Skip to content

INSTALLATION INSTRUCTIONS

for OpenBSD 6.5-amd64

Warning

This is not fully working yet. Mostly it is a template for our ongoing documentation efforts đź•· LIEF, will probably not be available for a long long time on OpenBSD, until someone is brave enough to make it work. GnuPG also needs some more TLC. misp-modules are broken because of the python-opencv dependency.

0/ WIP! You are warned, this does only partially work!


Notice

This guide attempts to offer native httpd or apache2/nginx.

Warning

As of 20181018 the native httpd server is NOT useable with MISP on OpenBSD 6.3. Thus ONLY Apache 2.x available. NO rewrite available, just yet. It will be in the next release

Notice

As of OpenBSD 6.4 the native httpd has rewrite rules and php 5.6 is gone too.

MISP configuration variables

# <snippet-begin 0_global-vars.sh>
# $ eval "$(curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/docs/generic/globalVariables.md | grep -v \`\`\`)"
# $ MISPvars
MISPvars () {
  debug "Setting generic ${LBLUE}MISP${NC} variables shared by all flavours" 2> /dev/null
  # Local non-root MISP user
  MISP_USER='misp'
  MISP_PASSWORD="$(openssl rand -hex 32)"

  # MISP configuration variables
  PATH_TO_MISP='/var/www/MISP'

  # The web server user
  # RHEL/CentOS
  if [[ -f "/etc/redhat-release" ]]; then
    WWW_USER='apache'
  # Debian flavoured
  elif [[ -f "/etc/debian_version" ]]; then
    WWW_USER="www-data"
  # OpenBSD
  elif [[ "$(uname -s)" == "OpenBSD" ]]; then
    WWW_USER="www"
    PATH_TO_MISP="/var/www/htdocs/MISP"
  # NetBSD
  elif [[ "$(uname -s)" == "NetBSD" ]]; then
    WWW_USER="www"
    PATH_TO_MISP="/usr/pkg/share/httpd/htdocs/MISP"
  else
    # I am feeling lucky
    WWW_USER="www-data"
  fi

  if [ -z "$FQDN" ]; then
    FQDN="misp.local"
  fi

  if [ -z "$MISP_BASEURL" ]; then
    MISP_BASEURL='""'
  fi

  MISP_LIVE='1'

  # Database configuration
  DBHOST='localhost'
  DBNAME='misp'
  DBUSER_ADMIN='root'
  DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
  DBUSER_MISP='misp'
  DBPASSWORD_MISP="$(openssl rand -hex 32)"

  # OpenSSL configuration
  OPENSSL_CN=$FQDN
  OPENSSL_C='LU'
  OPENSSL_ST='State'
  OPENSSL_L='Location'
  OPENSSL_O='Organization'
  OPENSSL_OU='Organizational Unit'
  OPENSSL_EMAILADDRESS="info@$FQDN"

  # GPG configuration
  GPG_REAL_NAME='Autogenerated Key'
  # On a REAL install, please do not set a comment, see here for why: https://www.debian-administration.org/users/dkg/weblog/97
  GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
  GPG_EMAIL_ADDRESS='admin@admin.test'
  # 3072 bits used as per suggestions here: https://riseup.net/en/security/message-security/openpgp/best-practices
  GPG_KEY_LENGTH='3072'
  GPG_PASSPHRASE="$(openssl rand -hex 32)"

  # debug alias to make sure people are not confused when blindly copy pasting blobs of code
  alias debug="echo -e"

  # checkAptLock alias to make sure people are not confused when blindly copy pasting blobs of code
  alias checkAptLock="echo 'Function used in Installer to make sure apt is not locked'"

  # php.ini configuration
  upload_max_filesize=50M
  post_max_size=50M
  max_execution_time=300
  memory_limit=2048M

  CAKE="$PATH_TO_MISP/app/Console/cake"

  # sudo config to run $LUSER commands
  if [[ "$(groups ${MISP_USER} |grep -o 'staff')" == "staff" ]]; then
    SUDO_USER="sudo -H -u ${MISP_USER} -g staff"
  else
    SUDO_USER="sudo -H -u ${MISP_USER}"
  fi
  SUDO_WWW="sudo -H -u ${WWW_USER} "

  echo "The following DB Passwords were generated..."
  echo "Admin (${DBUSER_ADMIN}) DB Password: ${DBPASSWORD_ADMIN}"
  echo "User  (${DBUSER_MISP}) DB Password: ${DBPASSWORD_MISP}"
}
# <snippet-end 0_global-vars.sh>
export AUTOMAKE_VERSION=1.16
export AUTOCONF_VERSION=2.69

1/ Minimal OpenBSD install


Install standard OpenBSD-amd64 with ports

System Hardening

  • TBD

doas & pkg (as root)

if [[ ! -e /etc/installurl ]]; then
  echo https://cdn.openbsd.org/pub/OpenBSD/ > /etc/installurl
fi
echo "permit keepenv setenv { PKG_PATH ENV PS1 SSH_AUTH_SOCK } :wheel" > /etc/doas.conf
## FIXME: this does NOT set the HOME env correctly, please fix to make pip happier
echo "permit nopass setenv { ENV PS1 HOME=/var/www } www" >> /etc/doas.conf
In case you forgot to fetch ports (optional)
cd /tmp
ftp https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/{ports.tar.gz,SHA256.sig}
signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig ports.tar.gz
doas tar -x -z -f /tmp/ports.tar.gz -C /usr
If you want to use php-gd (resizing of images) you need X (optional)
cd /tmp
ftp https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/$(uname -m)/{xbase$(uname -r| tr -d \.).tgz,SHA256.sig}
signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig xbase$(uname -r |tr -d \.).tgz
doas tar -xzphf /tmp/xbase$(uname -r| tr -d \.).tgz -C /
ftp https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/$(uname -m)/{xshare$(uname -r| tr -d \.).tgz,SHA256.sig}
signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig xshare$(uname -r |tr -d \.).tgz
doas tar -xzphf /tmp/xshare$(uname -r| tr -d \.).tgz -C /

Update system

doas syspatch

Install bash & ntp

doas pkg_add -v bash ntp

mariadb server

doas pkg_add -v mariadb-server 

Install misc dependencies

Notice

You need to install python 3.x when asked, option 2. autoconf wants to be version 2.69, option 16 automake wants to be version 1.16, option 7

doas pkg_add -v curl git python redis libmagic autoconf automake libtool unzip

Notice

GnuPG 2.x is best, option 3.

doas pkg_add -v gnupg
doas ln -s /usr/local/bin/gpg2 /usr/local/bin/gpg

Notice

When asked, the standard postfix will be enough for a basic setup, option 9.

doas pkg_add -v postfix
doas /usr/local/sbin/postfix-enable 

nvim (optional)

doas pkg_add -v neovim
doas mv /usr/bin/vi /usr/bin/vi-`date +%d%m%y`
doas ln -s /usr/local/bin/nvim /usr/bin/vi

rc.local - Add ntpdate on boot

echo "echo -n ' ntpdate'" |doas tee -a /etc/rc.local
echo "/usr/local/sbin/ntpdate -b pool.ntp.org >/dev/null" |doas tee -a /etc/rc.local

Launch ntpd on boot

doas rcctl enable xntpd
doas rcctl set xntpd flags "-p /var/run/ntpd.pid"
doas /usr/local/sbin/ntpd -p /var/run/ntpd.pid

misp user

if [[ -z $(id misp 2>/dev/null) ]]; then
  doas useradd -m -s /usr/local/bin/bash -G wheel,www misp
else
  doas usermod -G www misp
fi

/etc/httpd.conf (native httpd)

doas cp /etc/examples/httpd.conf /etc # adjust by hand, or copy/paste the config example below
# $OpenBSD: httpd.conf,v 1.18 2018/03/23 11:36:41 florian Exp $

#
# Macros
#
ext4_addr="*"
ext6_addr="::"

server "default" {
        #listen on $ext4_addr port 80 block return 301 "https://$SERVER_NAME$REQUEST_URI"
        listen on $ext4_addr port 80
        listen on $ext4_addr tls port 443
        #listen on $ext6_addr port 80 block return 301 "https://$SERVER_NAME$REQUEST_URI"
        listen on $ext6_addr port 80
        listen on $ext6_addr tls port 443

        root "/htdocs/MISP/app/webroot"

        tls {
                key "/etc/ssl/private/server.key"
                certificate "/etc/ssl/server.crt"
        }
        directory {
                index "index.php"
        }
        location "*.php" {
                fastcgi socket "/run/php-fpm.sock"
        }
        location match "/(.*)" {
                request rewrite "/$HTTP_HOST/%1"
        }
# Temporary Apache 2.x rewrite rules for future foo!
        #RewriteRule    ^$    webroot/    [L]
        #RewriteRule    (.*) webroot/$1    [L]
# Temporary Apache 2.x rewrite rules for future foo!

        #location "/.well-known/acme-challenge/*" {
        #       root "/acme"
        #       root strip 2
        #}
        #location * {
        #       block return 302 "https://$HTTP_HOST$REQUEST_URI"
        #}
}

# Include MIME types instead of the built-in ones
types {
        include "/usr/share/misc/mime.types"
}

#server "example.com" {
#       listen on * tls port 443
#       listen on :: tls port 443
#       tls {
#               certificate "/etc/ssl/example.com.fullchain.pem"
#               key "/etc/ssl/private/example.com.key"
#       }
#       location "/pub/*" {
#               directory auto index
#       }
#       location "/.well-known/acme-challenge/*" {
#               root "/acme"
#               root strip 2
#       }
#}

If a valid SSL certificate is not already created for the server, create a self-signed certificate:

# OpenSSL configuration
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_CN='Common Name'
OPENSSL_EMAILADDRESS='info@localhost'
doas openssl req -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=$OPENSSL_C/ST=$OPENSSL_ST/L=$OPENSSL_L/O=<$OPENSSL_O/OU=$OPENSSL_OU/CN=$OPENSSL_CN/emailAddress=$OPENSSL_EMAILADDRESS" -keyout /etc/ssl/private/server.key -out /etc/ssl/server.crt

start httpd

doas /etc/rc.d/httpd -f start

Enable httpd

doas rcctl enable httpd

Install Python virtualenv

doas ln -sf /usr/local/bin/pip3.6 /usr/local/bin/pip
doas ln -s /usr/local/bin/python3.6 /usr/local/bin/python
doas pkg_add -v py-virtualenv
doas mkdir /usr/local/virtualenvs
doas virtualenv -ppython3 /usr/local/virtualenvs/MISP

Install ssdeep

doas pkg_add -v ssdeep

Apache2 only

doas pkg_add -v apache-httpd
doas pkg_add -v fcgi-cgi fcgi

Notice

php-5.6 is marked as end-of-life starting December 2018, use php 7.0 instead. Option 2. If on OpenBSD 6.3, upgrade to 6.5 to make your life much easier.

doas pkg_add -v php-mysqli php-pcntl php-pdo_mysql php-apache pecl73-redis php-gd

/etc/php-7.3.ini

## TODO: sed foo as .ini exists
allow_url_fopen = On
cd /etc/php-7.3
doas cp ../php-7.3.sample/* .
doas ln -s /usr/local/bin/php-7.3 /usr/local/bin/php
doas ln -s /usr/local/bin/phpize-7.3 /usr/local/bin/phpize
doas ln -s /usr/local/bin/php-config-7.3 /usr/local/bin/php-config

Enable php fpm

doas rcctl enable php73_fpm

Configure fpm

doas vi /etc/php-fpm.conf

# pid = /var/www/run/php-fpm.pid
# error_log = /var/www/logs/php-fpm.log

doas mkdir /etc/php-fpm.d
doas vi /etc/php-fpm.d/default.conf
echo ";;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;

[www]
user = www
group = www
listen = /var/www/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chroot = /var/www" | doas tee /etc/php-fpm.d/default.conf

doas /etc/rc.d/php73_fpm start 

Notice

For native httpd: listen = /var/www/run/php-fpm.sock For apache2: listen = 127.0.0.1:9000

Enable redis

doas rcctl enable redis
doas /etc/rc.d/redis start

Enable mysqld

doas /usr/local/bin/mysql_install_db
doas rcctl set mysqld status on
doas rcctl set mysqld flags --bind-address=127.0.0.1
doas /etc/rc.d/mysqld start
doas mysql_secure_installation

2/ MISP code


# Download MISP using git in the /usr/local/www/ directory.
doas mkdir /var/www/htdocs/MISP
doas chown www:www /var/www/htdocs/MISP
cd /var/www/htdocs/MISP
doas -u www git clone https://github.com/MISP/MISP.git /var/www/htdocs/MISP
doas -u www git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
doas -u www git submodule foreach --recursive git config core.filemode false

# Make git ignore filesystem permission differences
doas -u www git config core.filemode false

doas pkg_add py-pip py3-pip libxml libxslt py3-jsonschema
doas /usr/local/virtualenvs/MISP/bin/pip install -U pip

cd /var/www/htdocs/MISP/app/files/scripts
doas -u www git clone https://github.com/CybOXProject/mixbox.git
doas -u www git clone https://github.com/CybOXProject/python-cybox.git
doas -u www git clone https://github.com/STIXProject/python-stix.git
doas -u www git clone https://github.com/MAECProject/python-maec.git

cd /var/www/htdocs/MISP/app/files/scripts/python-cybox
doas /usr/local/virtualenvs/MISP/bin/python setup.py install

cd /var/www/htdocs/MISP/app/files/scripts/python-stix
doas /usr/local/virtualenvs/MISP/bin/python setup.py install

cd /var/www/htdocs/MISP/app/files/scripts/python-maec
doas /usr/local/virtualenvs/MISP/bin/python setup.py install

# install mixbox to accommodate the new STIX dependencies:
cd /var/www/htdocs/MISP/app/files/scripts/mixbox
doas /usr/local/virtualenvs/MISP/bin/python setup.py install

# install PyMISP
cd /var/www/htdocs/MISP/PyMISP
doas /usr/local/virtualenvs/MISP/bin/python setup.py install

# install support for STIX 2.0
cd /var/www/htdocs/MISP/cti-python-stix2
doas /usr/local/virtualenvs/MISP/bin/python setup.py install

# install python-magic and pydeep
doas /usr/local/virtualenvs/MISP/bin/pip install python-magic
doas /usr/local/virtualenvs/MISP/bin/pip install git+https://github.com/kbandla/pydeep.git

3/ CakePHP


# CakePHP is included as a submodule of MISP and has been fetched earlier.
# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd /var/www/htdocs/MISP/app
doas mkdir /var/www/.composer ; doas chown www:www /var/www/.composer
doas -u www php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
doas -u www php -r "if (hash_file('SHA384', 'composer-setup.php') === 'a5c698ffe4b8e849a443b120cd5ba38043260d5c4023dbf93e1558871f1f07f58274fc6f4c93bcfd858c6bd0775cd8d1') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
doas -u www env HOME=/var/www php composer-setup.php
doas -u www php -r "unlink('composer-setup.php');"
doas -u www env HOME=/var/www php composer.phar install

# To use the scheduler worker for scheduled tasks, do the following:
doas -u www cp -f /var/www/htdocs/MISP/INSTALL/setup/config.php /var/www/htdocs/MISP/app/Plugin/CakeResque/Config/config.php

4/ Set the permissions


# Check if the permissions are set correctly using the following commands:
doas chown -R www:www /var/www/htdocs/MISP
doas chmod -R 750 /var/www/htdocs/MISP
doas chmod -R g+ws /var/www/htdocs/MISP/app/tmp
doas chmod -R g+ws /var/www/htdocs/MISP/app/files
doas chmod -R g+ws /var/www/htdocs/MISP/app/files/scripts/tmp

5/ Create a database and user


# Enter the mysql shell
doas mysql -u root -p
MariaDB [(none)]> create database misp;
MariaDB [(none)]> grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
MariaDB [(none)]> grant all privileges on misp.* to misp@localhost;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
# Import the empty MISP database from MYSQL.sql
doas -u www sh -c "mysql -u misp -p misp < /var/www/htdocs/MISP/INSTALL/MYSQL.sql"
# enter the password you set previously

6/ Apache configuration (optional)


# Now configure your Apache webserver with the DocumentRoot /var/www/htdocs/MISP/app/webroot/

#2.4
doas mkdir /etc/apache2/sites-available/ /etc/apache2/sites-enabled/

# If the apache version is 2.4:
doas cp /var/www/htdocs/MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp-ssl.conf

# Be aware that the configuration files for apache 2.4 and up have changed.
# The configuration file has to have the .conf extension in the sites-available directory
# For more information, visit http://httpd.apache.org/docs/2.4/upgrading.html

doas mkdir /etc/ssl/private/
# If a valid SSL certificate is not already created for the server, create a self-signed certificate: (Make sure to fill the <…>)

doas openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
-subj "/C=$OPENSSL_C/ST=$OPENSSL_ST/L=$OPENSSL_L/O=<$OPENSSL_O/OU=$OPENSSL_OU/CN=$OPENSSL_CN/emailAddress=$OPENSSL_EMAILADDRESS" \
-keyout /etc/ssl/private/server.key -out /etc/ssl/server.crt
# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)

doas mkdir /var/log/apache2/
============================================= Begin sample working SSL config for MISP
<VirtualHost <IP, FQDN, or *>:80>
        ServerName <your.FQDN.here>

        Redirect permanent / https://<your.FQDN.here>

        LogLevel warn
        ErrorLog /var/log/apache2/misp.local_error.log
        CustomLog /var/log/apache2/misp.local_access.log combined
        ServerSignature Off
</VirtualHost>

<VirtualHost <IP, FQDN, or *>:443>
        ServerAdmin admin@<your.FQDN.here>
        ServerName <your.FQDN.here>
        DocumentRoot /var/www/htdocs/MISP/app/webroot
        <Directory /var/www/htdocs/MISP/app/webroot>
                Options -Indexes
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        SSLEngine On
        SSLCertificateFile /etc/ssl/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
#        SSLCertificateChainFile /etc/ssl/private/misp-chain.crt

        LogLevel warn
        ErrorLog /var/log/apache2/misp.local_error.log
        CustomLog /var/log/apache2/misp.local_access.log combined
        ServerSignature Off
</VirtualHost>
============================================= End sample working SSL config for MISP
# activate new vhost
cd /etc/apache2/sites-enabled/
doas ln -s ../sites-available/misp-ssl.conf
echo "Include /etc/apache2/sites-enabled/*.conf" |doas tee -a /etc/apache2/httpd2.conf

doas vi /etc/apache2/httpd2.conf
/!\ Enable mod_rewrite in httpd2.conf /!\
LoadModule rewrite_module /usr/local/lib/apache2/mod_rewrite.so
LoadModule ssl_module /usr/local/lib/apache2/mod_ssl.so
LoadModule proxy_module /usr/local/lib/apache2/mod_proxy.so
LoadModule proxy_fcgi_module /usr/local/lib/apache2/mod_proxy_fcgi.so
Listen 443
DirectoryIndex index.php
doas ln -sf /var/www/conf/modules.sample/php-7.3.conf /var/www/conf/modules/php.conf
# Restart apache
doas /etc/rc.d/apache2 restart

Notice

MISP saves the stdout and stderr of its workers in /var/www/htdocs/MISP/app/tmp/logs

8/ MISP configuration


# There are 4 sample configuration files in /var/www/htdocs/MISP/app/Config that need to be copied
doas -u www cp /var/www/htdocs/MISP/app/Config/bootstrap.default.php /var/www/htdocs/MISP/app/Config/bootstrap.php
doas -u www cp /var/www/htdocs/MISP/app/Config/database.default.php /var/www/htdocs/MISP/app/Config/database.php
doas -u www cp /var/www/htdocs/MISP/app/Config/core.default.php /var/www/htdocs/MISP/app/Config/core.php
doas -u www cp /var/www/htdocs/MISP/app/Config/config.default.php /var/www/htdocs/MISP/app/Config/config.php

# Configure the fields in the newly created files:
doas -u www vi /var/www/htdocs/MISP/app/Config/database.php
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
#   public $default = array(
#       'datasource' => 'Database/Mysql',
#       'persistent' => false,
#       'host' => 'localhost',
#       'login' => 'misp', // grant usage on *.* to misp@localhost
#       'port' => 3306,
#       'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
#       'database' => 'misp', // create database misp;
#       'prefix' => '',
#       'encoding' => 'utf8',
#   );
#}

Danger

Important! Change the salt key in /usr/local/www/MISP/app/Config/config.php The salt key must be a string at least 32 bytes long. The admin user account will be generated on the first login, make sure that the salt is changed before you create that user If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt, delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)

# Change base url in config.php
doas -u www vi /var/www/htdocs/MISP/app/Config/config.php
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# 'baseurl' => '',

# and make sure the file permissions are still OK
doas chown -R www:www /var/www/htdocs/MISP/app/Config
doas chmod -R 750 /var/www/htdocs/MISP/app/Config

# Generate a GPG encryption key.
export GPG_REAL_NAME='Autogenerated Key'
export GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
export GPG_EMAIL_ADDRESS='admin@admin.test'
export GPG_KEY_LENGTH='2048'
export GPG_PASSPHRASE='Password1234'
echo "%echo Generating a default key
    Key-Type: default
    Key-Length: $GPG_KEY_LENGTH
    Subkey-Type: default
    Name-Real: $GPG_REAL_NAME
    Name-Comment: $GPG_COMMENT
    Name-Email: $GPG_EMAIL_ADDRESS
    Expire-Date: 0
    Passphrase: $GPG_PASSPHRASE
    # Do a commit here, so that we can later print "done"
    %commit
%echo done" > /tmp/gen-key-script
doas -u www mkdir /var/www/htdocs/MISP/.gnupg
doas chmod 700 /var/www/htdocs/MISP/.gnupg
doas gpg2 --homedir /var/www/htdocs/MISP/.gnupg --batch --gen-key /tmp/gen-key-script
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file

# And export the public key to the webroot
doas sh -c "gpg2 --homedir /var/www/htdocs/MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS > /var/www/htdocs/MISP/app/webroot/gpg.asc"

# To make the background workers start on boot
doas chmod +x /var/www/htdocs/MISP/app/Console/worker/start.sh
doas vi /etc/rc.local
# Add the following line before the last line (exit 0). Make sure that you replace www with your apache user:
doas -u www bash /var/www/htdocs/MISP/app/Console/worker/start.sh

Warning

If you have installed the recommended Python 3 virtualenv to the recommended place of ${PATH_TO_MISP}/venv set the following MISP configurable

sudo -H -u www-data $CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python"
or on CentOS
sudo -u apache $RUN_PHP "$CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python""

Warning

Make sure that the STIX libraries and GnuPG work as intended, if not, refer to the relevant sections in the install guide you are currently reading.

Notice

Now log in using the webinterface: http://misp/users/login
The default user/pass = admin@admin.test/admin
Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference.
It is especially vital that no critical issues remain!
Don't forget to change the email, password and authentication key after installation.
Once done, have a look at the diagnostics.

Notice

If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
you can do this by running the following commands:

chmod -R 750 ${PATH_TO_MISP}/<directory path with an indicated issue>
# /!\ Depending on your OS replace www-data with apache or www or whatever user is the web server user.
chown -R www-data:www-data ${PATH_TO_MISP}/<directory path with an indicated issue>

Notice

If anything goes wrong, make sure that you check MISP's logs for errors:

# ${PATH_TO_MISP}/app/tmp/logs/error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-worker-error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-scheduler-error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-2018-10-25.log //where the actual date is the current date


  • By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.

  • You should really harden your OS

  • You should really harden the configuration of Apache
  • You should really harden the configuration of MySQL
  • Keep your software up2date (MISP, CakePHP and everything else)
  • Log and audit

MISP Modules

doas pkg_add -v jpeg yara
cd /usr/local/src/
doas -u misp git clone https://github.com/MISP/misp-modules.git
cd misp-modules
# pip3 install
doas /usr/local/virtualenvs/MISP/bin/pip install -I -r REQUIREMENTS
doas /usr/local/virtualenvs/MISP/bin/pip install -I .
doas /usr/local/virtualenvs/MISP/bin/pip install git+https://github.com/VirusTotal/yara-python.git
doas /usr/local/virtualenvs/MISP/bin/pip install wand
##doas gem install pygments.rb
##doas gem install asciidoctor-pdf --pre
doas -u www /usr/local/virtualenvs/MISP/bin/misp-modules -l 0.0.0.0 -s &
echo "doas -u www /usr/local/virtualenvs/MISP/bin/misp-modules -l 0.0.0.0 -s &" |doas tee -a /etc/rc.local

Notice

Make sure that the STIX libraries and GnuPG work as intended, if not, refer to INSTALL.txt's paragraphs dealing with these two items

Notice

If anything goes wrong, make sure that you check MISP's logs for errors: /var/www/htdocs/MISP/app/tmp/logs/error.log /var/www/htdocs/MISP/app/tmp/logs/resque-worker-error.log /var/www/htdocs/MISP/app/tmp/logs/resque-scheduler-error.log /var/www/htdocs/MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date

MISP Config Automation

doas $CAKE Live $MISP_LIVE
AUTH_KEY=$(mysql -u misp -p misp -e "SELECT authkey FROM users;" | tail -1)
# Update the galaxies…
doas $CAKE Admin updateGalaxies

# Updating the taxonomies…
doas $CAKE Admin updateTaxonomies

# Updating the warning lists…
doas $CAKE Admin updateWarningLists

# Updating the notice lists…
## doas $CAKE Admin updateNoticeLists
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update

# Updating the object templates…
##doas $CAKE Admin updateObjectTemplates
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update

# Tune global time outs
doas $CAKE Admin setSetting "Session.autoRegenerate" 0
doas $CAKE Admin setSetting "Session.timeout" 600
doas $CAKE Admin setSetting "Session.cookie_timeout" 3600

# Enable GnuPG
doas $CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
doas $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
doas $CAKE Admin setSetting "GnuPG.password" "Password1234"

# Enable Enrichment set better timeouts
doas $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
doas $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
doas $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
doas $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
doas $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
doas $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
doas $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
doas $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666

# Enable Import modules set better timout
doas $CAKE Admin setSetting "Plugin.Import_services_enable" true
doas $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
doas $CAKE Admin setSetting "Plugin.Import_services_port" 6666
doas $CAKE Admin setSetting "Plugin.Import_timeout" 300
doas $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
doas $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true

# Enable Export modules set better timout
doas $CAKE Admin setSetting "Plugin.Export_services_enable" true
doas $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
doas $CAKE Admin setSetting "Plugin.Export_services_port" 6666
doas $CAKE Admin setSetting "Plugin.Export_timeout" 300
doas $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true

# Enable installer org and tune some configurables
doas $CAKE Admin setSetting "MISP.host_org_id" 1
doas $CAKE Admin setSetting "MISP.email" "info@admin.test"
doas $CAKE Admin setSetting "MISP.disable_emailing" true
doas $CAKE Admin setSetting "MISP.contact" "info@admin.test"
doas $CAKE Admin setSetting "MISP.disablerestalert" true
doas $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true

# Provisional Cortex tunes
doas $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
doas $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
doas $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
doas $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
doas $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
doas $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
doas $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
doas $CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
doas $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
doas $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
doas $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true

# Various plugin sightings settings
doas $CAKE Admin setSetting "Plugin.Sightings_policy" 0
doas $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
doas $CAKE Admin setSetting "Plugin.Sightings_range" 365

# Plugin CustomAuth tuneable
doas $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false

# RPZ Plugin settings

doas $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
doas $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
doas $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
doas $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
doas $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
doas $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
doas $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
doas $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
doas $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
doas $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
doas $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"

# Force defaults to make MISP Server Settings less RED
doas $CAKE Admin setSetting "MISP.language" "eng"
doas $CAKE Admin setSetting "MISP.proposals_block_attributes" false

## Redis block
doas $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
doas $CAKE Admin setSetting "MISP.redis_port" 6379
doas $CAKE Admin setSetting "MISP.redis_database" 13
doas $CAKE Admin setSetting "MISP.redis_password" ""

# Force defaults to make MISP Server Settings less YELLOW
doas $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
doas $CAKE Admin setSetting "MISP.extended_alert_subject" false
doas $CAKE Admin setSetting "MISP.default_event_threat_level" 4
doas $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
doas $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
doas $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
doas $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
doas $CAKE Admin setSetting "MISP.log_client_ip" false
doas $CAKE Admin setSetting "MISP.log_auth" false
doas $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
doas $CAKE Admin setSetting "MISP.block_event_alert" false
doas $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
doas $CAKE Admin setSetting "MISP.block_old_event_alert" false
doas $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
doas $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
doas $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install"
doas $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
doas $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
doas $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings"

# Force defaults to make MISP Server Settings less GREEN
doas $CAKE Admin setSetting "Security.password_policy_length" 12
doas $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
# Tune global time outs
doas $CAKE Admin setSetting "Session.autoRegenerate" 0
doas $CAKE Admin setSetting "Session.timeout" 600
doas $CAKE Admin setSetting "Session.cookie_timeout" 3600

  • By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.

  • You should really harden your OS

  • You should really harden the configuration of Apache/httpd
  • You should really harden the configuration of MySQL/MariaDB
  • Keep your software up2date (OS, MISP, CakePHP and everything else)
  • Log and audit

Optional features


Notice

MISP has a pub/sub feature, using ZeroMQ.

ZeroMQ depends on the Python client for Redis

doas pkg_add -v py3-zmq zeromq
doas /usr/local/virtualenvs/MISP/bin/pip install pyzmq

misp-dashboard

Notice

Enable ZeroMQ for misp-dashboard

Warning

This still needs more testing, it runs but no data is showing.

Warning

The install_dependencies.sh script is for Linux ONLY. The following blurp will be a diff of a working OpenBSD version.

(DASHENV) obsd# diff -u install_dependencies.sh install_dependencies_obsd.sh  
--- install_dependencies.sh     Fri Oct 19 12:14:38 2018
+++ install_dependencies_obsd.sh        Fri Oct 19 12:43:22 2018
@@ -1,14 +1,14 @@
-#!/bin/bash
+#!/usr/local/bin/bash

 set -e
 #set -x

-sudo apt-get install python3-virtualenv virtualenv screen redis-server unzip -y
+doas pkg_add -v unzip wget

 if [ -z "$VIRTUAL_ENV" ]; then
-    virtualenv -p python3 DASHENV
+    virtualenv -p python3 /usr/local/virtualenvs/DASHENV

-    . ./DASHENV/bin/activate
+    . /usr/local/virtualenvs/DASHENV/bin/activate
 fi

 pip3 install -U pip argparse redis zmq geoip2 flask phonenumbers pycountry
cd /var/www
doas mkdir misp-dashboard
doas chown www:www misp-dashboard
doas -u www git clone https://github.com/MISP/misp-dashboard.git
cd misp-dashboard
#/!\ Made on Linux, the next script will fail
#doas /var/www/misp-dashboard/install_dependencies.sh
doas virtualenv -ppython3 /usr/local/virtualenvs/DASHENV
doas /usr/local/virtualenvs/DASHENV/bin/pip install -U pip argparse redis zmq geoip2 flask phonenumbers pycountry

doas sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
doas sed -i -e '$i \doas -u www bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local
#/!\ Add port 8001 as a listener
#doas sed -i '/Listen 80/a Listen 0.0.0.0:8001' /etc/apache2/ports.conf
doas pkg_add -v ap2-mod_wsgi

echo "<VirtualHost *:8001>
    ServerAdmin admin@misp.local
    ServerName misp.local
    DocumentRoot /var/www/misp-dashboard

    WSGIDaemonProcess misp-dashboard \
       user=misp group=misp \
       python-home=/var/www/misp-dashboard/DASHENV \
       processes=1 \
       threads=15 \
       maximum-requests=5000 \
       listen-backlog=100 \
       queue-timeout=45 \
       socket-timeout=60 \
       connect-timeout=15 \
       request-timeout=60 \
       inactivity-timeout=0 \
       deadlock-timeout=60 \
       graceful-timeout=15 \
       eviction-timeout=0 \
       shutdown-timeout=5 \
       send-buffer-size=0 \
       receive-buffer-size=0 \
       header-buffer-size=0 \
       response-buffer-size=0 \
       server-metrics=Off
    WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi
    <Directory /var/www/misp-dashboard>
        WSGIProcessGroup misp-dashboard
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>
    LogLevel info
    ErrorLog /var/log/apache2/misp-dashboard.local_error.log
    CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
    ServerSignature Off
</VirtualHost>" | doas tee /etc/apache2/sites-available/misp-dashboard.conf

doas ln -s /etc/apache2/sites-available/misp-dashboard.conf /etc/apache2/sites-enabled/misp-dashboard.conf

Add this to /etc/httpd2.conf

LoadModule wsgi_module /usr/local/lib/apache2/mod_wsgi.so
Listen 8001

doas $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
doas $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
doas $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
doas $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
doas $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
doas $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
doas $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
doas $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
doas $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
doas $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
doas $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
doas $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
doas $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
doas $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
doas $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
doas $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false

Hardening a base system

Intro

MISP is a web-based information sharing platform, by design it is kept rather simple and hardening can be done by following the common best practices.

Bare in mind that neither the MISP documentation efforts or the core MISP project can give you the ultimate guide on how to harden your system. This is not the purpose of the MISP Project but the purpose and care of those individuals and organizations deploying MISP Instances.

Nevertheless here is a very rough food for thoughts bulletpoint list for you to consider, and a list of some hardening ressources below.

  • Are we using SSL by default? (Especially when syncing over the internet and exposing the API)
  • How to we access the machine remotely? Via ssh? What is the path to get there? Does a bastion host make sense?
  • Is the machine shared with other user accounts? Do I need to care about useri-land security due to this sharing?
  • Is the instance deployed in the "cloud"? Is it a VPS? AWS? docker? ansible? kubernetes? whateverCloudContainterMagicIsFancibleNow?
  • Do we need to encrypt the partitions where some data is stored?
  • Are we redundant in case one MISP instance might fail?
  • Is the database server and any other servers running on the machine bound to localhost? Do we need to expose because our setup is more complex?
  • Do we have enough storage? What about MISP and size estimation anyways?
  • Do we care about BIOS updates?
  • Do we care about physical access to the servers? (Disabling USB ports etc...)
  • Is any fancy management engine Ă  la IME in use?

Apache

To make Apache less verbose in terms of sending banners, the belo might help.

diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf
index f9f69d4..2e8fd78 100644
--- a/apache2/conf-available/security.conf
+++ b/apache2/conf-available/security.conf
@@ -22,7 +22,7 @@
 # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
 # where Full conveys the most information, and Prod the least.
 #ServerTokens Minimal
-ServerTokens OS
+ServerTokens Prod
 #ServerTokens Full

 #
@@ -33,7 +33,7 @@ ServerTokens OS
 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
 # Set to one of:  On | Off | EMail
 #ServerSignature Off
-ServerSignature On
+ServerSignature Off

 #
 # Allow TRACE method

Resources

IT Security Guidelines for TLS by NCSC.nl

Weak Diffie-Hellman and the Logjam Attack

Debian Wiki Hardening

CentOS Hardening

Some Linux hardening tips