INSTALLATION INSTRUCTIONS¶
for CentOS 6.10¶
-1/ Installer and Manual install instructions¶
Make sure you are reading the parsed version of this Document. When in doubt click here.
Warning
In the future, to install MISP on a fresh CentOS 6 install all you need to do is:
# Please check the installer options first to make the best choice for your install wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh bash /tmp/INSTALL.sh # This will install MISP Core wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh bash /tmp/INSTALL.sh -c
0/ MISP CentOS 6 Minimal NetInstall - Status¶
Notice
Maintained and tested by the community.
Parts of the installation procedures can also be found in the automatic VM generator script bootstrap.sh of misp-packer.
Notice
There are technically only minor differences between CentOS and RHEL.
For more information on what might differ, this StackExchange question might answer some questions.
Notice
Semi-maintained and tested by @SteveClement, CentOS 6.10 on 20190417
It is still considered experimental as not everything works seemlessly.
CentOS 6.10 NetInstallURL
MISP configuration variables¶
# <snippet-begin 0_global-vars.sh> # $ eval "$(curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/docs/generic/globalVariables.md | grep -v \`\`\`)" # $ MISPvars MISPvars () { debug "Setting generic ${LBLUE}MISP${NC} variables shared by all flavours" 2> /dev/null # Local non-root MISP user MISP_USER='misp' MISP_PASSWORD="$(openssl rand -hex 32)" # MISP configuration variables PATH_TO_MISP='/var/www/MISP' # The web server user # RHEL/CentOS if [[ -f "/etc/redhat-release" ]]; then WWW_USER='apache' # Debian flavoured elif [[ -f "/etc/debian_version" ]]; then WWW_USER="www-data" # OpenBSD elif [[ "$(uname -s)" == "OpenBSD" ]]; then WWW_USER="www" PATH_TO_MISP="/var/www/htdocs/MISP" # NetBSD elif [[ "$(uname -s)" == "NetBSD" ]]; then WWW_USER="www" PATH_TO_MISP="/usr/pkg/share/httpd/htdocs/MISP" else # I am feeling lucky WWW_USER="www-data" fi if [ -z "$FQDN" ]; then FQDN="misp.local" fi if [ -z "$MISP_BASEURL" ]; then MISP_BASEURL='""' fi MISP_LIVE='1' # Database configuration DBHOST='localhost' DBNAME='misp' DBUSER_ADMIN='root' DBPASSWORD_ADMIN="$(openssl rand -hex 32)" DBUSER_MISP='misp' DBPASSWORD_MISP="$(openssl rand -hex 32)" # OpenSSL configuration OPENSSL_CN=$FQDN OPENSSL_C='LU' OPENSSL_ST='State' OPENSSL_L='Location' OPENSSL_O='Organization' OPENSSL_OU='Organizational Unit' OPENSSL_EMAILADDRESS="info@$FQDN" # GPG configuration GPG_REAL_NAME='Autogenerated Key' # On a REAL install, please do not set a comment, see here for why: https://www.debian-administration.org/users/dkg/weblog/97 GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!' GPG_EMAIL_ADDRESS='admin@admin.test' # 3072 bits used as per suggestions here: https://riseup.net/en/security/message-security/openpgp/best-practices GPG_KEY_LENGTH='3072' GPG_PASSPHRASE="$(openssl rand -hex 32)" # debug alias to make sure people are not confused when blindly copy pasting blobs of code alias debug="echo -e" # checkAptLock alias to make sure people are not confused when blindly copy pasting blobs of code alias checkAptLock="echo 'Function used in Installer to make sure apt is not locked'" # php.ini configuration upload_max_filesize=50M post_max_size=50M max_execution_time=300 memory_limit=2048M CAKE="$PATH_TO_MISP/app/Console/cake" # sudo config to run $LUSER commands if [[ "$(groups ${MISP_USER} |grep -o 'staff')" == "staff" ]]; then SUDO_USER="sudo -H -u ${MISP_USER} -g staff" else SUDO_USER="sudo -H -u ${MISP_USER}" fi SUDO_WWW="sudo -H -u ${WWW_USER} " echo "The following DB Passwords were generated..." echo "Admin (${DBUSER_ADMIN}) DB Password: ${DBPASSWORD_ADMIN}" echo "User (${DBUSER_MISP}) DB Password: ${DBPASSWORD_MISP}" } # <snippet-end 0_global-vars.sh>
# CentOS Specific RUN_PHP='/usr/bin/scl enable rh-php70 ' RUN_PYTHON='/usr/bin/scl enable rh-python36 ' SUDO_WWW='sudo -H -u apache' PHP_INI=/etc/opt/rh/rh-php70/php.ini
1/ Minimal CentOS install¶
Install a minimal CentOS 6.x system with the software:
- OpenSSH server
- LAMP server (actually, this is done below)
- Mail server
# Make sure you set your hostname CORRECTLY vs. like an brute (manually in /etc/hostname) sudo hostnamectl set-hostname misp.local # Your choice, in a production environment, it's best to use a FQDN # Make sure your system is up2date: sudo yum update -y
2/ Dependencies *¶
Once the system is installed you can perform the following steps as root or with sudo.
# We need some packages from the Extra Packages for Enterprise Linux repository curl -o /tmp/epel.rpm http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm sudo rpm -Uvh /tmp/epel.rpm # php 7.2 # sudo rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm # sudo yum install yum-utils # sudo yum-config-manager --enable remi-php72 # sudo yum update # Since MISP 2.4 PHP 5.5 is a minimal requirement, so we need a newer version than CentOS base provides # Software Collections is a way do to this, see https://wiki.centos.org/AdditionalResources/Repositories/SCL sudo yum install centos-release-scl -y # Because vim is just so practical sudo yum install vim -y # Install the dependencies: sudo yum install gcc git zip \ httpd \ mod_ssl \ redis \ mysql-server \ python-devel python-pip python-zmq \ libxslt-devel zlib-devel ssdeep-devel -y # Install PHP 7.0 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-php70/ sudo yum install rh-php70 rh-php70-php-fpm rh-php70-php-devel rh-php70-php-mysqlnd rh-php70-php-mbstring rh-php70-php-xml rh-php70-php-bcmath rh-php70-php-gd # Install Python 3.6 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-python36/ sudo yum install rh-python36 -y # rh-php70-php only provided mod_php for httpd24-httpd from SCL # if we want to use httpd from CentOS base we can use rh-php70-php-fpm instead sudo chkconfig rh-php70-php-fpm on sudo service rh-php70-php-fpm start # php-fpm is accessed using the fcgi interface sudo yum install mod_fcgid mod_proxy_fcgi
Notice
$RUN_PHP makes php available for you if using rh-php70. e.g: $RUN_PHP "pear list | grep Crypt_GPG"
# GPG needs lots of entropy, haveged provides entropy sudo yum install haveged -y sudo chkconfig haveged on sudo service haveged start # Enable and start redis sudo chkconfig redis on sudo service redis start
3/ MISP code¶
# Download MISP using git in the /var/www/ directory. sudo mkdir $PATH_TO_MISP sudo chown apache:apache $PATH_TO_MISP cd /var/www $SUDO_WWW git clone https://github.com/MISP/MISP.git cd $PATH_TO_MISP ##$SUDO_WWW git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`) # if the last shortcut doesn't work, specify the latest version manually # example: git checkout tags/v2.4.XY # the message regarding a "detached HEAD state" is expected behaviour # (you only have to create a new branch, if you want to change stuff and do a pull request for example) # Fetch submodules $SUDO_WWW git submodule update --init --recursive # Make git ignore filesystem permission differences for submodules $SUDO_WWW git submodule foreach --recursive git config core.filemode false # Create a python3 virtualenv $SUDO_WWW $RUN_PYTHON "virtualenv -p python3 $PATH_TO_MISP/venv" sudo mkdir /var/www/.cache sudo chown apache:apache /var/www/.cache $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools # install Mitre's STIX and its dependencies by running the following commands: sudo yum install python-importlib python-lxml python-dateutil python-six -y cd $PATH_TO_MISP/app/files/scripts $SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git $SUDO_WWW git clone https://github.com/STIXProject/python-stix.git cd $PATH_TO_MISP/app/files/scripts/python-cybox # If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules UMASK=$(umask) umask 0022 cd $PATH_TO_MISP/app/files/scripts/python-stix $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install . # install maec $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec # install zmq $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq # install redis $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U redis # lief needs manual compilation sudo yum install devtoolset-7 cmake3 -y sudo yum install http://opensource.wandisco.com/centos/6/git/x86_64/wandisco-git-release-6-1.noarch.rpm sudo yum install git -y cd $PATH_TO_MISP/app/files/scripts $SUDO_WWW git clone --branch master --single-branch https://github.com/lief-project/LIEF.git lief # TODO: Fix static path with PATH_TO_MISP cd $PATH_TO_MISP/app/files/scripts/lief $SUDO_WWW mkdir build cd build $SUDO_WWW scl enable devtoolset-7 rh-python36 'bash -c "cmake3 \ -DLIEF_PYTHON_API=on \ -DLIEF_DOC=off \ -DCMAKE_INSTALL_PREFIX=$LIEF_INSTALL \ -DCMAKE_BUILD_TYPE=Release \ -DPYTHON_VERSION=3.6 \ -DPYTHON_EXECUTABLE=/var/www/MISP/venv/bin/python \ .."' $SUDO_WWW make -j3 sudo make install cd api/python/lief_pybind11-prefix/src/lief_pybind11 $SUDO_WWW $PATH_TO_MISP/venv/bin/python setup.py install $SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install https://github.com/lief-project/packages/raw/lief-master-latest/pylief-0.9.0.dev.zip # install magic, pydeep $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic ## pydeep does not compile ): ## git+https://github.com/kbandla/pydeep.git # install mixbox to accommodate the new STIX dependencies: cd $PATH_TO_MISP/app/files/scripts/ $SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git cd $PATH_TO_MISP/app/files/scripts/mixbox $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install . # install STIX2.0 library to support STIX 2.0 export: cd $PATH_TO_MISP/cti-python-stix2 $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install . # install PyMISP cd $PATH_TO_MISP/PyMISP $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install . # Enable python3 for php-fpm echo 'source scl_source enable rh-python36' | sudo tee -a /etc/opt/rh/rh-php70/sysconfig/php-fpm sudo sed -i.org -e 's/^;\(clear_env = no\)/\1/' /etc/opt/rh/rh-php70/php-fpm.d/www.conf sudo service rh-php70-php-fpm restart umask $UMASK # Enable dependencies detection in the diagnostics page # This allows MISP to detect GnuPG, the Python modules' versions and to read the PHP settings. echo "env[PATH] =/opt/rh/rh-python36/root/usr/bin:/opt/rh/rh-php70/root/usr/bin:/usr/local/bin:/usr/bin:/bin" |sudo tee -a /etc/opt/rh/rh-php70/php-fpm.d/www.conf sudo service rh-php70-php-fpm restart
4/ CakePHP¶
CakePHP is now included as a submodule of MISP and has been fetch by a previous step.¶
Install CakeResque along with its dependencies if you intend to use the built in background jobs.¶
sudo chown -R apache:apache $PATH_TO_MISP sudo mkdir /var/www/.composer/ sudo chown apache:apache /var/www/.composer/ cd $PATH_TO_MISP/app # Update composer.phar (optional) #$SUDO_WWW $RUN_PHP -- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" #$SUDO_WWW $RUN_PHP -- php -r "if (hash_file('SHA384', 'composer-setup.php') === 'a5c698ffe4b8e849a443b120cd5ba38043260d5c4023dbf93e1558871f1f07f58274fc6f4c93bcfd858c6bd0775cd8d1') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" #$SUDO_WWW $RUN_PHP "php composer-setup.php" #$SUDO_WWW $RUN_PHP -- php -r "unlink('composer-setup.php');" $SUDO_WWW $RUN_PHP "php composer.phar install" sudo yum install php-redis -y sudo service rh-php70-php-fpm restart # If you have not yet set a timezone in php.ini echo 'date.timezone = "Europe/Luxembourg"' |sudo tee /etc/opt/rh/rh-php70/php-fpm.d/timezone.ini sudo ln -s ../php-fpm.d/timezone.ini /etc/opt/rh/rh-php70/php.d/99-timezone.ini # Recommended: Change some PHP settings in /etc/opt/rh/rh-php70/php.ini # max_execution_time=300 # memory_limit=2048M # upload_max_filesize=50M # post_max_size=50M for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit do sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI done sudo service rh-php70-php-fpm restart # To use the scheduler worker for scheduled tasks, do the following: sudo cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
5/ Set the permissions¶
# Make sure the permissions are set correctly using the following commands as root: sudo chown -R apache:apache $PATH_TO_MISP sudo find $PATH_TO_MISP -type d -exec chmod g=rx {} \; sudo chmod -R g+r,o= $PATH_TO_MISP sudo chmod -R 750 $PATH_TO_MISP sudo chmod -R g+xws $PATH_TO_MISP/app/tmp sudo chmod -R g+ws $PATH_TO_MISP/app/files sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp sudo chmod -R g+rw $PATH_TO_MISP/venv sudo chmod -R g+rw $PATH_TO_MISP/.git sudo chown apache:apache $PATH_TO_MISP/app/files sudo chown apache:apache $PATH_TO_MISP/app/files/terms sudo chown apache:apache $PATH_TO_MISP/app/files/scripts/tmp sudo chown apache:apache $PATH_TO_MISP/app/Plugin/CakeResque/tmp sudo chown -R apache:apache $PATH_TO_MISP/app/Config sudo chown -R apache:apache $PATH_TO_MISP/app/tmp sudo chown -R apache:apache $PATH_TO_MISP/app/webroot/img/orgs sudo chown -R apache:apache $PATH_TO_MISP/app/webroot/img/custom
6/ Create a database and user¶
# Enable, start and secure your mysql database server sudo chkconfig mysqld on sudo service mysqld start sudo yum install expect -y # Add your credentials if needed, if sudo has NOPASS, comment out the relevant lines pw="Password1234" expect -f - <<-EOF set timeout 10 spawn sudo mysql_secure_installation expect "*?assword*" send -- "$pw\r" expect "Enter current password for root (enter for none):" send -- "\r" expect "Set root password?" send -- "y\r" expect "New password:" send -- "${DBPASSWORD_ADMIN}\r" expect "Re-enter new password:" send -- "${DBPASSWORD_ADMIN}\r" expect "Remove anonymous users?" send -- "y\r" expect "Disallow root login remotely?" send -- "y\r" expect "Remove test database and access to it?" send -- "y\r" expect "Reload privilege tables now?" send -- "y\r" expect eof EOF sudo yum remove tcl expect -y # Additionally, it is probably a good idea to make the database server listen on localhost only echo [mysqld] |sudo tee /etc/my.cnf.d/bind-address.cnf echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf sudo service mysqld restart
Manual procedure:¶
# Enter the mysql shell
mysql -u root -p
mysql> create database misp; mysql> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX'; mysql> grant all privileges on misp.* to misp@localhost ; mysql> exit
Same as Manual but for copy/paste foo:¶
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;" sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';" sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';" sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
Import the empty MySQL database from MYSQL.sql¶
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
7/ Apache configuration¶
Notice
SELinux note, to check if it is running:
$ sestatus SELinux status: disabled
# Now configure your apache server with the DocumentRoot $PATH_TO_MISP/app/webroot/ # A sample vhost can be found in $PATH_TO_MISP/INSTALL/old/apache.misp.centos6 sudo cp $PATH_TO_MISP/INSTALL/old/apache.misp.centos6 /etc/httpd/conf.d/misp.conf # Allow httpd to connect to the redis server and php-fpm over tcp/ip sudo setsebool -P httpd_can_network_connect on # Enable and start the httpd service sudo chkconfig httpd on sudo service httpd start # Open a hole in the iptables firewall sudo iptables -I INPUT 5 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT sudo service iptables save # We seriously recommend using only HTTPS / SSL ! # Add SSL support by running: yum install mod_ssl # Check out the apache.misp.ssl file for an example
# If a valid SSL certificate is not already created for the server, create a self-signed certificate: sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \ -subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \ -keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
8/ Log rotation¶
# MISP saves the stdout and stderr of its workers in $PATH_TO_MISP/app/tmp/logs # To rotate these logs install the supplied logrotate script: sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp sudo chmod 0640 /etc/logrotate.d/misp # Now make logrotate work under SELinux as well # Allow logrotate to modify the log files sudo semanage fcontext -a -t httpd_log_t "$PATH_TO_MISP/app/tmp/logs(/.*)?" sudo chcon -R -t httpd_log_t $PATH_TO_MISP/app/tmp/logs sudo chcon -R -t httpd_sys_rw_content_t $PATH_TO_MISP/app/tmp/logs # Allow logrotate to read /var/www sudo checkmodule -M -m -o /tmp/misplogrotate.mod $PATH_TO_MISP/INSTALL/misplogrotate.te sudo semodule_package -o /tmp/misplogrotate.pp -m /tmp/misplogrotate.mod sudo semodule -i /tmp/misplogrotate.pp
9/ MISP configuration¶
# There are 4 sample configuration files in $PATH_TO_MISP/app/Config that need to be copied $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php $SUDO_WWW cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php echo "<?php class DATABASE_CONFIG { public \$default = array( 'datasource' => 'Database/Mysql', //'datasource' => 'Database/Postgres', 'persistent' => false, 'host' => '$DBHOST', 'login' => '$DBUSER_MISP', 'port' => 3306, // MySQL & MariaDB //'port' => 5432, // PostgreSQL 'password' => '$DBPASSWORD_MISP', 'database' => '$DBNAME', 'prefix' => '', 'encoding' => 'utf8', ); }" | $SUDO_WWW tee $PATH_TO_MISP/app/Config/database.php # Configure the fields in the newly created files: # config.php : baseurl (example: 'baseurl' => 'http://misp',) - don't use "localhost" it causes issues when browsing externally # core.php : Uncomment and set the timezone: `// date_default_timezone_set('UTC');` # database.php : login, port, password, database # DATABASE_CONFIG has to be filled # With the default values provided in section 6, this would look like: # class DATABASE_CONFIG { # public $default = array( # 'datasource' => 'Database/Mysql', # 'persistent' => false, # 'host' => 'localhost', # 'login' => 'misp', // grant usage on *.* to misp@localhost # 'port' => 3306, # 'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX'; # 'database' => 'misp', // create database misp; # 'prefix' => '', # 'encoding' => 'utf8', # ); #} # Important! Change the salt key in $PATH_TO_MISP/app/Config/config.php # The admin user account will be generated on the first login, make sure that the salt is changed before you create that user # If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt, # delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin) # If you want to be able to change configuration parameters from the webinterface: sudo chown apache:apache $PATH_TO_MISP/app/Config/config.php sudo chcon -t httpd_sys_rw_content_t $PATH_TO_MISP/app/Config/config.php # Generate a GPG encryption key. cat >/tmp/gen-key-script <<EOF %echo Generating a default key Key-Type: default Key-Length: $GPG_KEY_LENGTH Subkey-Type: default Name-Real: $GPG_REAL_NAME Name-Comment: $GPG_COMMENT Name-Email: $GPG_EMAIL_ADDRESS Expire-Date: 0 Passphrase: $GPG_PASSPHRASE # Do a commit here, so that we can later print "done" %commit %echo done EOF sudo gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script sudo rm -f /tmp/gen-key-script sudo chown -R apache:apache $PATH_TO_MISP/.gnupg # And export the public key to the webroot sudo gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS |sudo tee $PATH_TO_MISP/app/webroot/gpg.asc sudo chown apache:apache $PATH_TO_MISP/app/webroot/gpg.asc # Start the workers to enable background jobs sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh $SUDO_WWW $RUN_PHP $PATH_TO_MISP/app/Console/worker/start.sh if [ ! -e /etc/rc.local ] then echo '#!/bin/sh -e' | sudo tee -a /etc/rc.local echo 'exit 0' | sudo tee -a /etc/rc.local sudo chmod u+x /etc/rc.local fi # TODO: Fix static path with PATH_TO_MISP sudo sed -i -e '$i \su -s /bin/bash apache -c "scl enable rh-php70 /var/www/MISP/app/Console/worker/start.sh" > /tmp/worker_start_rc.local.log\n' /etc/rc.local # Make sure it will execute sudo chmod +x /etc/rc.local echo "Admin (root) DB Password: $DBPASSWORD_ADMIN" echo "User (misp) DB Password: $DBPASSWORD_MISP"
# some misp-modules dependencies sudo yum install -y openjpeg-devel sudo chmod 2777 /usr/local/src sudo chown root:users /usr/local/src cd /usr/local/src/ $SUDO_WWW git clone https://github.com/MISP/misp-modules.git cd misp-modules # pip install $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -I -r REQUIREMENTS # The following fails $SUDO_WWW $PATH_TO_MISP/venv/bin/pip install . sudo yum install rubygem-rouge rubygem-asciidoctor -y ##sudo gem install asciidoctor-pdf --pre # install additional dependencies for extended object generation and extraction $SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install maec python-magic pathlib $SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install git+https://github.com/kbandla/pydeep.git # Start misp-modules $SUDO_WWW ${PATH_TO_MISP}/venv/bin/misp-modules -l 0.0.0.0 -s & # TODO: Fix static path with PATH_TO_MISP sudo sed -i -e '$i \sudo -u apache /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s &\n' /etc/rc.local
MISP Dashboard on CentOS¶
Warning
Does not work on RHEL 8
# <snippet-begin 4_misp-dashboardRHEL.sh> # Main MISP Dashboard install function mispDashboard () { sudo yum install wget screen -y sudo mkdir /var/www/misp-dashboard sudo chown $WWW_USER:$WWW_USER /var/www/misp-dashboard $SUDO_WWW git clone https://github.com/MISP/misp-dashboard.git /var/www/misp-dashboard cd /var/www/misp-dashboard sudo sed -i -E 's/sudo apt/#sudo apt/' install_dependencies.sh sudo sed -i -E 's/virtualenv -p python3 DASHENV/\/usr\/bin\/scl enable rh-python36 \"virtualenv -p python3 DASHENV\"/' install_dependencies.sh sudo -H /var/www/misp-dashboard/install_dependencies.sh sudo sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg sudo sed -i '/Listen 80/a Listen 0.0.0.0:8001' /etc/httpd/conf/httpd.conf sudo yum install rh-python36-mod_wsgi -y sudo cp /opt/rh/httpd24/root/usr/lib64/httpd/modules/mod_rh-python36-wsgi.so /etc/httpd/modules/ sudo cp /opt/rh/httpd24/root/etc/httpd/conf.modules.d/10-rh-python36-wsgi.conf /etc/httpd/conf.modules.d/ echo "<VirtualHost *:8001> ServerAdmin admin@misp.local ServerName misp.local DocumentRoot /var/www/misp-dashboard WSGIDaemonProcess misp-dashboard \ user=misp group=misp \ python-home=/var/www/misp-dashboard/DASHENV \ processes=1 \ threads=15 \ maximum-requests=5000 \ listen-backlog=100 \ queue-timeout=45 \ socket-timeout=60 \ connect-timeout=15 \ request-timeout=60 \ inactivity-timeout=0 \ deadlock-timeout=60 \ graceful-timeout=15 \ eviction-timeout=0 \ shutdown-timeout=5 \ send-buffer-size=0 \ receive-buffer-size=0 \ header-buffer-size=0 \ response-buffer-size=0 \ server-metrics=Off WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi <Directory /var/www/misp-dashboard> WSGIProcessGroup misp-dashboard WSGIApplicationGroup %{GLOBAL} Require all granted </Directory> LogLevel info ErrorLog /var/log/httpd/misp-dashboard.local_error.log CustomLog /var/log/httpd/misp-dashboard.local_access.log combined ServerSignature Off </VirtualHost>" | sudo tee /etc/httpd/conf.d/misp-dashboard.conf sudo semanage port -a -t http_port_t -p tcp 8001 sudo systemctl restart httpd.service # Add misp-dashboard to rc.local to start on boot. sudo sed -i -e '$i \sudo -u apache bash /var/www/misp-dashboard/start_all.sh > /tmp/misp-dashboard_rc.local.log\n' /etc/rc.local # Enable ZeroMQ for misp-dashboard $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false } # <snippet-end 4_misp-dashboardRHEL.sh>
Initialize MISP configuration and set some defaults¶
# <snippet-begin 2_core-cake.sh> # Core cake commands to tweak MISP and aleviate some of the configuration pains # The $RUN_PHP is ONLY set on RHEL/CentOS installs and can thus be ignored # This file is NOT an excuse to NOT read the settings and familiarize ourselves with them ;) coreCAKE () { debug "Running core Cake commands to set sane defaults for ${LBLUE}MISP${NC}" # IF you have logged in prior to running this, it will fail but the fail is NON-blocking $SUDO_WWW $RUN_PHP -- $CAKE userInit -q # This makes sure all Database upgrades are done, without logging in. $SUDO_WWW $RUN_PHP -- $CAKE Admin runUpdates # The default install is Python >=3.6 in a virtualenv, setting accordingly $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python" # Set default role # TESTME: The following seem defunct, please test. # $SUDO_WWW $RUN_PHP -- $CAKE setDefaultRole 3 # Tune global time outs $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Session.autoRegenerate" 0 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Session.timeout" 600 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Session.cookieTimeout" 3600 # Change base url, either with this CLI command or in the UI $SUDO_WWW $RUN_PHP -- $CAKE Baseurl $MISP_BASEURL # example: 'baseurl' => 'https://<your.FQDN.here>', # alternatively, you can leave this field empty if you would like to use relative pathing in MISP # 'baseurl' => '', # The base url of the application (in the format https://www.mymispinstance.com) as visible externally/by other MISPs. # MISP will encode this URL in sharing groups when including itself. If this value is not set, the baseurl is used as a fallback. $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.external_baseurl" $MISP_BASEURL # Enable GnuPG $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.email" "$GPG_EMAIL_ADDRESS" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.password" "$GPG_PASSPHRASE" # FIXME: what if we have not gpg binary but a gpg2 one? $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "GnuPG.binary" "$(which gpg)" # Enable installer org and tune some configurables $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.host_org_id" 1 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.email" "info@admin.test" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disable_emailing" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.contact" "info@admin.test" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disablerestalert" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.default_event_tag_collection" 0 # Provisional Cortex tunes $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_services_enable" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_timeout" 120 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_authkey" "" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true # Various plugin sightings settings $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_policy" 0 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_anonymise" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.Sightings_range" 365 # Plugin CustomAuth tuneable $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false # RPZ Plugin settings $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_retry" "30m" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost." $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_ns_alt" "" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost" # Force defaults to make MISP Server Settings less RED $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.language" "eng" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.proposals_block_attributes" false # Redis block $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.redis_port" 6379 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.redis_database" 13 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.redis_password" "" # Force defaults to make MISP Server Settings less YELLOW $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.extended_alert_subject" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.default_event_threat_level" 4 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableEventBlacklisting" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_client_ip" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.log_auth" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.disableUserSelfManagement" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.block_event_alert" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\"" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.block_old_event_alert" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.block_old_event_alert_age" "" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.maintenance_message" "Great things are happening! MISP is undergoing maintenance, but will return shortly. You can contact the administration at \$email." $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure" # TODO: Make sure $FLAVOUR is correct $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP on $FLAVOUR, change this message in MISP Settings" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.attachments_dir" "$PATH_TO_MISP/app/files" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.download_attachments_on_load" true $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.title_text" "MISP" $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.terms_download" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.showorgalternate" false $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "MISP.event_view_filter_fields" "id, uuid, value, comment, type, category, Tag.name" # Force defaults to make MISP Server Settings less GREEN $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.password_policy_length" 12 $SUDO_WWW $RUN_PHP -- $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/' # Set MISP Live $SUDO_WWW $RUN_PHP -- $CAKE Live $MISP_LIVE } # This updates Galaxies, ObjectTemplates, Warninglists, Noticelists, Templates updateGOWNT () { # AUTH_KEY Place holder in case we need to **curl** somehing in the future # $SUDO_WWW $RUN_MYSQL -- mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1 > /tmp/auth.key AUTH_KEY=$(cat /tmp/auth.key) rm /tmp/auth.key debug "Updating Galaxies, ObjectTemplates, Warninglists, Noticelists and Templates" # Update the galaxies… # TODO: Fix updateGalaxies $SUDO_WWW $RUN_PHP -- $CAKE Admin updateGalaxies # Updating the taxonomies… $SUDO_WWW $RUN_PHP -- $CAKE Admin updateTaxonomies # Updating the warning lists… $SUDO_WWW $RUN_PHP -- $CAKE Admin updateWarningLists # Updating the notice lists… $SUDO_WWW $RUN_PHP -- $CAKE Admin updateNoticeLists # Updating the object templates… $SUDO_WWW $RUN_PHP -- $CAKE Admin updateObjectTemplates "1337" } # <snippet-end 2_core-cake.sh>
Warning
If you have installed the recommended Python 3 virtualenv to the recommended place of ${PATH_TO_MISP}/venv set the following MISP configurable
sudo -H -u www-data $CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python"
sudo -u apache $RUN_PHP "$CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python""
Warning
Make sure that the STIX libraries and GnuPG work as intended, if not, refer to the relevant sections in the install guide you are currently reading.
Notice
Now log in using the webinterface: http://misp/users/login
The default user/pass = admin@admin.test/admin
Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference.
It is especially vital that no critical issues remain!
Don't forget to change the email, password and authentication key after installation.
Once done, have a look at the diagnostics.
Notice
If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
you can do this by running the following commands:
chmod -R 750 ${PATH_TO_MISP}/<directory path with an indicated issue> # /!\ Depending on your OS replace www-data with apache or www or whatever user is the web server user. chown -R www-data:www-data ${PATH_TO_MISP}/<directory path with an indicated issue>
Notice
If anything goes wrong, make sure that you check MISP's logs for errors:
# ${PATH_TO_MISP}/app/tmp/logs/error.log # ${PATH_TO_MISP}/app/tmp/logs/resque-worker-error.log # ${PATH_TO_MISP}/app/tmp/logs/resque-scheduler-error.log # ${PATH_TO_MISP}/app/tmp/logs/resque-2018-10-25.log //where the actual date is the current date
Recommended actions¶
-
By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.
-
You should really harden your OS
- You should really harden the configuration of Apache
- You should really harden the configuration of MySQL
- Keep your software up2date (MISP, CakePHP and everything else)
- Log and audit
Hardening a base system¶
Intro¶
MISP is a web-based information sharing platform, by design it is kept rather simple and hardening can be done by following the common best practices.
Bare in mind that neither the MISP documentation efforts or the core MISP project can give you the ultimate guide on how to harden your system. This is not the purpose of the MISP Project but the purpose and care of those individuals and organizations deploying MISP Instances.
Nevertheless here is a very rough food for thoughts bulletpoint list for you to consider, and a list of some hardening ressources below.
- Are we using SSL by default? (Especially when syncing over the internet and exposing the API)
- How to we access the machine remotely? Via ssh? What is the path to get there? Does a bastion host make sense?
- Is the machine shared with other user accounts? Do I need to care about useri-land security due to this sharing?
- Is the instance deployed in the "cloud"? Is it a VPS? AWS? docker? ansible? kubernetes? whateverCloudContainterMagicIsFancibleNow?
- Do we need to encrypt the partitions where some data is stored?
- Are we redundant in case one MISP instance might fail?
- Is the database server and any other servers running on the machine bound to localhost? Do we need to expose because our setup is more complex?
- Do we have enough storage? What about MISP and size estimation anyways?
- Do we care about BIOS updates?
- Do we care about physical access to the servers? (Disabling USB ports etc...)
- Is any fancy management engine à la IME in use?
Apache¶
To make Apache less verbose in terms of sending banners, the belo might help.
diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf index f9f69d4..2e8fd78 100644 --- a/apache2/conf-available/security.conf +++ b/apache2/conf-available/security.conf @@ -22,7 +22,7 @@ # Set to one of: Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. #ServerTokens Minimal -ServerTokens OS +ServerTokens Prod #ServerTokens Full # @@ -33,7 +33,7 @@ ServerTokens OS # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail #ServerSignature Off -ServerSignature On +ServerSignature Off # # Allow TRACE method
Resources¶
IT Security Guidelines for TLS by NCSC.nl