diff --git a/README.md b/README.md
index dc6e118..29c3083 100644
--- a/README.md
+++ b/README.md
@@ -139,6 +139,8 @@ New ansible v2.2 letsencrypt module allow certificate creation but no renewal of
* https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-Configuration_examples-Changing_port_numbers.html
* https://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388
+* "Error, do this: mount -t proc proc /proc" in /var/log/apache2/error.log: Likely due to misp doing some process listing command requiring /proc (for workers for example) and server build on lxc (including proxmox). Ensure /proc is mounted and no proc restrictions for example at systemd level (InaccessiblePaths) for web user and service.
+
## TODO
* role is not managing upgrade (Work in progress/git pull between minor releases)
* monitoring unless using serverspec
diff --git a/defaults/main.yml b/defaults/main.yml
index 46cb22c..f070620 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,11 +7,12 @@ install_archives: /var/_install
## branch or tags to use
# misp_version: 'HEAD'
-misp_version: '2.4'
+misp_version: '2.5'
misp_rootdir: /var/www/_MISP/MISP
misp_virtualenv: /var/www/_MISP/venv
misp_modules_enable: true
mispmodules_rootdir: /opt
+mispmodules_version: '03165ad2cd7bae5f3fcfa1b5ba396b8031cc92a0' # 2.4.199
misp_webserver: 'apache2'
# misp_webserver: 'nginx'
misp_webserver_harden: true
@@ -21,12 +22,12 @@ misp_lief_rootdir: /var/lief
misp_config_php_template: config.php.j2
misp_git_update_force: false
-misp_pip_cybox_version: '2.1.0.20'
-misp_pip_stix_version: '1.2.0.7'
+misp_pip_cybox_version: '2.1.0.21'
+misp_pip_stix_version: '1.2.0.11'
# v2.4.167/dec 2022 is the last one supporting python <3.10
# overridden by misp-modules REQUIREMENTS
# https://github.com/MISP/misp-modules/blob/main/REQUIREMENTS
-misp_pymisp_version: 'v2.4.162'
+misp_pymisp_version: 'v2.5.2'
# HEAD in misp-modules REQUIREMENTS
misp_latest_pymisp: false
@@ -79,6 +80,7 @@ misp_webusers_list: []
# misp_web_apikey:
misp_email_contact: email@address.com
+misp_email_reply_to: misp-no-reply@localhost
## default provided feeds. you need to know their id
misp_enable_feeds:
@@ -111,8 +113,7 @@ misp_php_snuffleupagus_enable: false
# if adding ::1, ensure IPv6 is functional. https://github.com/antirez/redis/issues/3241
misp_redis_bind: '127.0.0.1'
-# FIXME! https://github.com/MISP/MISP/issues/3452
-# misp_redis_password: redis_password_to_change
+misp_redis_password: redis_password_to_change
misp_redis_securecommands:
- { re: '^rename-command FLUSHDB .*', l: 'rename-command FLUSHDB ""' }
- { re: '^rename-command FLUSHALL .*', l: 'rename-command FLUSHALL ""' }
@@ -124,3 +125,7 @@ misp_redis_securecommands:
# Update Galaxies, ObjectTemplates, Warninglists, Noticelists and Templates before first login
misp_run_updates: false
misp_run_updates_lock: "{{ misp_rootdir }}/.run_updates_lock"
+
+misp_cgroups_restriction_enable: true
+
+is_container: false
diff --git a/handlers/main.yml b/handlers/main.yml
index f7576df..7101847 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
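Review bot: `misp_redis_password: redis_password_to_change` turns a commented-out FIXME into an active role default, so every deployment that does not override it now configures Redis with the same published placeholder password, and nothing visible fails when it is left unchanged. Keep the variable but refuse to deploy the placeholder, for example an `ansible.builtin.assert` with `that: misp_redis_password != 'redis_password_to_change'` in the redis tasks, or leave the default empty and derive a per-host value; the `misp_redis_bind: '127.0.0.1'` context line limits exposure to local clients but does not make the credential unimportant. A short comment above the line stating that it must be overridden would also help.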
@@ -1,4 +1,22 @@
---
+
+ - name: Reload systemd
+ ansible.builtin.systemd:
+ daemon_reload: yes
+ become: yes
+ become_user: root
+ when:
+ - not is_container|bool
+
+ - name: Restart misp-modules
+ ansible.builtin.service:
+ name: misp-modules
+ state: restarted
+ become: yes
+ become_user: root
+ when:
+ - not is_container|bool
+
- name: Restart webserver
ansible.builtin.service:
name: "{{ apache_svc }}"
@@ -52,3 +70,8 @@
ansible.builtin.service:
name: mysql
state: restarted
+
+ - name: Restart redis
+ ansible.builtin.service:
+ name: redis
+ state: restarted
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index be9ecc0..dff7f21 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
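Review bot: The new `Restart redis` handler in the second hunk carries no `become`, while the `Restart misp-modules` handler added in the first hunk sets `become: yes` and `become_user: root`; unless privilege escalation is set at play level (not visible here), restarting redis as the connecting user will fail. Either add the same two `become` lines to `Restart redis` or drop them from `Restart misp-modules` so the handlers agree. Style: the new handlers write `daemon_reload: yes`, `become: yes`; `true` is the canonical YAML boolean and what yamllint's truthy rule expects.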
@@ -29,30 +29,55 @@
(ansible_os_family == "RedHat" and ansible_distribution_major_version | int >= 8)
- name: 22.04 | Set fact
ansible.builtin.set_fact:
+ misp_version: '2.4'
+ misp_pymisp_version: 'v2.4.200'
misp_modules_enable: false
- when: (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 22)
+ harden_apache_php74_debian_enable: true
+ when: (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int <= 22)
- name: 24.04 | Set fact
ansible.builtin.set_fact:
misp_version: '2.5'
misp_php_snuffleupagus_enable: false
harden_php7_snuffleupagus: false
- misp_modules_enable: false
when: (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int >= 24)
vars:
+ misp_local_base_url: "https://localhost"
+ misp_pymisp_base_url: "https://localhost"
+ misp_pymisp_verifycert: false
misp_pymisp_validation_fatal: false
- # need pymisp
- misp_enable_feeds: []
- misp_webusers_list: []
- misp_testing: false
+ misp_testing: true
+ misp_testing_user: _misp
+ misp_testing_user_home: "/home/{{ misp_testing_user }}"
+ misp_testing_key_file: "{{ misp_key_file }}"
+ misp_base_url: "https://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
+ misp_base_ip: 127.0.0.1
+ misp_base_port: 443
+ misp_no_log: false
+ misp_webusers_list:
+ - { u: dupont@admin.test, p: 'dupont_passphrase.', email: dupont@localhost, org: 1, role: 2 }
+ - { u: dupond@admin.test, p: 'dupond_passphrase.', email: dupond@localhost, org: 1, role: 4 }
+ hardenwebserver_enable_defaultssl: false
+ harden_php_memory_limit: 2048M
harden_php_allow_url_fopen: On
- harden_php_disable_functions:
'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,chown,diskfreespace,disk_free_space,disk_total_space,dl,exec,escapeshellarg,escapeshellcmd,fileinode,highlight_file,max_execution_time,passthru,pclose,phpinfo,popen,proc_nice,proc_terminate,show_source,system,__construct, __destruct, __call,__wakeup'
+ harden_php_disable_functions: 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,chown,diskfreespace,disk_free_space,disk_total_space,dl,exec,escapeshellcmd,fileinode,highlight_file,max_execution_time,passthru,pclose,phpinfo,popen,proc_nice,proc_terminate,show_source,system,__construct, __destruct, __call,__wakeup'
+ hardenwebserver_header_csp: '' # done by MISP directly
+ harden_apache_stapling_enable: false
+ harden_apache_systemd_inaccessiblepaths: ''
+ harden_apache_modsecurity_lines:
+ ## https://isc.sans.edu/diary/Tracking+HTTP+POST+data+with+ELK/20345
+ - { re: '^SecRule REQUEST_METHOD POST id:1000,', l: 'SecRule REQUEST_METHOD POST id:1000,phase:2,ctl:auditEngine=On,nolog,pass' }
+ ## https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#sanitiseArg
+ - { re: '^SecAction nolog,phase:2,id:131,', l: 'SecAction nolog,phase:2,id:131,sanitiseArg:password,sanitiseArg:newPassword,sanitiseArg:oldPassword' }
+ - { re: '^SecTmpDir .*', l: 'SecTmpDir /tmp/modsectmp' }
+ - { re: '^SecDataDir .*', l: 'SecDataDir /tmp/modsecdata' }
+ # `grep ModSecurity /var/log/apache2/misp.local_error.log | sed 's/.*id "\([0-9]*\)".*/\1/' | sort |
uniq -c`
+ # Host header is a numeric IP address
+ - { re: '^SecRuleRemoveById 920350', l: 'SecRuleRemoveById 920350' }
misp_php_snuffleupagus_enable: true
harden_php7_snuffleupagus: true
harden_php7_snuffleupagus_rules_template: 'misp-snuffleupagus-rules.ini.j2'
- harden_apache_php_variants: ['apache2']
- harden_apache_php74_debian_enable: true
+ harden_apache_php_variants: ['apache2', 'cli']
harden_apache_php74_rhel9_enable: true
- misp_no_log: false
roles:
- { role: juju4.redhat_epel, when: ansible_os_family == 'RedHat' }
- juju4.harden_apache
diff --git a/tasks/main.yml b/tasks/main.yml
index e3355a6..3092770 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -12,6 +12,22 @@
## must be last to override previous vars
- name: Include webserver+distribution-specific variables
ansible.builtin.include_vars: "{{ misp_webserver }}-{{ ansible_distribution }}.yml"
+- name: Include MISP 2.4 variables
+ ansible.builtin.include_vars: "misp24.yml"
+ when:
+ - misp_version == '2.4'
+- name: Include MISP 2.5 variables
+ ansible.builtin.include_vars: "misp25.yml"
+ when:
+ - misp_version == '2.5'
+
+- name: Set fact is_container
+ ansible.builtin.set_fact:
+ is_container: true
+ when: >
+ (ansible_virtualization_type is defined and
+ (ansible_virtualization_type == "docker" or ansible_virtualization_type == "containerd")
+ )
- name: Import debian
ansible.builtin.fail:
@@ -235,6 +251,8 @@
PATH: "{{ misp_virtualenv }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
become: yes
become_user: "{{ www_user }}"
+ when:
+ - misp_version == '2.4'
- name: Install python dependencies with pip - python, latest
ansible.builtin.pip:
@@ -298,6 +316,8 @@
mode: '0644'
remote_src: true
backup: yes
+ when:
+ - misp_version == '2.4'
- name: Validate permissions
ansible.builtin.file:
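Review bot: `ctl:auditEngine=On` in the `id:1000` line of `harden_apache_modsecurity_lines` switches on audit logging for every POST, and the `id:131` line only masks `password`, `newPassword` and `oldPassword`; MISP API clients authenticate with the key in the `Authorization` request header, which is not sanitised here and lands in the audit log if request headers are among the logged parts (`SecAuditLogParts` is not in this hunk, so that part is an inference). Add `sanitiseRequestHeader:Authorization` to the `id:131` SecAction alongside the `sanitiseArg` entries. `harden_apache_systemd_inaccessiblepaths: ''` disables a hardening setting without a comment; a one-liner tying it to the `/proc` note added to the README in this commit would explain why. The play's `vars:` block continues past the hunk.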
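Review bot: The two `include_vars` tasks only cover `misp_version == '2.4'` and `'2.5'`; with any other value, such as the `'HEAD'` shown commented in defaults/main.yml or a tag, neither `misp24.yml` nor `misp25.yml` is loaded and `misp_curl_tests`, `misp_config_src` and `misp_config_dest` stay undefined until a later task fails on them. Add an `ansible.builtin.assert` with `that: misp_version in ['2.4', '2.5']` next to the includes, or make the 2.5 file the fallback with `when: misp_version != '2.4'`. The `is_container` fact is only set for `docker`/`containerd`, so other runtimes that Ansible reports (e.g. `podman`, if detected) still take the systemd path; if that is intended, a comment saying so would prevent a later "fix".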
@@ -610,7 +630,7 @@
# snuffleupagus sp.readonly_exec.enable() = php file must be non-writeable (issue with auto-update?)
- name: Ensure that webroot files are not executable and not writeable
- ansible.builtin.command: "find {{ misp_rootdir }}/app/ -type f -iname '{{ item }}' ! -path {{ misp_rootdir }}/app/Config/config.php ! -name include_paths.php ! -path {{ misp_rootdir }}/app/Config/bootstrap.php ! -path {{ misp_rootdir }}/app/Config/database.php ! -path {{ misp_rootdir }}/app/Config/core.php ! -path {{ misp_rootdir }}/app/Config/email.php ! -path {{ misp_rootdir }}/app/Vendor/ -exec chmod 0444 {} \\;" # noqa no-changed-when
+ ansible.builtin.command: "find {{ misp_rootdir }}/app/ -type f -iname '{{ item }}' ! -path {{ misp_rootdir }}/app/Config/config.php ! -name include_paths.php ! -path {{ misp_rootdir }}/app/Config/bootstrap.php ! -path {{ misp_rootdir }}/app/Config/database.php ! -path {{ misp_rootdir }}/app/Config/core.php ! -path {{ misp_rootdir }}/app/Config/email.php ! -path {{ misp_rootdir }}/app/Vendor -exec chmod 0444 {} \\;" # noqa no-changed-when
with_items:
- '*.php'
- '*.ctp'
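Review bot: Changing `Vendor/` to `Vendor` in the `find` command does not change what it does: `-path` compares the whole pathname, so `! -path {{ misp_rootdir }}/app/Vendor` only matches the directory entry itself, which `-type f` already excludes, and every file below `app/Vendor` is still set to 0444. If the intent is to leave the vendor tree untouched, the exclusion needs a glob, `! -path '{{ misp_rootdir }}/app/Vendor/*'`, or a `-prune` clause; the per-file `! -path .../Config/*.php` exclusions are exact paths and work as written. Because `ansible.builtin.command` does not go through a shell, the `*` reaches find unexpanded, exactly as the `-iname '{{ item }}'` patterns already rely on. The task's `with_items` list may extend past the hunk.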
@@ -644,20 +664,16 @@
ansible.posix.patch:
src: "{{ item.s }}"
basedir: "{{ item.b }}"
- with_items:
- - { s: patch-cakephp-snuffleupagus-strict, b: "{{ misp_rootdir }}/app/Lib" }
- - { s: patch-app-Lib-cakephp-lib-Cake-Model-Datasource-Database, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource/Database" }
- - { s: patch-app-Lib-Cackephp-lib-Cake-Core-Configure_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Core" }
- - { s: patch-app-Lib-Cackephp-lib-Cake-Network-CakeRequest_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Network" }
- - { s: patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-Database-Mysql_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource/Database" }
- - { s: patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-DboSource_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource" }
- - { s: patch-app-Lib-Cackephp-lib-cakephp-lib-Cake-Model-Datasource-CakeSession_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource" }
- when: misp_php_snuffleupagus_enable
+ with_items: "{{ misp_php_harden_patches | default([]) }}"
+ when:
+ - misp_php_snuffleupagus_enable | bool
- name: Patch kamisama/php-resque-ex with stricter casting to support sp.global_strict
ansible.posix.patch:
src: patch-php-resque-ex-master-lib-Resque-Redis.php
basedir: "{{ misp_rootdir }}/app/Vendor/kamisama/php-resque-ex/lib/Resque"
- when: misp_php_snuffleupagus_enable
+ when:
+ - misp_php_snuffleupagus_enable | bool
+ - misp_version == '2.4'
- name: Import lief
ansible.builtin.import_tasks: lief.yml
@@ -665,9 +681,13 @@
- name: Import misp-modules
ansible.builtin.import_tasks: misp-modules.yml
- when: misp_modules_enable|bool
+ when:
+ - misp_modules_enable|bool
+
- name: Import misp-gem
ansible.builtin.import_tasks: misp-gem.yml
+ when:
+ - misp_version == '2.4'
- name: Import background-jobs
ansible.builtin.import_tasks: background-jobs.yml
diff --git a/tasks/misp-modules.yml b/tasks/misp-modules.yml
index 973eba3..4e05108 100644
--- a/tasks/misp-modules.yml
+++ b/tasks/misp-modules.yml
@@ -1,58 +1,6 @@
---
## https://github.com/MISP/misp-modules
-- name: Ensure misp-modules directory exists
- ansible.builtin.file:
- dest: "{{ mispmodules_rootdir }}/misp-modules"
- owner: "{{ www_user }}"
- group: "{{ www_user }}"
- state: directory
- mode: '0755'
-
-- name: Git clone MISP modules
- ansible.builtin.git:
- repo: https://github.com/MISP/misp-modules.git
- dest: "{{ mispmodules_rootdir }}/misp-modules"
- version: "{{ mispmodules_version | default('eaff5700de16a2a24c4a8f6f4a7e06f903223eba') }}"
- update: no
- force: no
- become: yes
- become_user: "{{ www_user }}"
-
-- name: Ubuntu 16.04 | Disable PyIntel471 - Python 3.6+ required
- ansible.builtin.lineinfile:
- dest: "{{ mispmodules_rootdir }}/misp-modules/REQUIREMENTS"
- regexp: '^git\+https:\/\/github.com\/MISP\/PyIntel471.git'
- state: absent
- backup: yes
- when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '16.04'
-
-- name: Ubuntu 18.04, RHEL8 | Disable Trustar - trustar-python#100
- ansible.builtin.lineinfile:
- dest: "{{ mispmodules_rootdir }}/misp-modules/REQUIREMENTS"
- regexp: '^trustar==.*'
- state: absent
- when: >
- (ansible_distribution == 'Ubuntu' and ansible_distribution_version == '18.04') or
- (ansible_os_family == 'RedHat' and ansible_distribution_major_version | int == 8)
-
-- name: Ubuntu 22.04 | Update numpy - numpy#22520, opencv-python#571
- ansible.builtin.lineinfile:
- dest: "{{ mispmodules_rootdir }}/misp-modules/REQUIREMENTS"
- regexp: '^numpy==.*'
- line: 'numpy==1.23.4'
- when: >
- (ansible_distribution == 'Ubuntu' and ansible_distribution_version == '22.04')
-
-- name: Enforce latest PyMISP
- ansible.builtin.replace:
- dest: "{{ mispmodules_rootdir }}/misp-modules/REQUIREMENTS"
- regexp: '^-e git\+https:\/\/github.com\/MISP\/PyMISP.git.*'
- replace: '-e git+https://github.com/MISP/PyMISP.git#egg=pymisp'
- mode: '0644'
- backup: yes
- when: misp_latest_pymisp
-
- name: Ensure pip cache directory exists
ansible.builtin.file:
dest:
"/var/www/.cache/pip/http"
@@ -61,30 +9,6 @@
state: directory
mode: '0755'
-- name: Debian | install pillow dependency for MISP modules (pip3)
- ansible.builtin.pip:
- name: pillow
- virtualenv: "{{ misp_virtualenv }}"
- virtualenv_python: "{{ python3_bin }}"
- chdir: "{{ mispmodules_rootdir }}/misp-modules"
- when: ansible_os_family == 'Debian'
- register: pkg_result
- until: pkg_result is success
- become: yes
- become_user: "{{ www_user }}"
-
-- name: Debian | install dependencies for MISP modules (pip3)
- ansible.builtin.pip:
- requirements: "{{ mispmodules_rootdir }}/misp-modules/REQUIREMENTS"
- virtualenv: "{{ misp_virtualenv }}"
- virtualenv_python: "{{ python3_bin }}"
- chdir: "{{ mispmodules_rootdir }}/misp-modules"
- when: ansible_os_family == 'Debian'
- register: pkg_result
- until: pkg_result is success
- become: yes
- become_user: "{{ www_user }}"
-
- name: RedHat | ensure permissions for pip cache
ansible.builtin.file:
dest: /usr/share/httpd/.cache/pip/http
@@ -94,47 +18,9 @@
recurse: yes
when: ansible_os_family == 'RedHat'
-## centos7: pip points to python3x
-- name: Redhat | install dependencies for MISP modules (pip)
- # ansible.builtin.pip:
- # requirements: "{{ mispmodules_rootdir }}/misp-modules/REQUIREMENTS"
- # virtualenv: "{{ misp_virtualenv }}"
- # virtualenv_python: "{{ python3_bin }}"
- # chdir: "{{ mispmodules_rootdir }}/misp-modules"
- ansible.builtin.command: "{{ item.c }}"
- args:
- creates: "{{ item.t | default(omit) }}"
- chdir: "{{ mispmodules_rootdir }}/misp-modules"
- with_items:
- - { c: "virtualenv -p {{ python3_bin }} {{ misp_virtualenv }}", t: "{{ misp_virtualenv }}" }
- - { c: "{{ misp_virtualenv }}/bin/pip install --upgrade pip", t: "{{ misp_virtualenv }}/bin/pip.notest" }
- - { c: "{{ misp_virtualenv }}/bin/pip install -r {{ mispmodules_rootdir }}/misp-modules/REQUIREMENTS" }
- when: ansible_os_family == 'RedHat'
- environment:
- PATH: "{{ misp_virtualenv }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- register: pkg_result
- until: pkg_result is success
- become: yes
- become_user: "{{ www_user }}"
- become_flags: -H
-
-- name: Redhat8+ | install zbar-py dependencies for MISP modules (pip)
- ansible.builtin.command: # noqa no-changed-when
- cmd: "{{ misp_virtualenv }}/bin/pip install zbar-py"
- args:
- chdir: "{{ mispmodules_rootdir }}/misp-modules"
- when: ansible_os_family == 'RedHat' and ansible_distribution_major_version | int >= 8
- environment:
- PATH: "{{ misp_virtualenv }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- register: pkg_result
- until: pkg_result is success
- become: yes
- become_user: "{{ www_user }}"
- become_flags: -H
-
- name: Install MISP modules (pip3)
ansible.builtin.pip:
- name: "file://{{ mispmodules_rootdir }}/misp-modules"
+ name: misp-modules
virtualenv: "{{ misp_virtualenv }}"
virtualenv_python: "{{ python3_bin }}"
environment:
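Review bot: `name: misp-modules` installs whatever version PyPI serves at run time; the removed `file://` install built from a git checkout pinned to a commit, and the new `mispmodules_version` default added to defaults/main.yml in this commit (a commit hash annotated `# 2.4.199`) is not referenced by this task, so the pin is lost while the variable suggests one still exists. Pass an explicit version, `name: "misp-modules==<pinned-version>"`, driven by a role variable, and either repurpose or drop `mispmodules_version`. The task's `environment:` block continues outside the hunk.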
@@ -147,26 +33,21 @@
- name: Debian | install dependencies for MISP modules (pip3) - post-install
ansible.builtin.pip:
name:
- - censys
- - pyfaup
+ - git+https://github.com/cartertemm/ODTReader.git
+ - git+https://github.com/abenassi/Google-Search-API
+ - git+https://github.com/SteveClement/trustar-python.git
+ - git+https://github.com/sebdraven/pydnstrails.git
+ - git+https://github.com/sebdraven/pyonyphe.git
virtualenv: "{{ misp_virtualenv }}"
virtualenv_python: "{{ python3_bin }}"
chdir: "{{ mispmodules_rootdir }}/misp-modules"
- when: ansible_os_family == 'Debian'
register: pkg_result
until: pkg_result is success
become: yes
become_user: "{{ www_user }}"
-- name: Add MISP modules script for boot
- ansible.builtin.lineinfile:
- dest: /etc/rc.local
- regexp: "sudo -H -u {{ www_user }} {{ misp_virtualenv }}/bin/misp-modules .* &"
- line: "sudo -H -u {{ www_user }} {{ misp_virtualenv }}/bin/misp-modules -s > /tmp/misp-modules.boot 2>&1 &"
- mode: '0755'
- insertbefore: "^exit 0"
- create: yes
- backup: yes
+- name: Systemd
+ ansible.builtin.import_tasks: systemd-misp-modules.yml
- name: Check if misp modules is running
ansible.builtin.shell: "ps axu |grep misp-modules"
@@ -179,11 +60,3 @@
become: yes
become_user: "{{ www_user }}"
when: "'misp-modules' not in ps.stdout"
-
-- name: Redhat7 | libpcre symlink for python yara module
- ansible.builtin.file:
- src: /usr/lib64/libpcre.so.1
- dest: /usr/lib64/libpcre.so.3
- mode: '0644'
- state: link
- when: ansible_os_family == "RedHat" and ansible_distribution_version.split('.')[0] == '7'
diff --git a/tasks/systemd-misp-modules.yml b/tasks/systemd-misp-modules.yml
new file mode 100644
index 0000000..01edcc1
--- /dev/null
+++ b/tasks/systemd-misp-modules.yml
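Review bot: The five `git+https://github.com/...` requirements added to the post-install task are fetched from each repository's default branch with no commit pin, so the code installed into the MISP worker's virtualenv changes whenever any of those repositories (three under personal accounts) changes, and a force-pushed or compromised branch is picked up unreviewed. Pin each to a commit, `git+https://github.com/cartertemm/ODTReader.git@<commit-sha>`, and likewise for the other four. The task also keeps `chdir: "{{ mispmodules_rootdir }}/misp-modules"`, the checkout that the first hunk of this file stops creating; unless something else still creates that directory, the pip module fails on the chdir, so drop the line or point it at an existing path. Separately, `Check if misp modules is running` and what looks like a manual fallback start (its task starts outside the hunk) remain next to the new `Systemd` import, so a host whose unit fails would get a second, unmanaged instance; if that is intended it deserves a comment.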
@@ -0,0 +1,21 @@
+---
+
+- name: Ensure systemd is present
+ ansible.builtin.package:
+ name: systemd
+ state: present
+
+- name: Configure misp-modules systemd unit
+ ansible.builtin.template:
+ src: systemd-misp-modules.service.j2
+ dest: /etc/systemd/system/misp-modules.service
+ mode: '0644'
+ notify:
+ - Reload systemd
+ - Restart misp-modules
+
+- name: Enable and start misp-modules service
+ ansible.builtin.service:
+ name: misp-modules
+ state: started
+ enabled: yes
diff --git a/tasks/testing.yml b/tasks/testing.yml
index afa398f..916bd73 100644
--- a/tasks/testing.yml
+++ b/tasks/testing.yml
@@ -17,7 +17,7 @@
- name: Replace misp.local hostname
ansible.builtin.replace:
- dest: "{{ misp_rootdir }}/tests/curl_tests.sh"
+ dest: "{{ misp_curl_tests }}"
regexp: 'http:\/\/misp.local'
replace: "{{ misp_base_url }}"
mode: '0755'
@@ -162,7 +162,7 @@
- name: Allow self-signed certificates in curl_tests.sh
ansible.builtin.replace:
- dest: "{{ misp_rootdir }}/tests/curl_tests.sh"
+ dest: "{{ misp_curl_tests }}"
regexp: '^curl -([iH].)'
replace: 'curl -k -\1'
mode: '0755'
diff --git a/templates/config.php.j2 b/templates/config.php.j2
index 988e77b..e9717c8 100644
--- a/templates/config.php.j2
+++ b/templates/config.php.j2
@@ -18,6 +18,7 @@ $config = array (
{% endif %}
'cached_attachments' => true,
'email' => '{{ misp_email_contact }}',
+ 'email_reply_to' => '{{ misp_email_reply_to }}',
'contact' => '{{ misp_email_contact }}',
'cveurl' => 'http://cve.circl.lu/cve/',
'cweurl' => 'http://cwe.circl.lu/cwe/',
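Review bot: `Enable and start misp-modules service` runs unconditionally, while the `Reload systemd` and `Restart misp-modules` handlers that the template task notifies are skipped with `not is_container|bool`; on a container host without a running systemd the handlers are skipped but this task still fails at `state: started`. Add the same guard, `when: not is_container|bool`, to the service task (and arguably to the whole file via the import in tasks/misp-modules.yml), or document that container runs are expected to fail here. `enabled: yes` should be `enabled: true`, the canonical YAML boolean.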
@@ -72,6 +73,12 @@ $config = array (
'user_email_notification_ban_time_threshold' => 120,
'user_email_notification_ban_amount_threshold' => 10,
'block_old_event_alert_by_date' => 30,
+ 'default_object_distribution' => 'event',
+ 'default_eventreport_distribution' => 'event',
+ 'newUserText' => 'Dear new MISP user,\\n\\nWe would hereby like to welcome you to the $org MISP community.\\n\\n Use the credentials below to log into MISP at $misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: $username\\nPassword: $password\\n\\nIf you have any questions, don\'t hesitate to contact us at: $contact.\\n\\nBest regards,\\nYour $org MISP support team',
+ 'passwordResetText' => 'Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at $misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: $username\\nYour temporary password: $password\\n\\nIf you have any questions, don\'t hesitate to contact us at: $contact.\\n\\nBest regards,\\nYour $org MISP support team',
+ 'enableSightingBlocklisting' => true,
+ 'attachment_scan_module' => 'clamav',
),
'GnuPG' =>
array (
@@ -80,6 +87,8 @@ $config = array (
'homedir' => '{{ misp_gpg_homedir }}',
'password' => '{{ misp_gpg_pass }}',
'bodyonlyencrypted' => false,
+ 'obscure_subject' => true,
+ 'key_fetching_disabled' => false,
),
'SMIME' => NULL,
'Proxy' =>
@@ -110,6 +119,9 @@ $config = array (
'force_https' => true,
'disable_browser_cache' => true,
'check_sec_fetch_site_header' => true,
+ 'username_in_response_header' => true,
+ 'alert_on_suspicious_logins' => true,
+ 'self_registration_message' => 'If you would like to send us a registration request, please fill out the form below. Make sure you fill out as much information as possible in order to ease the task of the administrators.',
),
'Session.defaults' => 'php',
'Session.timeout' => 60,
@@ -125,6 +137,7 @@ $config = array (
'Enrichment_services_port' => 6666,
'Enrichment_timeout' => 10,
'Enrichment_hover_timeout' => 5,
+ 'Enrichment_clamav_connection' => 'unix:///var/run/clamav/clamd.ctl',
'Import_services_enable' => true,
'Import_services_url' => 'http://127.0.0.1',
'Import_services_port' => 6666,
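Review bot: `'Enrichment_clamav_connection' => 'unix:///var/run/clamav/clamd.ctl'` hard-codes one distribution's clamd socket path for every host the template renders on, while the only package-list change adding `clamav-daemon` in this commit is in vars/Ubuntu-24.04.yml; on other platforms the neighbouring hunks still enable the module (`Enrichment_clamav_enabled`, `attachment_scan_module`) against a socket that does not exist, so attachment scanning errors instead of being disabled. Move the socket path into a role variable with a per-distribution default (name constructed, e.g. `misp_clamav_connection`) and gate the two enable flags on that variable being non-empty. Whether the web user can reach the socket is not established by anything in this diff and should be verified on each supported platform.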
@@ -147,6 +160,104 @@ $config = array (
'Action_services_port' => 6666,
'Action_timeout' => 10,
'Workflow_enable' => false,
+ 'Sightings_anonymise_as' => 0,
+ 'Sightings_enable_realtime_publish' => false,
+ 'Workflow_debug_url' => 'http://127.0.0.1:27051',
+ 'CTIInfoExtractor_enable' => false,
+ 'Enrichment_cuckoo_submit_enabled' => false,
+ 'Enrichment_vmray_submit_enabled' => false,
+ 'Enrichment_circl_passivedns_enabled' => false,
+ 'Enrichment_qrcode_enabled' => false,
+ 'Enrichment_ocr_enrich_enabled' => false,
+ 'Enrichment_pdf_enrich_enabled' => false,
+ 'Enrichment_docx_enrich_enabled' => false,
+ 'Enrichment_xlsx_enrich_enabled' => false,
+ 'Enrichment_pptx_enrich_enabled' => false,
+ 'Enrichment_ods_enrich_enabled' => false,
+ 'Enrichment_odt_enrich_enabled' => false,
+ 'Enrichment_joesandbox_submit_enabled' => false,
+ 'Enrichment_joesandbox_query_enabled' => false,
+ 'Enrichment_urlhaus_enabled' => false,
+ 'Enrichment_virustotal_public_enabled' => false,
+ 'Enrichment_apiosintds_enabled' => false,
+ 'Enrichment_urlscan_enabled' => false,
+ 'Enrichment_securitytrails_enabled' => false,
+ 'Enrichment_apivoid_enabled' => false,
+ 'Enrichment_assemblyline_submit_enabled' => false,
+ 'Enrichment_assemblyline_query_enabled' => false,
+ 'Enrichment_ransomcoindb_enabled' => false,
+ 'Enrichment_malwarebazaar_enabled' => false,
+ 'Enrichment_lastline_query_enabled' => false,
+ 'Enrichment_lastline_submit_enabled' => false,
+ 'Enrichment_sophoslabs_intelix_enabled' => false,
+ 'Enrichment_cytomic_orion_enabled' => false,
+ 'Enrichment_censys_enrich_enabled' => false,
+ 'Enrichment_trustar_enrich_enabled' => false,
+ 'Enrichment_recordedfuture_enabled' => false,
+ 'Enrichment_html_to_markdown_enabled' => false,
+ 'Enrichment_socialscan_enabled' => false,
+ 'Enrichment_passive_ssh_enabled' => false,
+ 'Enrichment_qintel_qsentry_enabled' => false,
+ 'Enrichment_mwdb_enabled' => false,
+ 'Enrichment_hashlookup_enabled' => false,
+ 'Enrichment_mmdb_lookup_enabled' =>
false,
+ 'Enrichment_ipqs_fraud_and_risk_scoring_enabled' => false,
+ 'Enrichment_clamav_enabled' => true,
+ 'Enrichment_jinja_template_rendering_enabled' => false,
+ 'Enrichment_hyasinsight_enabled' => false,
+ 'Enrichment_variotdbs_enabled' => false,
+ 'Enrichment_crowdsec_enabled' => false,
+ 'Enrichment_extract_url_components_enabled' => false,
+ 'Enrichment_ipinfo_enabled' => false,
+ 'Enrichment_whoisfreaks_enabled' => false,
+ 'Enrichment_ip2locationio_enabled' => false,
+ 'Enrichment_stairwell_enabled' => false,
+ 'Enrichment_google_threat_intelligence_enabled' => false,
+ 'Enrichment_vulnerability_lookup_enabled' => false,
+ 'Enrichment_vysion_enabled' => false,
+ 'Enrichment_mcafee_insights_enrich_enabled' => false,
+ 'Enrichment_threatfox_enabled' => false,
+ 'Enrichment_yeti_enabled' => false,
+ 'Enrichment_abuseipdb_enabled' => false,
+ 'Enrichment_vmware_nsx_enabled' => false,
+ 'Enrichment_sigmf_expand_enabled' => false,
+ 'Enrichment_google_safe_browsing_enabled' => false,
+ 'Enrichment_google_search_enabled' => false,
+ 'Enrichment_whois_enabled' => false,
+ 'Enrichment_triage_submit_enabled' => false,
+ 'Enrichment_virustotal_upload_enabled' => false,
+ 'Enrichment_malshare_upload_enabled' => false,
+ 'Enrichment_convert_markdown_to_pdf_enabled' => false,
+ 'Import_vmray_import_enabled' => false,
+ 'Import_lastline_import_enabled' => false,
+ 'Import_ocr_enabled' => false,
+ 'Import_cuckooimport_enabled' => false,
+ 'Import_goamlimport_enabled' => false,
+ 'Import_email_import_enabled' => false,
+ 'Import_mispjson_enabled' => false,
+ 'Import_openiocimport_enabled' => false,
+ 'Import_threatanalyzer_import_enabled' => false,
+ 'Import_csvimport_enabled' => false,
+ 'Import_cof2misp_enabled' => false,
+ 'Import_joe_import_enabled' => false,
+ 'Import_taxii21_enabled' => false,
+ 'Import_url_import_enabled' => false,
+ 'Import_vmray_summary_json_import_enabled' => false,
+ 'Import_import_blueprint_enabled' => false,
+ 'Export_cef_export_enabled' =>
false,
+ 'Export_mass_eql_export_enabled' => false,
+ 'Export_liteexport_enabled' => false,
+ 'Export_goamlexport_enabled' => false,
+ 'Export_threat_connect_export_enabled' => false,
+ 'Export_pdfexport_enabled' => false,
+ 'Export_threatStream_misp_export_enabled' => false,
+ 'Export_osqueryexport_enabled' => false,
+ 'Export_nexthinkexport_enabled' => false,
+ 'Export_vt_graph_enabled' => false,
+ 'Export_defender_endpoint_export_enabled' => false,
+ 'Export_virustotal_collections_enabled' => false,
+ 'Export_yara_export_enabled' => false,
+ 'Export_cisco_firesight_manager_ACL_rule_export_enabled' => false,
),
{% if (
(ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int >= 20) or
diff --git a/templates/systemd-misp-modules.service.j2 b/templates/systemd-misp-modules.service.j2
new file mode 100644
index 0000000..d3a76f6
--- /dev/null
+++ b/templates/systemd-misp-modules.service.j2
@@ -0,0 +1,109 @@
+{{ ansible_managed | comment }}
+
+# /etc/systemd/system/misp-modules.service
+# https://misp.github.io/misp-modules/install/
+# Exposure level ?
+
+[Unit]
+Description=MISP modules
+Requires=network.target
+
+[Service]
+Type=simple
+User={{ www_user }}
+Group={{ www_user }}
+ExecStart={{ misp_virtualenv }}/bin/misp-modules -l 127.0.0.1 -s
+Restart=on-failure
+RestartSec=15
+
+# Reduce Attack Surface
+NoNewPrivileges=yes
+PrivateTmp=true
+ProtectHome=yes
+ProtectSystem=yes
+# ProtectSystem=strict
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 21 %}
+# ProtectProc=noaccess
+{% endif %}
+
+PrivateDevices=yes
+DeviceAllow=
+
+# PrivateUsers=yes
+
+UMask=077
+
+# ERROR: /proc not mounted - LibreOffice is unlikely to work well if at all
+# InaccessiblePaths=/proc
+
+ProtectKernelTunables=true
+ProtectKernelModules=yes
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 20) or
+ (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int > 8 )
+%}
+ProtectKernelLogs=yes
+ProtectHostname=yes
+ProtectClock=yes
+{% endif %}
+
+ProtectControlGroups=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictNamespaces=yes
+# RestrictNamespaces=~CLONE_NEWCGROUP CLONE_NEWIPC CLONE_NEWNET CLONE_NEWPID
+RestrictSUIDSGID=yes
+# "Check failed: reservation_.SetPermissions(protect_start, protect_size, permission).", "v8::internal::PagedSpace::SetReadAndExecutable()"
+# MemoryDenyWriteExecute=yes
+
+# PrivateNetwork=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+IPAccounting=yes
+# If using below and a proxy exists, ensure to include it.
+# IPAddressAllow=localhost link-local multicast 10.0.0.0/8 192.168.0.0/16
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=~CAP_SYS_RAWIO
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+CapabilityBoundingSet=~CAP_DAC_* CAP_FOWNER CAP_IPC_OWNER
+CapabilityBoundingSet=~CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_KILL
+CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST
+CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
+CapabilityBoundingSet=~CAP_SYS_BOOT
+CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_SYS_CHROOT
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+CapabilityBoundingSet=~CAP_LEASE
+CapabilityBoundingSet=~CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SETUID CAP_SETGID
+CapabilityBoundingSet=~CAP_SETPCAP
+CapabilityBoundingSet=~CAP_CHOWN
+CapabilityBoundingSet=~CAP_FSETID CAP_SETFCAP
+CapabilityBoundingSet=~CAP_NET_RAW
+CapabilityBoundingSet=~CAP_IPC_LOCK
+
+{% if not (ansible_virtualization_type is defined and
+ ansible_virtualization_type == "docker"
+ )
+%}
+{% if (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 8) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int > 18) %}
+SystemCallFilter=@system-service
+{% endif %}
+# SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged @resources @reboot @swap @raw-io @module
+SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @resources @reboot @swap @raw-io @module
+# When system call is disallowed, return error code instead of killing process
+SystemCallErrorNumber=EPERM
+{% endif %}
+SystemCallArchitectures=native
+
+{% if misp_cgroups_restriction_enable|bool %}
+CPUWeight={{ misp_cgroups_cpushares | default('1024') }}
+CPUQuota={{ misp_cgroups_cpuquota | default('80%') }}
+MemoryMax={{ misp_cgroups_memorylimit | default('4G') }}
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
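Review bot: The `{% if not (... ansible_virtualization_type == "docker") %}` guard around the `SystemCallFilter` block checks only docker, while tasks/main.yml in this same commit derives `is_container` from `docker` or `containerd`; rendering the guard as `{% if not is_container|bool %}` keeps the template and the handlers agreeing on what counts as a container. In `[Unit]`, `Requires=network.target` without `After=network.target` adds a dependency but no ordering, so the service can be started before the network is up; add `After=network.target`. With `User={{ www_user }}` and `NoNewPrivileges=yes` already set, the twenty-two `CapabilityBoundingSet=~...` lines can be replaced by a single `CapabilityBoundingSet=` (empty set), which is easier to audit and drops nothing a non-root service would otherwise keep. The `# Exposure level ?` placeholder would be more useful as the recorded `systemd-analyze security misp-modules` score so later changes to the unit can be compared against it.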
diff --git a/vars/Ubuntu-24.04.yml b/vars/Ubuntu-24.04.yml
index dba7b90..938d073 100644
--- a/vars/Ubuntu-24.04.yml
+++ b/vars/Ubuntu-24.04.yml
@@ -48,6 +48,7 @@ misp_pkg_list:
- acl
- sudo
- cron
+ - libgl1
## pillow
- libtiff5-dev
- libjpeg8-dev
@@ -72,6 +73,8 @@ misp_pkg_list:
- libopenblas-dev
- libatlas-base-dev
- libatlas3-base
+ # attachment scan
+ - clamav-daemon
misp_gem_list:
- { name: asciidoctor-pdf, v: 2.3.2 }
diff --git a/vars/misp24.yml b/vars/misp24.yml
new file mode 100644
index 0000000..4bdaa2d
--- /dev/null
+++ b/vars/misp24.yml
@@ -0,0 +1,14 @@
+---
+
+misp_php_harden_patches:
+ - { s: patch-cakephp-snuffleupagus-strict, b: "{{ misp_rootdir }}/app/Lib" }
+ - { s: patch-app-Lib-cakephp-lib-Cake-Model-Datasource-Database, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource/Database" }
+ - { s: patch-app-Lib-Cackephp-lib-Cake-Core-Configure_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Core" }
+ - { s: patch-app-Lib-Cackephp-lib-Cake-Network-CakeRequest_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Network" }
+ - { s: patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-Database-Mysql_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource/Database" }
+ - { s: patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-DboSource_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource" }
+ - { s: patch-app-Lib-Cackephp-lib-cakephp-lib-Cake-Model-Datasource-CakeSession_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource" }
+misp_curl_tests: "{{ misp_rootdir }}/tests/curl_tests.sh"
+
+misp_config_src: "{{ misp_rootdir }}/INSTALL/setup/config.php"
+misp_config_dest: "{{ misp_rootdir }}/app/Plugin/CakeResque/Config/config.php"
diff --git a/vars/misp25.yml b/vars/misp25.yml
new file mode 100644
index 0000000..8b97595
--- /dev/null
+++ b/vars/misp25.yml
@@ -0,0 +1,6 @@
+---
+
+misp_curl_tests: "{{ misp_rootdir }}/tests/curl_tests_GH.sh"
+
+misp_config_src: "{{ misp_rootdir }}/app/Config/config.default.php"
+misp_config_dest: "{{ misp_rootdir }}/app/Config/config.php"