diff --git a/README.md b/README.md
index 6e4423b..40fcf08 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,34 @@ The `docker-compose.yml` file allows further configuration settings:
 New options are added on a regular basis.
+#### Environment variable behaviour
+
+Set environment variables in .env to configure settings instead of in docker-compose.yml where possible. Setting the variables in .env will allow you to pull updates from Github without issues caused by a modified docker-compose.yml file, should there be an update for it.
+
+Environment variable driven settings are enforced every time the misp-core container starts. This means that if you change the config.php file or database for a setting that has a set environment variable, it will be changed to the environment variable value upon next container start. Empty environment variables may have a safe default which is enforced instead.
+
+If you push a change to add or remove an environment variable, please look in "core/files/etc/misp-docker/" for json files with "envars" in the name and adjust there.
+
+#### Unset safe default settings behaviour
+
+The misp-core container has definitions for minimum safe default settings which are set if needed each time the container starts. They will only be set if there is no existing entry in the config.php file or database for these settings. If you specify a custom value for any of these settings it will be respected. See the definitions of these in "core/files/etc/misp-docker" where the filenames contain the word "defaults".
+
+#### Storing system settings in the DB
+
+This container includes the "ENABLE_DB_SETTINGS" environment variable, which can be used to set "MISP.system.setting_db" to true or false. This changes the behaviour of where MISP chooses to store operator made settings changes; in config.php or in the system_settings database table. By default this is set to false.
+
+If a setting is not defined in the DB, but is defined in config.php, it will be read out of config.php and used. 
This can sometimes lead to operator confusion, so please check both locations for values when troubleshooting.
+
+If you change this setting from false to true, settings are not migrated from config.php to the database, but rather the above behaviour is relied upon.
+
+While storing system settings in the DB works as expected most of the time, you may come across some instances where a particular setting MUST be set in the config.php file. We have tried to side-step this issue by prepopulating the config.php file with all of these settings, but there could be more. If you encounter any issues like this, please raise an issue, and try configuring the setting in the config.php file instead.
+
+#### Overriding environment variable and unset safe default settings behaviours
+
+If you are trying to accomplish something and the above behaviours get in the way, please let us know as this is not intended.
+
+To override these behaviours edit the docker-compose.yml file's misp-core volume definitions to enable the "customize_misp.sh" behaviour (see the bottom of the Production section for details). The "customize_misp.sh" script triggers after the above behaviours complete and is an appropriate place to override a setting. It is suggested that you use the "/var/www/MISP/app/cake Admin setSetting" command to override a setting, as this tool is config.php file and database setting aware.
+
 ### Production
 - It is recommended to specify the build you want run by editing `docker-compose.yml` (see here for the list of available tags https://github.com/orgs/MISP/packages)
diff --git a/core/Dockerfile b/core/Dockerfile
index 4565e98..8e2bd0a 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -141,6 +141,7 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim"
 ARG PHP_VER
 RUN apt-get update; apt-get install -y --no-install-recommends \
+ gettext \
 procps \
 sudo \
 nginx \
diff --git a/core/files/configure_misp.sh b/core/files/configure_misp.sh
index 91f90dc..7e50e71 100755
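Review bot: The `gettext` package added to the apt-get line pulls the whole gettext toolchain into the runtime image, while the only tool the new configure_misp.sh code uses is `envsubst`, which Debian ships on its own in the much smaller `gettext-base` package. Replacing the line with `gettext-base \` keeps the image lean and reduces what is installed for no purpose. The `apt-get install` package list continues outside the hunk.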
--- a/core/files/configure_misp.sh
+++ b/core/files/configure_misp.sh
@@ -2,48 +2,41 @@
 source /rest_client.sh
 source /utilities.sh
-
-[ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
-[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
-[ -z "$REDIS_FQDN" ] && REDIS_FQDN="redis"
-[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
+[ -z "$ADMIN_EMAIL" ] && export ADMIN_EMAIL="admin@admin.test"
+[ -z "$GPG_PASSPHRASE" ] && export GPG_PASSPHRASE="passphrase"
+[ -z "$REDIS_FQDN" ] && export REDIS_FQDN="redis"
+[ -z "$MISP_MODULES_FQDN" ] && export MISP_MODULES_FQDN="http://misp-modules"
 # Switches to selectively disable configuration logic
 [ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
 [ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
 [ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
 [ -z "$LDAP_ENABLE" ] && LDAP_ENABLE="false"
+[ -z "$ENABLE_DB_SETTINGS" ] && ENABLE_DB_SETTINGS="false"
+
+# We now use envsubst for safe variable substitution with pseudo-json objects for env var enforcement
+# envsubst won't evaluate anything like $() or conditional variable expansion so lets do that here
+export PYTHON_BIN="$(which python3)"
+export GPG_BINARY="$(which gpg)"
+export SETTING_CONTACT="${MISP_CONTACT-$ADMIN_EMAIL}"
+export SETTING_EMAIL="${MISP_EMAIL-$ADMIN_EMAIL}"
+
+init_cli_only_config() {
+ # I think no matter what we do, we should wait for this table to turn up.
+ # Only really impacts us on first run, and on my machine only takes a few seconds to turn up.
+ await_system_settings_table
+ # Temporarily disable DB to apply cli_only settings, since these MUST be in the config.php file (by design or otherwise)
+ # This will reenable upon init_settings "db_enable" below if it is indeed enabled
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.system_setting_db" false
+ init_settings "cli_only"
+ init_settings "db_enable"
+}
 init_configuration(){
- # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
- echo "... 
configuring default settings"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.baseurl" "$BASE_URL"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${MISP_CONTACT-$ADMIN_EMAIL}"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.redis_host" "$REDIS_FQDN"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.python_bin" $(which python3)
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q -f "MISP.ca_path" "/etc/ssl/certs/ca-certificates.crt"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" true
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_services_enable" true
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Import_services_enable" true
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Export_services_enable" true
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Cortex_services_enable" false
+ init_settings "initialisation"
 }
 init_workers(){
- # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
- echo "... 
configuring background workers"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.enabled" true
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_port" 9001
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_password" "supervisor"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_user" "supervisor"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
-
 echo "... starting background workers"
 supervisorctl start misp-workers:*
 }
@@ -54,7 +47,7 @@ configure_gnupg() {
 return
 fi
- GPG_DIR=/var/www/MISP/.gnupg
+ export GPG_DIR=/var/www/MISP/.gnupg
 GPG_ASC=/var/www/MISP/app/webroot/gpg.asc
 GPG_TMP=/tmp/gpg.tmp
@@ -90,10 +83,7 @@ GPGEOF
 echo "... found exported key ${GPG_ASC}"
 fi
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.homedir" "${GPG_DIR}"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.password" "${GPG_PASSPHRASE}"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
+ init_settings "gpg"
 }
 set_up_oidc() {
@@ -212,8 +202,6 @@ set_up_aad() {
 }
 apply_updates() {
- # Disable weird default
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
 # Run updates (strip colors since output might end up in a log)
 sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g"
 }
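Review bot: The new `ENABLE_DB_SETTINGS` fallback is assigned without `export`, unlike the four fallbacks above it that this hunk changes to `export`, yet the new `db_enable.envars.json` reads `$ENABLE_DB_SETTINGS` through `envsubst`, which only sees the process environment. When the variable is absent from the environment altogether (not the compose case, where it arrives set-but-empty and bash keeps the inherited export attribute on reassignment), `envsubst` substitutes an empty string and `init_cli_only_config` hands `MISP.system_setting_db` an empty value right after having forced it to `false`. The one-line fix is `[ -z "$ENABLE_DB_SETTINGS" ] && export ENABLE_DB_SETTINGS="false"`. On the same lines, `export PYTHON_BIN="$(which python3)"` and `GPG_BINARY` would be more portable as `command -v`, and an empty lookup result is currently enforced as the binary path without any check.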
@@ -259,40 +247,114 @@ init_user() {
 }
 apply_critical_fixes() {
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.external_baseurl" "${BASE_URL}"
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.host_org_id" 1
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Action_services_enable" false
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_enable" false
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_popover_only" false
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.csp_enforce" true
- sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
- \"Security\": {
- \"rest_client_baseurl\": \"${BASE_URL}\"
- }
- }" > /dev/null
- sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
- \"Security\": {
- \"auth\": \"\"
- }
- }" > /dev/null
- # Avoids displaying errors not relevant to a docker container
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.self_update" false
+ init_settings "critical"
+
+ # Kludge for handling Security.auth array. Unrecognised by tools like cake admin setsetting.
+ local config_json=$(echo ''|/usr/bin/php)
+ if $(echo $config_json |jq -e 'getpath(("Security.auth" | split("."))) == null'); then
+ echo "Updating unset critical setting 'Security.auth' to 'Array()'..." 
+ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+ \"Security\": {
+ \"auth\": {}
+ }
+ }" > /dev/null
+ fi
 }
 apply_optional_fixes() {
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_top" ""
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_bottom" ""
+ init_settings "optional"
+}
-
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${ADMIN_EMAIL}"
- # This is not necessary because we update the DB directly
- # sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.org" "${ADMIN_ORG}"
+# Some settings return a value from cake Admin getSetting even if not set in config.php and database.
+# This means we cannot rely on that tool which inspects both db and file.
+# Leaving this here though in case the serverSettings model for those odd settings is fixed one day.
+#setting_is_set() {
+# local setting="$1"
+# local current_value="$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting $setting)"
+# local error_value="$(jq -r '.errorMessage' <<< $current_value)"
+#
+# if [[ "$current_value" =~ ^\{.*\}$ && "$error_value" != "Value not set." && "$error_value" != Invalid* ]]; then
+# return 0
+# else
+# return 1
+# fi
+#}
-
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_client_ip" true
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips" true
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips_authkeys" true
+# Kludgy alternative to using cake Admin getSetting. 
+setting_is_set_alt() {
+ local setting="$1"
+ local config_json=$(echo ''|/usr/bin/php)
+ local db_settings_enabled=$(jq -e 'getpath(("MISP.system_setting_db" | split("."))) // false' <<< $config_json)
+ local setting_in_config_file=$(jq -e 'getpath(("'"$setting"'" | split("."))) != null' <<< $config_json)
+ if $setting_in_config_file; then
+ return 0
+ elif $db_settings_enabled; then
+ local setting_in_db=$(echo "SELECT EXISTS(SELECT 1 FROM $MYSQL_DATABASE.system_settings WHERE setting = \"${setting}\");" | ${MYSQLCMD})
+ if [[ $setting_in_db -eq 1 ]]; then
+ return 0
+ fi
+ fi
+ return 1
+}
-
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_timeout" 30
- sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_timeout" 5
+set_default_settings() {
+ local settings_json="$1"
+ local description="$2"
+
+ for setting in $(jq -r 'keys[]' <<< $settings_json); do
+ local default_value="$(jq -r '."'"$setting"'"["default_value"]' <<< $settings_json)"
+ local command_args="$(jq -r '."'"$setting"'"["command_args"] // ""' <<< $settings_json)"
+
+ set_safe_default "$setting" "$default_value" "$description" "$command_args"
+ done
+}
+
+enforce_env_settings() {
+ local settings_json="$1"
+ local description="$2"
+ for setting in $(jq -r 'keys[]' <<< $settings_json); do
+ local default_value="$(jq -r '."'"$setting"'"["default_value"]' <<< $settings_json)"
+ local command_args="$(jq -r '."'"$setting"'"["command_args"] // ""' <<< $settings_json)"
+ echo "Enforcing $description setting '$setting' to env var or default value '$default_value'..."
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q $command_args "$setting" "$default_value"
+ done
+}
+
+set_safe_default() {
+ local setting="$1"
+ local default_value="$2"
+ local description="$3"
+ local command_args="$4"
+
+ if ! setting_is_set_alt "$setting"; then
+ echo "Updating unset $description setting '$setting' to '$default_value'..." 
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q $command_args "$setting" "$default_value"
+ fi
+}
+
+init_settings() {
+ local description="$1"
+ local enforced="/etc/misp-docker/${description}.envars.json"
+ local defaults="/etc/misp-docker/${description}.defaults.json"
+
+ if [[ -e "$enforced" ]]; then
+ echo "... enforcing env var settings"
+ local settings_json="$(envsubst < $enforced)"
+ enforce_env_settings "$settings_json" "$description"
+ fi
+
+ if [[ -e "$defaults" ]]; then
+ echo "... checking for unset default settings"
+ local settings_json="$(cat $defaults)"
+ set_default_settings "$settings_json" "$description"
+ fi
+}
+
+await_system_settings_table() {
+ until [[ $(echo "SELECT EXISTS(SELECT 1 FROM information_schema.tables WHERE table_schema = '$MYSQL_DATABASE' and table_name = 'system_settings');" | ${MYSQLCMD}) -eq 1 ]]; do
+ echo "... awaiting availability of system_settings table"
+ sleep 2
+ done
 }
 update_components() {
@@ -303,6 +365,13 @@ update_components() {
 sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
 }
+update_ca_certificates() {
+ # Upgrade host os certificates
+ update-ca-certificates
+ # Upgrade cake cacert.pem file from Mozilla project
+ echo "Updating /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem..."
+ sudo -u www-data curl -s --etag-compare /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/etag.txt --etag-save /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/etag.txt https://curl.se/ca/cacert.pem -o /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem
+}
 create_sync_servers() {
 if [ -z "$ADMIN_KEY" ]; then
@@ -353,7 +422,9 @@ create_sync_servers() {
 done
 }
-echo "MISP | Update CA certificates ..." && update-ca-certificates
+echo "MISP | Update CA certificates ..." && update_ca_certificates
+
+echo "MISP | CLI_only configuration directives ..." && init_cli_only_config
 echo "MISP | Initialize configuration ..." && init_configuration
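Review bot: `enforce_env_settings` echoes every value it enforces, so on each container start the GnuPG passphrase (`GnuPG.password` in `gpg.envars.json` expands to `$GPG_PASSPHRASE`) is written in clear to stdout, i.e. the container log; `set_safe_default` has the same echo and, via `cli_only.defaults.json`, covers `SimpleBackgroundJobs.supervisor_password`, `SimpleBackgroundJobs.redis_password`, `Security.encryption_key` and `Security.salt`. Redacting by setting name before the echo, as below, and applying the same guard to the echo in `set_safe_default`, keeps the log useful without the secret. A second problem sits in `init_settings`: `envsubst` performs no JSON escaping, so a `BASE_URL` or `GPG_PASSPHRASE` containing `"` or `\` corrupts the document, every `jq` call then fails silently inside `$(...)`, and `default_value` collapses to an empty string that `enforce_env_settings` applies unconditionally; a guard such as `jq -e . <<<"$settings_json" >/dev/null || { echo "invalid JSON after envsubst in $enforced" >&2; return 1; }` before `enforce_env_settings` turns that into a visible failure. Finally, `local config_json=$(echo ''|/usr/bin/php)` in `apply_critical_fixes` and `setting_is_set_alt` reads as though the PHP snippet between the quotes was lost in rendering; whatever it is, `local x=$(...)` masks its exit status and the unquoted `echo $config_json` word-splits and globs the JSON.
```bash
enforce_env_settings() {
  # … unchanged: settings_json / description locals …
  for setting in $(jq -r 'keys[]' <<< "$settings_json"); do
    # … unchanged: default_value / command_args lookup …
    local shown_value="$default_value"
    case "$setting" in
      *password*|*passphrase*|*encryption_key*|*salt*) shown_value='[redacted]' ;;
    esac
    echo "Enforcing $description setting '$setting' to env var or default value '$shown_value'..."
    # … unchanged: cake Admin setSetting call …
  done
}
```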
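Review bot: The `curl` call in `update_ca_certificates` runs with `-s` but without `--fail`, so an HTTP error body from the download host is written straight into `cacert.pem`, the very file that `MISP.ca_path` in `cli_only.defaults.json` and `initialisation.defaults.json` points MISP at, and `-s` hides the error that would explain the breakage. Using `-sSf`, downloading to a temporary file and moving it into place only on success (as below) keeps the previous bundle intact on any failure, including a 304 from `--etag-compare` that writes no body. Refreshing the trust store from the network at every start also means the bundle is accepted on the strength of the TLS session alone; if the project wants an integrity check, the publisher offers a checksum file next to the bundle that could be verified before the move. `--etag-save` runs as `www-data`, so it is worth confirming that the Config directory is writable by that user.
```bash
update_ca_certificates() {
  # … unchanged: update-ca-certificates and the "Updating …" echo …
  local cfg_dir=/var/www/MISP/app/Lib/cakephp/lib/Cake/Config
  local tmp
  tmp=$(sudo -u www-data mktemp "$cfg_dir/cacert.pem.XXXXXX") || return 1
  if sudo -u www-data curl -sSf --etag-compare "$cfg_dir/etag.txt" --etag-save "$cfg_dir/etag.txt" \
      https://curl.se/ca/cacert.pem -o "$tmp" && [[ -s "$tmp" ]]; then
    sudo -u www-data mv -f -- "$tmp" "$cfg_dir/cacert.pem"
  else
    sudo -u www-data rm -f -- "$tmp"
  fi
}
```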
diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index bcff31f..5576cc5 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
@@ -66,7 +66,8 @@ init_misp_data_files(){
 [ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/bootstrap.default.php of=$MISP_APP_CONFIG_PATH/bootstrap.php
 [ -f $MISP_APP_CONFIG_PATH/database.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/database.default.php of=$MISP_APP_CONFIG_PATH/database.php
 [ -f $MISP_APP_CONFIG_PATH/core.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/core.default.php of=$MISP_APP_CONFIG_PATH/core.php
- [ -f $MISP_APP_CONFIG_PATH/config.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/config.default.php of=$MISP_APP_CONFIG_PATH/config.php
+ [ -f $MISP_APP_CONFIG_PATH/config.php.template ] || dd if=$MISP_APP_CONFIG_PATH.dist/config.default.php of=$MISP_APP_CONFIG_PATH/config.php.template
+ [ -f $MISP_APP_CONFIG_PATH/config.php ] || echo -e "" > $MISP_APP_CONFIG_PATH/config.php
 [ -f $MISP_APP_CONFIG_PATH/email.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/email.php of=$MISP_APP_CONFIG_PATH/email.php
 [ -f $MISP_APP_CONFIG_PATH/routes.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/routes.php of=$MISP_APP_CONFIG_PATH/routes.php
diff --git a/core/files/etc/misp-docker/cli_only.defaults.json b/core/files/etc/misp-docker/cli_only.defaults.json
new file mode 100644
index 0000000..9fc792d
--- /dev/null
+++ b/core/files/etc/misp-docker/cli_only.defaults.json
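Review bot: The new config.php line reads `echo -e "" > $MISP_APP_CONFIG_PATH/config.php` here, which creates a file holding a single newline; the `-e` hints that the real content (a PHP opening tag and skeleton, presumably) was dropped in rendering, so this is worth checking against the actual commit before relying on the line. A fresh volume no longer receives the default config from `config.default.php`; that copy now lands in `config.php.template`, and nothing in the visible configure_misp.sh hunks reads that file, so where the template is consumed should be confirmed. If an empty file really is intended, `: > "$MISP_APP_CONFIG_PATH/config.php"` says so plainly and avoids `echo -e`, whose behaviour differs between shells; the variable is unquoted on every line of `init_misp_data_files`, which starts outside the hunk.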
@@ -0,0 +1,79 @@
+{
+ "MISP.tmpdir": {
+ "default_value": "/var/www/MISP/app/tmp"
+ },
+ "MISP.attachments_dir": {
+ "default_value": "/var/www/MISP/app/files"
+ },
+ "MISP.download_gpg_from_homedir": {
+ "default_value": false
+ },
+ "MISP.background_jobs": {
+ "default_value": true
+ },
+ "MISP.osuser": {
+ "default_value": "www-data"
+ },
+ "MISP.online_version_check": {
+ "default_value": true
+ },
+ "MISP.self_update": {
+ "default_value": false
+ },
+ "MISP.ca_path": {
+ "default_value": "/var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem"
+ },
+ "MISP.menu_custom_right_link": {
+ "default_value": ""
+ },
+ "MISP.menu_custom_right_link_html": {
+ "default_value": ""
+ },
+ "Security.rest_client_enable_arbitrary_urls": {
+ "default_value": false
+ },
+ "Security.disable_local_feed_access": {
+ "default_value": false
+ },
+ "Security.disable_instance_file_uploads": {
+ "default_value": false
+ },
+ "Security.encryption_key": {
+ "default_value": "",
+ "command_args": "-f"
+ },
+ "Security.salt": {
+ "default_value": "",
+ "command_args": "-f"
+ },
+ "SimpleBackgroundJobs.enabled": {
+ "default_value": true
+ },
+ "SimpleBackgroundJobs.supervisor_host": {
+ "default_value": "127.0.0.1"
+ },
+ "SimpleBackgroundJobs.supervisor_port": {
+ "default_value": 9001
+ },
+ "SimpleBackgroundJobs.supervisor_password": {
+ "default_value": "supervisor"
+ },
+ "SimpleBackgroundJobs.supervisor_user": {
+ "default_value": "supervisor"
+ },
+ "SimpleBackgroundJobs.redis_port": {
+ "default_value": 6379
+ },
+ "SimpleBackgroundJobs.redis_database": {
+ "default_value": 1
+ },
+ "SimpleBackgroundJobs.redis_password": {
+ "default_value": ""
+ },
+ "SimpleBackgroundJobs.redis_namespace": {
+ "default_value": "background_jobs"
+ },
+ "SimpleBackgroundJobs.max_job_history_ttl": {
+ "default_value": 86400
+ }
+}
diff --git a/core/files/etc/misp-docker/cli_only.envars.json b/core/files/etc/misp-docker/cli_only.envars.json
new file mode 100644
index 0000000..2535b65
--- /dev/null
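Review bot: `Security.salt` and `Security.encryption_key` get `""` as their default together with `"command_args": "-f"`, so on an instance where neither is set `set_safe_default` will force an empty salt and an empty encryption key into config.php; unless MISP's `setSetting` generates a random value when handed an empty one (worth confirming before merging), a container that now starts from an empty config.php ends up with no salt at all. If the goal is only to make sure the keys exist, generating the value in the script (from `/dev/urandom` or `openssl rand`) rather than shipping an empty literal would be the safer default. Two keys are also defined in more than one of the new files: `MISP.ca_path` here and in `initialisation.defaults.json`, and `Security.do_not_log_authkeys` in both `critical.defaults.json` and `initialisation.defaults.json`; the values agree today but will drift, so each setting should live in one file.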
+++ b/core/files/etc/misp-docker/cli_only.envars.json
@@ -0,0 +1,11 @@
+{
+ "MISP.python_bin": {
+ "default_value": "${PYTHON_BIN}"
+ },
+ "GnuPG.binary": {
+ "default_value": "${GPG_BINARY}"
+ },
+ "SimpleBackgroundJobs.redis_host": {
+ "default_value": "${REDIS_FQDN}"
+ }
+}
diff --git a/core/files/etc/misp-docker/critical.defaults.json b/core/files/etc/misp-docker/critical.defaults.json
new file mode 100644
index 0000000..c508a6b
--- /dev/null
+++ b/core/files/etc/misp-docker/critical.defaults.json
@@ -0,0 +1,20 @@
+{
+ "MISP.host_org_id": {
+ "default_value": 1
+ },
+ "Plugin.Action_services_enable": {
+ "default_value": false
+ },
+ "Plugin.Enrichment_hover_enable": {
+ "default_value": false
+ },
+ "Plugin.Enrichment_hover_popover_only": {
+ "default_value": false
+ },
+ "Security.csp_enforce": {
+ "default_value": true
+ },
+ "Security.do_not_log_authkeys": {
+ "default_value": true
+ }
+}
diff --git a/core/files/etc/misp-docker/critical.envars.json b/core/files/etc/misp-docker/critical.envars.json
new file mode 100644
index 0000000..650291b
--- /dev/null
+++ b/core/files/etc/misp-docker/critical.envars.json
@@ -0,0 +1,8 @@
+{
+ "MISP.external_baseurl": {
+ "default_value": "${BASE_URL}"
+ },
+ "Security.rest_client_baseurl": {
+ "default_value": "${BASE_URL}"
+ }
+}
diff --git a/core/files/etc/misp-docker/db_enable.envars.json b/core/files/etc/misp-docker/db_enable.envars.json
new file mode 100644
index 0000000..32c183f
--- /dev/null
+++ b/core/files/etc/misp-docker/db_enable.envars.json
@@ -0,0 +1,5 @@
+{
+ "MISP.system_setting_db": {
+ "default_value": "$ENABLE_DB_SETTINGS"
+ }
+}
diff --git a/core/files/etc/misp-docker/gpg.defaults.json b/core/files/etc/misp-docker/gpg.defaults.json
new file mode 100644
index 0000000..7fc74b2
--- /dev/null
+++ b/core/files/etc/misp-docker/gpg.defaults.json
@@ -0,0 +1,8 @@
+{
+ "GnuPG.onlyencrypted": {
+ "default_value": false
+ },
+ "SMIME.enabled": {
+ "default_value": false
+ }
+}
diff --git a/core/files/etc/misp-docker/gpg.envars.json b/core/files/etc/misp-docker/gpg.envars.json
new file mode 100644
index 0000000..009d0e7
--- /dev/null
+++ b/core/files/etc/misp-docker/gpg.envars.json
@@ -0,0 +1,11 @@
+{
+ "GnuPG.email": {
+ "default_value": "${SETTING_EMAIL}"
+ },
+ "GnuPG.homedir": {
+ "default_value": "${GPG_DIR}"
+ },
+ "GnuPG.password": {
+ "default_value": "${GPG_PASSPHRASE}"
+ }
+}
diff --git a/core/files/etc/misp-docker/initialisation.defaults.json b/core/files/etc/misp-docker/initialisation.defaults.json
new file mode 100644
index 0000000..445be68
--- /dev/null
+++ b/core/files/etc/misp-docker/initialisation.defaults.json
@@ -0,0 +1,134 @@
+{
+ "MISP.ca_path": {
+ "default_value": "/var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem"
+ },
+ "MISP.redis_port": {
+ "default_value": 6379
+ },
+ "MISP.redis_database": {
+ "default_value": 13
+ },
+ "MISP.redis_password": {
+ "default_value": ""
+ },
+ "MISP.language": {
+ "default_value": "eng"
+ },
+ "MISP.showorg": {
+ "default_value": true
+ },
+ "MISP.default_event_distribution": {
+ "default_value": 1
+ },
+ "MISP.default_event_tag_collection": {
+ "default_value": 0
+ },
+ "MISP.default_attribute_distribution": {
+ "default_value": "event"
+ },
+ "MISP.proposals_block_attributes": {
+ "default_value": false
+ },
+ "MISP.tagging": {
+ "default_value": true
+ },
+ "MISP.enableEventBlocklisting": {
+ "default_value": true
+ },
+ "MISP.enableOrgBlocklisting": {
+ "default_value": true
+ },
+ "MISP.store_api_access_time": {
+ "default_value": false
+ },
+ "MISP.log_auth": {
+ "default_value": true
+ },
+ "MISP.log_new_audit": {
+ "default_value": true
+ },
+ "MISP.disable_user_login_change": {
+ "default_value": false
+ },
+ "MISP.incoming_tags_disabled_by_default": {
+ "default_value": false
+ },
+ "MISP.full_tags_on_event_index": {
+ "default_value": 1
+ },
+ "MISP.event_alert_republish_ban": {
+ "default_value": true
+ },
+ "MISP.showCorrelationsOnIndex": {
+ "default_value": true
+ },
+ "MISP.user_email_notification_ban": {
+ "default_value": true
+ },
+ "MISP.delegation": {
+ "default_value": true
+ },
+ "MISP.take_ownership_xml_import": {
+ "default_value": false
+ },
+ "MISP.unpublishedprivate": {
+ "default_value": false
+ },
+ "MISP.terms_download": {
+ "default_value": false
+ },
+ "MISP.showorgalternate": {
+ "default_value": false
+ },
+ "MISP.event_alert_republish_ban_refresh_on_retry": {
+ "default_value": true
+ },
+ "MISP.event_alert_republish_ban_threshold": {
+ "default_value": 120
+ },
+ "Plugin.ZeroMQ_enable": {
+ "default_value": false
+ },
+ "Plugin.Enrichment_services_enable": {
+ "default_value": true
+ },
+ "Plugin.Import_services_enable": {
+ "default_value": true
+ },
+ "Plugin.Export_services_enable": {
+ "default_value": true
+ },
+ "Plugin.Cortex_services_enable": {
+ "default_value": false
+ },
+ "Security.advanced_authkeys": {
+ "default_value": true
+ },
+ "Security.disable_browser_cache": {
+ "default_value": true
+ },
+ "Security.check_sec_fetch_site_header": {
+ "default_value": true
+ },
+ "Security.username_in_response_header": {
+ "default_value": true
+ },
+ "Security.do_not_log_authkeys": {
+ "default_value": true
+ },
+ "Security.log_each_individual_auth_fail": {
+ "default_value": true
+ },
+ "Security.alert_on_suspicious_logins": {
+ "default_value": true
+ },
+ "Security.require_password_confirmation": {
+ "default_value": true
+ },
+ "SecureAuth.amount": {
+ "default_value": 5
+ },
+ "SecureAuth.expire": {
+ "default_value": 300
+ }
+}
diff --git a/core/files/etc/misp-docker/initialisation.envars.json b/core/files/etc/misp-docker/initialisation.envars.json
new file mode 100644
index 0000000..0628fb3
--- /dev/null
+++ b/core/files/etc/misp-docker/initialisation.envars.json
@@ -0,0 +1,29 @@
+{
+ "MISP.baseurl": {
+ "default_value": "${BASE_URL}"
+ },
+ "MISP.email": {
+ "default_value": "${SETTING_EMAIL}"
+ },
+ "MISP.contact": {
+ "default_value": "${SETTING_CONTACT}"
+ },
+ "MISP.redis_host": {
+ "default_value": "${REDIS_FQDN}"
+ },
+ "Plugin.ZeroMQ_redis_host": {
+ "default_value": "${REDIS_FQDN}"
+ },
+ "Plugin.Enrichment_services_url": {
+ "default_value": "${MISP_MODULES_FQDN}"
+ },
+ "Plugin.Import_services_url": {
+ "default_value": "${MISP_MODULES_FQDN}"
+ },
+ "Plugin.Action_services_url": {
+ "default_value": "${MISP_MODULES_FQDN}"
+ },
+ "Plugin.Export_services_url": {
+ "default_value": "${MISP_MODULES_FQDN}"
+ }
+}
diff --git a/core/files/etc/misp-docker/optional.defaults.json b/core/files/etc/misp-docker/optional.defaults.json
new file mode 100644
index 0000000..b876e4c
--- /dev/null
+++ b/core/files/etc/misp-docker/optional.defaults.json
@@ -0,0 +1,25 @@
+{
+ "MISP.welcome_text_top": {
+ "default_value": "",
+ "command_args": "-f"
+ },
+ "MISP.welcome_text_bottom": {
+ "default_value": "",
+ "command_args": "-f"
+ },
+ "MISP.log_client_ip": {
+ "default_value": true
+ },
+ "MISP.log_user_ips": {
+ "default_value": true
+ },
+ "MISP.log_user_ips_authkeys": {
+ "default_value": true
+ },
+ "Plugin.Enrichment_timeout": {
+ "default_value": 30
+ },
+ "Plugin.Enrichment_hover_timeout": {
+ "default_value": 5
+ }
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index 43d5998..bb27486 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -86,6 +86,7 @@ services:
 - "CRON_USER_ID=${CRON_USER_ID}"
 - "DISABLE_IPV6=${DISABLE_IPV6}"
 - "DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT}"
+ - "ENABLE_DB_SETTINGS=${ENABLE_DB_SETTINGS}"
 # standard settings
 - "ADMIN_EMAIL=${ADMIN_EMAIL}"
 - "ADMIN_PASSWORD=${ADMIN_PASSWORD}"
diff --git a/template.env b/template.env
index f0b28a5..a2b249b 100644
--- a/template.env
+++ b/template.env
@@ -41,6 +41,8 @@ GPG_PASSPHRASE=
 CRON_USER_ID=
 # defaults to 'https://localhost'
 BASE_URL=
+# store settings in db except those that must stay in config.php. true/false, defaults to false
+ENABLE_DB_SETTINGS=
 # optional and used by the mail sub-system
 SMARTHOST_ADDRESS=