feat: bump misp version to 2.5 along dependencies (24.04 only, PHP8.2…

…+), add variables and config settings, clean old stuff, misp-modules systemd

README.md

@@ -139,6 +139,8 @@ New ansible v2.2 letsencrypt module allow certificate creation but no renewal of
   * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-Configuration_examples-Changing_port_numbers.html
   * https://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388
 
+* "Error, do this: mount -t proc proc /proc" in /var/log/apache2/error.log: Likely due to misp doing some process listing command requiring /proc (for workers for example) and server build on lxc (including proxmox). Ensure /proc is mounted and no proc restrictions for example at systemd level (InaccessiblePaths) for web user and service.
+
 ## TODO
 * role is not managing upgrade (Work in progress/git pull between minor releases)
 * monitoring unless using serverspec

defaults/main.yml

@@ -7,11 +7,12 @@ install_archives: /var/_install
 
 ## branch or tags to use
 # misp_version: 'HEAD'
-misp_version: '2.4'
+misp_version: '2.5'
 misp_rootdir: /var/www/_MISP/MISP
 misp_virtualenv: /var/www/_MISP/venv
 misp_modules_enable: true
 mispmodules_rootdir: /opt
+mispmodules_version: '03165ad2cd7bae5f3fcfa1b5ba396b8031cc92a0'  # 2.4.199
 misp_webserver: 'apache2'
 # misp_webserver: 'nginx'
 misp_webserver_harden: true
@@ -21,12 +22,12 @@ misp_lief_rootdir: /var/lief
 misp_config_php_template: config.php.j2
 misp_git_update_force: false
 
-misp_pip_cybox_version: '2.1.0.20'
-misp_pip_stix_version: '1.2.0.7'
+misp_pip_cybox_version: '2.1.0.21'
+misp_pip_stix_version: '1.2.0.11'
 # v2.4.167/dec 2022 is the last one supporting python <3.10
 # overridden by misp-modules REQUIREMENTS
 # https://github.com/MISP/misp-modules/blob/main/REQUIREMENTS
-misp_pymisp_version: 'v2.4.162'
+misp_pymisp_version: 'v2.5.2'
 # HEAD in misp-modules REQUIREMENTS
 misp_latest_pymisp: false
 
@@ -79,6 +80,7 @@ misp_webusers_list: []
 # misp_web_apikey:
 
 misp_email_contact: [email protected]
+misp_email_reply_to: misp-no-reply@localhost
 
 ## default provided feeds. you need to know their id
 misp_enable_feeds:
@@ -111,8 +113,7 @@ misp_php_snuffleupagus_enable: false
 
 # if adding ::1, ensure IPv6 is functional. https://github.com/antirez/redis/issues/3241
 misp_redis_bind: '127.0.0.1'
-# FIXME! https://github.com/MISP/MISP/issues/3452
-# misp_redis_password: redis_password_to_change
+misp_redis_password: redis_password_to_change
 misp_redis_securecommands:
   - { re: '^rename-command FLUSHDB .*', l: 'rename-command FLUSHDB ""' }
   - { re: '^rename-command FLUSHALL .*', l: 'rename-command FLUSHALL ""' }
@@ -124,3 +125,7 @@ misp_redis_securecommands:
 # Update Galaxies, ObjectTemplates, Warninglists, Noticelists and Templates before first login
 misp_run_updates: false
 misp_run_updates_lock: "{{ misp_rootdir }}/.run_updates_lock"
+
+misp_cgroups_restriction_enable: true
+
+is_container: false

handlers/main.yml

@@ -1,4 +1,22 @@
 ---
+
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: yes
+  become: yes
+  become_user: root
+  when:
+    - not is_container|bool
+
+- name: Restart misp-modules
+  ansible.builtin.service:
+    name: misp-modules
+    state: restarted
+  become: yes
+  become_user: root
+  when:
+    - not is_container|bool
+
 - name: Restart webserver
   ansible.builtin.service:
     name: "{{ apache_svc }}"
@@ -52,3 +70,8 @@
   ansible.builtin.service:
     name: mysql
     state: restarted
+
+- name: Restart redis
+  ansible.builtin.service:
+    name: redis
+    state: restarted

molecule/default/converge.yml

@@ -29,30 +29,55 @@
         (ansible_os_family == "RedHat" and ansible_distribution_major_version | int >= 8)
     - name: 22.04 | Set fact
       ansible.builtin.set_fact:
+        misp_version: '2.4'
+        misp_pymisp_version: 'v2.4.200'
         misp_modules_enable: false
-      when: (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 22)
+        harden_apache_php74_debian_enable: true
+      when: (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int <= 22)
     - name: 24.04 | Set fact
       ansible.builtin.set_fact:
         misp_version: '2.5'
         misp_php_snuffleupagus_enable: false
         harden_php7_snuffleupagus: false
-        misp_modules_enable: false
       when: (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int >= 24)
   vars:
+    misp_local_base_url: "https://localhost"
+    misp_pymisp_base_url: "https://localhost"
+    misp_pymisp_verifycert: false
     misp_pymisp_validation_fatal: false
-    # need pymisp
-    misp_enable_feeds: []
-    misp_webusers_list: []
-    misp_testing: false
+    misp_testing: true
+    misp_testing_user: _misp
+    misp_testing_user_home: "/home/{{ misp_testing_user }}"
+    misp_testing_key_file: "{{ misp_key_file }}"
+    misp_base_url: "https://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
+    misp_base_ip: 127.0.0.1
+    misp_base_port: 443
+    misp_no_log: false
+    misp_webusers_list:
+      - { u: [email protected], p: 'dupont_passphrase.', email: dupont@localhost, org: 1, role: 2 }
+      - { u: [email protected], p: 'dupond_passphrase.', email: dupond@localhost, org: 1, role: 4 }
+    hardenwebserver_enable_defaultssl: false
+    harden_php_memory_limit: 2048M
     harden_php_allow_url_fopen: On
-    harden_php_disable_functions: 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,chown,diskfreespace,disk_free_space,disk_total_space,dl,exec,escapeshellarg,escapeshellcmd,fileinode,highlight_file,max_execution_time,passthru,pclose,phpinfo,popen,proc_nice,proc_terminate,show_source,system,__construct, __destruct, __call,__wakeup'
+    harden_php_disable_functions: 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,chown,diskfreespace,disk_free_space,disk_total_space,dl,exec,escapeshellcmd,fileinode,highlight_file,max_execution_time,passthru,pclose,phpinfo,popen,proc_nice,proc_terminate,show_source,system,__construct, __destruct, __call,__wakeup'
+    hardenwebserver_header_csp: ''  # done by MISP directly
+    harden_apache_stapling_enable: false
+    harden_apache_systemd_inaccessiblepaths: ''
+    harden_apache_modsecurity_lines:
+      ## https://isc.sans.edu/diary/Tracking+HTTP+POST+data+with+ELK/20345
+      - { re: '^SecRule REQUEST_METHOD POST id:1000,', l: 'SecRule REQUEST_METHOD POST id:1000,phase:2,ctl:auditEngine=On,nolog,pass' }
+      ## https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#sanitiseArg
+      - { re: '^SecAction nolog,phase:2,id:131,', l: 'SecAction nolog,phase:2,id:131,sanitiseArg:password,sanitiseArg:newPassword,sanitiseArg:oldPassword' }
+      - { re: '^SecTmpDir .*', l: 'SecTmpDir /tmp/modsectmp' }
+      - { re: '^SecDataDir .*', l: 'SecDataDir /tmp/modsecdata' }
+      # `grep ModSecurity /var/log/apache2/misp.local_error.log | sed 's/.*id "\([0-9]*\)".*/\1/' | sort | uniq -c`
+      # Host header is a numeric IP address
+      - { re: '^SecRuleRemoveById 920350', l: 'SecRuleRemoveById 920350' }
     misp_php_snuffleupagus_enable: true
     harden_php7_snuffleupagus: true
     harden_php7_snuffleupagus_rules_template: 'misp-snuffleupagus-rules.ini.j2'
-    harden_apache_php_variants: ['apache2']
-    harden_apache_php74_debian_enable: true
+    harden_apache_php_variants: ['apache2', 'cli']
     harden_apache_php74_rhel9_enable: true
-    misp_no_log: false
   roles:
     - { role: juju4.redhat_epel, when: ansible_os_family == 'RedHat' }
     - juju4.harden_apache

tasks/main.yml

@@ -12,6 +12,22 @@
 ## must be last to override previous vars
 - name: Include webserver+distribution-specific variables
   ansible.builtin.include_vars: "{{ misp_webserver }}-{{ ansible_distribution }}.yml"
+- name: Include MISP 2.4 variables
+  ansible.builtin.include_vars: "misp24.yml"
+  when:
+    - misp_version == '2.4'
+- name: Include MISP 2.5 variables
+  ansible.builtin.include_vars: "misp25.yml"
+  when:
+    - misp_version == '2.5'
+
+- name: Set fact is_container
+  ansible.builtin.set_fact:
+    is_container: true
+  when: >
+    (ansible_virtualization_type is defined and
+      (ansible_virtualization_type == "docker" or ansible_virtualization_type == "containerd")
+    )
 
 - name: Import debian
   ansible.builtin.fail:
@@ -235,6 +251,8 @@
     PATH: "{{ misp_virtualenv }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
   become: yes
   become_user: "{{ www_user }}"
+  when:
+    - misp_version == '2.4'
 
 - name: Install python dependencies with pip - python, latest
   ansible.builtin.pip:
@@ -298,6 +316,8 @@
     mode: '0644'
     remote_src: true
     backup: yes
+  when:
+    - misp_version == '2.4'
 
 - name: Validate permissions
   ansible.builtin.file:
@@ -610,7 +630,7 @@
 
 # snuffleupagus sp.readonly_exec.enable() = php file must be non-writeable (issue with auto-update?)
 - name: Ensure that webroot files are not executable and not writeable
-  ansible.builtin.command: "find {{ misp_rootdir }}/app/ -type f -iname '{{ item }}' ! -path {{ misp_rootdir }}/app/Config/config.php ! -name include_paths.php ! -path {{ misp_rootdir }}/app/Config/bootstrap.php ! -path {{ misp_rootdir }}/app/Config/database.php ! -path {{ misp_rootdir }}/app/Config/core.php ! -path {{ misp_rootdir }}/app/Config/email.php ! -path {{ misp_rootdir }}/app/Vendor/ -exec chmod 0444 {} \\;"  # noqa no-changed-when
+  ansible.builtin.command: "find {{ misp_rootdir }}/app/ -type f -iname '{{ item }}' ! -path {{ misp_rootdir }}/app/Config/config.php ! -name include_paths.php ! -path {{ misp_rootdir }}/app/Config/bootstrap.php ! -path {{ misp_rootdir }}/app/Config/database.php ! -path {{ misp_rootdir }}/app/Config/core.php ! -path {{ misp_rootdir }}/app/Config/email.php ! -path {{ misp_rootdir }}/app/Vendor -exec chmod 0444 {} \\;"  # noqa no-changed-when
   with_items:
     - '*.php'
     - '*.ctp'
@@ -644,30 +664,30 @@
   ansible.posix.patch:
     src: "{{ item.s }}"
     basedir: "{{ item.b }}"
-  with_items:
-    - { s: patch-cakephp-snuffleupagus-strict, b: "{{ misp_rootdir }}/app/Lib" }
-    - { s: patch-app-Lib-cakephp-lib-Cake-Model-Datasource-Database, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource/Database" }
-    - { s: patch-app-Lib-Cackephp-lib-Cake-Core-Configure_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Core" }
-    - { s: patch-app-Lib-Cackephp-lib-Cake-Network-CakeRequest_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Network" }
-    - { s: patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-Database-Mysql_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource/Database" }
-    - { s: patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-DboSource_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource" }
-    - { s: patch-app-Lib-Cackephp-lib-cakephp-lib-Cake-Model-Datasource-CakeSession_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource" }
-  when: misp_php_snuffleupagus_enable
+  with_items: "{{ misp_php_harden_patches | default([]) }}"
+  when:
+    - misp_php_snuffleupagus_enable | bool
 - name: Patch kamisama/php-resque-ex with stricter casting to support sp.global_strict
   ansible.posix.patch:
     src: patch-php-resque-ex-master-lib-Resque-Redis.php
     basedir: "{{ misp_rootdir }}/app/Vendor/kamisama/php-resque-ex/lib/Resque"
-  when: misp_php_snuffleupagus_enable
+  when:
+    - misp_php_snuffleupagus_enable | bool
+    - misp_version == '2.4'
 
 - name: Import lief
   ansible.builtin.import_tasks: lief.yml
   when: misp_lief_enable
 
 - name: Import misp-modules
   ansible.builtin.import_tasks: misp-modules.yml
-  when: misp_modules_enable|bool
+  when:
+    - misp_modules_enable|bool
+
 - name: Import misp-gem
   ansible.builtin.import_tasks: misp-gem.yml
+  when:
+    - misp_version == '2.4'
 
 - name: Import background-jobs
   ansible.builtin.import_tasks: background-jobs.yml