Tips-Of-Mine/soc-fortress
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first sync
Some checks failed
Deployment Verification / deploy-and-test (push) Failing after 29s
Details

Browse Source
This commit is contained in:
Hubert Cornet
2025-03-04 07:59:21 +01:00
parent 9cdcf486b6
commit 506716e703
1450 changed files with 577316 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

232
misp/core/Dockerfile Normal file
View File

@@ -0,0 +1,232 @@
ARG DOCKER_HUB_PROXY=""
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as composer-build
ENV DEBIAN_FRONTEND noninteractive
ENV COMPOSER_ALLOW_SUPERUSER 1
ARG CORE_TAG
ARG CORE_COMMIT
RUN apt-get update; apt-get install -y --no-install-recommends \
ca-certificates \
php \
php-apcu \
php-curl \
php-xml \
php-intl \
php-bcmath \
php-mbstring \
php-mysql \
php-redis \
php-gd \
php-fpm \
php-zip \
unzip \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
WORKDIR /tmp
ADD https://raw.githubusercontent.com/MISP/MISP/${CORE_COMMIT:-${CORE_TAG}}/app/composer.json /tmp
COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
RUN composer config --no-interaction allow-plugins.composer/installers true
RUN composer install
RUN composer require --with-all-dependencies --no-interaction \
supervisorphp/supervisor:^4.0 \
guzzlehttp/guzzle \
lstrojny/fxmlrpc \
php-http/message \
php-http/message-factory \
# docker image specific dependencies
elasticsearch/elasticsearch:^8.7.0 \
jakub-onderka/openid-connect-php:^1.0.0 \
aws/aws-sdk-php
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as php-build
ENV DEBIAN_FRONTEND noninteractive
ENV TZ Etc/UTC
RUN apt-get update; apt-get install -y --no-install-recommends \
gcc \
g++ \
make \
libfuzzy-dev \
ca-certificates \
php \
php-dev \
php-xml \
php-pear \
librdkafka-dev \
libsimdjson-dev \
git \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl channel-update pecl.php.net && pecl install ssdeep && pecl install rdkafka && pecl install simdjson
RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && \
cd php-ext-brotli && phpize && ./configure && make && make install
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim" as python-build
ENV DEBIAN_FRONTEND noninteractive
ARG CORE_TAG
ARG CORE_COMMIT
ARG PYPI_REDIS_VERSION
ARG PYPI_LIEF_VERSION
ARG PYPI_PYDEEP2_VERSION
ARG PYPI_PYTHON_MAGIC_VERSION
ARG PYPI_MISP_LIB_STIX2_VERSION
ARG PYPI_MAEC_VERSION
ARG PYPI_MIXBOX_VERSION
ARG PYPI_CYBOX_VERSION
ARG PYPI_PYMISP_VERSION
RUN apt-get update; apt-get install -y --no-install-recommends \
python3-pip \
git \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
# Download MISP using git in the /var/www/ directory. Remove unnecessary items.
RUN <<-EOF
if [ ! -z "${CORE_COMMIT}" ]; then
git clone https://github.com/MISP/MISP.git /var/www/MISP && cd /var/www/MISP && git checkout "${CORE_COMMIT}"
else
git clone --branch "${CORE_TAG}" --depth 1 https://github.com/MISP/MISP.git /var/www/MISP
fi
cd /var/www/MISP || exit; git submodule update --init --recursive .
EOF
RUN <<-EOF
mkdir /wheels
# Add additional dependencies (container specific)
# The "set" line contains the list of modules we want to ensure are present.
# PYPI_MODULE_NAME_VERSION env vars can be set to specify the version desired,
# e.g. PYPI_SURICATA_VERSION="==2.0" to specify exactly version 2.0 for the suricata package
#
# 1. Check for presence of each module in requirements.txt
# 2. If missing, add it (with optional version from env (defaults to empty string))
# 3. If present, replace with our specified version if it exists, otherwise leave
# the upstream version alone.
set -- "redis" "lief" "pydeep2" "python-magic" "misp-lib-stix2" "maec" "mixbox" "cybox" "pymisp"
for mod in "$@"; do
mod_version_var=$(echo "PYPI_${mod}_VERSION" | tr '[:lower:]' '[:upper:]' | tr '-' '_')
mod_version=$(eval "echo \"\$$mod_version_var\"")
grep -q ${mod} /var/www/MISP/requirements.txt
exists=$?
if [ "${exists}" -eq "1" ]; then
echo "Adding missing module ${mod} with version '${mod_version}'"
echo ${mod}${mod_version} >> /var/www/MISP/requirements.txt
else
if [ "$(echo ${mod_version} | wc -m)" -gt 1 ]; then
echo "Overwriting existing module ${mod}, version '${mod_version}'"
sed -i "/${mod}/s/.*/${mod}${mod_version}/" /var/www/MISP/requirements.txt
else
echo "Skipping overwriting ${mod} due to missing version variable"
fi
fi
done;
pip3 wheel --no-cache-dir -w /wheels/ -r /var/www/MISP/requirements.txt
# Remove files we do not care for
rm -r /var/www/MISP/PyMISP
find /var/www/MISP/INSTALL/* ! -name 'MYSQL.sql' -type f -exec rm {} +
find /var/www/MISP/INSTALL/* ! -name 'MYSQL.sql' -type l -exec rm {} +
# Remove most files in .git - we do not use git functionality in docker
find /var/www/MISP/.git/* ! -name HEAD -exec rm -rf {} +
EOF
FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim"
ENV DEBIAN_FRONTEND noninteractive
ARG CORE_TAG
ARG CORE_COMMIT
ARG PHP_VER
RUN apt-get update; apt-get install -y --no-install-recommends \
procps \
sudo \
nginx \
supervisor \
cron \
openssl \
gpg \
gpg-agent \
ssdeep \
libfuzzy2 \
mariadb-client \
rsync \
# Python Requirements
python3 \
python3-setuptools \
python3-pip \
# PHP Requirements
php \
php-apcu \
php-curl \
php-xml \
php-intl \
php-bcmath \
php-mbstring \
php-mysql \
php-redis \
php-gd \
php-fpm \
php-zip \
php-ldap \
libldap-common \
librdkafka1 \
libbrotli1 \
libsimdjson5 \
# Unsure we need these
zip unzip \
# Require for advanced an unattended configuration
curl jq \
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
# Install python modules
COPY --from=python-build /wheels /wheels
RUN pip3 install --no-cache-dir /wheels/*.whl && rm -rf /wheels
# PHP: install prebuilt libraries, then install the app's PHP deps
COPY --from=php-build ["/usr/lib/php/${PHP_VER}/ssdeep.so", "/usr/lib/php/${PHP_VER}/rdkafka.so", "/usr/lib/php/${PHP_VER}/brotli.so", "/usr/lib/php/${PHP_VER}/simdjson.so", "/usr/lib/php/${PHP_VER}/"]
# Do an early chown to limit image size
COPY --from=python-build --chown=www-data:www-data --chmod=0550 /var/www/MISP /var/www/MISP
COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/Vendor /var/www/MISP/app/Vendor
COPY --from=composer-build --chown=www-data:www-data --chmod=0550 /tmp/Plugin /var/www/MISP/app/Plugin
# Gather these in one layer, only act on actual directories under /etc/php/
RUN <<-EOF
set -- "ssdeep" "rdkafka" "brotli" "simdjson"
for mod in "$@"; do
for dir in /etc/php/*/; do
echo "extension=${mod}.so" > "${dir}mods-available/${mod}.ini"
done;
phpenmod "${mod}"
done;
phpenmod redis
EOF
# nginx
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
# Make a copy of the file and configuration stores, so we can sync from it
# The spirit of the upstream dockerization is to make:
# 1) User and group aligned in terms of permissions
# 2) Files executable and read only, because of some rogue scripts like 'cake'
# 3) Directories writable, because sometimes MISP add new files
RUN <<-EOF
cp -R /var/www/MISP/app/files /var/www/MISP/app/files.dist
cp -R /var/www/MISP/app/Config /var/www/MISP/app/Config.dist
find /var/www/MISP \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data '{}' +;
find /var/www/MISP -not -perm 550 -type f -exec chmod 0550 '{}' +;
find /var/www/MISP -not -perm 770 -type d -exec chmod 0770 '{}' +;
# Diagnostics wants this file to be present and writable even if we do not use git in docker land
touch /var/www/MISP/.git/ORIG_HEAD && chmod 0600 /var/www/MISP/.git/ORIG_HEAD && chown www-data:www-data /var/www/MISP/.git/ORIG_HEAD
EOF
# Copy all our image specific files to appropriate locations
COPY files/ /
ENTRYPOINT [ "/entrypoint.sh" ]
# Change Workdirectory
WORKDIR /var/www/MISP

327
misp/core/files/configure_misp.sh Normal file
View File

@@ -0,0 +1,327 @@
#!/bin/bash
source /rest_client.sh
source /utilities.sh
[ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
[ -z "$REDIS_FQDN" ] && REDIS_FQDN="redis"
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
# Switches to selectively disable configuration logic
[ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
[ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
[ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
[ -z "$LDAP_ENABLE" ] && LDAP_ENABLE="false"
init_configuration(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring default settings"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.baseurl" "$BASE_URL"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${MISP_CONTACT-$ADMIN_EMAIL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.python_bin" $(which python3)
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q -f "MISP.ca_path" "/etc/ssl/certs/ca-certificates.crt"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Import_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Export_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Cortex_services_enable" false
}
init_workers(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring background workers"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.enabled" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_port" 9001
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_password" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_user" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
echo "... starting background workers"
supervisorctl start misp-workers:*
}
configure_gnupg() {
if [ "$AUTOCONF_GPG" != "true" ]; then
echo "... GPG auto configuration disabled"
return
fi
GPG_DIR=/var/www/MISP/.gnupg
GPG_ASC=/var/www/MISP/app/webroot/gpg.asc
GPG_TMP=/tmp/gpg.tmp
if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then
echo "... generating new GPG key in ${GPG_DIR}"
cat >${GPG_TMP} <<GPGEOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 3072
Name-Real: MISP Admin
Name-Email: ${MISP_EMAIL-$ADMIN_EMAIL}
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
%commit
%echo Done
GPGEOF
mkdir -p ${GPG_DIR}
gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP}
rm -f ${GPG_TMP}
else
echo "... found pre-generated GPG key in ${GPG_DIR}"
fi
# Fix permissions
chown -R www-data:www-data ${GPG_DIR}
find ${GPG_DIR} -type f -exec chmod 600 {} \;
find ${GPG_DIR} -type d -exec chmod 700 {} \;
if [ ! -f ${GPG_ASC} ]; then
echo "... exporting GPG key"
sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${MISP_EMAIL-$ADMIN_EMAIL} > ${GPG_ASC}
else
echo "... found exported key ${GPG_ASC}"
fi
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.homedir" "${GPG_DIR}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.password" "${GPG_PASSPHRASE}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
}
set_up_oidc() {
if [[ "$OIDC_ENABLE" != "true" ]]; then
echo "... OIDC authentication disabled"
return
fi
# Check required variables
check_env_vars OIDC_PROVIDER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ROLES_PROPERTY OIDC_ROLES_MAPPING OIDC_DEFAULT_ORG
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": [\"OidcAuth.Oidc\"]
}
}" > /dev/null
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"OidcAuth\": {
\"provider_url\": \"${OIDC_PROVIDER_URL}\",
\"client_id\": \"${OIDC_CLIENT_ID}\",
\"client_secret\": \"${OIDC_CLIENT_SECRET}\",
\"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
\"role_mapper\": ${OIDC_ROLES_MAPPING},
\"default_org\": \"${OIDC_DEFAULT_ORG}\"
}
}" > /dev/null
# Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
}
set_up_ldap() {
if [[ "$LDAP_ENABLE" != "true" ]]; then
echo "... LDAP authentication disabled"
return
fi
# Check required variables
# LDAP_SEARCH_FILTER may be empty
check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"ApacheSecureAuth\": {
\"apacheEnv\": \"${LDAP_APACHE_ENV}\",
\"ldapServer\": \"${LDAP_SERVER}\",
\"starttls\": ${LDAP_STARTTLS},
\"ldapProtocol\": ${LDAP_OPT_PROTOCOL_VERSION},
\"ldapNetworkTimeout\": ${LDAP_OPT_NETWORK_TIMEOUT},
\"ldapReaderUser\": \"${LDAP_READER_USER}\",
\"ldapReaderPassword\": \"${LDAP_READER_PASSWORD}\",
\"ldapDN\": \"${LDAP_DN}\",
\"ldapSearchFilter\": \"${LDAP_SEARCH_FILTER}\",
\"ldapSearchAttribut\": \"${LDAP_SEARCH_ATTRIBUTE}\",
\"ldapFilter\": ${LDAP_FILTER},
\"ldapDefaultRoleId\": ${LDAP_DEFAULT_ROLE_ID},
\"ldapDefaultOrg\": \"${LDAP_DEFAULT_ORG}\",
\"ldapAllowReferrals\": ${LDAP_OPT_REFERRALS},
\"ldapEmailField\": ${LDAP_EMAIL_FIELD}
}
}" > /dev/null
}
apply_updates() {
# Disable weird default
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
# Run updates (strip colors since output might end up in a log)
sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g"
}
init_user() {
# Create the main user if it is not there already
sudo -u www-data /var/www/MISP/app/Console/cake userInit -q 2>&1 > /dev/null
echo "UPDATE misp.users SET email = \"${ADMIN_EMAIL}\" WHERE id = 1;" | ${MYSQLCMD}
if [ ! -z "$ADMIN_ORG" ]; then
echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD}
fi
if [ -n "$ADMIN_KEY" ]; then
echo "... setting admin key to '${ADMIN_KEY}'"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
elif [ -z "$ADMIN_KEY" ] && [ "$AUTOGEN_ADMIN_KEY" == "true" ]; then
echo "... regenerating admin key (set \$ADMIN_KEY if you want it to change)"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
else
echo "... admin user key auto generation disabled"
fi
if [[ -v CHANGE_CMD[@] ]]; then
ADMIN_KEY=$("${CHANGE_CMD[@]}" | awk 'END {print $NF; exit}')
echo "... admin user key set to '${ADMIN_KEY}'"
fi
if [ ! -z "$ADMIN_PASSWORD" ]; then
echo "... setting admin password to '${ADMIN_PASSWORD}'"
PASSWORD_POLICY=$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting "Security.password_policy_complexity" | jq ".value" -r)
PASSWORD_LENGTH=$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting "Security.password_policy_length" | jq ".value")
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" 1
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" '/.*/'
sudo -u www-data /var/www/MISP/app/Console/cake User change_pw "${ADMIN_EMAIL}" "${ADMIN_PASSWORD}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" "${PASSWORD_POLICY}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" "${PASSWORD_LENGTH}"
else
echo "... setting admin password skipped"
fi
echo 'UPDATE misp.users SET change_pw = 0 WHERE id = 1;' | ${MYSQLCMD}
}
apply_critical_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.external_baseurl" "${BASE_URL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.host_org_id" 1
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Action_services_enable" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_enable" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_popover_only" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.csp_enforce" true
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"rest_client_baseurl\": \"${BASE_URL}\"
}
}" > /dev/null
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": \"\"
}
}" > /dev/null
# Avoids displaying errors not relevant to a docker container
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.self_update" false
}
apply_optional_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_top" ""
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_bottom" ""
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${ADMIN_EMAIL}"
# This is not necessary because we update the DB directly
# sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.org" "${ADMIN_ORG}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_client_ip" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips_authkeys" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_timeout" 30
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_timeout" 5
}
update_components() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
}
create_sync_servers() {
if [ -z "$ADMIN_KEY" ]; then
echo "... admin key auto configuration is required to configure sync servers"
return
fi
SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
for ID in $SPLITTED_SYNCSERVERS; do
DATA="SYNCSERVERS_${ID}_DATA"
# Validate #1
NAME=$(echo "${!DATA}" | jq -r '.name')
if [[ -z $NAME ]]; then
echo "... error missing sync server name"
continue
fi
# Skip sync server if we can
echo "... searching sync server ${NAME}"
SERVER_ID=$(get_server ${BASE_URL} ${ADMIN_KEY} ${NAME})
if [[ -n "$SERVER_ID" ]]; then
echo "... found existing sync server ${NAME} with id ${SERVER_ID}"
continue
fi
# Validate #2
UUID=$(echo "${!DATA}" | jq -r '.remote_org_uuid')
if [[ -z "$UUID" ]]; then
echo "... error missing sync server remote_org_uuid"
continue
fi
# Get remote organization
echo "... searching remote organization ${UUID}"
ORG_ID=$(get_organization ${BASE_URL} ${ADMIN_KEY} ${UUID})
if [[ -z "$ORG_ID" ]]; then
# Add remote organization if missing
echo "... adding missing organization ${UUID}"
add_organization ${BASE_URL} ${ADMIN_KEY} ${NAME} false ${UUID} > /dev/null
ORG_ID=$(get_organization ${BASE_URL} ${ADMIN_KEY} ${UUID})
fi
# Add sync server
echo "... adding new sync server ${NAME} with organization id ${ORG_ID}"
JSON_DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} 'del(.remote_org_uuid) | . + {remote_org_id: $org_id}')
add_server ${BASE_URL} ${ADMIN_KEY} "$JSON_DATA" > /dev/null
done
}
echo "MISP | Update CA certificates ..." && update-ca-certificates
echo "MISP | Initialize configuration ..." && init_configuration
echo "MISP | Initialize workers ..." && init_workers
echo "MISP | Configure GPG key ..." && configure_gnupg
echo "MISP | Apply updates ..." && apply_updates
echo "MISP | Init default user and organization ..." && init_user
echo "MISP | Resolve critical issues ..." && apply_critical_fixes
echo "MISP | Resolve non-critical issues ..." && apply_optional_fixes
echo "MISP | Create sync servers ..." && create_sync_servers
echo "MISP | Update components ..." && update_components
echo "MISP | Set Up OIDC ..." && set_up_oidc
echo "MISP | Set Up LDAP ..." && set_up_ldap
echo "MISP | Mark instance live"
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1

11
misp/core/files/entrypoint.sh Normal file
View File

@@ -0,0 +1,11 @@
#!/bin/bash
# export env variables again so they are not mandatory in docker-compose.yml in a backward compatible manner
export NUM_WORKERS_DEFAULT=${NUM_WORKERS_DEFAULT:-${WORKERS:-5}}
export NUM_WORKERS_PRIO=${NUM_WORKERS_PRIO:-${WORKERS:-5}}
export NUM_WORKERS_EMAIL=${NUM_WORKERS_EMAIL:-${WORKERS:-5}}
export NUM_WORKERS_UPDATE=${NUM_WORKERS_UPDATE:-${WORKERS:-1}}
export NUM_WORKERS_CACHE=${NUM_WORKERS_CACHE:-${WORKERS:-5}}
# start supervisord using the main configuration file so we have a socket interface
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf

47
misp/core/files/entrypoint_cron.sh Normal file
View File

@@ -0,0 +1,47 @@
#!/bin/bash
[ -z "$CRON_USER_ID" ] && CRON_USER_ID=1
term_procs() {
echo "Entrypoint CRON caught SIGTERM signal!"
echo "Killing process $p1_pid"
kill -TERM "$p1_pid" 2>/dev/null
echo "Killing process $p2_pid"
kill -TERM "$p2_pid" 2>/dev/null
}
trap term_procs SIGTERM
# Create the misp cron tab
cat << EOF > /etc/cron.d/misp
20 2 * * * www-data /var/www/MISP/app/Console/cake Server cacheFeed "$CRON_USER_ID" all > /tmp/cronlog 2>&1
30 2 * * * www-data /var/www/MISP/app/Console/cake Server fetchFeed "$CRON_USER_ID" all > /tmp/cronlog 2>&1
0 0 * * * www-data /var/www/MISP/app/Console/cake Server pullAll "$CRON_USER_ID" > /tmp/cronlog 2>&1
0 1 * * * www-data /var/www/MISP/app/Console/cake Server pushAll "$CRON_USER_ID" > /tmp/cronlog 2>&1
00 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateGalaxies > /tmp/cronlog 2>&1
10 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies > /tmp/cronlog 2>&1
20 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateWarningLists > /tmp/cronlog 2>&1
30 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists > /tmp/cronlog 2>&1
45 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID" > /tmp/cronlog 2>&1
EOF
# Build a fifo buffer for the cron logs, 777 so anyone can write to it
if [[ ! -p /tmp/cronlog ]]; then
mkfifo -m 777 /tmp/cronlog
fi
# Build another fifo for the cron pipe
if [[ ! -p /tmp/cronpipe ]]; then
mkfifo /tmp/cronpipe
fi
# Execute the cron pipe
cron -l -f > /tmp/cronpipe & p1_pid=$!
tail -f /tmp/cronlog < /tmp/cronpipe & p2_pid=$!
# Wait for both processes of the cron pipe
wait "$p2_pid"
wait "$p1_pid"

32
misp/core/files/entrypoint_fpm.sh Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis
term_proc() {
echo "Entrypoint FPM caught SIGTERM signal!"
echo "Killing process $master_pid"
kill -TERM "$master_pid" 2>/dev/null
}
trap term_proc SIGTERM
change_php_vars() {
for FILE in /etc/php/*/fpm/php.ini
do
[[ -e $FILE ]] || break
sed -i "s/memory_limit = .*/memory_limit = 2048M/" "$FILE"
sed -i "s/max_execution_time = .*/max_execution_time = 300/" "$FILE"
sed -i "s/upload_max_filesize = .*/upload_max_filesize = 50M/" "$FILE"
sed -i "s/post_max_size = .*/post_max_size = 50M/" "$FILE"
sed -i "s/session.save_handler = .*/session.save_handler = redis/" "$FILE"
sed -i "s|.*session.save_path = .*|session.save_path = 'tcp://${REDIS_FQDN}:6379'|" "$FILE"
done
}
echo "Configure PHP | Change PHP values ..." && change_php_vars
echo "Configure PHP | Starting PHP FPM"
/usr/sbin/php-fpm7.4 -R -F & master_pid=$!
# Wait for it
wait "$master_pid"

272
misp/core/files/entrypoint_nginx.sh Normal file
View File

@@ -0,0 +1,272 @@
#!/bin/bash
term_proc() {
echo "Entrypoint NGINX caught SIGTERM signal!"
echo "Killing process $master_pid"
kill -TERM "$master_pid" 2>/dev/null
}
trap term_proc SIGTERM
[ -z "$MYSQL_HOST" ] && MYSQL_HOST=db
[ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306
[ -z "$MYSQL_USER" ] && MYSQL_USER=misp
[ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example
[ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp
[ -z "$MYSQLCMD" ] && export MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
[ -z "$CRON_USER_ID" ] && export CRON_USER_ID="1"
[ -z "$BASE_URL" ] && export BASE_URL="https://localhost"
[ -z "$DISABLE_IPV6" ] && export DISABLE_IPV6=false
init_mysql(){
# Test when MySQL is ready....
# wait for Database come ready
isDBup () {
echo "SHOW STATUS" | $MYSQLCMD 1>/dev/null
echo $?
}
isDBinitDone () {
# Table attributes has existed since at least v2.1
echo "DESCRIBE attributes" | $MYSQLCMD 1>/dev/null
echo $?
}
RETRY=100
until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do
echo "... waiting for database to come up"
sleep 5
RETRY=$(( RETRY - 1))
done
if [ $RETRY -le 0 ]; then
>&2 echo "... error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT"
exit 1
fi
if [ $(isDBinitDone) -eq 0 ]; then
echo "... database has already been initialized"
else
echo "... database has not been initialized, importing MySQL scheme..."
$MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
fi
}
init_misp_data_files(){
# Init config (shared with host)
echo "... initialize configuration files"
MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
# workaround for https://forums.docker.com/t/sed-couldnt-open-temporary-file-xyz-permission-denied-when-using-virtiofs/125473
# [ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
# [ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
# [ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
# [ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
# [ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
# [ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
[ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/bootstrap.default.php of=$MISP_APP_CONFIG_PATH/bootstrap.php
[ -f $MISP_APP_CONFIG_PATH/database.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/database.default.php of=$MISP_APP_CONFIG_PATH/database.php
[ -f $MISP_APP_CONFIG_PATH/core.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/core.default.php of=$MISP_APP_CONFIG_PATH/core.php
[ -f $MISP_APP_CONFIG_PATH/config.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/config.default.php of=$MISP_APP_CONFIG_PATH/config.php
[ -f $MISP_APP_CONFIG_PATH/email.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/email.php of=$MISP_APP_CONFIG_PATH/email.php
[ -f $MISP_APP_CONFIG_PATH/routes.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/routes.php of=$MISP_APP_CONFIG_PATH/routes.php
echo "... initialize database.php settings"
# workaround for https://forums.docker.com/t/sed-couldnt-open-temporary-file-xyz-permission-denied-when-using-virtiofs/125473
# sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php
# sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
# sed -i "s/3306/$MYSQL_PORT/" $MISP_APP_CONFIG_PATH/database.php
# sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
# sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
chmod +w $MISP_APP_CONFIG_PATH/database.php
sed "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
sed "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
sed "s/3306/$MYSQL_PORT/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
sed "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
sed "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
echo "... initialize email.php settings"
chmod +w $MISP_APP_CONFIG_PATH/email.php
tee $MISP_APP_CONFIG_PATH/email.php > /dev/null <<EOT
<?php
class EmailConfig {
public \$default = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$smtp = array(
'transport' => 'Smtp',
'from' => array('misp-dev@admin.test' => 'Misp DEV'),
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => false,
);
public \$fast = array(
'from' => 'misp-dev@admin.test',
'sender' => null,
'to' => null,
'cc' => null,
'bcc' => null,
'replyTo' => null,
'readReceipt' => null,
'returnPath' => null,
'messageId' => true,
'subject' => null,
'message' => null,
'headers' => null,
'viewRender' => null,
'template' => false,
'layout' => false,
'viewVars' => null,
'attachments' => null,
'emailFormat' => null,
'transport' => 'Smtp',
'host' => 'mail',
'port' => 25,
'timeout' => 30,
'client' => null,
'log' => true,
);
}
EOT
chmod -w $MISP_APP_CONFIG_PATH/email.php
# Init files (shared with host)
echo "... initialize app files"
MISP_APP_FILES_PATH=/var/www/MISP/app/files
if [ ! -f ${MISP_APP_FILES_PATH}/INIT ]; then
cp -R ${MISP_APP_FILES_PATH}.dist/* ${MISP_APP_FILES_PATH}
touch ${MISP_APP_FILES_PATH}/INIT
fi
}
update_misp_data_files(){
for DIR in $(ls /var/www/MISP/app/files.dist); do
if [ "$DIR" = "certs" ]; then
echo "... rsync -azh \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
rsync -azh "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
else
echo "... rsync -azh --delete \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
fi
done
}
enforce_misp_data_permissions(){
echo "... chown -R www-data:www-data /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 770 -type d -exec chmod 0770 {} +
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp" && chmod -R u+w,g+w /var/www/MISP/app/tmp
echo "... chown -R www-data:www-data /var/www/MISP/app/files" && find /var/www/MISP/app/files \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 770 -type d -exec chmod 0770 {} +
# We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
echo "... chmod -R u+w,g+w /var/www/MISP/app/files" && chmod -R u+w,g+w /var/www/MISP/app/files
echo "... chown -R www-data:www-data /var/www/MISP/app/Config" && find /var/www/MISP/app/Config \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
# Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
echo "... chmod -R 0550 files /var/www/MISP/app/Config ..." && find /var/www/MISP/app/Config -not -perm 550 -type f -exec chmod 0550 {} +
# Directories are also writable, because there seems to be a requirement to add new files every once in a while
echo "... chmod -R 0770 directories /var/www/MISP/app/Config" && find /var/www/MISP/app/Config -not -perm 770 -type d -exec chmod 0770 {} +
# We make configuration files read only
echo "... chmod 600 /var/www/MISP/app/Config/{config,database,email}.php" && chmod 600 /var/www/MISP/app/Config/{config,database,email}.php
}
flip_nginx() {
local live="$1";
local reload="$2";
if [[ "$live" = "true" ]]; then
NGINX_DOC_ROOT=/var/www/MISP/app/webroot
elif [[ -x /custom/files/var/www/html/index.php ]]; then
NGINX_DOC_ROOT=/custom/files/var/www/html/
else
NGINX_DOC_ROOT=/var/www/html/
fi
# must be valid for all roots
echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
if [[ "$reload" = "true" ]]; then
echo "... nginx reloaded"
nginx -s reload
fi
}
init_nginx() {
# Testing for files also test for links, and generalize better to mounted files
if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
echo "... enabling port 80 redirect"
if [[ "$DISABLE_IPV6" = "true" ]]; then
sed -i "/\[::\]/d" /etc/nginx/sites-available/misp80
fi
ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
else
echo "... port 80 already configured"
fi
# Testing for files also test for links, and generalize better to mounted files
if [[ ! -f "/etc/nginx/sites-enabled/misp" ]]; then
echo "... enabling port 443"
if [[ "$DISABLE_IPV6" = "true" ]]; then
sed -i "/\[::\]/d" /etc/nginx/sites-available/misp
fi
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
else
echo "... port 443 already configured"
fi
if [[ ! -f /etc/nginx/certs/cert.pem || ! -f /etc/nginx/certs/key.pem ]]; then
echo "... generating new self-signed TLS certificate"
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout /etc/nginx/certs/key.pem -out /etc/nginx/certs/cert.pem -days 365
else
echo "... TLS certificates found"
fi
if [[ ! -f /etc/nginx/certs/dhparams.pem ]]; then
echo "... generating new DH parameters"
openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
else
echo "... DH parameters found"
fi
flip_nginx false false
}
# Initialize MySQL
echo "INIT | Initialize MySQL ..." && init_mysql
# Initialize NGINX
echo "INIT | Initialize NGINX ..." && init_nginx
nginx -g 'daemon off;' & master_pid=$!
# Initialize MISP
echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
echo "INIT | Update MISP app/files directory ..." && update_misp_data_files
echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
echo "INIT | Flip NGINX live ..." && flip_nginx true true
# Run configure MISP script
echo "INIT | Configure MISP installation ..."
/configure_misp.sh
if [[ -x /custom/files/customize_misp.sh ]]; then
echo "INIT | Customize MISP installation ..."
/custom/files/customize_misp.sh
fi
# Wait for it
wait "$master_pid"

53
misp/core/files/etc/nginx/sites-available/misp Normal file
View File

@@ -0,0 +1,53 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# define the root dir
root /var/www/MISP/app/webroot;
index index.php;
client_max_body_size 50M;
# disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# intermediate configuration
ssl_dhparam /etc/nginx/certs/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# enable HSTS
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
add_header X-Frame-Options SAMEORIGIN;
# added headers for hardening browser security
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
location / {
try_files $uri $uri/ /index.php$is_args$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_read_timeout 300;
}
}

11
misp/core/files/etc/nginx/sites-available/misp80 Normal file
View File

@@ -0,0 +1,11 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
# Disable access logs
access_log off;
log_not_found off;
error_log /dev/stderr error;
return 301 https://$host$request_uri;
}

39
misp/core/files/etc/supervisor/conf.d/10-supervisor.conf Normal file
View File

@@ -0,0 +1,39 @@
[supervisord]
nodaemon=true
user=root
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
[inet_http_server]
port=127.0.0.1:9001
username=supervisor
password=supervisor
[program:nginx]
command=/entrypoint_nginx.sh
autorestart=true
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
[program:php-fpm]
command=/entrypoint_fpm.sh
autorestart=true
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
[program:cron]
command=/entrypoint_cron.sh
autorestart=true
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0

68
misp/core/files/etc/supervisor/conf.d/50-workers.conf Normal file
View File

@@ -0,0 +1,68 @@
# Workers are set to NOT auto start so we have time to enforce permissions on the cache first
[group:misp-workers]
programs=default,email,cache,prio,update
[program:default]
directory=/var/www/MISP
command=/var/www/MISP/app/Console/cake start_worker default
process_name=%(program_name)s_%(process_num)02d
numprocs=%(ENV_NUM_WORKERS_DEFAULT)s
autostart=false
autorestart=true
redirect_stderr=false
stderr_logfile=/var/www/MISP/app/tmp/logs/misp-workers-errors.log
stdout_logfile=/var/www/MISP/app/tmp/logs/misp-workers.log
directory=/var/www/MISP
user=www-data
[program:prio]
directory=/var/www/MISP
command=/var/www/MISP/app/Console/cake start_worker prio
process_name=%(program_name)s_%(process_num)02d
numprocs=%(ENV_NUM_WORKERS_PRIO)s
autostart=false
autorestart=true
redirect_stderr=false
stderr_logfile=/var/www/MISP/app/tmp/logs/misp-workers-errors.log
stdout_logfile=/var/www/MISP/app/tmp/logs/misp-workers.log
directory=/var/www/MISP
user=www-data
[program:email]
directory=/var/www/MISP
command=/var/www/MISP/app/Console/cake start_worker email
process_name=%(program_name)s_%(process_num)02d
numprocs=%(ENV_NUM_WORKERS_EMAIL)s
autostart=false
autorestart=true
redirect_stderr=false
stderr_logfile=/var/www/MISP/app/tmp/logs/misp-workers-errors.log
stdout_logfile=/var/www/MISP/app/tmp/logs/misp-workers.log
directory=/var/www/MISP
user=www-data
[program:update]
directory=/var/www/MISP
command=/var/www/MISP/app/Console/cake start_worker update
process_name=%(program_name)s_%(process_num)02d
numprocs=%(ENV_NUM_WORKERS_UPDATE)s
autostart=false
autorestart=true
redirect_stderr=false
stderr_logfile=/var/www/MISP/app/tmp/logs/misp-workers-errors.log
stdout_logfile=/var/www/MISP/app/tmp/logs/misp-workers.log
directory=/var/www/MISP
user=www-data
[program:cache]
directory=/var/www/MISP
command=/var/www/MISP/app/Console/cake start_worker cache
process_name=%(program_name)s_%(process_num)02d
numprocs=%(ENV_NUM_WORKERS_CACHE)s
autostart=false
autorestart=true
redirect_stderr=false
stderr_logfile=/var/www/MISP/app/tmp/logs/misp-workers-errors.log
stdout_logfile=/var/www/MISP/app/tmp/logs/misp-workers.log
user=www-data

48
misp/core/files/rest_client.sh Normal file
View File

@@ -0,0 +1,48 @@
#!/bin/bash
if ! command -v jq &> /dev/null
then
echo "aborting. jq could not be found"
exit
fi
if ! command -v curl &> /dev/null
then
echo "aborting. curl could not be found"
exit
fi
add_organization() {
# empty uuid fallbacks to auto-generate
curl -s --show-error -k \
-H "Authorization: ${2}" \
-H "Accept: application/json" \
-H "Content-type: application/json" \
-d "{ \
\"uuid\": \"${5}\", \
\"name\": \"${3}\", \
\"local\": ${4} \
}" ${1}/admin/organisations/add
}
get_organization() {
curl -s --show-error -k \
-H "Authorization: ${2}" \
-H "Accept: application/json" \
-H "Content-type: application/json" ${1}/organisations/view/${3} | jq -e -r ".Organisation.id // empty"
}
add_server() {
curl -s --show-error -k \
-H "Authorization: ${2}" \
-H "Accept: application/json" \
-H "Content-type: application/json" \
-d "${3}" ${1}/servers/add
}
get_server() {
curl -s --show-error -k \
-H "Authorization: ${2}" \
-H "Accept: application/json" \
-H "Content-type: application/json" ${1}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${3}\") | .Server.id"
}

18
misp/core/files/utilities.sh Normal file
View File

@@ -0,0 +1,18 @@
#!/bin/bash
# Check whether passed env variables are defined
check_env_vars() {
local required_vars=("$@")
missing_vars=()
for i in "${required_vars[@]}"
do
test -n "${!i:+y}" || missing_vars+=("$i")
done
if [ ${#missing_vars[@]} -ne 0 ]
then
echo "The following env variables are not set:"
printf ' %q\n' "${missing_vars[@]}"
exit 1
fi
}

3
misp/core/files/var/www/html/index.php Normal file
View File

@@ -0,0 +1,3 @@
<html>
MISP is loading...
</html>