Merge pull request #112 from stevengoossensB/master
Use installer script to install MISP and clean up repository
commit
8137e2154d
|
@ -13,4 +13,3 @@ before_install:
|
|||
|
||||
script:
|
||||
- docker-compose build
|
||||
- docker-compose -f docker-compose-nginx.yml build
|
||||
|
|
37
README.md
37
README.md
|
@ -7,24 +7,20 @@ The files in this repository are used to create a Docker container running a [MI
|
|||
|
||||
I rewrote the Docker file to split the components in multiple containers (which is more in the philosophy of Docker). Therefore there is no longer a Dockerfile in the root directory.
|
||||
|
||||
The MISP container needs at least a MySQL container to store the data. By default it listen to port 80. I highly recommend to serve it behind a NGinx or Apache reverse proxy.
|
||||
The MISP container needs at least a MySQL container to store the data. By default it listen to port 443 and port 80, which is redirected to 443.
|
||||
|
||||
The build is based on Ubuntu and will install all the required components. The following configuration steps are performed automatically:
|
||||
The build is based on Ubuntu and will install all the required components, using the INSTALL script provided in the MISP repository.
|
||||
|
||||
Using the Install script has the advantage that we can rely on a tested installation routine which is maintained and kept up to date. The amount of custom work to be done in the Dockerfile and run.sh files is limited to the necessary to make MISP container compliant.
|
||||
|
||||
The following configuration steps are performed automatically:
|
||||
* Reconfiguration of the base URL in `config.php`
|
||||
* Generation of a new salt in `config.php`
|
||||
* Generation of a self-signed certificate
|
||||
* Optimization of the PHP environment (php.ini) to match the MISP recommended values
|
||||
* Creation of the MySQL database
|
||||
* Generation of the admin PGP key
|
||||
|
||||
## Config
|
||||
* add your "*.crt" and "*.key" files to the ./proxy/ssl folder
|
||||
If not implementing SSL (not recommended) then simply comment out the appropriate lines in the "./proxy/default.conf" file.
|
||||
* Update "server_name" in default.conf file (will implement ENVIRONMENT VARIABLE in the future)
|
||||
|
||||
# Optional NGINX config
|
||||
|
||||
Included is an optional Docker Compose file 'docker-compose-nginx.yml' to spin up a reverse proxy to sit in front of MISP.
|
||||
* Installation of misp modules
|
||||
|
||||
# Building your image
|
||||
|
||||
|
@ -41,27 +37,12 @@ $ vi .env
|
|||
```
|
||||
$ docker-compose build
|
||||
or
|
||||
$ docker-compose -f docker-compose-nginx.yml build
|
||||
$ docker-compose -f docker-compose.yml build
|
||||
```
|
||||
|
||||
## Run containers
|
||||
```
|
||||
$ docker-compose up
|
||||
or
|
||||
$ docker-compose -f docker-compose-nginx.yml up
|
||||
```
|
||||
|
||||
# Optional NGINX config - SSL certificates
|
||||
|
||||
You can create the certificates manually if they are not automatically created.
|
||||
|
||||
```
|
||||
openssl req -new -nodes -x509 -subj "/C=BE/ST=Brussels/L=Brussels/O=CTI/CN=localhost" -days 3650 -newkey rsa:4096 -keyout proxy/ssl/misp.key -out proxy/ssl/misp.crt
|
||||
```
|
||||
|
||||
Then rebuild the proxy container and restart al the containers.
|
||||
|
||||
```
|
||||
docker-compose -f docker-compose-nginx.yml build --no-cache proxy
|
||||
docker-compose -f docker-compose-nginx.yml up
|
||||
$ docker-compose -f docker-compose.yml up
|
||||
```
|
|
@ -1,44 +0,0 @@
|
|||
version: '2'
|
||||
|
||||
services:
|
||||
proxy:
|
||||
build:
|
||||
context: proxy
|
||||
container_name: misp_proxy
|
||||
restart: unless-stopped
|
||||
image: misp-proxy:latest
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
|
||||
web:
|
||||
build: web
|
||||
container_name: misp_web
|
||||
image: misp:latest
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /dev/urandom:/dev/random
|
||||
- ${DATA_DIR}/web:/var/www/MISP
|
||||
environment:
|
||||
- MYSQL_HOST=${MYSQL_HOST}
|
||||
- MYSQL_DATABASE=${MYSQL_DATABASE}
|
||||
- MYSQL_USER=${MYSQL_USER}
|
||||
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
|
||||
- MISP_ADMIN_EMAIL=${MISP_ADMIN_EMAIL}
|
||||
- MISP_ADMIN_PASSPHRASE=${MISP_ADMIN_PASSPHRASE}
|
||||
- MISP_BASEURL=${MISP_BASEURL}
|
||||
- POSTFIX_RELAY_HOST=${POSTFIX_RELAY_HOST}
|
||||
- TIMEZONE=${TIMEZONE}
|
||||
|
||||
db:
|
||||
container_name: misp_db
|
||||
image: mysql/mysql-server:5.7
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- ${DATA_DIR}/db:/var/lib/mysql
|
||||
environment:
|
||||
- MYSQL_DATABASE=${MYSQL_DATABASE}
|
||||
- MYSQL_USER=${MYSQL_USER}
|
||||
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
|
||||
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
version: '2'
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
web:
|
||||
|
@ -10,6 +10,7 @@ services:
|
|||
restart: unless-stopped
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
volumes:
|
||||
- /dev/urandom:/dev/random
|
||||
- ${DATA_DIR}/web:/var/www/MISP
|
||||
|
|
|
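Review bot: The `web` service now publishes `443:443` on the host, but nothing in this compose file mounts or persists the certificate and key that the new Apache vhost added in this commit reads from `/etc/ssl/private/misp.local.crt` and `.key`, so an operator cannot supply a real certificate without rebuilding the image, and whatever the install script generates there is lost on every rebuild. Consider a volume next to the existing `${DATA_DIR}/web` mount, e.g. `- ${DATA_DIR}/ssl:/etc/ssl/private` (assuming that is where the installer writes the self-signed pair — confirm against INSTALL_NODB.sh), and document it in the README in place of the removed `./proxy/ssl` instructions. Exposing `80:80` alongside it is only safe if the port-80 vhost redirects, which the new misp-ssl.conf on this page does not appear to do.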
@ -1,10 +0,0 @@
|
|||
FROM nginx:1.18
|
||||
|
||||
# default conf for proxy service
|
||||
COPY ./default.conf /etc/nginx/conf.d/default.conf
|
||||
|
||||
# Proxy and SSL configurations
|
||||
COPY ./includes/ /etc/nginx/includes/
|
||||
|
||||
# Proxy SSL certificates
|
||||
COPY ./ssl/ /etc/ssl/certs/nginx/
|
|
@ -1,26 +0,0 @@
|
|||
# plain http redirect to https
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name localhost;
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
# main server, reverse proxy to 'web' container
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
listen [::]:443 ssl http2 default_server;
|
||||
server_name localhost;
|
||||
|
||||
# Path for SSL config/key/certificate
|
||||
ssl_certificate /etc/ssl/certs/nginx/misp.crt;
|
||||
ssl_certificate_key /etc/ssl/certs/nginx/misp.key;
|
||||
include /etc/nginx/includes/ssl.conf;
|
||||
|
||||
location / {
|
||||
include /etc/nginx/includes/proxy.conf;
|
||||
proxy_pass http://web;
|
||||
}
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log error;
|
||||
}
|
|
@ -1,8 +0,0 @@
|
|||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_intercept_errors on;
|
|
@ -1,7 +0,0 @@
|
|||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHAECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||
ssl_prefer_server_ciphers on;
|
|
@ -1,4 +1,4 @@
|
|||
MYSQL_HOST=db
|
||||
MYSQL_HOST=misp-db
|
||||
MYSQL_DATABASE=misp
|
||||
MYSQL_USER=misp
|
||||
MYSQL_PASSWORD=misp
|
||||
|
|
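Review bot: `MYSQL_HOST=misp-db` only works if the database service is reachable under that hostname; the `docker-compose.yml` hunks on this page show the `web` service but not the `db` service being renamed, and the removed nginx compose file still defined it as `db` with `container_name: misp_db`. Confirm that `docker-compose.yml` now defines a `misp-db` service (or gives `db` a network alias of that name); otherwise run.sh's MySQL setup will fail to resolve the host on first boot.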
152
web/Dockerfile
152
web/Dockerfile
|
@ -1,152 +1,40 @@
|
|||
|
||||
FROM ubuntu:focal
|
||||
FROM ubuntu:latest
|
||||
|
||||
# Install core components
|
||||
ENV DEBIAN_FRONTEND noninteractive
|
||||
|
||||
RUN apt-get update && \
|
||||
apt-get dist-upgrade -y && apt-get autoremove -y && apt-get clean && \
|
||||
apt-get dist-upgrade -y && apt-get upgrade && apt-get autoremove -y && apt-get clean && \
|
||||
apt-get install -y software-properties-common && \
|
||||
apt-get install -y postfix && \
|
||||
apt-get install -y mysql-client curl gcc git gnupg-agent \
|
||||
make python openssl redis-server sudo vim zip locales
|
||||
make openssl redis-server sudo vim zip locales wget iproute2 supervisor cron
|
||||
|
||||
RUN add-apt-repository ppa:deadsnakes/ppa
|
||||
RUN apt-get update && apt-get -y install python3.9 python3-pip
|
||||
RUN pip3 install --upgrade pip
|
||||
|
||||
|
||||
RUN locale-gen en_US.UTF-8
|
||||
ENV LANG en_US.UTF-8
|
||||
|
||||
# Apache
|
||||
RUN apt-get install -y apache2 apache2-doc apache2-utils && \
|
||||
a2dismod status && \
|
||||
a2dissite 000-default
|
||||
RUN useradd misp && usermod -aG sudo misp
|
||||
|
||||
# PHP 7.4 and install MySQL PDO extension
|
||||
RUN apt-get update
|
||||
RUN apt-get install -y --fix-missing libapache2-mod-php php php-dev php-json \
|
||||
php-mysql php-redis php-xml php-mbstring \
|
||||
php-gd php-pear php-opcache \
|
||||
pkg-config libbson-1.0 libmongoc-1.0-0 \
|
||||
php-zip php-bcmath php-intl
|
||||
# Install script
|
||||
COPY INSTALL_NODB.sh .
|
||||
RUN chmod +x INSTALL_NODB.sh
|
||||
RUN echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
|
||||
|
||||
# Fix php.ini with recommended settings
|
||||
RUN sed -i \
|
||||
-e "s/max_execution_time = 30/max_execution_time = 300/" \
|
||||
-e "s/memory_limit = 128M/memory_limit = 2048M/" \
|
||||
-e "s/upload_max_filesize = 2M/upload_max_filesize = 50M/" \
|
||||
-e "s/post_max_size = 8M/post_max_size = 50M/" \
|
||||
/etc/php/7.4/apache2/php.ini
|
||||
|
||||
RUN apt-get install -y python3-dev python3-pip python3-setuptools \
|
||||
python3-lxml libjpeg-dev \
|
||||
libxml2-dev libxslt1-dev zlib1g-dev libfuzzy-dev && \
|
||||
apt-get install -y cron logrotate supervisor syslog-ng-core && \
|
||||
apt-get clean
|
||||
USER misp
|
||||
|
||||
WORKDIR /var/www
|
||||
RUN chown www-data:www-data /var/www
|
||||
USER www-data
|
||||
RUN git clone https://github.com/MISP/MISP.git
|
||||
WORKDIR /var/www/MISP
|
||||
RUN git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`) && \
|
||||
git config core.filemode false && \
|
||||
git submodule update --init --recursive && \
|
||||
git submodule foreach --recursive git config core.filemode false
|
||||
RUN bash INSTALL_NODB.sh -A -u
|
||||
|
||||
USER root
|
||||
RUN pip3 install git+https://github.com/STIXProject/python-stix.git \
|
||||
git+https://github.com/CybOXProject/python-cybox.git \
|
||||
git+https://github.com/CybOXProject/mixbox.git \
|
||||
git+https://github.com/MAECProject/python-maec.git \
|
||||
/var/www/MISP/cti-python-stix2 \
|
||||
plyara
|
||||
|
||||
USER www-data
|
||||
WORKDIR /var/www/MISP
|
||||
RUN git submodule init && git submodule update
|
||||
WORKDIR /var/www/MISP/app
|
||||
RUN pip3 list -o | cut -f1 -d' ' | tr " " "\n" | awk '{if(NR>=3)print}' | cut -d' ' -f1 | xargs -n1 pip3 install -U ; exit 0 #Hack error code
|
||||
|
||||
# FIX COMPOSER
|
||||
RUN curl --fail --location -o composer-setup.php https://getcomposer.org/installer && \
|
||||
EXPECTED_SIGNATURE="$(curl https://composer.github.io/installer.sig)"; php -r "if (hash_file('sha384', 'composer-setup.php') == '$(echo $EXPECTED_SIGNATURE)' ) { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" && \
|
||||
php composer-setup.php && \
|
||||
php -r "unlink('composer-setup.php');"
|
||||
# END FIX
|
||||
|
||||
RUN php composer.phar update && \
|
||||
php composer.phar config vendor-dir Vendor && \
|
||||
php composer.phar install --ignore-platform-reqs
|
||||
USER root
|
||||
RUN phpenmod redis
|
||||
USER www-data
|
||||
RUN cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
|
||||
|
||||
# Fix permissions
|
||||
USER root
|
||||
RUN chown -R www-data:www-data /var/www/MISP && \
|
||||
chmod -R 750 /var/www/MISP && \
|
||||
chmod -R g+ws /var/www/MISP/app/tmp && \
|
||||
chmod -R g+ws /var/www/MISP/app/files && \
|
||||
chmod -R g+ws /var/www/MISP/app/files/scripts/tmp && \
|
||||
chmod +x /var/www/MISP/app/Console/cake
|
||||
|
||||
RUN cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
|
||||
|
||||
# Preconfigure setting for packages
|
||||
RUN echo "postfix postfix/main_mailer_type string Local only" \
|
||||
| debconf-set-selections && \
|
||||
echo "postfix postfix/mailname string localhost.localdomain" | \
|
||||
debconf-set-selections
|
||||
|
||||
# Redis Setup
|
||||
RUN sed -i 's/^\(daemonize\s*\)yes\s*$/\1no/g' /etc/redis/redis.conf
|
||||
RUN sed -i 's/^\(bind\s*\)127.0.0.1 ::1\s*$/\1127.0.0.1/g' /etc/redis/redis.conf
|
||||
|
||||
# Add a healthcheck endpoint
|
||||
COPY healthcheck.patch healthcheck.patch
|
||||
RUN patch /var/www/MISP/INSTALL/apache.misp.ubuntu < healthcheck.patch
|
||||
|
||||
# Apache Setup
|
||||
RUN cp /var/www/MISP/INSTALL/apache.misp.ubuntu /etc/apache2/sites-available/misp.conf && \
|
||||
a2dissite 000-default && \
|
||||
a2ensite misp && \
|
||||
a2enmod rewrite && \
|
||||
a2enmod headers
|
||||
|
||||
# MISP base configuration
|
||||
RUN sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php && \
|
||||
sudo -u www-data cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php && \
|
||||
sudo -u www-data cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php && \
|
||||
sudo -u www-data cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php && \
|
||||
chown -R www-data:www-data /var/www/MISP/app/Config && \
|
||||
chmod -R 750 /var/www/MISP/app/Config
|
||||
|
||||
# Replace the default salt
|
||||
RUN sed -i -E "s/'salt'\s=>\s'(\S+)'/'salt' => '`openssl rand -base64 32|tr "/" "-"`'/" /var/www/MISP/app/Config/config.php
|
||||
|
||||
# Enable workers at boot time
|
||||
RUN chmod a+x /var/www/MISP/app/Console/worker/start.sh && \
|
||||
echo "sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh" >>/etc/rc.local
|
||||
|
||||
# Install templates & stuff
|
||||
WORKDIR /var/www/MISP/app/files
|
||||
RUN rm -rf misp-objects && git clone https://github.com/MISP/misp-objects.git && \
|
||||
rm -rf misp-galaxy && git clone https://github.com/MISP/misp-galaxy.git && \
|
||||
rm -rf warninglists && git clone https://github.com/MISP/misp-warninglists.git ./warninglists && \
|
||||
rm -rf taxonomies && git clone https://github.com/MISP/misp-taxonomies.git ./taxonomies && \
|
||||
chown -R www-data:www-data misp-objects misp-galaxy warninglists taxonomies
|
||||
|
||||
# Install MISP build requirements
|
||||
RUN sudo -E apt-get -y install libpoppler97 libpoppler-dev libpoppler-cpp-dev
|
||||
|
||||
# Install MISP Modules
|
||||
WORKDIR /opt
|
||||
RUN git clone --branch v2.4.134 https://github.com/MISP/misp-modules.git
|
||||
RUN cd misp-modules && \
|
||||
pip3 install --upgrade pip setuptools wheel && \
|
||||
pip3 install scikit-build && \
|
||||
pip3 install opencv-python && \
|
||||
pip3 install -I -r REQUIREMENTS && \
|
||||
pip3 install -I . && \
|
||||
echo "sudo -u www-data misp-modules -s -l 127.0.0.1 &" >>/etc/rc.local
|
||||
|
||||
# Supervisord Setup
|
||||
RUN ( \
|
||||
|
@ -173,20 +61,18 @@ RUN ( \
|
|||
echo 'autorestart = false'; \
|
||||
echo ''; \
|
||||
echo '[program:misp-modules]'; \
|
||||
echo 'command=/bin/bash -c "misp-modules -s -l 127.0.0.1"'; \
|
||||
echo 'command=/bin/bash -c "/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s"'; \
|
||||
echo 'user = www-data'; \
|
||||
echo 'startsecs = 0'; \
|
||||
echo 'autorestart = false'; \
|
||||
) >> /etc/supervisor/conf.d/supervisord.conf
|
||||
|
||||
# Modify syslog configuration
|
||||
RUN sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf
|
||||
|
||||
# Add run script
|
||||
# Trigger to perform first boot operations
|
||||
ADD run.sh /run.sh
|
||||
RUN mv /etc/apache2/sites-available/misp-ssl.conf /etc/apache2/sites-available/misp-ssl.conf.bak
|
||||
ADD misp-ssl.conf /etc/apache2/sites-available/misp-ssl.conf
|
||||
RUN chmod 0755 /run.sh && touch /.firstboot.tmp
|
||||
|
||||
# Make a backup of /var/www/MISP to restore it to the local moint point at first boot
|
||||
WORKDIR /var/www/MISP
|
||||
RUN tar czpf /root/MISP.tgz .
|
||||
|
|
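Review bot: `RUN echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers` grants every account in the image passwordless root — including `www-data`, the account the rest of this file and run.sh run MISP as via `sudo -u www-data` — and nothing in the visible hunks removes it, so it ships in the runtime image and turns any compromise of the web process into root. If the installer only needs sudo for the `misp` build user, scope it with `echo "misp ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/misp-build` and delete that file in the same `RUN` that finishes `bash INSTALL_NODB.sh -A -u`, leaving only the narrow rules the runtime genuinely needs. Two related points in the same hunk: `FROM ubuntu:latest` replaces the pinned `ubuntu:focal`, so the installer runs against whichever Ubuntu release is current at build time (keep a pinned tag or digest), and the four INSTALL_NODB.sh checksum files added by this commit are never checked before the script is executed — a `RUN sha256sum -c <checksum-file>` before `chmod +x INSTALL_NODB.sh` would make the copied installer verifiable (better: `COPY --chmod=0755` and drop the separate chmod layer). In the second hunk, `ADD misp-ssl.conf /etc/apache2/sites-available/misp-ssl.conf` copies a plain local file and should be `COPY`, and the `.bak` left by the preceding `mv` stays in the image for no reason.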
|
@ -0,0 +1 @@
|
|||
a49d5521f405d20fc3dea76ee995e067d01c5c2c INSTALL_NODB.sh
|
|
@ -0,0 +1 @@
|
|||
8660be136c0127091888ef38a71eb551dba5fe4e0a2d4f53b5b9479a675da6b1 INSTALL_NODB.sh
|
|
@ -0,0 +1 @@
|
|||
03b5185082c6d77184520214cf2c263fd46068109c8972ede393b6bd0d99a30e7552ee6e70de5c87f9aea5ba41cd5f9f INSTALL_NODB.sh
|
|
@ -0,0 +1 @@
|
|||
92bb3778f344bb0673713e34a10cba99487d59c94e469c0a1b7de3a526169daef0d387b7bbff7a1bca49c67232ee1cfa2461e7d8caebb31554f3811e4350f111 INSTALL_NODB.sh
|
|
@ -0,0 +1,55 @@
|
|||
<VirtualHost *:80>
|
||||
ServerAdmin serveradmin@misp.local
|
||||
ServerName misp.local
|
||||
|
||||
DocumentRoot /var/www/MISP/app/webroot
|
||||
<Directory /var/www/MISP/app/webroot>
|
||||
Options -Indexes
|
||||
AllowOverride all
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/apache2/misp.local_p80_error.log
|
||||
CustomLog /var/log/apache2/misp.local_p80_access.log combined
|
||||
|
||||
Header always unset "X-Powered-By"
|
||||
|
||||
ServerSignature Off
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerAdmin serveradmin@misp.local
|
||||
ServerName misp.local
|
||||
DocumentRoot /var/www/MISP/app/webroot
|
||||
<Directory /var/www/MISP/app/webroot>
|
||||
Options -Indexes
|
||||
AllowOverride all
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
SSLEngine On
|
||||
# The line below disable unsecure Ciphers, might be enabled by default
|
||||
# SSLCipherSuite HIGH:!aNULL:!MD5
|
||||
SSLCertificateFile /etc/ssl/private/misp.local.crt
|
||||
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
|
||||
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
|
||||
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/apache2/misp.local_error.log
|
||||
CustomLog /var/log/apache2/misp.local_access.log combined
|
||||
|
||||
ServerSignature Off
|
||||
|
||||
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
|
||||
Header always set X-Content-Type-Options nosniff
|
||||
Header always set X-Frame-Options SAMEORIGIN
|
||||
Header always unset "X-Powered-By"
|
||||
|
||||
# TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
|
||||
## Example:
|
||||
# Header always set X-XSS-Protection "1; mode=block"
|
||||
# Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
|
||||
# Header always set Referrer-Policy "strict-origin-when-cross-origin"
|
||||
# Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
|
||||
</VirtualHost>
|
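Review bot: The `<VirtualHost *:80>` block serves the whole application in clear text (`DocumentRoot /var/www/MISP/app/webroot` with `Require all granted`) instead of redirecting, so logins and API keys can travel over plain HTTP even though the README change in this same commit states port 80 is redirected to 443; unless an `.htaccess` in the webroot performs the redirect (not visible here), replace the DocumentRoot/Directory section of the port-80 vhost with `Redirect permanent / https://misp.local/` (or a `RewriteRule` on `%{HTTP_HOST}` if the hostname is not fixed), keeping only the logging and header directives. In the 443 block, `SSLCipherSuite` is left commented out and no `SSLProtocol` is set, so protocol and cipher selection depends entirely on the base image's Apache/OpenSSL defaults; `SSLProtocol -all +TLSv1.2 +TLSv1.3` plus an uncommented `SSLCipherSuite HIGH:!aNULL:!MD5` pins that in the config regardless of which `ubuntu:latest` the image was built from. The HSTS value `"max-age=31536000; includeSubdomains;"` carries a trailing semicolon that browsers tolerate but is not part of the header grammar; `"max-age=31536000; includeSubDomains"` is the canonical form.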
37
web/run.sh
37
web/run.sh
|
@ -2,10 +2,12 @@
|
|||
#
|
||||
# MISP docker startup script
|
||||
# Xavier Mertens <xavier@rootshell.be>
|
||||
# Steven Goossens <steven@teamg.be>
|
||||
#
|
||||
# 2017/05/17 - Created
|
||||
# 2017/05/31 - Fixed small errors
|
||||
# 2019/10/17 - Use built-in mysql docker DB creation and use std env names (dafal)
|
||||
# 2021/03/09 - Update to work with the install script provided by MISP. Includes https support, Python venv,...
|
||||
#
|
||||
|
||||
set -e
|
||||
|
@ -103,27 +105,8 @@ if [ -r /.firstboot.tmp ]; then
|
|||
sed -i "s@'baseurl'[\t ]*=>[\t ]*'',@'baseurl' => '$MISP_BASEURL',@g" /var/www/MISP/app/Config/config.php
|
||||
fi
|
||||
|
||||
# Generate the admin user PGP key
|
||||
echo "Creating admin GnuPG key"
|
||||
if [ -z "$MISP_ADMIN_EMAIL" -o -z "$MISP_ADMIN_PASSPHRASE" ]; then
|
||||
echo "No admin details provided, don't forget to generate the PGP key manually!"
|
||||
else
|
||||
echo "Generating admin PGP key ... (please be patient, we need some entropy)"
|
||||
cat >/tmp/gpg.tmp <<GPGEOF
|
||||
%echo Generating a basic OpenPGP key
|
||||
Key-Type: RSA
|
||||
Key-Length: 2048
|
||||
Name-Real: MISP Admin
|
||||
Name-Email: $MISP_ADMIN_EMAIL
|
||||
Expire-Date: 0
|
||||
Passphrase: $MISP_ADMIN_PASSPHRASE
|
||||
%commit
|
||||
%echo Done
|
||||
GPGEOF
|
||||
sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key --batch /tmp/gpg.tmp >>/tmp/install.log
|
||||
rm -f /tmp/gpg.tmp
|
||||
sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --export --armor $MISP_ADMIN_EMAIL > /var/www/MISP/app/webroot/gpg.asc
|
||||
fi
|
||||
#Redis should not run as a daemon
|
||||
sed -i "s/daemonize yes/daemonize no/g" /etc/redis/redis.conf
|
||||
|
||||
# Display tips
|
||||
cat <<__WELCOME__
|
||||
|
@ -134,6 +117,15 @@ Don't forget:
|
|||
- Change the MISP admin email address to $MISP_ADMIN_EMAIL
|
||||
|
||||
__WELCOME__
|
||||
|
||||
#Add crontab to sync data from remote servers
|
||||
service cron start
|
||||
|
||||
##Schedule to sync all servers every hour
|
||||
{ crontab -l 2>/dev/null || true; echo "0 * * * * /var/www/MISP/app/Console/cake Server pullAll 2 full"; } | crontab -
|
||||
|
||||
##Schedule to fetch all feeds at 1 am
|
||||
{ crontab -l 2>/dev/null || true; echo "0 1 * * * /var/www/MISP/app/Console/cake Server fetchFeed 2 all"; } | crontab -
|
||||
rm -f /.firstboot.tmp
|
||||
fi
|
||||
|
||||
|
@ -141,11 +133,12 @@ fi
|
|||
# non-live will make it live again if the container restarts. That seems
|
||||
# better than the default which is that MISP is non-live on container restart.
|
||||
# Ideally live/non-live would be persisted in the database.
|
||||
/var/www/MISP/app/Console/cake Admin setSetting "MISP.python_bin" "/var/www/MISP/venv/bin/python"
|
||||
/var/www/MISP/app/Console/cake live 1
|
||||
chown www-data:www-data /var/www/MISP/app/Config/config.php*
|
||||
|
||||
# Start supervisord
|
||||
echo "Starting supervisord"
|
||||
cd /
|
||||
exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
|
||||
exec supervisord -c /etc/supervisor/conf.d/supervisord.conf
|
||||
|
||||
|
|
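Review bot: The cron setup added in the first-boot block installs the `cake Server pullAll` and `fetchFeed` jobs into root's crontab (`crontab -` with no `-u`), so they run as root and will likely leave root-owned cache and log files under the volume-mounted `/var/www/MISP/app` that the www-data Apache process can no longer write; use `crontab -u www-data -` for both entries so they run as the same user as the web application. Because `service cron start` sits inside `if [ -r /.firstboot.tmp ]; then … fi`, cron is started only on the very first boot; unless the supervisord config starts it on restart (the supervisord hunk on this page shows only `misp-modules`), move that call out of the first-boot block or add a `[program:cron]` entry so the schedule survives a container restart. The `if` that encloses this hunk begins outside it.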