first sync

misp/core/files/configure_misp.sh

@@ -0,0 +1,327 @@
+#!/bin/bash
+
+source /rest_client.sh
+source /utilities.sh
+
+[ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
+[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
+[ -z "$REDIS_FQDN" ] && REDIS_FQDN="redis"
+[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
+
+# Switches to selectively disable configuration logic
+[ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
+[ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
+[ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
+[ -z "$LDAP_ENABLE" ] && LDAP_ENABLE="false"
+
+init_configuration(){
+    # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
+    echo "... configuring default settings"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.baseurl" "$BASE_URL"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${MISP_CONTACT-$ADMIN_EMAIL}"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.redis_host" "$REDIS_FQDN"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.python_bin" $(which python3)
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q -f "MISP.ca_path" "/etc/ssl/certs/ca-certificates.crt"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_services_enable" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Import_services_enable" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Export_services_enable" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Cortex_services_enable" false
+}
+
+init_workers(){
+    # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
+    echo "... configuring background workers"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.enabled" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_port" 9001
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_password" "supervisor"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_user" "supervisor"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
+
+    echo "... starting background workers"
+    supervisorctl start misp-workers:*
+}
+
+configure_gnupg() {
+    if [ "$AUTOCONF_GPG" != "true" ]; then
+        echo "... GPG auto configuration disabled"
+        return
+    fi
+
+    GPG_DIR=/var/www/MISP/.gnupg
+    GPG_ASC=/var/www/MISP/app/webroot/gpg.asc
+    GPG_TMP=/tmp/gpg.tmp
+
+    if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then
+        echo "... generating new GPG key in ${GPG_DIR}"
+        cat >${GPG_TMP} <<GPGEOF
+%echo Generating a basic OpenPGP key
+Key-Type: RSA
+Key-Length: 3072
+Name-Real: MISP Admin
+Name-Email: ${MISP_EMAIL-$ADMIN_EMAIL}
+Expire-Date: 0
+Passphrase: $GPG_PASSPHRASE
+%commit
+%echo Done
+GPGEOF
+        mkdir -p ${GPG_DIR}
+        gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP}
+        rm -f ${GPG_TMP}
+    else
+        echo "... found pre-generated GPG key in ${GPG_DIR}"
+    fi
+
+    # Fix permissions
+    chown -R www-data:www-data ${GPG_DIR}
+    find ${GPG_DIR} -type f -exec chmod 600 {} \;
+    find ${GPG_DIR} -type d -exec chmod 700 {} \;
+
+    if [ ! -f ${GPG_ASC} ]; then
+        echo "... exporting GPG key"
+        sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${MISP_EMAIL-$ADMIN_EMAIL} > ${GPG_ASC}
+    else
+        echo "... found exported key ${GPG_ASC}"
+    fi
+
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.homedir" "${GPG_DIR}"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.password" "${GPG_PASSPHRASE}"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
+}
+
+set_up_oidc() {
+    if [[ "$OIDC_ENABLE" != "true" ]]; then
+        echo "... OIDC authentication disabled"
+        return
+    fi
+
+    # Check required variables
+    check_env_vars OIDC_PROVIDER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ROLES_PROPERTY OIDC_ROLES_MAPPING OIDC_DEFAULT_ORG
+
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"Security\": {
+            \"auth\": [\"OidcAuth.Oidc\"]
+        }
+    }" > /dev/null
+
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"OidcAuth\": {
+            \"provider_url\": \"${OIDC_PROVIDER_URL}\",
+            \"client_id\": \"${OIDC_CLIENT_ID}\",
+            \"client_secret\": \"${OIDC_CLIENT_SECRET}\",
+            \"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
+            \"role_mapper\": ${OIDC_ROLES_MAPPING},
+            \"default_org\": \"${OIDC_DEFAULT_ORG}\"
+        }
+    }" > /dev/null
+
+    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
+}
+
+set_up_ldap() {
+    if [[ "$LDAP_ENABLE" != "true" ]]; then
+        echo "... LDAP authentication disabled"
+        return
+    fi
+
+    # Check required variables
+    # LDAP_SEARCH_FILTER may be empty
+    check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS 
+
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"ApacheSecureAuth\": {
+            \"apacheEnv\": \"${LDAP_APACHE_ENV}\",
+            \"ldapServer\": \"${LDAP_SERVER}\",
+            \"starttls\": ${LDAP_STARTTLS},
+            \"ldapProtocol\": ${LDAP_OPT_PROTOCOL_VERSION},
+            \"ldapNetworkTimeout\": ${LDAP_OPT_NETWORK_TIMEOUT},
+            \"ldapReaderUser\": \"${LDAP_READER_USER}\",
+            \"ldapReaderPassword\": \"${LDAP_READER_PASSWORD}\",
+            \"ldapDN\": \"${LDAP_DN}\",
+            \"ldapSearchFilter\": \"${LDAP_SEARCH_FILTER}\",
+            \"ldapSearchAttribut\": \"${LDAP_SEARCH_ATTRIBUTE}\",
+            \"ldapFilter\": ${LDAP_FILTER},
+            \"ldapDefaultRoleId\": ${LDAP_DEFAULT_ROLE_ID},
+            \"ldapDefaultOrg\": \"${LDAP_DEFAULT_ORG}\",
+            \"ldapAllowReferrals\": ${LDAP_OPT_REFERRALS},
+            \"ldapEmailField\": ${LDAP_EMAIL_FIELD}
+        }
+    }" > /dev/null
+}
+
+apply_updates() {
+    # Disable weird default
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
+    # Run updates (strip colors since output might end up in a log)
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g"
+}
+
+init_user() {
+    # Create the main user if it is not there already
+    sudo -u www-data /var/www/MISP/app/Console/cake userInit -q 2>&1 > /dev/null
+
+    echo "UPDATE misp.users SET email = \"${ADMIN_EMAIL}\" WHERE id = 1;" | ${MYSQLCMD}
+
+    if [ ! -z "$ADMIN_ORG" ]; then
+        echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD}
+    fi
+
+    if [ -n "$ADMIN_KEY" ]; then
+        echo "... setting admin key to '${ADMIN_KEY}'"
+        CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
+    elif [ -z "$ADMIN_KEY" ] && [ "$AUTOGEN_ADMIN_KEY" == "true" ]; then
+        echo "... regenerating admin key (set \$ADMIN_KEY if you want it to change)"
+        CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
+    else
+        echo "... admin user key auto generation disabled"
+    fi
+
+    if [[ -v CHANGE_CMD[@] ]]; then
+        ADMIN_KEY=$("${CHANGE_CMD[@]}" | awk 'END {print $NF; exit}')
+        echo "... admin user key set to '${ADMIN_KEY}'"
+    fi
+
+    if [ ! -z "$ADMIN_PASSWORD" ]; then
+        echo "... setting admin password to '${ADMIN_PASSWORD}'"
+        PASSWORD_POLICY=$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting "Security.password_policy_complexity" | jq ".value" -r)
+        PASSWORD_LENGTH=$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting "Security.password_policy_length" | jq ".value")
+        sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" 1
+        sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" '/.*/'
+        sudo -u www-data /var/www/MISP/app/Console/cake User change_pw "${ADMIN_EMAIL}" "${ADMIN_PASSWORD}"
+        sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" "${PASSWORD_POLICY}"
+        sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" "${PASSWORD_LENGTH}"
+    else
+        echo "... setting admin password skipped"
+    fi
+    echo 'UPDATE misp.users SET change_pw = 0 WHERE id = 1;' | ${MYSQLCMD}
+}
+
+apply_critical_fixes() {
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.external_baseurl" "${BASE_URL}"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.host_org_id" 1
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Action_services_enable" false
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_enable" false
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_popover_only" false
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.csp_enforce" true
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"Security\": {
+            \"rest_client_baseurl\": \"${BASE_URL}\"
+        }
+    }" > /dev/null
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"Security\": {
+            \"auth\": \"\"
+        }
+    }" > /dev/null
+    # Avoids displaying errors not relevant to a docker container
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.self_update" false
+}
+
+apply_optional_fixes() {
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_top" ""
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_bottom" ""
+
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${ADMIN_EMAIL}"
+    # This is not necessary because we update the DB directly
+    # sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.org" "${ADMIN_ORG}"
+
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_client_ip" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips_authkeys" true
+
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_timeout" 30
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_timeout" 5
+}
+
+update_components() {
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
+}
+
+
+create_sync_servers() {
+    if [ -z "$ADMIN_KEY" ]; then
+        echo "... admin key auto configuration is required to configure sync servers"
+        return
+    fi
+
+    SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
+    for ID in $SPLITTED_SYNCSERVERS; do
+        DATA="SYNCSERVERS_${ID}_DATA"
+
+        # Validate #1
+        NAME=$(echo "${!DATA}" | jq -r '.name')
+        if [[ -z $NAME ]]; then
+            echo "... error missing sync server name"
+            continue
+        fi
+
+        # Skip sync server if we can
+        echo "... searching sync server ${NAME}"
+        SERVER_ID=$(get_server ${BASE_URL} ${ADMIN_KEY} ${NAME})
+        if [[ -n "$SERVER_ID" ]]; then
+            echo "... found existing sync server ${NAME} with id ${SERVER_ID}"
+            continue
+        fi
+
+        # Validate #2
+        UUID=$(echo "${!DATA}" | jq -r '.remote_org_uuid')
+        if [[ -z "$UUID" ]]; then
+            echo "... error missing sync server remote_org_uuid"
+            continue
+        fi
+
+        # Get remote organization
+        echo "... searching remote organization ${UUID}"
+        ORG_ID=$(get_organization ${BASE_URL} ${ADMIN_KEY} ${UUID})
+        if [[ -z "$ORG_ID" ]]; then
+            # Add remote organization if missing
+            echo "... adding missing organization ${UUID}"
+            add_organization ${BASE_URL} ${ADMIN_KEY} ${NAME} false ${UUID} > /dev/null
+            ORG_ID=$(get_organization ${BASE_URL} ${ADMIN_KEY} ${UUID})
+        fi
+
+        # Add sync server
+        echo "... adding new sync server ${NAME} with organization id ${ORG_ID}"
+        JSON_DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} 'del(.remote_org_uuid) | . + {remote_org_id: $org_id}')
+        add_server ${BASE_URL} ${ADMIN_KEY} "$JSON_DATA" > /dev/null
+    done
+}
+
+echo "MISP | Update CA certificates ..." && update-ca-certificates
+
+echo "MISP | Initialize configuration ..." && init_configuration
+
+echo "MISP | Initialize workers ..." && init_workers
+
+echo "MISP | Configure GPG key ..." && configure_gnupg
+
+echo "MISP | Apply updates ..." && apply_updates
+
+echo "MISP | Init default user and organization ..." && init_user
+
+echo "MISP | Resolve critical issues ..." && apply_critical_fixes
+
+echo "MISP | Resolve non-critical issues ..." && apply_optional_fixes
+
+echo "MISP | Create sync servers ..." && create_sync_servers
+
+echo "MISP | Update components ..." && update_components
+
+echo "MISP | Set Up OIDC ..." && set_up_oidc
+
+echo "MISP | Set Up LDAP ..." && set_up_ldap
+
+echo "MISP | Mark instance live"
+sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1

misp/core/files/entrypoint.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# export env variables again so they are not mandatory in docker-compose.yml in a backward compatible manner
+export NUM_WORKERS_DEFAULT=${NUM_WORKERS_DEFAULT:-${WORKERS:-5}}
+export NUM_WORKERS_PRIO=${NUM_WORKERS_PRIO:-${WORKERS:-5}}
+export NUM_WORKERS_EMAIL=${NUM_WORKERS_EMAIL:-${WORKERS:-5}}
+export NUM_WORKERS_UPDATE=${NUM_WORKERS_UPDATE:-${WORKERS:-1}}
+export NUM_WORKERS_CACHE=${NUM_WORKERS_CACHE:-${WORKERS:-5}}
+
+# start supervisord using the main configuration file so we have a socket interface
+/usr/bin/supervisord -c /etc/supervisor/supervisord.conf

misp/core/files/entrypoint_cron.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+[ -z "$CRON_USER_ID" ] && CRON_USER_ID=1
+
+term_procs() {
+    echo "Entrypoint CRON caught SIGTERM signal!"
+    echo "Killing process $p1_pid"
+    kill -TERM "$p1_pid" 2>/dev/null
+    echo "Killing process $p2_pid"
+    kill -TERM "$p2_pid" 2>/dev/null
+}
+
+trap term_procs SIGTERM
+
+# Create the misp cron tab
+cat << EOF > /etc/cron.d/misp
+20 2 * * * www-data /var/www/MISP/app/Console/cake Server cacheFeed "$CRON_USER_ID" all > /tmp/cronlog 2>&1
+30 2 * * * www-data /var/www/MISP/app/Console/cake Server fetchFeed "$CRON_USER_ID" all > /tmp/cronlog 2>&1
+
+0 0 * * * www-data /var/www/MISP/app/Console/cake Server pullAll "$CRON_USER_ID" > /tmp/cronlog 2>&1
+0 1 * * * www-data /var/www/MISP/app/Console/cake Server pushAll "$CRON_USER_ID" > /tmp/cronlog 2>&1
+
+00 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateGalaxies > /tmp/cronlog 2>&1
+10 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies > /tmp/cronlog 2>&1
+20 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateWarningLists > /tmp/cronlog 2>&1
+30 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists > /tmp/cronlog 2>&1
+45 3 * * * www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID" > /tmp/cronlog 2>&1
+
+EOF
+
+# Build a fifo buffer for the cron logs, 777 so anyone can write to it
+if [[ ! -p /tmp/cronlog ]]; then
+    mkfifo -m 777 /tmp/cronlog
+fi
+
+# Build another fifo for the cron pipe
+if [[ ! -p /tmp/cronpipe ]]; then
+    mkfifo /tmp/cronpipe
+fi
+
+# Execute the cron pipe
+cron -l -f > /tmp/cronpipe & p1_pid=$!
+tail -f /tmp/cronlog < /tmp/cronpipe & p2_pid=$!
+
+# Wait for both processes of the cron pipe
+wait "$p2_pid"
+wait "$p1_pid"

misp/core/files/entrypoint_fpm.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+[ -z "$REDIS_FQDN" ] && REDIS_FQDN=redis
+
+term_proc() {
+    echo "Entrypoint FPM caught SIGTERM signal!"
+    echo "Killing process $master_pid"
+    kill -TERM "$master_pid" 2>/dev/null
+}
+
+trap term_proc SIGTERM
+
+change_php_vars() {
+    for FILE in /etc/php/*/fpm/php.ini
+    do
+        [[ -e $FILE ]] || break
+        sed -i "s/memory_limit = .*/memory_limit = 2048M/" "$FILE"
+        sed -i "s/max_execution_time = .*/max_execution_time = 300/" "$FILE"
+        sed -i "s/upload_max_filesize = .*/upload_max_filesize = 50M/" "$FILE"
+        sed -i "s/post_max_size = .*/post_max_size = 50M/" "$FILE"
+        sed -i "s/session.save_handler = .*/session.save_handler = redis/" "$FILE"
+        sed -i "s|.*session.save_path = .*|session.save_path = 'tcp://${REDIS_FQDN}:6379'|" "$FILE"
+    done
+}
+
+echo "Configure PHP | Change PHP values ..." && change_php_vars
+
+echo "Configure PHP | Starting PHP FPM"
+/usr/sbin/php-fpm7.4 -R -F & master_pid=$!
+
+# Wait for it
+wait "$master_pid"

misp/core/files/entrypoint_nginx.sh

@@ -0,0 +1,272 @@
+#!/bin/bash
+
+term_proc() {
+    echo "Entrypoint NGINX caught SIGTERM signal!"
+    echo "Killing process $master_pid"
+    kill -TERM "$master_pid" 2>/dev/null
+}
+
+trap term_proc SIGTERM
+
+[ -z "$MYSQL_HOST" ] && MYSQL_HOST=db
+[ -z "$MYSQL_PORT" ] && MYSQL_PORT=3306
+[ -z "$MYSQL_USER" ] && MYSQL_USER=misp
+[ -z "$MYSQL_PASSWORD" ] && MYSQL_PASSWORD=example
+[ -z "$MYSQL_DATABASE" ] && MYSQL_DATABASE=misp
+[ -z "$MYSQLCMD" ] && export MYSQLCMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
+[ -z "$CRON_USER_ID" ] && export CRON_USER_ID="1"
+[ -z "$BASE_URL" ] && export BASE_URL="https://localhost"
+[ -z "$DISABLE_IPV6" ] && export DISABLE_IPV6=false
+
+init_mysql(){
+    # Test when MySQL is ready....
+    # wait for Database come ready
+    isDBup () {
+        echo "SHOW STATUS" | $MYSQLCMD 1>/dev/null
+        echo $?
+    }
+
+    isDBinitDone () {
+        # Table attributes has existed since at least v2.1
+        echo "DESCRIBE attributes" | $MYSQLCMD 1>/dev/null
+        echo $?
+    }
+
+    RETRY=100
+    until [ $(isDBup) -eq 0 ] || [ $RETRY -le 0 ] ; do
+        echo "... waiting for database to come up"
+        sleep 5
+        RETRY=$(( RETRY - 1))
+    done
+    if [ $RETRY -le 0 ]; then
+        >&2 echo "... error: Could not connect to Database on $MYSQL_HOST:$MYSQL_PORT"
+        exit 1
+    fi
+
+    if [ $(isDBinitDone) -eq 0 ]; then
+        echo "... database has already been initialized"
+    else
+        echo "... database has not been initialized, importing MySQL scheme..."
+        $MYSQLCMD < /var/www/MISP/INSTALL/MYSQL.sql
+    fi
+}
+
+init_misp_data_files(){
+    # Init config (shared with host)
+    echo "... initialize configuration files"
+    MISP_APP_CONFIG_PATH=/var/www/MISP/app/Config
+    # workaround for https://forums.docker.com/t/sed-couldnt-open-temporary-file-xyz-permission-denied-when-using-virtiofs/125473
+    # [ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH.dist/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php
+    # [ -f $MISP_APP_CONFIG_PATH/database.php ] || cp $MISP_APP_CONFIG_PATH.dist/database.default.php $MISP_APP_CONFIG_PATH/database.php
+    # [ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH.dist/core.default.php $MISP_APP_CONFIG_PATH/core.php
+    # [ -f $MISP_APP_CONFIG_PATH/config.php ] || cp $MISP_APP_CONFIG_PATH.dist/config.default.php $MISP_APP_CONFIG_PATH/config.php
+    # [ -f $MISP_APP_CONFIG_PATH/email.php ] || cp $MISP_APP_CONFIG_PATH.dist/email.php $MISP_APP_CONFIG_PATH/email.php
+    # [ -f $MISP_APP_CONFIG_PATH/routes.php ] || cp $MISP_APP_CONFIG_PATH.dist/routes.php $MISP_APP_CONFIG_PATH/routes.php
+    [ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/bootstrap.default.php of=$MISP_APP_CONFIG_PATH/bootstrap.php
+    [ -f $MISP_APP_CONFIG_PATH/database.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/database.default.php of=$MISP_APP_CONFIG_PATH/database.php
+    [ -f $MISP_APP_CONFIG_PATH/core.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/core.default.php of=$MISP_APP_CONFIG_PATH/core.php
+    [ -f $MISP_APP_CONFIG_PATH/config.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/config.default.php of=$MISP_APP_CONFIG_PATH/config.php
+    [ -f $MISP_APP_CONFIG_PATH/email.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/email.php of=$MISP_APP_CONFIG_PATH/email.php
+    [ -f $MISP_APP_CONFIG_PATH/routes.php ] || dd if=$MISP_APP_CONFIG_PATH.dist/routes.php of=$MISP_APP_CONFIG_PATH/routes.php
+
+    echo "... initialize database.php settings"
+    # workaround for https://forums.docker.com/t/sed-couldnt-open-temporary-file-xyz-permission-denied-when-using-virtiofs/125473
+    # sed -i "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php
+    # sed -i "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php
+    # sed -i "s/3306/$MYSQL_PORT/" $MISP_APP_CONFIG_PATH/database.php
+    # sed -i "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php
+    # sed -i "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php
+    chmod +w $MISP_APP_CONFIG_PATH/database.php
+    sed "s/localhost/$MYSQL_HOST/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
+    sed "s/db\s*login/$MYSQL_USER/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
+    sed "s/3306/$MYSQL_PORT/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
+    sed "s/db\s*password/$MYSQL_PASSWORD/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
+    sed "s/'database' => 'misp'/'database' => '$MYSQL_DATABASE'/" $MISP_APP_CONFIG_PATH/database.php > tmp; cat tmp > $MISP_APP_CONFIG_PATH/database.php; rm tmp
+
+    echo "... initialize email.php settings"
+    chmod +w $MISP_APP_CONFIG_PATH/email.php
+    tee $MISP_APP_CONFIG_PATH/email.php > /dev/null <<EOT
+<?php
+class EmailConfig {
+    public \$default = array(
+        'transport'     => 'Smtp',
+        'from'          => array('misp-dev@admin.test' => 'Misp DEV'),
+        'host'          => 'mail',
+        'port'          => 25,
+        'timeout'       => 30,
+        'client'        => null,
+        'log'           => false,
+    );
+    public \$smtp = array(
+        'transport'     => 'Smtp',
+        'from'          => array('misp-dev@admin.test' => 'Misp DEV'),
+        'host'          => 'mail',
+        'port'          => 25,
+        'timeout'       => 30,
+        'client'        => null,
+        'log'           => false,
+    );
+    public \$fast = array(
+        'from'          => 'misp-dev@admin.test',
+        'sender'        => null,
+        'to'            => null,
+        'cc'            => null,
+        'bcc'           => null,
+        'replyTo'       => null,
+        'readReceipt'   => null,
+        'returnPath'    => null,
+        'messageId'     => true,
+        'subject'       => null,
+        'message'       => null,
+        'headers'       => null,
+        'viewRender'    => null,
+        'template'      => false,
+        'layout'        => false,
+        'viewVars'      => null,
+        'attachments'   => null,
+        'emailFormat'   => null,
+        'transport'     => 'Smtp',
+        'host'          => 'mail',
+        'port'          => 25,
+        'timeout'       => 30,
+        'client'        => null,
+        'log'           => true,
+    );
+}
+EOT
+    chmod -w $MISP_APP_CONFIG_PATH/email.php
+
+    # Init files (shared with host)
+    echo "... initialize app files"
+    MISP_APP_FILES_PATH=/var/www/MISP/app/files
+    if [ ! -f ${MISP_APP_FILES_PATH}/INIT ]; then
+        cp -R ${MISP_APP_FILES_PATH}.dist/* ${MISP_APP_FILES_PATH}
+        touch ${MISP_APP_FILES_PATH}/INIT
+    fi
+}
+
+update_misp_data_files(){
+    for DIR in $(ls /var/www/MISP/app/files.dist); do
+        if [ "$DIR" = "certs" ]; then
+            echo "... rsync -azh \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
+            rsync -azh "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
+        else
+            echo "... rsync -azh --delete \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
+            rsync -azh --delete "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
+        fi
+    done
+}
+
+enforce_misp_data_permissions(){
+    echo "... chown -R www-data:www-data /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
+    # Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
+    echo "... chmod -R 0550 files /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 550 -type f -exec chmod 0550 {} +
+    # Directories are also writable, because there seems to be a requirement to add new files every once in a while
+    echo "... chmod -R 0770 directories /var/www/MISP/app/tmp" && find /var/www/MISP/app/tmp -not -perm 770 -type d -exec chmod 0770 {} +
+    # We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
+    echo "... chmod -R u+w,g+w /var/www/MISP/app/tmp" && chmod -R u+w,g+w /var/www/MISP/app/tmp
+    
+    echo "... chown -R www-data:www-data /var/www/MISP/app/files" && find /var/www/MISP/app/files \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
+    # Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
+    echo "... chmod -R 0550 files /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 550 -type f -exec chmod 0550 {} +
+    # Directories are also writable, because there seems to be a requirement to add new files every once in a while
+    echo "... chmod -R 0770 directories /var/www/MISP/app/files" && find /var/www/MISP/app/files -not -perm 770 -type d -exec chmod 0770 {} +
+    # We make 'files' and 'tmp' (logs) directories and files user and group writable (we removed the SGID bit)
+    echo "... chmod -R u+w,g+w /var/www/MISP/app/files" && chmod -R u+w,g+w /var/www/MISP/app/files
+    
+    echo "... chown -R www-data:www-data /var/www/MISP/app/Config" && find /var/www/MISP/app/Config \( ! -user www-data -or ! -group www-data \) -exec chown www-data:www-data {} +
+    # Files are also executable and read only, because we have some rogue scripts like 'cake' and we can not do a full inventory
+    echo "... chmod -R 0550 files /var/www/MISP/app/Config ..." && find /var/www/MISP/app/Config -not -perm 550 -type f -exec chmod 0550 {} +
+    # Directories are also writable, because there seems to be a requirement to add new files every once in a while
+    echo "... chmod -R 0770 directories /var/www/MISP/app/Config" && find /var/www/MISP/app/Config -not -perm 770 -type d -exec chmod 0770 {} +
+    # We make configuration files read only
+    echo "... chmod 600 /var/www/MISP/app/Config/{config,database,email}.php" && chmod 600 /var/www/MISP/app/Config/{config,database,email}.php
+}
+
+flip_nginx() {
+    local live="$1";
+    local reload="$2";
+
+    if [[ "$live" = "true" ]]; then
+        NGINX_DOC_ROOT=/var/www/MISP/app/webroot
+    elif [[ -x /custom/files/var/www/html/index.php ]]; then
+        NGINX_DOC_ROOT=/custom/files/var/www/html/
+    else
+        NGINX_DOC_ROOT=/var/www/html/
+    fi
+
+    # must be valid for all roots
+    echo "... nginx docroot set to ${NGINX_DOC_ROOT}"
+    sed -i "s|root.*var/www.*|root ${NGINX_DOC_ROOT};|" /etc/nginx/sites-available/misp
+
+    if [[ "$reload" = "true" ]]; then
+        echo "... nginx reloaded"
+        nginx -s reload
+    fi
+}
+
+init_nginx() {
+    # Testing for files also test for links, and generalize better to mounted files
+    if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
+        echo "... enabling port 80 redirect"
+        if [[ "$DISABLE_IPV6" = "true" ]]; then
+            sed -i "/\[::\]/d" /etc/nginx/sites-available/misp80
+        fi
+        ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
+    else
+        echo "... port 80 already configured"
+    fi
+
+    # Testing for files also test for links, and generalize better to mounted files
+    if [[ ! -f "/etc/nginx/sites-enabled/misp" ]]; then
+        echo "... enabling port 443"
+        if [[ "$DISABLE_IPV6" = "true" ]]; then
+            sed -i "/\[::\]/d" /etc/nginx/sites-available/misp
+        fi
+        ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
+    else
+        echo "... port 443 already configured"
+    fi
+    
+    if [[ ! -f /etc/nginx/certs/cert.pem || ! -f /etc/nginx/certs/key.pem ]]; then
+        echo "... generating new self-signed TLS certificate"
+        openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout /etc/nginx/certs/key.pem -out /etc/nginx/certs/cert.pem -days 365
+    else
+        echo "... TLS certificates found"
+    fi
+    
+    if [[ ! -f /etc/nginx/certs/dhparams.pem ]]; then
+        echo "... generating new DH parameters"
+        openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
+    else
+        echo "... DH parameters found"
+    fi
+
+    flip_nginx false false
+}
+
+
+# Initialize MySQL
+echo "INIT | Initialize MySQL ..." && init_mysql
+
+# Initialize NGINX
+echo "INIT | Initialize NGINX ..." && init_nginx
+nginx -g 'daemon off;' & master_pid=$!
+
+# Initialize MISP
+echo "INIT | Initialize MISP files and configurations ..." && init_misp_data_files
+echo "INIT | Update MISP app/files directory ..." && update_misp_data_files
+echo "INIT | Enforce MISP permissions ..." && enforce_misp_data_permissions
+echo "INIT | Flip NGINX live ..." && flip_nginx true true
+
+# Run configure MISP script
+echo "INIT | Configure MISP installation ..."
+/configure_misp.sh
+
+if [[ -x /custom/files/customize_misp.sh ]]; then
+    echo "INIT | Customize MISP installation ..."
+    /custom/files/customize_misp.sh
+fi
+
+# Wait for it
+wait "$master_pid"

misp/core/files/etc/nginx/sites-available/misp

@@ -0,0 +1,53 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # define the root dir
+    root /var/www/MISP/app/webroot;
+    index index.php;
+
+    client_max_body_size 50M;
+
+    # disable access logs
+    access_log off;
+    log_not_found off;
+    error_log  /dev/stderr error;
+
+    ssl_certificate /etc/nginx/certs/cert.pem;
+    ssl_certificate_key /etc/nginx/certs/key.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # intermediate configuration
+    ssl_dhparam /etc/nginx/certs/dhparams.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # enable HSTS
+    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+    add_header X-Frame-Options SAMEORIGIN;
+
+    # added headers for hardening browser security
+    add_header Referrer-Policy "no-referrer" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Download-Options "noopen" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Robots-Tag "none" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    location / {
+        try_files $uri $uri/ /index.php$is_args$query_string;
+    }
+
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+        fastcgi_read_timeout 300;
+    }
+}

misp/core/files/etc/nginx/sites-available/misp80

@@ -0,0 +1,11 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    # Disable access logs
+    access_log off;
+    log_not_found off;
+    error_log  /dev/stderr error;
+
+    return 301 https://$host$request_uri;
+}

misp/core/files/etc/supervisor/conf.d/10-supervisor.conf

@@ -0,0 +1,39 @@
+[supervisord]
+nodaemon=true
+user=root
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[inet_http_server]
+port=127.0.0.1:9001
+username=supervisor
+password=supervisor
+
+[program:nginx]
+command=/entrypoint_nginx.sh
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:php-fpm]
+command=/entrypoint_fpm.sh
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:cron]
+command=/entrypoint_cron.sh
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

misp/core/files/etc/supervisor/conf.d/50-workers.conf

@@ -0,0 +1,68 @@
+# Workers are set to NOT auto start so we have time to enforce permissions on the cache first
+
+[group:misp-workers]
+programs=default,email,cache,prio,update
+
+[program:default]
+directory=/var/www/MISP
+command=/var/www/MISP/app/Console/cake start_worker default
+process_name=%(program_name)s_%(process_num)02d
+numprocs=%(ENV_NUM_WORKERS_DEFAULT)s
+autostart=false
+autorestart=true
+redirect_stderr=false
+stderr_logfile=/var/www/MISP/app/tmp/logs/misp-workers-errors.log
+stdout_logfile=/var/www/MISP/app/tmp/logs/misp-workers.log
+directory=/var/www/MISP
+user=www-data
+
+[program:prio]
+directory=/var/www/MISP
+command=/var/www/MISP/app/Console/cake start_worker prio
+process_name=%(program_name)s_%(process_num)02d
+numprocs=%(ENV_NUM_WORKERS_PRIO)s
+autostart=false
+autorestart=true
+redirect_stderr=false
+stderr_logfile=/var/www/MISP/app/tmp/logs/misp-workers-errors.log
+stdout_logfile=/var/www/MISP/app/tmp/logs/misp-workers.log
+directory=/var/www/MISP
+user=www-data
+
+[program:email]
+directory=/var/www/MISP
+command=/var/www/MISP/app/Console/cake start_worker email
+process_name=%(program_name)s_%(process_num)02d
+numprocs=%(ENV_NUM_WORKERS_EMAIL)s
+autostart=false
+autorestart=true
+redirect_stderr=false
+stderr_logfile=/var/www/MISP/app/tmp/logs/misp-workers-errors.log
+stdout_logfile=/var/www/MISP/app/tmp/logs/misp-workers.log
+directory=/var/www/MISP
+user=www-data
+
+[program:update]
+directory=/var/www/MISP
+command=/var/www/MISP/app/Console/cake start_worker update
+process_name=%(program_name)s_%(process_num)02d
+numprocs=%(ENV_NUM_WORKERS_UPDATE)s
+autostart=false
+autorestart=true
+redirect_stderr=false
+stderr_logfile=/var/www/MISP/app/tmp/logs/misp-workers-errors.log
+stdout_logfile=/var/www/MISP/app/tmp/logs/misp-workers.log
+directory=/var/www/MISP
+user=www-data
+
+[program:cache]
+directory=/var/www/MISP
+command=/var/www/MISP/app/Console/cake start_worker cache
+process_name=%(program_name)s_%(process_num)02d
+numprocs=%(ENV_NUM_WORKERS_CACHE)s
+autostart=false
+autorestart=true
+redirect_stderr=false
+stderr_logfile=/var/www/MISP/app/tmp/logs/misp-workers-errors.log
+stdout_logfile=/var/www/MISP/app/tmp/logs/misp-workers.log
+user=www-data

misp/core/files/rest_client.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+if ! command -v jq &> /dev/null
+then
+    echo "aborting. jq could not be found"
+    exit
+fi
+
+if ! command -v curl &> /dev/null
+then
+    echo "aborting. curl could not be found"
+    exit
+fi
+
+add_organization() {
+    # empty uuid fallbacks to auto-generate
+    curl -s --show-error -k \
+     -H "Authorization: ${2}" \
+     -H "Accept: application/json" \
+     -H "Content-type: application/json" \
+     -d "{ \
+        \"uuid\": \"${5}\", \
+        \"name\": \"${3}\", \
+        \"local\": ${4} \
+     }" ${1}/admin/organisations/add
+}
+
+get_organization() {
+    curl -s --show-error -k \
+     -H "Authorization: ${2}" \
+     -H "Accept: application/json" \
+     -H "Content-type: application/json" ${1}/organisations/view/${3} | jq -e -r ".Organisation.id // empty"
+}
+
+add_server() {
+    curl -s --show-error -k \
+     -H "Authorization: ${2}" \
+     -H "Accept: application/json" \
+     -H "Content-type: application/json" \
+     -d "${3}" ${1}/servers/add
+}
+
+get_server() {
+    curl -s --show-error -k \
+     -H "Authorization: ${2}" \
+     -H "Accept: application/json" \
+     -H "Content-type: application/json" ${1}/servers | jq -e -r ".[] | select(.Server[\"name\"] == \"${3}\") | .Server.id"
+}

misp/core/files/utilities.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Check whether passed env variables are defined
+check_env_vars() {
+    local required_vars=("$@")
+
+    missing_vars=()
+    for i in "${required_vars[@]}"
+    do
+        test -n "${!i:+y}" || missing_vars+=("$i")
+    done
+    if [ ${#missing_vars[@]} -ne 0 ]
+    then
+        echo "The following env variables are not set:"
+        printf ' %q\n' "${missing_vars[@]}"
+        exit 1
+    fi
+}

misp/core/files/var/www/html/index.php

@@ -0,0 +1,3 @@
+<html>
+MISP is loading...
+</html>