INSTALLATION INSTRUCTIONS¶
for Ubuntu 18.04.1-server with Webmin¶
Notice
Tested semi-working by @SteveClement on 20181120.
Notice
Maintained and tested by the community.
Parts of the installation procedures can also be found in the automatic VM generator script bootstrap.sh of misp-packer.
MISP configuration variables¶
If you are doing a manual install by copying and pasting from this document, please do the following before starting:
# NOTE(review): this fetches a script over HTTPS and eval's it unseen, in the shell of the
# (sudo-capable) user doing the install. If you prefer to review what you run, download
# globalVariables.md first, read the snippet, then source it. The 'grep -v' only strips the
# markdown code fences around the snippet.
eval "$(curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/docs/generic/globalVariables.md | awk '/^# <snippet-begin/,0' | grep -v \`\`\`)"
# Defines the variables (and generates the random passwords) in THIS shell only -- see the notice below about not leaving the session.
MISPvars
Notice
Do NOT leave your session after this mid-install as some initial passwords have been generated and thus would be lost. Consider using a mux like screen or tmux.
# <snippet-begin 0_global-vars.sh>
# $ eval "$(curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/docs/generic/globalVariables.md | awk '/^# <snippet-begin/,0' | grep -v \`\`\`)"
# $ MISPvars
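MISPvars () {
  # Populate the environment variables shared by every MISP install flavour:
  # local user and DB credentials, distro / web-server detection, install
  # paths, php.ini values and the parameters of the auto-generated GPG key.
  # Variables already set by the caller are kept; everything else gets a
  # default, and unset passwords get a fresh 32-byte random hex value.
  # Side effect: prints the two generated DB passwords to stdout.
  # Returns 1 (without setting anything) when openssl is not installed.
  debug "Setting generic ${LBLUE}MISP${NC} variables shared by all flavours" 2> /dev/null
  # openssl generates the passwords below; some distros ship without it.
  # (The earlier check ran the *output* of 'openssl help' as a command, and its
  # 'exit' only left a subshell, so the function carried on regardless.)
  if ! command -v openssl > /dev/null 2>&1; then
    echo "No openssl, please install to continue" >&2
    return 1
  fi
  # Local non-root MISP user
  MISP_USER="${MISP_USER:-misp}"
  MISP_PASSWORD="${MISP_PASSWORD:-$(openssl rand -hex 32)}"
  # Cheap distribution detector, e.g. "ubuntu18.04" (ID + VERSION_ID + optional "stream")
  FLAVOUR="$(. /etc/os-release && echo "$ID"| tr '[:upper:]' '[:lower:]')"
  STREAM="$(. /etc/os-release && echo "$NAME"| grep -o -i stream |tr '[:upper:]' '[:lower:]')"
  DIST_VER="$(. /etc/os-release && echo "$VERSION_ID")"
  DISTRI=${FLAVOUR}${DIST_VER}${STREAM}
  # The web server user, and the sudo/doas prefix used to run commands as it
  # RHEL/CentOS
  if [[ -f "/etc/redhat-release" ]]; then
    # captures the matching sestatus line (if any) followed by grep's exit status
    SE_LINUX=$(sestatus -v -b |grep "^SELinux status"| grep enabled ; echo $?)
    WWW_USER="apache"
    SUDO_WWW="sudo -H -u ${WWW_USER} "
  # Debian flavoured
  elif [[ -f "/etc/debian_version" ]]; then
    WWW_USER="www-data"
    SUDO_WWW="sudo -H -u ${WWW_USER} "
  # OpenBSD
  elif [[ "$(uname -s)" == "OpenBSD" ]]; then
    WWW_USER="www"
    PATH_TO_MISP="${PATH_TO_MISP:-/var/www/htdocs/MISP}"
    SUDO_WWW="doas -u www "
    SUDO_CMD="doas "
  # NetBSD
  elif [[ "$(uname -s)" == "NetBSD" ]]; then
    WWW_USER="www"
    # The previous form lacked the opening brace of ${...:-...} and expanded to the
    # literal string "<path>:-/usr/pkg/...}" instead of applying a default.
    PATH_TO_MISP="${PATH_TO_MISP:-/usr/pkg/share/httpd/htdocs/MISP}"
    SUDO_WWW="sudo -H -u ${WWW_USER} "
  else
    # I am feeling lucky
    WWW_USER="www-data"
    SUDO_WWW="sudo -H -u ${WWW_USER} "
  fi
  # MISP configuration variables
  PATH_TO_MISP="${PATH_TO_MISP:-/var/www/MISP}"
  PATH_TO_MISP_SCRIPTS="${PATH_TO_MISP}/app/files/scripts"
  ## For future use
  # TMPDIR="${TMPDIR:-$PATH_TO_MISP/app/tmp}"
  FQDN="${FQDN:-misp.local}"
  MISP_BASEURL="${MISP_BASEURL:-""}"
  MISP_LIVE="1"
  # Database configuration
  DBHOST="${DBHOST:-localhost}"
  DBNAME="${DBNAME:-misp}"
  DBUSER_ADMIN="${DBUSER_ADMIN:-root}"
  DBPASSWORD_ADMIN="${DBPASSWORD_ADMIN:-$(openssl rand -hex 32)}"
  DBUSER_MISP="${DBUSER_MISP:-misp}"
  DBPASSWORD_MISP="${DBPASSWORD_MISP:-$(openssl rand -hex 32)}"
  # OpenSSL configuration (certificate subject fields)
  OPENSSL_CN=${FQDN}
  OPENSSL_C="LU"
  OPENSSL_ST="State"
  OPENSSL_L="Location"
  OPENSSL_O="Organization"
  OPENSSL_OU="Organizational Unit"
  OPENSSL_EMAILADDRESS="info@${FQDN}"
  # GPG configuration -- placeholders for a throw-away key; set your own
  # name/e-mail before generating the key on a real install
  GPG_REAL_NAME="Autogenerated Key"
  # On a REAL install, please do not set a comment, see here for why: https://www.debian-administration.org/users/dkg/weblog/97
  GPG_COMMENT="WARNING: MISP AutoGenerated Key consider this Key VOID!"
  GPG_EMAIL_ADDRESS="admin@admin.test"
  # 3072 bits used as per suggestions here: https://riseup.net/en/security/message-security/openpgp/best-practices
  GPG_KEY_LENGTH="3072"
  # Honour a caller-supplied passphrase like every other secret above. It is
  # never printed by this function, so record it before the session ends.
  GPG_PASSPHRASE="${GPG_PASSPHRASE:-$(openssl rand -hex 32)}"
  # debug alias to make sure people are not confused when blindly copy pasting blobs of code
  alias debug="echo -e"
  # checkAptLock alias to make sure people are not confused when blindly copy pasting blobs of code
  alias checkAptLock="echo 'Function used in Installer to make sure apt is not locked'"
  # php.ini configuration
  upload_max_filesize="50M"
  post_max_size="50M"
  max_execution_time="300"
  memory_limit="2048M"
  session0sid_length="32"
  session0use_strict_mode="1"
  CAKE="${PATH_TO_MISP}/app/Console/cake"
  # sudo config to run $LUSER commands (keep the 'staff' group when the user has it)
  if [[ "$(groups "${MISP_USER}" |grep -o 'staff')" == "staff" ]]; then
    SUDO_CMD="sudo -H -u ${MISP_USER} -g staff"
  else
    SUDO_CMD="sudo -H -u ${MISP_USER}"
  fi
  # These go to stdout (and to any transcript or log of this session).
  # MISP_PASSWORD and GPG_PASSPHRASE are generated just as silently and are NOT shown here.
  echo "The following DB Passwords were generated..."
  echo "Admin (${DBUSER_ADMIN}) DB Password: ${DBPASSWORD_ADMIN}"
  echo "User (${DBUSER_MISP}) DB Password: ${DBPASSWORD_MISP}"
}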
# <snippet-end 0_global-vars.sh>
# Paths specific to this Webmin/Virtualmin layout; they override the generic
# defaults chosen by MISPvars above.
PHP_ETC_BASE="/etc/php/7.2"
PHP_INI="${PHP_ETC_BASE}/apache2/php.ini"
# Name of the Virtualmin virtual-server user, which need not be 'misp'
VIRT_USER="misp.misp-vm.local"
PATH_TO_MISP="/home/${VIRT_USER}/public_html/MISP"
Why Webmin/Virtualmin?¶
Some may not be full time sysadmin and prefer a platform that once it has been setup works and is decently easy to manage.
Assumptions¶
Assuming you created the subdomain misp.yourserver.tld where MISP will be installed, that the user "misp" is in the sudoers group, and that you have already configured TLS with Let's Encrypt on the subdomain.
1/ Minimal Ubuntu install¶
Install a minimal Ubuntu 18.04-server system with the software:¶
- OpenSSH server
- This guide assumes a user name of 'misp' with sudo working
install etckeeper and sudo (optional)¶
# <snippet-begin 0_sudoKeeper.sh>
# check if sudo is installed
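checkSudoKeeper () {
  # Make sure sudo is available and install etckeeper (so changes under /etc
  # are versioned during the install). When sudo is missing, everything is
  # done through 'su' and ${MISP_USER} is added to the sudo group; that group
  # change only applies on the next login, so the session is ended afterwards.
  # Requires MISP_USER (set by MISPvars).
  : "${MISP_USER:?MISP_USER is not set, run MISPvars first}"
  echo "Checking for sudo and installing etckeeper"
  # 'command -v' instead of testing the (possibly empty) output of 'which'
  if ! command -v sudo > /dev/null 2>&1; then
    echo "Please enter your root password below to install etckeeper"
    su -c "apt install etckeeper -y"
    echo "Please enter your root password below to install sudo"
    su -c "apt install sudo -y"
    echo "Please enter your root password below to install curl"
    su -c "apt install curl -y"
    echo "Please enter your root password below to add ${MISP_USER} to sudo group"
    su -c "/usr/sbin/adduser ${MISP_USER} sudo"
    echo "We added ${MISP_USER} to group sudo and now we need to log out and in again."
    exit
  else
    sudo apt update
    sudo apt install etckeeper -y
  fi
}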
# <snippet-end 0_sudoKeeper.sh>
add the misp user to staff and www-data (mandatory)¶
# <snippet-begin add-user.sh>
## FIXME: This function is a duplicate included in: # <snippet-begin 0_support-functions.sh>
# check is /usr/local/src is RW by misp user
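checkUsrLocalSrc () {
  # Ensure /usr/local/src exists and is writable by ${MISP_USER}; otherwise make
  # it root:staff with mode 2775 (group-writable, setgid so new entries inherit
  # the group -- ${MISP_USER} is expected to be in 'staff', see above).
  echo ""
  if [[ -e /usr/local/src ]]; then
    # touching the directory itself only succeeds when the user may write to it
    if sudo -H -u "$MISP_USER" touch /usr/local/src 2> /dev/null; then
      echo "Good, /usr/local/src exists and is writeable as $MISP_USER"
    else
      sudo chmod 2775 /usr/local/src
      sudo chown root:staff /usr/local/src
    fi
  else
    echo "/usr/local/src does not exist, creating."
    # needs root: /usr/local is not writable by an unprivileged user
    sudo mkdir -p /usr/local/src
    sudo chmod 2775 /usr/local/src
    # The earlier test compared grep's (discarded) output with "0", so this
    # chown never ran; test the exit status instead.
    if grep -q '^staff:' /etc/group; then
      sudo chown root:staff /usr/local/src
    fi
  fi
}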
# <snippet-end add-user.sh>
Network Interface Name salvage (optional)¶
This will bring back 'ethX' e.g: eth0
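# <snippet-begin interfaces.sh>
# Optional: switch back to classic ethX interface names and configure eth0
# with DHCP through ifupdown.
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
DEFAULT_GRUB=/etc/default/grub
echo "--- Using old style name (ethX) for interfaces"
# Edit in place. The previous 'sed FILE | sudo tee FILE' pipeline let tee
# truncate the file while sed was still reading it, which can leave
# /etc/default/grub empty.
sudo sed -i -r "s/^(GRUB_CMDLINE_LINUX=).*/\1\"${GRUB_CMDLINE_LINUX}\"/" "$DEFAULT_GRUB"
# install ifupdown since ubuntu 18.04
sudo apt-get update
sudo apt-get install -y ifupdown
# enable eth0
echo "--- Configuring eth0"
echo "# The primary network interface
auto eth0
iface eth0 inet dhcp" | sudo tee /etc/network/interfaces
# update-grub wraps 'grub-mkconfig -o /boot/grub/grub.cfg', so one call is
# enough; its output is left visible so errors are not hidden.
sudo update-grub
# <snippet-end interfaces.sh>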
Notice
On recent Ubuntu installs Netplan is the default, and you might need to change the network interface name in its respective config file.
# Rename the interface in whichever of these Netplan files exists on your system.
# Check the current name first (ls /etc/netplan; ip link): it is not necessarily
# enp0s3. sed -i on a file that does not exist only prints an error.
sudo sed -i "s/enp0s3/eth0/" /etc/netplan/50-cloud-init.yaml
sudo sed -i "s/enp0s3/eth0/" /etc/netplan/01-netcfg.yaml
sudo sed -i "s/enp0s3/eth0/" /etc/netplan/00-installer-config.yaml
Make sure your system is up2date¶
sudo apt-get update
# interactive: review the list of packages before confirming the upgrade
sudo apt-get upgrade
Get Virtualmin¶
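# Fetch the installer over TLS: it is executed as root in the next step, and a plain
# HTTP download could be altered in transit.
wget -O /tmp/install.sh https://software.virtualmin.com/gpl/scripts/install.sh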
Install it¶
chmod +x /tmp/install.sh
# This runs as root and sets up a complete hosting stack: read the script first
# (less /tmp/install.sh). /tmp is shared with every local user, so run it right
# away rather than leaving the file there.
sudo /tmp/install.sh
2/ Configure basic Virtualmin environment¶
Once the system is installed you can perform the following steps:
Install the dependencies: (some might already be installed)¶
# NOTE(review): 'python' on Ubuntu 18.04 is the Python 2 package, while the virtualenv
# created later on this page uses '-p python3'; 'python3' may be what is actually needed -- confirm.
sudo apt-get install curl gcc git gnupg-agent make python openssl redis-server sudo vim zip virtualenv -y
Stop MySQL and install MariaDB (a MySQL fork/alternative)¶
Warning
Databases and data will be lost! It is assumed you are installing on a new server with no existing DBs
Notice
At present, a simple...
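# Stop the Ubuntu MySQL server and install MariaDB in its place. (The earlier form of
# this line ended in a stray quote character, leaving the shell waiting for its match.)
sudo service mysql stop && sudo apt-get install mariadb-client mariadb-server
# Purge the MySQL 5.7 packages; purging may also remove their data, see the warning above
sudo apt purge mysql-client-5.7 mysql-client-core-5.7 mysql-common mysql-server-5.7 mysql-server-core-5.7 mysql-server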
Issues may arise if you leave the MySQL configuration in place, remove config files in /etc/mysql if needed.
Remove and cleanup packages¶
# drop packages orphaned by the purge above and repair any half-configured ones
sudo apt autoremove && sudo apt -f install
Add repositories for Mariadb 10.3 and install it¶
sudo apt-get install software-properties-common
# The signing key is fetched over plain HKP (port 80) by its long key ID. Before trusting
# the repository, compare the imported key's fingerprint (sudo apt-key fingerprint F1656F24C74CD1D8)
# with the one MariaDB publishes.
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
# The mirror is reached over http; apt checks the repository's signature against the key
# above, which is why the key's authenticity matters more than the transport here.
sudo add-apt-repository 'deb [arch=amd64,arm64,ppc64el] http://mariadb.mirrors.ovh.net/MariaDB/repo/10.3/ubuntu bionic main'
sudo apt update
# Install MariaDB (a MySQL fork/alternative)
sudo apt-get install mariadb-client mariadb-server -y
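# Make sure auth_socket.so is loaded
grep auth_socket /etc/mysql/mariadb.conf.d/50-server.cnf
## If not add this in the [mysqld] section
### [mysqld]
### plugin-load-add = auth_socket.so
sudo systemctl restart mariadb.service
sudo apt install expect -y
# Your sudo password, read without echo instead of being hard-coded in the snippet.
# If sudo is NOPASSWD for you, leave it empty and comment out the two lines below
# that wait for and answer the sudo prompt.
read -r -s -p "sudo password for $(id -un) (empty if NOPASSWD): " pw; echo
# The expect script is fed on stdin, so neither password shows up in 'ps'.
# ${DBPASSWORD_ADMIN} comes from MISPvars and becomes the MariaDB root password.
# A password containing Tcl-special characters ([ ] $ " \) would need escaping here.
expect -f - <<-EOF
set timeout 10
spawn sudo mysql_secure_installation
expect "*?assword*"
send -- "$pw\r"
expect "Enter current password for root (enter for none):"
send -- "\r"
expect "Set root password?"
send -- "y\r"
expect "New password:"
send -- "${DBPASSWORD_ADMIN}\r"
expect "Re-enter new password:"
send -- "${DBPASSWORD_ADMIN}\r"
expect "Remove anonymous users?"
send -- "y\r"
expect "Disallow root login remotely?"
send -- "y\r"
expect "Remove test database and access to it?"
send -- "y\r"
expect "Reload privilege tables now?"
send -- "y\r"
expect eof
EOF
# the sudo password is not needed any more
unset pw
sudo apt-get purge -y expect ; sudo apt autoremove -y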
Go through the Webmin post-installation Wizard and configure your misp.yourdomain.tld virtual server
That should create the 'misp' user and related directories. Add the 'misp' user to the sudo group.
Also make sure the variable ${VIRT_USER} is set to the user you created when you created the virtual server. This might NOT be 'misp' but something completely different, like: 'misp.misp-vm.local' or 'misp.example.com' or 'misp-virtual'.
Install PHP and dependencies¶
# PHP here is the 7.2 series (matches PHP_ETC_BASE above); the redis and gnupg
# extensions are switched on later with phpenmod
sudo apt-get install libapache2-mod-php php php-cli php-gnupg php-dev php-json php-mysql php-opcache php-readline php-redis php-xml php-mbstring php-gd php-zip -y
Apply all changes¶
# reload the new PHP modules into Apache
sudo systemctl restart apache2.service
3/ MISP code¶
Assuming you created the subdomain virtual server misp.yourserver.tld, download MISP using git into /home/${VIRT_USER}/public_html/ as ${VIRT_USER}.
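# 'su -' starts a fresh login shell: the variables set by MISPvars (PATH_TO_MISP,
# SUDO_WWW, ...) and VIRT_USER are NOT carried over. Re-run MISPvars / re-export
# them in the new shell before continuing, or the paths below expand to nothing.
sudo su - ${VIRT_USER}
# or log out root and log back in as your virtual server user
git clone https://github.com/MISP/MISP.git ${PATH_TO_MISP}
cd ${PATH_TO_MISP}
# Check out the most recent tag (the latest release)
git checkout tags/$(git describe --tags $(git rev-list --tags --max-count=1))
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)
git submodule update --init --recursive
# Make git ignore filesystem permission differences
git submodule foreach --recursive git config core.filemode false
# Create a python3 virtualenv
virtualenv -p python3 ${PATH_TO_MISP}/venv
cd ${PATH_TO_MISP}/app/files/scripts
# These clones follow each project's default branch, unpinned, and are installed
# into MISP's venv; pin a release tag if you need reviewed/reproducible dependencies.
git clone https://github.com/CybOXProject/python-cybox.git
git clone https://github.com/STIXProject/python-stix.git
git clone https://github.com/MAECProject/python-maec.git
# The clones belong to the user running this section, so the per-repo git config
# is set as that user. The earlier $SUDO_WWW prefix would have run it as www-data,
# which owns none of these files (after 'su -' the variable is empty anyway, so it
# only worked by accident).
for repo in python-cybox python-stix python-maec; do
  ( cd ${PATH_TO_MISP}/app/files/scripts/$repo && git config core.filemode false && ${PATH_TO_MISP}/venv/bin/pip install . )
done
# install mixbox to accommodate the new STIX dependencies:
cd ${PATH_TO_MISP}/app/files/scripts/
git clone https://github.com/CybOXProject/mixbox.git
cd ${PATH_TO_MISP}/app/files/scripts/mixbox
git config core.filemode false
${PATH_TO_MISP}/venv/bin/pip install .
# install PyMISP (submodule checked out above)
cd ${PATH_TO_MISP}/PyMISP
${PATH_TO_MISP}/venv/bin/pip install .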
4/ CakePHP¶
# CakePHP is included as a submodule of MISP
# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd ${PATH_TO_MISP}/app
# composer.phar is the copy shipped in the checkout; it runs with your privileges and
# downloads the PHP dependencies, so it deserves the same trust as the tag you checked out
php composer.phar install --no-dev
# Enable CakeResque with php-redis
sudo phpenmod redis
sudo phpenmod gnupg
# To use the scheduler worker for scheduled tasks, do the following:
cp -fa ${PATH_TO_MISP}/INSTALL/setup/config.php ${PATH_TO_MISP}/app/Plugin/CakeResque/Config/config.php
# If you have multiple MISP instances on the same system, don't forget to have a different Redis per MISP instance for the CakeResque workers
# The default Redis port can be updated in Plugin/CakeResque/Config/config.php
5/ Set the permissions¶
# Check if the permissions are set correctly using the following commands:
# NOTE(review): this makes ${VIRT_USER} both owner and group of the tree. With the
# 750 / g+ws modes below, Apache can only write into tmp/ and files/ if its worker
# user is a member of that group (the notices at the end of this page use
# misp:www-data instead) -- confirm which group your Apache worker runs as.
sudo chown -R ${VIRT_USER}:${VIRT_USER} ${PATH_TO_MISP}
sudo chmod -R 750 ${PATH_TO_MISP}
# setgid + group write so files created under tmp/ and files/ stay group-accessible
sudo chmod -R g+ws ${PATH_TO_MISP}/app/tmp
sudo chmod -R g+ws ${PATH_TO_MISP}/app/files
# redundant with the recursive chmod on app/files above (scripts/tmp lies under it)
sudo chmod -R g+ws ${PATH_TO_MISP}/app/files/scripts/tmp
6/ Create a database and user¶
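# Enter the mysql shell (root authenticates with the password set by mysql_secure_installation above)
sudo mysql -u root -p
# If all went well when you created the misp user in Virtualmin you should already have a misp database
# otherwise create it with:
create database misp;
# Make sure password and all privileges are set. Replace the placeholder with the
# DBPASSWORD_MISP value printed by MISPvars (or another strong password) and keep it
# for database.php in section 9.
grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
grant all privileges on misp.* to misp@localhost;
flush privileges;
exit
# Import the empty MISP database from MYSQL.sql.
# The file is read as ${VIRT_USER} (the tree is 750 and owned by that user). The DB
# password is prompted for (-p with no value) instead of being passed on the command
# line, where it would be visible in 'ps' and in the shell history.
sudo -u "${VIRT_USER}" cat "${PATH_TO_MISP}/INSTALL/MYSQL.sql" | mysql -u "$DBUSER_MISP" -p "$DBNAME"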
7/ Apache configuration¶
Most of it should have been done when you created the subdomain but add these changes as well
# Under <VirtualHost <IP, FQDN, or *>:80>
# ServerName <your.FQDN.here>
# add
# (the plain-HTTP vhost serves nothing itself; every request is sent to the TLS vhost)
Redirect permanent / https://<your.FQDN.here>
ServerSignature Off
# Closing tag </VirtualHost>
# Under <VirtualHost <IP, FQDN, or *>:443>
# ServerAdmin admin@<your.FQDN.here>
# ServerName <your.FQDN.here>
# etc...
# find the document root and change it as follows
# NOTE(review): '/home/misp' assumes the virtual-server user is 'misp'; with a
# different ${VIRT_USER} (see section 2) the path is /home/<VIRT_USER>/public_html/MISP/app/webroot
DocumentRoot /home/misp/public_html/MISP/app/webroot
# The Directory tag should be changed to:
<Directory /home/misp/public_html/MISP/app/webroot>
# The rest shouldn't require modifications. Restart Apache
sudo service apache2 restart
9/ MISP configuration¶
# There are 4 sample configuration files in ${PATH_TO_MISP}/app/Config that need to be copied
cp -a ${PATH_TO_MISP}/app/Config/bootstrap.default.php ${PATH_TO_MISP}/app/Config/bootstrap.php
cp -a ${PATH_TO_MISP}/app/Config/database.default.php ${PATH_TO_MISP}/app/Config/database.php
cp -a ${PATH_TO_MISP}/app/Config/core.default.php ${PATH_TO_MISP}/app/Config/core.php
cp -a ${PATH_TO_MISP}/app/Config/config.default.php ${PATH_TO_MISP}/app/Config/config.php
# Configure the fields in the newly created files:
vi ${PATH_TO_MISP}/app/Config/database.php
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
# public $default = array(
# 'datasource' => 'Database/Mysql',
# 'persistent' => false,
# 'host' => 'localhost',
# 'login' => 'misp', // grant usage on *.* to misp@localhost
# 'port' => 3306,
# 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
# 'database' => 'misp', // create database misp;
# 'prefix' => '',
# 'encoding' => 'utf8',
# );
#}
# Important! Change the salt key in ${PATH_TO_MISP}/app/Config/config.php
# see line 7 (may change)
# 'salt' => 'yoursaltkeyhere'
# The salt key must be a string at least 32 bytes long.
# (a random one: openssl rand -base64 32)
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)
# Change base url in config.php
vi ${PATH_TO_MISP}/app/Config/config.php
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# 'baseurl' => '',
# 'email' => 'anemail@yourdomain.tld, set an email address that will be used for gpg
# and make sure the file permissions are still OK
# (database.php now holds the DB password in clear text; it must not be world-readable)
chmod -R 750 ${PATH_TO_MISP}/app/Config
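# Generate a GPG encryption key.
# GPG_REAL_NAME / GPG_COMMENT / GPG_EMAIL_ADDRESS from MISPvars are placeholders
# for a throw-away key; set real values before running this on a production instance.
mkdir "${PATH_TO_MISP}/.gnupg"
chmod 700 "${PATH_TO_MISP}/.gnupg"
# The key parameters -- including the passphrase -- are handed to gpg on stdin.
# The earlier version wrote them to /tmp/gen-key-script, a predictable file that
# was world-readable under the default umask and never deleted, leaving
# $GPG_PASSPHRASE on disk.
gpg --homedir "${PATH_TO_MISP}/.gnupg" --batch --gen-key <<EOF
%echo Generating a default key
Key-Type: default
Key-Length: $GPG_KEY_LENGTH
Subkey-Type: default
Name-Real: $GPG_REAL_NAME
Name-Comment: $GPG_COMMENT
Name-Email: $GPG_EMAIL_ADDRESS
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
# Do a commit here, so that we can later print "done"
%commit
%echo done
EOF
# Record $GPG_PASSPHRASE now: MISPvars generated it and nothing prints it, it is gone
# when this shell ends, and MISP's GnuPG settings will presumably need it to use the key.
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
# And export the public key to the webroot
gpg --homedir "${PATH_TO_MISP}/.gnupg" --export --armor "$GPG_EMAIL_ADDRESS" | tee "${PATH_TO_MISP}/app/webroot/gpg.asc"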
# If you get no satisfaction with your entropy install this:
# haveged feeds the kernel entropy pool; on a fresh VM the gpg key generation
# above can otherwise block waiting for randomness
sudo apt-get install haveged pv
#Generate entropy for the next step, open a new shell and run the following command:
# NOTE(review): this tip is placed after the gpg --gen-key step it is meant to help;
# start it before generating the key if generation hangs.
haveged -n 0 | pv > /dev/null
# It should start saying something like "Writing unlimited bytes to stdout"
# let it run and go back to the previous shell
# You can now Ctrl+C the running haveged in the other shell
# and return to the "install" shell
# To make the background workers start on boot
chmod +x ${PATH_TO_MISP}/app/Console/worker/start.sh
# Activate rc.local in systemd
# Systemd developers, in their wisdom, decided to complicate things a bit so you'll have to
# create the rc-local.service
sudo vi /etc/systemd/system/rc-local.service
# and paste the following in it
[Unit]
Description=/etc/rc.local Compatibility
ConditionPathExists=/etc/rc.local
[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99
[Install]
WantedBy=multi-user.target
# Hit the "esc" button then type :wq! to write the file and exit vi
# Create/edit /etc/rc.local
sudo vi /etc/rc.local
# If the file is empty add the following including the #
#!/bin/bash
# Then add this
# NOTE(review): rc.local runs at boot, where ${VIRT_USER} and ${PATH_TO_MISP} are not
# defined; write the literal user name and path into the file, not the variables.
sudo -u ${VIRT_USER} bash ${PATH_TO_MISP}/app/Console/worker/start.sh
# If the file was empty add this as the last line
exit 0
# save, quit vi and set permissions
sudo chmod +x /etc/rc.local
# Enable it in systemd
sudo systemctl enable rc-local
#Start the rc-local compatibility layer and check if AOK
sudo systemctl start rc-local.service
sudo systemctl status rc-local.service
Notice
Once done, have a look at the diagnostics. If any of the directories that MISP uses to store files is not writeable by the web server user, change the permissions; you can do this by running the following commands:
# NOTE(review): the notice further down uses 750 and www-data:www-data for the same
# fix, and section 5 used ${VIRT_USER}:${VIRT_USER}. Pick one scheme: owner = the
# user that owns the checkout (${VIRT_USER} here, not necessarily 'misp'),
# group = the group your Apache worker runs as; 770 additionally grants group write.
sudo chmod -R 770 ${PATH_TO_MISP}/<directory path with an indicated issue>
sudo chown -R misp:www-data ${PATH_TO_MISP}/<directory path with an indicated issue>
Notice
If anything goes wrong, make sure that you check MISP's logs for errors:
```
${PATH_TO_MISP}/app/tmp/logs/error.log
${PATH_TO_MISP}/app/tmp/logs/resque-worker-error.log
${PATH_TO_MISP}/app/tmp/logs/resque-scheduler-error.log
${PATH_TO_MISP}/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
```
Warning
If you have installed the recommended Python 3 virtualenv to the recommended place of ${PATH_TO_MISP}/venv set the following MISP configurable
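# Debian/Ubuntu (this guide): the web server user is www-data. If it cannot write
# ${PATH_TO_MISP}/app/Config (750, owned by ${VIRT_USER} after section 5), run the
# command as ${VIRT_USER} instead -- the setting presumably lands in config.php.
sudo -H -u www-data $CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python"
# RHEL/CentOS variant, kept for reference only: there is no 'apache' user here and
# $RUN_PHP (the SCL wrapper from the RHEL guide) is not defined on this page. The inner
# quotes must be escaped, otherwise the command string splits into several arguments.
# sudo -u apache $RUN_PHP "$CAKE Admin setSetting \"MISP.python_bin\" \"${PATH_TO_MISP}/venv/bin/python\""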
Warning
Make sure that the STIX libraries and GnuPG work as intended, if not, refer to the relevant sections in the install guide you are currently reading.
Notice
Now log in using the web interface: https://<your.FQDN.here>/users/login (plain-HTTP requests are redirected there by the :80 virtual host configured above).
The default user/pass = admin@admin.test/admin
Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference.
It is especially vital that no critical issues remain!
Don't forget to change the e-mail address, password and authentication key of that default admin account right after the first login.
Once done, have a look at the diagnostics.
Notice
If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
you can do this by running the following commands:
# NOTE(review): the notice above uses 770 and misp:www-data for the same fix, and
# section 5 used ${VIRT_USER}:${VIRT_USER}. On this Webmin layout the checkout is
# owned by ${VIRT_USER}, so handing the whole tree to www-data as shown here would
# also take it away from the user that updates it; keep the owner and give only the
# group to the web server. These run without sudo, so they only work as the owner.
chmod -R 750 ${PATH_TO_MISP}/<directory path with an indicated issue>
# /!\ Depending on your OS replace www-data with apache or www or whatever user is the web server user.
chown -R www-data:www-data ${PATH_TO_MISP}/<directory path with an indicated issue>
Notice
If anything goes wrong, make sure that you check MISP's logs for errors:
# ${PATH_TO_MISP}/app/tmp/logs/error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-worker-error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-scheduler-error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-2018-10-25.log //where the actual date is the current date
Recommended actions¶
-
By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.
-
You should really harden your OS
- You should really harden the configuration of Apache
- You should really harden the configuration of MySQL
- Keep your software up2date (MISP, CakePHP and everything else)
- Log and audit
Hardening a base system¶
Intro¶
MISP is a web-based information sharing platform, by design it is kept rather simple and hardening can be done by following the common best practices.
Bear in mind that neither the MISP documentation efforts nor the core MISP project can give you the ultimate guide on how to harden your system. This is not the purpose of the MISP Project but the purpose and care of those individuals and organizations deploying MISP instances.
Nevertheless, here is a very rough food-for-thought bullet-point list for you to consider, and a list of some hardening resources below.
- Are we using SSL by default? (Especially when syncing over the internet and exposing the API)
- How do we access the machine remotely? Via ssh? What is the path to get there? Does a bastion host make sense?
- Is the machine shared with other user accounts? Do I need to care about user-land security due to this sharing?
- Is the instance deployed in the "cloud"? Is it a VPS? AWS? docker? ansible? kubernetes? whateverCloudContainterMagicIsFancibleNow?
- Do we need to encrypt the partitions where some data is stored?
- Are we redundant in case one MISP instance might fail?
- Is the database server and any other servers running on the machine bound to localhost? Do we need to expose because our setup is more complex?
- Do we have enough storage? What about MISP and size estimation anyways?
- Do we care about BIOS updates?
- Do we care about physical access to the servers? (Disabling USB ports etc...)
- Is any fancy management engine à la IME in use?
Apache¶
To make Apache less verbose in terms of sending banners, the change below to /etc/apache2/conf-available/security.conf might help.
diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf
index f9f69d4..2e8fd78 100644
--- a/apache2/conf-available/security.conf
+++ b/apache2/conf-available/security.conf
@@ -22,7 +22,7 @@
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
-ServerTokens OS
+ServerTokens Prod
#ServerTokens Full
#
@@ -33,7 +33,7 @@ ServerTokens OS
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#ServerSignature Off
-ServerSignature On
+ServerSignature Off
#
# Allow TRACE method
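Review bot: The page gives no step for Apache to pick this change up, so the new `ServerSignature Off` (and `ServerTokens Prod` in the hunk above) stays inactive until `sudo systemctl reload apache2` is run; the file is only read while `security.conf` is enabled under conf-enabled, which as far as I can tell is the Ubuntu default (`sudo a2enconf security` otherwise). The hunk ends on the `# Allow TRACE method` comment, so the `TraceEnable` directive it introduces lies outside the hunk; worth confirming it reads `TraceEnable Off` while editing the file. Both directives only trim the version banner and do not change what the server exposes, so the OS/Apache/MySQL hardening items listed above still apply.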
Resources¶
IT Security Guidelines for TLS by NCSC.nl
Weak Diffie-Hellman and the Logjam Attack
Optional features¶
MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following command¶
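# MISP runs its Python from ${PATH_TO_MISP}/venv (see the MISP.python_bin setting above),
# and a virtualenv does not see packages installed system-wide by 'sudo pip3', so
# install into the venv -- no root needed either.
${PATH_TO_MISP}/venv/bin/pip install pyzmq
# ZeroMQ depends on the Python client for Redis
${PATH_TO_MISP}/venv/bin/pip install redis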
MISP has a feature for publishing events to Kafka. To enable it, simply run the following commands¶
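# librdkafka headers and php-dev are needed to build the PECL extension; both steps
# write outside $HOME and need sudo (missing in the earlier form)
sudo apt-get install librdkafka-dev php-dev
sudo pecl install rdkafka
# Enable it the same way as the other PHP modules on this page (mods-available +
# phpenmod) instead of appending to every php.ini under /etc, which could not be
# written without root and duplicated the line on every re-run.
echo "extension=rdkafka.so" | sudo tee /etc/php/7.2/mods-available/rdkafka.ini
sudo phpenmod rdkafka
sudo service apache2 restart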
Experimental ssdeep correlations¶
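# installing ssdeep
# Fetch over TLS: the tarball is built and installed as root below and nothing on this
# page verifies it. Compare it against a published checksum/signature if one is available.
wget https://downloads.sourceforge.net/project/ssdeep/ssdeep-2.13/ssdeep-2.13.tar.gz
tar zxvf ssdeep-2.13.tar.gz
# chained so that a failed configure or make never reaches 'sudo make install'
cd ssdeep-2.13 && ./configure && make && sudo make install
ssdeep -h # test
#installing ssdeep_php
sudo pecl install ssdeep
# You should add "extension=ssdeep.so" to mods-available - Check /etc/php for your current version
echo "extension=ssdeep.so" | sudo tee /etc/php/7.2/mods-available/ssdeep.ini
sudo phpenmod ssdeep
sudo service apache2 restart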
Notice
If you want to add the misp modules functionality, follow the setup procedure described in misp-modules:
https://github.com/MISP/misp-modules#how-to-install-and-start-misp-modules
Then the enrichment, export and import modules can be enabled in MISP via the settings.