From 38ce68d1d88e66598298f6e59169006a8aad000d Mon Sep 17 00:00:00 2001 
From: Bozidar Proevski <bozidar.proevski@finki.ukim.mk> Date: Sun, 4 Oct 2020 09:40:25 +0000 Subject: [PATCH] Added role mysql with volume creation for persistent data keeping Added role misp for MISP Threat Sharing platform --- group_vars/all/main.yml | 13 ++- roles/build/tasks/centos.yml | 6 -- roles/build/tasks/main.yml | 2 + roles/build/tasks/misp.yml | 20 +++++ roles/build/tasks/mysql.yml | 15 ++++ roles/build/templates/misp/Dockerfile.j2 | 84 +++++++++++++++++++ roles/build/templates/misp/start.sh.j2 | 25 ++++++ .../build/templates/misp/supervisord.conf.j2 | 25 ++++++ roles/build/templates/mysql/Dockerfile.j2 | 13 +++ .../build/templates/mysql/supervisord.conf.j2 | 7 ++ roles/ca/tasks/main.yml | 19 +++++ roles/docker/tasks/main.yml | 4 +- roles/docker/tasks/misp.yml | 23 +++++ roles/docker/tasks/mysql.yml | 21 +++++ roles/docker/tasks/volumecreate.yml | 8 ++ roles/misp/defaults/main.yml | 0 roles/misp/files/.empty | 0 roles/misp/handlers/main.yml | 0 roles/misp/meta/main.yml | 0 roles/misp/tasks/main.yml | 59 +++++++++++++ roles/misp/templates/checkdb.sh.j2 | 5 ++ roles/misp/templates/config.php.j2 | 84 +++++++++++++++++++ roles/misp/templates/database.php.j2 | 75 +++++++++++++++++ roles/misp/templates/misp.conf.j2 | 33 ++++++++ roles/misp/templates/mysql_secure.sql.j2 | 14 ++++ roles/misp/vars/main.yml | 0 roles/mysql/defaults/main.yml | 0 roles/mysql/files/.empty | 0 roles/mysql/handlers/main.yml | 0 roles/mysql/meta/main.yml | 0 roles/mysql/tasks/main.yml | 4 + roles/mysql/tasks/misp.yml | 26 ++++++ roles/mysql/tasks/secure.yml | 72 ++++++++++++++++ roles/mysql/templates/dotmy.cnf.j2 | 3 + roles/mysql/templates/mysql_secure.sql.j2 | 14 ++++ roles/mysql/vars/main.yml | 0 soctools-inventory | 6 ++ startsoctools.yml | 11 +++ 38 files changed, 683 insertions(+), 8 deletions(-) create mode 100644 roles/build/tasks/misp.yml create mode 100644 roles/build/tasks/mysql.yml create mode 100644 roles/build/templates/misp/Dockerfile.j2 create mode 100755 
roles/build/templates/misp/start.sh.j2 create mode 100644 roles/build/templates/misp/supervisord.conf.j2 create mode 100644 roles/build/templates/mysql/Dockerfile.j2 create mode 100644 roles/build/templates/mysql/supervisord.conf.j2 create mode 100644 roles/docker/tasks/misp.yml create mode 100644 roles/docker/tasks/mysql.yml create mode 100644 roles/misp/defaults/main.yml create mode 100644 roles/misp/files/.empty create mode 100644 roles/misp/handlers/main.yml create mode 100644 roles/misp/meta/main.yml create mode 100644 roles/misp/tasks/main.yml create mode 100644 roles/misp/templates/checkdb.sh.j2 create mode 100644 roles/misp/templates/config.php.j2 create mode 100755 roles/misp/templates/database.php.j2 create mode 100644 roles/misp/templates/misp.conf.j2 create mode 100644 roles/misp/templates/mysql_secure.sql.j2 create mode 100644 roles/misp/vars/main.yml create mode 100644 roles/mysql/defaults/main.yml create mode 100644 roles/mysql/files/.empty create mode 100644 roles/mysql/handlers/main.yml create mode 100644 roles/mysql/meta/main.yml create mode 100644 roles/mysql/tasks/main.yml create mode 100644 roles/mysql/tasks/misp.yml create mode 100644 roles/mysql/tasks/secure.yml create mode 100644 roles/mysql/templates/dotmy.cnf.j2 create mode 100644 roles/mysql/templates/mysql_secure.sql.j2 create mode 100644 roles/mysql/vars/main.yml diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index ec6afaa..c923378 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -28,7 +28,7 @@ soctools_network: "172.22.0.0/16" repo: gn43-dsl version: 7 -suffix: a20200612 +suffix: a20201004 temp_root: "/tmp/centosbuild" @@ -42,6 +42,10 @@ nifi_img: "{{repo}}/nifi:{{version}}{{suffix}}" nginx_name: "dsoclab-nginx" nginx_img: "{{repo}}/nginx:{{version}}{{suffix}}" +mysql_name: "dsoclab-mysql" +mysql_img: "{{repo}}/mysql:{{version}}{{suffix}}" +mysql_dbrootpass: "Pass006" + kspass: "Testing003" tspass: "Testing003" 
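Review bot: `mysql_dbrootpass: "Pass006"` in this hunk, together with `misp_dbpass: "Pass007"` and `misp_salt` in the next hunk of this file, commits live credentials and the MISP password salt to group_vars in plain text, next to the existing `kspass`/`tspass` values. These belong in an Ansible Vault-encrypted vars file or should be generated on first run; the `openssl rand -base64 32` comment already says how the salt is produced, so a line such as `# per-deployment value: regenerate before deploying, never reuse across installations` above `misp_salt` would make the expectation explicit. If the checked-in values are only development defaults, a comment above the block should say so.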
@@ -80,3 +84,10 @@ elastic_username: "admin"
 misp_token: ""
 misp_url: ""
 maxmind_key: ""
+
+misp_dbname: "mispdb"
+misp_dbuser: "misp"
+misp_dbpass: "Pass007"
+# misp_salt generated with: openssl rand -base64 32
+misp_salt: "wa2fJA2mGIn32IDl+uKrCJ069Mg3khDdGzFNv8DOwM0="
+
diff --git a/roles/build/tasks/centos.yml b/roles/build/tasks/centos.yml
index e8d4927..c03dadf 100644
--- a/roles/build/tasks/centos.yml
+++ b/roles/build/tasks/centos.yml
@@ -65,13 +65,7 @@
 path: "{{temp_root}}/{{item}}"
 state: absent
 with_items:
- - usr/lib/locale
- - usr/share/locale
- - usr/lib64/gconv
- - usr/bin/localedef
- - usr/sbin/build-locale-archive
 - usr/share/cracklib
- - usr/share/i18n
 - var/cache/yum
 - sbin/sln
 - etc/ld.so.cache
diff --git a/roles/build/tasks/main.yml b/roles/build/tasks/main.yml
index 23ea830..b01c987 100644
--- a/roles/build/tasks/main.yml
+++ b/roles/build/tasks/main.yml
@@ -7,9 +7,11 @@
 - include: centos.yml
 - include: nginx.yml
+- include: mysql.yml
 - include: openjdk.yml
 - include: zookeeper.yml
 - include: nifi.yml
 - include: odfees.yml
 - include: odfekibana.yml
 - include: keycloak.yml
+- include: misp.yml
diff --git a/roles/build/tasks/misp.yml b/roles/build/tasks/misp.yml
new file mode 100644
index 0000000..d52c39c
--- /dev/null
+++ b/roles/build/tasks/misp.yml
@@ -0,0 +1,20 @@
+---
+
+- name: Configure the misp Dockerfile
+ template:
+ src: misp/Dockerfile.j2
+ dest: "{{role_path}}/files/mispDockerfile"
+
+- name: Configure the misp supervisor
+ template:
+ src: misp/supervisord.conf.j2
+ dest: "{{role_path}}/files/mispsupervisord.conf"
+
+- name: Configure the misp worker startscript
+ template:
+ src: misp/start.sh.j2
+ dest: "{{role_path}}/files/mispstart.sh"
+
+- name: Build misp image
+ command: docker build -t {{repo}}/misp:{{version}}{{suffix}} -f {{role_path}}/files/mispDockerfile {{role_path}}/files
+
diff --git a/roles/build/tasks/mysql.yml b/roles/build/tasks/mysql.yml
new file mode 100644
index 0000000..a028190
--- /dev/null
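Review bot: The centos.yml hunk stops pruning the locale data (`usr/lib/locale`, `usr/share/locale`, `usr/lib64/gconv`, `usr/bin/localedef`, `usr/sbin/build-locale-archive`, `usr/share/i18n`) from the shared base image, but neither the commit message nor the task records why. Presumably the misp image needs a working `en_US.UTF-8` (its Dockerfile runs `LANG=en_US.UTF-8 pip3 install`), but that is inferred; a comment above `with_items:` such as `# locale data is kept: the misp image needs en_US.UTF-8` would keep the reason with the change. The enclosing task starts before this hunk.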
+++ b/roles/build/tasks/mysql.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Configure the mysql Dockerfile
+ template:
+ src: mysql/Dockerfile.j2
+ dest: "{{role_path}}/files/mysqlDockerfile"
+
+- name: Configure the mysql supervisor
+ template:
+ src: mysql/supervisord.conf.j2
+ dest: "{{role_path}}/files/mysqlsupervisord.conf"
+
+- name: Build mysql image
+ command: docker build -t {{repo}}/mysql:{{version}}{{suffix}} -f {{role_path}}/files/mysqlDockerfile {{role_path}}/files
+
diff --git a/roles/build/templates/misp/Dockerfile.j2 b/roles/build/templates/misp/Dockerfile.j2
new file mode 100644
index 0000000..b99d2a8
--- /dev/null
+++ b/roles/build/templates/misp/Dockerfile.j2
@@ -0,0 +1,84 @@ +FROM {{repo}}/centos:{{version}}{{suffix}} + +USER root +RUN yum install -y epel-release centos-release-scl scl-utils ; \ + yum install -y gcc git zip openssl supervisor rh-git218 httpd24 mod_ssl mod_auth_openidc rh-redis32 libxslt-devel zlib-devel libcaca-devel ssdeep-devel rh-php72 rh-php72-php-fpm rh-php72-php-devel rh-php72-php-mysqlnd rh-php72-php-mbstring rh-php72-php-xml rh-php72-php-bcmath rh-php72-php-opcache rh-php72-php-gd mariadb devtoolset-7 make cmake3 cppcheck libcxx-devel gpgme-devel openjpeg-devel gcc gcc-c++ poppler-cpp-devel pkgconfig python-devel redhat-rpm-config rubygem-rouge rubygem-asciidoctor zbar-devel opencv-devel wget screen rh-python36-mod_wsgi postfix curl make cmake python3 python3-devel python3-pip python3-yara python3-wheel python3-redis python3-zmq python3-setuptools redis sudo vim zip sqlite moreutils rng-tools libxml2-devel libxslt-devel zlib-devel libpqxx openjpeg2-devel ssdeep-devel ruby asciidoctor tesseract ImageMagick poppler-cpp-devel python36-virtualenv opencv-devel zbar zbar-devel ; \ + yum -y clean all ; \ + sed -i "s/max_execution_time = 30/max_execution_time = 300/" /etc/opt/rh/rh-php72/php.ini ; \ + sed -i "s/memory_limit = 128M/memory_limit = 2048M/" /etc/opt/rh/rh-php72/php.ini ; \ + sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/" /etc/opt/rh/rh-php72/php.ini ; \ + sed -i "s/post_max_size = 8M/post_max_size = 50M/" /etc/opt/rh/rh-php72/php.ini ; \ + mkdir -p /var/www/MISP ; \ + chown -R apache:apache /var/www/MISP + +USER apache +WORKDIR /var/www/MISP +RUN git clone https://github.com/MISP/MISP.git /var/www/MISP ; \ + git submodule update --init --recursive ; \ + git submodule foreach --recursive git config core.filemode false ; \ + git config core.filemode false + +USER root +RUN pip3 install --upgrade pip ; \ + pip3 install git+https://github.com/CybOXProject/mixbox.git ; \ + pip3 install git+https://github.com/CybOXProject/python-cybox.git ; \ + pip3 install 
git+https://github.com/STIXProject/python-stix.git ; \ + pip3 install git+https://github.com/MAECProject/python-maec.git ; \ + pip3 install /var/www/MISP/cti-python-stix2 ; \ + pip3 install /var/www/MISP/PyMISP ; \ + pip3 install git+https://github.com/kbandla/pydeep.git ; \ + pip3 install https://github.com/lief-project/packages/raw/lief-master-latest/pylief-0.9.0.dev.zip ; \ + pip3 install jsonschema ; \ + pip3 install reportlab ; \ + pip3 install python-magic ; \ + pip3 install pyzmq ; \ + pip3 install redis + +USER apache +WORKDIR /var/www/MISP +RUN git submodule init ; \ + git submodule update + +USER root +WORKDIR /usr/local/src +RUN git clone https://github.com/MISP/misp-modules.git +WORKDIR /usr/local/src/misp-modules +RUN git checkout ; \ + # sudo pip3 install -I -r REQUIREMENTS ; \ + LANG=en_US.UTF-8 pip3 install -I -r REQUIREMENTS; \ + pip3 install -I . ; \ + mkdir /var/www/.composer && chown -R apache:apache /var/www/.composer ; \ + cd /tmp ; \ + wget https://github.com/ssdeep-project/ssdeep/releases/download/release-2.14.1/ssdeep-2.14.1.tar.gz ; \ + tar zxvf ssdeep-2.14.1.tar.gz && cd ssdeep-2.14.1 && ./configure && make && make install ; \ + /usr/bin/scl enable rh-php72 "pecl install ssdeep" ; \ + echo "extension=ssdeep.so" > /etc/opt/rh/rh-php72/php.d/88-ssdeep.ini ; \ + cd + +USER apache +WORKDIR /var/www/MISP/app +RUN wget https://getcomposer.org/download/1.2.1/composer.phar -O composer.phar ; \ + COMPOSER_CACHE_DIR=/var/www/.composer /usr/bin/scl enable rh-php72 "php composer.phar require kamisama/cake-resque:4.1.2" ; \ + COMPOSER_CACHE_DIR=/var/www/.composer /usr/bin/scl enable rh-php72 "php composer.phar config vendor-dir Vendor" ; \ + COMPOSER_CACHE_DIR=/var/www/.composer /usr/bin/scl enable rh-php72 "php composer.phar install" ; \ + sed -i -e "s/bind 127.0.0.1/bind 0.0.0.0/" /etc/redis.conf ; \ + cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php ; \ + cp -a 
/var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php ; \ + cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php ; \ + cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php ; \ + cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php + +USER root +COPY mispstart.sh /var/www/MISP/app/Console/worker/start.sh +RUN chown -R apache:apache /var/www/MISP ; \ + chmod -R 750 /var/www/MISP ; \ + chmod -R g+ws /var/www/MISP/app/tmp ; \ + chmod -R g+ws /var/www/MISP/app/files ; \ + chmod -R g+ws /var/www/MISP/app/files/scripts/tmp + +# 80/443 - MISP web server, 3306 - mysql, 6379 - redis, 6666 - MISP modules, 50000 - MISP ZeroMQ +EXPOSE 80 443 6443 6379 6666 50000 + +COPY mispsupervisord.conf /etc/supervisord.conf +#ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] + diff --git a/roles/build/templates/misp/start.sh.j2 b/roles/build/templates/misp/start.sh.j2 new file mode 100755 index 0000000..d6a5fc0 --- /dev/null +++ b/roles/build/templates/misp/start.sh.j2 
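Review bot: Every `RUN` in the misp Dockerfile chains its steps with `;` instead of `&&`, so a failed `git clone`, `pip3 install`, `make install` or `pecl install ssdeep` does not fail the build and an image is produced without that component. `sed -i -e "s/bind 127.0.0.1/bind 0.0.0.0/" /etc/redis.conf` edits the EPEL redis config, while the supervisor file in this commit starts `rh-redis32` with `/etc/opt/rh/rh-redis32/redis.conf`; either the change never reaches the running server, or if it does, Redis listens on every container interface with no `requirepass`, so the bind should stay on 127.0.0.1 unless another container genuinely needs it. `git clone https://github.com/MISP/MISP.git` with no tag or commit checkout and the unpinned `pylief-0.9.0.dev.zip` download mean each build pulls whatever is current and cannot be reproduced or audited; add `git checkout <release-tag>` after the clone. The `EXPOSE` comment lists 3306 for mysql, but 3306 is not in the `EXPOSE` line and the database runs in its own container.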
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+#dockerfile from ansible
+
+# Check if run as root
+if [ "$EUID" -eq 0 ]; then
+ echo "Please DO NOT run the worker script as root"
+ exit 1
+fi
+
+PATH_TO_MISP='/var/www/MISP'
+RUN_PHP="/usr/bin/scl enable rh-php72"
+PHP_INI="/etc/opt/rh/rh-php72/php.ini"
+CAKE="${PATH_TO_MISP}/app/Console/cake"
+
+# Extract base directory where this script is and cd into it
+cd "${0%/*}"
+$RUN_PHP -- $CAKE CakeResque.CakeResque stop --all
+$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue default
+$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue prio
+$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue cache
+$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue email
+$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue update
+$RUN_PHP -- $CAKE CakeResque.CakeResque startscheduler --interval 5
+
+exit 0
diff --git a/roles/build/templates/misp/supervisord.conf.j2 b/roles/build/templates/misp/supervisord.conf.j2
new file mode 100644
index 0000000..fbd4dea
--- /dev/null
+++ b/roles/build/templates/misp/supervisord.conf.j2
@@ -0,0 +1,25 @@
+[supervisord]
+nodaemon=false
+user=root
+
+[program:php-fpm]
+# EnvironmentFile=/etc/opt/rh/rh-php72/sysconfig/php-fpm
+command=/opt/rh/rh-php72/root/usr/sbin/php-fpm --nodaemonize
+
+[program:redis-server]
+process_name = redis-server
+directory = /var/opt/rh/rh-redis32/lib/redis/
+command=/opt/rh/rh-redis32/root/usr/bin/redis-server /etc/opt/rh/rh-redis32/redis.conf
+user=redis
+
+[program:apache2]
+command=/usr/sbin/httpd -DFOREGROUND
+
+[program:misp-modules]
+command=/bin/bash -c "/usr/local/bin/misp-modules -l '0.0.0.0' -s"
+user = apache
+startsecs = 0
+
+[program:workers]
+command=/bin/bash /var/www/MISP/app/Console/worker/start.sh
+user=apache
diff --git a/roles/build/templates/mysql/Dockerfile.j2 b/roles/build/templates/mysql/Dockerfile.j2
new file mode 100644
index 0000000..c7b7d23
--- /dev/null
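Review bot: `[program:workers]` runs `start.sh`, which exits 0 as soon as the CakeResque workers have been launched, so supervisord supervises a one-shot script rather than the workers themselves; with the default `startsecs` a quick exit is likely to be reported as a failed start, and a worker that later crashes is never restarted. Adding `startsecs = 0` and `autorestart = false` to this program, as `[program:misp-modules]` already does for `startsecs`, makes the one-shot intent explicit. `misp-modules -l '0.0.0.0'` listens on every container interface; if only the local php-fpm needs it, `-l '127.0.0.1'` limits which containers on the network can reach the module service.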
+++ b/roles/build/templates/mysql/Dockerfile.j2
@@ -0,0 +1,13 @@
+FROM {{repo}}/centos:{{version}}{{suffix}}
+
+USER root
+RUN yum -y update && yum install -y epel-release centos-release-scl scl-utils && \
+ yum install -y rh-mariadb103 python36-PyMySQL MySQL-python supervisor && \
+ /usr/bin/scl enable rh-mariadb103 -- /opt/rh/rh-mariadb103/root/usr/libexec/mysql-prepare-db-dir /var/opt/rh/rh-mariadb103/lib/mysql
+RUN yum clean all
+
+EXPOSE 3306
+COPY mysqlsupervisord.conf /etc/supervisord.conf
+
+ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
+
diff --git a/roles/build/templates/mysql/supervisord.conf.j2 b/roles/build/templates/mysql/supervisord.conf.j2
new file mode 100644
index 0000000..e44e9fe
--- /dev/null
+++ b/roles/build/templates/mysql/supervisord.conf.j2
@@ -0,0 +1,7 @@
+[supervisord]
+loglevel=debug
+nodaemon=true
+[program:mysql]
+user=mysql
+directory=/var/lib/mysql
+command=/opt/rh/rh-mariadb103/root/usr/libexec/mysqld-scl-helper enable rh-mariadb103 -- /opt/rh/rh-mariadb103/root/usr/libexec/mysqld --basedir=/opt/rh/rh-mariadb103/root/usr
diff --git a/roles/ca/tasks/main.yml b/roles/ca/tasks/main.yml
index b721654..72ea1e8 100644
--- a/roles/ca/tasks/main.yml
+++ b/roles/ca/tasks/main.yml
@@ -43,6 +43,7 @@
 - "{{ groups['odfeescontainers'] }}"
 - "{{ groups['odfekibanacontainers'] }}"
 - "{{ groups['keycloakcontainers'] }}"
+ - "{{ groups['mispcontainers'] }}"
 environment:
 EASYRSA_BATCH: 1
 EASYRSA_PKI: roles/ca/files/CA
@@ -59,6 +60,7 @@
 - "{{ groups['odfeescontainers'] }}"
 - "{{ groups['odfekibanacontainers'] }}"
 - "{{ groups['keycloakcontainers'] }}"
+ - "{{ groups['mispcontainers'] }}"
 environment:
 EASYRSA_BATCH: 1
 EASYRSA_PKI: roles/ca/files/CA
@@ -91,6 +93,7 @@
 - "{{ groups['odfeescontainers'] }}"
 - "{{ groups['odfekibanacontainers'] }}"
 - "{{ groups['keycloakcontainers'] }}"
+ - "{{ groups['mispcontainers'] }}"
 environment:
 EASYRSA_BATCH: 1
 EASYRSA_PKI: roles/ca/files/CA
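Review bot: `yum -y update` at the top of the mysql Dockerfile upgrades every package in the pinned `{{repo}}/centos:{{version}}{{suffix}}` base, so two builds from the same base tag can differ and the base image's content is no longer what ships; the misp Dockerfile in this commit does not do this. Dropping the update and relying on a base-image rebuild keeps the two images consistent and auditable. `mysql-prepare-db-dir` initialises the data directory at build time with a passwordless root account, which is only acceptable because secure.yml sets the password at first start; a comment such as `# root password is set by roles/mysql/tasks/secure.yml on first start` records that dependency.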
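Review bot: `directory=/var/lib/mysql` sends mysqld to the stock MariaDB path, while the Dockerfile prepares the data directory at `/var/opt/rh/rh-mariadb103/lib/mysql` and the docker role mounts the persistent volume there; if `/var/lib/mysql` does not exist in the image, supervisord cannot even spawn the program. Pointing `directory` at the SCL path, or dropping the key, removes the inconsistency. `loglevel=debug` is also noisier than a production log needs; `info` once the role is settled.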
@@ -144,6 +147,20 @@
 with_items:
 - "{{ groups['keycloakcontainers'] }}"
+- name: Copy misp host certs to misp role
+ copy:
+ src: roles/ca/files/CA/issued/{{item}}.crt
+ dest: roles/misp/files/{{item}}.crt
+ with_items:
+ - "{{ groups['mispcontainers'] }}"
+
+- name: Copy misp host keys to misp role
+ copy:
+ src: roles/ca/files/CA/private/{{item}}.key
+ dest: roles/misp/files/{{item}}.key
+ with_items:
+ - "{{ groups['mispcontainers'] }}"
+
 - name: Copy truststore to roles
 copy:
 src: roles/ca/files/truststore/cacerts.jks
@@ -153,6 +170,7 @@
 - odfees
 - odfekibana
 - keycloak
+ - misp
 - name: Copy ca cert to roles
 copy:
@@ -163,6 +181,7 @@
 - odfees
 - odfekibana
 - keycloak
+ - misp
 - name: Check for existing user certificates
 command: roles/ca/files/easyrsa/easyrsa show-cert {{item.CN | regex_escape()}}
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 7c22b2c..d0526f7 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -2,12 +2,14 @@
 - include: networkcreate.yml
 - include: volumecreate.yml
+- include: mysql.yml
 - include: keycloak.yml
 - include: zookeeper.yml
 - include: nifi.yml
 - include: odfees.yml
 - include: odfekibana.yml
-- include: keycloak.yml
+- include: misp.yml
+#- include: keycloak.yml
 - include: nginx.yml
 - include: networkremove.yml
diff --git a/roles/docker/tasks/misp.yml b/roles/docker/tasks/misp.yml
new file mode 100644
index 0000000..34a42ad
--- /dev/null
+++ b/roles/docker/tasks/misp.yml
@@ -0,0 +1,23 @@
+---
+
+- name: Create misp container
+ docker_container:
+ name: "{{ misp_name }}"
+ hostname: "{{ misp_name }}"
+ image: "{{ misp_img }}"
+ networks:
+ - name: "{{ soctools_netname}}"
+ networks_cli_compatible: yes
+ entrypoint: "/bin/bash"
+ interactive: "yes"
+ published_ports:
+ - "6443:6443"
+ tags:
+ - start
+
+- name: Destroy misp container
+ docker_container:
+ name: "{{ misp_name }}"
+ state: absent
+ tags:
+ - stop
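Review bot: `#- include: keycloak.yml` leaves a commented-out include behind after the duplicate `- include: keycloak.yml` was replaced by misp; dead includes should be deleted rather than commented, since version control already keeps the history. The first `- include: keycloak.yml` earlier in the hunk remains, so keycloak is still created.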
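Review bot: `entrypoint: "/bin/bash"` with `interactive: "yes"` keeps the misp container alive only by leaving an interactive bash as PID 1, and MISP is then started by the misp role running supervisord, whose config in this commit sets `nodaemon=false`; if supervisord or any service under it dies, the container keeps running and nothing reports the failure. Running supervisord in the foreground as the entrypoint, as the mysql Dockerfile in this commit already does, gives a container whose state reflects its services. `interactive: "yes"` and `networks_cli_compatible: yes` should be written as the boolean `true`, since a quoted `"yes"` is a string that relies on Ansible's coercion.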
diff --git a/roles/docker/tasks/mysql.yml b/roles/docker/tasks/mysql.yml
new file mode 100644
index 0000000..ada6fb4
--- /dev/null
+++ b/roles/docker/tasks/mysql.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Create mysql container
+ docker_container:
+ name: "{{ mysql_name }}"
+ hostname: "{{ mysql_name }}"
+ image: "{{ mysql_img }}"
+ networks:
+ - name: "{{ soctools_netname}}"
+ networks_cli_compatible: yes
+ volumes:
+ - "{{mysql_name}}:/var/opt/rh/rh-mariadb103/lib/mysql"
+ tags:
+ - start
+
+- name: Destroy mysql container
+ docker_container:
+ name: "{{ mysql_name }}"
+ state: absent
+ tags:
+ - stop
diff --git a/roles/docker/tasks/volumecreate.yml b/roles/docker/tasks/volumecreate.yml
index cb131af..656d1e9 100644
--- a/roles/docker/tasks/volumecreate.yml
+++ b/roles/docker/tasks/volumecreate.yml
@@ -1,5 +1,13 @@
 ---
+- name: Create mysql volumes
+ docker_volume:
+ name: "{{item}}"
+ with_items:
+ - "{{ groups['mysql'] }}"
+ tags:
+ - start
+
 - name: Create NiFi volumes
 docker_volume:
 name: "{{item}}"
diff --git a/roles/misp/defaults/main.yml b/roles/misp/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/misp/files/.empty b/roles/misp/files/.empty
new file mode 100644
index 0000000..e69de29
diff --git a/roles/misp/handlers/main.yml b/roles/misp/handlers/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/misp/meta/main.yml b/roles/misp/meta/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/misp/tasks/main.yml b/roles/misp/tasks/main.yml
new file mode 100644
index 0000000..826e9dc
--- /dev/null
+++ b/roles/misp/tasks/main.yml
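Review bot: The volume mounted as `"{{mysql_name}}:/var/opt/rh/rh-mariadb103/lib/mysql"` is named from `mysql_name`, while the volumecreate.yml hunk that follows creates volumes named after `groups['mysql']`; the two only line up because the inventory host and `mysql_name` are both `dsoclab-mysql`. Renaming either one silently produces a fresh, unmounted data volume and an empty database, so derive both from a single source, e.g. loop this task over the same group with `- "{{ item }}:/var/opt/rh/rh-mariadb103/lib/mysql"`, or create the volume from `mysql_name`. The container publishes no ports, so the database is reachable only on the soctools network, which is the right default.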
@@ -0,0 +1,59 @@
+---
+
+- name: Copy certificates in apache cert dir
+ copy:
+ src: "{{ item.local }}"
+ dest: "{{ item.remote }}"
+ mode: "{{ item.mode}}"
+ with_items:
+ - local: "files/{{ inventory_hostname }}.crt"
+ remote: /etc/ssl/certs/misp.crt
+ mode: '0644'
+ - local: "files/{{ inventory_hostname }}.key"
+ remote: /etc/ssl/certs/misp.key
+ mode: '0600'
+ - local: "files/{{ ca_cn }}.crt"
+ remote: /etc/ssl/certs/ca.crt
+ mode: '0644'
+ tags:
+ - start
+
+- name: Configure Apache web server for misp
+ template:
+ src: misp.conf.j2
+ dest: /etc/httpd/conf.d/misp.conf
+ tags:
+ - start
+
+- name: Configure MISP database access
+ template:
+ src: database.php.j2
+ dest: /var/www/MISP/app/Config/database.php
+ tags:
+ - start
+
+- name: Configure MISP app
+ template:
+ src: config.php.j2
+ dest: /var/www/MISP/app/Config/config.php
+ tags:
+ - start
+
+- name: Configure MISP database initialization script
+ template:
+ src: checkdb.sh.j2
+ dest: /var/www/MISP/checkdb.sh
+ mode: '0700'
+ tags:
+ - start
+
+- name: Check if database is initialized
+ command: /var/www/MISP/checkdb.sh
+ tags:
+ - start
+
+- name: Start MISP
+ command: "/usr/bin/supervisord -c /etc/supervisord.conf"
+ tags:
+ - start
+
diff --git a/roles/misp/templates/checkdb.sh.j2 b/roles/misp/templates/checkdb.sh.j2
new file mode 100644
index 0000000..5aba69f
--- /dev/null
+++ b/roles/misp/templates/checkdb.sh.j2
@@ -0,0 +1,5 @@
+#!/bin/bash -x
+MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}})
+if [ ${MISPINIT} == "0" ]; then
+ cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}}
+fi
diff --git a/roles/misp/templates/config.php.j2 b/roles/misp/templates/config.php.j2
new file mode 100644
index 0000000..46ca1ca
--- /dev/null
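Review bot: `command: "/usr/bin/supervisord -c /etc/supervisord.conf"` runs on every play tagged `start`, so a second run launches a second supervisord against the same pidfile and socket and the task fails instead of being a no-op; a `creates:` argument pointing at supervisord's pidfile, or a preceding check that it is already running, makes the task idempotent. The `database.php` and `config.php` templates carry the database password and the salt but are written without `mode` or `owner`, unlike `checkdb.sh` which gets `mode: '0700'`; set `mode: '0640'` and the owner explicitly so their permissions do not depend on what the image left behind. The private key is placed at `/etc/ssl/certs/misp.key`; `/etc/ssl/private` is the conventional home for a `0600` key and keeps it out of a directory that is expected to be world-readable.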
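Review bot: `#!/bin/bash -x` traces every command, so the `-p{{misp_dbpass}}` argument is printed into the task output and Ansible logs, and the password is in any case visible to every process in the container through the `mysql` command line. `COUNT(DISTINCT 'table_name')` counts the string literal rather than the column, which yields 0 or 1 and happens to work as an emptiness test but is not what it reads as, and `[ ${MISPINIT} == "0" ]` is unquoted, so when the query fails (database not yet reachable) the test errors out, the schema is never loaded, and the script still exits 0 while Ansible reports success. Reading the credentials from a `0600` options file and failing on a query error addresses all three:
```shell
#!/bin/bash
# credentials come from an options file rendered with mode 0600 (path is a suggestion)
MYSQL="mysql --defaults-extra-file=/var/www/MISP/.my.cnf -s -h {{groups['mysql'][0]}} {{misp_dbname}}"
MISPINIT=$(echo "SELECT COUNT(DISTINCT table_name) FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | $MYSQL) || exit 1
if [ "${MISPINIT}" = "0" ]; then
  $MYSQL < /var/www/MISP/INSTALL/MYSQL.sql
fi
```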
+++ b/roles/misp/templates/config.php.j2 
@@ -0,0 +1,84 @@ +<?php +$config = array ( + 'debug' => 0, + 'MISP' => + array ( + 'baseurl' => 'https://{{dslproxy}}:6443', + 'footermidleft' => '', + 'footermidright' => '', + 'org' => 'ORGNAME', + 'showorg' => true, + 'threatlevel_in_email_subject' => true, + 'email_subject_TLP_string' => 'tlp:amber', + 'email_subject_tag' => 'tlp', + 'email_subject_include_tag_name' => true, + 'background_jobs' => true, + 'cached_attachments' => true, + 'email' => 'email@address.com', + 'contact' => 'email@address.com', + 'cveurl' => 'https://cve.circl.lu/cve/', + 'cweurl' => 'https://cve.circl.lu/cwe/', + 'disablerestalert' => false, + 'default_event_distribution' => '1', + 'default_attribute_distribution' => 'event', + 'tagging' => true, + 'full_tags_on_event_index' => true, + 'attribute_tagging' => true, + 'full_tags_on_attribute_index' => true, + 'footer_logo' => '', + 'take_ownership_xml_import' => false, + 'unpublishedprivate' => false, + 'disable_emailing' => false, + 'manage_workers' => true, + 'Attributes_Values_Filter_In_Event' => 'id, uuid, value, comment, type, category, Tag.name', + 'uuid' => '6ec3e533-99f9-42ac-952d-002664d1500f', + 'live' => true, + ), + 'GnuPG' => + array ( + 'onlyencrypted' => false, + 'email' => '', + 'homedir' => '', + 'password' => '', + 'bodyonlyencrypted' => false, + 'sign' => true, + 'obscure_subject' => false, + ), + 'SMIME' => + array ( + 'enabled' => false, + 'email' => '', + 'cert_public_sign' => '', + 'key_sign' => '', + 'password' => '', + ), + 'Proxy' => + array ( + 'host' => '', + 'port' => '', + 'method' => '', + 'user' => '', + 'password' => '', + ), + 'SecureAuth' => + array ( + 'amount' => 5, + 'expire' => 300, + ), + 'Security' => + array ( + 'level' => 'medium', + 'salt' => '{{misp_salt}}', + 'cipherSeed' => '', + ), + 'Session.defaults' => 'php', + 'Session.timeout' => 60, + 'Session.cookieTimeout' => 60, + 'Session.autoRegenerate' => false, + 'Session.checkAgent' => false, + 'site_admin_debug' => NULL, + 'Plugin' => NULL, 
+ 'CertAuth' => NULL, + 'ApacheShibbAuth' => NULL, + 'ApacheSecureAuth' => NULL, +); diff --git a/roles/misp/templates/database.php.j2 b/roles/misp/templates/database.php.j2 new file mode 100755 index 0000000..0cf1934 --- /dev/null +++ b/roles/misp/templates/database.php.j2 
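Review bot: `'uuid' => '6ec3e533-99f9-42ac-952d-002664d1500f'` hard-codes the MISP instance UUID in the template, so every deployment built from this role gets the same identity, and MISP uses this value as the instance identifier in sync and exports. Treat it like `misp_salt`, which this commit already parameterises: a group var such as `'uuid' => '{{misp_uuid}}'` generated once per deployment with `uuidgen`. `'email' => 'email@address.com'`, `'contact' => 'email@address.com'` and `'org' => 'ORGNAME'` are placeholders that should likewise come from variables rather than being baked into the template.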
@@ -0,0 +1,75 @@ +<?php +/** + * This is core configuration file. + * + * Use it to configure core behaviour of Cake. + * + * PHP 5 + * + * CakePHP(tm) : Rapid Development Framework (http://cakephp.org) + * Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org) + * + * Licensed under The MIT License + * Redistributions of files must retain the above copyright notice. + * + * @copyright Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org) + * @link http://cakephp.org CakePHP(tm) Project + * @package app.Config + * @since CakePHP(tm) v 0.2.9 + * @license MIT License (http://www.opensource.org/licenses/mit-license.php) + */ +/** + * In this file you set up your database connection details. + * + * @package cake.config + */ +/** + * Database configuration class. + * You can specify multiple configurations for production, development and testing. + * + * datasource => The name of a supported datasource; valid options are as follows: + * Database/Mysql - MySQL 4 & 5, + * Database/Sqlite - SQLite (PHP5 only), + * Database/Postgres - PostgreSQL 7 and higher, + * Database/Sqlserver - Microsoft SQL Server 2005 and higher + * + * You can add custom database datasources (or override existing datasources) by adding the + * appropriate file to app/Model/Datasource/Database. Datasources should be named 'MyDatasource.php', + * + * + * persistent => true / false + * Determines whether or not the database should use a persistent connection + * + * host => + * the host you connect to the database. To add a socket or port number, use 'port' => # + * + * prefix => + * Uses the given prefix for all the tables in this database. This setting can be overridden + * on a per-table basis with the Model::$tablePrefix property. + * + * schema => + * For Postgres specifies which schema you would like to use the tables in. Postgres defaults to 'public'. 
+ * + * encoding => + * For MySQL, Postgres specifies the character encoding to use when connecting to the + * database. Uses database default not specified. + * + * unix_socket => + * For MySQL to connect via socket specify the `unix_socket` parameter instead of `host` and `port` + */ +class DATABASE_CONFIG { + + public $default = array( + 'datasource' => 'Database/Mysql', + //'datasource' => 'Database/Postgres', + 'persistent' => false, + 'host' => '{{groups['mysql'][0]}}', + 'login' => '{{misp_dbuser}}', + 'port' => 3306, // MySQL & MariaDB + //'port' => 5432, // PostgreSQL + 'password' => '{{misp_dbpass}}', + 'database' => '{{misp_dbname}}', + 'prefix' => '', + 'encoding' => 'utf8', + ); +} diff --git a/roles/misp/templates/misp.conf.j2 b/roles/misp/templates/misp.conf.j2 new file mode 100644 index 0000000..3a9cb85 --- /dev/null +++ b/roles/misp/templates/misp.conf.j2 @@ -0,0 +1,33 @@ +Listen 6443 https +<VirtualHost *:6443> +ServerAdmin admin@{{dslproxy}} +ServerName {{dslproxy}} +DocumentRoot /var/www/MISP/app/webroot +<Directory /var/www/MISP/app/webroot> +Options -Indexes +AllowOverride all +</Directory> + +DirectoryIndex index.php + +# ProxyPassMatch ^/info$ fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/info.php +ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/$1 + +#<FilesMatch "\.php$"> +# SetHandler "proxy:fcgi://127.0.0.1:9000" +# ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" +# AddHandler php72-fcgi .php +# Action php72-fcgi /cgi-bin/php72.fcgi +#</FilesMatch> + +SSLEngine On +SSLCertificateFile /etc/ssl/certs/misp.crt +SSLCertificateKeyFile /etc/ssl/certs/misp.key +SSLCACertificateFile /etc/ssl/certs/ca.crt +#SSLCertificateChainFile /etc/ssl/private/misp-chain.crt +LogLevel warn +ErrorLog /var/log/httpd/misp_ssl_error.log +CustomLog /var/log/httpd/misp_ssl_access.log combined +ServerSignature Off +</VirtualHost> + 
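Review bot: The vhost sets `SSLEngine On` and certificate paths but no `SSLProtocol` or `SSLCipherSuite`, so the accepted protocol versions and ciphers are whatever the httpd24 mod_ssl build defaults to, which on this base may still include TLS 1.0 and 1.1. Adding `SSLProtocol -all +TLSv1.2` with `SSLHonorCipherOrder on` and an explicit cipher list pins that down, and `Header always set Strict-Transport-Security "max-age=31536000"` is worth adding since the service is HTTPS-only. The commented `ProxyPassMatch ^/info$` line and the `<FilesMatch>` block are leftovers that should be removed before merge.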
diff --git a/roles/misp/templates/mysql_secure.sql.j2 b/roles/misp/templates/mysql_secure.sql.j2
new file mode 100644
index 0000000..7b8dd28
--- /dev/null
+++ b/roles/misp/templates/mysql_secure.sql.j2
@@ -0,0 +1,14 @@
+UPDATE mysql.user SET Password=PASSWORD('{{mysql_dbrootpass}}') WHERE User='root';
+DELETE FROM mysql.user WHERE User='';
+DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+DROP DATABASE IF EXISTS test;
+DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+
+CREATE DATABASE {{misp_dbname}};
+{% for misp_host in groups['mispcontainers'] %}
+GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{misp_dbpass}}';
+GRANT ALL PRIVILEGES on {{misp_dbname}}.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}';
+{% endfor %}
+
+
+FLUSH PRIVILEGES;
diff --git a/roles/misp/vars/main.yml b/roles/misp/vars/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/mysql/defaults/main.yml b/roles/mysql/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/mysql/files/.empty b/roles/mysql/files/.empty
new file mode 100644
index 0000000..e69de29
diff --git a/roles/mysql/handlers/main.yml b/roles/mysql/handlers/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/mysql/meta/main.yml b/roles/mysql/meta/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml
new file mode 100644
index 0000000..f915611
--- /dev/null
+++ b/roles/mysql/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+
+- include: secure.yml
+- include: misp.yml
diff --git a/roles/mysql/tasks/misp.yml b/roles/mysql/tasks/misp.yml
new file mode 100644
index 0000000..60e1d0a
--- /dev/null
+++ b/roles/mysql/tasks/misp.yml
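Review bot: `roles/misp/templates/mysql_secure.sql.j2` is not referenced by any task in `roles/misp/tasks/main.yml`, and it is a near-copy of `roles/mysql/templates/mysql_secure.sql.j2` later in this commit, which is itself only referenced by the commented-out block in secure.yml; the two already diverge (`CREATE DATABASE` here versus `CREATE DATABASE IF NOT EXISTS` there). Since secure.yml and misp.yml now do this work with `mysql_user`/`mysql_db`, both templates should be dropped rather than left as unrendered files that embed `{{mysql_dbrootpass}}` and `{{misp_dbpass}}`.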
@@ -0,0 +1,26 @@
+---
+
+- name: Create misp db
+ mysql_db:
+ name: "{{misp_dbname}}"
+ state: present
+ tags:
+ - start
+
+- name: Create misp user
+ mysql_user:
+ name: "{{misp_dbuser}}"
+ host: "{{item}}.{{soctools_netname}}"
+ password: "{{misp_dbpass}}"
+ priv: "{{misp_dbname}}.*:ALL"
+ with_items: "{{groups['mispcontainers']}}"
+ tags:
+ - start
+
+
+# CREATE DATABASE IF NOT EXISTS {{misp_dbname}};
+# {% for misp_host in groups['mispcontainers'] %}
+# GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{misp_dbpass}}';
+# GRANT ALL PRIVILEGES on {{misp_dbname}}.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}';
+# {% endfor %}
+#
diff --git a/roles/mysql/tasks/secure.yml b/roles/mysql/tasks/secure.yml
new file mode 100644
index 0000000..18f098e
--- /dev/null
+++ b/roles/mysql/tasks/secure.yml
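Review bot: The six `# CREATE DATABASE ... # {% endfor %}` comment lines at the end of misp.yml are the SQL that the `mysql_db`/`mysql_user` tasks above replace, and should be deleted rather than kept as commentary. The `mysql_user` task itself is in good shape: the grant is scoped to `{{misp_dbname}}.*` and to one host per misp container, which is the least-privilege shape wanted here.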
@@ -0,0 +1,72 @@
+---
+
+- name: Set root password
+ mysql_user:
+ name: root
+ host_all: yes
+ password: "{{mysql_dbrootpass}}"
+ tags:
+ - start
+ ignore_errors: true
+
+- name: Configure root access to db
+ template:
+ src: dotmy.cnf.j2
+ dest: /root/.my.cnf
+ mode: 0600
+ tags:
+ - start
+
+- name: Remove all anonymous user accounts
+ mysql_user:
+ name: ''
+ host_all: yes
+ state: absent
+ tags:
+ - start
+
+- name: Remove MySQL test database
+ mysql_db:
+ name: test
+ state: absent
+ tags:
+ - start
+
+
+# template:
+# src: mysql_secure.sql.j2
+# dest: /opt/rh/rh-mariadb103/root/root/mysql_secure.sql
+# tags:
+# - start
+# - reconf
+#
+# - name: Apply mysql conf
+# command: "/opt/rh/rh-mariadb103/root/usr/bin/mysql -v -v -v -u root -e 'source /opt/rh/rh-mariadb103/root/root/mysql_secure.sql'"
+# register: mysqlconf
+# tags:
+# - start
+# - reconf
+#
+# - name: show output from mysql command
+# debug: msg="{{mysqlconf.stdout}}"
+# tags:
+# - start
+#
+#
+#
+# UPDATE mysql.user SET Password=PASSWORD('{{mysql_dbrootpass}}') WHERE User='root';
+# DELETE FROM mysql.user WHERE User='';
+# DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+# DROP DATABASE IF EXISTS test;
+# DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+#
+#
+#
+#
+# #!/bin/bash -x
+# MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}})
+# #MISPINIT=$(echo "select count(id) from users;" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}})
+# if [ ${MISPINIT} == "0" ]; then
+# cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}}
+# touch /var/www/MISP/dbchecked-$(date +%Y%m%d_%H%M%S)
+# fi
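Review bot: `ignore_errors: true` on "Set root password" hides every failure of the one task that removes the passwordless root account, including the database simply not accepting connections yet; the play then continues, writes `/root/.my.cnf`, and the later `mysql_user`/`mysql_db` tasks fail with a misleading access error while root stays unprotected. Replace it with a readiness wait (`wait_for` on the server socket, or `register` with `until`/`retries` on this task) and let a genuine failure fail the play. `mode: 0600` should be quoted as `'0600'`, as the misp role does, so the YAML parser does not turn it into an integer. The 37 comment lines from `# template:` to `# fi` are a previous version of this role plus a copy of checkdb.sh and should be removed.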
diff --git a/roles/mysql/templates/dotmy.cnf.j2 b/roles/mysql/templates/dotmy.cnf.j2
new file mode 100644
index 0000000..56feaea
--- /dev/null
+++ b/roles/mysql/templates/dotmy.cnf.j2
@@ -0,0 +1,3 @@
+[client]
+user=root
+password='{{mysql_dbrootpass}}'
diff --git a/roles/mysql/templates/mysql_secure.sql.j2 b/roles/mysql/templates/mysql_secure.sql.j2
new file mode 100644
index 0000000..c1f602d
--- /dev/null
+++ b/roles/mysql/templates/mysql_secure.sql.j2
@@ -0,0 +1,14 @@
+UPDATE mysql.user SET Password=PASSWORD('{{mysql_dbrootpass}}') WHERE User='root';
+DELETE FROM mysql.user WHERE User='';
+DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+DROP DATABASE IF EXISTS test;
+DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+
+CREATE DATABASE IF NOT EXISTS {{misp_dbname}};
+{% for misp_host in groups['mispcontainers'] %}
+GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{misp_dbpass}}';
+GRANT ALL PRIVILEGES on {{misp_dbname}}.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}';
+{% endfor %}
+
+
+FLUSH PRIVILEGES;
diff --git a/roles/mysql/vars/main.yml b/roles/mysql/vars/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/soctools-inventory b/soctools-inventory
index ee70732..2533152 100644
--- a/soctools-inventory
+++ b/soctools-inventory
@@ -19,3 +19,9 @@ dsoclab-keycloak ansible_connection=docker
 [nginx]
 dsoclab-nginx ansible_connection=docker
+[mysql]
+dsoclab-mysql ansible_connection=docker
+
+[mispcontainers]
+dsoclab-misp ansible_connection=docker
+
diff --git a/startsoctools.yml b/startsoctools.yml
index 3ddc7dc..e69de14 100644
--- a/startsoctools.yml
+++ b/startsoctools.yml
@@ -10,6 +10,11 @@
 roles:
 - nginx
+- name: Reconfigure and start mysql
+ hosts: mysql
+ roles:
+ - mysql
+
 - name: Reconfigure and start Keycloak
 hosts: keycloakcontainers
 roles:
@@ -29,3 +34,9 @@
 hosts: odfekibanacontainers
 roles:
 - odfekibana
+
+- name: Reconfigure and start misp
+ hosts: mispcontainers
+ roles:
+ - misp
+
-- GitLab