Introduce new system to persist mandatory and optional settings (#66)

* Make safe settings functions handling config json objects. 
* Also, update cake's cacerts. Previous method was using ubuntu's crts, which weren't pem.
* Bring config inline with previous config.php template version.
* Move settings into files in /etc/misp-docker.
* Fix Security.auth kludge.
* Rename functions and settings json files for a bit more clarity.
* Add documentation to README.md.
* Add a bit of context around adding new envars.
* Add ENABLE_DB_SETTINGS envar for turning on MISP.system_setting_db.
* Add documentation regarding new envar, and add to docker-compose.yml and template.php.
* Move "weird default" ZeroMQ setting to initialisation settings.
* Move some settings to cli_only.
* Add code to disable DB settings when applying cli_only settings.
* Change system_settings table availability check to until loop.
* Some language changes for clarity.
pull/70/head
UFOSmuggler 2024-06-06 18:30:12 +10:00 committed by GitHub
parent 639d6e746b
commit d56c893f4d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
16 changed files with 502 additions and 68 deletions

View File

@ -62,6 +62,34 @@ The `docker-compose.yml` file allows further configuration settings:
New options are added on a regular basis.
#### Environment variable behaviour
Set environment variables in .env to configure settings instead of in docker-compose.yml where possible. Setting the variables in .env will allow you to pull updates from Github without issues caused by a modified docker-compose.yml file, should there be an update for it.
Environment variable driven settings are enforced every time the misp-core container starts. This means that if you change the config.php file or database for a setting that has a set environment variable, it will be changed to the environment variable value upon next container start. Empty environment variables may have a safe default which is enforced instead.
If you push a change to add or remove an environment variable, please look in "core/files/etc/misp-docker/" for json files with "envars" in the name and adjust there.
#### Unset safe default settings behaviour
The misp-core container has definitions for minimum safe default settings which are set if needed each time the container starts. They will only be set if there is no existing entry in the config.php file or database for these settings. If you specify a custom value for any of these settings it will be respected. See the definitions of these in "core/files/etc/misp-docker" where the filenames contain the word "defaults".
#### Storing system settings in the DB
This container includes the "ENABLE_DB_SETTINGS" environment variable, which can be used to set "MISP.system.setting_db" to true or false. This changes the behaviour of where MISP chooses to store operator made settings changes; in config.php or in the system_settings database table. By default this is set to false.
If a setting is not defined in the DB, but is defined in config.php, it will be read out of config.php and used. This can sometimes lead to operator confusion, so please check both locations for values when troubleshooting.
If you change this setting from false to true, settings are not migrated from config.php to the database, but rather the above behaviour is relied upon.
While storing system settings in the DB works as expected most of the time, you may come across some instances where a particular setting MUST be set in the config.php file. We have tried to side-step this issue by prepopulating the config.php file with all of these settings, but there could be more. If you encounter any issues like this, please raise an issue, and try configuring the setting in the config.php file instead.
#### Overriding environment variable and unset safe default settings behaviours
If you are trying to accomplish something and the above behaviours get in the way, please let us know as this is not intended.
To override these behaviours edit the docker-compose.yml file's misp-core volume definitions to enable the "customize_misp.sh" behaviour (see the bottom of the Production section for details). The "customize_misp.sh" script triggers after the above behaviours complete and is an appropriate place to override a setting. It is suggested that you use the "/var/www/MISP/app/cake Admin setSetting" command to override a setting, as this tool is config.php file and database setting aware.
### Production
- It is recommended to specify the build you want run by editing `docker-compose.yml` (see here for the list of available tags https://github.com/orgs/MISP/packages)

View File

@ -141,6 +141,7 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim"
ARG PHP_VER
RUN apt-get update; apt-get install -y --no-install-recommends \
gettext \
procps \
sudo \
nginx \

View File

@ -2,48 +2,41 @@
source /rest_client.sh
source /utilities.sh
[ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
[ -z "$REDIS_FQDN" ] && REDIS_FQDN="redis"
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
[ -z "$ADMIN_EMAIL" ] && export ADMIN_EMAIL="admin@admin.test"
[ -z "$GPG_PASSPHRASE" ] && export GPG_PASSPHRASE="passphrase"
[ -z "$REDIS_FQDN" ] && export REDIS_FQDN="redis"
[ -z "$MISP_MODULES_FQDN" ] && export MISP_MODULES_FQDN="http://misp-modules"
# Switches to selectively disable configuration logic
[ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
[ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
[ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
[ -z "$LDAP_ENABLE" ] && LDAP_ENABLE="false"
[ -z "$ENABLE_DB_SETTINGS" ] && ENABLE_DB_SETTINGS="false"
# We now use envsubst for safe variable substitution with pseudo-json objects for env var enforcement
# envsubst won't evaluate anything like $() or conditional variable expansion so lets do that here
export PYTHON_BIN="$(which python3)"
export GPG_BINARY="$(which gpg)"
export SETTING_CONTACT="${MISP_CONTACT-$ADMIN_EMAIL}"
export SETTING_EMAIL="${MISP_EMAIL-$ADMIN_EMAIL}"
init_cli_only_config() {
# I think no matter what we do, we should wait for this table to turn up.
# Only really impacts us on first run, and on my machine only takes a few seconds to turn up.
await_system_settings_table
# Temporarily disable DB to apply cli_only settings, since these MUST be in the config.php file (by design or otherwise)
# This will reenable upon init_settings "db_enable" below if it is indeed enabled
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.system_setting_db" false
init_settings "cli_only"
init_settings "db_enable"
}
init_configuration(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring default settings"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.baseurl" "$BASE_URL"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${MISP_CONTACT-$ADMIN_EMAIL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.python_bin" $(which python3)
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q -f "MISP.ca_path" "/etc/ssl/certs/ca-certificates.crt"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Import_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Export_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Cortex_services_enable" false
init_settings "initialisation"
}
init_workers(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring background workers"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.enabled" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_port" 9001
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_password" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_user" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
echo "... starting background workers"
supervisorctl start misp-workers:*
}
@ -54,7 +47,7 @@ configure_gnupg() {
return
fi
GPG_DIR=/var/www/MISP/.gnupg
export GPG_DIR=/var/www/MISP/.gnupg
GPG_ASC=/var/www/MISP/app/webroot/gpg.asc
GPG_TMP=/tmp/gpg.tmp
@ -90,10 +83,7 @@ GPGEOF
echo "... found exported key ${GPG_ASC}"
fi
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.homedir" "${GPG_DIR}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.password" "${GPG_PASSPHRASE}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
init_settings "gpg"
}
set_up_oidc() {
@ -212,8 +202,6 @@ set_up_aad() {
}
apply_updates() {
# Disable weird default
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
# Run updates (strip colors since output might end up in a log)
sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g"
}
@ -259,40 +247,114 @@ init_user() {
}
apply_critical_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.external_baseurl" "${BASE_URL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.host_org_id" 1
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Action_services_enable" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_enable" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_popover_only" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.csp_enforce" true
init_settings "critical"
# Kludge for handling Security.auth array. Unrecognised by tools like cake admin setsetting.
local config_json=$(echo '<?php require_once "/var/www/MISP/app/Config/config.php"; echo json_encode($config, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES); ?>'|/usr/bin/php)
if $(echo $config_json |jq -e 'getpath(("Security.auth" | split("."))) == null'); then
echo "Updating unset critical setting 'Security.auth' to 'Array()'..."
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"rest_client_baseurl\": \"${BASE_URL}\"
\"auth\": {}
}
}" > /dev/null
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": \"\"
}
}" > /dev/null
# Avoids displaying errors not relevant to a docker container
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.self_update" false
fi
}
apply_optional_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_top" ""
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_bottom" ""
init_settings "optional"
}
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${ADMIN_EMAIL}"
# This is not necessary because we update the DB directly
# sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.org" "${ADMIN_ORG}"
# Some settings return a value from cake Admin getSetting even if not set in config.php and database.
# This means we cannot rely on that tool which inspects both db and file.
# Leaving this here though in case the serverSettings model for those odd settings is fixed one day.
#setting_is_set() {
# local setting="$1"
# local current_value="$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting $setting)"
# local error_value="$(jq -r '.errorMessage' <<< $current_value)"
#
# if [[ "$current_value" =~ ^\{.*\}$ && "$error_value" != "Value not set." && "$error_value" != Invalid* ]]; then
# return 0
# else
# return 1
# fi
#}
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_client_ip" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips_authkeys" true
# Kludgy alternative to using cake Admin getSetting.
setting_is_set_alt() {
local setting="$1"
local config_json=$(echo '<?php require_once "/var/www/MISP/app/Config/config.php"; echo json_encode($config, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES); ?>'|/usr/bin/php)
local db_settings_enabled=$(jq -e 'getpath(("MISP.system_setting_db" | split("."))) // false' <<< $config_json)
local setting_in_config_file=$(jq -e 'getpath(("'"$setting"'" | split("."))) != null' <<< $config_json)
if $setting_in_config_file; then
return 0
elif $db_settings_enabled; then
local setting_in_db=$(echo "SELECT EXISTS(SELECT 1 FROM $MYSQL_DATABASE.system_settings WHERE setting = \"${setting}\");" | ${MYSQLCMD})
if [[ $setting_in_db -eq 1 ]]; then
return 0
fi
fi
return 1
}
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_timeout" 30
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_timeout" 5
set_default_settings() {
local settings_json="$1"
local description="$2"
for setting in $(jq -r 'keys[]' <<< $settings_json); do
local default_value="$(jq -r '."'"$setting"'"["default_value"]' <<< $settings_json)"
local command_args="$(jq -r '."'"$setting"'"["command_args"] // ""' <<< $settings_json)"
set_safe_default "$setting" "$default_value" "$description" "$command_args"
done
}
enforce_env_settings() {
local settings_json="$1"
local description="$2"
for setting in $(jq -r 'keys[]' <<< $settings_json); do
local default_value="$(jq -r '."'"$setting"'"["default_value"]' <<< $settings_json)"
local command_args="$(jq -r '."'"$setting"'"["command_args"] // ""' <<< $settings_json)"
echo "Enforcing $description setting '$setting' to env var or default value '$default_value'..."
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q $command_args "$setting" "$default_value"
done
}
set_safe_default() {
local setting="$1"
local default_value="$2"
local description="$3"
local command_args="$4"
if ! setting_is_set_alt "$setting"; then
echo "Updating unset $description setting '$setting' to '$default_value'..."
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q $command_args "$setting" "$default_value"
fi
}
init_settings() {
local description="$1"
local enforced="/etc/misp-docker/${description}.envars.json"
local defaults="/etc/misp-docker/${description}.defaults.json"
if [[ -e "$enforced" ]]; then
echo "... enforcing env var settings"
local settings_json="$(envsubst < $enforced)"
enforce_env_settings "$settings_json" "$description"
fi
if [[ -e "$defaults" ]]; then
echo "... checking for unset default settings"
local settings_json="$(cat $defaults)"
set_default_settings "$settings_json" "$description"
fi
}
await_system_settings_table() {
until [[ $(echo "SELECT EXISTS(SELECT 1 FROM information_schema.tables WHERE table_schema = '$MYSQL_DATABASE' and table_name = 'system_settings');" | ${MYSQLCMD}) -eq 1 ]]; do
echo "... awaiting availability of system_settings table"
sleep 2
done
}
update_components() {
@ -303,6 +365,13 @@ update_components() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
}
update_ca_certificates() {
# Upgrade host os certificates
update-ca-certificates
# Upgrade cake cacert.pem file from Mozilla project
echo "Updating /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem..."
sudo -u www-data curl -s --etag-compare /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/etag.txt --etag-save /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/etag.txt https://curl.se/ca/cacert.pem -o /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem
}
create_sync_servers() {
if [ -z "$ADMIN_KEY" ]; then
@ -353,7 +422,9 @@ create_sync_servers() {
done
}
echo "MISP | Update CA certificates ..." && update-ca-certificates
echo "MISP | Update CA certificates ..." && update_ca_certificates
echo "MISP | CLI_only configuration directives ..." && init_cli_only_config
echo "MISP | Initialize configuration ..." && init_configuration

View File

@ -66,7 +66,8 @@ init_misp_data_files(){
[ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/bootstrap.default.php of=$MISP_APP_CONFIG_PATH/bootstrap.php
[ -f $MISP_APP_CONFIG_PATH/database.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/database.default.php of=$MISP_APP_CONFIG_PATH/database.php
[ -f $MISP_APP_CONFIG_PATH/core.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/core.default.php of=$MISP_APP_CONFIG_PATH/core.php
[ -f $MISP_APP_CONFIG_PATH/config.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/config.default.php of=$MISP_APP_CONFIG_PATH/config.php
[ -f $MISP_APP_CONFIG_PATH/config.php.template ] || dd if=$MISP_APP_CONFIG_PATH.dist/config.default.php of=$MISP_APP_CONFIG_PATH/config.php.template
[ -f $MISP_APP_CONFIG_PATH/config.php ] || echo -e "<?php\n\$config=array();\n?>" > $MISP_APP_CONFIG_PATH/config.php
[ -f $MISP_APP_CONFIG_PATH/email.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/email.php of=$MISP_APP_CONFIG_PATH/email.php
[ -f $MISP_APP_CONFIG_PATH/routes.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/routes.php of=$MISP_APP_CONFIG_PATH/routes.php

View File

@ -0,0 +1,79 @@
{
"MISP.tmpdir": {
"default_value": "/var/www/MISP/app/tmp"
},
"MISP.attachments_dir": {
"default_value": "/var/www/MISP/app/files"
},
"MISP.download_gpg_from_homedir": {
"default_value": false
},
"MISP.background_jobs": {
"default_value": true
},
"MISP.osuser": {
"default_value": "www-data"
},
"MISP.online_version_check": {
"default_value": true
},
"MISP.self_update": {
"default_value": false
},
"MISP.ca_path": {
"default_value": "/var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem"
},
"MISP.menu_custom_right_link": {
"default_value": ""
},
"MISP.menu_custom_right_link_html": {
"default_value": ""
},
"Security.rest_client_enable_arbitrary_urls": {
"default_value": false
},
"Security.disable_local_feed_access": {
"default_value": false
},
"Security.disable_instance_file_uploads": {
"default_value": false
},
"Security.encryption_key": {
"default_value": "",
"command_args": "-f"
},
"Security.salt": {
"default_value": "",
"command_args": "-f"
},
"SimpleBackgroundJobs.enabled": {
"default_value": true
},
"SimpleBackgroundJobs.supervisor_host": {
"default_value": "127.0.0.1"
},
"SimpleBackgroundJobs.supervisor_port": {
"default_value": 9001
},
"SimpleBackgroundJobs.supervisor_password": {
"default_value": "supervisor"
},
"SimpleBackgroundJobs.supervisor_user": {
"default_value": "supervisor"
},
"SimpleBackgroundJobs.redis_port": {
"default_value": 6379
},
"SimpleBackgroundJobs.redis_database": {
"default_value": 1
},
"SimpleBackgroundJobs.redis_password": {
"default_value": ""
},
"SimpleBackgroundJobs.redis_namespace": {
"default_value": "background_jobs"
},
"SimpleBackgroundJobs.max_job_history_ttl": {
"default_value": 86400
}
}

View File

@ -0,0 +1,11 @@
{
"MISP.python_bin": {
"default_value": "${PYTHON_BIN}"
},
"GnuPG.binary": {
"default_value": "${GPG_BINARY}"
},
"SimpleBackgroundJobs.redis_host": {
"default_value": "${REDIS_FQDN}"
}
}

View File

@ -0,0 +1,20 @@
{
"MISP.host_org_id": {
"default_value": 1
},
"Plugin.Action_services_enable": {
"default_value": false
},
"Plugin.Enrichment_hover_enable": {
"default_value": false
},
"Plugin.Enrichment_hover_popover_only": {
"default_value": false
},
"Security.csp_enforce": {
"default_value": true
},
"Security.do_not_log_authkeys": {
"default_value": true
}
}

View File

@ -0,0 +1,8 @@
{
"MISP.external_baseurl": {
"default_value": "${BASE_URL}"
},
"Security.rest_client_baseurl": {
"default_value": "${BASE_URL}"
}
}

View File

@ -0,0 +1,5 @@
{
"MISP.system_setting_db": {
"default_value": "$ENABLE_DB_SETTINGS"
}
}

View File

@ -0,0 +1,8 @@
{
"GnuPG.onlyencrypted": {
"default_value": false
},
"SMIME.enabled": {
"default_value": false
}
}

View File

@ -0,0 +1,11 @@
{
"GnuPG.email": {
"default_value": "${SETTING_EMAIL}"
},
"GnuPG.homedir": {
"default_value": "${GPG_DIR}"
},
"GnuPG.password": {
"default_value": "${GPG_PASSPHRASE}"
}
}

View File

@ -0,0 +1,134 @@
{
"MISP.ca_path": {
"default_value": "/var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem"
},
"MISP.redis_port": {
"default_value": 6379
},
"MISP.redis_database": {
"default_value": 13
},
"MISP.redis_password": {
"default_value": ""
},
"MISP.language": {
"default_value": "eng"
},
"MISP.showorg": {
"default_value": true
},
"MISP.default_event_distribution": {
"default_value": 1
},
"MISP.default_event_tag_collection": {
"default_value": 0
},
"MISP.default_attribute_distribution": {
"default_value": "event"
},
"MISP.proposals_block_attributes": {
"default_value": false
},
"MISP.tagging": {
"default_value": true
},
"MISP.enableEventBlocklisting": {
"default_value": true
},
"MISP.enableOrgBlocklisting": {
"default_value": true
},
"MISP.store_api_access_time": {
"default_value": false
},
"MISP.log_auth": {
"default_value": true
},
"MISP.log_new_audit": {
"default_value": true
},
"MISP.disable_user_login_change": {
"default_value": false
},
"MISP.incoming_tags_disabled_by_default": {
"default_value": false
},
"MISP.full_tags_on_event_index": {
"default_value": 1
},
"MISP.event_alert_republish_ban": {
"default_value": true
},
"MISP.showCorrelationsOnIndex": {
"default_value": true
},
"MISP.user_email_notification_ban": {
"default_value": true
},
"MISP.delegation": {
"default_value": true
},
"MISP.take_ownership_xml_import": {
"default_value": false
},
"MISP.unpublishedprivate": {
"default_value": false
},
"MISP.terms_download": {
"default_value": false
},
"MISP.showorgalternate": {
"default_value": false
},
"MISP.event_alert_republish_ban_refresh_on_retry": {
"default_value": true
},
"MISP.event_alert_republish_ban_threshold": {
"default_value": 120
},
"Plugin.ZeroMQ_enable": {
"default_value": false
},
"Plugin.Enrichment_services_enable": {
"default_value": true
},
"Plugin.Import_services_enable": {
"default_value": true
},
"Plugin.Export_services_enable": {
"default_value": true
},
"Plugin.Cortex_services_enable": {
"default_value": false
},
"Security.advanced_authkeys": {
"default_value": true
},
"Security.disable_browser_cache": {
"default_value": true
},
"Security.check_sec_fetch_site_header": {
"default_value": true
},
"Security.username_in_response_header": {
"default_value": true
},
"Security.do_not_log_authkeys": {
"default_value": true
},
"Security.log_each_individual_auth_fail": {
"default_value": true
},
"Security.alert_on_suspicious_logins": {
"default_value": true
},
"Security.require_password_confirmation": {
"default_value": true
},
"SecureAuth.amount": {
"default_value": 5
},
"SecureAuth.expire": {
"default_value": 300
}
}

View File

@ -0,0 +1,29 @@
{
"MISP.baseurl": {
"default_value": "${BASE_URL}"
},
"MISP.email": {
"default_value": "${SETTING_EMAIL}"
},
"MISP.contact": {
"default_value": "${SETTING_CONTACT}"
},
"MISP.redis_host": {
"default_value": "${REDIS_FQDN}"
},
"Plugin.ZeroMQ_redis_host": {
"default_value": "${REDIS_FQDN}"
},
"Plugin.Enrichment_services_url": {
"default_value": "${MISP_MODULES_FQDN}"
},
"Plugin.Import_services_url": {
"default_value": "${MISP_MODULES_FQDN}"
},
"Plugin.Action_services_url": {
"default_value": "${MISP_MODULES_FQDN}"
},
"Plugin.Export_services_url": {
"default_value": "${MISP_MODULES_FQDN}"
}
}

View File

@ -0,0 +1,25 @@
{
"MISP.welcome_text_top": {
"default_value": "",
"command_args": "-f"
},
"MISP.welcome_text_bottom": {
"default_value": "",
"command_args": "-f"
},
"MISP.log_client_ip": {
"default_value": true
},
"MISP.log_user_ips": {
"default_value": true
},
"MISP.log_user_ips_authkeys": {
"default_value": true
},
"Plugin.Enrichment_timeout": {
"default_value": 30
},
"Plugin.Enrichment_hover_timeout": {
"default_value": 5
}
}

View File

@ -86,6 +86,7 @@ services:
- "CRON_USER_ID=${CRON_USER_ID}"
- "DISABLE_IPV6=${DISABLE_IPV6}"
- "DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT}"
- "ENABLE_DB_SETTINGS=${ENABLE_DB_SETTINGS}"
# standard settings
- "ADMIN_EMAIL=${ADMIN_EMAIL}"
- "ADMIN_PASSWORD=${ADMIN_PASSWORD}"

View File

@ -41,6 +41,8 @@ GPG_PASSPHRASE=
CRON_USER_ID=
# defaults to 'https://localhost'
BASE_URL=
# store settings in db except those that must stay in config.php. true/false, defaults to false
ENABLE_DB_SETTINGS=
# optional and used by the mail sub-system
SMARTHOST_ADDRESS=