Now using Ubuntu 17.10 server + various improvements.

2018-01-26 08:00:03 +01:00 · 2018-01-26 08:00:03 +01:00 · 3f02814622
parent d2cc59ce45
commit 3f02814622
3 changed files with 122 additions and 138 deletions
--- a/README.rst
+++ b/README.rst
@ -25,7 +25,7 @@ Requirements
 Deployment of MISP
 ------------------

-MISP will be automatically deployed in an Ubuntu Zesty Server.
+MISP will be automatically deployed in an Ubuntu Artful Server.

 .. code-block:: bash

--- a/6
+++ b/6
@ -12,9 +12,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # please see the online documentation at vagrantup.com.

  # Every Vagrant virtual environment requires a box to build off of.
-  #config.vm.box = "bento/ubuntu-16.04"
-  config.vm.box = "ubuntu/zesty64"
-  #config.vm.box_url = "https://atlas.hashicorp.com/ubuntu/boxes/zesty64/versions/20170412.1.0"
+  config.vm.box = "ubuntu/artful64"
  config.vm.provision :shell, path: "bootstrap.sh", args: "#{MISP_ENV}"

  # Disable automatic box update checking. If you disable this, then
@ -46,7 +44,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # the path on the guest to mount the folder. And the optional third
  # argument is a set of non-required options.
  disabled = true
-  vm_name = "MISP - Ubuntu 17.04"
+  vm_name = "MISP - Ubuntu 17.10"
  if "#{MISP_ENV}" == "dev"
      disabled = false
      vm_name.concat(" - DEV")
--- a/bootstrap.sh
+++ b/bootstrap.sh
@ -36,31 +36,48 @@ GPG_EMAIL_ADDRESS='info@localhost'
 GPG_KEY_LENGTH='2048'
 GPG_PASSPHRASE=''

+# Sane PHP defaults
+upload_max_filesize=50M
+post_max_size=50M
+max_execution_time=300
+max_input_time=223
+memory_limit=512M
+PHP_INI=/etc/php/7.1/apache2/php.ini

-echo "--- Installing MISP... ---"
+
+export DEBIAN_FRONTEND=noninteractive
+export LANGUAGE=en_US.UTF-8
+export LANG=en_US.UTF-8
+export LC_ALL=en_US.UTF-8
+locale-gen en_US.UTF-8
+dpkg-reconfigure locales
+
+
+echo "--- Installing MISP… ---"
 echo "--- Updating packages list ---"
-sudo apt-get -qq update
+apt-get update


-echo "--- Install base packages ---"
-sudo apt-get -y install curl net-tools gcc git gnupg-agent make python openssl redis-server sudo vim zip > /dev/null 2>&1
+echo "--- Install base packages… ---"
+apt-get -y install curl net-tools gcc git gnupg-agent make python openssl redis-server sudo vim zip > /dev/null


-echo "--- Installing and configuring Postfix ---"
+echo "--- Installing and configuring Postfix… ---"
 # # Postfix Configuration: Satellite system
 # # change the relay server later with:
-# sudo postconf -e 'relayhost = example.com'
-# sudo postfix reload
+# postconf -e 'relayhost = example.com'
+# postfix reload
 echo "postfix postfix/mailname string `hostname`.misp.local" | debconf-set-selections
 echo "postfix postfix/main_mailer_type string 'Satellite system'" | debconf-set-selections
-sudo apt-get install -y postfix > /dev/null 2>&1
+apt-get install -y postfix > /dev/null


-echo "--- Installing MariaDB specific packages and settings ---"
-sudo apt-get install -y mariadb-client mariadb-server > /dev/null 2>&1
+echo "--- Installing MariaDB specific packages and settings… ---"
+apt-get install -y mariadb-client mariadb-server > /dev/null
 # Secure the MariaDB installation (especially by setting a strong root password)
-sleep 7 # give some time to the DB to launch...
-sudo apt-get install -y expect > /dev/null 2>&1
+sleep 10 # give some time to the DB to launch...
+systemctl restart mariadb.service
+apt-get install -y expect > /dev/null
 expect -f - <<-EOF
  set timeout 10
  spawn mysql_secure_installation
@ -82,34 +99,41 @@ expect -f - <<-EOF
  send -- "y\r"
  expect eof
 EOF
-sudo apt-get purge -y expect > /dev/null 2>&1
+apt-get purge -y expect > /dev/null


-echo "--- Installing Apache2 ---"
-sudo apt-get install -y apache2 apache2-doc apache2-utils > /dev/null 2>&1
-sudo a2dismod status > /dev/null 2>&1
-sudo a2enmod ssl > /dev/null 2>&1
-sudo a2enmod rewrite > /dev/null 2>&1
-sudo a2dissite 000-default > /dev/null 2>&1
-sudo a2ensite default-ssl > /dev/null 2>&1
+echo "--- Installing Apache2… ---"
+apt-get install -y apache2 apache2-doc apache2-utils > /dev/null
+a2dismod status > /dev/null
+a2enmod ssl > /dev/null
+a2enmod rewrite > /dev/null
+a2dissite 000-default > /dev/null
+a2ensite default-ssl > /dev/null


-echo "--- Installing PHP-specific packages ---"
-sudo apt-get install -y libapache2-mod-php php php-cli php-crypt-gpg php-dev php-json php-mysql php-opcache php-readline php-redis php-xml > /dev/null 2>&1
+echo "--- Installing PHP-specific packages… ---"
+apt-get install -y libapache2-mod-php php php-cli php-crypt-gpg php-dev php-json php-mysql php-opcache php-readline php-redis php-xml > /dev/null


-echo "--- Restarting Apache ---"
-sudo systemctl restart apache2 > /dev/null 2>&1
+echo -e "\n--- Configuring PHP (sane PHP defaults)… ---\n"
+for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
+do
+ sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
+done


-echo "--- Retrieving MISP ---"
+echo "--- Restarting Apache… ---"
+systemctl restart apache2 > /dev/null
+
+
+echo "--- Retrieving MISP… ---"
 if [ "$MISP_ENV" != "dev" ]; then
-    sudo mkdir $PATH_TO_MISP
-    sudo chown www-data:www-data $PATH_TO_MISP
+    mkdir $PATH_TO_MISP
+    chown www-data:www-data $PATH_TO_MISP
    cd $PATH_TO_MISP
    sudo -u www-data -H git clone https://github.com/MISP/MISP.git $PATH_TO_MISP
 else
-    sudo chown www-data:www-data $PATH_TO_MISP
+    chown www-data:www-data $PATH_TO_MISP
    cd $PATH_TO_MISP
 fi
 #sudo -u www-data -H git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
@ -119,26 +143,26 @@ sudo -u www-data -H git config core.filemode false
 # chmod -R 700 $PATH_TO_MISP


-echo "--- Installing Mitre's STIX ---"
-sudo apt-get install -y python-dev python-pip libxml2-dev libxslt1-dev zlib1g-dev python-setuptools > /dev/null 2>&1
+echo "--- Installing Mitre's STIX… ---"
+apt-get install -y python-dev python-pip libxml2-dev libxslt1-dev zlib1g-dev python-setuptools > /dev/null
 cd $PATH_TO_MISP/app/files/scripts
 sudo -u www-data -H git clone https://github.com/CybOXProject/python-cybox.git
 sudo -u www-data -H git clone https://github.com/STIXProject/python-stix.git
 cd $PATH_TO_MISP/app/files/scripts/python-cybox
 sudo -u www-data -H git checkout v2.1.0.12
-sudo python setup.py install > /dev/null 2>&1
+python setup.py install > /dev/null
 cd $PATH_TO_MISP/app/files/scripts/python-stix
 sudo -u www-data -H git checkout v1.1.1.4
-sudo python setup.py install > /dev/null 2>&1
+python setup.py install > /dev/null
 # install mixbox to accomodate the new STIX dependencies:
 cd $PATH_TO_MISP/app/files/scripts/
 sudo -u www-data -H git clone https://github.com/CybOXProject/mixbox.git
 cd $PATH_TO_MISP/app/files/scripts/mixbox
 sudo -u www-data -H git checkout v1.0.2
-sudo python setup.py install > /dev/null 2>&1
+python setup.py install > /dev/null


-echo "--- Retrieving CakePHP... ---"
+echo "--- Retrieving CakePHP… ---"
 # CakePHP is included as a submodule of MISP, execute the following commands to let git fetch it:
 cd $PATH_TO_MISP
 sudo -u www-data -H git submodule init
@ -149,37 +173,37 @@ sudo -u www-data -H php composer.phar require kamisama/cake-resque:4.1.2
 sudo -u www-data -H php composer.phar config vendor-dir Vendor
 sudo -u www-data -H php composer.phar install
 # Enable CakeResque with php-redis
-sudo phpenmod redis
+phpenmod redis
 # To use the scheduler worker for scheduled tasks, do the following:
 sudo -u www-data -H cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php


-echo "--- Setting the permissions... ---"
-sudo chown -R www-data:www-data $PATH_TO_MISP
-sudo chmod -R 750 $PATH_TO_MISP
-sudo chmod -R g+ws $PATH_TO_MISP/app/tmp
-sudo chmod -R g+ws $PATH_TO_MISP/app/files
-sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
+echo "--- Setting the permissions… ---"
+chown -R www-data:www-data $PATH_TO_MISP
+chmod -R 750 $PATH_TO_MISP
+chmod -R g+ws $PATH_TO_MISP/app/tmp
+chmod -R g+ws $PATH_TO_MISP/app/files
+chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp


-echo "--- Creating a database user... ---"
-sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
-sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
-sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
-sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
+echo "--- Creating a database user… ---"
+mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
+mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
+mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
+mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
 # Import the empty MISP database from MYSQL.sql
 sudo -u www-data -H mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME < /var/www/MISP/INSTALL/MYSQL.sql


-echo "--- Configuring Apache... ---"
+echo "--- Configuring Apache… ---"
 # !!! apache.24.misp.ssl seems to be missing
 #cp $PATH_TO_MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp-ssl.conf
 # If a valid SSL certificate is not already created for the server, create a self-signed certificate:
-sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=$OPENSSL_C/ST=$OPENSSL_ST/L=$OPENSSL_L/O=<$OPENSSL_O/OU=$OPENSSL_OU/CN=$OPENSSL_CN/emailAddress=$OPENSSL_EMAILADDRESS" -keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt > /dev/null
+openssl req -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=$OPENSSL_C/ST=$OPENSSL_ST/L=$OPENSSL_L/O=<$OPENSSL_O/OU=$OPENSSL_OU/CN=$OPENSSL_CN/emailAddress=$OPENSSL_EMAILADDRESS" -keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt > /dev/null


 echo "--- Add a VirtualHost for MISP ---"
-sudo cat > /etc/apache2/sites-available/misp-ssl.conf <<EOF
+cat > /etc/apache2/sites-available/misp-ssl.conf <<EOF
 <VirtualHost *:80>
    ServerAdmin admin@misp.local
    ServerName misp.local
@ -197,54 +221,20 @@ sudo cat > /etc/apache2/sites-available/misp-ssl.conf <<EOF
    ServerSignature Off
 </VirtualHost>
 EOF
-# cat > /etc/apache2/sites-available/misp-ssl.conf <<EOF
-# <VirtualHost *:80>
-#         ServerName misp.local
-#
-#         Redirect permanent / https://$FQDN
-#
-#         LogLevel warn
-#         ErrorLog /var/log/apache2/misp.local_error.log
-#         CustomLog /var/log/apache2/misp.local_access.log combined
-#         ServerSignature Off
-# </VirtualHost>
-#
-# <VirtualHost *:443>
-#         ServerAdmin me@me.local
-#         ServerName misp.local
-#         DocumentRoot $PATH_TO_MISP/app/webroot
-#
-#         <Directory $PATH_TO_MISP/app/webroot>
-#             Options -Indexes
-#             AllowOverride all
-#             Require all granted
-#         </Directory>
-#
-#         SSLEngine On
-#         SSLCertificateFile /etc/ssl/private/misp.local.crt
-#         SSLCertificateKeyFile /etc/ssl/private/misp.local.key
-#         #SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
-#
-#         LogLevel warn
-#         ErrorLog /var/log/apache2/misp.local_error.log
-#         CustomLog /var/log/apache2/misp.local_access.log combined
-#         ServerSignature Off
-# </VirtualHost>
-# EOF
 # activate new vhost
-sudo a2dissite default-ssl
-sudo a2ensite misp-ssl
+a2dissite default-ssl
+a2ensite misp-ssl


-echo "--- Restarting Apache ---"
-sudo systemctl restart apache2 > /dev/null 2>&1
+echo "--- Restarting Apache… ---"
+systemctl restart apache2 > /dev/null


-echo "--- Configuring log rotation ---"
-sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
+echo "--- Configuring log rotation… ---"
+cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp


-echo "--- MISP configuration ---"
+echo "--- MISP configuration… ---"
 # There are 4 sample configuration files in /var/www/MISP/app/Config that need to be copied
 sudo -u www-data -H cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php
 sudo -u www-data -H cp -a $PATH_TO_MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php
@ -269,17 +259,17 @@ class DATABASE_CONFIG {
 }
 EOF
 # and make sure the file permissions are still OK
-sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
-sudo chmod -R 750 $PATH_TO_MISP/app/Config
+chown -R www-data:www-data $PATH_TO_MISP/app/Config
+chmod -R 750 $PATH_TO_MISP/app/Config
 # Set some MISP directives with the command line tool
-sudo $PATH_TO_MISP/app/Console/cake Baseurl $MISP_BASEURL
-sudo $PATH_TO_MISP/app/Console/cake Live $MISP_LIVE
+$PATH_TO_MISP/app/Console/cake Baseurl $MISP_BASEURL
+$PATH_TO_MISP/app/Console/cake Live $MISP_LIVE


-echo "--- Generating a GPG encryption key... ---"
-sudo apt-get install -y rng-tools haveged
+echo "--- Generating a GPG encryption key… ---"
+apt-get install -y rng-tools haveged
 sudo -u www-data -H mkdir $PATH_TO_MISP/.gnupg
-sudo chmod 700 $PATH_TO_MISP/.gnupg
+chmod 700 $PATH_TO_MISP/.gnupg
 cat >gen-key-script <<EOF
    %echo Generating a default key
    Key-Type: default
@ -300,8 +290,8 @@ rm gen-key-script
 sudo -u www-data -H gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key gen-key-scriptgpg --homedir $PATH_TO_MISP/.gnupg --export --armor $EMAIL_ADDRESS > $PATH_TO_MISP/app/webroot/gpg.asc


-echo "--- Making the background workers start on boot... ---"
-sudo chmod 755 $PATH_TO_MISP/app/Console/worker/start.sh
+echo "--- Making the background workers start on boot… ---"
+chmod 755 $PATH_TO_MISP/app/Console/worker/start.sh
 # With systemd:
 # sudo cat > /etc/systemd/system/workers.service  <<EOF
 # [Unit]
@ -323,18 +313,18 @@ if [ ! -e /etc/rc.local ]
 then
    echo '#!/bin/sh -e' | sudo tee -a /etc/rc.local
    echo 'exit 0' | sudo tee -a /etc/rc.local
-    sudo chmod u+x /etc/rc.local
+    chmod u+x /etc/rc.local
 fi
-sudo sed -i -e '$i \sudo -u www-data -H bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
+sed -i -e '$i \sudo -u www-data -H bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local


-echo "--- Installing MISP modules... ---"
-sudo apt-get install -y python3-dev python3-pip libpq5 libjpeg-dev > /dev/null 2>&1
+echo "--- Installing MISP modules… ---"
+apt-get install -y python3-dev python3-pip libpq5 libjpeg-dev > /dev/null
 cd /usr/local/src/
-sudo git clone https://github.com/MISP/misp-modules.git
+git clone https://github.com/MISP/misp-modules.git
 cd misp-modules
-sudo pip3 install -I -r REQUIREMENTS > /dev/null 2>&1
-sudo pip3 install -I . > /dev/null 2>&1
+pip3 install -I -r REQUIREMENTS > /dev/null
+pip3 install -I . > /dev/null
 # With systemd:
 # sudo cat > /etc/systemd/system/misp-modules.service  <<EOF
 # [Unit]
@ -352,54 +342,50 @@ sudo pip3 install -I . > /dev/null 2>&1
 # sudo systemctl restart misp-modules.service > /dev/null

 # With initd:
-sudo sed -i -e '$i \sudo -u www-data -H misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
+sed -i -e '$i \sudo -u www-data -H misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local

-# Set sane PHP defaults
-sudo sed -i 's/memory_limit = .*/memory_limit = '512M'/' /etc/php/7.0/apache2/php.ini
-sudo sed -i 's/max_execution_time = .*/max_execution_time = '300'/' /etc/php/7.0/apache2/php.ini
-sudo sed -i 's/upload_max_filesize = .*/upload_max_filesize = '50M'/' /etc/php/7.0/apache2/php.ini
-sudo sed -i 's/post_max_size = .*/post_max_size = '50M'/' /etc/php/7.0/apache2/php.ini

 echo "--- Restarting Apache... ---"
-sudo systemctl restart apache2 > /dev/null 2>&1
+systemctl restart apache2 > /dev/null
 sleep 5

+
 echo "--- Updating the galaxies... ---"
 sudo -E $PATH_TO_MISP/app/Console/cake userInit -q > /dev/null
 AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
-curl -k -X POST -H "Authorization: $AUTH_KEY" -H "Accept: application/json" -v http://127.0.0.1/galaxies/update > /dev/null 2>&1
+curl -k -X POST -H "Authorization: $AUTH_KEY" -H "Accept: application/json" -v http://127.0.0.1/galaxies/update > /dev/null


 echo "--- Updating the taxonomies... ---"
-curl -k -X POST -H "Authorization: $AUTH_KEY" -H "Accept: application/json" -v http://127.0.0.1/taxonomies/update > /dev/null 2>&1
+curl -k -X POST -H "Authorization: $AUTH_KEY" -H "Accept: application/json" -v http://127.0.0.1/taxonomies/update > /dev/null


 # echo "--- Enabling MISP new pub/sub feature (ZeroMQ)... ---"
 # # ZeroMQ depends on the Python client for Redis
-# pip install redis > /dev/null 2>&1
+# pip install redis > /dev/null
 # ## Install ZeroMQ and prerequisites
-# apt-get install -y pkg-config > /dev/null 2>&1
+# apt-get install -y pkg-config > /dev/null
 # cd /usr/local/src/
-# git clone git://github.com/jedisct1/libsodium.git > /dev/null 2>&1
+# git clone git://github.com/jedisct1/libsodium.git > /dev/null
 # cd libsodium
-# /autogen.sh > /dev/null 2>&1
-# ./configure > /dev/null 2>&1
-# make check > /dev/null 2>&1
-# make > /dev/null 2>&1
-# make install > /dev/null 2>&1
-# ldconfig > /dev/null 2>&1
+# /autogen.sh > /dev/null
+# ./configure > /dev/null
+# make check > /dev/null
+# make > /dev/null
+# make install > /dev/null
+# ldconfig > /dev/null
 # cd /usr/local/src/
-# wget https://archive.org/download/zeromq_4.1.5/zeromq-4.1.5.tar.gz > /dev/null 2>&1
-# tar -xvf zeromq-4.1.5.tar.gz > /dev/null 2>&1
+# wget https://archive.org/download/zeromq_4.1.5/zeromq-4.1.5.tar.gz > /dev/null
+# tar -xvf zeromq-4.1.5.tar.gz > /dev/null
 # cd zeromq-4.1.5/
-# ./autogen.sh > /dev/null 2>&1
-# ./configure > /dev/null 2>&1
-# make check > /dev/null 2>&1
-# make > /dev/null 2>&1
-# make install > /dev/null 2>&1
-# ldconfig > /dev/null 2>&1
+# ./autogen.sh > /dev/null
+# ./configure > /dev/null
+# make check > /dev/null
+# make > /dev/null
+# make install > /dev/null
+# ldconfig > /dev/null
 # ## install pyzmq
-# pip install pyzmq > /dev/null 2>&1
+# pip install pyzmq > /dev/null


 echo "--- MISP is ready ---"