-
Notifications
You must be signed in to change notification settings - Fork 90
/
configure_misp.sh
executable file
·297 lines (248 loc) · 13.6 KB
/
configure_misp.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
#!/bin/bash
source /rest_client.sh
[ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
[ -z "$REDIS_FQDN" ] && REDIS_FQDN="redis"
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
[ -z "$OIDC_PROVIDER_URL" ] && OIDC_PROVIDER_URL="test_provider"
[ -z "$OIDC_CLIENT_ID" ] && OIDC_CLIENT_ID="test_client_id"
[ -z "$OIDC_CLIENT_SECRET" ] && OIDC_CLIENT_SECRET="test_client_secret"
[ -z "$OIDC_ROLES_PROPERTY" ] && OIDC_ROLES_PROPERTY="roles"
[ -z "$OIDC_ROLES_MAPPING" ] && OIDC_ROLES_MAPPING="{
\"admin\": \"1\",
\"sync-user\": \"5\"
}"
[ -z "$OIDC_DEFAULT_ORG" ] && OIDC_DEFAULT_ORG="$ADMIN_ORG"
# Switches to selectively disable configuration logic
[ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
[ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
[ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
init_configuration(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring default settings"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.baseurl" "$HOSTNAME"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${MISP_CONTACT-$ADMIN_EMAIL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.python_bin" $(which python3)
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q -f "MISP.ca_path" "/etc/ssl/certs/ca-certificates.crt"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Import_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Import_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Export_services_enable" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Export_services_url" "$MISP_MODULES_FQDN"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Cortex_services_enable" false
}
init_workers(){
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
echo "... configuring background workers"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.enabled" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_port" 9001
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_password" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.supervisor_user" "supervisor"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "SimpleBackgroundJobs.redis_host" "$REDIS_FQDN"
echo "... starting background workers"
supervisorctl start misp-workers:*
}
configure_gnupg() {
if [ "$AUTOCONF_GPG" != "true" ]; then
echo "... GPG auto configuration disabled"
return
fi
GPG_DIR=/var/www/MISP/.gnupg
GPG_ASC=/var/www/MISP/app/webroot/gpg.asc
GPG_TMP=/tmp/gpg.tmp
if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then
echo "... generating new GPG key in ${GPG_DIR}"
cat >${GPG_TMP} <<GPGEOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 3072
Name-Real: MISP Admin
Name-Email: ${MISP_EMAIL-$ADMIN_EMAIL}
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
%commit
%echo Done
GPGEOF
mkdir -p ${GPG_DIR}
gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP}
rm -f ${GPG_TMP}
else
echo "... found pre-generated GPG key in ${GPG_DIR}"
fi
# Fix permissions
chown -R www-data:www-data ${GPG_DIR}
find ${GPG_DIR} -type f -exec chmod 600 {} \;
find ${GPG_DIR} -type d -exec chmod 700 {} \;
if [ ! -f ${GPG_ASC} ]; then
echo "... exporting GPG key"
sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${MISP_EMAIL-$ADMIN_EMAIL} > ${GPG_ASC}
else
echo "... found exported key ${GPG_ASC}"
fi
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.email" "${MISP_EMAIL-$ADMIN_EMAIL}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.homedir" "${GPG_DIR}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.password" "${GPG_PASSPHRASE}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
}
set_up_oidc() {
if [[ "$OIDC_ENABLE" != "true" ]]; then
echo "... OIDC authentication disabled"
return
fi
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": [\"OidcAuth.Oidc\"]
}
}" > /dev/null
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"OidcAuth\": {
\"provider_url\": \"${OIDC_PROVIDER_URL}\",
\"client_id\": \"${OIDC_CLIENT_ID}\",
\"client_secret\": \"${OIDC_CLIENT_SECRET}\",
\"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
\"role_mapper\": ${OIDC_ROLES_MAPPING},
\"default_org\": \"${OIDC_DEFAULT_ORG}\"
}
}" > /dev/null
# Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
}
apply_updates() {
# Disable weird default
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
# Run updates (strip colors since output might end up in a log)
sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g"
}
init_user() {
# Create the main user if it is not there already
sudo -u www-data /var/www/MISP/app/Console/cake userInit -q 2>&1 > /dev/null
echo "UPDATE misp.users SET email = \"${ADMIN_EMAIL}\" WHERE id = 1;" | ${MYSQLCMD}
if [ ! -z "$ADMIN_ORG" ]; then
echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD}
fi
if [ -n "$ADMIN_KEY" ]; then
echo "... setting admin key to '${ADMIN_KEY}'"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
elif [ -z "$ADMIN_KEY" ] && [ "$AUTOGEN_ADMIN_KEY" == "true" ]; then
echo "... regenerating admin key (set \$ADMIN_KEY if you want it to change)"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
else
echo "... admin user key auto generation disabled"
fi
if [[ -v CHANGE_CMD[@] ]]; then
ADMIN_KEY=$("${CHANGE_CMD[@]}" | awk 'END {print $NF; exit}')
echo "... admin user key set to '${ADMIN_KEY}'"
fi
if [ ! -z "$ADMIN_PASSWORD" ]; then
echo "... setting admin password to '${ADMIN_PASSWORD}'"
PASSWORD_POLICY=$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting "Security.password_policy_complexity" | jq ".value" -r)
PASSWORD_LENGTH=$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting "Security.password_policy_length" | jq ".value")
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" 1
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" '/.*/'
sudo -u www-data /var/www/MISP/app/Console/cake User change_pw "${ADMIN_EMAIL}" "${ADMIN_PASSWORD}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" "${PASSWORD_POLICY}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" "${PASSWORD_LENGTH}"
else
echo "... setting admin password skipped"
fi
echo 'UPDATE misp.users SET change_pw = 0 WHERE id = 1;' | ${MYSQLCMD}
}
apply_critical_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.external_baseurl" "${HOSTNAME}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.host_org_id" 1
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Action_services_enable" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_enable" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_popover_only" false
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.csp_enforce" true
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"rest_client_baseurl\": \"${HOSTNAME}\"
}
}" > /dev/null
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": \"\"
}
}" > /dev/null
# Avoids displaying errors not relevant to a docker container
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.self_update" false
}
apply_optional_fixes() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_top" ""
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_bottom" ""
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${ADMIN_EMAIL}"
# This is not necessary because we update the DB directly
# sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.org" "${ADMIN_ORG}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_client_ip" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips_authkeys" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_timeout" 30
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.Enrichment_hover_timeout" 5
}
update_components() {
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
}
create_sync_servers() {
if [ -z "$ADMIN_KEY" ]; then
echo "... admin key auto configuration is required to configure sync servers"
return
fi
SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
for ID in $SPLITTED_SYNCSERVERS; do
DATA="SYNCSERVERS_${ID}_DATA"
# Validate #1
NAME=$(echo "${!DATA}" | jq -r '.name')
if [[ -z $NAME ]]; then
echo "... error missing sync server name"
continue
fi
# Skip sync server if we can
echo "... searching sync server ${NAME}"
SERVER_ID=$(get_server ${HOSTNAME} ${ADMIN_KEY} ${NAME})
if [[ -n "$SERVER_ID" ]]; then
echo "... found existing sync server ${NAME} with id ${SERVER_ID}"
continue
fi
# Validate #2
UUID=$(echo "${!DATA}" | jq -r '.remote_org_uuid')
if [[ -z "$UUID" ]]; then
echo "... error missing sync server remote_org_uuid"
continue
fi
# Get remote organization
echo "... searching remote organization ${UUID}"
ORG_ID=$(get_organization ${HOSTNAME} ${ADMIN_KEY} ${UUID})
if [[ -z "$ORG_ID" ]]; then
# Add remote organization if missing
echo "... adding missing organization ${UUID}"
add_organization ${HOSTNAME} ${ADMIN_KEY} ${NAME} false ${UUID} > /dev/null
ORG_ID=$(get_organization ${HOSTNAME} ${ADMIN_KEY} ${UUID})
fi
# Add sync server
echo "... adding new sync server ${NAME} with organization id ${ORG_ID}"
JSON_DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} 'del(.remote_org_uuid) | . + {remote_org_id: $org_id}')
add_server ${HOSTNAME} ${ADMIN_KEY} "$JSON_DATA" > /dev/null
done
}
echo "MISP | Initialize configuration ..." && init_configuration
echo "MISP | Initialize workers ..." && init_workers
echo "MISP | Configure GPG key ..." && configure_gnupg
echo "MISP | Apply updates ..." && apply_updates
echo "MISP | Init default user and organization ..." && init_user
echo "MISP | Resolve critical issues ..." && apply_critical_fixes
echo "MISP | Resolve non-critical issues ..." && apply_optional_fixes
echo "MISP | Create sync servers ..." && create_sync_servers
echo "MISP | Update components ..." && update_components
echo "MISP | Set Up OIDC ..." && set_up_oidc
echo "MISP | Mark instance live"
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1