commit 46301dc7520a679ef4deb03c832793c16ca7936e Author: Cédric Bonhomme Date: Wed Jul 5 22:54:12 2017 +0200 initial commit. WIP. diff --git a/README.rst b/README.rst new file mode 100644 index 0000000..f9f77a5 --- /dev/null +++ b/README.rst @@ -0,0 +1,26 @@ +Deployment of the MISP with Vagrant +=================================== + +This script is a work in progress! + +Installation of VirtualBox and Vagrant +-------------------------------------- + +.. code-block:: bash + + $ sudo apt-get install virtualbox vagrant + + +Deployment of MISP +------------------ + +MISP will be automatically deployed in an Ubuntu Zesty Server. + +.. code-block:: bash + + $ git clone https://github.com/MISP/misp-vagrant.git + $ cd misp-vagrant/ + $ vagrant up + +Once the VM will be configured by Vagrant, go to the address +http://127.0.0.1:5000. diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..dd18bbb --- /dev/null +++ b/Vagrantfile @@ -0,0 +1,125 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +# Vagrantfile API/syntax version. Don't touch unless you know what you're doing! +VAGRANTFILE_API_VERSION = "2" + +Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| + # All Vagrant configuration is done here. The most common configuration + # options are documented and commented below. For a complete reference, + # please see the online documentation at vagrantup.com. + + # Every Vagrant virtual environment requires a box to build off of. + config.vm.box = "ubuntu/zesty64" + #config.vm.box_url = "https://atlas.hashicorp.com/ubuntu/boxes/zesty64/versions/20170412.1.0" + config.vm.provision :shell, path: "bootstrap.sh" + + # Disable automatic box update checking. If you disable this, then + # boxes will only be checked for updates when the user runs + # `vagrant box outdated`. This is not recommended. + # config.vm.box_check_update = false + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine. In the example below, + # accessing "localhost:8080" will access port 80 on the guest machine. + config.vm.network "forwarded_port", guest: 80, host: 5001 + + # Create a private network, which allows host-only access to the machine + # using a specific IP. + # config.vm.network "private_network", ip: "192.168.33.10" + + # Create a public network, which generally matched to bridged network. + # Bridged networks make the machine appear as another physical device on + # your network. + # config.vm.network "public_network" + + # If true, then any SSH connections made will enable agent forwarding. + # Default value: false + # config.ssh.forward_agent = true + + # Share an additional folder to the guest VM. The first argument is + # the path on the host to the actual folder. The second argument is + # the path on the guest to mount the folder. And the optional third + # argument is a set of non-required options. + # config.vm.synced_folder "../", "/" + + # Provider-specific configuration so you can fine-tune various + # backing providers for Vagrant. These expose provider-specific options. + # Example for VirtualBox: + # + config.vm.provider "virtualbox" do |vb| + # # Don't boot with headless mode + # vb.gui = true + # + # # Use VBoxManage to customize the VM. For example to change memory: + vb.customize ["modifyvm", :id, "--memory", "2048"] + vb.customize ["modifyvm", :id, "--name", "MISP - Ubuntu 17.04"] + end + # + # View the documentation for the provider you're using for more + # information on available options. + + # Enable provisioning with CFEngine. CFEngine Community packages are + # automatically installed. For example, configure the host as a + # policy server and optionally a policy file to run: + # + # config.vm.provision "cfengine" do |cf| + # cf.am_policy_hub = true + # # cf.run_file = "motd.cf" + # end + # + # You can also configure and bootstrap a client to an existing + # policy server: + # + # config.vm.provision "cfengine" do |cf| + # cf.policy_server_address = "10.0.2.15" + # end + + # Enable provisioning with Puppet stand alone. Puppet manifests + # are contained in a directory path relative to this Vagrantfile. + # You will need to create the manifests directory and a manifest in + # the file default.pp in the manifests_path directory. + # + # config.vm.provision "puppet" do |puppet| + # puppet.manifests_path = "manifests" + # puppet.manifest_file = "site.pp" + # end + + # Enable provisioning with chef solo, specifying a cookbooks path, roles + # path, and data_bags path (all relative to this Vagrantfile), and adding + # some recipes and/or roles. + # + # config.vm.provision "chef_solo" do |chef| + # chef.cookbooks_path = "../my-recipes/cookbooks" + # chef.roles_path = "../my-recipes/roles" + # chef.data_bags_path = "../my-recipes/data_bags" + # chef.add_recipe "mysql" + # chef.add_role "web" + # + # # You may also specify custom JSON attributes: + # chef.json = { :mysql_password => "foo" } + # end + + # Enable provisioning with chef server, specifying the chef server URL, + # and the path to the validation key (relative to this Vagrantfile). + # + # The Opscode Platform uses HTTPS. Substitute your organization for + # ORGNAME in the URL and validation key. + # + # If you have your own Chef Server, use the appropriate URL, which may be + # HTTP instead of HTTPS depending on your configuration. Also change the + # validation key to validation.pem. + # + # config.vm.provision "chef_client" do |chef| + # chef.chef_server_url = "https://api.opscode.com/organizations/ORGNAME" + # chef.validation_key_path = "ORGNAME-validator.pem" + # end + # + # If you're using the Opscode platform, your validator client is + # ORGNAME-validator, replacing ORGNAME with your organization name. + # + # If you have your own Chef Server, the default validation client name is + # chef-validator, unless you changed the configuration. + # + # chef.validation_client_name = "ORGNAME-validator" +end diff --git a/bootstrap.sh b/bootstrap.sh new file mode 100644 index 0000000..fdb77c8 --- /dev/null +++ b/bootstrap.sh @@ -0,0 +1,120 @@ +#! /usr/bin/env bash + +# Variables +APPENV='local' + +DBHOST='localhost' +DBNAME='misp' +DBUSER_AMIN='root' +DBPASSWORD_AMIN='root' +DBUSER_MISP='misp' +DBPASSWORD_MISP='XXXXdbpasswordhereXXXXX' + +PATH_TO_MISP='/var/www/MISP' +IP='127.0.0.1' +FQDN='localhost' + + + +echo -e "\n--- Installing now... ---\n" + +echo -e "\n--- Updating packages list ---\n" +apt-get -qq update + +echo -e "\n--- Install base packages ---\n" +apt-get -y install vim git > /dev/null 2>&1 + +echo -e "\n--- Install Postfix ---\n" +# sudo apt-get install postfix +# # Postfix Configuration: Satellite system +# # change the relay server later with: +# sudo postconf -e 'relayhost = example.com' +# sudo postfix reload + +echo -e "\n--- Updating packages list ---\n" +apt-get -qq update + +# +# TODO: replace MySQL by MariaDB +# + +echo -e "\n--- Install MySQL specific packages and settings ---\n" +echo "mysql-server mysql-server/root_password password $DBPASSWORD_AMIN" | debconf-set-selections +echo "mysql-server mysql-server/root_password_again password $DBPASSWORD_AMIN" | debconf-set-selections +# echo "phpmyadmin phpmyadmin/dbconfig-install boolean true" | debconf-set-selections +# echo "phpmyadmin phpmyadmin/app-password-confirm password $DBPASSWORD_AMIN" | debconf-set-selections +# echo "phpmyadmin phpmyadmin/mysql/admin-pass password $DBPASSWORD_AMIN" | debconf-set-selections +# echo "phpmyadmin phpmyadmin/mysql/app-pass password $DBPASSWORD_AMIN" | debconf-set-selections +# echo "phpmyadmin phpmyadmin/reconfigure-webserver multiselect none" | debconf-set-selections +apt-get -y install mysql-server phpmyadmin > /dev/null 2>&1 + +echo -e "\n--- Installing PHP-specific packages ---\n" +apt-get -y install php apache2 libapache2-mod-php php-curl php-gd php-mcrypt php-mysql php-pear php-apcu php-xml php-mbstring php-intl php-imagick > /dev/null 2>&1 + +echo -e "\n--- Enabling mod-rewrite and ssl ---\n" +a2enmod rewrite > /dev/null 2>&1 +a2enmod ssl > /dev/null 2>&1 + +echo -e "\n--- Allowing Apache override to all ---\n" +sudo sed -i "s/AllowOverride None/AllowOverride All/g" /etc/apache2/apache2.conf + +#echo -e "\n--- We want to see the PHP errors, turning them on ---\n" +#sed -i "s/error_reporting = .*/error_reporting = E_ALL/" /etc/php/7.0/apache2/php.ini +#sed -i "s/display_errors = .*/display_errors = On/" /etc/php/7.0/apache2/php.ini + +echo -e "\n--- Setting up our MySQL user for MISP ---\n" +mysql -u root -p$DBPASSWORD_AMIN -e "CREATE USER '$DBUSER_MISP'@'localhost' IDENTIFIED BY '$DBPASSWORD_MISP';" +mysql -u root -p$DBPASSWORD_AMIN -e "GRANT ALL PRIVILEGES ON * . * TO '$DBUSER_MISP'@'localhost';" +mysql -u root -p$DBPASSWORD_AMIN -e "FLUSH PRIVILEGES;" + + +mkdir $PATH_TO_MISP +git clone https://github.com/MISP/MISP.git /var/www/MISP +# chown -R www-data $PATH_TO_MISP +# chgrp -R www-data $PATH_TO_MISP +# chmod -R 700 $PATH_TO_MISP + + + +echo -e "\n--- Add a VirtualHost for MISP ---\n" +cat > /etc/apache2/sites-enabled/000-default.conf < + ServerName $FQDN + + Redirect permanent / https://$FQDN + + LogLevel warn + ErrorLog /var/log/apache2/misp.local_error.log + CustomLog /var/log/apache2/misp.local_access.log combined + ServerSignature Off + + + + ServerAdmin admin@$FQDN + ServerName $FQDN + DocumentRoot $PATH_TO_MISP/app/webroot + + Options -Indexes + AllowOverride all + Order allow,deny + allow from all + + + SSLEngine On + SSLCertificateFile /etc/ssl/private/misp.local.crt + SSLCertificateKeyFile /etc/ssl/private/misp.local.key + #SSLCertificateChainFile /etc/ssl/private/misp-chain.crt + + LogLevel warn + ErrorLog /var/log/apache2/misp.local_error.log + CustomLog /var/log/apache2/misp.local_access.log combined + ServerSignature Off + +EOF + + +echo -e "\n--- Restarting Apache ---\n" +service apache2 restart > /dev/null 2>&1 + + +echo -e "\n--- MISP is ready! Point your Web browser to http://127.0.0.1:5000 ---\n"