Difference between revisions of "Cyber Security: MISP Install"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) (Created page with " Install MISP on Ubuntu 22.04/Ubuntu 20.04 gen_too|Last Updated: November 8, 2022|Security, HowTos, Monitoring|Leave a Comment In this tutorial, you will learn how to install...") |
Onnowpurbo (talk | contribs) |
||
| Line 1: | Line 1: | ||
| − | |||
| − | |||
| − | |||
In this tutorial, you will learn how to install MISP on Ubuntu 22.04/Ubuntu 20.04. MISP, an acronym for Malware Information Sharing Platform, is an open source threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. | In this tutorial, you will learn how to install MISP on Ubuntu 22.04/Ubuntu 20.04. MISP, an acronym for Malware Information Sharing Platform, is an open source threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. | ||
| Line 21: | Line 18: | ||
To begin with, ensure your system package cache is up-to-date. | To begin with, ensure your system package cache is up-to-date. | ||
| − | sudo apt update | + | sudo apt update |
| + | |||
Install Postfix anf Other Required Packages | Install Postfix anf Other Required Packages | ||
If you want to configure MISP to sent out email notifications, you install Postfix to use with your preferred mail relays. | If you want to configure MISP to sent out email notifications, you install Postfix to use with your preferred mail relays. | ||
| − | sudo apt install postfix mailutils curl gcc git gpg-agent make libcaca-dev liblua5.3-dev \ | + | sudo apt install postfix mailutils curl gcc git gpg-agent make libcaca-dev liblua5.3-dev \ |
| − | python python3 openssl redis-server vim zip unzip virtualenv libfuzzy-dev sqlite3 \ | + | python python3 openssl redis-server vim zip unzip virtualenv libfuzzy-dev sqlite3 \ |
| − | moreutils python3-dev python3-pip libxml2-dev libxslt1-dev zlib1g-dev \ | + | moreutils python3-dev python3-pip libxml2-dev libxslt1-dev zlib1g-dev \ |
| − | python-setuptools openssl cmake | + | python-setuptools openssl cmake |
| + | |||
When prompted to choose the Postfix general type of mail configuration, select Internet Site | When prompted to choose the Postfix general type of mail configuration, select Internet Site | ||
| Line 37: | Line 36: | ||
Run the command below to create MISP user account and add it to other system groups. | Run the command below to create MISP user account and add it to other system groups. | ||
| − | sudo useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data,staff misp | + | sudo useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data,staff misp |
| + | |||
Set the password for the user account. | Set the password for the user account. | ||
| − | sudo passwd misp | + | sudo passwd misp |
| + | |||
Install LAMP Stack and Required Dependencies | Install LAMP Stack and Required Dependencies | ||
Run the command below to install LAMP stack and other required packages. | Run the command below to install LAMP stack and other required packages. | ||
| Line 46: | Line 47: | ||
Install MariaDB 10.9, current stable release version as of this writing. | Install MariaDB 10.9, current stable release version as of this writing. | ||
| − | curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=10.9 | + | curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=10.9 |
| − | sudo apt install mariadb-client mariadb-server -y | + | sudo apt install mariadb-client mariadb-server -y |
| + | |||
Install PHP 7.4 and required PHP modules; | Install PHP 7.4 and required PHP modules; | ||
| − | apt install libapache2-mod-php php php-cli php-dev php-json php-xml php-mysql php-opcache \ | + | apt install libapache2-mod-php php php-cli php-dev php-json php-xml php-mysql php-opcache \ |
| − | php-readline php-mbstring php-zip php-redis php-gnupg php-intl php-bcmath php-gd php-curl | + | php-readline php-mbstring php-zip php-redis php-gnupg php-intl php-bcmath php-gd php-curl |
| − | On Ubuntu 22.04, check this guide on how to install PHP 7.4 on Ubuntu 22.04. | + | On Ubuntu 22.04, check this guide on how to install PHP 7.4 on Ubuntu 22.04. |
Next, update the following PHP configuration options; | Next, update the following PHP configuration options; | ||
| − | vim /etc/php/7.4/apache2/php.ini | + | vim /etc/php/7.4/apache2/php.ini |
| − | upload_max_filesize="50M" | + | upload_max_filesize="50M" |
| − | post_max_size="50M" | + | post_max_size="50M" |
| − | max_execution_time="300" | + | max_execution_time="300" |
| − | memory_limit="2048M" | + | memory_limit="2048M" |
| + | |||
Similarly, update PHP session ID length and set strict session ID mode; | Similarly, update PHP session ID length and set strict session ID mode; | ||
| − | echo -e 'session0sid_length="32"\nsession0use_strict_mode="1"' | sudo tee -a /etc/php/7.4/apache2/php.ini | + | echo -e 'session0sid_length="32"\nsession0use_strict_mode="1"' | sudo tee -a /etc/php/7.4/apache2/php.ini |
| + | |||
Create MISP Database and Database User | Create MISP Database and Database User | ||
Login to MySQL and create MISP database and database user | Login to MySQL and create MISP database and database user | ||
| Line 70: | Line 74: | ||
First of all, run MySQL initial secure script; | First of all, run MySQL initial secure script; | ||
| − | sudo systemctl start mariadb | + | sudo systemctl start mariadb |
| − | sudo mysql_secure_installation | + | sudo mysql_secure_installation |
| + | |||
Once you have ran the script, proceed to create MISP database and database user; | Once you have ran the script, proceed to create MISP database and database user; | ||
| − | sudo mysql -u root -p -e "create database misp;" | + | sudo mysql -u root -p -e "create database misp;" |
| − | sudo mysql -u root -p -e "grant all on misp.* to mispadmin@localhost identified by 'MISP-DB-Password';" | + | sudo mysql -u root -p -e "grant all on misp.* to mispadmin@localhost identified by 'MISP-DB-Password';" |
| − | sudo mysql -u root -p -e "flush privileges;" | + | sudo mysql -u root -p -e "flush privileges;" |
| + | |||
Import MISP database into database created above; | Import MISP database into database created above; | ||
| − | sudo -Hu www-data cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -u mispadmin -p misp | + | sudo -Hu www-data cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -u mispadmin -p misp |
| + | |||
Install MISP on Ubuntu 22.04/Ubuntu 20.04 | Install MISP on Ubuntu 22.04/Ubuntu 20.04 | ||
Create MISP directory under /var/www; | Create MISP directory under /var/www; | ||
| + | sudo mkdir /var/www/MISP | ||
| − | |||
Clone the MISP Core Github repository into the directory above; | Clone the MISP Core Github repository into the directory above; | ||
| − | sudo git clone https://github.com/MISP/MISP.git /var/www/MISP/ | + | sudo git clone https://github.com/MISP/MISP.git /var/www/MISP/ |
| − | sudo git -C /var/www/MISP/ submodule update --progress --init --recursive | + | sudo git -C /var/www/MISP/ submodule update --progress --init --recursive |
| − | sudo chown -R www-data: /var/www/MISP | + | sudo chown -R www-data: /var/www/MISP |
| − | sudo -u www-data git -C /var/www/MISP submodule foreach --recursive git config core.filemode false | + | sudo -u www-data git -C /var/www/MISP submodule foreach --recursive git config core.filemode false |
| − | sudo -u www-data git -C /var/www/MISP config core.filemode false | + | sudo -u www-data git -C /var/www/MISP config core.filemode false |
| + | |||
Create a python3 virtualenv | Create a python3 virtualenv | ||
| − | sudo -u www-data virtualenv -p python3 /var/www/MISP/venv | + | sudo -u www-data virtualenv -p python3 /var/www/MISP/venv |
| + | |||
Create PIP cache directory; | Create PIP cache directory; | ||
| + | sudo mkdir /var/www/.cache/ | ||
| + | sudo chown -R www-data: /var/www/.cache/ | ||
| − | |||
| − | |||
Install python-stix | Install python-stix | ||
| − | sudo -u www-data /var/www/MISP/venv/bin/pip install ordered-set python-dateutil six weakrefmethod | + | sudo -u www-data /var/www/MISP/venv/bin/pip install ordered-set python-dateutil six weakrefmethod |
| − | sudo -u www-data /var/www/MISP/venv/bin/pip install /var/www/MISP/app/files/scripts/misp-stix | + | sudo -u www-data /var/www/MISP/venv/bin/pip install /var/www/MISP/app/files/scripts/misp-stix |
| + | |||
Install PyMISP; | Install PyMISP; | ||
| − | sudo -u www-data /var/www/MISP/venv/bin/pip install /var/www/MISP/PyMISP | + | sudo -u www-data /var/www/MISP/venv/bin/pip install /var/www/MISP/PyMISP |
| + | |||
Remove libfaup; | Remove libfaup; | ||
| − | cd /tmp | + | cd /tmp |
| − | git clone https://github.com/stricaud/faup.git faup | + | git clone https://github.com/stricaud/faup.git faup |
| − | sudo git clone https://github.com/stricaud/gtcaca.git gtcaca | + | sudo git clone https://github.com/stricaud/gtcaca.git gtcaca |
| − | sudo chown -R misp: faup gtcaca | + | sudo chown -R misp: faup gtcaca |
| − | sudo mkdir gtcaca/build && cd gtcaca/build | + | sudo mkdir gtcaca/build && cd gtcaca/build |
| − | sudo cmake .. && sudo make && sudo make install | + | sudo cmake .. && sudo make && sudo make install |
| − | sudo mkdir -p /tmp/faup/build && cd /tmp/faup/build | + | sudo mkdir -p /tmp/faup/build && cd /tmp/faup/build |
| − | sudo cmake .. && sudo make && sudo make install | + | sudo cmake .. && sudo make && sudo make install |
| + | |||
Create the necessary links and cache to the just installed libraries; | Create the necessary links and cache to the just installed libraries; | ||
| − | sudo ldconfig | + | sudo ldconfig |
| + | |||
Install PyDeep; | Install PyDeep; | ||
| + | sudo -u www-data /var/www/MISP/venv/bin/pip install git+https://github.com/kbandla/pydeep.git | ||
| − | |||
Install lief | Install lief | ||
| + | sudo -u www-data /var/www/MISP/venv/bin/pip install lief | ||
| − | |||
Install zmq | Install zmq | ||
| + | sudo -u www-data /var/www/MISP/venv/bin/pip install zmq redis | ||
| − | |||
Install python-magic | Install python-magic | ||
| + | sudo -u www-data /var/www/MISP/venv/bin/pip install python-magic | ||
| − | |||
| − | |||
| − | |||
Install plyara; | Install plyara; | ||
| + | sudo -u www-data /var/www/MISP/venv/bin/pip install plyara | ||
| − | |||
Install CakePHP | Install CakePHP | ||
| + | |||
Create PHP composer directory; | Create PHP composer directory; | ||
| + | sudo mkdir -p /var/www/.composer | ||
| − | |||
Set the ownership; | Set the ownership; | ||
| + | sudo chown -R www-data: /var/www/.composer | ||
| − | |||
| − | |||
Install CakePHP; | Install CakePHP; | ||
| + | cd /var/www/MISP/app | ||
| + | sudo -u www-data php composer.phar install --no-dev | ||
| − | |||
| − | |||
Enable CakeResque with php-redis | Enable CakeResque with php-redis | ||
| + | sudo phpenmod redis | ||
| + | sudo phpenmod gnupg | ||
| − | |||
| − | |||
Enable the use of scheduler worker for scheduled tasks; | Enable the use of scheduler worker for scheduled tasks; | ||
| + | sudo -u www-data cp -fa /var/www/MISP/INSTALL/setup/config.php | ||
| + | /var/www/MISP/app/Plugin/CakeResque/Config/config.php | ||
| − | |||
Set Proper Permissions and Ownership of MISP directories | Set Proper Permissions and Ownership of MISP directories | ||
| + | |||
Once the installation of MISP is done, update the ownership and permissions of the directories; | Once the installation of MISP is done, update the ownership and permissions of the directories; | ||
| + | sudo chown -R www-data: /var/www/MISP | ||
| + | sudo chmod -R 750 /var/www/MISP | ||
| + | sudo chmod -R g+ws /var/www/MISP/app/tmp /var/www/MISP/app/files | ||
| − | |||
| − | |||
| − | |||
Enable MISP Log Rotation | Enable MISP Log Rotation | ||
| − | sudo cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp | + | sudo cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp |
| − | sudo chmod 0640 /etc/logrotate.d/misp | + | sudo chmod 0640 /etc/logrotate.d/misp |
| + | |||
This is how to the config file is like; | This is how to the config file is like; | ||
| + | cat /etc/logrotate.d/misp | ||
| + | /var/www/MISP/app/tmp/logs/*.log { | ||
| + | rotate 30 | ||
| + | dateext | ||
| + | missingok | ||
| + | notifempty | ||
| + | compress | ||
| + | daily | ||
| + | size 50M | ||
| + | maxsize 500M | ||
| + | copytruncate | ||
| + | } | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Configure MISP | Configure MISP | ||
| + | |||
Rename the default configurations as follows; | Rename the default configurations as follows; | ||
| + | sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap{.default,}.php | ||
| + | sudo -u www-data cp -a /var/www/MISP/app/Config/database{.default,}.php | ||
| + | sudo -u www-data cp -a /var/www/MISP/app/Config/core{.default,}.php | ||
| + | sudo -u www-data cp -a /var/www/MISP/app/Config/config{.default,}.php | ||
| − | |||
| − | |||
| − | |||
| − | |||
Update database connection details; | Update database connection details; | ||
| + | sudo vim /var/www/MISP/app/Config/database.php | ||
| + | class DATABASE_CONFIG { | ||
| + | |||
| + | public $default = array( | ||
| + | 'datasource' => 'Database/Mysql', | ||
| + | //'datasource' => 'Database/Postgres', | ||
| + | 'persistent' => false, | ||
| + | 'host' => 'localhost', | ||
| + | 'login' => 'mispadmin', | ||
| + | 'port' => 3306, // MySQL & MariaDB | ||
| + | //'port' => 5432, // PostgreSQL | ||
| + | 'password' => 'MISP-DB-Password', | ||
| + | 'database' => 'misp', | ||
| + | 'prefix' => '', | ||
| + | 'encoding' => 'utf8', | ||
| + | ); | ||
| + | } | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Save and exit the file; | Save and exit the file; | ||
| Line 210: | Line 225: | ||
Create a batch file to define variable required for non-interactive GPG keys generation. | Create a batch file to define variable required for non-interactive GPG keys generation. | ||
| + | tee > ~/misp-gpg-batch-file << 'EOL' | ||
| + | Key-Type: default | ||
| + | Key-Length: 4096 | ||
| + | Subkey-Type: default | ||
| + | Name-Real: MISP-gpg-key | ||
| + | Name-Email: admin@kifarunix-demo.com | ||
| + | Expire-Date: 0 | ||
| + | Passphrase: 42e9865a824b4e237c5146b0af888016de8 | ||
| + | EOL | ||
| + | sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --batch --gen-key ~/misp-gpg-batch-file | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Sample output; | Sample output; | ||
| − | gpg: directory '/var/www/MISP/.gnupg' created | + | gpg: directory '/var/www/MISP/.gnupg' created |
| − | gpg: keybox '/var/www/MISP/.gnupg/pubring.kbx' created | + | gpg: keybox '/var/www/MISP/.gnupg/pubring.kbx' created |
| − | gpg: /var/www/MISP/.gnupg/trustdb.gpg: trustdb created | + | gpg: /var/www/MISP/.gnupg/trustdb.gpg: trustdb created |
| − | gpg: key DA6AA0A6057E4C28 marked as ultimately trusted | + | gpg: key DA6AA0A6057E4C28 marked as ultimately trusted |
| − | gpg: directory '/var/www/MISP/.gnupg/openpgp-revocs.d' created | + | gpg: directory '/var/www/MISP/.gnupg/openpgp-revocs.d' created |
| − | gpg: revocation certificate stored as '/var/www/MISP/.gnupg/openpgp-revocs.d/757A0C2F91D894522A388A04DA6AA0A6057E4C28.rev' | + | gpg: revocation certificate stored as '/var/www/MISP/.gnupg/openpgp-revocs.d/757A0C2F91D894522A388A04DA6AA0A6057E4C28.rev' |
| + | |||
Export the public key to MISP webroot | Export the public key to MISP webroot | ||
| + | sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --export --armor admin@kifarunix-demo.com \ | ||
| + | | sudo -u www-data tee /var/www/MISP/app/webroot/gpg.asc | ||
| − | |||
| − | |||
Setup MISP Background Workers | Setup MISP Background Workers | ||
Create a systemd service for MISP background workers; | Create a systemd service for MISP background workers; | ||
| + | sudo tee /etc/systemd/system/misp-workers.service << 'EOL' | ||
| + | [Unit] | ||
| + | Description=MISP background workers | ||
| + | After=network.target | ||
| + | |||
| + | [Service] | ||
| + | Type=forking | ||
| + | User=www-data | ||
| + | Group=www-data | ||
| + | ExecStart=/var/www/MISP/app/Console/worker/start.sh | ||
| + | Restart=always | ||
| + | RestartSec=10 | ||
| + | |||
| + | [Install] | ||
| + | WantedBy=multi-user.target | ||
| + | EOL | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Reload systemd configs and start the service; | Reload systemd configs and start the service; | ||
| + | sudo systemctl daemon-reload | ||
| + | sudo systemctl enable --now misp-workers | ||
| − | |||
| − | |||
Confirm status; | Confirm status; | ||
| − | systemctl status misp-workers.service | + | systemctl status misp-workers.service |
| − | ● misp-workers.service - MISP background workers | + | ● misp-workers.service - MISP background workers |
| − | + | Loaded: loaded (/etc/systemd/system/misp-workers.service; enabled; vendor preset: enabled) | |
| − | + | Active: active (running) since Fri 2022-11-04 20:24:54 UTC; 10s ago | |
| − | + | Process: 62522 ExecStart=/var/www/MISP/app/Console/worker/start.sh (code=exited, status=0/SUCCESS) | |
| − | + | Tasks: 12 (limit: 4610) | |
| − | + | Memory: 61.0M | |
| − | + | CGroup: /system.slice/misp-workers.service | |
| − | + | ├─62555 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true | |
| − | + | QUEUE='default' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/1667> | |
| − | + | ├─62556 php ./bin/resque | |
| − | + | ├─62573 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true | |
| − | + | QUEUE='prio' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/1667593> | |
| − | + | ├─62574 php ./bin/resque | |
| − | + | ├─62589 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true | |
| − | + | QUEUE='cache' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/166759> | |
| − | + | ├─62590 php ./bin/resque | |
| − | + | ├─62606 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true | |
| − | + | QUEUE='email' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/166759> | |
| − | + | ├─62607 php ./bin/resque | |
| − | + | ├─62622 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true | |
| − | Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62562]: Starting worker ... Done | + | QUEUE='update' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/16675> |
| − | Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62578]: Creating workers | + | ├─62623 php ./bin/resque |
| − | Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62578]: Starting worker ... Done | + | ├─62638 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex-scheduler'; |
| − | Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62594]: Creating workers | + | VERBOSE=true QUEUE='default' PIDFILE='/var/www/MISP/app/Plugin/CakeResqu> |
| − | Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62594]: Starting worker ... Done | + | └─62639 php ./bin/resque-scheduler.php |
| − | Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62611]: Creating workers | + | |
| − | Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62611]: Starting worker ... Done | + | Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62562]: Starting worker ... Done |
| − | Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62627]: Creating the scheduler workers | + | Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62578]: Creating workers |
| − | Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62627]: Starting scheduler worker ... Done | + | Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62578]: Starting worker ... Done |
| − | Nov 04 20:24:54 thehive.kifarunix-demo.com systemd[1]: Started MISP background workers. | + | Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62594]: Creating workers |
| + | Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62594]: Starting worker ... Done | ||
| + | Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62611]: Creating workers | ||
| + | Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62611]: Starting worker ... Done | ||
| + | Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62627]: Creating the scheduler workers | ||
| + | Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62627]: Starting scheduler worker ... Done | ||
| + | Nov 04 20:24:54 thehive.kifarunix-demo.com systemd[1]: Started MISP background workers. | ||
Next; | Next; | ||
| Line 300: | Line 322: | ||
You can easily set a systemd service to sort the above; | You can easily set a systemd service to sort the above; | ||
| − | sudo cat > /etc/systemd/system/thp-so-mo.service << 'EOL' | + | sudo cat > /etc/systemd/system/thp-so-mo.service << 'EOL' |
| − | |||
| − | |||
| − | [Service] | + | [Unit] |
| − | Type=simple | + | Description=Disable Kernel Support for THP, Set Socket Max Conxs and Enable Memory Overcommit. |
| − | ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && \ | + | |
| − | echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag && \ | + | [Service] |
| − | echo 1024 > /proc/sys/net/core/somaxconn && \ | + | Type=simple |
| − | sysctl vm.overcommit_memory=1" | + | ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && \ |
| + | echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag && \ | ||
| + | echo 1024 > /proc/sys/net/core/somaxconn && \ | ||
| + | sysctl vm.overcommit_memory=1" | ||
| + | |||
| + | [Install] | ||
| + | WantedBy=multi-user.target | ||
| + | EOL | ||
| − | |||
| − | |||
| − | |||
Initialize MISP Configuration | Initialize MISP Configuration | ||
Initialize the user and fetch authentication key; | Initialize the user and fetch authentication key; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake userInit -q | ||
| − | |||
Sample out; | Sample out; | ||
| + | dLiRqsfiiNAIIza9U7zqnwKKZBf83kDBSd2BUdeA | ||
| − | |||
Enable database updates; | Enable database updates; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin runUpdates | ||
| − | |||
Define global time outs | Define global time outs | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Session.autoRegenerate" 0 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Session.timeout" 600 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Session.cookieTimeout" 3600 | ||
| − | |||
| − | |||
| − | |||
Set default tmp directory; | Set default tmp directory; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.tmpdir" "/var/www/MISP/app/tmp" | ||
| − | |||
Enable GnuPG; | Enable GnuPG; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "admin@kifarunix-demo.com" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.password" "42e9865a824b4e237c5146b0af888016de8" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.obscure_subject" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.binary" "$(which gpg)" | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Update other MISP configurations; | Update other MISP configurations; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.host_org_id" 1 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.email" "admin@kifarunix-demo.com" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_emailing" true --force | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.contact" "admin@kifarunix-demo.com" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disablerestalert" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.showCorrelationsOnIndex" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.default_event_tag_collection" 0 | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Tunning Cortex; | Tunning Cortex; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_port" 9000 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_timeout" 120 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_authkey" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_ssl_verify_peer" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_ssl_verify_host" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Update plugin settings; | Update plugin settings; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_policy" 0 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_anonymise" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_anonymise_as" 1 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_range" 365 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_sighting_db_enable" false | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Disable API_Required modules; | Disable API_Required modules; | ||
| − | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_cuckoo_submit_enabled false | |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_cuckoo_submit_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vmray_submit_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vmray_submit_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_circl_passivedns_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_circl_passivedns_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_circl_passivessl_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_circl_passivessl_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_domaintools_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_domaintools_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_eupi_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_eupi_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_farsight_passivedns_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_farsight_passivedns_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_passivetotal_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_passivetotal_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_passivetotal_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_passivetotal_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_virustotal_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_virustotal_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_whois_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_whois_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_shodan_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_shodan_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_asn_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_asn_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_city_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_city_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_country_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_country_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_iprep_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_iprep_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_otx_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_otx_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vulndb_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vulndb_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_crowdstrike_falcon_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_crowdstrike_falcon_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_onyphe_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_onyphe_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_xforceexchange_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_xforceexchange_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vulners_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vulners_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_macaddress_io_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_macaddress_io_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_intel471_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_intel471_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_backscatter_io_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_backscatter_io_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_hibp_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_hibp_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_greynoise_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_greynoise_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_joesandbox_submit_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_joesandbox_submit_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_virustotal_public_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_virustotal_public_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_apiosintds_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_apiosintds_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_urlscan_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_urlscan_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_securitytrails_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_securitytrails_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_apivoid_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_apivoid_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_assemblyline_submit_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_assemblyline_submit_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_assemblyline_query_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_assemblyline_query_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_ransomcoindb_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_ransomcoindb_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_lastline_query_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_lastline_query_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_sophoslabs_intelix_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_sophoslabs_intelix_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_cytomic_orion_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_cytomic_orion_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_censys_enrich_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_censys_enrich_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_trustar_enrich_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_trustar_enrich_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_recordedfuture_enabled false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_recordedfuture_enabled false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.ElasticSearch_logging_enable false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.ElasticSearch_logging_enable false | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.S3_enable false |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.S3_enable false | ||
CustomAuth Plugin; | CustomAuth Plugin; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.CustomAuth_disable_logout" false | ||
| − | |||
| − | |||
RPZ Plugin settings | RPZ Plugin settings | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_policy" "DROP" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_serial" "\$date00" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_refresh" "2h" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_retry" "30m" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_expiry" "30d" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_minimum_ttl" "1h" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_ttl" "1w" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_ns" "localhost." | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_ns_alt" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_email" "root.localhost" | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Kafka settings; | Kafka settings; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_brokers" "kafka:9092" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_rdkafka_config" "/etc/rdkafka.ini" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_include_attachments" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_notifications_topic" "misp_event" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_publish_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_publish_notifications_topic" "misp_event_publish" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_notifications_topic" "misp_object" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_reference_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_reference_notifications_topic" "misp_object_reference" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_attribute_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_attribute_notifications_topic" "misp_attribute" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_shadow_attribute_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_shadow_attribute_notifications_topic" "misp_shadow_attribute" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_tag_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_tag_notifications_topic" "misp_tag" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_sighting_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_sighting_notifications_topic" "misp_sighting" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_user_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_user_notifications_topic" "misp_user" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_organisation_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_organisation_notifications_topic" "misp_organisation" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_audit_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_audit_notifications_topic" "misp_audit" | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
ZeroMQ settings; | ZeroMQ settings; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_host" "127.0.0.1" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_port" 50000 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_port" 6379 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_database" 1 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_include_attachments" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Set default language and disable proposal attributes block; | Set default language and disable proposal attributes block; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.language" "eng" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.proposals_block_attributes" false | ||
| − | |||
| − | |||
Set Redis settings; | Set Redis settings; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_port" 6379 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_database" 13 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_password" "" | ||
| − | |||
| − | |||
| − | |||
| − | |||
Set MISP default settings; | Set MISP default settings; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.ssdeep_correlation_threshold" 40 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.extended_alert_subject" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.default_event_threat_level" 4 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.enableEventBlocklisting" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.enableOrgBlocklisting" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_client_ip" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_auth" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_user_ips" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_user_ips_authkeys" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disableUserSelfManagement" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_user_login_change" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_user_password_change" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_user_add" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_event_alert" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\"" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert_age" "" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert_by_date" "" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_republish_ban" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_republish_ban_threshold" 5 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_republish_ban_refresh_on_retry" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.incoming_tags_disabled_by_default" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.maintenance_message" "Great things are happening! MISP is undergoing maintenance, but will return shortly. You can contact the administration at admin@kifarunix-demo.com." | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.footermidleft" "This is an initial install" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.footermidright" "Please configure and harden accordingly" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.welcome_text_bottom" "Welcome to Kifarunix-demo MISP" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.attachments_dir" "/var/www/MISP/app/files" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.download_attachments_on_load" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_metadata_only" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.title_text" "MISP" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.terms_download" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.showorgalternate" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_view_filter_fields" "id, uuid, value, comment, type, category, Tag.name" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "debug" 0 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.auth_enforced" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.log_each_individual_auth_fail" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.rest_client_baseurl" "" | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.advanced_authkeys" false | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.password_policy_length" 12 | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/' | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
MISP Security settings; | MISP Security settings; | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.disable_browser_cache" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.check_sec_fetch_site_header" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.advanced_authkeys" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.do_not_log_authkeys" true | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.username_in_response_header" true | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Enable MISP user login; | Enable MISP user login; | ||
| − | + | sudo -Hu www-data /var/www/MISP/app/Console/cake Live 1 | |
| − | sudo -Hu www-data /var/www/MISP/app/Console/cake Live 1 | ||
Update MISP Galaxies, ObjectTemplates, Warninglists, Noticelists, Templates | Update MISP Galaxies, ObjectTemplates, Warninglists, Noticelists, Templates | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateGalaxies | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateWarningLists | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists | ||
| + | sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "1337" | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Configure Apache Web Server for MISP | Configure Apache Web Server for MISP | ||
MISP ships with sample Apache HTTP/HTTPS configuration file under /var/www/MISP/INSTALL/apache.24.misp.ssl. | MISP ships with sample Apache HTTP/HTTPS configuration file under /var/www/MISP/INSTALL/apache.24.misp.ssl. | ||
| Line 556: | Line 574: | ||
Copy this file to Apache Sites available directory; | Copy this file to Apache Sites available directory; | ||
| − | sudo cp /var/www/MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp.conf | + | sudo cp /var/www/MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp.conf |
Sample contents; | Sample contents; | ||
| + | sudo cat /etc/apache2/sites-available/misp.conf | ||
| − | + | <VirtualHost *:80> | |
| − | <VirtualHost *:80> | + | ServerAdmin serveradmin@misp.local |
| − | + | ServerName misp.local | |
| − | + | ||
| − | + | # In theory not needed, left for debug purposes | |
| − | + | # LogLevel warn | |
| − | + | # ErrorLog /var/log/apache2/misp.local_p80_error.log | |
| − | + | # CustomLog /var/log/apache2/misp.local_p80_access.log combined | |
| − | + | ||
| − | + | Header always unset "X-Powered-By" | |
| − | + | ||
| − | + | RewriteEngine On | |
| − | + | RewriteCond %{HTTPS} !=on | |
| − | + | RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] | |
| − | + | ||
| − | + | ServerSignature Off | |
| − | + | </VirtualHost> | |
| − | </VirtualHost> | + | |
| − | + | <VirtualHost *:443> | |
| − | <VirtualHost *:443> | + | ServerAdmin serveradmin@misp.local |
| − | + | ServerName misp.local | |
| − | + | DocumentRoot /var/www/MISP/app/webroot | |
| − | + | <Directory /var/www/MISP/app/webroot> | |
| − | + | Options -Indexes | |
| − | + | AllowOverride all | |
| − | + | Require all granted | |
| − | + | </Directory> | |
| − | + | ||
| − | + | SSLEngine On | |
| − | + | ||
| − | + | # StrongCiphers4All! \o/ | |
| − | # StrongCiphers4All! \o/ | + | # This proposal adds strong cipher suites based on the Mozilla recommendations. |
| − | # This proposal adds strong cipher suites based on the Mozilla recommendations. | + | # mozilla config generator: https://ssl-config.mozilla.org/#server=apache&version=2.4.29&config=intermediate&openssl=1.1.1&guideline=5.6 |
| − | # mozilla config generator: https://ssl-config.mozilla.org/#server=apache&version=2.4.29&config=intermediate&openssl=1.1.1&guideline=5.6 | + | # intermediate configuration |
| − | # intermediate configuration | + | SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 |
| − | SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | + | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 |
| − | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | + | SSLHonorCipherOrder off |
| − | SSLHonorCipherOrder off | + | SSLSessionTickets off |
| − | SSLSessionTickets off | + | |
| − | + | # enable HTTP/2, if available | |
| − | # enable HTTP/2, if available | + | Protocols h2 http/1.1 |
| − | Protocols h2 http/1.1 | + | |
| − | + | SSLCertificateFile /etc/ssl/private/misp.local.crt | |
| − | + | SSLCertificateKeyFile /etc/ssl/private/misp.local.key | |
| − | + | # SSLCertificateChainFile /etc/ssl/private/misp-chain.crt | |
| − | # SSLCertificateChainFile /etc/ssl/private/misp-chain.crt | + | |
| − | + | LogLevel warn | |
| − | + | ErrorLog /var/log/apache2/misp.local_error.log | |
| − | + | CustomLog /var/log/apache2/misp.local_access.log combined | |
| − | + | ||
| − | + | ServerSignature Off | |
| − | + | ||
| − | + | Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" | |
| − | + | Header always set X-Content-Type-Options nosniff | |
| − | + | Header always set X-Frame-Options SAMEORIGIN | |
| − | + | Header always unset "X-Powered-By" | |
| − | + | ||
| + | # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy | ||
| + | ## Example: | ||
| + | # Header always set X-XSS-Protection "1; mode=block" | ||
| + | # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src | ||
| + | # Header always set Referrer-Policy "strict-origin-when-cross-origin" | ||
| + | # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'" | ||
| + | </VirtualHost> | ||
| + | |||
| + | # strongciphers4All! \o/ | ||
| + | SSLUseStapling On | ||
| + | SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
For me, there are only a few lines I will update; | For me, there are only a few lines I will update; | ||
| − | |||
ServerAdmin serveradmin@misp.local | ServerAdmin serveradmin@misp.local | ||
ServerName misp.local | ServerName misp.local | ||
ServerAdmin serveradmin@kifarunix-demo.com | ServerAdmin serveradmin@kifarunix-demo.com | ||
ServerName misp.kifarunix-demo.com | ServerName misp.kifarunix-demo.com | ||
| + | |||
Next, install the SSL/TLS certificates accordingly. | Next, install the SSL/TLS certificates accordingly. | ||
We are using self-signed SSL/TLS certs in this demo. | We are using self-signed SSL/TLS certs in this demo. | ||
| + | sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 -subj "/CN=*.kifarunix-demo.com" \ | ||
| + | -keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt | ||
| − | |||
| − | |||
| − | |||
Enable required modules; | Enable required modules; | ||
| + | sudo a2enmod status ssl rewrite headers | ||
| − | |||
Disable default Apache sites and enable MISP site; | Disable default Apache sites and enable MISP site; | ||
| + | sudo a2dissite 000-default.conf | ||
| + | sudo a2ensite misp.conf | ||
| − | |||
| − | |||
Check Apache config errors; | Check Apache config errors; | ||
| + | sudo apache2ctl -t | ||
| − | |||
| − | |||
Ensure the output is Syntax OK. | Ensure the output is Syntax OK. | ||
Restart Apache; | Restart Apache; | ||
| + | sudo systemctl restart apache2 | ||
| − | |||
Open Apache ports on firewall to allow external access; | Open Apache ports on firewall to allow external access; | ||
| + | ufw allow "Apache Full" | ||
| − | |||
| − | |||
Login to MISP User Interface | Login to MISP User Interface | ||
At this point, you can now login to MISP, using the address you defined before. e.g https://misp.kifarunix-demo.com | At this point, you can now login to MISP, using the address you defined before. e.g https://misp.kifarunix-demo.com | ||
| Line 667: | Line 683: | ||
Install MISP on Ubuntu 22.04/Ubuntu 20.04 | Install MISP on Ubuntu 22.04/Ubuntu 20.04 | ||
Default credentials; | Default credentials; | ||
| + | Username: admin@admin.test | ||
| + | Password: admin | ||
| − | |||
| − | |||
When you login, reset the admin password to proceed; | When you login, reset the admin password to proceed; | ||
Revision as of 07:20, 11 July 2023
In this tutorial, you will learn how to install MISP on Ubuntu 22.04/Ubuntu 20.04. MISP, an acronym for Malware Information Sharing Platform, is an open source threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
Install MISP on Ubuntu 22.04/Ubuntu 20.04
To install MISP on Ubuntu 22.04/Ubuntu 20.04, you can use an install script or simply do the manual installation so you have an idea of what is going on. We will go the manual way in this guide.
Run system Update How to Update or Install Windows 11...
Pause
Unmute Remaining Time -2:25
Fullscreen
How to Update or Install Windows 11 22H2 on Unsupported PCs?
To begin with, ensure your system package cache is up-to-date.
sudo apt update
Install Postfix anf Other Required Packages If you want to configure MISP to sent out email notifications, you install Postfix to use with your preferred mail relays.
sudo apt install postfix mailutils curl gcc git gpg-agent make libcaca-dev liblua5.3-dev \ python python3 openssl redis-server vim zip unzip virtualenv libfuzzy-dev sqlite3 \ moreutils python3-dev python3-pip libxml2-dev libxslt1-dev zlib1g-dev \ python-setuptools openssl cmake
When prompted to choose the Postfix general type of mail configuration, select Internet Site
For the domain part, select your domain part (not FQDN). E.g if your hostname is misp.kifarunix-demo.com, use kifarunix-demo.com.
Create MISP User Account
Run the command below to create MISP user account and add it to other system groups.
sudo useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data,staff misp
Set the password for the user account.
sudo passwd misp
Install LAMP Stack and Required Dependencies Run the command below to install LAMP stack and other required packages.
Install MariaDB 10.9, current stable release version as of this writing.
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=10.9 sudo apt install mariadb-client mariadb-server -y
Install PHP 7.4 and required PHP modules;
apt install libapache2-mod-php php php-cli php-dev php-json php-xml php-mysql php-opcache \ php-readline php-mbstring php-zip php-redis php-gnupg php-intl php-bcmath php-gd php-curl On Ubuntu 22.04, check this guide on how to install PHP 7.4 on Ubuntu 22.04.
Next, update the following PHP configuration options;
vim /etc/php/7.4/apache2/php.ini upload_max_filesize="50M" post_max_size="50M" max_execution_time="300" memory_limit="2048M"
Similarly, update PHP session ID length and set strict session ID mode;
echo -e 'session0sid_length="32"\nsession0use_strict_mode="1"' | sudo tee -a /etc/php/7.4/apache2/php.ini
Create MISP Database and Database User Login to MySQL and create MISP database and database user
First of all, run MySQL initial secure script;
sudo systemctl start mariadb sudo mysql_secure_installation
Once you have ran the script, proceed to create MISP database and database user;
sudo mysql -u root -p -e "create database misp;" sudo mysql -u root -p -e "grant all on misp.* to mispadmin@localhost identified by 'MISP-DB-Password';" sudo mysql -u root -p -e "flush privileges;"
Import MISP database into database created above;
sudo -Hu www-data cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -u mispadmin -p misp
Install MISP on Ubuntu 22.04/Ubuntu 20.04 Create MISP directory under /var/www;
sudo mkdir /var/www/MISP
Clone the MISP Core Github repository into the directory above;
sudo git clone https://github.com/MISP/MISP.git /var/www/MISP/ sudo git -C /var/www/MISP/ submodule update --progress --init --recursive sudo chown -R www-data: /var/www/MISP sudo -u www-data git -C /var/www/MISP submodule foreach --recursive git config core.filemode false sudo -u www-data git -C /var/www/MISP config core.filemode false
Create a python3 virtualenv
sudo -u www-data virtualenv -p python3 /var/www/MISP/venv
Create PIP cache directory;
sudo mkdir /var/www/.cache/ sudo chown -R www-data: /var/www/.cache/
Install python-stix
sudo -u www-data /var/www/MISP/venv/bin/pip install ordered-set python-dateutil six weakrefmethod sudo -u www-data /var/www/MISP/venv/bin/pip install /var/www/MISP/app/files/scripts/misp-stix
Install PyMISP;
sudo -u www-data /var/www/MISP/venv/bin/pip install /var/www/MISP/PyMISP
Remove libfaup;
cd /tmp git clone https://github.com/stricaud/faup.git faup sudo git clone https://github.com/stricaud/gtcaca.git gtcaca sudo chown -R misp: faup gtcaca sudo mkdir gtcaca/build && cd gtcaca/build sudo cmake .. && sudo make && sudo make install sudo mkdir -p /tmp/faup/build && cd /tmp/faup/build sudo cmake .. && sudo make && sudo make install
Create the necessary links and cache to the just installed libraries;
sudo ldconfig
Install PyDeep;
sudo -u www-data /var/www/MISP/venv/bin/pip install git+https://github.com/kbandla/pydeep.git
Install lief
sudo -u www-data /var/www/MISP/venv/bin/pip install lief
Install zmq
sudo -u www-data /var/www/MISP/venv/bin/pip install zmq redis
Install python-magic
sudo -u www-data /var/www/MISP/venv/bin/pip install python-magic
Install plyara;
sudo -u www-data /var/www/MISP/venv/bin/pip install plyara
Install CakePHP
Create PHP composer directory;
sudo mkdir -p /var/www/.composer
Set the ownership;
sudo chown -R www-data: /var/www/.composer
Install CakePHP;
cd /var/www/MISP/app sudo -u www-data php composer.phar install --no-dev
Enable CakeResque with php-redis
sudo phpenmod redis sudo phpenmod gnupg
Enable the use of scheduler worker for scheduled tasks;
sudo -u www-data cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
Set Proper Permissions and Ownership of MISP directories
Once the installation of MISP is done, update the ownership and permissions of the directories;
sudo chown -R www-data: /var/www/MISP sudo chmod -R 750 /var/www/MISP sudo chmod -R g+ws /var/www/MISP/app/tmp /var/www/MISP/app/files
Enable MISP Log Rotation
sudo cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp sudo chmod 0640 /etc/logrotate.d/misp
This is how to the config file is like;
cat /etc/logrotate.d/misp
/var/www/MISP/app/tmp/logs/*.log {
rotate 30
dateext
missingok
notifempty
compress
daily
size 50M
maxsize 500M
copytruncate
}
Configure MISP
Rename the default configurations as follows;
sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap{.default,}.php
sudo -u www-data cp -a /var/www/MISP/app/Config/database{.default,}.php
sudo -u www-data cp -a /var/www/MISP/app/Config/core{.default,}.php
sudo -u www-data cp -a /var/www/MISP/app/Config/config{.default,}.php
Update database connection details;
sudo vim /var/www/MISP/app/Config/database.php
class DATABASE_CONFIG {
public $default = array(
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => 'localhost',
'login' => 'mispadmin',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
'password' => 'MISP-DB-Password',
'database' => 'misp',
'prefix' => ,
'encoding' => 'utf8',
);
}
Save and exit the file;
Generate MISP GnuPG key; Create a batch file to define variable required for non-interactive GPG keys generation.
tee > ~/misp-gpg-batch-file << 'EOL' Key-Type: default Key-Length: 4096 Subkey-Type: default Name-Real: MISP-gpg-key Name-Email: admin@kifarunix-demo.com Expire-Date: 0 Passphrase: 42e9865a824b4e237c5146b0af888016de8 EOL sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --batch --gen-key ~/misp-gpg-batch-file
Sample output;
gpg: directory '/var/www/MISP/.gnupg' created gpg: keybox '/var/www/MISP/.gnupg/pubring.kbx' created gpg: /var/www/MISP/.gnupg/trustdb.gpg: trustdb created gpg: key DA6AA0A6057E4C28 marked as ultimately trusted gpg: directory '/var/www/MISP/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/var/www/MISP/.gnupg/openpgp-revocs.d/757A0C2F91D894522A388A04DA6AA0A6057E4C28.rev'
Export the public key to MISP webroot
sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --export --armor admin@kifarunix-demo.com \ | sudo -u www-data tee /var/www/MISP/app/webroot/gpg.asc
Setup MISP Background Workers Create a systemd service for MISP background workers;
sudo tee /etc/systemd/system/misp-workers.service << 'EOL' [Unit] Description=MISP background workers After=network.target [Service] Type=forking User=www-data Group=www-data ExecStart=/var/www/MISP/app/Console/worker/start.sh Restart=always RestartSec=10 [Install] WantedBy=multi-user.target EOL
Reload systemd configs and start the service;
sudo systemctl daemon-reload sudo systemctl enable --now misp-workers
Confirm status;
systemctl status misp-workers.service
● misp-workers.service - MISP background workers
Loaded: loaded (/etc/systemd/system/misp-workers.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-11-04 20:24:54 UTC; 10s ago
Process: 62522 ExecStart=/var/www/MISP/app/Console/worker/start.sh (code=exited, status=0/SUCCESS)
Tasks: 12 (limit: 4610)
Memory: 61.0M
CGroup: /system.slice/misp-workers.service
├─62555 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true
QUEUE='default' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/1667>
├─62556 php ./bin/resque
├─62573 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true
QUEUE='prio' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/1667593>
├─62574 php ./bin/resque
├─62589 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true
QUEUE='cache' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/166759>
├─62590 php ./bin/resque
├─62606 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true
QUEUE='email' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/166759>
├─62607 php ./bin/resque
├─62622 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true
QUEUE='update' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/16675>
├─62623 php ./bin/resque
├─62638 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex-scheduler';
VERBOSE=true QUEUE='default' PIDFILE='/var/www/MISP/app/Plugin/CakeResqu>
└─62639 php ./bin/resque-scheduler.php
Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62562]: Starting worker ... Done
Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62578]: Creating workers
Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62578]: Starting worker ... Done
Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62594]: Creating workers
Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62594]: Starting worker ... Done
Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62611]: Creating workers
Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62611]: Starting worker ... Done
Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62627]: Creating the scheduler workers
Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62627]: Starting scheduler worker ... Done
Nov 04 20:24:54 thehive.kifarunix-demo.com systemd[1]: Started MISP background workers.
Next;
disable Linux Kernel’s support for Transparent Huge Pages (THP),
limit the number of incoming connections to 1024,
Enable memory over-commit.
You can easily set a systemd service to sort the above;
sudo cat > /etc/systemd/system/thp-so-mo.service << 'EOL'
[Unit] Description=Disable Kernel Support for THP, Set Socket Max Conxs and Enable Memory Overcommit. [Service] Type=simple ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && \ echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag && \ echo 1024 > /proc/sys/net/core/somaxconn && \ sysctl vm.overcommit_memory=1" [Install] WantedBy=multi-user.target EOL
Initialize MISP Configuration Initialize the user and fetch authentication key;
sudo -Hu www-data /var/www/MISP/app/Console/cake userInit -q
Sample out;
dLiRqsfiiNAIIza9U7zqnwKKZBf83kDBSd2BUdeA
Enable database updates;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin runUpdates
Define global time outs
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Session.autoRegenerate" 0 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Session.timeout" 600 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Session.cookieTimeout" 3600
Set default tmp directory;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.tmpdir" "/var/www/MISP/app/tmp"
Enable GnuPG;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "admin@kifarunix-demo.com" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.password" "42e9865a824b4e237c5146b0af888016de8" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.obscure_subject" true sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.binary" "$(which gpg)"
Update other MISP configurations;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.host_org_id" 1 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.email" "admin@kifarunix-demo.com" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_emailing" true --force sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.contact" "admin@kifarunix-demo.com" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disablerestalert" true sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.showCorrelationsOnIndex" true sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.default_event_tag_collection" 0
Tunning Cortex;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_port" 9000 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_timeout" 120 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_authkey" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_ssl_verify_peer" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_ssl_verify_host" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
Update plugin settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_policy" 0 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_anonymise" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_anonymise_as" 1 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_range" 365 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_sighting_db_enable" false
Disable API_Required modules;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_cuckoo_submit_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vmray_submit_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_circl_passivedns_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_circl_passivessl_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_domaintools_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_eupi_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_farsight_passivedns_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_passivetotal_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_passivetotal_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_virustotal_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_whois_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_shodan_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_asn_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_city_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_country_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_iprep_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_otx_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vulndb_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_crowdstrike_falcon_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_onyphe_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_xforceexchange_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vulners_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_macaddress_io_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_intel471_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_backscatter_io_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_hibp_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_greynoise_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_joesandbox_submit_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_virustotal_public_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_apiosintds_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_urlscan_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_securitytrails_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_apivoid_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_assemblyline_submit_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_assemblyline_query_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_ransomcoindb_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_lastline_query_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_sophoslabs_intelix_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_cytomic_orion_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_censys_enrich_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_trustar_enrich_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_recordedfuture_enabled false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.ElasticSearch_logging_enable false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.S3_enable false
CustomAuth Plugin;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.CustomAuth_disable_logout" false
RPZ Plugin settings
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_policy" "DROP" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_serial" "\$date00" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_refresh" "2h" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_retry" "30m" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_expiry" "30d" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_minimum_ttl" "1h" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_ttl" "1w" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_ns" "localhost." sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_ns_alt" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_email" "root.localhost"
Kafka settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_brokers" "kafka:9092" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_rdkafka_config" "/etc/rdkafka.ini" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_include_attachments" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_notifications_topic" "misp_event" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_publish_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_publish_notifications_topic" "misp_event_publish" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_notifications_topic" "misp_object" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_reference_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_reference_notifications_topic" "misp_object_reference" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_attribute_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_attribute_notifications_topic" "misp_attribute" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_shadow_attribute_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_shadow_attribute_notifications_topic" "misp_shadow_attribute" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_tag_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_tag_notifications_topic" "misp_tag" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_sighting_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_sighting_notifications_topic" "misp_sighting" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_user_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_user_notifications_topic" "misp_user" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_organisation_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_organisation_notifications_topic" "misp_organisation" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_audit_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_audit_notifications_topic" "misp_audit"
ZeroMQ settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_host" "127.0.0.1" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_port" 50000 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_port" 6379 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_database" 1 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_include_attachments" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
Set default language and disable proposal attributes block;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.language" "eng" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.proposals_block_attributes" false
Set Redis settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1" sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_port" 6379 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_database" 13 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_password" ""
Set MISP default settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.ssdeep_correlation_threshold" 40 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.extended_alert_subject" false sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.default_event_threat_level" 4 sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.enableEventBlocklisting" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.enableOrgBlocklisting" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_client_ip" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_auth" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_user_ips" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_user_ips_authkeys" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disableUserSelfManagement" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_user_login_change" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_user_password_change" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_user_add" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_event_alert" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert_age" ""
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert_by_date" ""
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_republish_ban" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_republish_ban_threshold" 5
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_republish_ban_refresh_on_retry" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.incoming_tags_disabled_by_default" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.maintenance_message" "Great things are happening! MISP is undergoing maintenance, but will return shortly. You can contact the administration at admin@kifarunix-demo.com."
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.footermidleft" "This is an initial install"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.welcome_text_bottom" "Welcome to Kifarunix-demo MISP"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.attachments_dir" "/var/www/MISP/app/files"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.download_attachments_on_load" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_metadata_only" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.title_text" "MISP"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.terms_download" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.showorgalternate" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_view_filter_fields" "id, uuid, value, comment, type, category, Tag.name"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "debug" 0
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.auth_enforced" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.log_each_individual_auth_fail" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.rest_client_baseurl" ""
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.advanced_authkeys" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.password_policy_length" 12
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
MISP Security settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.disable_browser_cache" true sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.check_sec_fetch_site_header" true sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.advanced_authkeys" true sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.do_not_log_authkeys" true sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.username_in_response_header" true
Enable MISP user login;
sudo -Hu www-data /var/www/MISP/app/Console/cake Live 1
Update MISP Galaxies, ObjectTemplates, Warninglists, Noticelists, Templates
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateGalaxies sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateWarningLists sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "1337"
Configure Apache Web Server for MISP MISP ships with sample Apache HTTP/HTTPS configuration file under /var/www/MISP/INSTALL/apache.24.misp.ssl.
Copy this file to Apache Sites available directory;
sudo cp /var/www/MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp.conf
Sample contents;
sudo cat /etc/apache2/sites-available/misp.conf
<VirtualHost *:80>
ServerAdmin serveradmin@misp.local
ServerName misp.local
# In theory not needed, left for debug purposes
# LogLevel warn
# ErrorLog /var/log/apache2/misp.local_p80_error.log
# CustomLog /var/log/apache2/misp.local_p80_access.log combined
Header always unset "X-Powered-By"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
ServerSignature Off
</VirtualHost>
<VirtualHost *:443>
ServerAdmin serveradmin@misp.local
ServerName misp.local
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
Options -Indexes
AllowOverride all
Require all granted
</Directory>
SSLEngine On
# StrongCiphers4All! \o/
# This proposal adds strong cipher suites based on the Mozilla recommendations.
# mozilla config generator: https://ssl-config.mozilla.org/#server=apache&version=2.4.29&config=intermediate&openssl=1.1.1&guideline=5.6
# intermediate configuration
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
# enable HTTP/2, if available
Protocols h2 http/1.1
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options SAMEORIGIN
Header always unset "X-Powered-By"
# TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
## Example:
# Header always set X-XSS-Protection "1; mode=block"
# Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
# Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
</VirtualHost>
# strongciphers4All! \o/
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
For me, there are only a few lines I will update;
ServerAdmin serveradmin@misp.local ServerName misp.local ServerAdmin serveradmin@kifarunix-demo.com ServerName misp.kifarunix-demo.com
Next, install the SSL/TLS certificates accordingly.
We are using self-signed SSL/TLS certs in this demo.
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 -subj "/CN=*.kifarunix-demo.com" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
Enable required modules;
sudo a2enmod status ssl rewrite headers
Disable default Apache sites and enable MISP site;
sudo a2dissite 000-default.conf sudo a2ensite misp.conf
Check Apache config errors;
sudo apache2ctl -t
Ensure the output is Syntax OK.
Restart Apache;
sudo systemctl restart apache2
Open Apache ports on firewall to allow external access;
ufw allow "Apache Full"
Login to MISP User Interface At this point, you can now login to MISP, using the address you defined before. e.g https://misp.kifarunix-demo.com
Install MISP on Ubuntu 22.04/Ubuntu 20.04 Default credentials;
Username: admin@admin.test Password: admin
When you login, reset the admin password to proceed;
Install MISP on Ubuntu 22.04/Ubuntu 20.04 Change admin user email address from admin@admin.test to your specific admin email address. To change admin user email address;
navigate to Administration > List Users.
Click the edit button against the admin user.
Install MISP on Ubuntu 22.04/Ubuntu 20.04
Change Email address and update the changes.
Install MISP on Ubuntu 22.04/Ubuntu 20.04 You can logout and login to confirm the user account changes.
The MISP Events On a fresh install, MISP has no events on it yet.
However, it ships with ability to pull events with patterns that can be used to detect malicious activities from some default open-source feeds. The default opensource feeds are disabled by default.
To enable the default feeds, navigate to Sync Actions > List Feeds.
misp list feeds Select the two default feeds and click Enable Selected.
enable default misp feeds
When you enable the feeds, it will start to download the events related to known malwares, APTs, ransomwares and all their attributes from the sources automatically. If the feeds are not fetched automatically, you can manually fetch the feeds by clicking the download arrow under the feed actions.
Monitor the download progress under Administration > Jobs. It may take some time to complete!
misp fetch events status As soon as the MISP events from the default opensource feeds begin to download, you should see events populated onto MISP.
Confirm by navigating to Event Actions > List Events.
sample MISP events
And that is it on how to install MISP on Ubuntu 22.04/Ubuntu 20.04