MODULES_COMMIT}; \ git clone https://github.com/MISP/misp-modules.git /srv/misp-modules && cd /srv/misp-modules && git checkout ${MODULES_COMMIT}; \
else git clone --branch ${MODULES_TAG} --depth 1 https://github.com/MISP/misp-modules.git /srv/misp-modules; fi else git clone --branch ${MODULES_TAG} --depth 1 https://github.com/MISP/misp-modules.git /srv/misp-modules; fi
RUN cd /srv/misp-modules || exit; sed -i 's/-e //g' REQUIREMENTS; pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/ RUN cd /srv/misp-modules; \
echo "pyeti" >> REQUIREMENTS; \
echo "git+https://github.com/abenassi/Google-Search-API" >> REQUIREMENTS; \
sed -i 's/-e //g' REQUIREMENTS; \
pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/
RUN git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup; \ RUN git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup; \
cd /srv/faup/build || exit; cmake .. && make install; \ cd /srv/faup/build || exit; cmake .. && make install; \
@ -56,4 +60,12 @@ RUN pip install --use-deprecated=legacy-resolver /wheel/*.whl; ldconfig
RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \ RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \
/usr/local/lib/python3.9/site-packages/pyfaup/__init__.py /usr/local/lib/python3.9/site-packages/pyfaup/__init__.py
# Remove double logging
RUN sed -i "/logging.basicConfig/d" \
/usr/local/lib/python3.9/site-packages/apiosintDS/apiosintDS.py; \
sed -i "/logging.basicConfig/d" \
/usr/local/lib/python3.9/site-packages/apiosintDS/modules/dosearch.py; \
sed -i "/logging.basicConfig/d" \
/usr/local/lib/python3.9/site-packages/apiosintDS/modules/listutils.py
ENTRYPOINT [ "/usr/local/bin/misp-modules", "-l", "0.0.0.0"] ENTRYPOINT [ "/usr/local/bin/misp-modules", "-l", "0.0.0.0"]
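Review bot: The two new REQUIREMENTS entries are unpinned: `git+https://github.com/abenassi/Google-Search-API` resolves to whatever the default branch holds at build time and `pyeti` carries no version, so two builds of the same commit can ship different code and a later upstream change lands in the image unreviewed; pinning them, e.g. `git+https://github.com/abenassi/Google-Search-API@<commit-sha>` and `pyeti==<version>`, keeps the build reproducible. The rewritten RUN also drops the old `|| exit` after `cd /srv/misp-modules`: the steps are joined with `;`, so if the `cd` fails the two `echo` lines append to a REQUIREMENTS file in the current WORKDIR and `pip3 wheel` runs against that instead of failing the build; `RUN cd /srv/misp-modules && \` (or `set -e;` as the first step) restores the guard. The same unguarded `;` chaining appears in this commit's MISP Dockerfile on the `RUN cd /var/www/MISP; git submodule update --init --recursive .; cd /var/www/MISP/app; \` line.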


@ -7,11 +7,13 @@ FROM "${DOCKER_HUB_PROXY}composer:2.1.14" as composer-build
RUN composer install --ignore-platform-reqs && \ RUN composer install --ignore-platform-reqs && \
composer require jakub-onderka/openid-connect-php:1.0.0-rc1 --ignore-platform-reqs && \ composer require jakub-onderka/openid-connect-php:1.0.0-rc1 --ignore-platform-reqs && \
composer require --with-all-dependencies supervisorphp/supervisor:^4.0 \ composer require --with-all-dependencies supervisorphp/supervisor:^4.0 \
guzzlehttp/guzzle php-http/message lstrojny/fxmlrpc --ignore-platform-reqs guzzlehttp/guzzle php-http/message lstrojny/fxmlrpc --ignore-platform-reqs && \
composer require --with-all-dependencies elasticsearch/elasticsearch:^8.7.0 aws/aws-sdk-php --ignore-platform-reqs
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build
RUN apt-get update; apt-get install -y --no-install-recommends \ RUN apt-get update; apt-get install -y --no-install-recommends \
gcc \ gcc \
g++ \
make \ make \
libfuzzy-dev \ libfuzzy-dev \
ca-certificates \ ca-certificates \
@ -19,14 +21,14 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build
php-dev \ php-dev \
php-pear \ php-pear \
librdkafka-dev \ librdkafka-dev \
libsimdjson-dev \
git \ git \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
RUN pecl channel-update pecl.php.net RUN pecl channel-update pecl.php.net
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka && pecl install simdjson
RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
RUN apt-get update; apt-get install -y --no-install-recommends \ RUN apt-get update; apt-get install -y --no-install-recommends \
gcc \ gcc \
@ -78,7 +80,7 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
cd pydeep || exit; python3 setup.py bdist_wheel -d /wheels cd pydeep || exit; python3 setup.py bdist_wheel -d /wheels
# Grab other modules we need # Grab other modules we need
RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief==0.12.3
# Remove extra packages due to incompatible requirements.txt files # Remove extra packages due to incompatible requirements.txt files
WORKDIR /wheels WORKDIR /wheels
@ -125,6 +127,7 @@ ARG PHP_VER
php-zip \ php-zip \
librdkafka1 \ librdkafka1 \
libbrotli1 \ libbrotli1 \
libsimdjson5 \
# Unsure we need these # Unsure we need these
zip unzip \ zip unzip \
# Require for advanced an unattended configuration # Require for advanced an unattended configuration
@ -136,7 +139,7 @@ ARG PHP_VER
RUN if [ ! -z ${MISP_COMMIT} ]; then \ RUN if [ ! -z ${MISP_COMMIT} ]; then \
git clone https://github.com/MISP/MISP.git /var/www/MISP && cd /var/www/MISP && git checkout ${MISP_COMMIT}; \ git clone https://github.com/MISP/MISP.git /var/www/MISP && cd /var/www/MISP && git checkout ${MISP_COMMIT}; \
else git clone --branch ${MISP_TAG} --depth 1 https://github.com/MISP/MISP.git /var/www/MISP; fi else git clone --branch ${MISP_TAG} --depth 1 https://github.com/MISP/MISP.git /var/www/MISP; fi
RUN cd /var/www/MISP/app || exit; git submodule update --init --recursive .; \ RUN cd /var/www/MISP; git submodule update --init --recursive .; cd /var/www/MISP/app; \
# Remove some old and broken links that pollute the log files # Remove some old and broken links that pollute the log files
rm -rf /var/www/MISP/INSTALL/old rm -rf /var/www/MISP/INSTALL/old
@ -149,24 +152,21 @@ ARG PHP_VER
COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so
COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so
COPY --from=php-build /usr/lib/php/${PHP_VER}/brotli.so /usr/lib/php/${PHP_VER}/brotli.so COPY --from=php-build /usr/lib/php/${PHP_VER}/brotli.so /usr/lib/php/${PHP_VER}/brotli.so
COPY --from=php-build /usr/lib/php/${PHP_VER}/simdjson.so /usr/lib/php/${PHP_VER}/simdjson.so
COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor
COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin
RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka
RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli
RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done; phpenmod ssdeep
RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done \ RUN for dir in /etc/php/*; do echo "extension=simdjson.so" > "$dir/mods-available/simdjson.ini"; done; phpenmod simdjson
;phpenmod redis \ RUN phpenmod redis
# Enable ssdeep we build earlier
;phpenmod ssdeep
# nginx # nginx
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
COPY files/etc/nginx/misp /etc/nginx/sites-available/misp COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80 COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
COPY files/etc/nginx/misp80-noredir /etc/nginx/sites-available/misp80-noredir
# Make a copy of the file store, so we can sync from it # Make a copy of the file store, so we can sync from it
RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
@ -174,10 +174,18 @@ ARG PHP_VER
# Make a copy of the configurations, so we can sync from it # Make a copy of the configurations, so we can sync from it
RUN cp -R /var/www/MISP/app/Config /var/www/MISP/app/Config.dist RUN cp -R /var/www/MISP/app/Config /var/www/MISP/app/Config.dist
# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions
RUN find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
RUN find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
RUN find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} +
# Entrypoints # Entrypoints
COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/10-supervisor.conf COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/10-supervisor.conf
COPY files/etc/supervisor/workers.conf /etc/supervisor/conf.d/50-workers.conf COPY files/etc/supervisor/workers.conf /etc/supervisor/conf.d/50-workers.conf
COPY files/entrypoint_internal.sh / COPY files/var/www/html/index.php /var/www/html/index.php
COPY files/configure_misp.sh /
COPY files/entrypoint_fpm.sh / COPY files/entrypoint_fpm.sh /
COPY files/entrypoint_nginx.sh / COPY files/entrypoint_nginx.sh /
COPY files/entrypoint_cron.sh / COPY files/entrypoint_cron.sh /
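Review bot: The new permission pass sets every directory under /var/www/MISP to 0770 while setting every file to 0550; because unlink and create are governed by the directory bits, the www-data process can still delete and recreate any file in the tree, so the read-only file mode the comment describes does not actually hold for the web server user. If the intent is to keep application code immutable at runtime, limit the 0770 pass to the paths that receive writes (at least those mounted as volumes in docker-compose.yml: app/Config, app/tmp/logs, app/files, .gnupg) and leave the rest 0550, or state in the comment that www-data is deliberately allowed to write anywhere. Separately, the chown and two chmod `find … -exec … +` lines are three separate RUN instructions, and each metadata change on the whole tree copies the touched files into a new layer, so the image can carry /var/www/MISP roughly three times over; combining them into one `RUN find … -exec chown … + && find … -exec chmod … + && …` avoids that.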


@ -2,6 +2,39 @@
[ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test" [ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase" [ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
init_misp_configuration(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring default settings"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3)
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
}
init_misp_workers(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring background workers"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
echo "... starting background workers"
supervisorctl start misp-workers:*
}
init_gnupg() { init_gnupg() {
GPG_DIR=/var/www/MISP/.gnupg GPG_DIR=/var/www/MISP/.gnupg
@ -9,7 +42,7 @@ init_gnupg() {
GPG_TMP=/tmp/gpg.tmp GPG_TMP=/tmp/gpg.tmp
if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then
echo "Generating GPG key ... (please be patient, we need some entropy)" echo "... generating new GPG key in ${GPG_DIR}"
cat >${GPG_TMP} <<GPGEOF cat >${GPG_TMP} <<GPGEOF
%echo Generating a basic OpenPGP key %echo Generating a basic OpenPGP key
Key-Type: RSA Key-Type: RSA
@ -25,7 +58,7 @@ GPGEOF
gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP} gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP}
rm -f ${GPG_TMP} rm -f ${GPG_TMP}
else else
echo "Using pre-generated GPG key in ${GPG_DIR}" echo "... found pre-generated GPG key in ${GPG_DIR}"
fi fi
# Fix permissions # Fix permissions
@ -34,10 +67,10 @@ GPGEOF
find ${GPG_DIR} -type d -exec chmod 700 {} \; find ${GPG_DIR} -type d -exec chmod 700 {} \;
if [ ! -f ${GPG_ASC} ]; then if [ ! -f ${GPG_ASC} ]; then
echo "Exporting GPG key ..." echo "... exporting GPG key"
sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${ADMIN_EMAIL} > ${GPG_ASC} sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${ADMIN_EMAIL} > ${GPG_ASC}
else else
echo "Found exported key ${GPG_ASC}" echo "... found exported key ${GPG_ASC}"
fi fi
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "${ADMIN_EMAIL}" sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "${ADMIN_EMAIL}"
@ -64,14 +97,14 @@ init_user() {
echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD} echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD}
fi fi
if [ ! -z "$ADMIN_KEY" ]; then if [ ! -z "$ADMIN_KEY" ]; then
echo "Customize MISP | Setting admin key to '${ADMIN_KEY}'" echo "... setting admin key to '${ADMIN_KEY}'"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}") CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
else else
echo "Customize MISP | Regenerating admin key" echo "... regenerating admin key"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1) CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
fi fi
ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'` ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'`
echo "Customize MISP | Admin user key set to '${ADMIN_KEY}'" echo "... admin user key set to '${ADMIN_KEY}'"
} }
apply_critical_fixes() { apply_critical_fixes() {
@ -81,9 +114,19 @@ apply_critical_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" false sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_popover_only" false sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_popover_only" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"rest_client_baseurl\": \"${HOSTNAME}\"
}
}" > /dev/null
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": \"\"
}
}" > /dev/null
} }
apply_custom_settings() { apply_optional_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_top" "" sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_top" ""
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_bottom" "" sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_bottom" ""
@ -99,9 +142,9 @@ apply_custom_settings() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 5 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 5
} }
configure_plugins() { configure_optional_plugins() {
if [ ! -z "$VIRUSTOTAL_KEY" ]; then if [ ! -z "$VIRUSTOTAL_KEY" ]; then
echo "Customize MISP | Enabling 'virustotal' module ..." echo "... enabling 'virustotal' module ..."
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Plugin\": { \"Plugin\": {
\"Enrichment_virustotal_enabled\": true, \"Enrichment_virustotal_enabled\": true,
@ -111,7 +154,7 @@ configure_plugins() {
fi fi
if [ ! -z "$VIRUSTOTAL_KEY" ] && [ ! -z "$NSX_ANALYSIS_KEY" ] && [ ! -z "$NSX_ANALYSIS_API_TOKEN" ] && [ ! -z "$ADMIN_KEY" ]; then if [ ! -z "$VIRUSTOTAL_KEY" ] && [ ! -z "$NSX_ANALYSIS_KEY" ] && [ ! -z "$NSX_ANALYSIS_API_TOKEN" ] && [ ! -z "$ADMIN_KEY" ]; then
echo "Customize MISP | Enabling 'vmware_nsx' module ..." echo "... enabling 'vmware_nsx' module ..."
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Plugin\": { \"Plugin\": {
\"Enrichment_vmware_nsx_enabled\": true, \"Enrichment_vmware_nsx_enabled\": true,
@ -127,56 +170,12 @@ configure_plugins() {
fi fi
} }
configure_email() { updateComponents() {
sudo -u www-data tee /var/www/MISP/app/Config/email.php > /dev/null <<EOT sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
<?php sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
class EmailConfig { sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
public \$default = array( sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
'transport' => 'Smtp', sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$smtp = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$fast = array(
'from' => 'misp-dev@admin.test',
'sender' => null,
'to' => null,
'cc' => null,
'bcc' => null,
'replyTo' => null,
'readReceipt' => null,
'returnPath' => null,
'messageId' => true,
'subject' => null,
'message' => null,
'headers' => null,
'viewRender' => null,
'template' => false,
'layout' => false,
'viewVars' => null,
'attachments' => null,
'emailFormat' => null,
'transport' => 'Smtp',
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => true,
);
}
EOT
} }
add_organization() { add_organization() {
@ -196,7 +195,7 @@ get_organization() {
curl -s --show-error -k \ curl -s --show-error -k \
-H "Authorization: ${ADMIN_KEY}" \ -H "Authorization: ${ADMIN_KEY}" \
-H "Accept: application/json" \ -H "Accept: application/json" \
-H "Content-type: application/json" ${HOSTNAME}/organisations/view/${1} | jq -e -r ".Organisation.id" -H "Content-type: application/json" ${HOSTNAME}/organisations/view/${1} | jq -e -r ".Organisation.id // empty"
} }
add_server() { add_server() {
@ -214,38 +213,20 @@ get_server() {
-H "Content-type: application/json" ${HOSTNAME}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${1}\") | .Server.id" -H "Content-type: application/json" ${HOSTNAME}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${1}\") | .Server.id"
} }
updateComponents() { create_organizations() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
}
echo "Customize MISP | Configure email ..." && configure_email
echo "Customize MISP | Configure GPG key ..." && init_gnupg
echo "Customize MISP | Running updates ..." && apply_updates
echo "Customize MISP | Init default user and organization ..." && init_user
echo "Customize MISP | Resolve critical issues ..." && apply_critical_fixes
echo "Customize MISP | Customize installation ..." && apply_custom_settings
# This item last so we had a chance to create the ADMIN_KEY if not specified
echo "Customize MISP | Configure plugins ..." && configure_plugins
# Create organizations (and silently fail if present already)
echo "Customize MISP | Creating organizations ..."
SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n') SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n')
for ORG in $SPLITTED_ORGS; do for ORG in $SPLITTED_ORGS; do
echo "Adding organization: $ORG" ORG_ID=$(get_organization ${ORG})
if [[ -z $ORG_ID ]]; then
echo "... adding organization: $ORG"
add_organization $ORG true add_organization $ORG true
else
echo "... organization $ORG already exists"
fi
done done
}
echo "Customize MISP | Creating sync servers ..." create_sync_servers() {
SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n') SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
for ID in $SPLITTED_SYNCSERVERS; do for ID in $SPLITTED_SYNCSERVERS; do
NAME="SYNCSERVERS_${ID}_NAME" NAME="SYNCSERVERS_${ID}_NAME"
@ -253,15 +234,37 @@ for ID in $SPLITTED_SYNCSERVERS; do
DATA="SYNCSERVERS_${ID}_DATA" DATA="SYNCSERVERS_${ID}_DATA"
KEY="SYNCSERVERS_${ID}_KEY" KEY="SYNCSERVERS_${ID}_KEY"
if ! get_server ${!NAME}; then if ! get_server ${!NAME}; then
echo "Customize MISP | Configuring sync server ${!NAME}..." echo "... configuring sync server ${!NAME}..."
add_organization ${!NAME} false ${!UUID} add_organization ${!NAME} false ${!UUID}
ORG_ID=$(get_organization ${!UUID}) ORG_ID=$(get_organization ${!UUID})
DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY} '. + {remote_org_id: $org_id, name: $name, authkey: $key}') DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY} '. + {remote_org_id: $org_id, name: $name, authkey: $key}')
add_server "$DATA" add_server "$DATA"
fi fi
done done
}
echo "Customize MISP | Updating components ..." && updateComponents
# Make the instance live echo "MISP | Initialize configuration ..." && init_misp_configuration
echo "MISP | Initialize workers ..." && init_misp_workers
echo "MISP | Configure GPG key ..." && init_gnupg
echo "MISP | Running updates ..." && apply_updates
echo "MISP | Init default user and organization ..." && init_user
echo "MISP | Resolve critical issues ..." && apply_critical_fixes
echo "MISP | Resolve non-critical issues ..." && apply_optional_fixes
echo "MISP | Creating organizations ..." && create_organizations
echo "MISP | Creating sync servers ..." && create_sync_servers
echo "MISP | Updating components ..." && updateComponents
echo "MISP | Configure plugins with newly generate admin key ..." && configure_optional_plugins
echo "MISP | Marking instance live"
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
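Review bot: The rewritten `echo "... setting admin key to '${ADMIN_KEY}'"` and `echo "... admin user key set to '${ADMIN_KEY}'"` in init_user still print the admin API key to stdout, so it lands in the container log and is readable by anyone allowed to run `docker logs`; a fixed confirmation such as `echo "... admin user key set (value withheld)"`, or only a short prefix of the key, keeps the log useful without disclosing the credential. init_user begins before that hunk. The new init_misp_workers bakes a fixed supervisor user and password (`"supervisor"` / `"supervisor"`) into the MISP settings; the listener is on 127.0.0.1:9001 per the same lines, but the credential is identical in every deployment, so reading it from an environment variable with that default (and keeping supervisor.conf, which is not in this diff, in step) would let operators change it. Also `supervisorctl start misp-workers:*` leaves the glob unquoted and therefore subject to shell pathname expansion if a matching file ever exists in the working directory; `supervisorctl start 'misp-workers:*'` avoids that.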


@ -21,7 +21,7 @@ change_php_vars() {
echo "Configure PHP | Change PHP values ..." && change_php_vars echo "Configure PHP | Change PHP values ..." && change_php_vars
echo "Starting PHP FPM" echo "Configure PHP | Starting PHP FPM"
/usr/sbin/php-fpm7.4 -R -F & master_pid=$! /usr/sbin/php-fpm7.4 -R -F & master_pid=$!
# Wait for it # Wait for it


@ -8,80 +8,13 @@ term_proc() {
trap term_proc SIGTERM trap term_proc SIGTERM
MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
[ -z "$MYSQL_HOST" ] && MYSQL_HOST=db [ -z "$MYSQL_HOST" ] && MYSQL_HOST=db
[ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306 [ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306
[ -z "$MYSQL_USER" ] && MYSQL_USER=misp [ -z "$MYSQL_USER" ] && MYSQL_USER=misp
[ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example [ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example
[ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp [ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp
[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis [ -z "$MYSQLCMD" ] && export MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
[ -z "$MYSQLCMD" ] && MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
ENTRYPOINT_PID_FILE="/entrypoint_apache.install"
[ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE
init_misp_config(){
[ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
[ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
[ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
[ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
[ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
[ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
echo "Configure MISP | Set DB User, Password and Host in database.php"
sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
}
init_misp_defaults(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "Configure sane defaults"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3)
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
}
init_misp_workers(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "Configuring background workers"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
echo "Starting background workers"
supervisorctl start misp-workers:*
}
init_misp_files(){
if [ ! -f /var/www/MISP/app/files/INIT ]; then
cp -R /var/www/MISP/app/files.dist/* /var/www/MISP/app/files
touch /var/www/MISP/app/files/INIT
fi
}
init_ssl() {
if [[ (! -f /etc/nginx/certs/cert.pem) || (! -f /etc/nginx/certs/key.pem) ]];
then
cd /etc/nginx/certs
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
fi
}
init_mysql(){ init_mysql(){
# Test when MySQL is ready.... # Test when MySQL is ready....
@ -99,137 +32,209 @@ init_mysql(){
RETRY=100 RETRY=100
until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do
echo "Waiting for database to come up" echo "... waiting for database to come up"
sleep 5 sleep 5
RETRY=$(( RETRY - 1)) RETRY=$(( RETRY - 1))
done done
if [ $RETRY -le 0 ]; then if [ $RETRY -le 0 ]; then
>&2 echo "Error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT" >&2 echo "... error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT"
exit 1 exit 1
fi fi
if [ $(isDBinitDone) -eq 0 ]; then if [ $(isDBinitDone) -eq 0 ]; then
echo "Database has already been initialized" echo "... database has already been initialized"
else else
echo "Database has not been initialized, importing MySQL scheme..." echo "... database has not been initialized, importing MySQL scheme..."
$MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql $MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
fi fi
} }
sync_files(){ init_misp_data_files(){
# Init config (shared with host)
echo "... initializing configuration files"
MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
[ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
[ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
[ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
[ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
[ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
[ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
echo "... initializing database.php settings"
sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
echo "... initializing email.php settings"
sudo -u www-data tee /var/www/MISP/app/Config/email.php > /dev/null <<EOT
<?php
class EmailConfig {
public \$default = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$smtp = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$fast = array(
'from' => 'misp-dev@admin.test',
'sender' => null,
'to' => null,
'cc' => null,
'bcc' => null,
'replyTo' => null,
'readReceipt' => null,
'returnPath' => null,
'messageId' => true,
'subject' => null,
'message' => null,
'headers' => null,
'viewRender' => null,
'template' => false,
'layout' => false,
'viewVars' => null,
'attachments' => null,
'emailFormat' => null,
'transport' => 'Smtp',
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => true,
);
}
EOT
# Init files (shared with host)
echo "... initializing app files"
MISP_APP_FILES_PATH=/var/www/MISP/app/files
if [ ! -f ${MISP_APP_FILES_PATH}/INIT ]; then
cp -R ${MISP_APP_FILES_PATH}.dist/* ${MISP_APP_FILES_PATH}
touch ${MISP_APP_FILES_PATH}/INIT
fi
}
update_misp_data_files(){
for DIR in $(ls /var/www/MISP/app/files.dist); do for DIR in $(ls /var/www/MISP/app/files.dist); do
echo "... rsync -azh --delete \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/" rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
done done
} }
# Ensure SSL certs are where we expect them, for backward comparibility See issue #53 enforce_misp_data_permissions(){
for CERT in cert.pem dhparams.pem key.pem; do echo "... chown -R www-data:www-data /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"
if [[ ! -f "/etc/nginx/certs/$CERT" && -f "/etc/ssl/certs/$CERT" ]]; then
WARNING53=true
cp /etc/ssl/certs/$CERT /etc/nginx/certs/$CERT
fi
done
# Things we should do when we have the INITIALIZE Env Flag
if [[ "$INIT" == true ]]; then
echo "Setup MySQL..." && init_mysql
echo "Setup MISP files dir..." && init_misp_files
echo "Ensure SSL certs exist..." && init_ssl
fi
# Things we should do if we're configuring MISP via ENV
echo "Configure MISP | Initialize misp base config..." && init_misp_config
echo "Configure MISP | Sync app files..." && sync_files
echo "Configure MISP | Enforce permissions ..."
# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions
echo "... chown -R www-data:www-data /var/www/MISP ..." && find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory # Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP ..." && find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} + echo "... chmod -R 0550 files /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while # Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP ..." && find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} + echo "... chmod -R 0770 directories /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 770 -type d -exec chmod 0770 {} +
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit) # We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp ..." && chmod -R u+w,g+w /var/www/MISP/app/tmp echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp" && chmod -R u+w,g+w /var/www/MISP/app/tmp
echo "... chmod -R u+w,g+w /var/www/MISP/app/files ..." && chmod -R u+w,g+w /var/www/MISP/app/files
# We also make other special files writable (should be 660)
echo "... chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php ... " && chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php
# Configuring defaults now echo "... chown -R www-data:www-data /var/www/MISP/app/files" && find /var/www/MISP/app/files \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
echo "Configure MISP | Setting defaults ..." && init_misp_defaults # Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 770 -type d -exec chmod 0770 {} +
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
echo "... chmod -R u+w,g+w /var/www/MISP/app/files" && chmod -R u+w,g+w /var/www/MISP/app/files
# Workers are set to NOT auto start so we have time to enforce permissions on the cache first echo "... chown -R www-data:www-data /var/www/MISP/app/Config" && find /var/www/MISP/app/Config \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
echo "Configure MISP | Starting workers ..." && init_misp_workers # Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP/app/Config ..." && find /var/www/MISP/app/Config -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP/app/Config" && find /var/www/MISP/app/Config -not -perm 770 -type d -exec chmod 0770 {} +
# We make configuration files read only
echo "... chmod 600 /var/www/MISP/app/Config/{config,database,email}.php" && chmod 600 /var/www/MISP/app/Config/{config,database,email}.php
}
# Work around https://github.com/MISP/MISP/issues/5608 flip_nginx() {
if [[ ! -f /var/www/MISP/PyMISP/pymisp/data/describeTypes.json ]]; then local live="$1";
mkdir -p /var/www/MISP/PyMISP/pymisp/data/ local reload="$2";
ln -s /usr/local/lib/python3.9/dist-packages/pymisp/data/describeTypes.json /var/www/MISP/PyMISP/pymisp/data/describeTypes.json
if [[ "$live" = "true" ]]; then
NGINX_DOC_ROOT=/var/www/MISP/app/webroot
elif [[ -x /custom/files/var/www/html/index.php ]]; then
NGINX_DOC_ROOT=/custom/files/var/www/html/
else
NGINX_DOC_ROOT=/var/www/html/
fi fi
if [[ ! -L "/etc/nginx/sites-enabled/misp80" && "$NOREDIR" == true ]]; then # must be valid for all roots
echo "Configure NGINX | Disabling Port 80 Redirect" echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
ln -s /etc/nginx/sites-available/misp80-noredir /etc/nginx/sites-enabled/misp80 sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
elif [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
echo "Configure NGINX | Enable Port 80 Redirect" if [[ "$reload" = "true" ]]; then
echo "... nginx reloaded"
nginx -s reload
fi
}
init_nginx() {
if [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
echo "... enabling port 80 redirect"
ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80 ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
else else
echo "Configure NGINX | Port 80 already configured" echo "... port 80 already configured"
fi fi
if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then if [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
echo "Configure NGINX | Using Secure SSL" echo "... enabling port 443"
ln -s /etc/nginx/sites-available/misp-secure /etc/nginx/sites-enabled/misp
elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
echo "Configure NGINX | Using Standard SSL"
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
else else
echo "Configure NGINX | SSL already configured" echo "... port 443 already configured"
fi fi
if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then if [[ ! -f /etc/nginx/certs/cert.pem || ! -f /etc/nginx/certs/key.pem ]]; then
echo "Configure NGINX | Building dhparams.pem" echo "... generating new self-signed TLS certificate"
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout /etc/nginx/certs/key.pem -out /etc/nginx/certs/cert.pem -days 365
else
echo "... TLS certificates found"
fi
if [[ ! -f /etc/nginx/certs/dhparams.pem ]]; then
echo "... generating new DH parameters"
openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048 openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
else
echo "... DH parameters found"
fi fi
if [[ $CERTAUTH = @(optional|on) ]]; then flip_nginx false false
echo "Configure NGINX | Enabling SSL Cert Authentication" }
grep -qF "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
grep -qF "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a \\ ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a \\ ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp
echo "Configure bootstrap | Enabling Cert Auth Plugin - Don't forget to configure it https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth (Step 2)"
sed -i "s/\/\/ CakePlugin::load('CertAuth');/CakePlugin::load('CertAuth');/" $MISP_APP_CONFIG_PATH/bootstrap.php
fi
if [[ "$DISIPV6" == true ]]; then # Initialize MySQL
echo "Configure NGINX | Disabling IPv6" echo "INIT | Initialize MySQL ..." && init_mysql
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp
fi
# delete pid file # Initialize NGINX
[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE echo "INIT | Initialize NGINX ..." && init_nginx
if [[ "$WARNING53" == true ]]; then
echo "WARNING - WARNING - WARNING"
echo "The SSL certs have moved. You currently have them mounted to /etc/ssl/certs."
echo "This needs to be changed to /etc/nginx/certs."
echo "See: https://github.com/coolacid/docker-misp/issues/53"
echo "WARNING - WARNING - WARNING"
fi
if [[ -x /entrypoint_internal.sh ]]; then
export MYSQLCMD=${MYSQLCMD}
nginx -g 'daemon off;' & master_pid=$! nginx -g 'daemon off;' & master_pid=$!
/entrypoint_internal.sh
kill -TERM "$master_pid" 2>/dev/null
fi
# Start NGINX # Initialize MISP
nginx -g 'daemon off;' & master_pid=$! echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
echo "INIT | Updating MISP app/files directory ..." && update_misp_data_files
echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
echo "INIT | Flipping NGINX live ..." && flip_nginx true true
# Run configure MISP script
echo "INIT | Configuring MISP installation ..."
/configure_misp.sh
if [[ -x /custom/files/customize_misp.sh ]]; then
echo "INIT | Customizing MISP installation ..."
/custom/files/customize_misp.sh
fi
# Wait for it # Wait for it
wait "$master_pid" wait "$master_pid"
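Review bot: The heredoc at `sudo -u www-data tee /var/www/MISP/app/Config/email.php` inside `init_misp_data_files` overwrites email.php on every container start, which defeats the `[ -f ... ] || cp` guard a few lines above it and silently discards any operator edits to a file the comment itself describes as shared with the host; the SMTP host `mail` and sender `misp-dev@admin.test` are also hard-coded in all three arrays, so they cannot be changed from `.env` despite the commit's stated goal of external customization. Writing the default only when the file does not exist yet would keep both behaviours: drop the `email.php` cp line, wrap the tee in `if [ ! -f $MISP_APP_CONFIG_PATH/email.php ]; then` ... `fi` (closing after `EOT`), and consider sourcing host and sender from environment variables with these values as defaults. Separately, `/custom/files/customize_misp.sh` is executed as root with `MYSQLCMD` (which embeds the database password) exported into its environment, so the README should state that anything mounted at `/custom/files` runs with the container's full privileges and database credentials.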


@ -1,12 +1,14 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
# define the root dir
root /var/www/MISP/app/webroot; root /var/www/MISP/app/webroot;
index index.php; index index.php;
client_max_body_size 50M; client_max_body_size 50M;
# Disable access logs # disable access logs
access_log off; access_log off;
log_not_found off; log_not_found off;
error_log /dev/stderr error; error_log /dev/stderr error;
@ -27,7 +29,7 @@ server {
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains"; add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
# Aded headers for hardening browser security # added headers for hardening browser security
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always; add_header X-Download-Options "noopen" always;
@ -36,17 +38,9 @@ server {
add_header X-Robots-Tag "none" always; add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak # remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By; fastcgi_hide_header X-Powered-By;
location /public {
root /mnt;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
location / { location / {
try_files $uri $uri/ /index.php$is_args$query_string; try_files $uri $uri/ /index.php$is_args$query_string;
} }
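Review bot: The `root /var/www/MISP/app/webroot;` directive that the new `# define the root dir` comment annotates is no longer static: `flip_nginx` in entrypoint_nginx.sh rewrites it at runtime with `sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|"`, so the comment should tell maintainers that the directive must stay on one line and keep a `var/www` path component, e.g. `# define the root dir (rewritten at start-up by flip_nginx; keep 'var/www' in the path)`. Removing the `location /public { root /mnt; ... }` block leaves this as the only `root` directive, which is what keeps that substitution unambiguous; if another `root` under a `var/www` path is ever added to this file, the sed will rewrite it too. The server block continues outside the visible hunks.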


@ -1,57 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /var/www/MISP/app/webroot;
index index.php;
client_max_body_size 50M;
# Disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# enable HSTS
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN;
# Aded headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location /public {
root /mnt;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
location / {
try_files $uri $uri/ /index.php$is_args$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_read_timeout 300;
}
}


@ -1,35 +0,0 @@
server {
listen 80;
listen [::]:80;
root /var/www/MISP/app/webroot;
index index.php;
client_max_body_size 50M;
# Disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
# Aded headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location / {
try_files $uri $uri/ /index.php$is_args$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_read_timeout 300;
}
}


@ -0,0 +1,3 @@
<html>
MISP is loading...
</html>


@ -1,5 +1,5 @@
MISP_TAG=v2.4.169 MISP_TAG=v2.4.170
MODULES_TAG=v2.4.169 MODULES_TAG=v2.4.170
PHP_VER=20190902 PHP_VER=20190902
# MISP_COMMIT takes precedence over MISP_TAG # MISP_COMMIT takes precedence over MISP_TAG
# MISP_COMMIT=c56d537 # MISP_COMMIT=c56d537
@ -38,6 +38,3 @@ SYNCSERVERS_1_KEY=
# comma separated list of organizations to create (e.g. ORGANIZATIONS="ORG1, ORG2, ORG3") # comma separated list of organizations to create (e.g. ORGANIZATIONS="ORG1, ORG2, ORG3")
ORGANIZATIONS= ORGANIZATIONS=
# host folder containing public files generated by external tools
PUBLIC_MOUNT_POINT=./public