Skip to content

INSTALLATION INSTRUCTIONS

for Ubuntu 18.04.1-server with Webmin

Notice

Tested semi-working by @SteveClement on 20181120.

Notice

Maintained and tested by the community.
Parts of the installation procedures can also be found in the automatic VM generator script bootstrap.sh of misp-packer.

MISP configuration variables

# <snippet-begin 0_global-vars.sh>
# $ eval "$(curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/docs/generic/globalVariables.md | grep -v \`\`\`)"
# $ MISPvars
MISPvars () {
  debug "Setting generic ${LBLUE}MISP${NC} variables shared by all flavours" 2> /dev/null
  # Local non-root MISP user
  MISP_USER='misp'
  MISP_PASSWORD="$(openssl rand -hex 32)"

  # MISP configuration variables
  PATH_TO_MISP='/var/www/MISP'

  # The web server user
  # RHEL/CentOS
  if [[ -f "/etc/redhat-release" ]]; then
    WWW_USER='apache'
  # Debian flavoured
  elif [[ -f "/etc/debian_version" ]]; then
    WWW_USER="www-data"
  # OpenBSD
  elif [[ "$(uname -s)" == "OpenBSD" ]]; then
    WWW_USER="www"
    PATH_TO_MISP="/var/www/htdocs/MISP"
  # NetBSD
  elif [[ "$(uname -s)" == "NetBSD" ]]; then
    WWW_USER="www"
    PATH_TO_MISP="/usr/pkg/share/httpd/htdocs/MISP"
  else
    # I am feeling lucky
    WWW_USER="www-data"
  fi

  if [ -z "$FQDN" ]; then
    FQDN="misp.local"
  fi

  if [ -z "$MISP_BASEURL" ]; then
    MISP_BASEURL='""'
  fi

  MISP_LIVE='1'

  # Database configuration
  DBHOST='localhost'
  DBNAME='misp'
  DBUSER_ADMIN='root'
  DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
  DBUSER_MISP='misp'
  DBPASSWORD_MISP="$(openssl rand -hex 32)"

  # OpenSSL configuration
  OPENSSL_CN=$FQDN
  OPENSSL_C='LU'
  OPENSSL_ST='State'
  OPENSSL_L='Location'
  OPENSSL_O='Organization'
  OPENSSL_OU='Organizational Unit'
  OPENSSL_EMAILADDRESS="info@$FQDN"

  # GPG configuration
  GPG_REAL_NAME='Autogenerated Key'
  # On a REAL install, please do not set a comment, see here for why: https://www.debian-administration.org/users/dkg/weblog/97
  GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
  GPG_EMAIL_ADDRESS='admin@admin.test'
  # 3072 bits used as per suggestions here: https://riseup.net/en/security/message-security/openpgp/best-practices
  GPG_KEY_LENGTH='3072'
  GPG_PASSPHRASE="$(openssl rand -hex 32)"

  # debug alias to make sure people are not confused when blindly copy pasting blobs of code
  alias debug="echo -e"

  # checkAptLock alias to make sure people are not confused when blindly copy pasting blobs of code
  alias checkAptLock="echo 'Function used in Installer to make sure apt is not locked'"

  # php.ini configuration
  upload_max_filesize=50M
  post_max_size=50M
  max_execution_time=300
  memory_limit=2048M

  CAKE="$PATH_TO_MISP/app/Console/cake"

  # sudo config to run $LUSER commands
  if [[ "$(groups ${MISP_USER} |grep -o 'staff')" == "staff" ]]; then
    SUDO_USER="sudo -H -u ${MISP_USER} -g staff"
  else
    SUDO_USER="sudo -H -u ${MISP_USER}"
  fi
  SUDO_WWW="sudo -H -u ${WWW_USER} "

  echo "The following DB Passwords were generated..."
  echo "Admin (${DBUSER_ADMIN}) DB Password: ${DBPASSWORD_ADMIN}"
  echo "User  (${DBUSER_MISP}) DB Password: ${DBPASSWORD_MISP}"
}
# <snippet-end 0_global-vars.sh>
PHP_ETC_BASE=/etc/php/7.2
PHP_INI=${PHP_ETC_BASE}/apache2/php.ini
VIRT_USER=misp.misp-vm.local
PATH_TO_MISP=/home/${VIRT_USER}/public_html/MISP

Why Webmin/Virtualmin?

Some may not be full time sysadmin and prefer a platform that once it has been setup works and is decently easy to manage.

Assumptions

Assuming you created the subdomanin misp.yourserver.tld to where MISP will be installed and that the user "misp" is in the sudoers group and that you have already configured SSL with Lets Encrypt on the subdomain.

1/ Minimal Ubuntu install


Install a minimal Ubuntu 18.04-server system with the software:

  • OpenSSH server
  • This guide assumes a user name of 'misp' with sudo working

install etckeeper and sudo (optional)

# <snippet-begin 0_sudoKeeper.sh>
# check if sudo is installed
checkSudoKeeper () {
  echo "Checking for sudo and installing etckeeper"
  if [[ ! -f $(which sudo) ]]; then
    echo "Please enter your root password below to install etckeeper"
    su -c "apt install etckeeper -y"
    echo "Please enter your root password below to install sudo"
    su -c "apt install sudo -y"
    echo "Please enter your root password below to install sudo"
    su -c "apt install curl -y"
    echo "Please enter your root password below to add ${MISP_USER} to sudo group"
    su -c "/usr/sbin/adduser ${MISP_USER} sudo"
    echo "We added ${MISP_USER} to group sudo and now we need to log out and in again."
    exit
  else
    sudo apt update
    sudo apt install etckeeper -y
  fi
}
# <snippet-end 0_sudoKeeper.sh>
add the misp user to staff and www-data (mandatory)
# <snippet-begin add-user.sh>
## FIXME: This function is a duplicate included in: # <snippet-begin 0_support-functions.sh>
# check is /usr/local/src is RW by misp user
checkUsrLocalSrc () {
  echo ""
  if [[ -e /usr/local/src ]]; then
    WRITEABLE=$(sudo -H -u $MISP_USER touch /usr/local/src 2> /dev/null ; echo $?)
    if [[ "$WRITEABLE" == "0" ]]; then
      echo "Good, /usr/local/src exists and is writeable as $MISP_USER"
    else
      # TODO: The below might be shorter, more elegant and more modern
      #[[ -n $KALI ]] || [[ -n $UNATTENDED ]] && echo "Just do it" 
      sudo chmod 2775 /usr/local/src
      sudo chown root:staff /usr/local/src
    fi
  else
    echo "/usr/local/src does not exist, creating."
    mkdir -p /usr/local/src
    sudo chmod 2775 /usr/local/src
    # TODO: Better handling /usr/local/src permissions
    if [[ "$(cat /etc/group |grep staff > /dev/null 2>&1)" == "0" ]]; then
      sudo chown root:staff /usr/local/src
    fi
  fi
}
# <snippet-end add-user.sh>

Network Interface Name salvage (optional)

This will bring back 'ethX' e.g: eth0

# <snippet-end interfaces.sh>
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
DEFAULT_GRUB=/etc/default/grub

echo "--- Using old style name (ethX) for interfaces"
#for key in GRUB_CMDLINE_LINUX
#do
#    sudo sed -i "s/^\($key\)=.*/\1=\"$(eval echo \${$key})\"/" $DEFAULT_GRUB
#done
sed  -r  's/^(GRUB_CMDLINE_LINUX=).*/\1\"net\.ifnames=0\ biosdevname=0\"/' /etc/default/grub | sudo tee /etc/default/grub > /dev/null

# install ifupdown since ubuntu 18.04
sudo apt-get update
sudo apt-get install -y ifupdown

# enable eth0
echo "--- Configuring eth0"

echo "# The primary network interface
auto eth0
iface eth0 inet dhcp" | sudo tee /etc/network/interfaces
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo update-grub  > /dev/null 2>&1
# <snippet-end interfaces.sh>

Notice

On recent Ubuntu install Netplan is default and you need to change the Network name.

sudo sed -i "s/enp0s3/eth0/" /etc/netplan/50-cloud-init.yaml
OR on Ubuntu 19.04 (yay for changing this every 5 commits... #n00bs)
sudo sed -i "s/enp0s3/eth0/" /etc/netplan/01-netcfg.yaml

Make sure your system is up2date

sudo apt-get update
sudo apt-get upgrade

Get Virtualmin

wget -O /tmp/install.sh http://software.virtualmin.com/gpl/scripts/install.sh

Install it

chmod +x /tmp/install.sh
sudo /tmp/install.sh

2/ Configure basic Virtualmin environment


Once the system is installed you can perform the following steps:

Install the dependencies: (some might already be installed)

sudo apt-get install curl gcc git gnupg-agent make python openssl redis-server sudo vim zip virtualenv -y

Stop MySQL and install MariaDB (a MySQL fork/alternative)

Warning

Databases and data will be lost! It is assumed you are installing on a new server with no existing DBs

Notice

At present, a simple...

sudo service mysql stop && sudo apt-get install mariadb-client mariadb-server'
... doesn't work well with 18.04.1 so you should do the following:
sudo apt purge mysql-client-5.7 mysql-client-core-5.7 mysql-common mysql-server-5.7 mysql-server-core-5.7 mysql-server
---> NOT VERIFIED, NEED TO CLARIFY <---

Issues may arise if you leave the MySQL configuration in place, remove config files in /etc/mysql if needed.

Remove and cleanup packages

sudo apt autoremove && sudo apt -f install

Add repositories for Mariadb 10.3 and install it

sudo apt-get install software-properties-common
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb [arch=amd64,arm64,ppc64el] http://mariadb.mirrors.ovh.net/MariaDB/repo/10.3/ubuntu bionic main'
sudo apt update
# Install MariaDB (a MySQL fork/alternative)
sudo apt-get install mariadb-client mariadb-server -y

# Make sure auth_socket.so is loaded
grep auth_socket /etc/mysql/mariadb.conf.d/50-server.cnf
## If not add this in the [mysqld] section
### [mysqld]
### plugin-load-add = auth_socket.so
sudo systemctl restart mariadb.service

sudo apt install expect -y

# Add your credentials if needed, if sudo has NOPASS, comment out the relevant lines
pw="Password1234"

expect -f - <<-EOF
  set timeout 10

  spawn sudo mysql_secure_installation
  expect "*?assword*"
  send -- "$pw\r"
  expect "Enter current password for root (enter for none):"
  send -- "\r"
  expect "Set root password?"
  send -- "y\r"
  expect "New password:"
  send -- "${DBPASSWORD_ADMIN}\r"
  expect "Re-enter new password:"
  send -- "${DBPASSWORD_ADMIN}\r"
  expect "Remove anonymous users?"
  send -- "y\r"
  expect "Disallow root login remotely?"
  send -- "y\r"
  expect "Remove test database and access to it?"
  send -- "y\r"
  expect "Reload privilege tables now?"
  send -- "y\r"
  expect eof
EOF
sudo apt-get purge -y expect ; sudo apt autoremove -y

Go through the Webmin post-installation Wizard and configure your misp.yourdomain.tld virtual server

That should create the 'misp' user and related directories Add the 'misp' user to the sudo group

Also make sure the variable ${VIRT_USER} is set to the user you created when you created the virtual server. This might NOT be 'misp' but something completely different, like: 'misp.misp-vm.local' or 'misp.example.com' or 'misp-virtual'.

Install PHP and dependencies

sudo apt-get install libapache2-mod-php php php-cli php-gnupg php-dev php-json php-mysql php-opcache php-readline php-redis php-xml php-mbstring php-gd -y

Apply all changes

sudo systemctl restart apache2

3/ MISP code


Assuming you created the subdomain virtual server misp.yourserver.tld Download MISP using git in the /home/${VIRT_USER}/public_html/ as ${VIRT_USER}

sudo su - ${VIRT_USER}
# or log out root and log back in as your virtual server user

git clone https://github.com/MISP/MISP.git ${PATH_TO_MISP}
cd ${PATH_TO_MISP}
git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
# (you only have to create a new branch, if you want to change stuff and do a pull request for example)

git submodule update --init --recursive

# Make git ignore filesystem permission differences
git submodule foreach --recursive git config core.filemode false

# Create a python3 virtualenv
virtualenv -p python3 ${PATH_TO_MISP}/venv

cd $PATH_TO_MISP/app/files/scripts
git clone https://github.com/CybOXProject/python-cybox.git
git clone https://github.com/STIXProject/python-stix.git
git clone https://github.com/MAECProject/python-maec.git
cd $PATH_TO_MISP/app/files/scripts/python-cybox
${PATH_TO_MISP}/venv/bin/pip install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
${PATH_TO_MISP}/venv/bin/pip install .
cd $PATH_TO_MISP/app/files/scripts/python-maec
${PATH_TO_MISP}/venv/bin/pip install .

# install mixbox to accommodate the new STIX dependencies:
cd $PATH_TO_MISP/app/files/scripts/
git clone https://github.com/CybOXProject/mixbox.git
cd $PATH_TO_MISP/app/files/scripts/mixbox
${PATH_TO_MISP}/venv/bin/pip install .

# install PyMISP
cd $PATH_TO_MISP/PyMISP
${PATH_TO_MISP}/venv/bin/pip install .

4/ CakePHP


# CakePHP is included as a submodule of MISP

# Install CakeResque along with its dependencies if you intend to use the built in background jobs:
cd ${PATH_TO_MISP}/app
php composer.phar install

# Enable CakeResque with php-redis
sudo phpenmod redis
sudo phpenmod gnupg

# To use the scheduler worker for scheduled tasks, do the following:
cp -fa ${PATH_TO_MISP}/INSTALL/setup/config.php ${PATH_TO_MISP}/app/Plugin/CakeResque/Config/config.php

# If you have multiple MISP instances on the same system, don't forget to have a different Redis per MISP instance for the CakeResque workers
# The default Redis port can be updated in Plugin/CakeResque/Config/config.php

5/ Set the permissions


# Check if the permissions are set correctly using the following commands:
sudo chown -R ${VIRT_USER}:${VIRT_USER} ${PATH_TO_MISP}
sudo chmod -R 750 ${PATH_TO_MISP}
sudo chmod -R g+ws ${PATH_TO_MISP}/app/tmp
sudo chmod -R g+ws ${PATH_TO_MISP}/app/files
sudo chmod -R g+ws ${PATH_TO_MISP}/app/files/scripts/tmp

6/ Create a database and user


# Enter the mysql shell
sudo mysql -u root -p

# If all went well when you created the misp user in Virtualmin you should already have a misp database
# otherwise create it with:
create database misp;
# Make sure password and all privileges are set
grant usage on *.* to misp@localhost identified by 'XXXXdbpasswordhereXXXXX';
grant all privileges on misp.* to misp@localhost;
flush privileges;
exit

# Import the empty MISP database from MYSQL.sql
sudo -u ${VIRT_USER} cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME

7/ Apache configuration


Most of it should have been done when you created the subdomain but add these changes as well

# Under <VirtualHost <IP, FQDN, or *>:80>
#        ServerName <your.FQDN.here>
# add

        Redirect permanent / https://<your.FQDN.here>
        ServerSignature Off

# Closing tag </VirtualHost>


# Under <VirtualHost <IP, FQDN, or *>:443>
#        ServerAdmin admin@<your.FQDN.here>
#        ServerName <your.FQDN.here>
# etc...
# find the document root and change it as follows

        DocumentRoot /home/misp/public_html/MISP/app/webroot

# The Directory tag should be changed to:

        <Directory /home/misp/public_html/MISP/app/webroot>

# The rest should't require modifications. Restart Apache

sudo service apache2 restart

9/ MISP configuration


# There are 4 sample configuration files in ${PATH_TO_MISP}/app/Config that need to be copied
cp -a ${PATH_TO_MISP}/app/Config/bootstrap.default.php ${PATH_TO_MISP}/app/Config/bootstrap.php
cp -a ${PATH_TO_MISP}/app/Config/database.default.php ${PATH_TO_MISP}/app/Config/database.php
cp -a ${PATH_TO_MISP}/app/Config/core.default.php ${PATH_TO_MISP}/app/Config/core.php
cp -a ${PATH_TO_MISP}/app/Config/config.default.php ${PATH_TO_MISP}/app/Config/config.php

# Configure the fields in the newly created files:
vi ${PATH_TO_MISP}/app/Config/database.php
# DATABASE_CONFIG has to be filled
# With the default values provided in section 6, this would look like:
# class DATABASE_CONFIG {
#   public $default = array(
#       'datasource' => 'Database/Mysql',
#       'persistent' => false,
#       'host' => 'localhost',
#       'login' => 'misp', // grant usage on *.* to misp@localhost
#       'port' => 3306,
#       'password' => 'XXXXdbpasswordhereXXXXX', // identified by 'XXXXdbpasswordhereXXXXX';
#       'database' => 'misp', // create database misp;
#       'prefix' => '',
#       'encoding' => 'utf8',
#   );
#}

# Important! Change the salt key in ${PATH_TO_MISP}/app/Config/config.php
# see line 7 (may change)
# 'salt' => 'yoursaltkeyhere' 
# The salt key must be a string at least 32 bytes long.
# The admin user account will be generated on the first login, make sure that the salt is changed before you create that user
# If you forget to do this step, and you are still dealing with a fresh installation, just alter the salt,
# delete the user from mysql and log in again using the default admin credentials (admin@admin.test / admin)

# Change base url in config.php
vi ${PATH_TO_MISP}/app/Config/config.php
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
# 'baseurl' => '',
# 'email' => 'anemail@yourdomain.tld, set an email address that will be used for gpg

# and make sure the file permissions are still OK
chmod -R 750 ${PATH_TO_MISP}/app/Config

# Generate a GPG encryption key.

mkdir ${PATH_TO_MISP}/.gnupg
chmod 700 ${PATH_TO_MISP}/.gnupg

cat >/tmp/gen-key-script <<EOF
    %echo Generating a default key
    Key-Type: default
    Key-Length: $GPG_KEY_LENGTH
    Subkey-Type: default
    Name-Real: $GPG_REAL_NAME
    Name-Comment: $GPG_COMMENT
    Name-Email: $GPG_EMAIL_ADDRESS
    Expire-Date: 0
    Passphrase: $GPG_PASSPHRASE
    # Do a commit here, so that we can later print "done"
    %commit
    %echo done
EOF

gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file

# And export the public key to the webroot
sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | tee $PATH_TO_MISP/app/webroot/gpg.asc

# If you get no satisfaction with your entropy install this:
sudo apt-get install haveged pv

#Generate entropy for the next step, open a new shell and run the following command:
haveged -n 0 | pv > /dev/null

# It should start saying something like "Writing unlimited bytes to stdout"
# let it run and go back to the previous shell

# You can now Ctrl+C the running haveged in the other shell
# and return to the "install" shell

# To make the background workers start on boot
chmod +x ${PATH_TO_MISP}/app/Console/worker/start.sh

# Activate rc.local in systemd
# Systemd developers, in their wisdom, decided to complicate things a bit so you'll have to
# create the rc-local.service
sudo vi /etc/systemd/system/rc-local.service
# and paste the following in it
[Unit]
 Description=/etc/rc.local Compatibility
 ConditionPathExists=/etc/rc.local

[Service]
 Type=forking
 ExecStart=/etc/rc.local start
 TimeoutSec=0
 StandardOutput=tty
 RemainAfterExit=yes
 SysVStartPriority=99

[Install]
 WantedBy=multi-user.target

# Hit the "esc" button then type :wq! to write the file and exit vi

# Create/edit /etc/rc.local
sudo vi /etc/rc.local
# If the file is empty add the following including the #
#!/bin/bash

# Then add this
sudo -u ${VIRT_USER} bash ${PATH_TO_MISP}/app/Console/worker/start.sh

# If the file was empty add this as the last line
exit 0

# save, quit vi and set permissions
sudo chmod +x /etc/rc.local

# Enable it in systemd
sudo systemctl enable rc-local

#Start the rc-local compatibility layer and check if AOK
sudo systemctl start rc-local.service
sudo systemctl status rc-local.service

Notice

Once done, have a look at the diagnostics If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions you can do this by running the following commands:

sudo chmod -R 770 ${PATH_TO_MISP}/<directory path with an indicated issue>
sudo chown -R misp:www-data ${PATH_TO_MISP}/<directory path with an indicated issue>

Notice

If anything goes wrong, make sure that you check MISP's logs for errors: ```

${PATH_TO_MISP}/app/tmp/logs/error.log

${PATH_TO_MISP}/app/tmp/logs/resque-worker-error.log

${PATH_TO_MISP}/app/tmp/logs/resque-scheduler-error.log

${PATH_TO_MISP}/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date

```

Warning

If you have installed the recommended Python 3 virtualenv to the recommended place of ${PATH_TO_MISP}/venv set the following MISP configurable

sudo -H -u www-data $CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python"
or on CentOS
sudo -u apache $RUN_PHP "$CAKE Admin setSetting "MISP.python_bin" "${PATH_TO_MISP}/venv/bin/python""

Warning

Make sure that the STIX libraries and GnuPG work as intended, if not, refer to the relevant sections in the install guide you are currently reading.

Notice

Now log in using the webinterface: http://misp/users/login
The default user/pass = admin@admin.test/admin
Using the server settings tool in the admin interface (Administration -> Server Settings), set MISP up to your preference.
It is especially vital that no critical issues remain!
Don't forget to change the email, password and authentication key after installation.
Once done, have a look at the diagnostics.

Notice

If any of the directories that MISP uses to store files is not writeable to the apache user, change the permissions
you can do this by running the following commands:

chmod -R 750 ${PATH_TO_MISP}/<directory path with an indicated issue>
# /!\ Depending on your OS replace www-data with apache or www or whatever user is the web server user.
chown -R www-data:www-data ${PATH_TO_MISP}/<directory path with an indicated issue>

Notice

If anything goes wrong, make sure that you check MISP's logs for errors:

# ${PATH_TO_MISP}/app/tmp/logs/error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-worker-error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-scheduler-error.log
# ${PATH_TO_MISP}/app/tmp/logs/resque-2018-10-25.log //where the actual date is the current date


  • By default CakePHP exposes its name and version in email headers. Apply a patch to remove this behavior.

  • You should really harden your OS

  • You should really harden the configuration of Apache
  • You should really harden the configuration of MySQL
  • Keep your software up2date (MISP, CakePHP and everything else)
  • Log and audit

Hardening a base system

Intro

MISP is a web-based information sharing platform, by design it is kept rather simple and hardening can be done by following the common best practices.

Bare in mind that neither the MISP documentation efforts or the core MISP project can give you the ultimate guide on how to harden your system. This is not the purpose of the MISP Project but the purpose and care of those individuals and organizations deploying MISP Instances.

Nevertheless here is a very rough food for thoughts bulletpoint list for you to consider, and a list of some hardening ressources below.

  • Are we using SSL by default? (Especially when syncing over the internet and exposing the API)
  • How to we access the machine remotely? Via ssh? What is the path to get there? Does a bastion host make sense?
  • Is the machine shared with other user accounts? Do I need to care about useri-land security due to this sharing?
  • Is the instance deployed in the "cloud"? Is it a VPS? AWS? docker? ansible? kubernetes? whateverCloudContainterMagicIsFancibleNow?
  • Do we need to encrypt the partitions where some data is stored?
  • Are we redundant in case one MISP instance might fail?
  • Is the database server and any other servers running on the machine bound to localhost? Do we need to expose because our setup is more complex?
  • Do we have enough storage? What about MISP and size estimation anyways?
  • Do we care about BIOS updates?
  • Do we care about physical access to the servers? (Disabling USB ports etc...)
  • Is any fancy management engine à la IME in use?

Apache

To make Apache less verbose in terms of sending banners, the belo might help.

diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf
index f9f69d4..2e8fd78 100644
--- a/apache2/conf-available/security.conf
+++ b/apache2/conf-available/security.conf
@@ -22,7 +22,7 @@
 # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
 # where Full conveys the most information, and Prod the least.
 #ServerTokens Minimal
-ServerTokens OS
+ServerTokens Prod
 #ServerTokens Full

 #
@@ -33,7 +33,7 @@ ServerTokens OS
 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
 # Set to one of:  On | Off | EMail
 #ServerSignature Off
-ServerSignature On
+ServerSignature Off

 #
 # Allow TRACE method

Resources

IT Security Guidelines for TLS by NCSC.nl

Weak Diffie-Hellman and the Logjam Attack

Debian Wiki Hardening

CentOS Hardening

Some Linux hardening tips

Optional features


MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following command

sudo pip3 install pyzmq
# ZeroMQ depends on the Python client for Redis
sudo pip3 install redis

MISP has a feature for publishing events to Kafka. To enable it, simply run the following commands

apt-get install librdkafka-dev php-dev
pecl install rdkafka
find /etc -name php.ini | while read f; do echo 'extension=rdkafka.so' | tee -a "$f"; done

Experimental ssdeep correlations

# installing ssdeep
wget http://downloads.sourceforge.net/project/ssdeep/ssdeep-2.13/ssdeep-2.13.tar.gz
tar zxvf ssdeep-2.13.tar.gz
cd ssdeep-2.13
./configure
make
sudo make install
ssdeep -h # test

#installing ssdeep_php
sudo pecl install ssdeep

# You should add "extension=ssdeep.so" to mods-available - Check /etc/php for your current version
echo "extension=ssdeep.so" | sudo tee /etc/php/7.2/mods-available/ssdeep.ini
sudo phpenmod ssdeep
sudo service apache2 restart

Notice

If you want to add the misp modules functionality, follow the setup procedure described in misp-modules:
https://github.com/MISP/misp-modules#how-to-install-and-start-misp-modules
Then the enrichment, export and import modules can be enabled in MISP via the settings.