
INSTALLATION INSTRUCTIONS

for FreeBSD 12.0-amd64

0/ WIP /!\ You are warned, this does not work yet! /!\

Warning

NOT working: pydeep, lief

MISP configuration variables

# <snippet-begin 0_global-vars.sh>
# $ eval "$(curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/docs/generic/globalVariables.md | grep -v \`\`\`)"
# $ MISPvars
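#######################################
# Set the generic MISP installer variables shared by all flavours.
# Globals (read):    FQDN, MISP_BASEURL — kept when the caller already set them
# Globals (written): MISP_USER, MISP_PASSWORD, PATH_TO_MISP, WWW_USER, FQDN,
#                    MISP_BASEURL, MISP_LIVE, DBHOST, DBNAME, DBUSER_*,
#                    DBPASSWORD_*, OPENSSL_*, GPG_*, the php.ini limits,
#                    CAKE, SUDO_USER, SUDO_WWW
# Outputs:           the generated DB passwords, once, on stdout
# Returns:           0
#######################################
MISPvars () {
  # 'debug' is the installer's logging alias (defined further down in this
  # function); when the snippet is pasted on its own the call is simply not
  # found, hence the discarded stderr.
  debug "Setting generic ${LBLUE}MISP${NC} variables shared by all flavours" 2> /dev/null
  # Local non-root MISP user
  MISP_USER='misp'
  MISP_PASSWORD="$(openssl rand -hex 32)"

  # MISP configuration variables (Linux default; the BSD branches override it)
  PATH_TO_MISP='/var/www/MISP'

  # The web server user (and install path) per OS family; uname is read once.
  local os_name
  os_name="$(uname -s)"
  if [[ -f "/etc/redhat-release" ]]; then
    # RHEL/CentOS
    WWW_USER='apache'
  elif [[ -f "/etc/debian_version" ]]; then
    # Debian flavoured
    WWW_USER="www-data"
  elif [[ "$os_name" == "OpenBSD" ]]; then
    WWW_USER="www"
    PATH_TO_MISP="/var/www/htdocs/MISP"
  elif [[ "$os_name" == "NetBSD" ]]; then
    WWW_USER="www"
    PATH_TO_MISP="/usr/pkg/share/httpd/htdocs/MISP"
  elif [[ "$os_name" == "FreeBSD" ]]; then
    # Same user and path this FreeBSD guide uses everywhere else; without this
    # branch a call to MISPvars resets PATH_TO_MISP to the Linux default.
    WWW_USER="www"
    PATH_TO_MISP="/usr/local/www/MISP"
  else
    # I am feeling lucky
    WWW_USER="www-data"
  fi

  # Defaults only when the caller left these unset or empty; ${var:-} keeps
  # the test safe under 'set -u'.
  if [[ -z "${FQDN:-}" ]]; then
    FQDN="misp.local"
  fi

  if [[ -z "${MISP_BASEURL:-}" ]]; then
    # literal two-character string "" — handed to cake unquoted later on
    MISP_BASEURL='""'
  fi

  MISP_LIVE='1'

  # Database configuration — passwords are 64 hex characters from openssl rand
  DBHOST='localhost'
  DBNAME='misp'
  DBUSER_ADMIN='root'
  DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
  DBUSER_MISP='misp'
  DBPASSWORD_MISP="$(openssl rand -hex 32)"

  # OpenSSL configuration (subject of the self-signed certificate)
  OPENSSL_CN="$FQDN"
  OPENSSL_C='LU'
  OPENSSL_ST='State'
  OPENSSL_L='Location'
  OPENSSL_O='Organization'
  OPENSSL_OU='Organizational Unit'
  OPENSSL_EMAILADDRESS="info@$FQDN"

  # GPG configuration
  GPG_REAL_NAME='Autogenerated Key'
  # On a REAL install, please do not set a comment, see here for why: https://www.debian-administration.org/users/dkg/weblog/97
  GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
  GPG_EMAIL_ADDRESS='admin@admin.test'
  # 3072 bits used as per suggestions here: https://riseup.net/en/security/message-security/openpgp/best-practices
  GPG_KEY_LENGTH='3072'
  GPG_PASSPHRASE="$(openssl rand -hex 32)"

  # debug alias to make sure people are not confused when blindly copy pasting blobs of code
  alias debug="echo -e"

  # checkAptLock alias to make sure people are not confused when blindly copy pasting blobs of code
  alias checkAptLock="echo 'Function used in Installer to make sure apt is not locked'"

  # php.ini configuration
  upload_max_filesize=50M
  post_max_size=50M
  max_execution_time=300
  memory_limit=2048M

  CAKE="$PATH_TO_MISP/app/Console/cake"

  # sudo config to run $LUSER commands. grep -w matches the group name as a
  # whole word (a plain substring match would also accept e.g. 'staffers');
  # a missing user just falls through to the else branch.
  if groups "${MISP_USER}" 2> /dev/null | grep -qw 'staff'; then
    SUDO_USER="sudo -H -u ${MISP_USER} -g staff"
  else
    SUDO_USER="sudo -H -u ${MISP_USER}"
  fi
  SUDO_WWW="sudo -H -u ${WWW_USER} "

  # Printed once so the operator can record them; nothing here writes them to
  # disk. They do end up in terminal scrollback and any session recording.
  echo "The following DB Passwords were generated..."
  echo "Admin (${DBUSER_ADMIN}) DB Password: ${DBPASSWORD_ADMIN}"
  echo "User  (${DBUSER_MISP}) DB Password: ${DBPASSWORD_MISP}"
}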
# <snippet-end 0_global-vars.sh>
# FreeBSD-specific overrides for the generic variables above: php.ini lives
# under /usr/local/etc, the web root under /usr/local/www, and CAKE is
# re-derived so it follows the new PATH_TO_MISP.
PHP_ETC_BASE='/usr/local/etc'
PHP_INI="${PHP_ETC_BASE}/php.ini"
PATH_TO_MISP='/usr/local/www/MISP'
CAKE="${PATH_TO_MISP}/app/Console/cake"

1/ Minimal FreeBSD install


Install standard FreeBSD-amd64 with:

  • sshd
  • ntpdate
  • ntpd
  • ports

System Hardening

  • Clean /tmp
  • Disable Syslogd network socket
  • Disable Sendmail service

Install pkg and point to latest

# Become root, then run 'pkg' once: on a fresh install this bootstraps the
# package manager and points it at the latest package set.
$ su -
# pkg

Install sudo

# Still running as root here; everything after this point uses sudo.
pkg install -y sudo

Notice

Make sure users in group wheel can sudo, uncomment in /usr/local/etc/sudoers

%wheel ALL=(ALL) ALL

Install bash

# bash is not in the FreeBSD base system; the snippets below rely on it
# ([[ ]], arrays in the shared installer functions).
sudo pkg install -y bash

Optional but useful, add a local misp user

# Fresh host: create the misp user with bash as shell, in wheel (sudo), www
# (web server files) and staff (shared source tree used later).
sudo pw user add misp -s /usr/local/bin/bash -G wheel,www,staff
sudo mkdir /home/misp ; sudo chown misp:misp /home/misp
sudo passwd misp
# In case you already have a MISP User
# (run these instead of the three lines above; -m adds the user to the group)
sudo pw usermod misp -s /usr/local/bin/bash
sudo pw groupmod -n www -m misp
sudo pw groupmod -n staff -m misp
# leaves the root shell opened with 'su -' above
exit

Update system

# Apply base-system security/errata updates before installing anything else.
sudo freebsd-update fetch install

Fetch ports or update ports

# First run: fetch and extract the ports tree.
sudo portsnap fetch extract
# OR
# Existing ports tree: only pull the changes.
sudo portsnap fetch update

Make python3 default (optional)

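# /etc/make.conf is root-owned: a plain '>>' runs without sudo and fails for
# an unprivileged user, so the line is appended through sudo tee instead.
# The python2 entry is kept; the ports tree still builds some py2 packages.
echo "DEFAULT_VERSIONS= python=3.6 python2=2.7 python3=3.6" | sudo tee -a /etc/make.conf
# Convenience symlink so plain 'python' resolves to python3.
sudo ln -s /usr/local/bin/python3 /usr/local/bin/python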

Install postfix

# MTA used by MISP for notification mail (sendmail is disabled in the
# hardening step above).
sudo pkg install -y postfix

FAMP

Install misc dependencies

# Build/runtime helpers; gsed is GNU sed, used by the -i edits further down
# (BSD sed's -i takes a mandatory suffix argument).
sudo pkg install -y curl git python3 vim m4 help2man gmake automake libtool expect gsed

Warning

N.B: MariaDB 10.3 currently segfaults on 11.2: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229219

# Apache 2.4, MariaDB 10.2 (see the segfault warning above), PHP 7.2 with the
# extensions MISP needs, and mod_php.
sudo pkg install -y apache24 \
    logrotate \
    gnupg \
    mariadb102-server mariadb102-client \
    php72 \
    php72-mysqli \
    php72-xml \
    php72-openssl \
    php72-pcntl \
    php72-mbstring \
    php72-pdo_mysql \
    php72-phar \
    php72-json \
    php72-filter \
    php72-fileinfo \
    php72-dom \
    php72-opcache \
    php72-session \
    mod_php72

# NOTE(review): php.ini-development ships with debugging defaults such as
# display_errors=On; for a reachable server php.ini-production is the usual
# starting point (the limits MISP needs are applied later with gsed).
sudo cp -p /usr/local/etc/php.ini-development /usr/local/etc/php.ini

# Enable both services at boot; MariaDB is told to listen on loopback only.
sudo sysrc apache24_enable="yes"
sudo sysrc mysql_enable="yes"
sudo sysrc mysql_args="--bind-address=127.0.0.1"
sudo service apache24 start
sudo service mysql-server start


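### /!\ Needs Fixing /!\
# sudo may ask for the invoking user's password before it runs
# mysql_secure_installation. The password is no longer hardcoded in this
# file: set `pw` beforehand or answer the prompt (read -s keeps it off the
# screen). If sudo has NOPASSWD, comment out the first expect/send pair.
if [[ -z "${pw:-}" ]]; then
  read -rsp 'sudo password (leave empty with NOPASSWD): ' pw
  echo
fi

# The heredoc is unquoted on purpose: $pw and ${DBPASSWORD_ADMIN} are expanded
# by the shell and reach expect on stdin, never on a command line.
expect -f - <<-EOF
  set timeout 10

  spawn sudo mysql_secure_installation
  expect "*?assword*"
  send -- "$pw\r"
  expect "Enter current password for root (enter for none):"
  send -- "\r"
  expect "Set root password?"
  send -- "y\r"
  expect "New password:"
  send -- "${DBPASSWORD_ADMIN}\r"
  expect "Re-enter new password:"
  send -- "${DBPASSWORD_ADMIN}\r"
  expect "Remove anonymous users?"
  send -- "y\r"
  expect "Disallow root login remotely?"
  send -- "y\r"
  expect "Remove test database and access to it?"
  send -- "y\r"
  expect "Reload privilege tables now?"
  send -- "y\r"
  expect eof
EOF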

# expect (used once above) pulled in tcl; -R removes it with its dependents.
sudo pkg remove -R tcl86

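# Tell Apache to hand .php files to mod_php. The original used one long
# double-quoted echo string: the inner "..." around \.php$ ended that string,
# so neither the quotes nor the backslash reached php.conf. A quoted heredoc
# writes the text verbatim. The .phps handler publishes PHP source for any
# .phps file in the web root; drop that stanza if you do not need it.
sudo tee -a /usr/local/etc/apache24/Includes/php.conf <<'EOF'
<IfModule dir_module>
    DirectoryIndex index.php index.html

    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>

    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
</IfModule>
EOF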

Redis needs to be installed via ports

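# Redis, php-redis and php-gnupg are built from ports. '&&' stops when the cd
# fails instead of running make in whatever directory the shell was in; the
# port names are comments so the block can be pasted as one piece.
cd /usr/ports/databases/redis && sudo make install clean
sudo sysrc redis_enable="yes"
# php-redis
cd /usr/ports/databases/pecl-redis && sudo make install clean
# php-gnupg
cd /usr/ports/security/pecl-gnupg && sudo make install clean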

PHP CLI Tweak

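# Give PHP run under Apache an explicit, system-only PATH. The original
# expanded the installer's own $PATH into the web server environment, which
# can carry user-writable directories (e.g. ~/bin) into the httpd process.
echo "PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" |sudo tee -a /usr/local/etc/apache24/envvars.d/php.env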

# Pick up php.conf and the new environment file.
sudo service apache24 restart

3/ MISP code


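# Download MISP using git in the /usr/local/www/ directory.
# Paths are quoted so a PATH_TO_MISP with spaces cannot split; -p makes the
# mkdir re-runnable and '&&' keeps git from cloning into the wrong directory
# when the cd fails.
sudo mkdir -p -- "${PATH_TO_MISP}"
sudo chown www:www "${PATH_TO_MISP}"
cd "${PATH_TO_MISP}" && sudo -u www git clone https://github.com/MISP/MISP.git "${PATH_TO_MISP}"

# Make git ignore filesystem permission differences
sudo -u www git config core.filemode false

sudo -u www git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
sudo -u www git submodule foreach --recursive git config core.filemode false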

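# install Mitre's STIX and its dependencies by running the following commands:
sudo pkg install -y py36-pip libxml2 libxslt

# Install virtualenv (system-wide, as root)
sudo pip-3.6 install virtualenv

# Create a python3 virtualenv, owned by the web server user
sudo -u www virtualenv -p python3 "${PATH_TO_MISP}/venv"

# Clone the STIX family next to MISP's scripts; the group runs only when the
# cd succeeded.
cd "${PATH_TO_MISP}/app/files/scripts" && {
  sudo -u www git clone https://github.com/CybOXProject/python-cybox.git
  sudo -u www git clone https://github.com/STIXProject/python-stix.git
  sudo -u www git clone https://github.com/MAECProject/python-maec.git
  # install mixbox to accommodate the new STIX dependencies:
  sudo -u www git clone https://github.com/CybOXProject/mixbox.git
}

# Install each checkout into the venv, mixbox first (the others depend on
# it). python-maec is cloned but, as before, not installed here.
for pkg_dir in mixbox python-cybox python-stix; do
  cd "${PATH_TO_MISP}/app/files/scripts/${pkg_dir}" && sudo -H -u www "${PATH_TO_MISP}/venv/bin/pip" install .
done

# install PyMISP
cd "${PATH_TO_MISP}/PyMISP" && sudo -H -u www "${PATH_TO_MISP}/venv/bin/pip" install .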

4/ CakePHP


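# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
# composer.phar is the copy shipped in the MISP checkout and runs as www, not root.
cd "${PATH_TO_MISP}/app" && sudo -u www php composer.phar install

# To use the scheduler worker for scheduled tasks, do the following:
# (uses PATH_TO_MISP like the rest of the guide instead of a hardcoded path)
sudo -u www cp -fa "${PATH_TO_MISP}/INSTALL/setup/config.php" "${PATH_TO_MISP}/app/Plugin/CakeResque/Config/config.php"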

5/ Set the permissions


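# Set the ownership and permissions MISP expects: the tree belongs to the
# web server user and is not world-readable (750); the directories workers
# write to are group-writable and setgid so new files stay in the www group.
sudo chown -R www:www "${PATH_TO_MISP}"
sudo chmod -R 750 "${PATH_TO_MISP}"
for writable_dir in app/tmp app/files app/files/scripts/tmp; do
  sudo chmod -R g+ws "${PATH_TO_MISP}/${writable_dir}"
done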

6/ Create a database and user


# Enter the mysql shell
# (interactive: the statements below are typed at the MariaDB prompt; the
# "copy/paste" variant further down does the same non-interactively)
sudo mysql -u root -p

MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit

copy/paste

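# Create the MISP database and its user. Variables are quoted for the shell.
# '-p<password>' is visible to other local users in the process list while
# each command runs; acceptable on a fresh single-purpose host, not on a
# shared one (use a defaults file there).
sudo mysql -u "$DBUSER_ADMIN" "-p$DBPASSWORD_ADMIN" -e "create database $DBNAME;"
# The account is DBUSER_MISP; the original wrote "$DBNAME@localhost", which
# only worked because both default to 'misp'.
sudo mysql -u "$DBUSER_ADMIN" "-p$DBPASSWORD_ADMIN" -e "grant usage on *.* to '$DBUSER_MISP'@'localhost' identified by '$DBPASSWORD_MISP';"
sudo mysql -u "$DBUSER_ADMIN" "-p$DBPASSWORD_ADMIN" -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
sudo mysql -u "$DBUSER_ADMIN" "-p$DBPASSWORD_ADMIN" -e "flush privileges;"
# Import the empty MISP database from MYSQL.sql (read as www, since the tree
# is 750 www:www, and fed to mysql on stdin).
sudo -u www cat "$PATH_TO_MISP/INSTALL/MYSQL.sql" | mysql -u "$DBUSER_MISP" "-p$DBPASSWORD_MISP" "$DBNAME"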

7/ Apache configuration


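# Now configure your Apache webserver with the DocumentRoot ${PATH_TO_MISP}/app/webroot/

#2.4
# -p keeps this re-runnable; a plain mkdir fails once the directories exist.
sudo mkdir -p /usr/local/etc/apache24/sites-available/ /usr/local/etc/apache24/sites-enabled/

# If the apache version is 2.4:
# (the shipped vhost is Debian-flavoured; the gsed lines further down adapt it)
sudo cp "${PATH_TO_MISP}/INSTALL/apache.24.misp.ssl" /usr/local/etc/apache24/sites-available/misp-ssl.conf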

# Be aware that the configuration files for apache 2.4 and up have changed.
# The configuration file has to have the .conf extension in the sites-available directory
# For more information, visit http://httpd.apache.org/docs/2.4/upgrading.html

# Key material directory, created before openssl writes into it.
sudo mkdir /etc/ssl/private/
# If a valid SSL certificate is not already created for the server, create a self-signed certificate: (Make sure to fill the <…>)
# -nodes leaves the private key unencrypted so Apache can start unattended;
# the chmod lines below are what protect it. The fixed misp.local file names
# presumably match the copied apache.24.misp.ssl vhost — verify before
# changing them.
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt

# directory, key and certificate readable by root and root's group only
sudo chmod 750 /etc/ssl/private/
sudo chmod 640 /etc/ssl/private/*

# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)

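sudo mkdir -p /var/log/apache24/

# Adapt the shipped Debian vhost to FreeBSD paths and comment out the chain
# file directive (the self-signed certificate has no chain).
sudo gsed -i "s/apache2/apache24/" /usr/local/etc/apache24/sites-available/misp-ssl.conf
sudo gsed -i "s/var\/www/usr\/local\/www/" /usr/local/etc/apache24/sites-available/misp-ssl.conf
sudo gsed -i "s/SSLCertificateChainFile/#SSLCertificateChainFile/" /usr/local/etc/apache24/sites-available/misp-ssl.conf

# activate new vhost (explicit link target, no dependency on the cwd)
sudo ln -sf ../sites-available/misp-ssl.conf /usr/local/etc/apache24/sites-enabled/misp-ssl.conf
# The original appended both 'Include' and 'IncludeOptional' for the same
# glob, so every vhost was loaded twice. One IncludeOptional is enough, and
# the grep guard keeps a re-run from appending it again.
if ! sudo grep -q '^IncludeOptional etc/apache24/sites-enabled/\*\.conf' /usr/local/etc/apache24/httpd.conf; then
  echo "IncludeOptional etc/apache24/sites-enabled/*.conf" |sudo tee -a /usr/local/etc/apache24/httpd.conf
fi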

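# Apply the php.ini limits set in MISPvars. ${!key} reads the variable named
# by $key without eval. Keys with no value are skipped: the original wrote an
# empty 'max_input_time = ' line because that variable is never set.
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
do
    if [[ -n "${!key:-}" ]]; then
        # values are plain numbers or e.g. 50M, so no sed escaping is needed
        sudo gsed -i "s/^\($key\).*/\1 = ${!key}/" "$PHP_INI"
    fi
done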

# Enable mod_rewrite and mod_ssl by uncommenting their LoadModule lines and
# add 'Listen 443' after 'Listen 80'. The Listen edit is not idempotent:
# every re-run inserts another 'Listen 443'.
sudo gsed -i "s/#LoadModule rewrite_module libexec\/apache24\/mod_rewrite.so/LoadModule rewrite_module libexec\/apache24\/mod_rewrite.so/" /usr/local/etc/apache24/httpd.conf
sudo gsed -i "s/#LoadModule ssl_module libexec\/apache24\/mod_ssl.so/LoadModule ssl_module libexec\/apache24\/mod_ssl.so/" /usr/local/etc/apache24/httpd.conf
sudo gsed -i "s/Listen 80/Listen 80\nListen 443/" /usr/local/etc/apache24/httpd.conf

# Restart apache
sudo service apache24 restart

8/ Log rotation


# MISP saves the stdout and stderr of its workers in /usr/local/www/MISP/app/tmp/logs
# To rotate these logs install the supplied logrotate script:
sudo cp /usr/local/www/MISP/INSTALL/misp.logrotate /usr/local/etc/logrotate.d/misp
# readable by root and its group only
sudo chmod 0640 /usr/local/etc/logrotate.d/misp

9/ MISP configuration


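# There are 4 sample configuration files in ${PATH_TO_MISP}/app/Config that need to be copied
# (copied as www so the files are owned by the web server user from the start)
for cfg in bootstrap database core config; do
  sudo -u www cp -a "${PATH_TO_MISP}/app/Config/${cfg}.default.php" "${PATH_TO_MISP}/app/Config/${cfg}.php"
done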

# Configure the fields in the newly created files:


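# Write database.php for CakePHP. A heredoc replaces the echo string (only
# \$default needs escaping), and tee's stdout is discarded so the DB password
# is not echoed back to the terminal and into any session log.
# The heredoc is unquoted on purpose: the DB* variables must expand.
sudo -u www tee "$PATH_TO_MISP/app/Config/database.php" >/dev/null <<EOF
<?php
class DATABASE_CONFIG {
        public \$default = array(
                'datasource' => 'Database/Mysql',
                //'datasource' => 'Database/Postgres',
                'persistent' => false,
                'host' => '$DBHOST',
                'login' => '$DBUSER_MISP',
                'port' => 3306, // MySQL & MariaDB
                //'port' => 5432, // PostgreSQL
                'password' => '$DBPASSWORD_MISP',
                'database' => '$DBNAME',
                'prefix' => '',
                'encoding' => 'utf8',
        );
}
EOF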

# Important! Change the salt key in /usr/local/www/MISP/app/Config/config.php
# The salt key must be a string at least 32 bytes long.
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)

# Change base url in config.php
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# 'baseurl' => '',

# and make sure the file permissions are still OK
# Config holds the DB password and the salt: owned by www, not world-readable.
sudo chown -R www:www /usr/local/www/MISP/app/Config
sudo chmod -R 750 /usr/local/www/MISP/app/Config

# Generate a GPG encryption key.

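# Generate a GPG encryption key.
# The key parameters, passphrase included, are fed to gpg on stdin instead of
# through /tmp/gen-key-script: that file was created with the caller's umask
# in a shared directory, so any local user could read GPG_PASSPHRASE for as
# long as it existed (and nothing deleted it).
# Unquoted heredoc on purpose: the GPG_* variables must expand.
sudo -u www gpg --homedir "$PATH_TO_MISP/.gnupg" --batch --gen-key <<EOF
    %echo Generating a default key
    Key-Type: default
    Key-Length: $GPG_KEY_LENGTH
    Subkey-Type: default
    Name-Real: $GPG_REAL_NAME
    Name-Comment: $GPG_COMMENT
    Name-Email: $GPG_EMAIL_ADDRESS
    Expire-Date: 0
    Passphrase: $GPG_PASSPHRASE
    # Do a commit here, so that we can later print "done"
    %commit
    %echo done
EOF
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file

# And export the public key to the webroot.
# gpg is called directly rather than through 'sh -c "..."', so the address
# is one argument and is never re-parsed by a shell.
sudo -u www gpg --homedir "$PATH_TO_MISP/.gnupg" --export --armor "$GPG_EMAIL_ADDRESS" | sudo -u www tee "$PATH_TO_MISP/app/webroot/gpg.asc"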

# To make the background workers start on boot
sudo chmod +x /usr/local/www/MISP/app/Console/worker/start.sh

if [ ! -e /etc/rc.local ]
then
    echo '#!/bin/sh -e' | sudo tee -a /etc/rc.local
    echo 'exit 0' | sudo tee -a /etc/rc.local
    sudo chmod u+x /etc/rc.local
fi

Initialize MISP configuration and set some defaults

# <snippet-begin 2_core-cake.sh>
# Core cake commands to tweak MISP and alleviate some of the configuration pains
# The $RUN_PHP is ONLY set on RHEL/CentOS installs and can thus be ignored
# This file is NOT an excuse to NOT read the settings and familiarize ourselves with them ;)

#######################################
# Apply the installer's default MISP settings through the cake console.
# Globals (read): SUDO_WWW, RUN_PHP (set on RHEL/CentOS only, otherwise
#   empty), CAKE, PATH_TO_MISP, MISP_BASEURL, GPG_EMAIL_ADDRESS,
#   GPG_PASSPHRASE, FLAVOUR, MISP_LIVE
# Outputs:  cake output on stdout; no command's status is checked, so a
#           failing setSetting does not stop the rest
# Returns:  status of the last cake command
# $SUDO_WWW and $RUN_PHP are intentionally unquoted: they hold several
# words ("sudo -H -u www") that must split into separate arguments.
#######################################
coreCAKE () {
  debug "Running core Cake commands to set sane defaults for ${LBLUE}MISP${NC}"

  # IF you have logged in prior to running this, it will fail but the fail is NON-blocking
  $SUDO_WWW $RUN_PHP -- $CAKE userInit -q

  # This makes sure all Database upgrades are done, without logging in.
  $SUDO_WWW $RUN_PHP -- $CAKE Admin runUpdates

  # The default install is Python >=3.6 in a virtualenv, setting accordingly
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python"

  # Set default role
  # TESTME: The following seem defunct, please test.
  # $SUDO_WWW $RUN_PHP -- $CAKE setDefaultRole 3

  # Tune global time outs
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Session.autoRegenerate" 0
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Session.timeout" 600
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Session.cookieTimeout" 3600

  # Change base url, either with this CLI command or in the UI
  # ($MISP_BASEURL is left unquoted so its default, the literal "", is passed as-is)
  $SUDO_WWW $RUN_PHP -- $CAKE Baseurl $MISP_BASEURL
  # example: 'baseurl' => 'https://<your.FQDN.here>',
  # alternatively, you can leave this field empty if you would like to use relative pathing in MISP
  # 'baseurl' => '',
  # The base url of the application (in the format https://www.mymispinstance.com) as visible externally/by other MISPs.
  # MISP will encode this URL in sharing groups when including itself. If this value is not set, the baseurl is used as a fallback.
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.external_baseurl" $MISP_BASEURL

  # Enable GnuPG (the passphrase generated in MISPvars is stored in MISP's settings)
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.email" "$GPG_EMAIL_ADDRESS"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.password" "$GPG_PASSPHRASE"
  # FIXME: what if we have not gpg binary but a gpg2 one?
  # NOTE(review): 'which' is not POSIX; 'command -v gpg' is the portable form.
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.binary" "$(which gpg)"

  # Enable installer org and tune some configurables
  # (emailing is disabled and contact addresses are placeholders — change after install)
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.host_org_id" 1
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.email" "info@admin.test"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_emailing" true
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.contact" "info@admin.test"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disablerestalert" true
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.default_event_tag_collection" 0

  # Provisional Cortex tunes (integration disabled; TLS verification is off
  # for the placeholder URL and must be re-enabled when a real Cortex is set)
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_authkey" ""
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true

  # Various plugin sightings settings
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_policy" 0
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_range" 365

  # Plugin CustomAuth tuneable
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false

  # RPZ Plugin settings
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"

  # Force defaults to make MISP Server Settings less RED
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.language" "eng"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.proposals_block_attributes" false

  # Redis block (local instance, database 13, no password)
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.redis_port" 6379
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.redis_database" 13
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.redis_password" ""

  # Force defaults to make MISP Server Settings less YELLOW
  # (note log_client_ip and log_auth are left off here; turn them on where
  # audit trails matter)
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.extended_alert_subject" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.default_event_threat_level" 4
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_auth" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.block_event_alert" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.block_old_event_alert" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.maintenance_message" "Great things are happening! MISP is undergoing maintenance, but will return shortly. You can contact the administration at \$email."
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
  # TODO: Make sure $FLAVOUR is correct
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP on $FLAVOUR, change this message in MISP Settings"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.attachments_dir" "$PATH_TO_MISP/app/files"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.download_attachments_on_load" true
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.title_text" "MISP"
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.terms_download" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.showorgalternate" false
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.event_view_filter_fields" "id, uuid, value, comment, type, category, Tag.name"

  # Force defaults to make MISP Server Settings less GREEN
  # Password policy: at least 12 characters and the complexity regex below
  # (single-quoted so the shell leaves the pattern untouched)
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.password_policy_length" 12
  $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'

  # Set MISP Live
  $SUDO_WWW $RUN_PHP -- $CAKE Live $MISP_LIVE
}

# This updates Galaxies, ObjectTemplates, Warninglists, Noticelists, Templates
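#######################################
# Refresh MISP's bundled reference data through the cake Admin commands.
# Globals (read):    SUDO_WWW, RUN_PHP, RUN_MYSQL, CAKE, DBUSER_MISP,
#                    DBPASSWORD_MISP (SUDO_WWW/RUN_* are unquoted on purpose:
#                    they hold several words)
# Globals (written): AUTH_KEY (captured but currently unused)
# Outputs:           cake command output on stdout
# Returns:           status of the last cake command
#######################################
updateGOWNT () {
  # AUTH_KEY Place holder in case we need to **curl** something in the future
  # The key is captured straight from the pipeline. The original went through
  # /tmp/auth.key — a fixed name in a shared directory, created with the
  # caller's umask — so any local user could read an API key while it existed.
  AUTH_KEY=$($SUDO_WWW $RUN_MYSQL -- mysql -u "$DBUSER_MISP" "-p$DBPASSWORD_MISP" misp -e "SELECT authkey FROM users;" | tail -1)

  debug "Updating Galaxies, ObjectTemplates, Warninglists, Noticelists and Templates"
  # Update the galaxies…
  # TODO: Fix updateGalaxies
  $SUDO_WWW $RUN_PHP -- $CAKE Admin updateGalaxies
  # Updating the taxonomies…
  $SUDO_WWW $RUN_PHP -- $CAKE Admin updateTaxonomies
  # Updating the warning lists…
  $SUDO_WWW $RUN_PHP -- $CAKE Admin updateWarningLists
  # Updating the notice lists…
  $SUDO_WWW $RUN_PHP -- $CAKE Admin updateNoticeLists
  # Updating the object templates…
  $SUDO_WWW $RUN_PHP -- $CAKE Admin updateObjectTemplates "1337"
}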
# <snippet-end 2_core-cake.sh>
# Insert the worker and misp-modules start lines before the last line of
# rc.local (gsed '$i' inserts above the final line, the 'exit 0' written
# earlier). Both run as www; re-running these appends duplicate lines.
sudo gsed -i -e '$i \sudo -u www bash /usr/local/www/MISP/app/Console/worker/start.sh > /tmp/worker_start_rc.local.log\n' /etc/rc.local
# misp-modules is started with -l 127.0.0.1 (presumably the listen address,
# i.e. loopback only) and backgrounded; its stderr is discarded.
sudo gsed -i -e '$i \sudo -u www /usr/local/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log 2> /dev/null &\n' /etc/rc.local

10/ MISP modules

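sudo pkg install -y yara
# Shared source tree: setgid and group-writable for staff, so the clone below
# can run as the (staff) misp user without sudo. -p keeps it re-runnable.
sudo mkdir -p /usr/local/src
sudo chmod 2775 /usr/local/src
sudo chown root:staff /usr/local/src
cd /usr/local/src/ && git clone https://github.com/MISP/misp-modules.git
# The pip steps only run when the checkout exists; the venv path is quoted.
# REQUIREMENTS is taken as shipped in the checkout and installed unpinned
# from PyPI (-I reinstalls everything) — review it before a production install.
cd /usr/local/src/misp-modules && {
  # lief broken...
  sudo -H -u www "${PATH_TO_MISP}/venv/bin/pip" install maec python-magic
  sudo -H -u www "${PATH_TO_MISP}/venv/bin/pip" install -I -r REQUIREMENTS
  sudo -H -u www "${PATH_TO_MISP}/venv/bin/pip" install .
}
##sudo pip-3.6 install git+https://github.com/kbandla/pydeep.git

# install STIX2.0 library to support STIX 2.0 export:
sudo -H -u www "${PATH_TO_MISP}/venv/bin/pip" install stix2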

Warning

If you have installed the recommended Python 3 virtualenv to the recommended place of ${PATH_TO_MISP}/venv set the following MISP configurable

# NOTE(review): www-data is the Debian web user; on the FreeBSD install in this
# guide the web server runs as 'www' (see the chown/sudo -u www lines above).
sudo -H -u www-data $CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python"
or on CentOS
# NOTE(review): the nested double quotes end the outer string at "MISP.python_bin".
# Whether $RUN_PHP expects one command string or separate arguments is not
# visible here — verify this line on CentOS before relying on it.
sudo -u apache $RUN_PHP "$CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python""

Warning

Make sure that the STIX libraries and GnuPG work as intended, if not, refer to the relevant sections in the install guide you are currently reading.

Notice

Now log in using the webinterface: http://misp/users/login
The default user/pass = admin@admin.test/admin
Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference.
It is especially vital that no critical issues remain!
Don't forget to change the email, password and authentication key after installation.
Once done, have a look at the diagnostics.

Notice

If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
you can do this by running the following commands:

# Replace the placeholder with the directory flagged in the diagnostics;
# 750 keeps the tree off-limits to other local users.
chmod -R 750 ${PATH_TO_MISP}/<directory path with an indicated issue>
# /!\ Depending on your OS replace www-data with apache or www or whatever user is the web server user.
chown -R www-data:www-data ${PATH_TO_MISP}/<directory path with an indicated issue>

Notice

If anything goes wrong, make sure that you check MISP's logs for errors:

# ${PATH_TO_MISP}/app/tmp/logs/error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-worker-error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-scheduler-error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-2018-10-25.log //where the actual date is the current date


  • By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.

  • You should really harden your OS

  • You should really harden the configuration of Apache
  • You should really harden the configuration of MySQL
  • Keep your software up2date (MISP, CakePHP and everything else)
  • Log and audit

Optional features


MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following command

# ZeroMQ library, plus its Python binding installed into the MISP venv as www
sudo pkg install -y libzmq4
sudo -H -u www ${PATH_TO_MISP}/venv/bin/pip install pyzmq

misp-dashboard (NOT WORKING)

Notice

Enable ZeroMQ for misp-dashboard

Warning

This is not working, still needs a working WSGI config.

Warning

The install_dependencies.sh script is for Linux ONLY. The following blurb is a diff of a working OpenBSD version.

(DASHENV) fbsd# diff -u install_dependencies.sh install_dependencies_fbsd.sh
diff --git a/install_dependencies.sh b/install_dependencies.sh
index ca10fc0..bd5d415 100755
--- a/install_dependencies.sh
+++ b/install_dependencies.sh
@@ -1,9 +1,9 @@
-#!/bin/bash
+#!/usr/local/bin/bash

 set -e
 #set -x

-sudo apt-get install python3-virtualenv virtualenv screen redis-server unzip -y
+pkg install -y unzip wget screen

 if [ -z "$VIRTUAL_ENV" ]; then
     virtualenv -p python3 DASHENV
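Review bot: The new `pkg install -y unzip wget screen` line drops the `python3-virtualenv`/`virtualenv` packages the apt-get line installed, yet `virtualenv -p python3 DASHENV` is still called three lines later and fails on a fresh host unless virtualenv is already present; add it to the list, e.g. `pkg install -y unzip wget screen py36-virtualenv` (or pip-install virtualenv as section 3 of this guide does). The same list omits `gsed`, which the second hunk (@@ -25,8) now calls twice, and the `redis-server` package removed here has no FreeBSD replacement in the script — the rest of this guide builds redis from ports, so the script presumably relies on that having been done first. `pkg install` without sudo also only works when the script itself runs as root, unlike the line it replaces.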
@@ -25,8 +25,8 @@ if [ -e "config/config.cfg" ]; then
 else
     cp -i config/config.cfg.default config/config.cfg
     echo "Sanitizing MaxMindDB Path"
-    sed -i "s|pathMaxMindDB=./data/GeoLite2-City/GeoLite2-City.mmdb|pathMaxMindDB=$PWD/data/GeoLite2-City/GeoLite2-City.mmdb|" config/config.cfg
-    sed -i "s|path_countrycode_to_coord_JSON=./data/country_code_lat_long.json|path_countrycode_to_coord_JSON=$PWD/data/country_code_lat_long.json|" config/config.cfg
+    gsed -i "s|pathMaxMindDB=./data/GeoLite2-City/GeoLite2-City.mmdb|pathMaxMindDB=$PWD/data/GeoLite2-City/GeoLite2-City.mmdb|" config/config.cfg
+    gsed -i "s|path_countrycode_to_coord_JSON=./data/country_code_lat_long.json|path_countrycode_to_coord_JSON=$PWD/data/country_code_lat_long.json|" config/config.cfg
 fi

 ## Web stuff
# misp-dashboard checkout, owned by the web server user
cd /usr/local/www
sudo mkdir misp-dashboard
sudo chown www:www misp-dashboard
sudo -u www git clone https://github.com/MISP/misp-dashboard.git
cd misp-dashboard
#/!\ Made on Linux, the next script will fail
#sudo /usr/local/www/misp-dashboard/install_dependencies.sh
# The venv is created as root and then handed to www; the packages are pulled
# unpinned from PyPI, so review them before doing this on a production host.
sudo virtualenv -ppython3 /usr/local/www/misp-dashboard/DASHENV
sudo chown -R www DASHENV/
sudo -u www /usr/local/www/misp-dashboard/DASHENV/bin/pip install -U pip argparse redis zmq geoip2 flask phonenumbers pycountry

# NOTE(review): this rebinds the dashboard from localhost to 0.0.0.0, i.e. all
# interfaces. With mod_wsgi fronting it (below) the loopback address is likely
# enough; confirm before exposing it.
sudo gsed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /usr/local/www/misp-dashboard/config/config.cfg
# start the dashboard from rc.local at boot (gsed '$i' inserts before the last line)
sudo gsed -i -e '$i \sudo -u www bash /usr/local/www/misp-dashboard/start_all.sh\n' /etc/rc.local
#/!\ Add port 8001 as a listener
#sudo sed -i '/Listen 80/a Listen 0.0.0.0:8001' /etc/apache2/ports.conf
sudo pkg install -y ap24-py36-mod_wsgi

# Dashboard vhost on port 8001. Points to verify before use:
#  - it is plain HTTP with 'Require all granted', so limit who can reach 8001
#    at the firewall or front it with TLS;
#  - the daemon runs as misp:misp while the checkout above was chown'd to www —
#    presumably intentional, confirm the file access works;
#  - the log paths use /usr/local/log/apache2, which this guide never creates
#    (it made /var/log/apache24 earlier) — adjust or create the directory.
# The backslash-newlines inside the double-quoted string are shell line
# continuations, so the WSGIDaemonProcess options reach the file on one line.
echo "<VirtualHost *:8001>
    ServerAdmin admin@misp.local
    ServerName misp.local
    DocumentRoot /usr/local/www/misp-dashboard

    WSGIDaemonProcess misp-dashboard \
       user=misp group=misp \
       python-home=/usr/local/www/misp-dashboard/DASHENV \
       processes=1 \
       threads=15 \
       maximum-requests=5000 \
       listen-backlog=100 \
       queue-timeout=45 \
       socket-timeout=60 \
       connect-timeout=15 \
       request-timeout=60 \
       inactivity-timeout=0 \
       deadlock-timeout=60 \
       graceful-timeout=15 \
       eviction-timeout=0 \
       shutdown-timeout=5 \
       send-buffer-size=0 \
       receive-buffer-size=0 \
       header-buffer-size=0 \
       response-buffer-size=0 \
       server-metrics=Off
    WSGIScriptAlias / /usr/local/www/misp-dashboard/misp-dashboard.wsgi
    <Directory /usr/local/www/misp-dashboard>
        WSGIProcessGroup misp-dashboard
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>
    LogLevel info
    ErrorLog /usr/local/log/apache2/misp-dashboard.local_error.log
    CustomLog /usr/local/log/apache2/misp-dashboard.local_access.log combined
    ServerSignature Off
</VirtualHost>" | sudo tee /usr/local/etc/apache24/sites-available/misp-dashboard.conf

# enable the vhost (absolute link target)
sudo ln -s /usr/local/etc/apache24/sites-available/misp-dashboard.conf /usr/local/etc/apache24/sites-enabled/misp-dashboard.conf

Add this to /etc/httpd2.conf

LoadModule wsgi_module /usr/local/lib/apache2/mod_wsgi.so
Listen 8001

Notice

If you want to add the misp modules functionality, follow the setup procedure described in misp-modules:
https://github.com/MISP/misp-modules#how-to-install-and-start-misp-modules
Then the enrichment, export and import modules can be enabled in MISP via the settings.