Refactor the whole image and allow external customization

pull/1/head
Stefano Ortolani 2023-04-13 15:02:02 +01:00
parent 8d7031e42c
commit 51075b4f37
12 changed files with 335 additions and 408 deletions


@ -29,10 +29,10 @@ Additionally, this fork features the following improvements:
- Add support for new background job system (see https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md) - Add support for new background job system (see https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md)
- Add support for exposing locally generated resources - Add support for exposing locally generated resources
- Add support for building specific MISP and MISP-modules commits - Add support for building specific MISP and MISP-modules commits
- Add automatic configuration of MISP modules (see `entrypoint_internal.sh`) - Add automatic configuration of MISP modules (see `configure_misp.sh`)
- Add automatic configuration of sync servers (see `entrypoint_internal.sh`) - Add automatic configuration of sync servers (see `configure_misp.sh`)
- Add automatic configuration of organizations (see `entrypoint_internal.sh`) - Add automatic configuration of organizations (see `configure_misp.sh`)
- Add autoamtic configuration of authentication keys (see `entrypoint_internal.sh`) - Add autoamtic configuration of authentication keys (see `configure_misp.sh`)
- Add direct push of docker images to Docker Hub - Add direct push of docker images to Docker Hub
- Consolidate docker compose files - Consolidate docker compose files
@ -117,10 +117,6 @@ The `docker-compose.yml` file allows further configuration settings:
"MYSQL_USER=misp" "MYSQL_USER=misp"
"MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run. "MYSQL_PASSWORD=example" # NOTE: This should be AlphaNum with no Special Chars. Otherwise, edit config files after first run.
"MYSQL_DATABASE=misp" "MYSQL_DATABASE=misp"
"NOREDIR=true" # Do not redirect port 80
"DISIPV6=true" # Disable IPV6 in nginx
"CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required
"SECURESSL=true" # Enable higher security SSL in nginx
"MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
"WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead) "WORKERS=1" # Legacy variable controlling the number of parallel workers (use variables below instead)
"NUM_WORKERS_DEFAULT=5" # To set the number of default workers "NUM_WORKERS_DEFAULT=5" # To set the number of default workers


@ -42,19 +42,19 @@ services:
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
# customization
- "3030:3030"
volumes: volumes:
- "./configs/:/var/www/MISP/app/Config/" - "./configs/:/var/www/MISP/app/Config/"
- "./logs/:/var/www/MISP/app/tmp/logs/" - "./logs/:/var/www/MISP/app/tmp/logs/"
- "./files/:/var/www/MISP/app/files/" - "./files/:/var/www/MISP/app/files/"
- "./ssl/:/etc/nginx/certs/" - "./ssl/:/etc/nginx/certs/"
- "./gnupg/:/var/www/MISP/.gnupg/" - "./gnupg/:/var/www/MISP/.gnupg/"
- "${PUBLIC_MOUNT_POINT}:/mnt/public/"
environment: environment:
- "HOSTNAME=https://localhost" - "HOSTNAME=https://localhost"
- "REDIS_FQDN=redis" - "REDIS_FQDN=redis"
- "INIT=true" # Initialze MISP, things includes, attempting to import SQL and the Files DIR - "CRON_USER_ID=1"
- "CRON_USER_ID=1" # The MISP user ID to run cron jobs as # sync server settings
# Synchronization Servers settings
- "SYNCSERVERS=${SYNCSERVERS}" - "SYNCSERVERS=${SYNCSERVERS}"
- "SYNCSERVERS_1_NAME=${SYNCSERVERS_1_NAME}" - "SYNCSERVERS_1_NAME=${SYNCSERVERS_1_NAME}"
- "SYNCSERVERS_1_UUID=${SYNCSERVERS_1_UUID}" - "SYNCSERVERS_1_UUID=${SYNCSERVERS_1_UUID}"
@ -66,7 +66,7 @@ services:
"pull_rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}", "pull_rules": "{\"tags\":{\"OR\":[],\"NOT\":[]},\"orgs\":{\"OR\":[],\"NOT\":[]},\"url_params\":\"{\\\"searchanalysis\\\": \\\"2\\\"}\"}",
"pull": true "pull": true
} }
# Custom Settings # standard settings
- "ADMIN_EMAIL=${ADMIN_EMAIL}" - "ADMIN_EMAIL=${ADMIN_EMAIL}"
- "ADMIN_KEY=${ADMIN_KEY}" - "ADMIN_KEY=${ADMIN_KEY}"
- "ADMIN_ORG=${ADMIN_ORG}" - "ADMIN_ORG=${ADMIN_ORG}"
@ -75,6 +75,7 @@ services:
- "NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}" - "NSX_ANALYSIS_KEY=${NSX_ANALYSIS_KEY}"
- "ORGANIZATIONS=${ORGANIZATIONS}" - "ORGANIZATIONS=${ORGANIZATIONS}"
- "VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}" - "VIRUSTOTAL_KEY=${VIRUSTOTAL_KEY}"
misp-modules: misp-modules:
image: ostefano/misp-docker:modules-latest image: ostefano/misp-docker:modules-latest
build: build:
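Review bot: The new `"${PUBLIC_MOUNT_POINT}:/mnt/public/"` volume (the line after the `.gnupg` mount) interpolates to `:/mnt/public/` when the variable is unset and is then rejected by compose as an invalid volume spec with no hint of which variable is missing; a defaulted or required form such as `"${PUBLIC_MOUNT_POINT:-./public}:/mnt/public/"` or `"${PUBLIC_MOUNT_POINT:?PUBLIC_MOUNT_POINT is required}:/mnt/public/"` makes the contract explicit. The bind mount also carries no `:ro` suffix, so the host directory becomes writable from inside the container; if MISP only reads from the public mount, `:ro` narrows that. The `"3030:3030"` publish is annotated only with `# customization` and nothing in this diff shows what listens on 3030, so a comment naming the listener would help, and if it is an internal service it could be bound as `"127.0.0.1:3030:3030"` rather than on all interfaces.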


@ -25,7 +25,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
RUN if [ ! -z ${MODULES_COMMIT} ]; then \ RUN if [ ! -z ${MODULES_COMMIT} ]; then \
git clone https://github.com/MISP/misp-modules.git /srv/misp-modules && cd /srv/misp-modules && git checkout ${MODULES_COMMIT}; \ git clone https://github.com/MISP/misp-modules.git /srv/misp-modules && cd /srv/misp-modules && git checkout ${MODULES_COMMIT}; \
else git clone --branch ${MODULES_TAG} --depth 1 https://github.com/MISP/misp-modules.git /srv/misp-modules; fi else git clone --branch ${MODULES_TAG} --depth 1 https://github.com/MISP/misp-modules.git /srv/misp-modules; fi
RUN cd /srv/misp-modules || exit; sed -i 's/-e //g' REQUIREMENTS; pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/ RUN cd /srv/misp-modules; \
echo "pyeti" >> REQUIREMENTS; \
echo "git+https://github.com/abenassi/Google-Search-API" >> REQUIREMENTS; \
sed -i 's/-e //g' REQUIREMENTS; \
pip3 wheel -r REQUIREMENTS --no-cache-dir -w /wheel/
RUN git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup; \ RUN git clone --depth 1 https://github.com/stricaud/faup.git /srv/faup; \
cd /srv/faup/build || exit; cmake .. && make install; \ cd /srv/faup/build || exit; cmake .. && make install; \
@ -56,4 +60,12 @@ RUN pip install --use-deprecated=legacy-resolver /wheel/*.whl; ldconfig
RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \ RUN sed -i s/LoadLibrary\(LOAD_LIB\)/LoadLibrary\(\"\\/usr\\/local\\/lib\\/libfaupl.so\"\)/ \
/usr/local/lib/python3.9/site-packages/pyfaup/__init__.py /usr/local/lib/python3.9/site-packages/pyfaup/__init__.py
# Remove double logging
RUN sed -i "/logging.basicConfig/d" \
/usr/local/lib/python3.9/site-packages/apiosintDS/apiosintDS.py; \
sed -i "/logging.basicConfig/d" \
/usr/local/lib/python3.9/site-packages/apiosintDS/modules/dosearch.py; \
sed -i "/logging.basicConfig/d" \
/usr/local/lib/python3.9/site-packages/apiosintDS/modules/listutils.py
ENTRYPOINT [ "/usr/local/bin/misp-modules", "-l", "0.0.0.0"] ENTRYPOINT [ "/usr/local/bin/misp-modules", "-l", "0.0.0.0"]
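Review bot: The two requirements appended in the `RUN cd /srv/misp-modules` step, `pyeti` and `git+https://github.com/abenassi/Google-Search-API`, are unpinned, so every build resolves whatever is currently on PyPI and on that repository's default branch; the git one in particular has neither a tag nor a commit, which makes the image non-reproducible and lets a change pushed to a third-party repository land directly in the image. Pin at least the git dependency, `echo "git+https://github.com/abenassi/Google-Search-API@<commit-sha>" >> REQUIREMENTS;`, and `pyeti==<version>` if a known-good release exists. The same step also drops the `|| exit` that the previous `cd /srv/misp-modules || exit` had, so a failed `cd` would run the `sed` and `pip3 wheel` in the wrong directory; `cd /srv/misp-modules || exit 1;` keeps the failure loud.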


@ -7,11 +7,13 @@ FROM "${DOCKER_HUB_PROXY}composer:2.1.14" as composer-build
RUN composer install --ignore-platform-reqs && \ RUN composer install --ignore-platform-reqs && \
composer require jakub-onderka/openid-connect-php:1.0.0-rc1 --ignore-platform-reqs && \ composer require jakub-onderka/openid-connect-php:1.0.0-rc1 --ignore-platform-reqs && \
composer require --with-all-dependencies supervisorphp/supervisor:^4.0 \ composer require --with-all-dependencies supervisorphp/supervisor:^4.0 \
guzzlehttp/guzzle php-http/message lstrojny/fxmlrpc --ignore-platform-reqs guzzlehttp/guzzle php-http/message lstrojny/fxmlrpc --ignore-platform-reqs && \
composer require --with-all-dependencies elasticsearch/elasticsearch:^8.7.0 aws/aws-sdk-php --ignore-platform-reqs
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build
RUN apt-get update; apt-get install -y --no-install-recommends \ RUN apt-get update; apt-get install -y --no-install-recommends \
gcc \ gcc \
g++ \
make \ make \
libfuzzy-dev \ libfuzzy-dev \
ca-certificates \ ca-certificates \
@ -19,13 +21,13 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build
php-dev \ php-dev \
php-pear \ php-pear \
librdkafka-dev \ librdkafka-dev \
libsimdjson-dev \
git \ git \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
RUN pecl channel-update pecl.php.net RUN pecl channel-update pecl.php.net
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka && pecl install simdjson
RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
RUN apt-get update; apt-get install -y --no-install-recommends \ RUN apt-get update; apt-get install -y --no-install-recommends \
@ -78,7 +80,7 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
cd pydeep || exit; python3 setup.py bdist_wheel -d /wheels cd pydeep || exit; python3 setup.py bdist_wheel -d /wheels
# Grab other modules we need # Grab other modules we need
RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief RUN pip3 wheel --no-cache-dir -w /wheels/ plyara pyzmq redis python-magic lief==0.12.3
# Remove extra packages due to incompatible requirements.txt files # Remove extra packages due to incompatible requirements.txt files
WORKDIR /wheels WORKDIR /wheels
@ -125,6 +127,7 @@ ARG PHP_VER
php-zip \ php-zip \
librdkafka1 \ librdkafka1 \
libbrotli1 \ libbrotli1 \
libsimdjson5 \
# Unsure we need these # Unsure we need these
zip unzip \ zip unzip \
# Require for advanced an unattended configuration # Require for advanced an unattended configuration
@ -136,7 +139,7 @@ ARG PHP_VER
RUN if [ ! -z ${MISP_COMMIT} ]; then \ RUN if [ ! -z ${MISP_COMMIT} ]; then \
git clone https://github.com/MISP/MISP.git /var/www/MISP && cd /var/www/MISP && git checkout ${MISP_COMMIT}; \ git clone https://github.com/MISP/MISP.git /var/www/MISP && cd /var/www/MISP && git checkout ${MISP_COMMIT}; \
else git clone --branch ${MISP_TAG} --depth 1 https://github.com/MISP/MISP.git /var/www/MISP; fi else git clone --branch ${MISP_TAG} --depth 1 https://github.com/MISP/MISP.git /var/www/MISP; fi
RUN cd /var/www/MISP/app || exit; git submodule update --init --recursive .; \ RUN cd /var/www/MISP; git submodule update --init --recursive .; cd /var/www/MISP/app; \
# Remove some old and broken links that pollute the log files # Remove some old and broken links that pollute the log files
rm -rf /var/www/MISP/INSTALL/old rm -rf /var/www/MISP/INSTALL/old
@ -149,24 +152,21 @@ ARG PHP_VER
COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so COPY --from=php-build /usr/lib/php/${PHP_VER}/ssdeep.so /usr/lib/php/${PHP_VER}/ssdeep.so
COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so COPY --from=php-build /usr/lib/php/${PHP_VER}/rdkafka.so /usr/lib/php/${PHP_VER}/rdkafka.so
COPY --from=php-build /usr/lib/php/${PHP_VER}/brotli.so /usr/lib/php/${PHP_VER}/brotli.so COPY --from=php-build /usr/lib/php/${PHP_VER}/brotli.so /usr/lib/php/${PHP_VER}/brotli.so
COPY --from=php-build /usr/lib/php/${PHP_VER}/simdjson.so /usr/lib/php/${PHP_VER}/simdjson.so
COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor
COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin
RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka
RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli
RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done; phpenmod ssdeep
RUN for dir in /etc/php/*; do echo "extension=ssdeep.so" > "$dir/mods-available/ssdeep.ini"; done \ RUN for dir in /etc/php/*; do echo "extension=simdjson.so" > "$dir/mods-available/simdjson.ini"; done; phpenmod simdjson
;phpenmod redis \ RUN phpenmod redis
# Enable ssdeep we build earlier
;phpenmod ssdeep
# nginx # nginx
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
COPY files/etc/nginx/misp /etc/nginx/sites-available/misp COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80 COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
COPY files/etc/nginx/misp80-noredir /etc/nginx/sites-available/misp80-noredir
# Make a copy of the file store, so we can sync from it # Make a copy of the file store, so we can sync from it
RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist RUN cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
@ -174,10 +174,18 @@ ARG PHP_VER
# Make a copy of the configurations, so we can sync from it # Make a copy of the configurations, so we can sync from it
RUN cp -R /var/www/MISP/app/Config /var/www/MISP/app/Config.dist RUN cp -R /var/www/MISP/app/Config /var/www/MISP/app/Config.dist
# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions
RUN find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
RUN find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
RUN find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} +
# Entrypoints # Entrypoints
COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/10-supervisor.conf COPY files/etc/supervisor/supervisor.conf /etc/supervisor/conf.d/10-supervisor.conf
COPY files/etc/supervisor/workers.conf /etc/supervisor/conf.d/50-workers.conf COPY files/etc/supervisor/workers.conf /etc/supervisor/conf.d/50-workers.conf
COPY files/entrypoint_internal.sh / COPY files/var/www/html/index.php /var/www/html/index.php
COPY files/configure_misp.sh /
COPY files/entrypoint_fpm.sh / COPY files/entrypoint_fpm.sh /
COPY files/entrypoint_nginx.sh / COPY files/entrypoint_nginx.sh /
COPY files/entrypoint_cron.sh / COPY files/entrypoint_cron.sh /
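Review bot: The permission pass just before `# Entrypoints` makes every directory under `/var/www/MISP` mode 0770 for `www-data`, presumably including the served web root and `app/Console`, so a process running as `www-data` can create new files anywhere in the tree even though existing files are read-only (0550); the comment itself admits the write requirement was not inventoried. The compose file in this commit mounts `app/Config`, `app/tmp/logs`, `app/files` and `.gnupg` as writable, which suggests the set of directories that actually need 0770 is small — restricting the `chmod 0770` to those and leaving the rest at 0550 would keep the read-only intent meaningful. As written the three `find … -exec` steps also each rewrite the whole tree in a separate layer, which on overlay-style storage drivers copies every file up into each new layer and inflates the image; folding the `chown` and both `chmod` passes into one `RUN` avoids that. Separately, `aws/aws-sdk-php` in the composer step at the top of the section has no version constraint unlike its neighbours, and the removal of the `misp-secure` site config (together with the `SECURESSL`/`CERTAUTH` options dropped from the README) is not explained — if the hardened TLS settings were folded into `files/etc/nginx/misp`, a comment on the `COPY` saying so would help.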


@ -2,6 +2,39 @@
[ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test" [ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase" [ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
init_misp_configuration(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring default settings"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3)
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
}
init_misp_workers(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring background workers"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
echo "... starting background workers"
supervisorctl start misp-workers:*
}
init_gnupg() { init_gnupg() {
GPG_DIR=/var/www/MISP/.gnupg GPG_DIR=/var/www/MISP/.gnupg
@ -9,7 +42,7 @@ init_gnupg() {
GPG_TMP=/tmp/gpg.tmp GPG_TMP=/tmp/gpg.tmp
if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then
echo "Generating GPG key ... (please be patient, we need some entropy)" echo "... generating new GPG key in ${GPG_DIR}"
cat >${GPG_TMP} <<GPGEOF cat >${GPG_TMP} <<GPGEOF
%echo Generating a basic OpenPGP key %echo Generating a basic OpenPGP key
Key-Type: RSA Key-Type: RSA
@ -25,7 +58,7 @@ GPGEOF
gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP} gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP}
rm -f ${GPG_TMP} rm -f ${GPG_TMP}
else else
echo "Using pre-generated GPG key in ${GPG_DIR}" echo "... found pre-generated GPG key in ${GPG_DIR}"
fi fi
# Fix permissions # Fix permissions
@ -34,10 +67,10 @@ GPGEOF
find ${GPG_DIR} -type d -exec chmod 700 {} \; find ${GPG_DIR} -type d -exec chmod 700 {} \;
if [ ! -f ${GPG_ASC} ]; then if [ ! -f ${GPG_ASC} ]; then
echo "Exporting GPG key ..." echo "... exporting GPG key"
sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${ADMIN_EMAIL} > ${GPG_ASC} sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${ADMIN_EMAIL} > ${GPG_ASC}
else else
echo "Found exported key ${GPG_ASC}" echo "... found exported key ${GPG_ASC}"
fi fi
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "${ADMIN_EMAIL}" sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "${ADMIN_EMAIL}"
@ -64,14 +97,14 @@ init_user() {
echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD} echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD}
fi fi
if [ ! -z "$ADMIN_KEY" ]; then if [ ! -z "$ADMIN_KEY" ]; then
echo "Customize MISP | Setting admin key to '${ADMIN_KEY}'" echo "... setting admin key to '${ADMIN_KEY}'"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}") CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
else else
echo "Customize MISP | Regenerating admin key" echo "... regenerating admin key"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1) CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
fi fi
ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'` ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'`
echo "Customize MISP | Admin user key set to '${ADMIN_KEY}'" echo "... admin user key set to '${ADMIN_KEY}'"
} }
apply_critical_fixes() { apply_critical_fixes() {
@ -81,9 +114,19 @@ apply_critical_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" false sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_popover_only" false sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_popover_only" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"rest_client_baseurl\": \"${HOSTNAME}\"
}
}" > /dev/null
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": \"\"
}
}" > /dev/null
} }
apply_custom_settings() { apply_optional_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_top" "" sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_top" ""
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_bottom" "" sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting --force "MISP.welcome_text_bottom" ""
@ -99,9 +142,9 @@ apply_custom_settings() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 5 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 5
} }
configure_plugins() { configure_optional_plugins() {
if [ ! -z "$VIRUSTOTAL_KEY" ]; then if [ ! -z "$VIRUSTOTAL_KEY" ]; then
echo "Customize MISP | Enabling 'virustotal' module ..." echo "... enabling 'virustotal' module ..."
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Plugin\": { \"Plugin\": {
\"Enrichment_virustotal_enabled\": true, \"Enrichment_virustotal_enabled\": true,
@ -111,7 +154,7 @@ configure_plugins() {
fi fi
if [ ! -z "$VIRUSTOTAL_KEY" ] && [ ! -z "$NSX_ANALYSIS_KEY" ] && [ ! -z "$NSX_ANALYSIS_API_TOKEN" ] && [ ! -z "$ADMIN_KEY" ]; then if [ ! -z "$VIRUSTOTAL_KEY" ] && [ ! -z "$NSX_ANALYSIS_KEY" ] && [ ! -z "$NSX_ANALYSIS_API_TOKEN" ] && [ ! -z "$ADMIN_KEY" ]; then
echo "Customize MISP | Enabling 'vmware_nsx' module ..." echo "... enabling 'vmware_nsx' module ..."
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Plugin\": { \"Plugin\": {
\"Enrichment_vmware_nsx_enabled\": true, \"Enrichment_vmware_nsx_enabled\": true,
@ -127,56 +170,12 @@ configure_plugins() {
fi fi
} }
configure_email() { updateComponents() {
sudo -u www-data tee /var/www/MISP/app/Config/email.php > /dev/null <<EOT sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
<?php sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
class EmailConfig { sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
public \$default = array( sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
'transport' => 'Smtp', sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$smtp = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$fast = array(
'from' => 'misp-dev@admin.test',
'sender' => null,
'to' => null,
'cc' => null,
'bcc' => null,
'replyTo' => null,
'readReceipt' => null,
'returnPath' => null,
'messageId' => true,
'subject' => null,
'message' => null,
'headers' => null,
'viewRender' => null,
'template' => false,
'layout' => false,
'viewVars' => null,
'attachments' => null,
'emailFormat' => null,
'transport' => 'Smtp',
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => true,
);
}
EOT
} }
add_organization() { add_organization() {
@ -196,7 +195,7 @@ get_organization() {
curl -s --show-error -k \ curl -s --show-error -k \
-H "Authorization: ${ADMIN_KEY}" \ -H "Authorization: ${ADMIN_KEY}" \
-H "Accept: application/json" \ -H "Accept: application/json" \
-H "Content-type: application/json" ${HOSTNAME}/organisations/view/${1} | jq -e -r ".Organisation.id" -H "Content-type: application/json" ${HOSTNAME}/organisations/view/${1} | jq -e -r ".Organisation.id // empty"
} }
add_server() { add_server() {
@ -214,54 +213,58 @@ get_server() {
-H "Content-type: application/json" ${HOSTNAME}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${1}\") | .Server.id" -H "Content-type: application/json" ${HOSTNAME}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${1}\") | .Server.id"
} }
updateComponents() { create_organizations() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n')
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies for ORG in $SPLITTED_ORGS; do
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists ORG_ID=$(get_organization ${ORG})
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists if [[ -z $ORG_ID ]]; then
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID" echo "... adding organization: $ORG"
add_organization $ORG true
else
echo "... organization $ORG already exists"
fi
done
} }
echo "Customize MISP | Configure email ..." && configure_email create_sync_servers() {
SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
for ID in $SPLITTED_SYNCSERVERS; do
NAME="SYNCSERVERS_${ID}_NAME"
UUID="SYNCSERVERS_${ID}_UUID"
DATA="SYNCSERVERS_${ID}_DATA"
KEY="SYNCSERVERS_${ID}_KEY"
if ! get_server ${!NAME}; then
echo "... configuring sync server ${!NAME}..."
add_organization ${!NAME} false ${!UUID}
ORG_ID=$(get_organization ${!UUID})
DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY} '. + {remote_org_id: $org_id, name: $name, authkey: $key}')
add_server "$DATA"
fi
done
}
echo "Customize MISP | Configure GPG key ..." && init_gnupg
echo "Customize MISP | Running updates ..." && apply_updates echo "MISP | Initialize configuration ..." && init_misp_configuration
echo "Customize MISP | Init default user and organization ..." && init_user echo "MISP | Initialize workers ..." && init_misp_workers
echo "Customize MISP | Resolve critical issues ..." && apply_critical_fixes echo "MISP | Configure GPG key ..." && init_gnupg
echo "Customize MISP | Customize installation ..." && apply_custom_settings echo "MISP | Running updates ..." && apply_updates
# This item last so we had a chance to create the ADMIN_KEY if not specified echo "MISP | Init default user and organization ..." && init_user
echo "Customize MISP | Configure plugins ..." && configure_plugins
# Create organizations (and silently fail if present already) echo "MISP | Resolve critical issues ..." && apply_critical_fixes
echo "Customize MISP | Creating organizations ..."
SPLITTED_ORGS=$(echo $ORGANIZATIONS | tr ',' '\n')
for ORG in $SPLITTED_ORGS; do
echo "Adding organization: $ORG"
add_organization $ORG true
done
echo "Customize MISP | Creating sync servers ..." echo "MISP | Resolve non-critical issues ..." && apply_optional_fixes
SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
for ID in $SPLITTED_SYNCSERVERS; do
NAME="SYNCSERVERS_${ID}_NAME"
UUID="SYNCSERVERS_${ID}_UUID"
DATA="SYNCSERVERS_${ID}_DATA"
KEY="SYNCSERVERS_${ID}_KEY"
if ! get_server ${!NAME}; then
echo "Customize MISP | Configuring sync server ${!NAME}..."
add_organization ${!NAME} false ${!UUID}
ORG_ID=$(get_organization ${!UUID})
DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} --arg name ${!NAME} --arg key ${!KEY} '. + {remote_org_id: $org_id, name: $name, authkey: $key}')
add_server "$DATA"
fi
done
echo "Customize MISP | Updating components ..." && updateComponents echo "MISP | Creating organizations ..." && create_organizations
# Make the instance live echo "MISP | Creating sync servers ..." && create_sync_servers
echo "MISP | Updating components ..." && updateComponents
echo "MISP | Configure plugins with newly generate admin key ..." && configure_optional_plugins
echo "MISP | Marking instance live"
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
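Review bot: `init_misp_workers` writes the fixed literal `supervisor` as both `SimpleBackgroundJobs.supervisor_user` and `SimpleBackgroundJobs.supervisor_password` into the MISP configuration with no way to override it; the client is pointed at `127.0.0.1:9001`, so exposure is limited to the container, but a credential that is hard-coded and persisted into the config should come from the environment, e.g. `[ -z "$SUPERVISOR_PASSWORD" ] && SUPERVISOR_PASSWORD="supervisor"` next to the other defaults at the top and `"$SUPERVISOR_PASSWORD"` in the `setSetting` call (presumably it must match `files/etc/supervisor/supervisor.conf`, which is outside this hunk). The same function runs `supervisorctl start misp-workers:*` with the pattern unquoted, so a matching file in the working directory would be globbed; `supervisorctl start 'misp-workers:*'` is safer. `init_user`, whose start lies outside the hunk, still prints the admin API key in clear on two lines (`... setting admin key to '${ADMIN_KEY}'` and `... admin user key set to '${ADMIN_KEY}'`), which lands in the container log; this predates the rewording, but the messages could drop the value. In `create_sync_servers` the `${!NAME}`, `${!UUID}` and `${!KEY}` expansions are passed to `get_server`, `add_organization` and `jq --arg` unquoted, so a name containing whitespace splits into several arguments; double-quote them.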


@ -19,9 +19,9 @@ change_php_vars() {
done done
} }
echo "Configure PHP | Change PHP values ..." && change_php_vars echo "Configure PHP | Change PHP values ..." && change_php_vars
echo "Starting PHP FPM" echo "Configure PHP | Starting PHP FPM"
/usr/sbin/php-fpm7.4 -R -F & master_pid=$! /usr/sbin/php-fpm7.4 -R -F & master_pid=$!
# Wait for it # Wait for it


@ -8,80 +8,13 @@ term_proc() {
trap term_proc SIGTERM trap term_proc SIGTERM
MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
[ -z "$MYSQL_HOST" ] && MYSQL_HOST=db [ -z "$MYSQL_HOST" ] && MYSQL_HOST=db
[ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306 [ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306
[ -z "$MYSQL_USER" ] && MYSQL_USER=misp [ -z "$MYSQL_USER" ] && MYSQL_USER=misp
[ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example [ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example
[ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp [ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp
[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis [ -z "$MYSQLCMD" ] && export MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
[ -z "$MYSQLCMD" ] && MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
ENTRYPOINT_PID_FILE="/entrypoint_apache.install"
[ ! -f $ENTRYPOINT_PID_FILE ] && touch $ENTRYPOINT_PID_FILE
init_misp_config(){
[ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
[ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
[ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
[ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
[ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
[ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
echo "Configure MISP | Set DB User, Password and Host in database.php"
sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
}
init_misp_defaults(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "Configure sane defaults"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.baseurl" "$HOSTNAME"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" $(which python3)
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
}
init_misp_workers(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "Configuring background workers"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
echo "Starting background workers"
supervisorctl start misp-workers:*
}
init_misp_files(){
if [ ! -f /var/www/MISP/app/files/INIT ]; then
cp -R /var/www/MISP/app/files.dist/* /var/www/MISP/app/files
touch /var/www/MISP/app/files/INIT
fi
}
init_ssl() {
if [[ (! -f /etc/nginx/certs/cert.pem) || (! -f /etc/nginx/certs/key.pem) ]];
then
cd /etc/nginx/certs
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
fi
}
init_mysql(){ init_mysql(){
# Test when MySQL is ready.... # Test when MySQL is ready....
@ -99,137 +32,209 @@ init_mysql(){
RETRY=100 RETRY=100
until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do
echo "Waiting for database to come up" echo "... waiting for database to come up"
sleep 5 sleep 5
RETRY=$(( RETRY - 1)) RETRY=$(( RETRY - 1))
done done
if [ $RETRY -le 0 ]; then if [ $RETRY -le 0 ]; then
>&2 echo "Error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT" >&2 echo "... error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT"
exit 1 exit 1
fi fi
if [ $(isDBinitDone) -eq 0 ]; then if [ $(isDBinitDone) -eq 0 ]; then
echo "Database has already been initialized" echo "... database has already been initialized"
else else
echo "Database has not been initialized, importing MySQL scheme..." echo "... database has not been initialized, importing MySQL scheme..."
$MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql $MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
fi fi
} }
sync_files(){ init_misp_data_files(){
# Init config (shared with host)
echo "... initializing configuration files"
MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
[ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
[ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
[ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
[ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
[ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
[ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
echo "... initializing database.php settings"
sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
echo "... initializing email.php settings"
sudo -u www-data tee /var/www/MISP/app/Config/email.php > /dev/null <<EOT
<?php
class EmailConfig {
public \$default = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$smtp = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$fast = array(
'from' => 'misp-dev@admin.test',
'sender' => null,
'to' => null,
'cc' => null,
'bcc' => null,
'replyTo' => null,
'readReceipt' => null,
'returnPath' => null,
'messageId' => true,
'subject' => null,
'message' => null,
'headers' => null,
'viewRender' => null,
'template' => false,
'layout' => false,
'viewVars' => null,
'attachments' => null,
'emailFormat' => null,
'transport' => 'Smtp',
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => true,
);
}
EOT
# Init files (shared with host)
echo "... initializing app files"
MISP_APP_FILES_PATH=/var/www/MISP/app/files
if [ ! -f ${MISP_APP_FILES_PATH}/INIT ]; then
cp -R ${MISP_APP_FILES_PATH}.dist/* ${MISP_APP_FILES_PATH}
touch ${MISP_APP_FILES_PATH}/INIT
fi
}
update_misp_data_files(){
for DIR in $(ls /var/www/MISP/app/files.dist); do for DIR in $(ls /var/www/MISP/app/files.dist); do
echo "... rsync -azh --delete \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/" rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
done done
} }
# Ensure SSL certs are where we expect them, for backward comparibility See issue #53 enforce_misp_data_permissions(){
for CERT in cert.pem dhparams.pem key.pem; do echo "... chown -R www-data:www-data /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT" # Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
if [[ ! -f "/etc/nginx/certs/$CERT" && -f "/etc/ssl/certs/$CERT" ]]; then echo "... chmod -R 0550 files /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 550 -type f -exec chmod 0550 {} +
WARNING53=true # Directories are also writable, because there seems to be a requirement to add new files every once in a while
cp /etc/ssl/certs/$CERT /etc/nginx/certs/$CERT echo "... chmod -R 0770 directories /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 770 -type d -exec chmod 0770 {} +
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp" && chmod -R u+w,g+w /var/www/MISP/app/tmp
echo "... chown -R www-data:www-data /var/www/MISP/app/files" && find /var/www/MISP/app/files \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 770 -type d -exec chmod 0770 {} +
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
echo "... chmod -R u+w,g+w /var/www/MISP/app/files" && chmod -R u+w,g+w /var/www/MISP/app/files
echo "... chown -R www-data:www-data /var/www/MISP/app/Config" && find /var/www/MISP/app/Config \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP/app/Config ..." && find /var/www/MISP/app/Config -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP/app/Config" && find /var/www/MISP/app/Config -not -perm 770 -type d -exec chmod 0770 {} +
# We make configuration files read only
echo "... chmod 600 /var/www/MISP/app/Config/{config,database,email}.php" && chmod 600 /var/www/MISP/app/Config/{config,database,email}.php
}
flip_nginx() {
local live="$1";
local reload="$2";
if [[ "$live" = "true" ]]; then
NGINX_DOC_ROOT=/var/www/MISP/app/webroot
elif [[ -x /custom/files/var/www/html/index.php ]]; then
NGINX_DOC_ROOT=/custom/files/var/www/html/
else
NGINX_DOC_ROOT=/var/www/html/
fi fi
done
# Things we should do when we have the INITIALIZE Env Flag # must be valid for all roots
if [[ "$INIT" == true ]]; then echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
echo "Setup MySQL..." && init_mysql sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
echo "Setup MISP files dir..." && init_misp_files
echo "Ensure SSL certs exist..." && init_ssl
fi
# Things we should do if we're configuring MISP via ENV if [[ "$reload" = "true" ]]; then
echo "Configure MISP | Initialize misp base config..." && init_misp_config echo "... nginx reloaded"
nginx -s reload
fi
}
echo "Configure MISP | Sync app files..." && sync_files init_nginx() {
if [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
echo "... enabling port 80 redirect"
ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
else
echo "... port 80 already configured"
fi
echo "Configure MISP | Enforce permissions ..." if [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
# The spirit of the upstrem dockerization is to keep user and group aligned in terms of permissions echo "... enabling port 443"
echo "... chown -R www-data:www-data /var/www/MISP ..." && find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} + ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory else
echo "... chmod -R 0550 files /var/www/MISP ..." && find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 {} + echo "... port 443 already configured"
# Directories are also writable, because there seems to be a requirement to add new files every once in a while fi
echo "... chmod -R 0770 directories /var/www/MISP ..." && find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 {} +
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit) if [[ ! -f /etc/nginx/certs/cert.pem || ! -f /etc/nginx/certs/key.pem ]]; then
echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp ..." && chmod -R u+w,g+w /var/www/MISP/app/tmp echo "... generating new self-signed TLS certificate"
echo "... chmod -R u+w,g+w /var/www/MISP/app/files ..." && chmod -R u+w,g+w /var/www/MISP/app/files openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout /etc/nginx/certs/key.pem -out /etc/nginx/certs/cert.pem -days 365
# We also make other special files writable (should be 660) else
echo "... chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php ... " && chmod 600 /var/www/MISP/app/Config/config.php /var/www/MISP/app/Config/database.php /var/www/MISP/app/Config/email.php echo "... TLS certificates found"
fi
if [[ ! -f /etc/nginx/certs/dhparams.pem ]]; then
echo "... generating new DH parameters"
openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
else
echo "... DH parameters found"
fi
# Configuring defaults now flip_nginx false false
echo "Configure MISP | Setting defaults ..." && init_misp_defaults }
# Workers are set to NOT auto start so we have time to enforce permissions on the cache first
echo "Configure MISP | Starting workers ..." && init_misp_workers
# Work around https://github.com/MISP/MISP/issues/5608 # Initialize MySQL
if [[ ! -f /var/www/MISP/PyMISP/pymisp/data/describeTypes.json ]]; then echo "INIT | Initialize MySQL ..." && init_mysql
mkdir -p /var/www/MISP/PyMISP/pymisp/data/
ln -s /usr/local/lib/python3.9/dist-packages/pymisp/data/describeTypes.json /var/www/MISP/PyMISP/pymisp/data/describeTypes.json
fi
if [[ ! -L "/etc/nginx/sites-enabled/misp80" && "$NOREDIR" == true ]]; then # Initialize NGINX
echo "Configure NGINX | Disabling Port 80 Redirect" echo "INIT | Initialize NGINX ..." && init_nginx
ln -s /etc/nginx/sites-available/misp80-noredir /etc/nginx/sites-enabled/misp80
elif [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
echo "Configure NGINX | Enable Port 80 Redirect"
ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
else
echo "Configure NGINX | Port 80 already configured"
fi
if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then
echo "Configure NGINX | Using Secure SSL"
ln -s /etc/nginx/sites-available/misp-secure /etc/nginx/sites-enabled/misp
elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
echo "Configure NGINX | Using Standard SSL"
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
else
echo "Configure NGINX | SSL already configured"
fi
if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then
echo "Configure NGINX | Building dhparams.pem"
openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
fi
if [[ $CERTAUTH = @(optional|on) ]]; then
echo "Configure NGINX | Enabling SSL Cert Authentication"
grep -qF "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
grep -qF "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a \\ ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a \\ ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp
echo "Configure bootstrap | Enabling Cert Auth Plugin - Don't forget to configure it https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth (Step 2)"
sed -i "s/\/\/ CakePlugin::load('CertAuth');/CakePlugin::load('CertAuth');/" $MISP_APP_CONFIG_PATH/bootstrap.php
fi
if [[ "$DISIPV6" == true ]]; then
echo "Configure NGINX | Disabling IPv6"
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80
sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp
fi
# delete pid file
[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
if [[ "$WARNING53" == true ]]; then
echo "WARNING - WARNING - WARNING"
echo "The SSL certs have moved. You currently have them mounted to /etc/ssl/certs."
echo "This needs to be changed to /etc/nginx/certs."
echo "See: https://github.com/coolacid/docker-misp/issues/53"
echo "WARNING - WARNING - WARNING"
fi
if [[ -x /entrypoint_internal.sh ]]; then
export MYSQLCMD=${MYSQLCMD}
nginx -g 'daemon off;' & master_pid=$!
/entrypoint_internal.sh
kill -TERM "$master_pid" 2>/dev/null
fi
# Start NGINX
nginx -g 'daemon off;' & master_pid=$! nginx -g 'daemon off;' & master_pid=$!
# Initialize MISP
echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
echo "INIT | Updating MISP app/files directory ..." && update_misp_data_files
echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
echo "INIT | Flipping NGINX live ..." && flip_nginx true true
# Run configure MISP script
echo "INIT | Configuring MISP installation ..."
/configure_misp.sh
if [[ -x /custom/files/customize_misp.sh ]]; then
echo "INIT | Customizing MISP installation ..."
/custom/files/customize_misp.sh
fi
# Wait for it # Wait for it
wait "$master_pid" wait "$master_pid"
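Review bot: In `init_misp_data_files` the `sudo -u www-data tee …/email.php` heredoc rewrites email.php unconditionally on every container start, which makes the `[ -f … email.php ] || cp` guard a few lines above dead and silently clobbers any operator edits on the host-shared Config volume with hard-coded development values (`misp-dev@admin.test`, SMTP host `mail`, `'log' => true` in `$fast`). Wrap the tee in the same guard, `if [ ! -f "$MISP_APP_CONFIG_PATH/email.php" ]; then … fi` (or drop the now-pointless cp line), so the generated file is only a first-run template. Separately, `/custom/files/customize_misp.sh` is executed as root by this entrypoint (the same shell that chowns /var/www/MISP and starts nginx) with `MYSQLCMD` exported to it, and its exit status is ignored; since `MYSQLCMD` embeds the plaintext `MYSQL_PASSWORD` on the command line, the README should state that write access to the `/custom/files` mount is equivalent to root in the container, and a non-zero exit should at least be logged. The password-on-argv in `MYSQLCMD` is pre-existing (it appears on both sides of the diff), but the new `export` is what propagates it to external scripts.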


@ -1,12 +1,14 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
# define the root dir
root /var/www/MISP/app/webroot; root /var/www/MISP/app/webroot;
index index.php; index index.php;
client_max_body_size 50M; client_max_body_size 50M;
# Disable access logs # disable access logs
access_log off; access_log off;
log_not_found off; log_not_found off;
error_log /dev/stderr error; error_log /dev/stderr error;
@ -27,7 +29,7 @@ server {
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains"; add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
# Aded headers for hardening browser security # added headers for hardening browser security
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always; add_header X-Download-Options "noopen" always;
@ -36,17 +38,9 @@ server {
add_header X-Robots-Tag "none" always; add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak # remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By; fastcgi_hide_header X-Powered-By;
location /public {
root /mnt;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
location / { location / {
try_files $uri $uri/ /index.php$is_args$query_string; try_files $uri $uri/ /index.php$is_args$query_string;
} }
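Review bot: The HSTS line `add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";` is the only hardening header in this server block without the `always` flag, so nginx omits it on 4xx/5xx responses (without `always`, `add_header` is only applied to 2xx/3xx status codes); make it `add_header Strict-Transport-Security "max-age=15768000; includeSubdomains" always;` to match the other headers. This is a context line the commit leaves untouched rather than something it introduces. Also worth a comment near the header block: nginx does not inherit `add_header` directives into a `location` that sets its own `add_header`, so any future per-location header silently drops the whole hardening set unless the list is repeated there.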


@ -1,57 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /var/www/MISP/app/webroot;
index index.php;
client_max_body_size 50M;
# Disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# enable HSTS
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN;
# Aded headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location /public {
root /mnt;
autoindex on;
autoindex_exact_size off;
autoindex_format html;
autoindex_localtime on;
}
location / {
try_files $uri $uri/ /index.php$is_args$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_read_timeout 300;
}
}


@ -1,35 +0,0 @@
server {
listen 80;
listen [::]:80;
root /var/www/MISP/app/webroot;
index index.php;
client_max_body_size 50M;
# Disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
# Aded headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location / {
try_files $uri $uri/ /index.php$is_args$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_read_timeout 300;
}
}


@ -0,0 +1,3 @@
<html>
MISP is loading...
</html>


@ -1,5 +1,5 @@
MISP_TAG=v2.4.169 MISP_TAG=v2.4.170
MODULES_TAG=v2.4.169 MODULES_TAG=v2.4.170
PHP_VER=20190902 PHP_VER=20190902
# MISP_COMMIT takes precedence over MISP_TAG # MISP_COMMIT takes precedence over MISP_TAG
# MISP_COMMIT=c56d537 # MISP_COMMIT=c56d537
@ -38,6 +38,3 @@ SYNCSERVERS_1_KEY=
# comma separated list of organizations to create (e.g. ORGANIZATIONS="ORG1, ORG2, ORG3") # comma separated list of organizations to create (e.g. ORGANIZATIONS="ORG1, ORG2, ORG3")
ORGANIZATIONS= ORGANIZATIONS=
# host folder containing public files generated by external tools
PUBLIC_MOUNT_POINT=./public