├── .ansible-lint
├── .codespellignore
├── .github
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── ISSUE_TEMPLATE
│ ├── Bug_report.yml
│ ├── Feature_request.yml
│ ├── Report_security_issue.yml
│ └── config.yml
├── PULL_REQUEST_TEMPLATE.md
├── dependabot.yml
├── stale.yml
└── workflows
│ ├── default-bare.yml
│ ├── default.yml
│ ├── galaxy-release.yml
│ └── lint.yml
├── .gitignore
├── .kitchen.docker.yml
├── .kitchen.vagrant.yml
├── .kitchen.yml
├── .pre-commit-config.yaml
├── .yamllint
├── CHANGELOG.md
├── Jenkinsfile
├── LICENSE
├── README.md
├── SECURITY.md
├── defaults
└── main.yml
├── files
├── disable_strict_mode.cnf
├── patch-app-Lib-Cackephp-lib-Cake-Core-Configure_php
├── patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-Database-Mysql_php
├── patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-DboSource_php
├── patch-app-Lib-Cackephp-lib-Cake-Network-CakeRequest_php
├── patch-app-Lib-Cackephp-lib-cakephp-lib-Cake-Model-Datasource-CakeSession_php
├── patch-app-Lib-cakephp-lib-Cake-Model-Datasource-Database
├── patch-cakephp-snuffleupagus-strict
├── patch-misp-snuffleupagus-strict
├── patch-php-resque-ex-master-lib-Resque-Redis.php
├── pgp-09e2cd4944e6cbcd.asc
├── pgp-4aee18f83afdeb23.asc
└── pgp-6bbed1b63a6d639f.asc
├── get-dependencies.sh
├── handlers
└── main.yml
├── meta
└── main.yml
├── molecule
└── default
│ ├── converge.yml
│ ├── molecule.yml
│ ├── playbook.yml
│ ├── requirements.yml
│ └── verify.yml
├── packer
├── ansible.sh
├── azure-packer-centos7.json
├── azure-packer-misp-focal.json
├── cleanup.sh
├── http
│ └── preseed.cfg
├── packer-MISP-bionic.json
├── packer-MISP-trusty.json
├── packer-MISP-xenial.json
├── set_symlinks.sh
└── setup.sh
├── tasks
├── apache2.yml
├── background-jobs.yml
├── composer.yml
├── debian-php74.yml
├── debian.yml
├── lief.yml
├── main.yml
├── misp-add-user.yml
├── misp-add-users.yml
├── misp-feeds.yml
├── misp-gem.yml
├── misp-key-file.yml
├── misp-modules.yml
├── misp-run-updates.yml
├── mysql-configure.yml
├── nginx.yml
├── php-conflict.yml
├── random.yml
├── redhat-logrotate.yml
├── redhat-remi.yml
├── redhat.yml
├── redis-secure.yml
├── selinux-context.yml
├── stix-cybox.yml
├── systemd-misp-modules.yml
├── testing.yml
└── travis.yml
├── templates
├── apache2-misp.conf.j2
├── backup-misp.sh.j2
├── config.php.j2
├── gpg-template.j2
├── misp-php.ini.j2
├── misp-snuffleupagus-rules.ini.j2
├── misp-workers.conf.j2
├── nginx-empty.conf.j2
├── nginx-misp.conf.j2
├── restore-misp.sh.j2
└── systemd-misp-modules.service.j2
├── test
├── integration
│ ├── default-HEAD
│ │ ├── bats
│ │ │ ├── idempotency.bats
│ │ │ └── process.bats
│ │ ├── default.yml
│ │ └── serverspec
│ │ │ ├── Gemfile
│ │ │ ├── Rakefile
│ │ │ ├── gpg_spec.rb
│ │ │ ├── misp2_spec.rb
│ │ │ ├── misp_log_spec.rb
│ │ │ ├── misp_spec.rb
│ │ │ ├── mispapi_spec.rb
│ │ │ ├── mispmodules_spec.rb
│ │ │ ├── mysql_spec.rb
│ │ │ ├── redis_spec.rb
│ │ │ ├── run-local-tests.sh
│ │ │ ├── snuffleupagus_spec.rb
│ │ │ ├── supervisor.rb
│ │ │ └── webserver_spec.rb
│ ├── default-nosnuffle
│ │ ├── bats
│ │ │ ├── idempotency.bats
│ │ │ └── process.bats
│ │ ├── default.yml
│ │ └── serverspec
│ │ │ ├── Gemfile
│ │ │ ├── Rakefile
│ │ │ ├── gpg_spec.rb
│ │ │ ├── misp2_spec.rb
│ │ │ ├── misp_log_spec.rb
│ │ │ ├── misp_spec.rb
│ │ │ ├── mispapi_spec.rb
│ │ │ ├── mispmodules_spec.rb
│ │ │ ├── mysql_spec.rb
│ │ │ ├── redis_spec.rb
│ │ │ ├── run-local-tests.sh
│ │ │ ├── supervisor.rb
│ │ │ └── webserver_spec.rb
│ ├── default
│ │ ├── bats
│ │ │ ├── idempotency.bats
│ │ │ └── process.bats
│ │ ├── default.yml
│ │ └── serverspec
│ │ │ ├── Gemfile
│ │ │ ├── Rakefile
│ │ │ ├── gpg_spec.rb
│ │ │ ├── misp2_spec.rb
│ │ │ ├── misp_spec.rb
│ │ │ ├── mispapi_spec.rb
│ │ │ ├── mispmodules_spec.rb
│ │ │ ├── mysql_spec.rb
│ │ │ ├── redis_spec.rb
│ │ │ ├── run-local-tests.sh
│ │ │ ├── snuffleupagus_spec.rb
│ │ │ ├── supervisor.rb
│ │ │ └── webserver_spec.rb
│ └── nginx
│ │ ├── default.yml
│ │ └── serverspec
│ │ ├── Rakefile
│ │ ├── misp2_spec.rb
│ │ ├── misp_spec.rb
│ │ ├── mysql_spec.rb
│ │ ├── supervisor.rb
│ │ └── webserver_spec.rb
├── lxd
│ ├── centos-ssh-image.sh
│ └── debian-ssh-image.sh
└── vagrant
│ ├── Vagrantfile
│ ├── ansible.cfg
│ └── site.yml
└── vars
├── Debian-11.yml
├── RedHat-6.yml
├── RedHat-7.yml
├── RedHat-8.yml
├── RedHat-9.yml
├── Ubuntu-12.04.yml
├── Ubuntu-14.04.yml
├── Ubuntu-16.04.yml
├── Ubuntu-18.04.yml
├── Ubuntu-20.04.yml
├── Ubuntu-22.04.yml
├── Ubuntu-24.04.yml
├── apache2-CentOS.yml
├── apache2-Debian.yml
├── apache2-RedHat.yml
├── apache2-Rocky.yml
├── apache2-Ubuntu.yml
├── misp24.yml
├── misp25.yml
├── nginx-CentOS.yml
├── nginx-RedHat.yml
└── nginx-Ubuntu.yml
/.ansible-lint:
--------------------------------------------------------------------------------
1 | ---
2 | warn_list:
3 | - experimental
4 | exclude_paths:
5 | - .github/workflows/galaxy.yml
6 |
--------------------------------------------------------------------------------
/.codespellignore:
--------------------------------------------------------------------------------
1 | # selinux file extension
2 | te
3 | # Jenkinsfile docker volume
4 | ro
5 | # LIEF
6 | lief
7 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/Bug_report.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | description: You're having technical issues
4 | title: "Bug: "
5 | labels: ["bug", "triage needed"]
6 | body:
7 | - type: markdown
8 | attributes:
9 | value: |
10 | Thanks for taking the time to report this issue.
11 |
12 | A few troubleshooting resources that may help:
13 | * [Tech Support Cheat Sheet, xkcd](https://xkcd.com/627/)
14 | * [Software Problem Solving Cheat Sheet, nextron-systems](https://www.nextron-systems.com/2018/06/10/software-problem-solving-cheat-sheet/)
15 | - type: textarea
16 | id: prerequisites
17 | attributes:
18 | label: Prerequisites
19 | value: |
20 |
21 |
22 | - [ ] Ensure no duplicate issue
23 | - [ ] Using an up-to-date latest release or tag
24 | - [ ] Tested an up-to-date latest HEAD
25 | - [ ] Collected play logs on verbose mode aka `ansible-playbook -vvv playbook.yml`. Redact any sensitive information.
26 | - [ ] Ensured the latest stable underlying software is used (ansible, operating systems...)
27 | validations:
28 | required: true
29 | - type: textarea
30 | id: environment
31 | attributes:
32 | label: Your Environment
33 | value: |
34 |
35 | * Version used:
36 | * Server type and version:
37 | * Operating System and version:
38 | * Link to your project:
39 | validations:
40 | required: true
41 | - type: textarea
42 | id: expected-behavior
43 | attributes:
44 | label: Expected behavior
45 | validations:
46 | required: true
47 | - type: textarea
48 | id: actual-behavior
49 | attributes:
50 | label: Actual behavior
51 | validations:
52 | required: true
53 | - type: textarea
54 | id: steps-to-reproduce
55 | attributes:
56 | label: Steps to reproduce
57 | description: Please be as thorough as possible.
58 | validations:
59 | required: true
60 | - type: textarea
61 | id: solution
62 | attributes:
63 | label: Possible Solution (Not obligatory)
64 | description: Suggest a reason for the bug or how to fix it.
65 | validations:
66 | required: false
67 | - type: textarea
68 | id: context
69 | attributes:
70 | label: More context
71 | description: Any other context that helps understand the issue.
72 | value: |
73 |
74 |
75 |
76 | validations:
77 | required: false
78 | - type: textarea
79 | id: logs
80 | attributes:
81 | label: Relevant log output
82 | description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
83 | render: shell
84 | - type: textarea
85 | id: extra-attachments
86 | attributes:
87 | label: Extra attachments
88 | description: Please add any other relevant attachments such as screenshots, log files, etc. here.
89 | - type: checkboxes
90 | id: terms
91 | attributes:
92 | label: Code of Conduct
93 | description: By submitting this issue, you agree to follow our [Code of Conduct](https://www.contributor-covenant.org/version/2/1/code_of_conduct.html)
94 | options:
95 | - label: I agree to follow this project's Code of Conduct
96 | required: true
97 | #
98 | # https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository
99 | # https://github.com/stevemao/github-issue-templates/blob/master/bugs-only/ISSUE_TEMPLATE.md
100 | # https://www.talater.com/open-source-templates/#/page/1
101 | # https://github.com/MISP/MISP/tree/2.4/.github/ISSUE_TEMPLATE
102 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/Feature_request.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature request
3 | description: You have an idea to improve this project
4 | title: "Feature request: "
5 | labels: ["feature request", "triage needed"]
6 | body:
7 | - type: markdown
8 | attributes:
9 | value: |
10 | Thanks for taking the time to share your idea.
11 | - type: textarea
12 | id: description
13 | attributes:
14 | label: Detailed Description
15 | description: Provide a detailed description of the change or addition you are proposing.
16 | validations:
17 | required: true
18 | - type: textarea
19 | id: context
20 | attributes:
21 | label: More context
22 | description: Any other context that helps understand the request.
23 | value: |
24 |
25 |
26 | validations:
27 | required: false
28 | - type: textarea
29 | id: implementation
30 | attributes:
31 | label: Possible Implementation
32 | description: Not obligatory, but suggest an idea for implementing the addition or change.
33 | validations:
34 | required: false
35 | - type: textarea
36 | id: alternatives
37 | attributes:
38 | label: Describe alternatives you've considered
39 | placeholder: A clear and concise description of any alternative solutions or features you've considered.
40 | - type: checkboxes
41 | id: terms
42 | attributes:
43 | label: Code of Conduct
44 | description: By submitting this issue, you agree to follow our [Code of Conduct](https://www.contributor-covenant.org/version/2/1/code_of_conduct.html)
45 | options:
46 | - label: I agree to follow this project's Code of Conduct
47 | required: true
48 | #
49 | # https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository
50 | # https://github.com/stevemao/github-issue-templates/blob/master/bugs-only/ISSUE_TEMPLATE.md
51 | # https://www.talater.com/open-source-templates/#/page/98
52 | # https://github.com/MISP/MISP/tree/2.4/.github/ISSUE_TEMPLATE
53 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/Report_security_issue.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Report a security issue
3 | description: You found a security issue
4 | title: "Security: "
5 | labels: ["security", "triage needed"]
6 | body:
7 | - type: markdown
8 | attributes:
9 | value: |
10 | Thanks for taking the time to report this issue. If the issue is sensitive, please use the web form or GitHub private vulnerability reporting instead, as described in SECURITY.md.
11 | - type: input
12 | id: contact
13 | attributes:
14 | label: Contact Details
15 | description: How can we get in touch with you if we need more info?
16 | placeholder: ex. email@example.com
17 | validations:
18 | required: false
19 | - type: input
20 | id: affected
21 | attributes:
22 | label: Affected version(s)
23 | description: Commit, tag or release affected
24 | validations:
25 | required: false
26 | - type: textarea
27 | id: findings
28 | attributes:
29 | label: What did you find?
30 | description: Precise and detailed steps (include screenshots) that created the problem
31 | placeholder: Tell us what you see!
32 | value: "pop!"
33 | validations:
34 | required: true
35 | - type: dropdown
36 | id: securitytype
37 | attributes:
38 | label: Type
39 | description: What kind of security issue did you find?
40 | options:
41 | - Security Incident
42 | - Vulnerability
43 | - Other
44 | validations:
45 | required: true
46 | - type: textarea
47 | id: reproduce
48 | attributes:
49 | label: How to reproduce the issue?
50 | description: Step-by-step instructions to reproduce the issue, if available with proof-of-concept or exploit code.
51 | - type: textarea
52 | id: logs
53 | attributes:
54 | label: Relevant log(s) output
55 | description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
56 | render: shell
57 | - type: textarea
58 | id: mitigations
59 | attributes:
60 | label: Mitigations or workarounds.
61 | description: Any condition(s) that limit the impact of the issue?
62 | - type: textarea
63 | id: known
64 | attributes:
65 | label: Is the issue public or exploited in the wild?
66 | description: Whether this vulnerability is public or known to third parties. If so, please provide details.
67 | - type: checkboxes
68 | id: terms
69 | attributes:
70 | label: Code of Conduct
71 | description: By submitting this issue, you agree to follow our [Code of Conduct](https://www.contributor-covenant.org/version/2/1/code_of_conduct.html)
72 | options:
73 | - label: I agree to follow this project's Code of Conduct
74 | required: true
75 | # https://github.com/github/securitylab/blob/main/docs/report-template.md
76 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/config.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
3 | blank_issues_enabled: true
4 | contact_links:
5 | - name: Discussions
6 | url: https://github.com/juju4/ansible-adduser/discussions
7 | about: Please ask and answer questions here.
8 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## Description
4 |
5 |
6 | ## Motivation and Context
7 |
8 |
9 |
10 | ## How Has This Been Tested?
11 |
12 |
13 |
14 |
15 | ## Screenshots (if appropriate):
16 |
17 | ## Types of changes
18 |
19 | - [ ] Bug fix (non-breaking change which fixes an issue)
20 | - [ ] New feature (non-breaking change which adds functionality)
21 | - [ ] Breaking change (fix or feature that would cause existing functionality to change)
22 |
23 | ## Checklist:
24 |
25 |
26 | - [ ] My code follows the code style of this project.
27 | - [ ] My change requires a change to the documentation.
28 | - [ ] I have updated the documentation accordingly.
29 | - [ ] I have read the **CONTRIBUTING** document.
30 | - [ ] I have added tests to cover my changes.
31 | - [ ] All new and existing tests passed including pre-commit and github actions.
32 | - [ ] Used in production.
33 |
34 |
37 |
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
3 | # Set update schedule for GitHub Actions
4 |
5 | version: 2
6 | updates:
7 |
8 | - package-ecosystem: "github-actions"
9 | directory: "/"
10 | schedule:
11 | # Check for updates to GitHub Actions every week
12 | interval: "weekly"
13 |
--------------------------------------------------------------------------------
/.github/stale.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Configuration for probot-stale - https://github.com/probot/stale
3 |
4 | # Number of days of inactivity before an Issue or Pull Request becomes stale
5 | daysUntilStale: 60
6 |
7 | # Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
8 | # Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
9 | daysUntilClose: 30
10 |
11 | # Only issues or pull requests with all of these labels are checked for staleness. Defaults to `[]` (disabled)
12 | onlyLabels: []
13 |
14 | # Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
15 | exemptLabels:
16 | - pinned
17 | - security
18 | - "[Status] Maybe Later"
19 |
20 | # Set to true to ignore issues in a project (defaults to false)
21 | exemptProjects: false
22 |
23 | # Set to true to ignore issues in a milestone (defaults to false)
24 | exemptMilestones: false
25 |
26 | # Set to true to ignore issues with an assignee (defaults to false)
27 | exemptAssignees: false
28 |
29 | # Label to use when marking as stale
30 | staleLabel: wontfix
31 |
32 | # Comment to post when marking as stale. Set to `false` to disable
33 | markComment: >
34 | This issue has been automatically marked as stale because it has not had
35 | recent activity. It will be closed if no further activity occurs. Thank you
36 | for your contributions.
37 |
38 | # Comment to post when removing the stale label.
39 | # unmarkComment: >
40 | # Your comment here.
41 |
42 | # Comment to post when closing a stale Issue or Pull Request.
43 | # closeComment: >
44 | # Your comment here.
45 |
46 | # Limit the number of actions per hour, from 1-30. Default is 30
47 | limitPerRun: 30
48 |
49 | # Limit to only `issues` or `pulls`
50 | # only: issues
51 |
52 | # Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':
53 | # pulls:
54 | # daysUntilStale: 30
55 | # markComment: >
56 | # This pull request has been automatically marked as stale because it has not had
57 | # recent activity. It will be closed if no further activity occurs. Thank you
58 | # for your contributions.
59 |
60 | # issues:
61 | # exemptLabels:
62 | # - confirmed
63 |
--------------------------------------------------------------------------------
/.github/workflows/default.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: AnsibleCI
3 |
4 | on:
5 | push:
6 | pull_request:
7 | workflow_dispatch:
8 | schedule: # run weekly, every Monday 01:00
9 | - cron: '0 1 * * 1'
10 |
11 | permissions: {}
12 |
13 | jobs:
14 | build:
15 | permissions:
16 | contents: read
17 | runs-on: ubuntu-latest
18 | continue-on-error: ${{ matrix.experimental }}
19 | strategy:
20 | fail-fast: false
21 | max-parallel: 4
22 | matrix:
23 | include:
24 | - molecule_distro: 'debian:bookworm'
25 | experimental: false
26 | - molecule_distro: 'debian:bullseye'
27 | experimental: false
28 | - molecule_distro: 'rockylinux:9'
29 | experimental: true
30 | - molecule_distro: 'ubuntu:24.04'
31 | experimental: true
32 | - molecule_distro: 'ubuntu:22.04'
33 | experimental: false
34 | env:
35 | ANSIBLE_CALLBACKS_ENABLED: profile_tasks
36 | MOLECULE_NO_LOG: "false"
37 | ANSIBLE_ROLE: juju4.misp
38 |
39 | steps:
40 | - uses: actions/checkout@v4
41 | with:
42 | path: ${{ env.ANSIBLE_ROLE }}
43 | - name: Set up Python
44 | uses: actions/setup-python@v5
45 | with:
46 | python-version: '3.x'
47 | - name: Install dependencies
48 | run: |
49 | python -m pip install --upgrade pip
50 | pip install molecule[docker] ansible-lint flake8 testinfra ansible
51 | mkdir -p $HOME/.ansible/roles && ln -s $GITHUB_WORKSPACE/$ANSIBLE_ROLE $HOME/.ansible/roles/
52 | # template search only in currently executed role root/tasks/templates folders and molecule scenario root/templates folders
53 | cp $GITHUB_WORKSPACE/$ANSIBLE_ROLE/templates/misp-snuffleupagus-rules.ini.j2 $GITHUB_WORKSPACE/$ANSIBLE_ROLE/molecule/default/
54 | - name: Fetch central settings repository
55 | run: |
56 | export settings_repo="https://raw.githubusercontent.com/juju4/ansible-ci-settings/main"
57 | cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE
58 | set -x
59 | curl -o requirements.txt "$settings_repo/requirements.txt"
60 | curl -o .ansible-lint "$settings_repo/.ansible-lint"
61 | curl -o .yamllint "$settings_repo/.yamllint"
62 | pip install -r requirements.txt
63 | continue-on-error: true
64 | - name: Environment
65 | run: |
66 | pwd
67 | env
68 | find -ls
69 | - name: run test
70 | run: |
71 | cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && molecule test
72 | env:
73 | PY_COLORS: '1'
74 | ANSIBLE_FORCE_COLOR: '1'
75 | MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
76 |
--------------------------------------------------------------------------------
/.github/workflows/galaxy-release.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Galaxy-NG Roles Import
3 |
4 | on:
5 | release:
6 | types: [created, edited, published, released]
7 | push:
8 | tags:
9 | - '*'
10 |
11 | permissions: {}
12 |
13 | jobs:
14 | build:
15 | name: Galaxy Role Importer
16 | runs-on: ubuntu-latest
17 |
18 | steps:
19 | - name: 'Checkout git repo'
20 | uses: actions/checkout@v4
21 | with:
22 | submodules: true
23 | fetch-depth: 0
24 |
25 | - name: 'Release on galaxy'
26 | uses: ansible-actions/ansible-galaxy-action@388fe24563eb7889730a1c10587a8acd005bd42a
27 | with:
28 | galaxy_api_key: ${{ secrets.galaxy_api_key }}
29 | galaxy_version: 'main'
30 |
--------------------------------------------------------------------------------
/.github/workflows/lint.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: lint
3 |
4 | on:
5 | push:
6 | pull_request:
7 | workflow_dispatch:
8 |
9 | permissions: {}
10 |
11 | jobs:
12 | build:
13 |
14 | runs-on: ubuntu-latest
15 | strategy:
16 | fail-fast: false
17 | max-parallel: 4
18 | env:
19 | ANSIBLE_CALLBACKS_ENABLED: profile_tasks
20 | ANSIBLE_EXTRA_VARS: ""
21 | ANSIBLE_ROLE: juju4.misp
22 |
23 | steps:
24 | - uses: actions/checkout@v4
25 | with:
26 | path: ${{ env.ANSIBLE_ROLE }}
27 | - name: Set up Python
28 | uses: actions/setup-python@v5
29 | with:
30 | python-version: '3.x'
31 | - name: Install dependencies
32 | run: |
33 | python3 -m pip install --upgrade pip
34 | pip3 install ansible-lint flake8 yamllint
35 | which ansible
36 | pip3 install ansible
37 | pip3 show ansible
38 | ls -l $HOME/.local/bin || true
39 | ls -l /opt/hostedtoolcache/Python/3.9.1/x64/bin || true
40 | echo "/opt/hostedtoolcache/Python/3.9.1/x64/bin" >> $GITHUB_PATH
41 | ansible --version
42 | cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE
43 | [ -f molecule/default/requirements.yml ] && ansible-galaxy install -r molecule/default/requirements.yml
44 | [ -f get-dependencies.sh ] && sh -x get-dependencies.sh
45 | { echo '[defaults]'; echo 'callbacks_enabled = profile_tasks, timer'; echo 'roles_path = ../'; echo 'ansible_python_interpreter: /usr/bin/python3'; } >> ansible.cfg
46 | - name: Fetch central settings repository
47 | run: |
48 | export settings_repo="https://raw.githubusercontent.com/juju4/ansible-ci-settings/main"
49 | cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE
50 | set -x
51 | curl -o requirements.txt "$settings_repo/requirements.txt"
52 | curl -o .ansible-lint "$settings_repo/.ansible-lint"
53 | curl -o .yamllint "$settings_repo/.yamllint"
54 | pip install -r requirements.txt
55 | continue-on-error: true
56 | - name: Environment
57 | run: |
58 | pwd
59 | env
60 | find . -ls
61 | - uses: codespell-project/actions-codespell@master
62 | with:
63 | ignore_words_file: ${{ env.ANSIBLE_ROLE }}/.codespellignore
64 | skip: .git
65 | exclude_file: "*/files/pgp-09e2cd4944e6cbcd.asc"
66 | path: ${{ env.ANSIBLE_ROLE }}
67 | if: ${{ always() }}
68 | - name: yamllint
69 | run: |
70 | cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && yamllint .
71 | if: ${{ always() }}
72 | - name: ansible-lint
73 | run: |
74 | cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && ansible-lint
75 | if: ${{ always() }}
76 |
--------------------------------------------------------------------------------
/.kitchen.docker.yml:
--------------------------------------------------------------------------------
1 | ---
2 | driver:
3 | name: docker
4 | ## https://github.com/test-kitchen/kitchen-docker/issues/54
5 | use_sudo: false
6 | ## resources limit
7 | cpu: 2
8 | memory: 1GB
9 | run_options: --cpus=0.8
10 |
11 | transport:
12 | name: sftp
13 |
14 | provisioner:
15 | name: ansible_playbook
16 | roles_path: ../
17 | hosts: all
18 | # ansible_verbose: true
19 | ansible_verbose: false
20 | ansible_verbosity: 4
21 | # ansible_version: 2.7.7
22 | ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
23 | ansible_cfg_path: test/vagrant/ansible.cfg
24 | # require_chef_omnibus: false
25 | require_ansible_omnibus: true
26 | # require_chef_for_busser: false
27 | enable_yum_epel: true
28 | ansible_connection: ssh
29 |
30 | platforms:
31 | - name: centos-8
32 | - name: centos-7
33 | - name: debian-bullseye
34 | - name: ubuntu-20.04
35 |
36 | suites:
37 | - name: default
38 | run_list:
39 | attributes:
40 | - name: default-HEAD
41 | run_list:
42 | attributes:
43 | - name: nginx
44 | run_list:
45 | attributes:
46 |
--------------------------------------------------------------------------------
/.kitchen.vagrant.yml:
--------------------------------------------------------------------------------
1 | ---
2 | driver:
3 | name: vagrant
4 | provider: <%= ENV['KITCHEN_PROVIDER'] || 'virtualbox' %>
5 |
6 | transport:
7 | name: sftp
8 |
9 | driver_config:
10 | customize:
11 | # cpus: 2
12 | memory: 1024
13 |
14 | provisioner:
15 | name: ansible_playbook
16 | roles_path: ../
17 | hosts: all
18 | # ansible_verbose: true
19 | ansible_verbose: false
20 | ansible_verbosity: 3
21 | ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
22 | ansible_cfg_path: test/vagrant/ansible.cfg
23 |
24 | platforms:
25 | - name: centos-8
26 | - name: centos-7
27 | driver_config:
28 | network:
29 | - ["forwarded_port", {guest: 80, host: 8589}]
30 | - name: debian-bullseye
31 | - name: ubuntu-20.04
32 |
33 | suites:
34 | - name: default
35 | run_list:
36 | attributes:
37 | - name: default-HEAD
38 | run_list:
39 | attributes:
40 | - name: nginx
41 | run_list:
42 | attributes:
43 | misp_webserver: 'nginx'
44 |
--------------------------------------------------------------------------------
/.kitchen.yml:
--------------------------------------------------------------------------------
1 | ---
2 | driver:
3 | name: lxd_cli
4 |
5 | transport:
6 | name: sftp
7 |
8 | driver_config:
9 | customize:
10 | # cpus: 2
11 | memory: 1024
12 |
13 | provisioner:
14 | name: ansible_playbook
15 | roles_path: ../
16 | hosts: all
17 | ansible_verbose: true
18 | # ansible_verbose: false
19 | ansible_verbosity: 2
20 | # ansible_version: 2.7.7
21 | ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
22 | ansible_cfg_path: test/vagrant/ansible.cfg
23 | require_ansible_omnibus: true
24 | # planned for deprecation per https://docs.chef.io/workstation/config_yml_kitchen/
25 | require_chef_omnibus: true
26 | # https://github.com/neillturner/kitchen-ansible#ruby-install-to-run-serverspec-verify
27 | require_chef_for_busser: false
28 | require_ruby_for_busser: false
29 | chef_omnibus_url: https://omnitruck.chef.io/install.sh
30 | enable_yum_epel: true
31 | ansible_connection: ssh
32 | ansible_omnibus_url: https://raw.githubusercontent.com/juju4/omnibus-ansible/master/ansible_install.sh
33 |
34 | verifier:
35 | name: serverspec
36 | sudo_path: true
37 |
38 | platforms:
39 | - name: centos-9-Stream
40 | - name: centos-8-Stream
41 | - name: centos-7
42 | ## httpd/centos7/capability issue on lxc
43 | ## https://github.com/lxc/lxd/issues/1245 = only choice is privileged
44 | ## https://bugzilla.redhat.com/show_bug.cgi?id=1012952
45 | driver:
46 | config:
47 | security.privileged: true
48 | - name: debian-bullseye
49 | - name: ubuntu-22.04
50 | - name: ubuntu-20.04
51 |
52 | suites:
53 | - name: default
54 | run_list:
55 | attributes:
56 | - name: default-HEAD
57 | run_list:
58 | attributes:
59 | - name: default-nosnuffle
60 | run_list:
61 | attributes:
62 |
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | repos:
3 | - repo: https://github.com/pre-commit/pre-commit-hooks
4 | rev: v5.0.0
5 | hooks:
6 | - id: check-yaml
7 | - id: end-of-file-fixer
8 | exclude: 'files/patch-*'
9 | - id: trailing-whitespace
10 | exclude: 'files/patch-*'
11 | - id: check-added-large-files
12 | - id: check-json
13 | - id: detect-private-key
14 | - id: check-case-conflict
15 | - id: double-quote-string-fixer
16 | - id: requirements-txt-fixer
17 | - repo: https://github.com/ansible-community/ansible-lint.git
18 | rev: v25.1.3
19 | hooks:
20 | - id: ansible-lint
21 | files: \.(yaml|yml)$
22 | - repo: https://github.com/codespell-project/codespell
23 | rev: v2.4.1
24 | hooks:
25 | - id: codespell
26 | args: [-I, .codespellignore, --exclude-file, files/pgp-09e2cd4944e6cbcd.asc]
27 | # - repo: git@github.com:Yelp/detect-secrets
28 | # rev: v1.1.0
29 | # hooks:
30 | # - id: detect-secrets
31 | # args: ['--baseline', '.secrets.baseline']
32 | # exclude: .*/tests/.*
33 |
--------------------------------------------------------------------------------
/.yamllint:
--------------------------------------------------------------------------------
1 | ---
2 | extends: default
3 |
4 | rules:
5 | line-length: disable
6 | braces: disable
7 | truthy: disable
8 | comments:
9 | min-spaces-from-content: 1
10 | comments-indentation: false
11 | octal-values:
12 | forbid-implicit-octal: true
13 | forbid-explicit-octal: true
14 |
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | # Changelog
2 | All notable changes to this project will be documented in this file.
3 |
4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
6 |
7 | ## [Unreleased]
8 |
9 | ### Added
10 | - Github Action
11 |
12 | ### Changed
13 | - lint
14 | - test/default: use lief 0.10.1 instead of recent 0.11 - bionic only
15 | - system and pip packages dependencies update
16 | - misp-add-users permissions review
17 |
18 | ### Removed
19 | - Travis-ci
20 |
21 | ## [1.1.0] - 2020-07-19
22 |
23 | ### Added
24 | - Ubuntu 20.04
25 |
26 | ## [1.0.0] - 2020-02-23
27 |
28 | ### Added
29 | - add test/support for RedHat/Centos 8
30 |
31 | ### Changed
32 | - Travis: force test-kitchen 0.1.25 to keep compatibility with kitchen-lxd_cli
33 | - Travis: dist from trusty to xenial + lxd3
34 | https://blog.travis-ci.com/2018-11-08-xenial-release
35 | - Travis: rvm 2.6
36 | - Travis: remove testing of Ubuntu 16.04 as recent MISP/PyMISP/misp-modules updates require python 3.6; only 3.5 is available in the standard distribution.
37 | - Github: rename tags to match semantic versioning: 0.7.0, 0.8.0
38 | - misp-modules dependencies update
39 | - update patch to support php strict
40 | - more linting
41 | - handlers to manage services inside docker
42 | - lief with python3
43 |
44 | ## [0.9.0] - 2019-02-17
45 |
46 | ### Added
47 | - Gitignore
48 | - test/default+nginx: include juju4.harden-apache or juju4.harden-nginx
49 | - packer: Azure configuration
50 |
51 | ### Changed
52 | - Heavy linting to follow Galaxy's new rules after the adoption of ansible-lint
53 | https://groups.google.com/forum/#!topic/ansible-project/ehrb6AEptzA
54 | https://docs.ansible.com/ansible-lint/rules/default_rules.html
55 | https://github.com/ansible/ansible-lint
56 | - PyIntel471: not supported on Xenial - python 3.6 required
57 | - test/default (apache): switch to https by default - self-signed certificate
58 | - snuffleupagus support (php7 hardening)
59 | - update galaxy naming (juju4.MISP -> juju4.misp, redhat_epel, harden_apache...)
60 | - redis hardening (rename-command) - password protection triggers issue [TODO]
61 | - Centos/RHEL7: fix multiple issues
62 |
63 | ## [v0.8] - 2018-06-17
64 |
65 | ### Added
66 | - LIEF support: https://github.com/lief-project/LIEF.git
67 | - Centos/RHEL: selinux support, php-opcache
68 | - PyMISP verifycert option
69 | - git signed commit retrieve support (not enforced as not all commits are signed)
70 | - Jenkinsfile: extra testing with zap, arachni...
71 |
72 | ### Changed
73 |
74 | ## [v0.7] - 2017-01-30
75 |
76 | ### Added
77 | - Initial commit on Github, include simple travis, kitchen and vagrant tests
78 | - Jenkinsfile
79 | - packer: Virtualbox, Vmware configurations
80 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright (c) 2015, juju4@users.noreply.github.com
2 | All rights reserved.
3 |
4 | Redistribution and use in source and binary forms, with or without
5 | modification, are permitted provided that the following conditions are met:
6 |
7 | * Redistributions of source code must retain the above copyright notice, this
8 | list of conditions and the following disclaimer.
9 |
10 | * Redistributions in binary form must reproduce the above copyright notice,
11 | this list of conditions and the following disclaimer in the documentation
12 | and/or other materials provided with the distribution.
13 |
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 |
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
1 | # Security policy
2 |
3 | DISCLAIMER!
4 | * This is a personally maintained open-source project. Best effort will be made to support its security and resiliency but, as per the license, there is no warranty.
5 | * As this is an Ansible deployment role, vulnerability reports against Ansible itself, the deployed software (MISP and its dependencies) or the underlying operating system won't be accepted. It is the user's responsibility to keep those maintained and on non-vulnerable versions.
6 | * I believe in transparency. Given the scope of the project, a security issue is unlikely to have a major impact, so full disclosure should normally be acceptable; if you believe otherwise, use the web form or GitHub private vulnerability reporting rather than a public issue.
7 |
8 | ## Security bulletins
9 |
10 | When applicable, Security Advisories will be created inside GitHub following [Creating a repository security advisory](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory).
11 |
12 | ## Reporting a vulnerability
13 |
14 | Please use one of the processes below to report a vulnerability to the project:
15 |
16 |
17 | - [x] GitHub issue "Report a security issue" (public: anything filed there is disclosed immediately)
18 |
19 | - [x] [Web Form](https://docs.google.com/forms/d/1alWCY1VAekedhOCuP6lW-ZylsjkGKsrrDApHk36Kqe4)
20 | - [x] [GitHub Private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
21 | - [ ] Email
22 | - [ ] Bug Bounty
23 |
24 | If the issue is critical and not yet public, use the web form or GitHub private vulnerability reporting rather than a public issue.
25 | You can use [First.org Common Vulnerability Scoring System Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0) to score vulnerability.
26 |
27 | Do not forget to tell us if and how you want to be acknowledged.
28 |
29 | This project follows an immediate (public issue) or 30-day (web form / private report) disclosure timeline.
30 |
31 | This project won't request CVE(s).
32 |
33 | ## Bug Bounty or Vulnerability Disclosure Program.
34 |
35 | This project is not part of any Bug Bounty program.
36 |
37 | ## Supported Versions
38 |
39 | Only the latest release or tag is supported, along with HEAD of the main branch.
40 | Tests usually focus on the latest LTS releases from RedHat and Ubuntu, but contributions for other distributions or versions are welcome.
41 |
42 | ## Preferred Languages
43 |
44 | We prefer all communications to be in English.
45 |
46 | # References
47 |
48 | * [CNCF template SECURITY.md](https://github.com/cncf/tag-security/blob/main/project-resources/templates/SECURITY.md)
49 | * [security.txt](https://securitytxt.org/) when a website is applicable.
50 | * [Vulnerability Disclosure Cheat Sheet, OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html)
51 | * [About coordinated disclosure of security vulnerabilities](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities)
52 | * [Confidential issues, Gitlab](https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html)
53 | * [Confidential (private) issues on public repo, gitea](https://github.com/go-gitea/gitea/issues/3217)
54 | * [Report/Request CVE](https://www.cve.org/ResourcesSupport/ReportRequest)
55 |
--------------------------------------------------------------------------------
/files/disable_strict_mode.cnf:
--------------------------------------------------------------------------------
# Overrides the server sql_mode. Judging by the file name and the flag list,
# this looks like the MySQL 5.7 default set without STRICT_TRANS_TABLES and
# ONLY_FULL_GROUP_BY, plus IGNORE_SPACE — verify against the target server's
# own defaults before relying on that reading.
[mysqld]
# NOTE(review): NO_AUTO_CREATE_USER was removed in MySQL 8.0, where an unknown
# sql_mode value prevents the server from starting; confirm the MySQL/MariaDB
# version this is dropped into (MariaDB still accepts it).
sql_mode=IGNORE_SPACE,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
3 |
--------------------------------------------------------------------------------
/files/patch-app-Lib-Cackephp-lib-Cake-Core-Configure_php:
--------------------------------------------------------------------------------
1 | --- Configure.php.0 2021-06-09 10:43:34.802433991 +0000
2 | +++ Configure.php 2021-06-09 10:44:17.339123481 +0000
3 | @@ -170,9 +170,9 @@
4 |
5 | if (isset($config['debug']) && function_exists('ini_set')) {
6 | if (static::$_values['debug']) {
7 | - ini_set('display_errors', 1);
8 | + ini_set('display_errors', '1');
9 | } else {
10 | - ini_set('display_errors', 0);
11 | + ini_set('display_errors', '0');
12 | }
13 | }
14 | return true;
15 |
--------------------------------------------------------------------------------
/files/patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-Database-Mysql_php:
--------------------------------------------------------------------------------
1 | --- Mysql.php.0 2021-06-09 22:58:52.356860917 +0000
2 | +++ Mysql.php 2021-06-09 22:59:17.141262264 +0000
3 | @@ -361,7 +361,7 @@
4 | $fields[$column->Field]['unsigned'] = $this->_unsigned($column->Type);
5 | }
6 | if (in_array($fields[$column->Field]['type'], array('timestamp', 'datetime')) &&
7 | - in_array(strtoupper($column->Default), array('CURRENT_TIMESTAMP', 'CURRENT_TIMESTAMP()'))
8 | + in_array(strtoupper((string)$column->Default), array('CURRENT_TIMESTAMP', 'CURRENT_TIMESTAMP()'))
9 | ) {
10 | $fields[$column->Field]['default'] = null;
11 | }
12 |
--------------------------------------------------------------------------------
/files/patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-DboSource_php:
--------------------------------------------------------------------------------
1 | --- DboSource.php.0 2021-06-09 23:36:30.077421439 +0000
2 | +++ DboSource.php 2021-06-09 23:36:42.145616865 +0000
3 | @@ -386,7 +386,7 @@
4 | return $this->_connection->quote($this->boolean($data, true), PDO::PARAM_BOOL);
5 | case 'string':
6 | case 'text':
7 | - return $this->_connection->quote($data, PDO::PARAM_STR);
8 | + return $this->_connection->quote((string)$data, PDO::PARAM_STR);
9 | default:
10 | if ($data === '') {
11 | return $null ? 'NULL' : '""';
12 |
--------------------------------------------------------------------------------
/files/patch-app-Lib-Cackephp-lib-Cake-Network-CakeRequest_php:
--------------------------------------------------------------------------------
1 | --- CakeRequest.php.0 2021-06-09 11:04:19.550610527 +0000
2 | +++ CakeRequest.php 2021-06-09 11:04:42.150976864 +0000
3 | @@ -919,7 +919,7 @@
4 | */
5 | protected static function _parseAcceptWithQualifier($header) {
6 | $accept = array();
7 | - $header = explode(',', $header);
8 | + $header = explode(',', (string)$header);
9 | foreach (array_filter($header) as $value) {
10 | $prefValue = '1.0';
11 | $value = trim($value);
12 |
--------------------------------------------------------------------------------
/files/patch-app-Lib-Cackephp-lib-cakephp-lib-Cake-Model-Datasource-CakeSession_php:
--------------------------------------------------------------------------------
1 | --- CakeSession.php.0 2021-06-09 11:23:42.169455802 +0000
2 | +++ CakeSession.php 2021-06-09 11:23:57.657706856 +0000
3 | @@ -578,7 +578,7 @@
4 | if (empty($_SESSION) && !headers_sent() && (!function_exists('session_status') || session_status() !== PHP_SESSION_ACTIVE)) {
5 | if (!empty($sessionConfig['ini']) && is_array($sessionConfig['ini'])) {
6 | foreach ($sessionConfig['ini'] as $setting => $value) {
7 | - if (ini_set($setting, $value) === false) {
8 | + if (ini_set($setting, (string)$value) === false) {
9 | throw new CakeSessionException(__d('cake_dev', 'Unable to configure the session, setting %s failed.', $setting));
10 | }
11 | }
12 |
--------------------------------------------------------------------------------
/files/patch-app-Lib-cakephp-lib-Cake-Model-Datasource-Database:
--------------------------------------------------------------------------------
1 | --- Mysql.php.0 2021-03-07 21:51:50.195652983 +0000
2 | +++ Mysql.php 2021-03-07 21:52:43.940540686 +0000
3 | @@ -831,7 +831,7 @@
4 | */
5 | public function value($data, $column = null, $null = true) {
6 | $value = parent::value($data, $column, $null);
7 | - if (is_numeric($value) && substr($column, 0, 3) === 'set') {
8 | + if (is_numeric($value) && substr((string) $column, 0, 3) === 'set') {
9 | return $this->_connection->quote($value);
10 | }
11 | return $value;
12 |
--------------------------------------------------------------------------------
/files/patch-misp-snuffleupagus-strict:
--------------------------------------------------------------------------------
1 | --- app.orig/Controller/AppController.php 2018-12-18 06:15:57.464044001 +0000
2 | +++ app/Controller/AppController.php 2018-12-18 06:23:33.259828000 +0000
3 | @@ -478,7 +478,7 @@
4 |
5 | private function __convertEmailToName($email)
6 | {
7 | - $name = explode('@', $email);
8 | + $name = explode('@', (string)$email);
9 | $name = explode('.', $name[0]);
10 | foreach ($name as $key => $value) {
11 | $name[$key] = ucfirst($value);
12 | @@ -621,7 +621,7 @@
13 | foreach ($options['paramArray'] as $p) {
14 | if (
15 | isset($options['ordered_url_params'][$p]) &&
16 | - (!in_array(strtolower($options['ordered_url_params'][$p]), array('null', '0', false, 'false', null)))
17 | + (!in_array(strtolower((string)$options['ordered_url_params'][$p]), array('null', '0', false, 'false', null)))
18 | ) {
19 | $data[$p] = $options['ordered_url_params'][$p];
20 | $data[$p] = str_replace(';', ':', $data[$p]);
21 |
--------------------------------------------------------------------------------
/files/patch-php-resque-ex-master-lib-Resque-Redis.php:
--------------------------------------------------------------------------------
1 | --- Redis.php.0 2021-03-07 17:22:34.893788318 +0000
2 | +++ Redis.php 2021-03-07 17:24:35.120737618 +0000
3 | @@ -20,7 +20,7 @@
4 |
5 | function establishConnection()
6 | {
7 | - $this->pconnect($this->host, (int) $this->port, (int) $this->timeout, getmypid());
8 | + $this->pconnect($this->host, (int) $this->port, (int) $this->timeout, (string)getmypid());
9 | if ($this->password !== null) {
10 | $this->auth($this->password);
11 | }
12 |
--------------------------------------------------------------------------------
/files/pgp-6bbed1b63a6d639f.asc:
--------------------------------------------------------------------------------
1 | -----BEGIN PGP PUBLIC KEY BLOCK-----
2 | Version: SKS 1.1.6
3 | Comment: Hostname: pgp.mit.edu
4 |
5 | mQENBFnD1ZYBCADSXPjZEXNWHsEzdTURjH8znwZaQlYGtIFnwYMmrjvlkXvNKSh/Ugfwezda
6 | 05+n1orCW8AJgI2T540hDpqQ6UPST3IWdJ9kbTiFWq9Gfy6EQUdQO5bVTbQXa9rRJFnRmi1q
7 | h0r5kgmDpRCDMSeDKUzZlFsJ6wXIQj0ba5YKp28fu8nyQ6/Q1ROKxM8srOuPnCCNlbefMNkJ
8 | P767GM2+NGJ0X2E8v8y/S0+teR7s/JApz5HSN+rFH6ItvYqU20lQzrGtCvuq4mv7EGK7Gomn
9 | bjHxBfJgkcSRy++8WT6kFX4urprDU18LiCvlXk7YUzUwO7bg/qqRYnnEXNdYOU1Eac6FABEB
10 | AAG0LENocmlzdGlhbiBTdHVkZXIgPGNocmlzdGlhbi5zdHVkZXJAY2lyY2wubHU+iQE3BBMB
11 | CAAhBQJZw9WWAhsDBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEGu+0bY6bWOfWRMH/1Rk
12 | hxHFx4r5JLU7FiGdhb/a1i0nkNWG2I030Ywbt9mDt3AdrE9f1JMihjpFQF++6lbebrHZpuak
13 | 8JrsigaluduN6gUdQYRtKnmUKpyaowCd6Bg8aZieRWAeDreDl3qUW4VQ4iCwwu1+TuPFRaTL
14 | +8h/KmRF9fBtIW/BYZGyu/HF1dkqite37i+kJXlWYe3d2+TyMxkOfrXnFXxHXBvIjhx/xNoI
15 | 7uG0aITUcqQk78fdfEU3trraEJFyMT6dzKi4jVg9fSm1sNTuuS7DCt1usYGUZV8dDoRbCnBv
16 | 26MMUNx/0cytJSyPTz+IB1BMBnxGYvFhiNXuhYq8gGlqDD0nq3O5AQ0EWcPVlgEIAOvuuTKa
17 | l0gQBM/smkA85BL0ZLQshnt7PiDyEug9IsfJjFSO9neFZiNWuljB5B3UFdOxyTUMfpAR6KYk
18 | T7AQCije3bBniQJnogm7aWYaMjGiROX1PoGASmEHvKSsB9F3rwtDJUKnC1CYgxv1JA0cKi+R
19 | TA17h/OPy7Iwr3WOT+IjZ0+RPUGT3S+Wm7IT+8VWqu6W7gTzMW6tZaOufJn5Th6n9pGo6TIK
20 | YgQulkaX/WLXxSQKbTexQVbL/mX5nUkZ4V2ejGMAimcfFyuVnLLYtIjDE6GpBzb9FAqSztlX
21 | +9gMR8HiAXTtNzNInppD0nKbULu8H0lnuuCKmq6YpR40IDMAEQEAAYkBHwQYAQgACQUCWcPV
22 | lgIbDAAKCRBrvtG2Om1jn6paCAC5lS1X9cwiKsG2U9tppCmrScGOlzIVWhzB3jpyHBxtBakQ
23 | cXQ4qYprm9U+GyJ75sNL6xYnKtogtopYSWP3NesIRsZwWdzR5txeYW0RKYZBpuA2NV7j9kz4
24 | yh977iQVo9qvxQ01YpEw3W8r55lLyacEfsQOXAvjfkpAOuKhBDRor5x+No2fEH2OyfP1c7Lz
25 | dXgkFSeEgs+5eLBLO5HWRG1vH6fGqfxAoj6XyWmzaKNsr2bcUHSCsplu11uD0jHyjdFj/P8d
26 | J0rkLJRymZlSB+bBnhgVf77xg6T3Zcb2AviurrxnYXDZkgSAlxi9Bz3xqnmVelMp98+2ETmh
27 | 6Vzr1fzP
28 | =Bist
29 | -----END PGP PUBLIC KEY BLOCK-----
30 |
--------------------------------------------------------------------------------
/get-dependencies.sh:
--------------------------------------------------------------------------------
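#!/bin/sh
## one script to be used by travis, jenkins, packer...
## Fetches the sibling roles the tests depend on into $rolesdir (argument 1,
## default: the parent directory of this checkout) and copies this role under
## its galaxy name, juju4.misp, since kitchen cannot transfer a symlinked dir.
## All paths are quoted so a roles directory containing whitespace works.

umask 022

if [ $# != 0 ]; then
    rolesdir="$1"
else
    rolesdir="$(dirname "$0")/.."
fi

## NOTE(review): every clone below tracks the default branch HEAD of its
## upstream repository — no tag, commit pin or signature check — so a test run
## pulls whatever those repositories currently contain. Acceptable for CI;
## pin a ref before reusing this anywhere production-facing.
[ ! -d "$rolesdir/juju4.redhat_epel" ] && git clone https://github.com/juju4/ansible-redhat-epel "$rolesdir/juju4.redhat_epel"
[ ! -d "$rolesdir/geerlingguy.nginx" ] && git clone https://github.com/geerlingguy/ansible-role-nginx.git "$rolesdir/geerlingguy.nginx"
[ ! -d "$rolesdir/geerlingguy.apache" ] && git clone https://github.com/geerlingguy/ansible-role-apache.git "$rolesdir/geerlingguy.apache"
#[ ! -d "$rolesdir/geerlingguy.mysql" ] && git clone https://github.com/geerlingguy/ansible-role-mysql.git "$rolesdir/geerlingguy.mysql"
[ ! -d "$rolesdir/juju4.harden_apache" ] && git clone https://github.com/juju4/ansible-harden-apache "$rolesdir/juju4.harden_apache"
[ ! -d "$rolesdir/juju4.harden_nginx" ] && git clone https://github.com/juju4/ansible-harden-nginx "$rolesdir/juju4.harden_nginx"
[ ! -d "$rolesdir/juju4.faup" ] && git clone https://github.com/juju4/ansible-faup "$rolesdir/juju4.faup"
#[ ! -d "$rolesdir/w3af" ] && git clone https://github.com/juju4/ansible-w3af "$rolesdir/w3af"
## galaxy naming: kitchen fails to transfer symlink folder
#[ ! -e "$rolesdir/juju4.MISP" ] && ln -s ansible-MISP "$rolesdir/juju4.MISP"
## Either checkout name may exist depending on how the repo was cloned;
## the second cp is skipped once the first one succeeded.
[ ! -e "$rolesdir/juju4.misp" ] && cp -R "$rolesdir/ansible-MISP" "$rolesdir/juju4.misp"
[ ! -e "$rolesdir/juju4.misp" ] && cp -R "$rolesdir/juju4.MISP" "$rolesdir/juju4.misp"

## don't stop build on this script return code
true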
27 |
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Handlers notified by this role's tasks.
# Most restarts are skipped inside containers, where no service manager is
# available. Two different guards are used for that: is_container (presumably
# set by the role's defaults/facts — not visible here) and the
# ansible_virtualization_type fact.

- name: Reload systemd
  ansible.builtin.systemd:
    daemon_reload: yes
  become: yes
  become_user: root
  when:
    - not is_container|bool

- name: Restart misp-modules
  ansible.builtin.service:
    name: misp-modules
    state: restarted
  become: yes
  become_user: root
  when:
    - not is_container|bool

# The three webserver handlers are notified together by tasks/apache2.yml;
# their conditions do not overlap, so at most one of them runs on a host.
- name: Restart webserver
  ansible.builtin.service:
    name: "{{ apache_svc }}"
    state: "restarted"
  when: not (ansible_virtualization_type is defined and ansible_virtualization_type == "docker")

# Inside docker there is no init system: apache is restarted directly and the
# environment the Debian init script would normally export is set by hand.
- name: Restart webserver - docker,debian
  ansible.builtin.command: # noqa no-changed-when
    cmd: "apache2ctl restart"
  environment:
    APACHE_RUN_USER: www-data
    APACHE_RUN_GROUP: www-data
    APACHE_PID_FILE: /var/run/apache2/apache2.pid
    APACHE_RUN_DIR: /var/run/apache2
    APACHE_LOCK_DIR: /var/lock/apache2
    APACHE_LOG_DIR: /var/log/apache2
    LANG: C
  when:
    - (ansible_virtualization_type is defined and ansible_virtualization_type == "docker")
    - ansible_os_family == "Debian"

- name: Restart webserver - docker,redhat
  ansible.builtin.command: # noqa no-changed-when
    cmd: "apachectl restart"
  when:
    - (ansible_virtualization_type is defined and ansible_virtualization_type == "docker")
    - ansible_os_family == "RedHat"

# NOTE(review): the unit names below (php-fpm, mysql, redis) are hard-coded
# while the webserver one is a variable; Debian/Ubuntu ship e.g. php7.4-fpm and
# redis-server, RedHat ships mariadb — confirm they resolve on every target.
- name: Restart php-fpm
  ansible.builtin.service:
    name: php-fpm
    state: restarted

- name: Restart rng-tools
  ansible.builtin.service:
    name: rng-tools
    state: restarted

# NOTE(review): --force discards any local modification inside the submodule
# checkouts, and nothing here verifies what is fetched beyond the commit pins
# recorded in the MISP checkout (no tag or signature check).
- name: Updating existing MISP submodules - minor releases
  ansible.builtin.command: # noqa command-instead-of-module no-changed-when
    cmd: "git submodule update --init --force"
  args:
    chdir: "{{ misp_rootdir }}"

# "update" is implemented as a full restart of the supervisor service.
- name: Supervisor update
  ansible.builtin.service:
    name: "{{ supervisor_service }}"
    state: "restarted"

- name: Restart mysql
  ansible.builtin.service:
    name: mysql
    state: restarted

- name: Restart redis
  ansible.builtin.service:
    name: redis
    state: restarted
  when:
    - not is_container|bool
80 |
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
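---
# Galaxy metadata for the juju4.misp role.
galaxy_info:
  role_name: misp
  author: juju4
  description: MISP - Malware Information Sharing Platform & Threat Sharing
  # LICENSE is the 2-clause BSD text; use the SPDX identifier for it.
  license: BSD-2-Clause
  # The role uses fully-qualified collection names (ansible.builtin.*,
  # community.general.*, ansible.posix) which only resolve on Ansible 2.10
  # and later; the former value '1.9' predates collections entirely.
  min_ansible_version: '2.10'
  #
  # Below are all platforms currently available. Just uncomment
  # the ones that apply to your role. If you don't see your
  # platform on this list, let us know and we'll get it added!
  #
  platforms:
    - name: EL
      versions:
        - all
    - name: Ubuntu
      versions:
        - jammy
        - focal
        - bionic
  #
  # Below are all categories currently available. Just as with
  # the platforms above, uncomment those that apply to your role.
  #
  galaxy_tags:
    - system
    - security
    - threatintelligence
    - informationsharing
# No hard role dependencies: the helper roles used by the test scenarios are
# listed in molecule/default/requirements.yml and get-dependencies.sh instead.
dependencies: []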
32 |
--------------------------------------------------------------------------------
/molecule/default/molecule.yml:
--------------------------------------------------------------------------------
---
# Molecule scenario: converge the role in a docker container, then run verify.
dependency:
  # galaxy is expected to read requirements.yml next to this file.
  name: galaxy
driver:
  name: docker
platforms:
  - name: instance
    # Override with MOLECULE_DISTRO=<image> to exercise another distribution.
    image: ${MOLECULE_DISTRO:-ubuntu:20.04}
    # env:
    #   http_proxy: ${http_proxy}
    #   https_proxy: ${https_proxy}
    #   no_proxy: ${no_proxy}
    groups:
      - mispgroup
provisioner:
  name: ansible
  config_options:
    defaults:
      verbosity: 2
scenario:
  name: default
  # lint and idempotence are deliberately left out of the sequence.
  test_sequence:
    - dependency
    # - lint
    - cleanup
    - destroy
    - syntax
    - create
    - prepare
    - converge
    # - idempotence
    - verify
verifier:
  name: ansible
35 |
--------------------------------------------------------------------------------
/molecule/default/playbook.yml:
--------------------------------------------------------------------------------
---
# Converge playbook: applies the role to every molecule instance.
- name: Converge
  hosts: all
  vars:
    # NOTE(review): presumably makes a PyMISP validation failure non-fatal for
    # the test run; keep the role's default for real deployments.
    misp_pymisp_validation_fatal: false
  roles:
    - juju4.misp
8 |
--------------------------------------------------------------------------------
/molecule/default/requirements.yml:
--------------------------------------------------------------------------------
---
# Roles and collections the molecule scenario installs before converging.

collections:
  - ansible.posix

roles:
  # NOTE(review): the juju4.* roles track the moving `main` branch and the
  # geerlingguy roles carry no version at all, so each run installs whatever
  # is current upstream; pin a tag or commit when reproducibility matters.
  - src: https://github.com/juju4/ansible-redhat-epel/
    version: main
    name: juju4.redhat_epel
  - src: https://github.com/juju4/ansible-harden-apache/
    version: main
    name: juju4.harden_apache
  - src: https://github.com/juju4/ansible-harden-nginx/
    version: main
    name: juju4.harden_nginx
  - src: https://github.com/juju4/ansible-faup/
    version: main
    name: juju4.faup
  - name: geerlingguy.nginx
  - name: geerlingguy.apache
21 |
--------------------------------------------------------------------------------
/packer/ansible.sh:
--------------------------------------------------------------------------------
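#!/bin/bash -eux
## Provision Ansible on an Ubuntu packer build VM from the upstream PPA.
## Expected to run as root without a terminal; -eux aborts on any failure,
## so nothing here may prompt.

# Install Ansible repository.
# -y on apt-add-repository: without it the PPA confirmation waits for Enter,
# which has no one to answer it during an unattended build.
DEBIAN_FRONTEND=noninteractive apt-get -y update && DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
apt-get -y install software-properties-common
apt-add-repository -y ppa:ansible/ansible

# Install Ansible.
apt-get -y update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" install ansible git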
11 |
--------------------------------------------------------------------------------
/packer/azure-packer-centos7.json:
--------------------------------------------------------------------------------
1 | {
2 | "variables": {
3 | "azure_ad_tenant_id": "{{env `az_tenant_id`}}",
4 | "azure_subscription_id": "{{env `az_subscription_id`}}",
5 | "app_id": "{{env `az_client_id`}}",
6 | "client_secret": "{{env `az_client_secret`}}",
7 | "resource_group": "Testing",
8 | "storage_account": "mylab0packer"
9 | },
10 | "provisioners": [
11 | {
12 | "execute_command": "chmod +x {{ .Path }}; {{ .Vars }} sudo -E sh '{{ .Path }}'",
13 | "inline_shebang": "/bin/sh -x",
14 | "type": "shell",
15 | "inline": [
16 | "whoami",
17 | "env",
18 | "sudo yum -y update"
19 | ]
20 | },
21 | {
22 | "type": "ansible",
23 | "playbook_file": "../test/integration/default/default.yml"
24 | }
25 | ],
26 | "builders": [
27 | {
28 | "type": "azure-arm",
29 | "subscription_id": "{{user `azure_subscription_id`}}",
30 | "tenant_id": "{{user `azure_ad_tenant_id`}}",
31 | "object_id": "{{user `object_id`}}",
32 | "client_id": "{{user `app_id`}}",
33 | "client_secret": "{{user `client_secret`}}",
34 |
35 | "cloud_environment_name": "AzurePublicCloud",
36 | "location": "eastus",
37 | "vm_size": "Standard_D1",
38 |
39 | "managed_image_resource_group_name": "Testing",
40 | "managed_image_name": "juju4.misp-centos7-{{isotime \"2006-01-02\"}}",
41 |
42 | "os_type": "Linux",
43 | "image_publisher": "OpenLogic",
44 | "image_offer": "CentOS",
45 | "image_sku": "7.6",
46 | "image_version": "latest"
47 | }
48 | ]
49 | }
50 |
--------------------------------------------------------------------------------
/packer/azure-packer-misp-focal.json:
--------------------------------------------------------------------------------
1 | {
2 | "variables": {
3 | "azure_ad_tenant_id": "{{env `az_tenant_id`}}",
4 | "azure_subscription_id": "{{env `az_subscription_id`}}",
5 | "app_id": "{{env `az_client_id`}}",
6 | "client_secret": "{{env `az_client_secret`}}",
7 | "resource_group": "Testing",
8 | "storage_account": "mylab0packer"
9 | },
10 | "provisioners": [
11 | {
12 | "execute_command": "chmod +x {{ .Path }}; {{ .Vars }} sudo -E sh '{{ .Path }}'",
13 | "inline_shebang": "/bin/sh -x",
14 | "type": "shell",
15 | "inline": [
16 | "whoami",
17 | "ifconfig -a",
18 | "env"
19 | ]
20 | },
21 | {
22 | "type": "ansible",
23 | "playbook_file": "../test/integration/default/default.yml",
24 | "extra_arguments": [ "--become" ]
25 | }
26 | ],
27 | "builders": [
28 | {
29 | "type": "azure-arm",
30 | "subscription_id": "{{user `azure_subscription_id`}}",
31 | "tenant_id": "{{user `azure_ad_tenant_id`}}",
32 | "object_id": "{{user `object_id`}}",
33 | "client_id": "{{user `app_id`}}",
34 | "client_secret": "{{user `client_secret`}}",
35 |
36 | "cloud_environment_name": "AzurePublicCloud",
37 | "location": "eastus",
38 | "vm_size": "Standard_D1",
39 |
40 | "managed_image_resource_group_name": "Testing",
41 | "managed_image_name": "juju4.misp-focal-{{isotime \"2006-01-02\"}}",
42 |
43 | "os_type": "Linux",
44 | "image_publisher": "Canonical",
45 | "image_offer": "0001-com-ubuntu-server-focal",
46 | "image_sku": "20_04-lts",
47 | "image_version": "latest"
48 | }
49 | ]
50 | }
51 |
--------------------------------------------------------------------------------
/packer/cleanup.sh:
--------------------------------------------------------------------------------
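#!/bin/bash -eux
## Final packer step: strip the provisioning tooling and zero free space so the
## exported disk image compresses well. Runs under -e, so every command that
## may legitimately fail has to be handled explicitly.

# Uninstall Ansible and remove PPA.
apt-get -y remove --purge ansible
apt-add-repository -y --remove ppa:ansible/ansible
# -y: autoremove prompts for confirmation otherwise.
apt-get -y autoremove
apt-get update

# Delete unneeded files.
rm -f /home/vagrant/*.sh

# Zero out the rest of the free space using dd, then delete the written file.
# dd exits non-zero once the disk is full ("No space left on device"); under
# -e that aborted the script here and left /EMPTY behind on a full disk.
dd if=/dev/zero of=/EMPTY bs=1M || true
rm -f /EMPTY

# Add `sync` so Packer doesn't quit too early, before the large file is deleted.
sync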
18 |
--------------------------------------------------------------------------------
/packer/http/preseed.cfg:
--------------------------------------------------------------------------------
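# Ubuntu debian-installer preseed for the packer builds: unattended install,
# guided LVM over the whole disk, unattended-upgrades enabled, and a
# throw-away "vagrant" user. Duplicate partman-lvm/confirm line removed.
choose-mirror-bin mirror/http/proxy string
d-i base-installer/kernel/override-image string linux-server
d-i clock-setup/utc boolean true
d-i clock-setup/utc-auto boolean true
d-i finish-install/reboot_in_progress note
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto/choose_recipe select atomic
d-i partman-auto/method string lvm
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-lvm/device_remove_lvm boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman/confirm_write_new_label boolean true
d-i pkgsel/include string openssh-server cryptsetup build-essential libssl-dev libreadline-dev zlib1g-dev linux-source dkms nfs-common
d-i pkgsel/install-language-support boolean false
d-i pkgsel/update-policy select unattended-upgrades
d-i pkgsel/upgrade select full-upgrade
d-i time/zone string UTC
tasksel tasksel/first multiselect standard, ubuntu-server

d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/layoutcode string us
d-i keyboard-configuration/modelcode string pc105
d-i debian-installer/locale string en_US

# Create vagrant user account.
# NOTE(review): well-known weak password, and packer/setup.sh adds
# passwordless sudo on top. Fine for a local build box; this account must be
# removed or re-keyed before the image is exposed anywhere.
d-i passwd/user-fullname string vagrant
d-i passwd/username string vagrant
d-i passwd/user-password password vagrant
d-i passwd/user-password-again password vagrant
d-i user-setup/allow-password-weak boolean true
d-i user-setup/encrypt-home boolean false
# NOTE(review): unlike the other entries this line has no type field; it is
# kept verbatim from the upstream template — confirm the installer honours it.
d-i passwd/user-default-groups vagrant sudo
d-i passwd/user-uid string 900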
40 |
--------------------------------------------------------------------------------
/packer/set_symlinks.sh:
--------------------------------------------------------------------------------
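#!/bin/sh
## Point packer's builds/ and packer_cache/ at a shared location outside the
## repository (site-specific path). Safe to re-run: an existing entry is kept
## instead of failing with "File exists".
set -x
[ -L builds ] || [ -e builds ] || ln -s /opt/tmp/vagrant/homelab/packer_builds builds
[ -L packer_cache ] || [ -e packer_cache ] || ln -s /opt/tmp/vagrant/homelab/packer_cache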
5 |
--------------------------------------------------------------------------------
/packer/setup.sh:
--------------------------------------------------------------------------------
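#!/bin/bash -eux
## from https://github.com/geerlingguy/packer-ubuntu-1404/blob/master/scripts/setup.sh
## Grants the vagrant build user passwordless sudo. Intended for throw-away
## packer/vagrant images only — never ship an image carrying this entry.

# Add vagrant user to sudoers (idempotent: re-running no longer appends a
# duplicate rule).
if ! grep -qxF "vagrant ALL=(ALL) NOPASSWD: ALL" /etc/sudoers; then
    echo "vagrant ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
fi
sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers

# A malformed sudoers locks everyone out of sudo; fail the build instead.
visudo -cf /etc/sudoers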
7 |
--------------------------------------------------------------------------------
/tasks/apache2.yml:
--------------------------------------------------------------------------------
---
# Apache vhost wiring for MISP. Every task notifies all three webserver
# handlers; their `when` conditions select the one that fits the host
# (service manager, or direct apachectl inside docker).

## FIXME! or ssl ?
- name: Configure apache
  ansible.builtin.template:
    src: apache2-misp.conf.j2
    dest: "{{ apache_sitedir }}/misp.conf"
    mode: '0644'
    backup: yes
  notify:
    - Restart webserver
    - Restart webserver - docker,debian
    - Restart webserver - docker,redhat

# Remove the distribution's default vhost, presumably so only the MISP vhost
# answers on the default port.
- name: Debian | Disable default apache config
  ansible.builtin.file:
    dest: /etc/apache2/sites-enabled/000-default.conf
    state: absent
  notify:
    - Restart webserver
    - Restart webserver - docker,debian
    - Restart webserver - docker,redhat
  when: ansible_os_family == 'Debian'

# NOTE(review): this task tests ansible_distribution while its siblings test
# ansible_os_family == 'Debian'; Debian derivatives match only the latter.
- name: Debian | ensure required modules are present
  community.general.apache2_module:
    state: present
    name: "{{ item }}"
  with_items:
    - headers
    - rewrite
  notify:
    - Restart webserver
    - Restart webserver - docker,debian
    - Restart webserver - docker,redhat
  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

- name: Debian | Enable misp apache config
  ansible.builtin.file:
    src: "{{ apache_sitedir }}/misp.conf"
    dest: /etc/apache2/sites-enabled/misp.conf
    # NOTE(review): with state=link the mode is applied to the link target
    # (follow defaults to yes), i.e. to the file already set to 0644 above.
    mode: '0644'
    state: link
  notify:
    - Restart webserver
    - Restart webserver - docker,debian
    - Restart webserver - docker,redhat
  when: ansible_os_family == 'Debian'
49 |
--------------------------------------------------------------------------------
/tasks/background-jobs.yml:
--------------------------------------------------------------------------------
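---
# https://github.com/MISP/MISP/blob/2.4/docs/background-jobs-migration-guide.md
# Supervisor-based MISP background workers: PHP client libraries via composer,
# a loopback supervisord HTTP endpoint for the application, and the worker
# program definitions.

- name: Ensure supervisor is present
  ansible.builtin.package:
    name: supervisor
    state: present
  register: pkg_result
  until: pkg_result is success

# Presumably composer leaves some of these unreadable to the web server user.
# Files that do not exist (yet) are skipped rather than failing the play.
- name: Ensure composer files permissions are correct
  ansible.builtin.file:
    path: "{{ item }}"
    mode: '0644'
  loop:
    - "{{ misp_rootdir }}/app/Vendor/composer/installed.php"
    - "{{ misp_rootdir }}/app/Vendor/composer/InstalledVersions.php"
    # - "{{ misp_rootdir }}/app/Vendor/composer/autoload.php"
    - "{{ misp_rootdir }}/app/Vendor/composer/autoload_classmap.php"
    - "{{ misp_rootdir }}/app/Vendor/composer/autoload_files.php"
    - "{{ misp_rootdir }}/app/Vendor/composer/autoload_namespaces.php"
    - "{{ misp_rootdir }}/app/Vendor/composer/autoload_psr4.php"
    - "{{ misp_rootdir }}/app/Vendor/composer/autoload_real.php"
    - "{{ misp_rootdir }}/app/Vendor/composer/autoload_static.php"
    - "{{ misp_rootdir }}/app/Vendor/composer/platform_check.php"
    - "{{ misp_rootdir }}/app/Vendor/composer/ClassLoader.php"
  failed_when: false

# Composer refuses to run plugins unless allow-listed; this is limited to the
# single plugin the dependencies below pull in.
- name: Allow-plugins php-http/discovery as required
  community.general.composer:
    command: config
    arguments: allow-plugins.php-http/discovery true
    working_dir: "{{ misp_rootdir }}/app"
    executable: "{{ php_bin | default(omit) }}"
  register: pkg_result
  until: pkg_result is success
  become: yes
  become_user: "{{ www_user }}"

# Run as the web server user so the vendor tree is not owned by root.
# NOTE(review): the trailing backslashes of this literal block reach composer
# as part of the argument string; it appears to tolerate them, but a single
# line would be unambiguous.
- name: Install PHP composer dependencies for background-jobs
  community.general.composer:
    command: require
    arguments: |
      --no-ansi --no-interaction --no-progress --with-all-dependencies \
      supervisorphp/supervisor:^4.0 \
      guzzlehttp/guzzle \
      php-http/message \
      lstrojny/fxmlrpc
    working_dir: "{{ misp_rootdir }}/app"
    executable: "{{ php_bin | default(omit) }}"
    no_plugins: true
    prefer_dist: true
  register: pkg_result
  until: pkg_result is success
  become: yes
  become_user: "{{ www_user }}"

# supervisord listens on loopback only, but this block carries the HTTP
# credentials: keep the file readable by its owner alone instead of the
# previous world-readable 0644. supervisord is expected to run as root and
# reads the file at start, so this does not affect the workers.
- name: Add http server for supervisord
  ansible.builtin.blockinfile:
    path: "{{ supervisor_conf }}"
    mode: '0600'
    block: |
      [inet_http_server]
      port=127.0.0.1:9001
      username={{ misp_supervisorhttp_user }}
      password={{ misp_supervisorhttp_pass }}
  notify:
    - Supervisor update

- name: Configure misp-workers in supervisor
  ansible.builtin.template:
    src: misp-workers.conf.j2
    dest: "{{ supervisor_confdir }}/misp-workers.{{ supervisor_ext }}"
    mode: '0644'
  notify:
    - Supervisor update

- name: Ensure supervisor service is enabled
  ansible.builtin.service:
    name: "{{ supervisor_service }}"
    enabled: "yes"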
82 |
--------------------------------------------------------------------------------
/tasks/composer.yml:
--------------------------------------------------------------------------------
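---

## No gpg signature: https://github.com/composer/composer/issues/38
## https://composer.github.io/pubkeys.html
## https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
## The installer is only executed after its sha384 matches the published
## installer.sig downloaded next to it.
- name: Download Composer installer.
  ansible.builtin.get_url:
    url: "{{ item.u }}"
    dest: "{{ item.d }}"
    mode: "{{ item.m }}"
  with_items: "{{ misp_composer_dl }}"

# NOTE(review): the two /tmp paths below are hard-coded and must match the
# destinations listed in misp_composer_dl. /tmp is world-writable; a
# root-owned download directory would remove any window between the checksum
# taken here and the execution in "Install composer".
- name: Get installer checksum
  ansible.builtin.stat:
    path: /tmp/composer-installer.php
    checksum_algorithm: sha384
  register: installer
- name: Get signature hash
  # A missing or unreadable signature file leaves stdout empty, so the
  # comparison below still fails closed.
  ansible.builtin.command: cat /tmp/installer.sig
  register: installersig
  changed_when: false
  ignore_errors: true

- name: Composer signature
  when: installer.stat.checksum != installersig.stdout
  block:
    - name: Debug | installer var
      ansible.builtin.debug:
        var: installer.stat.checksum
    - name: Debug | installersig var
      ansible.builtin.debug:
        var: installersig.stdout
    - name: Check composer signature
      ansible.builtin.fail:
        msg: "FATAL! composer signature not matching."

- name: Install composer
  ansible.builtin.command: "{{ php_bin | default('php') }} -q /tmp/composer-installer.php --install-dir=/usr/local/bin --filename=composer"
  args:
    creates: /usr/local/bin/composer

- name: Install composers components
  block:
    - name: Allow-plugins composer/installers as required
      community.general.composer:
        command: config
        arguments: allow-plugins.composer/installers true
        working_dir: "{{ misp_rootdir }}/app"
        executable: "{{ php_bin | default(omit) }}"
      register: pkg_result
      until: pkg_result is success
      become: true
      become_user: "{{ www_user }}"

    - name: Install PHP dependencies via composer (kamisama/cake-resque, Vendor)
      community.general.composer:
        command: install
        working_dir: "{{ misp_rootdir }}/app"
        executable: "{{ php_bin | default(omit) }}"
      register: pkg_result
      until: pkg_result is success
      become: true
      become_user: "{{ www_user }}"
  rescue:
    # Diagnostics only. The install failure is re-raised at the end of the
    # rescue; without that a successful diagnose would let the play continue
    # with an incomplete Vendor tree.
    - name: Composer diagnose
      community.general.composer:
        command: diagnose
        working_dir: "{{ misp_rootdir }}/app"
        executable: "{{ php_bin | default(omit) }}"
      register: pkg_result
      until: pkg_result is success
      failed_when: false
      become: true
      become_user: "{{ www_user }}"
    - name: Composer global diagnose
      community.general.composer:
        command: global
        arguments: diagnose
        working_dir: "{{ misp_rootdir }}/app"
        executable: "{{ php_bin | default(omit) }}"
      register: pkg_result
      until: pkg_result is success
      failed_when: false
      become: true
      become_user: "{{ www_user }}"
    - name: Composer version profile
      community.general.composer:
        command: ""
        arguments: --version --profile -vvv --no-interaction
        working_dir: "{{ misp_rootdir }}/app"
        executable: "{{ php_bin | default(omit) }}"
      register: pkg_result
      until: pkg_result is success
      become: true
      become_user: "{{ www_user }}"
    - name: Fail after composer diagnostics
      ansible.builtin.fail:
        msg: "FATAL! composer install failed in {{ misp_rootdir }}/app, see diagnostics above."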
--------------------------------------------------------------------------------
/tasks/debian-php74.yml:
--------------------------------------------------------------------------------
---
# PHP from the ondrej/php PPA (imported by debian.yml for jammy).

- name: Debian PHP7.4 | Ensure gnupg is present
  register: pkg_result
  until: pkg_result is success
  ansible.builtin.apt:
    state: present
    name: gnupg
    update_cache: true
    cache_valid_time: 3600

- name: Debian PHP7.4 | Add ondrej/php repository from PPA
  ansible.builtin.apt_repository:
    repo: ppa:ondrej/php

- name: Debian PHP7.4 | Ensure php is present
  # Long-running install: run async and poll rather than holding the
  # connection (same shape as the main install in debian.yml).
  async: 3600
  poll: 300
  register: pkg_result
  until: pkg_result is success
  ansible.builtin.apt:
    state: present
    name: "{{ misp_pkg_list + webserver }}"
    update_cache: true
    cache_valid_time: 3600
--------------------------------------------------------------------------------
/tasks/debian.yml:
--------------------------------------------------------------------------------
---
# Debian-family package installation; jammy first gets the PHP 7.4 PPA.

- name: Import debian-php74
  when: ansible_distribution_release == 'jammy'
  ansible.builtin.import_tasks: debian-php74.yml

- name: Debian | MISP dependencies install
  # Large package set: async with polling so a slow mirror does not time out
  # the connection.
  async: 3600
  poll: 300
  register: pkg_result
  until: pkg_result is success
  ansible.builtin.apt:
    state: present
    name: "{{ misp_pkg_list + webserver }}"
    update_cache: true
    cache_valid_time: 3600
--------------------------------------------------------------------------------
/tasks/lief.yml:
--------------------------------------------------------------------------------
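---
# https://github.com/MISP/MISP/blob/2.4/INSTALL/INSTALL.rhel7.txt#L368
# Installs the lief python package into the MISP virtualenv and checks it
# imports.

- name: Ensure lief dependencies are present
  ansible.builtin.package:
    name: cmake
    state: present

- name: Install lief with pip
  ansible.builtin.pip:
    name: lief
    state: present
    version: "{{ misp_lief_version | default(omit) }}"
    virtualenv: "{{ misp_virtualenv }}"
    virtualenv_python: "{{ python3_bin }}"
  when: >
    ansible_os_family == 'Debian' or
    (ansible_os_family == "RedHat" and ansible_distribution_major_version | int >= 7)
  register: pkg_result
  until: pkg_result is success
  become: true
  become_user: "{{ www_user }}"

- name: Ensure LIEF is working
  # Run the import check as the same unprivileged user the install ran as:
  # putting a www_user-writable interpreter first in root's PATH would execute
  # that user's code with root privileges.
  ansible.builtin.command: "python -c 'import lief'"
  environment:
    PATH: "{{ misp_virtualenv }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  changed_when: false
  become: true
  become_user: "{{ www_user }}"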
--------------------------------------------------------------------------------
/tasks/misp-add-user.yml:
--------------------------------------------------------------------------------
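---
# Creates one MISP user through PyMISP's add_user.py. Expects the `user`
# (dict with email/org/role) and `list` (registered users_list.py result)
# variables from the caller.

# - debug: var=list
- name: Add user {{ user.email }}
  # argv hands each value over as a single argument, so an email, org or role
  # containing spaces or quotes is not re-split by the command module.
  ansible.builtin.command: # noqa no-changed-when
    argv:
      - "{{ misp_virtualenv }}/bin/python"
      - ./add_user.py
      - "-e"
      - "{{ user.email }}"
      - "-o"
      - "{{ user.org }}"
      - "-r"
      - "{{ user.role }}"
    chdir: "{{ misp_rootdir }}/PyMISP/examples"
  become: true
  become_user: "{{ www_user }}"
  environment:
    PYTHONPATH: /usr/local/lib/python3.6/site-packages
  # Only add users that are not already in the listing.
  when:
    - user.email is defined
    - list.stdout.find(user.email) == -1
  register: out
# - debug: var=out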
--------------------------------------------------------------------------------
/tasks/misp-add-users.yml:
--------------------------------------------------------------------------------
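---
# Sets the admin password once, wires the admin API key into PyMISP's
# examples/keys.py, validates the API and then adds the configured users.

- name: Import misp-key-file
  ansible.builtin.import_tasks: misp-key-file.yml

## FIXME! how to do it once only!
## Note: more a reset as next login, will ask to change password...
- name: Check if admin pass already set
  ansible.builtin.stat:
    path: "{{ misp_rootdir }}/.admin_pass_set"
  register: ap
- name: Set admin password
  # ansible.builtin.command: "{{ misp_rootdir }}/app/Console/cake Password \"{{ misp_web_user }}\" \"{{ misp_web_pass }}\""
  # argv passes the password as one argument (no re-splitting on quotes or
  # spaces) and no_log keeps it out of the play output; the registered result
  # is still available to failed_when.
  ansible.builtin.command: # noqa no-changed-when
    argv:
      - "{{ misp_rootdir }}/app/Console/cake"
      - user
      - change_pw
      - "{{ misp_web_user }}"
      - "{{ misp_web_pass }}"
  become: true
  become_user: "{{ www_user }}"
  when: not ap.stat.exists
  register: cakep
  failed_when: "'User not found.' in cakep.stdout or 'Error:' in cakep.stderr"
  no_log: "{{ misp_no_log }}"
- name: Admin pass set marker
  ansible.builtin.file:
    dest: "{{ misp_rootdir }}/.admin_pass_set"
    mode: '0600'
    state: touch
  when: not ap.stat.exists

# - block:
#   - name: set extra users
#     command: "{{ misp_rootdir }}/app/Console/cake Password {{ item.u }} \"{{ item.p }}\""
#     with_items: "{{ misp_webusers_list }}"
#   when: misp_webusers_list is defined and misp_webusers_list

- name: Set local variables in PyMISP/examples/keys.py
  # keys.py receives the admin API key, hence the restrictive mode and no_log.
  ansible.builtin.lineinfile:
    dest: "{{ misp_rootdir }}/PyMISP/examples/keys.py"
    regexp: "{{ item.re }}"
    line: "{{ item.l }}"
    create: true
    mode: '0640'
    group: "{{ www_user }}"
  with_items:
    - { re: "^misp_url = .*", l: "misp_url = \"{{ misp_pymisp_base_url | default(misp_base_url) }}\"" }
    - { re: "^misp_key = .*", l: "misp_key = \"{{ userkey }}\"" }
    - { re: '^misp_verifycert = .*', l: "misp_verifycert = {{ misp_pymisp_verifycert }}" }
  no_log: "{{ misp_no_log }}"

- name: Flush handlers as we need service up for API call
  ansible.builtin.meta: flush_handlers

- name: Wait for MISP port to be opened
  ansible.builtin.wait_for:
    host: "{{ misp_base_ip }}"
    port: "{{ misp_base_port }}"
    timeout: 300

- name: Ensure PyMISP API working
  ansible.builtin.command: "{{ misp_virtualenv }}/bin/python ./last.py -l 10"
  become: true
  become_user: "{{ www_user }}"
  args:
    chdir: "{{ misp_rootdir }}/PyMISP/examples"
  environment:
    debug: 'True'
    PYTHONPATH: /usr/local/lib/python3.6/site-packages
  register: test
  changed_when: false
  ignore_errors: true

- name: Test MISP API
  block:
    - name: List current users
      ansible.builtin.command: "{{ misp_virtualenv }}/bin/python ./users_list.py"
      become: true
      become_user: "{{ www_user }}"
      args:
        chdir: "{{ misp_rootdir }}/PyMISP/examples"
      environment:
        PYTHONPATH: /usr/local/lib/python3.6/site-packages
      register: listusers
      changed_when: false
  rescue:
    - name: Check MISP logs
      ansible.builtin.command: "tail -n100 {{ misp_rootdir }}/app/tmp/logs/error.log {{ misp_rootdir }}/app/tmp/logs/debug.log"
      changed_when: false
    # Only fatal when the operator asked for it; otherwise the play goes on
    # with whatever users_list.py returned.
    - name: Fail
      ansible.builtin.fail:
        msg: "Test of MISP API failed"
      when: misp_pymisp_validation_fatal | bool

- name: Add users
  when: misp_webusers_list is defined and misp_webusers_list != []
  block:
    - name: Include misp-add-user
      ansible.builtin.include_tasks: misp-add-user.yml
      vars:
        user: "{{ item }}"
        list: "{{ listusers }}"
      with_items: "{{ misp_webusers_list }}"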
--------------------------------------------------------------------------------
/tasks/misp-feeds.yml:
--------------------------------------------------------------------------------
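---
# Enables, fetches and disables feeds through the MISP REST API using the
# admin API key (userkey).

- name: Flush handlers as we need service up for API call
  ansible.builtin.meta: flush_handlers

## FIXME! not idempotent, no way to list feeds with their status
# Certificate validation defaults to off, matching the previous hard-coded
# value; set misp_feeds_validate_certs: true (new role variable) when the
# base URL presents a certificate the host trusts, so the API key is not sent
# to an unverified endpoint.
- name: Enable feeds
  ansible.builtin.uri:
    url: "{{ misp_local_base_url | default(misp_base_url) }}/feeds/enable/{{ item }}"
    method: POST
    headers:
      Authorization: "{{ userkey }}"
      Accept: application/json
      Content-Type: application/json
    validate_certs: "{{ misp_feeds_validate_certs | default(false) | bool }}"
  with_items: "{{ misp_enable_feeds }}"
  register: enableresults

# - debug: var=enableresults

- name: Fetch from feeds
  ansible.builtin.uri:
    url: "{{ misp_local_base_url | default(misp_base_url) }}/feeds/fetchFromFeed/{{ item }}"
    method: GET
    headers:
      Authorization: "{{ userkey }}"
      Accept: application/json
      Content-Type: application/json
    validate_certs: "{{ misp_feeds_validate_certs | default(false) | bool }}"
  with_items: "{{ misp_fetch_feeds }}"
  register: fetchresults

- name: Disable feeds
  ansible.builtin.uri:
    url: "{{ misp_local_base_url | default(misp_base_url) }}/feeds/disable/{{ item }}"
    method: POST
    headers:
      Authorization: "{{ userkey }}"
      Accept: application/json
      Content-Type: application/json
    validate_certs: "{{ misp_feeds_validate_certs | default(false) | bool }}"
  with_items: "{{ misp_disable_feeds }}"
  register: disableresults

# - debug: var=disableresults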
--------------------------------------------------------------------------------
/tasks/misp-gem.yml:
--------------------------------------------------------------------------------
---

- name: Install gem dependencies
  # Installs each entry of misp_gem_list system-wide, pinned to item.v when
  # given; pre-release versions are accepted.
  register: pkg_result
  until: pkg_result is success
  with_items: "{{ misp_gem_list | default([]) }}"
  community.general.gem:
    state: present
    name: "{{ item.name }}"
    version: "{{ item.v | default(omit) }}"
    pre_release: true
    user_install: false
--------------------------------------------------------------------------------
/tasks/misp-key-file.yml:
--------------------------------------------------------------------------------
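---
# Obtains the admin API key: generated with `cake userInit` on first run and
# persisted in misp_key_file, read back from that file afterwards. Exposes it
# as the `userkey` fact.

- name: Check if existing key file
  ansible.builtin.stat:
    path: "{{ misp_key_file }}"
  register: skey

# - debug: var=skey

- name: Key file
  # Generate the key when no (non-empty) key file exists yet.
  when: not skey.stat.exists or skey.stat.size == 0
  block:
    - name: "Replace default MISP admin by {{ misp_web_user }}"
      ansible.builtin.replace:
        dest: "{{ d }}"
        regexp: 'admin@admin.test'
        replace: "{{ misp_web_user }}"
        mode: '0640'
        owner: "{{ www_user }}"
        group: "{{ www_user }}"
      loop:
        - "{{ misp_rootdir }}/app/Console/Command/Ls22Shell.php"
        - "{{ misp_rootdir }}/app/Model/User.php"
      loop_control:
        loop_var: d
      when: misp_web_user != 'admin@admin.test'
    - name: Generate key file - cake userInit
      # No "creates" guard here: the block condition already covers the
      # missing-file case, and an existing *empty* key file must be
      # regenerated rather than skipped. pipefail plus the rc check make a
      # cake failure visible instead of hiding it behind a successful tee.
      ansible.builtin.shell: |
        set -o pipefail
        {{ misp_rootdir }}/app/Console/cake userInit -q | tee {{ misp_key_file }}
      args:
        executable: /bin/bash
      changed_when: true
      become: true
      become_user: "{{ www_user }}"
      register: userinit
      no_log: "{{ misp_no_log }}"
      failed_when: "userinit.rc != 0 or 'Error' in userinit.stderr"
      ignore_errors: true
    # - debug: var=userinit
    - name: Set fact userkey
      ansible.builtin.set_fact:
        userkey: "{{ userinit.stdout }}"
      no_log: "{{ misp_no_log }}"
- name: Existing key file
  when: skey.stat.exists
  block:
    - name: Get existing key file
      ansible.builtin.command: "cat {{ misp_key_file }}"
      changed_when: false
      register: userinit2
      no_log: "{{ misp_no_log }}"
    - name: Set fact userkey
      ansible.builtin.set_fact:
        userkey: "{{ userinit2.stdout }}"

# - debug: var=userkey

## FIXME! fail if returns 'Script aborted: MISP instance already initialised.'
- name: Check no script error
  ansible.builtin.fail:
    msg: "Fatal! error retrieving user key"
  when: "'Script aborted: MISP instance already initialised.' in userkey or not userkey"

- name: Ensure key file is not world-readable
  # The file holds the admin API key; tee creates it with the caller's umask.
  ansible.builtin.file:
    path: "{{ misp_key_file }}"
    mode: '0600'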
--------------------------------------------------------------------------------
/tasks/misp-modules.yml:
--------------------------------------------------------------------------------
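---
## https://github.com/MISP/misp-modules
# Installs misp-modules into the MISP virtualenv, registers the systemd unit
# and starts the service by hand when it is not running.

- name: Ensure pip cache directory exists
  ansible.builtin.file:
    dest: "/var/www/.cache/pip/http"
    owner: "{{ www_user }}"
    group: "{{ www_user }}"
    state: directory
    mode: '0755'

- name: RedHat | ensure permissions for pip cache
  ansible.builtin.file:
    dest: /usr/share/httpd/.cache/pip/http
    state: directory
    owner: "{{ www_user }}"
    mode: '0755'
    recurse: true
  when: ansible_os_family == 'RedHat'

- name: Install MISP modules (pip3)
  ansible.builtin.pip:
    name: misp-modules
    virtualenv: "{{ misp_virtualenv }}"
    virtualenv_python: "{{ python3_bin }}"
  environment:
    PATH: "{{ misp_virtualenv }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  register: pkg_result
  until: pkg_result is success
  become: true
  become_user: "{{ www_user }}"

- name: Debian | install dependencies for MISP modules (pip3) - post-install
  # NOTE(review): these VCS URLs carry no tag or commit pin, so each run
  # installs whatever the repositories' default branch currently serves and
  # the result is not reproducible.
  ansible.builtin.pip:
    name:
      - git+https://github.com/cartertemm/ODTReader.git
      - git+https://github.com/abenassi/Google-Search-API
      - git+https://github.com/SteveClement/trustar-python.git
      - git+https://github.com/sebdraven/pydnstrails.git
      - git+https://github.com/sebdraven/pyonyphe.git
    virtualenv: "{{ misp_virtualenv }}"
    virtualenv_python: "{{ python3_bin }}"
    chdir: "{{ mispmodules_rootdir }}/misp-modules"
  register: pkg_result
  until: pkg_result is success
  become: true
  become_user: "{{ www_user }}"

- name: Systemd
  ansible.builtin.import_tasks: systemd-misp-modules.yml

- name: Check if misp modules is running
  # pgrep -f matches full command lines and excludes itself; the previous
  # "ps axu | grep misp-modules" always matched its own grep process, so the
  # start task below could never trigger. rc 1 just means "no match".
  ansible.builtin.command: pgrep -f misp-modules
  register: ps
  changed_when: false
  failed_when: ps.rc not in [0, 1]
- name: Start MISP modules app
  ansible.builtin.shell: # noqa no-changed-when
    cmd: "{{ misp_virtualenv }}/bin/misp-modules -s > /tmp/misp-modules.start 2>&1 &"
  become: true
  become_user: "{{ www_user }}"
  when: ps.rc != 0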
--------------------------------------------------------------------------------
/tasks/misp-run-updates.yml:
--------------------------------------------------------------------------------
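---
# Runs the MISP admin update routines once; misp_run_updates_lock marks that
# they completed so later runs skip them.

- name: "Run admin update routines before first login"
  become: true
  become_user: "{{ www_user }}"
  ansible.builtin.command:
    chdir: "{{ misp_rootdir }}"
    cmd: "{{ misp_rootdir }}/app/Console/cake admin {{ c }}"
    creates: "{{ misp_run_updates_lock }}"
  loop:
    - "runUpdates"
    - "updateGalaxies"
    - "updateWarningLists"
    - "updateNoticeLists"
  loop_control:
    loop_var: c
  when: (misp_run_updates is defined) and misp_run_updates
  register: run_updates_routines

- name: "Update object templates for {{ misp_web_user }}"
  become: true
  become_user: "{{ www_user }}"
  ansible.builtin.command:
    chdir: "{{ misp_rootdir }}"
    cmd: "{{ misp_rootdir }}/app/Console/cake admin updateObjectTemplates 1"
    creates: "{{ misp_run_updates_lock }}"
  when: (misp_run_updates is defined) and misp_run_updates
  register: run_updates_objects

- name: "Create lock file on {{ misp_run_updates_lock }}"
  # A registered result is a (truthy) dict even when the task was skipped, so
  # the marker keys off the skipped/failed status; otherwise the lock would be
  # written without the updates having run and they would never be attempted
  # again. force=false keeps an existing lock untouched.
  ansible.builtin.copy:
    content: ""
    dest: "{{ misp_run_updates_lock }}"
    mode: '0600'
    force: false
  when:
    - run_updates_routines is not skipped
    - run_updates_routines is succeeded
    - run_updates_objects is not skipped
    - run_updates_objects is succeeded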
--------------------------------------------------------------------------------
/tasks/mysql-configure.yml:
--------------------------------------------------------------------------------
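---
# Creates the MISP database and its dedicated user and loads the schema from
# INSTALL/MYSQL.sql once (tracked by /root/.mysql_misp_imported).

- name: Database initialization
  block:
    - name: Creating mysql misp db
      community.mysql.mysql_db:
        name: misp
        state: present
        login_user: "{{ misp_mysql_user | default(omit) }}"
        login_password: "{{ misp_mysql_pass | default(omit) }}"
      no_log: "{{ misp_no_log }}"
  rescue:
    # Retry path: log in with an empty password, set the configured one, then
    # create the database again. The password must not reach the play output.
    - name: Ensure db user has not empty password
      community.mysql.mysql_user:
        name: "{{ misp_mysql_user }}"
        password: "{{ misp_mysql_pass }}"
        state: present
        login_user: "{{ misp_mysql_user }}"
        login_password: ""
      when:
        - misp_mysql_user is defined and misp_mysql_user|length > 0
        - misp_mysql_pass is defined and misp_mysql_pass|length > 0
      no_log: "{{ misp_no_log }}"
    - name: Creating mysql misp db
      community.mysql.mysql_db:
        name: misp
        state: present
        login_user: "{{ misp_mysql_user | default(omit) }}"
        login_password: "{{ misp_mysql_pass | default(omit) }}"
      no_log: "{{ misp_no_log }}"
- name: Check if mysql import done
  ansible.builtin.stat:
    path: /root/.mysql_misp_imported
  register: mispdbloaded

- name: Pre-mysql5.6 | force MyISAM mysql engine to support FULLTEXT indexes
  ansible.builtin.replace:
    dest: "{{ misp_rootdir }}/INSTALL/MYSQL.sql"
    regexp: "ENGINE=\\w+"
    replace: "ENGINE=MyISAM"
    mode: '0644'
    backup: true
  when: ansible_distribution_major_version == '7'

- name: Importing mysql misp db template
  community.mysql.mysql_db:
    name: misp
    state: import
    target: "{{ misp_rootdir }}/INSTALL/MYSQL.sql"
    login_user: "{{ misp_mysql_user | default(omit) }}"
    login_password: "{{ misp_mysql_pass | default(omit) }}"
  no_log: "{{ misp_no_log }}"
  when: not mispdbloaded.stat.exists
- name: Add marker for mysql import
  ansible.builtin.file:
    dest: /root/.mysql_misp_imported
    mode: '0600'
    state: touch
  when: not mispdbloaded.stat.exists
- name: Creating mysql misp db user
  # Application account: USAGE globally, full rights on the misp schema only.
  community.mysql.mysql_user:
    name: "{{ misp_db_user }}"
    password: "{{ misp_db_pass }}"
    priv: "*.*:USAGE/misp.*:ALL"
    state: present
    login_user: "{{ misp_mysql_user | default(omit) }}"
    login_password: "{{ misp_mysql_pass | default(omit) }}"
  no_log: "{{ misp_no_log }}"

- name: Ubuntu xenial
  when: ansible_distribution_release == 'xenial'
  block:
    - name: Temporary workaround - mysql57 disable strict mode
      ansible.builtin.copy:
        src: disable_strict_mode.cnf
        dest: /etc/mysql/conf.d/disable_strict_mode.cnf
        mode: '0644'
      notify:
        - Restart mysql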
--------------------------------------------------------------------------------
/tasks/nginx.yml:
--------------------------------------------------------------------------------
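---
# nginx site for MISP: renders the site file into apache_sitedir and enables
# it per distribution family.

- name: Debug | apache_sitedir var
  ansible.builtin.debug:
    var: apache_sitedir
- name: Debug | ansible_distribution var
  ansible.builtin.debug:
    var: ansible_distribution

- name: Set misp nginx configuration
  ansible.builtin.template:
    src: nginx-misp.conf.j2
    dest: "{{ apache_sitedir }}/misp.conf"
    mode: '0644'
  notify:
    - Restart webserver

- name: Debian
  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
  block:
    - name: Debian | enable misp configuration
      # Link target is the file rendered above; using the same variable keeps
      # the link from dangling when apache_sitedir is not
      # /etc/nginx/sites-available (apache2.yml does the same).
      ansible.builtin.file:
        src: "{{ apache_sitedir }}/misp.conf"
        dest: /etc/nginx/sites-enabled/misp.conf
        mode: '0644'
        state: link
      notify:
        - Restart webserver
    - name: Debian | disable default configuration
      ansible.builtin.file:
        dest: /etc/nginx/sites-enabled/default
        state: absent
      notify:
        - Restart webserver

- name: Set nginx default configuration
  ansible.builtin.template:
    src: nginx-empty.conf.j2
    dest: /etc/nginx/nginx.conf
    mode: '0644'
    backup: true
  notify:
    - Restart webserver
  when: ansible_os_family == "RedHat"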
--------------------------------------------------------------------------------
/tasks/php-conflict.yml:
--------------------------------------------------------------------------------
---
# Shows which php packages are installed and, on Ubuntu 22, pins the php
# alternative to 7.4.

- name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto

- name: List installed php packages
  loop: "{{ ansible_facts.packages | select('match', '^php-*') | list }}"
  ansible.builtin.debug:
    msg: "{{ item }}"

- name: Check debian alternatives
  become: true
  changed_when: false
  ansible.builtin.command:
    cmd: update-alternatives --config php

- name: Set debian alternatives
  become: true
  changed_when: false
  when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int == 22
  ansible.builtin.command:
    cmd: update-alternatives --set php /usr/bin/php7.4
--------------------------------------------------------------------------------
/tasks/random.yml:
--------------------------------------------------------------------------------
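---
# secretdir
# secretprefix
# name_random
#
# Generates a random secret once, stores it in
# {{ secretdir }}/{{ secretprefix }}-{{ name_random }} and exposes it as the
# "secret" fact on every run.

- name: Ensure openssl is present
  ansible.builtin.package:
    name: openssl
    state: present
  register: pkg_result
  until: pkg_result is success

- name: Generating salt # noqa no-free-form
  # umask 077 makes tee create the secret file owner-only instead of with the
  # default (typically world-readable) mode; "creates" keeps this a one-shot.
  ansible.builtin.shell: |
    set -o pipefail
    umask 077
    openssl rand -base64 32 | sed 's@[=\\/\\+]@@g;'| tee {{ secretdir }}/{{ secretprefix }}-{{ name_random }}
  args:
    executable: /bin/bash
    creates: "{{ secretdir }}/{{ secretprefix }}-{{ name_random }}"
  register: secrets
  changed_when: false
  no_log: true

- name: Check if existing secrets
  ansible.builtin.stat:
    path: "{{ secretdir }}/{{ secretprefix }}-{{ name_random }}"
  register: s

- name: Recover existing salt
  # Runs after a fresh generation as well, so the fact below is the single
  # source of the value (the former "when: secrets.changed" set_fact could
  # never fire because the generating task reports changed_when: false).
  ansible.builtin.command: "cat {{ secretdir }}/{{ secretprefix }}-{{ name_random }}"
  changed_when: false
  register: s2
  when: s.stat.exists
  no_log: true

- name: Set fact salt
  ansible.builtin.set_fact:
    secret: "{{ s2.stdout_lines.0 }}"
  when: s.stat.exists
  no_log: true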
--------------------------------------------------------------------------------
/tasks/redhat-logrotate.yml:
--------------------------------------------------------------------------------
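---
# logrotate for the MISP web logs on RedHat, including the SELinux policy
# module that lets logrotate read them.

- name: Ensure misp web logs are rotated
  ansible.builtin.copy:
    src: "{{ misp_rootdir }}/INSTALL/misp.logrotate"
    dest: "/etc/logrotate.d/misp"
    mode: '0644'
    remote_src: true
    backup: true

- name: Ensure misp web logs have right selinux context for rotation
  community.general.sefcontext:
    target: "{{ misp_rootdir }}/app/tmp/logs(/.*)?"
    setype: httpd_log_t
    state: present
  when: ansible_selinux.status is defined and ansible_selinux.status != 'disabled'

- name: Build misplogrotate selinux module
  ansible.builtin.command: "{{ item.c }}"
  args:
    creates: "{{ item.t }}"
  with_items:
    - { c: "checkmodule -M -m -o /root/misplogrotate.mod {{ misp_rootdir }}/INSTALL/misplogrotate.te",
        t: "/root/misplogrotate.mod"
      }
    - { c: "semodule_package -o /root/misplogrotate.pp -m /root/misplogrotate.mod", t: "/root/misplogrotate.pp" }
  when: ansible_selinux.status is defined and ansible_selinux.status != 'disabled'

- name: Check whether misplogrotate selinux module is loaded
  ansible.builtin.command: semodule -l
  register: semodule_list
  changed_when: false
  when: ansible_selinux.status is defined and ansible_selinux.status != 'disabled'

- name: Allow logrotate to read /var/www
  # The former guard, creates=/tmp/doesnotexist, re-ran the install on every
  # play and hinged on a world-writable path; the loaded-module list is the
  # authoritative, idempotent check.
  ansible.builtin.command: semodule -i /root/misplogrotate.pp
  when:
    - ansible_selinux.status is defined and ansible_selinux.status != 'disabled'
    - "'misplogrotate' not in semodule_list.stdout"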
--------------------------------------------------------------------------------
/tasks/redhat-remi.yml:
--------------------------------------------------------------------------------
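---
# Remi repository setup for PHP on RedHat-family hosts.

- name: Get the package facts
  ansible.builtin.package_facts:
    manager: "auto"

- name: Show packages
  ansible.builtin.debug:
    var: ansible_facts.packages
    verbosity: 3

- name: Import Remi rpm repository keys
  ansible.builtin.rpm_key:
    key: "{{ item }}"
    state: present
  with_items:
    - https://rpms.remirepo.net/RPM-GPG-KEY-remi
    - https://rpms.remirepo.net/RPM-GPG-KEY-remi2017
    - https://rpms.remirepo.net/RPM-GPG-KEY-remi2018
    - https://rpms.remirepo.net/RPM-GPG-KEY-remi2021
  register: pkg_result
  until: pkg_result is success

- name: RedHat | Install Remi repo
  # A package given by URL is not covered by repository gpgcheck, so fetch it
  # over https (same host the keys above already use) rather than plain http.
  ansible.builtin.dnf:
    name: "https://rpms.remirepo.net/enterprise/remi-release-{{ ansible_distribution_major_version }}.rpm"
    state: present
  when: "'remi-release' not in ansible_facts.packages"
  register: pkg_result
  until: pkg_result is success

- name: Check if remi-php repo is enabled
  ansible.builtin.command: "grep '^enabled=' /etc/yum.repos.d/remi-php{{ php_remi_version }}.repo"
  register: remistate
  changed_when: false
  when: ansible_distribution_major_version | int < 8

# https://github.com/ansible/ansible-modules-extras/issues/2384
- name: Enable remi repository for php
  ansible.builtin.command: # noqa no-changed-when
    cmd: "yum-config-manager --enable remi-php{{ php_remi_version }}"
  # yum_repository:
  #   name: remi-php56
  #   enable: yes
  when:
    - ansible_distribution_major_version | int < 8
    - remistate.stdout is defined
    - not ('enabled=1' in remistate.stdout)

- name: RHEL8 | reset php stream to use remi latest
  ansible.builtin.command: # noqa no-changed-when
    cmd: "dnf module reset php -y"
  when:
    - ansible_distribution_major_version | int >= 8
    - ansible_facts.packages['php-fpm'] is defined
    - ansible_facts.packages['php-fpm'][0]['version'] is version_compare('7.4', '<')
- name: RHEL8 | enable remi repository for php
  ansible.builtin.command: # noqa no-changed-when
    cmd: "dnf module enable php:remi-7.4 -y"
  when: ansible_distribution_major_version | int >= 8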
--------------------------------------------------------------------------------
/tasks/redis-secure.yml:
--------------------------------------------------------------------------------
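---
# https://redis.io/topics/security
# https://www.digitalocean.com/community/tutorials/how-to-secure-your-redis-installation-on-ubuntu-18-04
# Hardens the redis instance MISP uses: bind address, password, renamed
# commands and the overcommit sysctl redis expects.

- name: Redis | configure network binding
  ansible.builtin.lineinfile:
    dest: "{{ redis_conf }}"
    regexp: '^bind .*'
    line: "bind {{ misp_redis_bind }}"
    mode: '0644'
    backup: true
  notify:
    - Restart redis

- name: Redis | require password
  # The rendered line is the clear-text password: keep it out of the play
  # output (diff/verbose).
  # NOTE(review): mode 0644 leaves that password readable by every local
  # account and backup=yes keeps extra copies of the file; 0640 with the redis
  # group is the usual setting when the file's ownership allows it.
  ansible.builtin.lineinfile:
    dest: "{{ redis_conf }}"
    regexp: '^requirepass .*'
    line: "requirepass {{ misp_redis_password }}"
    mode: '0644'
    backup: true
  when: misp_redis_password is defined and misp_redis_password
  no_log: "{{ misp_no_log }}"
  notify:
    - Restart redis

- name: Redis | rename dangerous commands
  ansible.builtin.lineinfile:
    dest: "{{ redis_conf }}"
    regexp: "{{ item.re }}"
    line: "{{ item.l }}"
    mode: '0644'
  with_items: "{{ misp_redis_securecommands }}"
  when: misp_redis_securecommands is defined and misp_redis_securecommands != []
  notify:
    - Restart redis

- name: Redis | overcommit
  ansible.posix.sysctl:
    name: vm.overcommit_memory
    value: '1'
    sysctl_set: true
    state: present
    reload: true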
--------------------------------------------------------------------------------
/tasks/selinux-context.yml:
--------------------------------------------------------------------------------
---

- name: RedHat | Ensure selinux context for MISP httpd directories
  # chcon only relabels the inodes present now and is not recorded in the
  # policy, so a restorecon can revert it; the commented sefcontext form is
  # the persistent alternative.
  with_items:
    - "{{ misp_rootdir }}/app/files"
    - "{{ misp_rootdir }}/app/files/terms"
    - "{{ misp_rootdir }}/app/files/scripts/tmp"
    - "{{ misp_rootdir }}/app/Plugin/CakeResque/tmp"
    - "{{ misp_rootdir }}/app/tmp"
    - "{{ misp_rootdir }}/app/tmp/cache/persistent"
    - "{{ misp_rootdir }}/app/webroot/img/orgs"
    - "{{ misp_rootdir }}/app/webroot/img/custom"
    - "{{ misp_rootdir }}/.gnupg"
    - "{{ misp_rootdir }}/app/Config/config.php"
  ansible.builtin.command: "chcon -R -t httpd_sys_rw_content_t {{ item }}" # noqa no-changed-when
  # community.general.sefcontext:
  #   target: "{{ item }}(/.*)?"
  #   setype: httpd_sys_rw_content_t
  #   state: present
--------------------------------------------------------------------------------
/tasks/stix-cybox.yml:
--------------------------------------------------------------------------------
---
# STIX 1.x / CybOX python stack for MISP's import/export scripts, installed
# into the MISP virtualenv as the web user (become_user: www_user, so the
# venv stays owned by the account the scripts run under).
#
# Supply-chain note: cybox and stix are pinned through role variables, but
# mixbox and maec are installed unpinned and nothing is hash-verified, so a
# broken or malicious release on PyPI lands in the MISP venv on the next run.

## https://github.com/ansible/ansible-modules-core/issues/2697
- name: Install python dependencies with pip - version enforced
  # pip: name="{{ item }}" extra_args='--no-input'
  ansible.builtin.pip:
    name: "{{ item.n }}"
    version: "{{ item.v }}"
    # --exists-action=w: wipe an already-present target instead of prompting,
    # keeping the run non-interactive.
    extra_args: "--exists-action=w"
    virtualenv: "{{ misp_virtualenv }}"
    virtualenv_python: "{{ python3_bin }}"
  with_items:
    - { n: cybox, v: "{{ misp_pip_cybox_version }}" }
    - { n: stix, v: "{{ misp_pip_stix_version }}" }
  environment:
    PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  become: yes
  become_user: "{{ www_user }}"
  # Unlike the two tasks below there is no retry here: a transient PyPI
  # error fails the play outright.

- name: Install python dependencies with pip - latest
  ansible.builtin.pip:
    name: ['mixbox', 'maec']
    extra_args: "--exists-action=w"
    virtualenv: "{{ misp_virtualenv }}"
    virtualenv_python: "{{ python3_bin }}"
  environment:
    PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  register: pkg_result
  # `until` without retries/delay uses Ansible's defaults (3 attempts, 5s apart).
  until: pkg_result is success
  become: yes
  become_user: "{{ www_user }}"

- name: Install cti-python-stix2
  ansible.builtin.pip:
    # Local checkout shipped inside the MISP tree: no PyPI fetch for the
    # package itself (its dependencies are still resolved from PyPI).
    name: "file://{{ misp_rootdir }}/app/files/scripts/cti-python-stix2"
    extra_args: "--exists-action=w"
    virtualenv: "{{ misp_virtualenv }}"
    virtualenv_python: "{{ python3_bin }}"
  environment:
    PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  register: pkg_result
  until: pkg_result is success
  become: yes
  become_user: "{{ www_user }}"
  when:
    # https://github.com/MISP/cti-python-stix2/blob/main/pyproject.toml
    # NOTE(review): ansible_python_version is the interpreter Ansible runs
    # with on the target, not necessarily python3_bin that backs the venv;
    # the two can differ (system python vs. venv python) — TODO confirm.
    - ansible_python_version is version('3.7', '>=')
48 |
--------------------------------------------------------------------------------
/tasks/systemd-misp-modules.yml:
--------------------------------------------------------------------------------
---
# Run misp-modules as a systemd service. The unit is rendered from
# systemd-misp-modules.service.j2; starting/enabling it is skipped inside
# containers, where there is no usable systemd init.

- name: Ensure systemd is present
  ansible.builtin.package:
    name: systemd
    state: present

- name: Configure misp-modules systemd unit
  ansible.builtin.template:
    src: systemd-misp-modules.service.j2
    dest: /etc/systemd/system/misp-modules.service
    mode: '0644'
  notify:
    - Reload systemd
    - Restart misp-modules

- name: Enable and start misp-modules service
  ansible.builtin.service:
    name: misp-modules
    state: started
    enabled: true
  when: not is_container | bool
24 |
--------------------------------------------------------------------------------
/tasks/travis.yml:
--------------------------------------------------------------------------------
---
## Travis workaround
#
# Travis/GCE hostnames can exceed the 64-byte limit of an X.509 CN, which
# makes openssl fail with
#   "asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=64"
# e.g. cn=testing-gce-4d114f77-0ff1-41fb-bd33-22879d3249da.c.eco-emissary-99515.internal
# so a short, fixed CN is used when running under Travis.

- name: Default | set certificate_cn
  ansible.builtin.set_fact:
    certificate_cn: "{{ ansible_fqdn }}"

- name: Travis | set certificate_cn to shorter name to avoid openssl bug
  ansible.builtin.set_fact:
    certificate_cn: "testing-travis.internal"
    travisci: true
    rolesroot: '/etc/ansible/roles'
    # misp_testing_user: travis
    # misp_testing_user_home: "/home/{{ misp_testing_user }}"
    # misp_testing_key_file: "{{ misp_testing_user_home }}/build/key.txt"
  when: ansible_env.TRAVIS | default('') == 'true'

# kitchen-docker presumably runs the suite as user "kitchen"; gems it
# installs must stay readable and executable by that user. A recursive 0755
# marks every file under .gem executable — harmless on a throwaway CI home,
# not a pattern to copy elsewhere.
- name: Check if /home/kitchen/.gem exists
  ansible.builtin.stat:
    path: /home/kitchen/.gem
  register: gemdir

- name: Travis | kitchen-docker | ensure /home/kitchen/.gem permissions are correct
  ansible.builtin.file:
    dest: /home/kitchen/.gem
    owner: kitchen
    mode: '0755'
    recurse: true
  when: gemdir.stat.exists
33 |
--------------------------------------------------------------------------------
/templates/apache2-misp.conf.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment }}
# Apache virtual host for MISP, rendered by Ansible.
# NOTE(review): the container directives that scope the blocks below
# (<VirtualHost>, <Directory>, <FilesMatch>, <LocationMatch>) are not visible
# in this listing — presumably lost in extraction; the comments describe the
# directives as shown.

# Extra Listen only for non-default ports. Debian already listens on 80/443
# through ports.conf, RedHat's httpd.conf only on 80 — TODO confirm that on
# RedHat with misp_base_port == 443 this does not duplicate ssl.conf's
# "Listen 443" when mod_ssl is installed (duplicate Listen fails to bind).
{% if misp_base_port != 80 and misp_base_port != 443 and ansible_os_family == "Debian" %}
Listen {{ misp_base_port }}
{% elif misp_base_port != 80 and ansible_os_family == "RedHat" %}
Listen {{ misp_base_port }}

{% endif %}

ServerAdmin {{ misp_email_contact }}
ServerName {{ misp_servername }}
DocumentRoot {{ misp_rootdir }}/app/webroot

# No directory listings. "Order allow,deny" / "allow from all" are Apache 2.2
# access-control directives; on 2.4 they only work through mod_access_compat,
# the native form is "Require all granted". AllowOverride all lets .htaccess
# files in the webroot take effect (presumably MISP's rewrite rules).
Options -Indexes
AllowOverride all
Order allow,deny
allow from all


{% if misp_fcgi_enable %}

# Re-expose the Authorization header to PHP as HTTP_AUTHORIZATION (Apache
# withholds it from CGI/FastCGI backends by default). MISP API clients send
# their key in this header — see the curl calls in the serverspec suite.
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
DirectoryIndex /index.php index.php

# php-fpm over loopback TCP: any local process can reach :9000. A unix
# socket (as nginx-misp.conf.j2 does via nginx_sock) would limit access to
# filesystem permissions instead.
SetHandler "proxy:fcgi://127.0.0.1:9000"



{% endif %}
LogLevel warn
ErrorLog {{ apache_logs }}/misp.local_error.log
CustomLog {{ apache_logs }}/misp.local_access.log combined
# Hide the version in server-generated pages (ServerTokens is server-wide
# and presumably handled by the hardening role).
ServerSignature Off
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY

{% if misp_base_port == 443 %}
# SSLEngine is only emitted for RedHat; on Debian it presumably comes from
# the enabled SSL site / hardening conf — TODO confirm.
{% if ansible_os_family == "RedHat" %}
SSLEngine on
{% endif %}
# Certificate and key are named after the host FQDN, not after certificate_cn
# (tasks/travis.yml) — the two must be kept consistent by the task that
# generates the certificate.
SSLCertificateFile {{ ssl_dir }}/{{ ansible_fqdn }}.crt
SSLCertificateKeyFile {{ ssl_privatedir }}/{{ ansible_fqdn }}.key

# NOTE(review): HSTS and a Content-Security-Policy for the HTTPS vhost only
# arrive through this include. With misp_base_port == 443 and
# misp_webserver_harden false, the HTTPS deployment gets NO CSP at all (only
# the plain-HTTP branch below sets one).
{% if misp_webserver_harden %}
Include {{ apacheetc }}/harden-apache2-https.conf
{% endif %}

{% else %}
# If direct access without https, ensure CSP is not including
# Upgrade-Insecure-Requests
# 'unsafe-inline' and 'unsafe-eval' in default-src largely void CSP's
# protection against script injection — presumably required by MISP's
# inline JavaScript, TODO confirm. frame-ancestors 'none' repeats
# X-Frame-Options DENY for CSP-aware browsers; violations are reported to
# MISP's own /servers/cspReport endpoint.
Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; worker-src 'none'; child-src 'none'; frame-src 'none'; base-uri 'self'; img-src 'self' data:; font-src 'self'; form-action 'self'; connect-src 'self'; manifest-src 'none'; report-uri /servers/cspReport;"

{% endif %}


# ModSecurity CRS exclusion, repeated three times — presumably scoped to
# three different locations in the original file. Rule 920180 is the
# "POST without Content-Length" check in CRS 3.x — TODO confirm against the
# CRS version actually installed.
SecRuleRemoveById 920180




SecRuleRemoveById 920180




SecRuleRemoveById 920180
67 |
68 |
69 |
70 |
--------------------------------------------------------------------------------
/templates/backup-misp.sh.j2:
--------------------------------------------------------------------------------
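#!/bin/sh
{{ ansible_managed | comment }}
## backup script for misp
#
# Writes {{ backupdir }}/backup-misp-YYYY-MM-DD.tar.gz holding the MISP
# attachments (app/files), the configuration (app/Config: DB password, salt)
# and a dump of the misp database (user password hashes, API keys).
# Everything produced here is sensitive.

export PATH=/usr/sbin:/usr/bin:/sbin:/bin
# Stop at the first failing command so a failed mysqldump is not archived as
# a silently empty backup; -u catches unset variables.
set -eu
# Backup artefacts must be owner-only. The directory is created 0700 below,
# but with the previous umask 022 a pre-existing, wider directory would have
# exposed 0644 archives and dumps.
umask 077

date=$(date +%Y-%m-%d)
dest={{ backupdir }}
if [ ! -d "$dest" ]; then
    install -d -m 0700 -o root "$dest"
fi
destfile=$dest/backup-misp-$date.tar.gz
dumpfile=$dest/mysqldump-misp.sql
# Never leave a (possibly partial) plain-text dump behind, whatever happens.
trap 'rm -f "$dumpfile"' EXIT INT TERM

# Paths archived as-is. $dirs is deliberately expanded UNQUOTED below so the
# shell splits it: the old quoted form handed both paths to tar as ONE
# argument, which does not exist.
dirs="{{ misp_rootdir }}/app/files {{ misp_rootdir }}/app/Config"

# Credentials are not on the command line (they would show in `ps`); they
# presumably come from the misp user's client config or socket auth — TODO confirm.
mysqldump -u misp --opt --single-transaction misp > "$dumpfile"

# shellcheck disable=SC2086
tar czf "$destfile" $dirs "$dumpfile"
# Make sure the archive is readable before trusting it.
tar tzf "$destfile" > /dev/null
# Integrity only: a digest stored next to the archive detects corruption, not
# tampering by anyone who can also write $dest. Sign it or ship it off-host
# for that.
openssl dgst -sha512 "$destfile" > "$destfile.distinfo"

# Stable names for restore-misp.sh, whose default input is
# {{ backupdir }}/backup-misp.tar.gz (relative links survive moving $dest).
ln -sf "backup-misp-$date.tar.gz" "$dest/backup-misp.tar.gz"
ln -sf "backup-misp-$date.tar.gz.distinfo" "$dest/backup-misp.tar.gz.distinfo"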
20 |
--------------------------------------------------------------------------------
/templates/gpg-template.j2:
--------------------------------------------------------------------------------
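{{ ansible_managed | comment }}
# https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
# Batch parameters for the MISP service OpenPGP key.
# RSA 4096 replaces the previous DSA-2048 primary + 1024-bit ElGamal
# encryption subkey: a 1024-bit ElGamal subkey is below every current
# minimum (NIST disallowed 1024-bit asymmetric keys after 2013) and DSA is
# no longer a GnuPG default algorithm.
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: MISP Service
Name-Comment: generated by ansible
Name-Email: {{ misp_gpg_email }}
Expire-Date: 3y
# The passphrase is rendered in clear text into this file: the task writing
# it must keep it owner-only and remove it once the key exists — TODO confirm.
Passphrase: {{ misp_gpg_pass }}
# %pubring still redirects the public key; %secring is a no-op on GnuPG >= 2.1
# (private keys live in private-keys-v1.d/ there) and only matters on 1.x/2.0.
%pubring misp.pub
%secring misp.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done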
18 |
--------------------------------------------------------------------------------
/templates/misp-php.ini.j2:
--------------------------------------------------------------------------------
{{ ansible_managed | comment(decoration="; ") }}
; settings for MISP
; Drop-in overriding the distribution php.ini for the MISP SAPI/pool.

; Long-running imports/exports; 0 would remove the limit entirely.
max_execution_time = 300
memory_limit = 512M
; Both govern attachment/sample upload size. post_max_size must be >=
; upload_max_filesize, otherwise oversized POSTs arrive with empty
; $_POST/$_FILES. The web server's own body limit (nginx
; client_max_body_size / Apache LimitRequestBody) has to allow the same size.
upload_max_filesize = 50M
post_max_size = 50M
8 |
--------------------------------------------------------------------------------
/templates/misp-workers.conf.j2:
--------------------------------------------------------------------------------
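{{ ansible_managed | comment }}
; supervisord program group for the MISP background workers.
; Each program runs `cake start_worker <queue>` as the web user, so the
; workers have exactly the filesystem rights of the web application and no
; more. All programs append to the same two log files under app/tmp/logs, so
; lines from different workers may interleave.
; (The identical duplicate `directory=` lines each program used to carry
; were removed; they were redundant.)
[group:misp-workers]
programs=default,email,cache,prio,update

[program:default]
directory={{ misp_rootdir }}
command={{ misp_rootdir }}/app/Console/cake start_worker default
process_name=%(program_name)s_%(process_num)02d
numprocs=5
autostart=true
autorestart=true
redirect_stderr=false
stderr_logfile={{ misp_rootdir }}/app/tmp/logs/misp-workers-errors.log
stdout_logfile={{ misp_rootdir }}/app/tmp/logs/misp-workers.log
user={{ www_user }}

[program:prio]
directory={{ misp_rootdir }}
command={{ misp_rootdir }}/app/Console/cake start_worker prio
process_name=%(program_name)s_%(process_num)02d
numprocs=5
autostart=true
autorestart=true
redirect_stderr=false
stderr_logfile={{ misp_rootdir }}/app/tmp/logs/misp-workers-errors.log
stdout_logfile={{ misp_rootdir }}/app/tmp/logs/misp-workers.log
user={{ www_user }}

[program:email]
directory={{ misp_rootdir }}
command={{ misp_rootdir }}/app/Console/cake start_worker email
process_name=%(program_name)s_%(process_num)02d
numprocs=5
autostart=true
autorestart=true
redirect_stderr=false
stderr_logfile={{ misp_rootdir }}/app/tmp/logs/misp-workers-errors.log
stdout_logfile={{ misp_rootdir }}/app/tmp/logs/misp-workers.log
user={{ www_user }}

; Single instance: concurrent updates would race each other.
[program:update]
directory={{ misp_rootdir }}
command={{ misp_rootdir }}/app/Console/cake start_worker update
process_name=%(program_name)s_%(process_num)02d
numprocs=1
autostart=true
autorestart=true
redirect_stderr=false
stderr_logfile={{ misp_rootdir }}/app/tmp/logs/misp-workers-errors.log
stdout_logfile={{ misp_rootdir }}/app/tmp/logs/misp-workers.log
user={{ www_user }}

[program:cache]
directory={{ misp_rootdir }}
command={{ misp_rootdir }}/app/Console/cake start_worker cache
process_name=%(program_name)s_%(process_num)02d
numprocs=5
autostart=true
autorestart=true
redirect_stderr=false
stderr_logfile={{ misp_rootdir }}/app/tmp/logs/misp-workers-errors.log
stdout_logfile={{ misp_rootdir }}/app/tmp/logs/misp-workers.log
user={{ www_user }}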
68 |
--------------------------------------------------------------------------------
/templates/nginx-empty.conf.j2:
--------------------------------------------------------------------------------
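{{ ansible_managed | comment }}
## /etc/nginx/nginx.default (centos) for MISP
# Minimal main configuration: everything MISP-specific lives in conf.d/
# (see nginx-misp.conf.j2). The worker user is the package default because
# the `user` line is left commented.

#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
    worker_connections 1024;
}


http {
    include mime.types;
    default_type application/octet-stream;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}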
39 |
--------------------------------------------------------------------------------
/templates/nginx-misp.conf.j2:
--------------------------------------------------------------------------------
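{{ ansible_managed | comment }}

# MISP vhost for nginx + php-fpm.
# NOTE(review): this serves MISP over plain HTTP only (listen 80). MISP API
# keys travel in the Authorization header, so anything beyond local testing
# needs TLS in front of this (or a `listen 443 ssl` block) — the Apache
# template in this role does terminate TLS when misp_base_port is 443.
server {
    listen 80;

    root {{ misp_rootdir }}/app/webroot/;
    index index.php index.html index.htm;

    server_name _;

    # Same response headers the Apache template (apache2-misp.conf.j2) sets.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    # Match the PHP limits in misp-php.ini.j2 (upload_max_filesize and
    # post_max_size = 50M); nginx's 1m default would reject larger
    # attachment uploads with 413 before PHP ever sees them.
    client_max_body_size 50m;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        # Only hand existing files to php-fpm (defeats /x.jpg/y.php path-info tricks).
        try_files $uri =404;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:{{ nginx_sock }};

        ## https://httpoxy.org/, 201607
        fastcgi_param HTTP_PROXY "";
    }

    ## just in case
    location ~* /PyMISP {
        deny all;
    }
    # Dot escaped: the previous pattern ("keys.(py|txt)") matched any character.
    location ~* /keys\.(py|txt)$ {
        deny all;
    }
}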
33 |
--------------------------------------------------------------------------------
/templates/restore-misp.sh.j2:
--------------------------------------------------------------------------------
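#!/bin/sh
{{ ansible_managed | comment }}
## restore script for misp
#
# Usage: restore-misp.sh [backup.tar.gz]
# Restores the misp database and the app/files + app/Config trees from an
# archive produced by backup-misp.sh; defaults to
# {{ backupdir }}/backup-misp.tar.gz. Destructive: overwrites the live
# database and configuration.

export PATH=/usr/sbin:/usr/bin:/sbin:/bin
set -eu
# The extracted archive contains the DB dump and config.php (credentials):
# keep the scratch area owner-only.
umask 077

# -ge, not -gt: with exactly one argument the old test never matched and the
# file given on the command line was silently ignored for the default.
if [ $# -ge 1 ] && [ -r "$1" ]; then
    backupfile=$1
else
    backupfile={{ backupdir }}/backup-misp.tar.gz
fi
if [ ! -r "$backupfile" ]; then
    echo "restore-misp: cannot read $backupfile" >&2
    exit 1
fi

# Check the SHA-512 recorded by backup-misp.sh when present. The digest line
# is "SHA512(path)= hex"; only the hex is compared so a moved archive still
# verifies. This detects corruption, not tampering by someone who could also
# rewrite .distinfo.
if [ -r "$backupfile.distinfo" ]; then
    expected=$(sed 's/.*= *//' "$backupfile.distinfo")
    actual=$(openssl dgst -sha512 "$backupfile" | sed 's/.*= *//')
    if [ "$expected" != "$actual" ]; then
        echo "restore-misp: checksum mismatch for $backupfile" >&2
        exit 1
    fi
fi

# `|| exit 1` belongs outside $( ): inside, it only left the subshell and the
# script went on with an empty tmpdir.
tmpdir=$(mktemp -d "/tmp/restore.XXXXXX") || exit 1
# Never leave the dump and config lying around in /tmp, whatever happens.
trap 'rm -rf "$tmpdir"' EXIT INT TERM
dirs="{{ misp_rootdir }}/app/files {{ misp_rootdir }}/app/Config"

tar xzf "$backupfile" -C "$tmpdir"

# tar stored the absolute paths without their leading "/".
mysql -u misp < "${tmpdir}{{ backupdir }}/mysqldump-misp.sql"

# Trailing slashes copy the CONTENTS of each restored directory over the live
# one; without them rsync created a nested copy (app/files/files).
# NOTE(review): -rvl does not preserve owner/group, so files that did not
# exist before end up owned by the invoking user (root) — verify the web user
# can still write app/files after a restore, or switch to -a.
# shellcheck disable=SC2086
for d in $dirs; do
    rsync -rvl "${tmpdir}${d}/" "${d}/"
done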
24 |
--------------------------------------------------------------------------------
/templates/systemd-misp-modules.service.j2:
--------------------------------------------------------------------------------
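{{ ansible_managed | comment }}

# /etc/systemd/system/misp-modules.service
# https://misp.github.io/misp-modules/install/
# Exposure level ?
#
# misp-modules is the enrichment/import/export helper MISP talks to over
# HTTP. It is bound to loopback only (ExecStart -l 127.0.0.1), runs as the
# web user and has most systemd sandboxing options turned on. Options that
# depend on the systemd version are gated on distribution/release; options
# observed to break misp-modules (LibreOffice, node/v8) are left commented
# out together with the error they produced.

[Unit]
Description=MISP modules
# Requires= pulls network.target in but does not order against it; After=
# is what makes the unit actually wait for it.
Requires=network.target
After=network.target

[Service]
Type=simple
User={{ www_user }}
Group={{ www_user }}
# Loopback only: nothing off-host can reach the modules API.
ExecStart={{ misp_virtualenv }}/bin/misp-modules -l 127.0.0.1 -s
Restart=on-failure
RestartSec=15

# Reduce Attack Surface
NoNewPrivileges=yes
PrivateTmp=true
ProtectHome=yes
# "yes" makes /usr, /boot and /efi read-only; "strict" (whole tree read-only
# except ReadWritePaths=) would be tighter but is not enabled.
ProtectSystem=yes
# ProtectSystem=strict
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 21 %}
# ProtectProc=noaccess
{% endif %}

PrivateDevices=yes
DeviceAllow=

# PrivateUsers=yes

UMask=077

# ERROR: /proc not mounted - LibreOffice is unlikely to work well if at all
# InaccessiblePaths=/proc

ProtectKernelTunables=true
ProtectKernelModules=yes
# Only on releases whose systemd knows these options.
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 20) or
(ansible_os_family == 'RedHat' and ansible_distribution_major_version|int > 8 )
%}
ProtectKernelLogs=yes
ProtectHostname=yes
ProtectClock=yes
{% endif %}

ProtectControlGroups=true
LockPersonality=true
RestrictRealtime=true
RestrictNamespaces=yes
# RestrictNamespaces=~CLONE_NEWCGROUP CLONE_NEWIPC CLONE_NEWNET CLONE_NEWPID
RestrictSUIDSGID=yes
# "Check failed: reservation_.SetPermissions(protect_start, protect_size, permission).", "v8::internal::PagedSpace::SetReadAndExecutable()"
# MemoryDenyWriteExecute=yes

# PrivateNetwork=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

IPAccounting=yes
# If using below and a proxy exists, ensure to include it.
# IPAddressAllow=localhost link-local multicast 10.0.0.0/8 192.168.0.0/16

# The service runs unprivileged with NoNewPrivileges=, so it holds no
# capabilities anyway; trimming the bounding set is belt-and-braces against
# a setuid helper ever being executed from the venv.
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_DAC_* CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_KILL
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST
CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
CapabilityBoundingSet=~CAP_SYS_BOOT
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
CapabilityBoundingSet=~CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
CapabilityBoundingSet=~CAP_LEASE
CapabilityBoundingSet=~CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID
CapabilityBoundingSet=~CAP_SETPCAP
CapabilityBoundingSet=~CAP_CHOWN
CapabilityBoundingSet=~CAP_FSETID CAP_SETFCAP
CapabilityBoundingSet=~CAP_NET_RAW
CapabilityBoundingSet=~CAP_IPC_LOCK

# No seccomp filtering inside Docker — presumably it conflicts with the
# container runtime's own profile, TODO confirm.
{% if not (ansible_virtualization_type is defined and
ansible_virtualization_type == "docker"
)
%}
# Allow-list first (@system-service needs a systemd that knows the group)...
{% if (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 8) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int > 18) %}
SystemCallFilter=@system-service
{% endif %}
# ...then deny dangerous groups. The commented line is the stricter variant
# that also denies @privileged; it was presumably found to break something.
# SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged @resources @reboot @swap @raw-io @module
SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @resources @reboot @swap @raw-io @module
# When system call is disallowed, return error code instead of killing process
SystemCallErrorNumber=EPERM
{% endif %}
SystemCallArchitectures=native

{% if misp_cgroups_restriction_enable|bool %}
CPUWeight={{ misp_cgroups_cpushares | default('1024') }}
CPUQuota={{ misp_cgroups_cpuquota | default('80%') }}
MemoryMax={{ misp_cgroups_memorylimit | default('4G') }}
{% endif %}

[Install]
WantedBy=multi-user.target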
110 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/bats/idempotency.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats
#

#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
# Re-runs the converged playbook locally and expects "changed=0 failed=0".
# Currently skipped: the role is known not to converge cleanly on a second
# run (rng-tools service start, pip installs from URLs always report changed).
#

@test "Second run should change nothing" {
  skip "not compliant: rng-tools service start, pip install from url"
  # Full output is kept in /tmp/idempotency.test for debugging a failure.
  run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
  [ "$status" -eq 0 ]
}
14 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/bats/process.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

# Smoke test: the MISP login page answers over HTTPS on the instance itself.

setup() {
  # Best effort: use whichever package manager exists; never fail setup itself.
  apt-get install -y curl >/dev/null || yum -y install curl >/dev/null; true
}

@test "MISP url should be accessible" {
  # -k disables certificate verification: the test box presumably runs with a
  # self-signed certificate (see certificate_cn in tasks/travis.yml). Do not
  # copy this outside the test suite.
  run curl -sSqLk https://localhost/
  [ "$status" -eq 0 ]
  [[ "$output" =~ "Users - MISP" ]]
}
12 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/default.yml:
--------------------------------------------------------------------------------
---
# kitchen suite "default-HEAD": converge MISP and misp-modules from git HEAD
# on a throwaway instance, then run the bats/serverspec checks. Everything in
# here is a test fixture — the plaintext passwords, disabled log masking and
# relaxed PHP hardening are acceptable ONLY because the instance is discarded.

- name: Test playbook - HEAD
  hosts: all
  vars:
    misp_version: HEAD
    mispmodules_version: HEAD
    misp_latest_pymisp: true
    misp_lief_version: HEAD
    misp_testing: true
    misp_testing_user: _misp
    misp_testing_user_home: "/home/{{ misp_testing_user }}"
    misp_testing_key_file: "{{ misp_key_file }}"
    # misp_testing_key_file: "{{ misp_testing_user_home }}/build/key.txt"
    misp_base_url: https://localhost
    misp_base_ip: 127.0.0.1
    misp_base_port: 443
    # Test accounts with fixed passwords (org 1, two different role ids).
    misp_webusers_list:
      - { p: 'dupont_passphrase.', email: dupont@localhost.local, org: 1, role: 2 }
      - { p: 'dupond_passphrase.', email: dupond@localhost.local, org: 1, role: 4 }
      # - { p: 'dupond_passphrase.', email: dupona@localhost.local, org: 1, role: 4 }
    # false => secrets handled by the role (redis/db passwords, API keys) are
    # printed in the CI log.
    misp_no_log: false
    hardenwebserver_enable_defaultssl: false
    # Presumably needed for MISP's remote fetches (feeds/sync) — TODO confirm.
    harden_php_allow_url_fopen: On
    # disable_functions only removes *internal* functions: the trailing
    # "__construct, __destruct, __call,__wakeup" (class methods) and
    # "max_execution_time" (an ini setting, not a function) are inert.
    # exec/system/passthru/popen are blocked but shell_exec and proc_open are
    # not, so command execution stays reachable — this is noise reduction,
    # not a boundary (MISP presumably still needs one of them for its helpers).
    harden_php_disable_functions: 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,chown,diskfreespace,disk_free_space,disk_total_space,dl,exec,escapeshellcmd,fileinode,highlight_file,max_execution_time,passthru,pclose,phpinfo,popen,proc_get_status,proc_nice,proc_terminate,show_source,system,__construct, __destruct, __call,__wakeup'
    # Absolute path of the role copy kitchen uploads to the instance.
    harden_php7_snuffleupagus_rules_template: '/tmp/kitchen/juju4.misp/templates/misp-snuffleupagus-rules.ini.j2'
    harden_apache_php_variants: ['apache2']
    faup_virtualenv_path: "{{ misp_virtualenv }}"
    faup_virtualenv_user: "{{ www_user }}"
  pre_tasks:
    # RedHat: the web user is "apache", and the same PHP settings are
    # re-asserted for the php-cli used by Composer.
    # NOTE(review): this disable_functions list lacks proc_get_status compared
    # to the play-level vars above — presumably unintended.
    - name: Php-cli hardening for Composer
      ansible.builtin.set_fact:
        harden_php_allow_url_fopen: On
        harden_php_disable_functions: 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,chown,diskfreespace,disk_free_space,disk_total_space,dl,exec,escapeshellcmd,fileinode,highlight_file,max_execution_time,passthru,pclose,phpinfo,popen,proc_nice,proc_terminate,show_source,system,__construct, __destruct, __call,__wakeup'
        faup_ownership:
          - { d: /usr/share/httpd/.cache/pip, s: directory, m: '0755', o: "apache" }
          - { d: "{{ toolsetdir }}/faup/src/lib/bindings/python/build", s: directory, m: '0755', o: "apache" }
          - { d: "{{ toolsetdir }}/faup/src/lib/bindings/python/pyfaup.egg-info", s: directory, m: '0755', o: "apache" }
      when: ansible_os_family == "RedHat" and ansible_distribution_version.split('.')[0] | int >= 7
    # Ubuntu: the web user is "www-data".
    - name: Ubuntu Bionic+ | set fact
      ansible.builtin.set_fact:
        faup_ownership:
          - { d: /var/www/.cache/pip, s: directory, m: '0755', o: "www-data" }
          - { d: "{{ toolsetdir }}/faup/src/lib/bindings/python/build", s: directory, m: '0755', o: "www-data" }
          - { d: "{{ toolsetdir }}/faup/src/lib/bindings/python/pyfaup.egg-info", s: directory, m: '0755', o: "www-data" }
      when: ansible_distribution == "Ubuntu" and ansible_distribution_version.split('.')[0] | int >= 18
  roles:
    # - geerlingguy.apache
    - juju4.harden_apache
    - juju4.faup
    - juju4.misp
52 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/Gemfile:
--------------------------------------------------------------------------------
# Gems for the serverspec run (kitchen verify).
# NOTE(review): nothing is pinned and no Gemfile.lock is visible next to
# this file, so every CI run resolves whatever rubygems.org currently
# serves — pin versions or commit the lock for reproducible, reviewable
# test dependencies.
source 'https://rubygems.org'

gem 'serverspec'
gem 'rake'
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'
8 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/Rakefile:
--------------------------------------------------------------------------------
require 'rake'
require 'rspec/core/rake_task'

# `rake` / `rake spec` runs every serverspec target in spec:all.
task :spec => 'spec:all'
task :default => :spec

namespace :spec do
  # One rake task per target host. The specs use the :exec backend, i.e.
  # they run on the converged instance itself, hence the single entry.
  targets = [ 'localhost' ]

  task :all => targets
  task :default => :all

  targets.each do |target|
    # A leading underscore marks the implicit "_default" target; strip it
    # for the task description and TARGET_HOST.
    original_target = target == "_default" ? target[1..-1] : target
    desc "Run serverspec tests to #{original_target}"
    RSpec::Core::RakeTask.new(target.to_sym) do |t|
      ENV['TARGET_HOST'] = original_target
      # t.pattern = "spec/#{original_target}/*_spec.rb"
      # NOTE(review): this Rakefile lives in test/integration/default-HEAD/
      # but the pattern points at the "default" suite. Presumably kitchen
      # copies whichever suite is running to a fixed location; otherwise the
      # specs next to this file are never the ones executed — TODO confirm
      # against .kitchen.yml.
      t.pattern = "test/integration/default/serverspec/*_spec.rb"
    end
  end
end
23 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/gpg_spec.rb:
--------------------------------------------------------------------------------
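require 'serverspec'

# Required by serverspec
set :backend, :exec

misp_rootdir = '/var/www/_MISP/MISP'

# The role's web user differs per OS family (see the faup_ownership facts in
# test/integration/default-HEAD/default.yml): apache on RedHat, www-data on
# Debian/Ubuntu. The `gpg --list-keys` check below used to hard-code www-data
# and therefore could never pass on RedHat.
www_user = os[:family] == 'redhat' ? 'apache' : 'www-data'

# GnuPG 1.x / 2.0 keyring layout (pubring.gpg + secring.gpg): Ubuntu
# 14.04/16.04 and RHEL/CentOS 7 only. Newer releases ship GnuPG >= 2.1, which
# keeps private keys under private-keys-v1.d/ and is checked further down.
legacy_gnupg = (os[:family] == 'ubuntu' && (os[:release] == '14.04' || os[:release] == '16.04')) ||
               (os[:family] == 'redhat' && os[:release] == '7')
modern_gnupg = (os[:family] == 'ubuntu' && os[:release].to_f >= 18.04) ||
               (os[:family] == 'redhat' && os[:release].to_i >= 8)

describe file("#{misp_rootdir}/.gnupg/pubring.gpg"), :if => legacy_gnupg do
  it { should be_file }
  it { should exist }
  it { should be_readable.by('owner') }
  it { should_not be_readable.by('others') }
  its(:content) { should_not be_empty }
end

describe file("#{misp_rootdir}/.gnupg/secring.gpg"), :if => legacy_gnupg do
  it { should be_file }
  it { should exist }
  it { should be_readable.by('owner') }
  it { should_not be_readable.by('others') }
  # its(:content) { should_not be_empty }
end

# Private key material on GnuPG >= 2.1. gpg creates this directory 0700, so
# anything wider means the role (or a recursive chmod) loosened it.
describe file("#{misp_rootdir}/.gnupg/private-keys-v1.d"), :if => modern_gnupg do
  it { should be_directory }
  it { should be_readable.by('owner') }
  it { should_not be_readable.by('group') }
  it { should_not be_readable.by('others') }
end

# Public key published by the web server: world-readable on purpose.
describe file("#{misp_rootdir}/app/webroot/gpg.asc") do
  it { should be_file }
  it { should exist }
  it { should be_readable.by('owner') }
  it { should be_readable.by('group') }
  it { should be_readable.by('others') }
  its(:content) { should_not be_empty }
end

# The service key (Name-Real/Name-Comment from templates/gpg-template.j2)
# must be listed when running as the web user that owns the homedir.
describe command("gpg --homedir #{misp_rootdir}/.gnupg --list-keys") do
  its(:stdout) { should match(/MISP Service \(generated by ansible\)/) }
  its(:stdout) { should_not match(/Error/) }
  its(:exit_status) { should eq 0 }
  let(:sudo_options) { "-u #{www_user} -H" }
end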
38 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/misp2_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

misp_rootdir = '/var/www/_MISP/MISP'
misp_virtualenv = '/var/www/_MISP/venv'

# MISP's own curl-based API test suite, run as the test user. The API key
# is read from .ht_key and passed as a command-line argument, so it is
# visible in the process list while the suite runs — acceptable on the
# throwaway test instance only.
describe command("cd #{misp_rootdir}/tests && ./curl_tests.sh `cat /var/www/_MISP/MISP/.ht_key` | tee /tmp/curl_tests.out") do
  ## FIXME! is it normal first run get 'HTTP/1.1 500 Internal Server Error', second run: 'HTTP/1.1 100 Continue' + 'HTTP/1.1 302 Found'
  ## not like https://travis-ci.org/MISP/MISP/jobs/128166085
  # The UUID below is the fixture event the upstream suite creates and expects back.
  its(:stdout) { should match /548847db-060c-4275-a0c7-15bb950d210b/}
  its(:stdout) { should_not match /HTTP\/1.1 500 Internal Server Error/}
  its(:stderr) { should match /diff compare.csv 1.csv/}
  its(:stderr) { should_not match /error/}
  its(:exit_status) { should eq 0 }
  let(:sudo_options) { '-u _misp -H' }
end

## FIXME!
#describe command("cd #{misp_rootdir}/PyMISP && #{misp_virtualenv}/bin/nosetests --with-coverage --cover-package=pymisp tests/test_offline.py 2>&1 | tee /tmp/nosetests.out") do
#  its(:stdout) { should match /TOTAL/}
#  its(:stdout) { should match /OK/}
#  its(:stdout) { should_not match /FAILED/}
#  its(:exit_status) { should eq 0 }
#  let(:sudo_options) { '-u _misp -H' }
#end

# PyMISP's bundled test script against the local instance, from the MISP venv.
describe command("cd #{misp_rootdir}/PyMISP && #{misp_virtualenv}/bin/python tests/test.py | tee /tmp/tests.out") do
  its(:exit_status) { should eq 0 }
  let(:sudo_options) { '-u _misp -H' }
end

#describe command("cd #{misp_rootdir}/PyMISP/examples/events && #{misp_virtualenv}/bin/python ./create_massive_dummy_events.py -l 5 -a 30") do
#  its(:stdout) { should_not match /500 Server Error: Internal Server Error/}
#  its(:exit_status) { should eq 0 }
#  let(:sudo_options) { '-u _misp -H' }
#end
39 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/misp_log_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

misp_rootdir = '/var/www/_MISP/MISP'
misp_error_log = "#{misp_rootdir}/app/tmp/logs/error.log"

# After converge and the other suites, the CakePHP error log must be free of
# PHP warnings. Size and "Error:" checks stay disabled (see notes below).
describe file(misp_error_log) do
  # its(:size) { should > 0 }
  # its(:content) { should_not match /Error:/ }
  its(:content) { should_not match(/Warning:/) }
end

#describe file("#{misp_rootdir}/app/tmp/logs/resque-worker-error.log") do
#  its(:size) { should > 0 }
#end
17 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/misp_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

#describe process('python') do
#  it { should be_running }
#  its(:args) { should match /manage.py runserver\b/ }
#  it "is listening on port 8000" do
#    expect(port(8000)).to be_listening
#  end
#end

# -k: skip certificate verification, the test instance presumably serves a
# self-signed certificate (see certificate_cn in tasks/travis.yml).
curl_args='-sSvLk'
#misp_url = 'http://localhost'
misp_url = 'https://localhost'

# Landing page reachable and rendered by MISP (login page title).
describe command("curl #{curl_args} #{misp_url}") do
  its(:stdout) { should match /Users - MISP/ }
end
21 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/mispapi_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

## API test: need to retrieve API key???
#curl -i -H "Accept: application/xml" -H "content-type: text/xml" -H "Authorization: ABCDEF" --data "@input/event.xml" -X POST https:///events

curl_args = '-sSvLk'
#misp_url = 'http://localhost'
misp_url = 'https://localhost'
misp_rootdir = '/var/www/_MISP/MISP'

# Builds one authenticated curl call against the local MISP API. The API key
# is read by the shell at run time from .ht_key (dropped by the install) and
# sent in the Authorization header; it is visible in the process list for
# the duration of the call — fine on the throwaway test box, not elsewhere.
api_call = lambda do |method, type, path|
  "curl #{curl_args} -X #{method} -H 'Accept: application/#{type}' -H 'Content-Type: application/#{type}' " \
  "-H 'Authorization: '`cat #{misp_rootdir}/.ht_key` #{misp_url}#{path}"
end

## any content in default/pristine db?
describe command(api_call.call('POST', 'json', '/events/xml/download.json')) do
  # its(:stdout) { should match /{"request": {/ }
  its(:stdout) { should_not match(/Error: <\/strong>/) }
  its(:stdout) { should_not match(/{"name":"Not Found"/) }
  # its(:stdout) { should_not match /Either specify the search terms in the url/ }
end
describe command(api_call.call('POST', 'xml', '/stix/download')) do
  # its(:stdout) { should match // }
  its(:stdout) { should_not match(/Error: <\/strong>/) }
  # its(:stdout) { should_not match /Not Found<\/name>/ }
end
describe command(api_call.call('POST', 'json', '/stix/download.json')) do
  # its(:stdout) { should match /{"request": {/ }
  its(:stdout) { should_not match(/Error: <\/strong>/) }
  # its(:stdout) { should_not match /{"name":"Not Found"/ }
end
describe command(api_call.call('POST', 'json', '/attributes/text/download/md5')) do
  # its(:stdout) { should match /{"request": {/ }
  its(:stdout) { should_not match(/Error: <\/strong>/) }
  its(:stdout) { should_not match(/{"name":"Not Found"/) }
end

# Pristine instance: no sharing groups yet, but the admin user (id 1) exists.
describe command(api_call.call('GET', 'json', '/sharing_groups/index.json')) do
  its(:stdout) { should match(/{"response":\[\]}/) }
  its(:stdout) { should_not match(/Error: <\/strong>/) }
  its(:stdout) { should_not match(/{"name":"Not Found"/) }
end
describe command(api_call.call('GET', 'json', '/admin/users')) do
  its(:stdout) { should match(/"User": {/) }
  its(:stdout) { should match(/"id": "1",/) }
  its(:stdout) { should_not match(/Error: <\/strong>/) }
  its(:stdout) { should_not match(/{"name":"Not Found"/) }
end
47 | end
48 |
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/mispmodules_spec.rb:
--------------------------------------------------------------------------------
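require 'serverspec'

# Required by serverspec
set :backend, :exec

set :path, '/usr/local/bin:$PATH'

misp_rootdir = '/var/www/_MISP/MISP'
misp_virtualenv = '/var/www/_MISP/venv'

## python dependencies expected in the MISP virtualenv
describe command("#{misp_virtualenv}/bin/pip freeze") do
  its(:stdout) { should match /cybox/ }
  its(:stdout) { should match /pymisp/ }
  its(:stdout) { should match /stix/ }
end

## misp-modules must answer on its loopback port with a module list.  The
## positive match guards against a vacuous pass when the service is down
## (curl -s prints nothing and jq exits 0 on empty input); passivetotal is
## expected to be absent from the default module set.
describe command("curl -s http://127.0.0.1:6666/modules | jq .") do
  its(:stdout) { should match /"name": "/ }
  its(:stdout) { should_not match /"name": "passivetotal",/ }
  its(:stdout) { should_not match /Error: <\/strong>/ }
  its(:stdout) { should_not match /{"name":"Not Found"/ }
end

## optional python modules (yara, sigma) are checked on ubuntu and redhat 7;
## redhat 8 is not covered by this condition
checked_platform = os[:family] == 'ubuntu' || (os[:family] == 'redhat' && os[:release] == '7')
%w[yara sigma].each do |mod|
  describe command("#{misp_virtualenv}/bin/python -c 'import #{mod}'"), :if => checked_platform do
    its(:stderr) { should_not match /Error/ }
    its(:stderr) { should_not match /Failed/ }
    its(:exit_status) { should eq 0 }
  end
end

## 'misp-modules -t' self-test, run as the web user.  One row per platform:
## [family, release, WARNING lines also forbidden?].  LANG=C is forced on
## redhat (presumably because the locale is unset in those images - confirm).
## NOTE(review): the sudo target is www-data on every platform, including
## redhat where the httpd user is normally 'apache'; confirm the role creates
## www-data there, otherwise these examples fail on sudo rather than on MISP.
modules_selftest = "#{misp_virtualenv}/bin/misp-modules -t"
[['ubuntu', '16.04', false], ['ubuntu', '18.04', false],
 ['redhat', '7', true], ['redhat', '8', false]].each do |family, release, forbid_warnings|
  describe command(modules_selftest), :if => os[:family] == family && os[:release] == release do
    let(:pre_command) { 'export LANG=C LC_ALL=C' } if family == 'redhat'
    its(:stdout) { should_not match /ERROR/ }
    its(:stdout) { should_not match /WARNING/ } if forbid_warnings
    let(:sudo_options) { '-u www-data -H' }
  end
end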
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/mysql_spec.rb:
--------------------------------------------------------------------------------
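require 'serverspec'

# Required by serverspec
set :backend, :exec

## database server package: mariadb on redhat 7, mysql on redhat 6 and ubuntu
describe package('mariadb-server'), :if => os[:family] == 'redhat' && os[:release] == '7' do
  it { should be_installed }
end
describe package('mysql-server'), :if => os[:family] == 'redhat' && os[:release] == '6' do
  it { should be_installed }
end
describe package('mysql-server'), :if => os[:family] == 'ubuntu' do
  it { should be_installed }
end

## the service must be enabled at boot and running
describe service('mariadb'), :if => os[:family] == 'redhat' && os[:release] == '7' do
  it { should be_enabled }
  it { should be_running }
end
describe service('mysqld'), :if => os[:family] == 'redhat' && os[:release] == '6' do
  it { should be_enabled }
  it { should be_running }
end
## Ubuntu's mysql-server package ships its unit as 'mysql' - 'mysql-server'
## (the name the earlier, commented-out check used) is the package, not a
## service, which is why that check had to stay disabled.
describe service('mysql'), :if => os[:family] == 'ubuntu' do
  it { should be_enabled }
  it { should be_running }
end

## NOTE(review): no package or service check applies to redhat 8; only the
## port check below covers it.
describe port(3306) do
  it { should be_listening }
end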
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/redis_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

## redis must be running and accepting tcp connections on its default port
describe process("redis-server") do
  it { should be_running }
end

debian_family = os[:family] == 'ubuntu' || os[:family] == 'debian'
describe service('redis-server'), :if => debian_family do
  it { should be_enabled }
  it { should be_running }
end
## on redhat the enabled-state check is skipped inside docker (presumably no
## systemd to query there); the running check still applies
describe service('redis'), :if => os[:family] == 'redhat' && host_inventory['virtualization'][:system] != 'docker' do
  it { should be_enabled }
end
describe service('redis'), :if => os[:family] == 'redhat' do
  it { should be_running }
end
describe port(6379) do
  it { should be_listening.with('tcp') }
end

## startup log lines differ by redis version, hence one row per platform:
## [log file, platform condition, lines that must be present]
debian_log = '/var/log/redis/redis-server.log'
redhat_log = '/var/log/redis/redis.log'
legacy_started = [/Server started, Redis version/, /The server is now ready to accept connections on port/]
log_checks = [
  [debian_log, os[:family] == 'debian', [/Configuration loaded/]],
  [debian_log, os[:family] == 'ubuntu' && os[:release] == '18.04', [/Configuration loaded/]],
  [debian_log, os[:family] == 'ubuntu' && os[:release] == '16.04', legacy_started],
  [redhat_log, os[:family] == 'redhat' && os[:release] == '7', legacy_started],
  [redhat_log, os[:family] == 'redhat' && os[:release] == '8',
   [/Server initialized/, /# Redis version=5\./, /Ready to accept connections/]],
]
log_checks.each do |logfile, applies, expected_lines|
  describe file(logfile), :if => applies do
    its(:size) { should > 0 }
    expected_lines.each do |line|
      its(:content) { should match line }
    end
    ## a bind failure at startup must never appear in the log
    its(:content) { should_not match /bind: Cannot assign requested address/ }
  end
end
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/run-local-tests.sh:
--------------------------------------------------------------------------------
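#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
## Runs the serverspec suite from this directory.  Meant for throw-away CI/test
## hosts only: it installs packages and rvm system-wide as root.

location=$(dirname "$0")
## abort if the directory cannot be entered; otherwise the gem install and
## the rake run below would happen in whatever the current directory is
cd "$location" || exit 1
v=2.4

## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which

## NOTE(review): remote installer piped straight into a shell, with no
## integrity check (rvm's install documentation describes GPG verification of
## the installer; it is not performed here).  Tolerable on a disposable test
## host, not for anything longer lived.
curl -sSL https://get.rvm.io | bash

## troubleshoot
type rvm | head -1
env

## login shells so that rvm's profile hooks are picked up
bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
## gems are installed and the specs run as an unprivileged user;
## rvmsudo_secure_path keeps rvm's PATH across sudo
bash -l -c "env rvmsudo_secure_path=1 rvmsudo -u nobody bundle install --path ./gems"
if [ "X$USER" != "Xroot" ] && [ "X$USER" != "X" ]; then
  bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
  bash -l -c "env rvmsudo_secure_path=1 rvmsudo -u nobody bundle exec rake spec"
fi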
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/snuffleupagus_spec.rb:
--------------------------------------------------------------------------------
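require 'serverspec'

# Required by serverspec
set :backend, :exec

## The Apache error log must not show PHP fatal errors, in particular the
## "[snuffleupagus][config] Invalid configuration file" one raised when the
## snuffleupagus rules file fails to parse (kept as its own example so a
## failure names the cause).
## The path is Debian-family specific (apache2): without the :if guard the
## check passed vacuously on other platforms, because a missing file has empty
## content.  be_file turns a missing log into a failure instead of a silent pass.
describe file('/var/log/apache2/misp.local_error.log'), :if => os[:family] == 'ubuntu' || os[:family] == 'debian' do
  it { should be_file }
  its(:content) { should_not match /PHP Fatal error:/ }
  its(:content) { should_not match /PHP Fatal error: \[snuffleupagus\]\[config\] Invalid configuration file/ }
end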
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/supervisor.rb:
--------------------------------------------------------------------------------
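require 'serverspec'

# Required by serverspec
set :backend, :exec

## supervisor must be enabled and running (presumably it manages the MISP
## background workers - confirm against the role's tasks).
## 'spec_helper' was previously required here; there is none in this
## directory and every sibling spec requires serverspec directly.
## NOTE(review): this file is named supervisor.rb, not supervisor_spec.rb, so
## a '*_spec.rb' pattern never loads it.  On redhat the unit is usually
## 'supervisord' rather than 'supervisor' - confirm before adding coverage.
describe service('supervisor') do
  it { should be_enabled }
  it { should be_running }
end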
--------------------------------------------------------------------------------
/test/integration/default-HEAD/serverspec/webserver_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

redhat = os[:family] == 'redhat'
ubuntu = os[:family] == 'ubuntu'
darwin = os[:family] == 'darwin'

## web server package per platform
describe package('httpd'), if: redhat do
  it { should be_installed }
end
describe package('apache2'), if: ubuntu do
  it { should be_installed }
end

## on redhat the enabled check is skipped inside docker (presumably no
## systemd to query there); the running check is not
describe service('httpd'), if: redhat && host_inventory['virtualization'][:system] != 'docker' do
  it { should be_enabled }
end
describe service('httpd'), if: redhat do
  it { should be_running }
end
describe service('apache2'), if: ubuntu do
  it { should be_enabled }
  it { should be_running }
end
describe service('org.apache.httpd'), if: darwin do
  it { should be_enabled }
  it { should be_running }
end

## the https port must be listening
describe port(443) do
  it { should be_listening }
end

## SELinux audit log must not record write denials for httpd
describe file('/var/log/audit/audit.log'), if: redhat do
  its(:content) { should_not match /denied { write } for .* comm="httpd" / }
end
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/bats/idempotency.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats
#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
# A second converge must report no changed and no failed tasks.  The whole
# pipeline runs inside one bash -c so that $status reflects the grep result.

@test "Second run should change nothing" {
  # known non-idempotent tasks are listed in the skip reason
  skip "not compliant: rng-tools service start, pip install from url"
  playbook="ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local"
  run bash -c "$playbook 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
  [ "$status" -eq 0 ]
}
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/bats/process.bats:
--------------------------------------------------------------------------------
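#!/usr/bin/env bats

# curl is missing from some test images: try apt, then yum; never fail setup
setup() {
  if ! apt-get install -y curl >/dev/null; then
    yum -y install curl >/dev/null
  fi
  true
}

# -q (ignore ~/.curlrc, so a user config cannot influence the check) is only
# honoured by curl as the first argument; bundled inside '-sSqLk' it may not
# take effect.  -k: the localhost certificate is not expected to be trusted.
@test "MISP url should be accessible" {
  run curl -q -sSLk https://localhost/
  [ "$status" -eq 0 ]
  [[ "$output" =~ "Users - MISP" ]]
}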
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/default.yml:
--------------------------------------------------------------------------------
---

# Test playbook for the "nosnuffle" suite: the role is converged with the
# snuffleupagus PHP hardening switched off (see the two *snuffleupagus* vars).
- name: Test playbook - nosnuffle
  hosts: all
  vars:
    misp_pymisp_validation_fatal: false
    # need pymisp
    misp_enable_feeds: []
    misp_webusers_list: []
    misp_testing: false
    misp_testing_user: _misp
    misp_testing_user_home: "/home/{{ misp_testing_user }}"
    misp_testing_key_file: "{{ misp_key_file }}"
    # misp_testing_key_file: "{{ misp_testing_user_home }}/build/key.txt"
    misp_base_url: https://localhost
    misp_base_ip: 127.0.0.1
    misp_base_port: 443
    # test-only: presumably turns off no_log on the role's sensitive tasks so
    # their output shows in CI - confirm in the role; keep the default elsewhere
    misp_no_log: false
    hardenwebserver_enable_defaultssl: false
    # allow_url_fopen is enabled here (relaxed setting, test playbook)
    harden_php_allow_url_fopen: On
    # PHP disable_functions list applied by the hardening role; note that
    # proc_open is not in it
    harden_php_disable_functions: 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,chown,diskfreespace,disk_free_space,disk_total_space,dl,exec,escapeshellcmd,fileinode,highlight_file,max_execution_time,passthru,pclose,phpinfo,popen,proc_get_status,proc_nice,proc_terminate,show_source,system,__construct, __destruct, __call,__wakeup'
    misp_php_snuffleupagus_enable: false
    harden_php7_snuffleupagus: false
    harden_apache_php_variants: ['apache2']
  pre_tasks:
    # RedHat 7 only: same disable_functions list as above minus proc_get_status
    # (presumably needed by Composer on the php-cli side - confirm)
    - name: Php-cli hardening for Composer
      ansible.builtin.set_fact:
        harden_php_allow_url_fopen: On
        harden_php_disable_functions: 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,chown,diskfreespace,disk_free_space,disk_total_space,dl,exec,escapeshellcmd,fileinode,highlight_file,max_execution_time,passthru,pclose,phpinfo,popen,proc_nice,proc_terminate,show_source,system,__construct, __destruct, __call,__wakeup'
      when: ansible_os_family == "RedHat" and ansible_distribution_version.split('.')[0] == '7'
    # pinned lief release on Ubuntu 18.04 to avoid compiling it during tests
    - name: Bionic | set Lief version without compilation for test speed
      ansible.builtin.set_fact:
        misp_lief_version: 0.12.1
      when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int == 18
  roles:
    # - geerlingguy.apache
    - juju4.harden_apache
    - juju4.faup
    - juju4.misp
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/Gemfile:
--------------------------------------------------------------------------------
source "https://rubygems.org"

# serverspec drives the integration specs; rake provides the spec task.
# Neither is version-pinned here, so resolution follows a Gemfile.lock if one
# is checked in (none is visible alongside this file).
gem "rake"
gem "serverspec"
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/Rakefile:
--------------------------------------------------------------------------------
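require 'rake'
require 'rspec/core/rake_task'

task :spec => 'spec:all'
task :default => :spec

namespace :spec do
  # a single target: the specs run on the host under test itself
  targets = [ 'localhost' ]

  task :all => targets
  task :default => :all

  targets.each do |target|
    # a '_default' target is displayed without its leading underscore
    original_target = target == "_default" ? target[1..-1] : target
    desc "Run serverspec tests to #{original_target}"
    RSpec::Core::RakeTask.new(target.to_sym) do |t|
      ENV['TARGET_HOST'] = original_target
      # The specs live next to this Rakefile, so anchor the glob on __dir__.
      # The earlier literal 'test/integration/default/serverspec/*_spec.rb'
      # pointed at the sibling 'default' suite and only resolved from the
      # repository root; run from this directory (as run-local-tests.sh does)
      # it matched nothing and rspec passed with zero examples.
      t.pattern = File.join(__dir__, '*_spec.rb')
    end
  end
end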
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/gpg_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

misp_rootdir = '/var/www/_MISP/MISP'

## the classic pubring.gpg/secring.gpg keyring layout is only expected on the
## older platforms listed here (presumably the ones still on gpg 1.x - confirm);
## other hosts skip these two checks
legacy_keyrings = (os[:family] == 'ubuntu' && (os[:release] == '14.04' || os[:release] == '16.04') || (os[:family] == 'redhat' && os[:release] == '7'))

## both keyrings: owner-readable, never world-readable; only the public
## keyring's content is asserted non-empty
{ 'pubring.gpg' => true, 'secring.gpg' => false }.each do |keyring, check_content|
  describe file("#{misp_rootdir}/.gnupg/#{keyring}"), if: legacy_keyrings do
    it { should be_file }
    it { should exist }
    it { should be_readable.by('owner') }
    it { should_not be_readable.by('others') }
    its(:content) { should_not be_empty } if check_content
  end
end

## the exported public key is served from the webroot, so it must be
## readable by everyone
describe file("#{misp_rootdir}/app/webroot/gpg.asc") do
  it { should be_file }
  it { should exist }
  it { should be_readable.by('owner') }
  it { should be_readable.by('group') }
  it { should be_readable.by('others') }
  its(:content) { should_not be_empty }
end

## the keyring must list the ansible-generated service key, read as the web user
describe command("gpg --homedir #{misp_rootdir}/.gnupg --list-keys") do
  its(:stdout) { should match /MISP Service \(generated by ansible\)/}
  its(:stdout) { should_not match /Error/}
  its(:exit_status) { should eq 0 }
  let(:sudo_options) { '-u www-data -H' }
end
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/misp2_spec.rb:
--------------------------------------------------------------------------------
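require 'serverspec'

# Required by serverspec
set :backend, :exec

misp_rootdir = '/var/www/_MISP/MISP'
misp_virtualenv = '/var/www/_MISP/venv'

## Upstream MISP curl test-suite, run as the testing user with the instance's
## API key read from the key file (previously via a second, hard-coded copy of
## the MISP path; misp_rootdir is now the only source).
## The output is captured to a file and replayed instead of piped through tee:
## with the pipe, exit_status was tee's, so a failing suite still passed.
## NOTE(review): the key is passed as a command-line argument and is therefore
## visible in the process list while the suite runs; test hosts only.
describe command("cd #{misp_rootdir}/tests && ./curl_tests.sh `cat #{misp_rootdir}/.ht_key` > /tmp/curl_tests.out; rc=$?; cat /tmp/curl_tests.out; exit $rc") do
  ## FIXME! is it normal first run get 'HTTP/1.1 500 Internal Server Error', second run: 'HTTP/1.1 100 Continue' + 'HTTP/1.1 302 Found'
  ## not like https://travis-ci.org/MISP/MISP/jobs/128166085
  its(:stdout) { should_not match /HTTP\/1.1 500 Internal Server Error/}
  its(:stderr) { should_not match /error/}
  its(:exit_status) { should eq 0 }
  let(:sudo_options) { '-u _misp -H' }
end

## FIXME! offline PyMISP test-suite (nosetests) is disabled for now
#describe command("cd #{misp_rootdir}/PyMISP && #{misp_virtualenv}/bin/nosetests --with-coverage --cover-package=pymisp tests/test_offline.py 2>&1 | tee /tmp/nosetests.out") do
#  its(:stdout) { should match /TOTAL/}
#  its(:stdout) { should match /OK/}
#  its(:stdout) { should_not match /FAILED/}
#  its(:exit_status) { should eq 0 }
#  let(:sudo_options) { '-u _misp -H' }
#end

## PyMISP tests against the live instance; same capture-then-replay as above so
## that exit_status is the python process's, not tee's
describe command("cd #{misp_rootdir}/PyMISP && #{misp_virtualenv}/bin/python tests/test.py > /tmp/tests.out; rc=$?; cat /tmp/tests.out; exit $rc") do
  its(:exit_status) { should eq 0 }
  let(:sudo_options) { '-u _misp -H' }
end

#describe command("cd #{misp_rootdir}/PyMISP/examples/events && #{misp_virtualenv}/bin/python ./create_massive_dummy_events.py -l 5 -a 30") do
#  its(:stdout) { should_not match /500 Server Error: Internal Server Error/}
#  its(:exit_status) { should eq 0 }
#  let(:sudo_options) { '-u _misp -H' }
#end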
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/misp_log_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

misp_rootdir = '/var/www/_MISP/MISP'
cake_logs = "#{misp_rootdir}/app/tmp/logs"

## the application's CakePHP error log must carry no PHP warnings
## ("Error:" entries are not asserted).
## NOTE(review): a missing log file has empty content and passes this check.
describe file("#{cake_logs}/error.log") do
  its(:content) { should_not match /Warning:/ }
end

#describe file("#{cake_logs}/resque-worker-error.log") do
#  its(:size) { should > 0 }
#end
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/misp_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

## web front-end smoke test: the login page must be served over https.
## -k: the localhost certificate is not expected to be trusted by curl.
flags = '-sSvLk'
base_url = 'https://localhost'
landing_page = command("curl #{flags} #{base_url}")

describe landing_page do
  it { expect(subject.stdout).to match(/Users - MISP/) }
end
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/mispapi_spec.rb:
--------------------------------------------------------------------------------
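require 'serverspec'

# Required by serverspec
set :backend, :exec

## MISP REST API smoke tests against the local instance, authenticated with
## the instance's own key file (no credential lives in this spec).
##
## curl flags: -s/-S quiet except on error, -L follow redirects, -k skip TLS
## verification - acceptable only because the target is localhost with the
## certificate the role installs there.  '-v' is deliberately absent: verbose
## mode echoes the request headers, Authorization key included, to stderr,
## which serverspec captures and prints on failure.
curl_args = '-sSLk'
misp_url = 'https://localhost'
misp_rootdir = '/var/www/_MISP/MISP'

## The key is read at run time by command substitution.  NOTE(review): this
## still places the key on curl's command line, hence in the process list
## for the duration of the call; tolerable on a throw-away test host only.
auth_header = "-H 'Authorization: '`cat #{misp_rootdir}/.ht_key`"
json_headers = "-H 'Accept: application/json' -H 'Content-Type: application/json' #{auth_header}"
xml_headers = "-H 'Accept: application/xml' -H 'Content-Type: application/xml' #{auth_header}"

## Checks shared by every call.  exit_status is asserted because the negative
## body patterns alone pass vacuously when curl cannot reach the server and
## stdout is empty.
RSpec.shared_examples 'misp api call' do
  its(:exit_status) { should eq 0 }
  its(:stdout) { should_not match /Error: <\/strong>/ }
end

## any content in default/pristine db?
describe command("curl #{curl_args} -X POST #{json_headers} #{misp_url}/events/xml/download.json") do
  include_examples 'misp api call'
  its(:stdout) { should_not match /{"name":"Not Found"/ }
end
describe command("curl #{curl_args} -X POST #{xml_headers} #{misp_url}/stix/download") do
  include_examples 'misp api call'
end
describe command("curl #{curl_args} -X POST #{json_headers} #{misp_url}/stix/download.json") do
  include_examples 'misp api call'
end
describe command("curl #{curl_args} -X POST #{json_headers} #{misp_url}/attributes/text/download/md5") do
  include_examples 'misp api call'
  its(:stdout) { should_not match /{"name":"Not Found"/ }
end

## sharing groups and users: in this suite only the error patterns are
## asserted; the positive content checks stay disabled
describe command("curl #{curl_args} -X GET #{json_headers} #{misp_url}/sharing_groups/index.json") do
  include_examples 'misp api call'
  # its(:stdout) { should match /"response": \[\]/ }
  its(:stdout) { should_not match /{"name":"Not Found"/ }
end
describe command("curl #{curl_args} -X GET #{json_headers} #{misp_url}/admin/users") do
  include_examples 'misp api call'
  # its(:stdout) { should match /"User": {/ }
  # its(:stdout) { should match /"id": "1",/ }
  its(:stdout) { should_not match /{"name":"Not Found"/ }
end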
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/mispmodules_spec.rb:
--------------------------------------------------------------------------------
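require 'serverspec'

# Required by serverspec
set :backend, :exec

set :path, '/usr/local/bin:$PATH'

misp_rootdir = '/var/www/_MISP/MISP'
misp_virtualenv = '/var/www/_MISP/venv'

## python dependencies expected in the MISP virtualenv
describe command("#{misp_virtualenv}/bin/pip freeze") do
  its(:stdout) { should match /cybox/ }
  its(:stdout) { should match /pymisp/ }
  its(:stdout) { should match /stix/ }
end

## misp-modules must answer on its loopback port with a module list.  The
## positive match guards against a vacuous pass when the service is down
## (curl -s prints nothing and jq exits 0 on empty input); passivetotal is
## expected to be absent from the default module set.
describe command("curl -s http://127.0.0.1:6666/modules | jq .") do
  its(:stdout) { should match /"name": "/ }
  its(:stdout) { should_not match /"name": "passivetotal",/ }
  its(:stdout) { should_not match /Error: <\/strong>/ }
  its(:stdout) { should_not match /{"name":"Not Found"/ }
end

## optional python modules (yara, sigma) are checked on ubuntu and redhat 7;
## redhat 8 is not covered by this condition
checked_platform = os[:family] == 'ubuntu' || (os[:family] == 'redhat' && os[:release] == '7')
%w[yara sigma].each do |mod|
  describe command("#{misp_virtualenv}/bin/python -c 'import #{mod}'"), :if => checked_platform do
    its(:stderr) { should_not match /Error/ }
    its(:stderr) { should_not match /Failed/ }
    its(:exit_status) { should eq 0 }
  end
end

## 'misp-modules -t' self-test, run as the web user.  One row per platform:
## [family, release, WARNING lines also forbidden?].  LANG=C is forced on
## redhat (presumably because the locale is unset in those images - confirm).
## NOTE(review): the sudo target is www-data on every platform, including
## redhat where the httpd user is normally 'apache'; confirm the role creates
## www-data there, otherwise these examples fail on sudo rather than on MISP.
modules_selftest = "#{misp_virtualenv}/bin/misp-modules -t"
[['ubuntu', '16.04', false], ['ubuntu', '18.04', false],
 ['redhat', '7', true], ['redhat', '8', false]].each do |family, release, forbid_warnings|
  describe command(modules_selftest), :if => os[:family] == family && os[:release] == release do
    let(:pre_command) { 'export LANG=C LC_ALL=C' } if family == 'redhat'
    its(:stdout) { should_not match /ERROR/ }
    its(:stdout) { should_not match /WARNING/ } if forbid_warnings
    let(:sudo_options) { '-u www-data -H' }
  end
end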
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/mysql_spec.rb:
--------------------------------------------------------------------------------
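require 'serverspec'

# Required by serverspec
set :backend, :exec

## database server package: mariadb on redhat 7, mysql on redhat 6 and ubuntu
describe package('mariadb-server'), :if => os[:family] == 'redhat' && os[:release] == '7' do
  it { should be_installed }
end
describe package('mysql-server'), :if => os[:family] == 'redhat' && os[:release] == '6' do
  it { should be_installed }
end
describe package('mysql-server'), :if => os[:family] == 'ubuntu' do
  it { should be_installed }
end

## the service must be enabled at boot and running
describe service('mariadb'), :if => os[:family] == 'redhat' && os[:release] == '7' do
  it { should be_enabled }
  it { should be_running }
end
describe service('mysqld'), :if => os[:family] == 'redhat' && os[:release] == '6' do
  it { should be_enabled }
  it { should be_running }
end
## Ubuntu's mysql-server package ships its unit as 'mysql' - 'mysql-server'
## (the name the earlier, commented-out check used) is the package, not a
## service, which is why that check had to stay disabled.
describe service('mysql'), :if => os[:family] == 'ubuntu' do
  it { should be_enabled }
  it { should be_running }
end

## NOTE(review): no package or service check applies to redhat 8; only the
## port check below covers it.
describe port(3306) do
  it { should be_listening }
end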
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/redis_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

## redis must be running and accepting tcp connections on its default port
describe process("redis-server") do
  it { should be_running }
end

debian_family = os[:family] == 'ubuntu' || os[:family] == 'debian'
describe service('redis-server'), :if => debian_family do
  it { should be_enabled }
  it { should be_running }
end
## on redhat the enabled-state check is skipped inside docker (presumably no
## systemd to query there); the running check still applies
describe service('redis'), :if => os[:family] == 'redhat' && host_inventory['virtualization'][:system] != 'docker' do
  it { should be_enabled }
end
describe service('redis'), :if => os[:family] == 'redhat' do
  it { should be_running }
end
describe port(6379) do
  it { should be_listening.with('tcp') }
end

## startup log lines differ by redis version, hence one row per platform:
## [log file, platform condition, lines that must be present]
debian_log = '/var/log/redis/redis-server.log'
redhat_log = '/var/log/redis/redis.log'
legacy_started = [/Server started, Redis version/, /The server is now ready to accept connections on port/]
log_checks = [
  [debian_log, os[:family] == 'debian', [/Configuration loaded/]],
  [debian_log, os[:family] == 'ubuntu' && os[:release] == '18.04', [/Configuration loaded/]],
  [debian_log, os[:family] == 'ubuntu' && os[:release] == '16.04', legacy_started],
  [redhat_log, os[:family] == 'redhat' && os[:release] == '7', legacy_started],
  [redhat_log, os[:family] == 'redhat' && os[:release] == '8',
   [/Server initialized/, /# Redis version=5\./, /Ready to accept connections/]],
]
log_checks.each do |logfile, applies, expected_lines|
  describe file(logfile), :if => applies do
    its(:size) { should > 0 }
    expected_lines.each do |line|
      its(:content) { should match line }
    end
    ## a bind failure at startup must never appear in the log
    its(:content) { should_not match /bind: Cannot assign requested address/ }
  end
end
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/run-local-tests.sh:
--------------------------------------------------------------------------------
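#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
##
## Bootstraps rvm, installs the pinned ruby, then runs the serverspec suite
## through bundler. Steps run in login shells so the rvm profile hook is loaded.

location=$(dirname "$0")
# Abort rather than run the rest of the script from an unexpected directory.
cd "$location" || exit 1
v=2.4

## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which

## Download the rvm installer to a file first so a truncated or failed transfer
## is never half-executed, then run it. The installer is still only protected
## by TLS here (no signature or checksum check); pin one if this script is kept.
rvm_installer=$(mktemp) || exit 1
if curl -sSL -o "$rvm_installer" https://get.rvm.io; then
    bash "$rvm_installer"
else
    echo "failed to download rvm installer" >&2
    rm -f "$rvm_installer"
    exit 1
fi
rm -f "$rvm_installer"
#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh

## troubleshoot
type rvm | head -1
env

#export PATH=/usr/local/rvm/bin:$PATH

bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
## gems are installed as 'nobody' rather than root
bash -l -c "env rvmsudo_secure_path=1 rvmsudo -u nobody bundle install --path ./gems"
## run the suite via rvmsudo when a non-root user is set, otherwise as 'nobody'
## (POSIX: two tests joined with && instead of the obsolescent -a)
if [ "X$USER" != "Xroot" ] && [ "X$USER" != "X" ]; then
    bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
    bash -l -c "env rvmsudo_secure_path=1 rvmsudo -u nobody bundle exec rake spec"
fi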
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/supervisor.rb:
--------------------------------------------------------------------------------
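# The sibling specs require 'serverspec' directly and the listing shows no
# spec_helper.rb in this directory, so `require 'spec_helper'` would raise
# LoadError as soon as this file is loaded.
require 'serverspec'

# Required by serverspec
set :backend, :exec

# NOTE(review): the suites' Rakefiles glob *_spec.rb only, so under its current
# name this file is presumably never picked up by `rake spec`.
describe service('supervisor') do
  it { should be_enabled }
  it { should be_running }
end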
--------------------------------------------------------------------------------
/test/integration/default-nosnuffle/serverspec/webserver_spec.rb:
--------------------------------------------------------------------------------
#require 'spec_helper'
require 'serverspec'

# Required by serverspec
set :backend, :exec

family = os[:family]
on_redhat = family == 'redhat'
on_ubuntu = family == 'ubuntu'
on_darwin = family == 'darwin'
# Short-circuit kept on purpose: host_inventory is only consulted on redhat hosts.
redhat_outside_docker = on_redhat && host_inventory['virtualization'][:system] != 'docker'

# Package name differs per family.
{ 'httpd' => on_redhat, 'apache2' => on_ubuntu }.each do |pkg, applies|
  describe package(pkg), if: applies do
    it { is_expected.to be_installed }
  end
end

# On redhat the "enabled" expectation is skipped inside docker (presumably no
# init system there); "running" is still required.
describe service('httpd'), if: redhat_outside_docker do
  it { is_expected.to be_enabled }
end
describe service('httpd'), if: on_redhat do
  it { is_expected.to be_running }
end

describe service('apache2'), if: on_ubuntu do
  it { is_expected.to be_enabled }
  it { is_expected.to be_running }
end

describe service('org.apache.httpd'), if: on_darwin do
  it { is_expected.to be_enabled }
  it { is_expected.to be_running }
end

describe port(443) do
  it { is_expected.to be_listening }
end

# The audit log must not show a write denial for httpd (an SELinux AVC-style
# line would indicate the policy is blocking the web server).
describe file('/var/log/audit/audit.log'), if: on_redhat do
  # its(:size) { should > 0 }
  its(:content) { is_expected.not_to match(/denied { write } for .* comm="httpd" /) }
end
--------------------------------------------------------------------------------
/test/integration/default/bats/idempotency.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats
#

#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
# Re-running the converged playbook locally must report neither changes nor
# failures; the full run output is kept in /tmp/idempotency.test.
#

@test "Second run should change nothing" {
  skip "not compliant: rng-tools service start, pip install from url"
  local inventory=/tmp/kitchen/hosts
  local playbook=/tmp/kitchen/default.yml
  run bash -c "ansible-playbook -i $inventory $playbook -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
  [ "$status" -eq 0 ]
}
--------------------------------------------------------------------------------
/test/integration/default/bats/process.bats:
--------------------------------------------------------------------------------
#!/usr/bin/env bats

# Ensure curl is present whichever package manager the image has; install
# failures are ignored so the test itself reports a missing curl.
setup() {
  if ! apt-get install -y curl >/dev/null; then
    yum -y install curl >/dev/null
  fi
  true
}

@test "MISP url should be accessible" {
  # -k skips certificate verification (test host, presumably a self-signed cert);
  # -L follows redirects so the page title can be asserted on the final body.
  run curl -sSqLk https://localhost/
  [ "$status" -eq 0 ]
  [[ "$output" == *"Users - MISP"* ]]
}
--------------------------------------------------------------------------------
/test/integration/default/serverspec/Gemfile:
--------------------------------------------------------------------------------
source 'https://rubygems.org'

# Task runner plus the serverspec resource DSL used by the *_spec.rb files.
gem 'rake'
gem 'serverspec'
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'
--------------------------------------------------------------------------------
/test/integration/default/serverspec/Rakefile:
--------------------------------------------------------------------------------
require 'rake'
require 'rspec/core/rake_task'

# `rake` (or `rake spec`) fans out to one RSpec task per target.
task :spec => 'spec:all'
task :default => :spec

namespace :spec do
  # The specs use the :exec backend, so the only target is the host itself.
  targets = ['localhost']

  task :all => targets
  task :default => :all

  targets.each do |target|
    # A '_default' target is shown (and exported as TARGET_HOST) as 'default'.
    original_target = target == '_default' ? 'default' : target
    desc "Run serverspec tests to #{original_target}"
    RSpec::Core::RakeTask.new(target.to_sym) do |t|
      ENV['TARGET_HOST'] = original_target
      # t.pattern = "spec/#{original_target}/*_spec.rb"
      # Glob is relative to where rake is invoked (presumably the role root), not to this file.
      t.pattern = 'test/integration/default/serverspec/*_spec.rb'
    end
  end
end
--------------------------------------------------------------------------------
/test/integration/default/serverspec/gpg_spec.rb:
--------------------------------------------------------------------------------
1 | require 'serverspec'
2 |
3 | # Required by serverspec
4 | set :backend, :exec
5 |
6 | misp_rootdir = '/var/www/_MISP/MISP'
7 | describe file("#{misp_rootdir}/.gnupg/pubring.gpg"), :if => (os[:family] == 'ubuntu' && (os[:release] == '14.04' || os[:release] == '16.04') || (os[:family] == 'redhat' && os[:release] == '7')) do
8 | it { should be_file }
9 | it { should exist }
10 | it { should be_readable.by('owner') }
11 | it { should_not be_readable.by('others') }
12 | its(:content) { should_not be_empty }
13 | end
14 |
15 | describe file("#{misp_rootdir}/.gnupg/secring.gpg"), :if => (os[:family] == 'ubuntu' && (os[:release] == '14.04' || os[:release] == '16.04') || (os[:family] == 'redhat' && os[:release] == '7')) do
16 | it { should be_file }
17 | it { should exist }
18 | it { should be_readable.by('owner') }
19 | it { should_not be_readable.by('others') }
20 | # its(:content) { should_not be_empty }
21 | end
22 |
23 | describe file("#{misp_rootdir}/app/webroot/gpg.asc") do
24 | it { should be_file }
25 | it { should exist }
26 | it { should be_readable.by('owner') }
27 | it { should be_readable.by('group') }
28 | it { should be_readable.by('others') }
29 | its(:content) { should_not be_empty }
30 | end
31 |
32 | describe command("gpg --homedir #{misp_rootdir}/.gnupg --list-keys") do
33 | its(:stdout) { should match /MISP Service \(generated by ansible\)/}
34 | its(:stdout) { should_not match /Error/}
35 | its(:exit_status) { should eq 0 }
36 | let(:sudo_options) { '-u www-data -H' }
37 | end
38 |
--------------------------------------------------------------------------------
/test/integration/default/serverspec/misp2_spec.rb:
--------------------------------------------------------------------------------
1 | require 'serverspec'
2 |
3 | # Required by serverspec
4 | set :backend, :exec
5 |
6 | misp_rootdir = '/var/www/_MISP/MISP'
7 | misp_virtualenv = '/var/www/_MISP/venv'
8 |
9 | describe command("cd #{misp_rootdir}/tests && ./curl_tests.sh `cat /var/www/_MISP/MISP/.ht_key` | tee /tmp/curl_tests.out") do
10 | ## FIXME! is it normal first run get 'HTTP/1.1 500 Internal Server Error', second run: 'HTTP/1.1 100 Continue' + 'HTTP/1.1 302 Found'
11 | ## not like https://travis-ci.org/MISP/MISP/jobs/128166085
12 | # its(:stdout) { should match /548847db-060c-4275-a0c7-15bb950d210b/}
13 | its(:stdout) { should_not match /HTTP\/1.1 500 Internal Server Error/}
14 | # its(:stderr) { should match /diff compare.csv 1.csv/}
15 | its(:stderr) { should_not match /error/}
16 | its(:exit_status) { should eq 0 }
17 | let(:sudo_options) { '-u _misp -H' }
18 | end
19 |
20 | ## FIXME!
21 | #describe command("cd #{misp_rootdir}/PyMISP && #{misp_virtualenv}/bin/nosetests --with-coverage --cover-package=pymisp tests/test_offline.py 2>&1 | tee /tmp/nosetests.out") do
22 | # its(:stdout) { should match /TOTAL/}
23 | # its(:stdout) { should match /OK/}
24 | # its(:stdout) { should_not match /FAILED/}
25 | # its(:exit_status) { should eq 0 }
26 | # let(:sudo_options) { '-u _misp -H' }
27 | #end
28 |
29 | describe command("cd #{misp_rootdir}/PyMISP && #{misp_virtualenv}/bin/python tests/test.py | tee /tmp/tests.out") do
30 | its(:exit_status) { should eq 0 }
31 | let(:sudo_options) { '-u _misp -H' }
32 | end
33 |
34 | #describe command("cd #{misp_rootdir}/PyMISP/examples/events && #{misp_virtualenv}/bin/python ./create_massive_dummy_events.py -l 5 -a 30") do
35 | # its(:stdout) { should_not match /500 Server Error: Internal Server Error/}
36 | # its(:exit_status) { should eq 0 }
37 | # let(:sudo_options) { '-u _misp -H' }
38 | #end
39 |
--------------------------------------------------------------------------------
/test/integration/default/serverspec/misp_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

#describe process('python') do
# it { should be_running }
# its(:args) { should match /manage.py runserver\b/ }
# it "is listening on port 8000" do
# expect(port(8000)).to be_listening
# end
#end

# -k skips certificate verification (test host, presumably a self-signed
# cert); -L follows redirects so the page title is asserted on the final body.
curl_args = '-sSvLk'
#misp_url = 'http://localhost'
misp_url = 'https://localhost'

describe command(['curl', curl_args, misp_url].join(' ')) do
  its(:stdout) { is_expected.to match(/Users - MISP/) }
end
--------------------------------------------------------------------------------
/test/integration/default/serverspec/mispapi_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

## API test: need to retrieve API key???
#curl -i -H "Accept: application/xml" -H "content-type: text/xml" -H "Authorization: ABCDEF" --data "@input/event.xml" -X POST https:///events

curl_args = '-sSvLk'
#misp_url = 'http://localhost'
misp_url = 'https://localhost'
misp_rootdir = '/var/www/_MISP/MISP'

# The API key is read from MISP's .ht_key on the host by command substitution,
# so it never appears in this file; it is still part of curl's argv while running.
auth_header = "-H 'Authorization: '`cat #{misp_rootdir}/.ht_key`"

# Assemble one authenticated curl call: same verbosity flags, Accept and
# Content-Type set to the same media type, key header, then the endpoint.
api_call = lambda do |method, media_type, path|
  [
    "curl #{curl_args} -X #{method}",
    "-H 'Accept: #{media_type}' -H 'Content-Type: #{media_type}'",
    auth_header,
    "#{misp_url}#{path}"
  ].join(' ')
end

## any content in default/pristine db?
describe command(api_call.call('POST', 'application/json', '/events/xml/download.json')) do
  # its(:stdout) { should match /{"request": {/ }
  its(:stdout) { is_expected.not_to match(/Error: <\/strong>/) }
  its(:stdout) { is_expected.not_to match(/{"name":"Not Found"/) }
  # its(:stdout) { should_not match /Either specify the search terms in the url/ }
end
describe command(api_call.call('POST', 'application/xml', '/stix/download')) do
  # its(:stdout) { should match // }
  its(:stdout) { is_expected.not_to match(/Error: <\/strong>/) }
  # its(:stdout) { should_not match /Not Found<\/name>/ }
end
describe command(api_call.call('POST', 'application/json', '/stix/download.json')) do
  # its(:stdout) { should match /{"request": {/ }
  its(:stdout) { is_expected.not_to match(/Error: <\/strong>/) }
  # its(:stdout) { should_not match /{"name":"Not Found"/ }
end
describe command(api_call.call('POST', 'application/json', '/attributes/text/download/md5')) do
  # its(:stdout) { should match /{"request": {/ }
  its(:stdout) { is_expected.not_to match(/Error: <\/strong>/) }
  its(:stdout) { is_expected.not_to match(/{"name":"Not Found"/) }
end

describe command(api_call.call('GET', 'application/json', '/sharing_groups/index.json')) do
  # its(:stdout) { should match /"response": \[\]/ }
  its(:stdout) { is_expected.not_to match(/Error: <\/strong>/) }
  its(:stdout) { is_expected.not_to match(/{"name":"Not Found"/) }
end
describe command(api_call.call('GET', 'application/json', '/admin/users')) do
  # its(:stdout) { should match /"User": {/ }
  # its(:stdout) { should match /"id": "1",/ }
  its(:stdout) { is_expected.not_to match(/Error: <\/strong>/) }
  its(:stdout) { is_expected.not_to match(/{"name":"Not Found"/) }
end
--------------------------------------------------------------------------------
/test/integration/default/serverspec/mispmodules_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

set :path, '/usr/local/bin:$PATH'

misp_rootdir = '/var/www/_MISP/MISP'
misp_virtualenv = '/var/www/_MISP/venv'
venv_python = "#{misp_virtualenv}/bin/python"
misp_modules_bin = "#{misp_virtualenv}/bin/misp-modules"

family  = os[:family]
release = os[:release]
on_ubuntu = family == 'ubuntu'
on_redhat = family == 'redhat'

# The virtualenv must carry the MISP python stack.
describe command("#{misp_virtualenv}/bin/pip freeze") do
  %w[cybox pymisp stix].each do |dist|
    its(:stdout) { is_expected.to match(/#{dist}/) }
  end
end

## any content in default/pristine db?
# Presumably the misp-modules HTTP listener; passivetotal must not be in the module list.
describe command('curl -s http://127.0.0.1:6666/modules | jq .') do
  its(:stdout) { is_expected.not_to match(/"name": "passivetotal",/) }
  its(:stdout) { is_expected.not_to match(/Error: <\/strong>/) }
  its(:stdout) { is_expected.not_to match(/{"name":"Not Found"/) }
end

# yara and sigma must import cleanly from the virtualenv on these platforms
# (ubuntu other than 22.04, and redhat 7).
[on_ubuntu && release != '22.04', on_redhat && release == '7'].each do |applies|
  %w[yara sigma].each do |mod|
    describe command("#{venv_python} -c 'import #{mod}'"), if: applies do
      its(:stderr) { is_expected.not_to match(/Error/) }
      its(:stderr) { is_expected.not_to match(/Failed/) }
      its(:exit_status) { is_expected.to eq 0 }
    end
  end
end

# misp-modules self-test, run as the web user. The C locale is forced on
# redhat, and WARNING lines only fail the test on redhat 7.
# Rows: [applies?, force C locale, WARNING is a failure]
misp_modules_selftests = [
  [on_ubuntu && release == '16.04', false, false],
  [on_ubuntu && release == '18.04', false, false],
  [on_redhat && release == '7',     true,  true],
  [on_redhat && release == '8',     true,  false]
]

misp_modules_selftests.each do |applies, force_c_locale, warnings_fail|
  describe command("#{misp_modules_bin} -t"), if: applies do
    let(:pre_command) { 'export LANG=C LC_ALL=C' } if force_c_locale
    let(:sudo_options) { '-u www-data -H' }
    its(:stdout) { is_expected.not_to match(/ERROR/) }
    its(:stdout) { is_expected.not_to match(/WARNING/) } if warnings_fail
  end
end
--------------------------------------------------------------------------------
/test/integration/default/serverspec/mysql_spec.rb:
--------------------------------------------------------------------------------
#require 'spec_helper'
require 'serverspec'

# Required by serverspec
set :backend, :exec

family  = os[:family]
release = os[:release]
on_redhat_7 = family == 'redhat' && release == '7'
on_redhat_6 = family == 'redhat' && release == '6'
on_ubuntu   = family == 'ubuntu'

# Package names: mariadb on EL7, mysql on EL6 and ubuntu.
[
  ['mariadb-server', on_redhat_7],
  ['mysql-server',   on_redhat_6],
  ['mysql-server',   on_ubuntu]
].each do |pkg, applies|
  describe package(pkg), if: applies do
    it { is_expected.to be_installed }
  end
end

# Service units are only asserted on the redhat releases.
[
  ['mariadb', on_redhat_7],
  ['mysqld',  on_redhat_6]
].each do |unit, applies|
  describe service(unit), if: applies do
    it { is_expected.to be_enabled }
    it { is_expected.to be_running }
  end
end

#describe service('mysql-server'), :if => os[:family] == 'ubuntu' do
# it { should be_enabled }
# it { should be_running }
#end

#describe service('org.apache.httpd'), :if => os[:family] == 'darwin' do
# it { should be_enabled }
# it { should be_running }
#end

# NOTE(review): on ubuntu only the listening port is checked; the service
# expectations above are commented out there.
describe port(3306) do
  it { is_expected.to be_listening }
end
--------------------------------------------------------------------------------
/test/integration/default/serverspec/redis_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

# Host facts are read once at load time; every `if:` below is evaluated when
# the example group is defined, exactly like the inline conditions it replaces.
family  = os[:family]
release = os[:release]
on_debian = family == 'debian'
on_ubuntu = family == 'ubuntu'
on_redhat = family == 'redhat'
# Short-circuit kept on purpose: host_inventory is only consulted on redhat hosts.
redhat_outside_docker = on_redhat && host_inventory['virtualization'][:system] != 'docker'

describe process('redis-server') do
  it { is_expected.to be_running }
end

# Unit is named redis-server on the Debian family and redis on redhat.
describe service('redis-server'), if: on_ubuntu || on_debian do
  it { is_expected.to be_enabled }
  it { is_expected.to be_running }
end

# The "enabled" expectation is skipped inside docker on redhat (presumably no
# init system there); "running" is still required.
describe service('redis'), if: redhat_outside_docker do
  it { is_expected.to be_enabled }
end
describe service('redis'), if: on_redhat do
  it { is_expected.to be_running }
end

describe port(6379) do
  it { is_expected.to be_listening.with('tcp') }
end

# Per-platform log location and the startup lines that prove a clean start;
# the bind error is rejected everywhere.
# Rows: [applies?, log path, patterns that must be present]
redis_log_checks = [
  [on_debian, '/var/log/redis/redis-server.log',
   [/Configuration loaded/]],
  [on_ubuntu && release == '18.04', '/var/log/redis/redis-server.log',
   [/Configuration loaded/]],
  [on_ubuntu && release == '16.04', '/var/log/redis/redis-server.log',
   [/Server started, Redis version/, /The server is now ready to accept connections on port/]],
  [on_redhat && release == '7', '/var/log/redis/redis.log',
   [/Server started, Redis version/, /The server is now ready to accept connections on port/]],
  [on_redhat && release == '8', '/var/log/redis/redis.log',
   [/Server initialized/, /# Redis version=5\./, /Ready to accept connections/]]
]

redis_log_checks.each do |applies, log_path, expected_lines|
  describe file(log_path), if: applies do
    its(:size) { is_expected.to be > 0 }
    expected_lines.each do |pattern|
      its(:content) { is_expected.to match(pattern) }
    end
    its(:content) { is_expected.not_to match(/bind: Cannot assign requested address/) }
  end
end
--------------------------------------------------------------------------------
/test/integration/default/serverspec/run-local-tests.sh:
--------------------------------------------------------------------------------
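#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
##
## Bootstraps rvm, installs the pinned ruby, then runs the serverspec suite
## through bundler. Steps run in login shells so the rvm profile hook is loaded.

location=$(dirname "$0")
# Abort rather than run the rest of the script from an unexpected directory.
cd "$location" || exit 1
v=2.4

## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which

## Download the rvm installer to a file first so a truncated or failed transfer
## is never half-executed, then run it. The installer is still only protected
## by TLS here (no signature or checksum check); pin one if this script is kept.
rvm_installer=$(mktemp) || exit 1
if curl -sSL -o "$rvm_installer" https://get.rvm.io; then
    bash "$rvm_installer"
else
    echo "failed to download rvm installer" >&2
    rm -f "$rvm_installer"
    exit 1
fi
rm -f "$rvm_installer"
#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh

## troubleshoot
type rvm | head -1
env

#export PATH=/usr/local/rvm/bin:$PATH

bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
## gems are installed as 'nobody' rather than root
bash -l -c "env rvmsudo_secure_path=1 rvmsudo -u nobody bundle install --path ./gems"
## run the suite via rvmsudo when a non-root user is set, otherwise as 'nobody'
## (POSIX: two tests joined with && instead of the obsolescent -a)
if [ "X$USER" != "Xroot" ] && [ "X$USER" != "X" ]; then
    bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
    bash -l -c "env rvmsudo_secure_path=1 rvmsudo -u nobody bundle exec rake spec"
fi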
--------------------------------------------------------------------------------
/test/integration/default/serverspec/snuffleupagus_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

# The apache error log for the MISP vhost must contain no PHP fatal error.
# The second pattern is subsumed by the first but names the snuffleupagus
# configuration failure explicitly, so a broken hardening config is obvious.
describe file('/var/log/apache2/misp.local_error.log') do
  [
    /PHP Fatal error:/,
    /PHP Fatal error: \[snuffleupagus\]\[config\] Invalid configuration file/
  ].each do |fatal|
    its(:content) { is_expected.not_to match(fatal) }
  end
end
--------------------------------------------------------------------------------
/test/integration/default/serverspec/supervisor.rb:
--------------------------------------------------------------------------------
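# The sibling specs require 'serverspec' directly and the listing shows no
# spec_helper.rb in this directory, so `require 'spec_helper'` would raise
# LoadError as soon as this file is loaded.
require 'serverspec'

# Required by serverspec
set :backend, :exec

# NOTE(review): the Rakefile in this directory globs *_spec.rb only, so under
# its current name this file is not picked up by `rake spec`.
describe service('supervisor') do
  it { should be_enabled }
  it { should be_running }
end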
--------------------------------------------------------------------------------
/test/integration/default/serverspec/webserver_spec.rb:
--------------------------------------------------------------------------------
#require 'spec_helper'
require 'serverspec'

# Required by serverspec
set :backend, :exec

family = os[:family]
on_redhat = family == 'redhat'
on_ubuntu = family == 'ubuntu'
on_darwin = family == 'darwin'
# Short-circuit kept on purpose: host_inventory is only consulted on redhat hosts.
redhat_outside_docker = on_redhat && host_inventory['virtualization'][:system] != 'docker'

# Package name differs per family.
{ 'httpd' => on_redhat, 'apache2' => on_ubuntu }.each do |pkg, applies|
  describe package(pkg), if: applies do
    it { is_expected.to be_installed }
  end
end

# On redhat the "enabled" expectation is skipped inside docker (presumably no
# init system there); "running" is still required.
describe service('httpd'), if: redhat_outside_docker do
  it { is_expected.to be_enabled }
end
describe service('httpd'), if: on_redhat do
  it { is_expected.to be_running }
end

describe service('apache2'), if: on_ubuntu do
  it { is_expected.to be_enabled }
  it { is_expected.to be_running }
end

describe service('org.apache.httpd'), if: on_darwin do
  it { is_expected.to be_enabled }
  it { is_expected.to be_running }
end

describe port(443) do
  it { is_expected.to be_listening }
end

# The audit log must not show a write denial for httpd (an SELinux AVC-style
# line would indicate the policy is blocking the web server).
describe file('/var/log/audit/audit.log'), if: on_redhat do
  # its(:size) { should > 0 }
  its(:content) { is_expected.not_to match(/denied { write } for .* comm="httpd" /) }
end
--------------------------------------------------------------------------------
/test/integration/nginx/default.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | - name: Test integration playbook
4 | hosts: all
5 | vars:
6 | misp_webserver: 'nginx'
7 | misp_testing: true
8 | misp_testing_user: _misp
9 | misp_testing_user_home: "/home/{{ misp_testing_user }}"
10 | misp_testing_key_file: "{{ misp_testing_user_home }}/build/key.txt"
11 | misp_base_url: http://localhost
12 | misp_webusers_list:
13 | - { u: dupont@admin.test, p: dupont_passphrase. }
14 | - { u: dupond@admin.test, p: dupond_passphrase. }
15 | roles:
16 | # - geerlingguy.apache
17 | - juju4.misp
18 | - juju4.harden_nginx
19 |
--------------------------------------------------------------------------------
/test/integration/nginx/serverspec/Rakefile:
--------------------------------------------------------------------------------
require 'rake'
require 'rspec/core/rake_task'

# `rake` (or `rake spec`) fans out to one RSpec task per target.
task :spec => 'spec:all'
task :default => :spec

namespace :spec do
  # The specs use the :exec backend, so the only target is the host itself.
  targets = ['localhost']

  task :all => targets
  task :default => :all

  targets.each do |target|
    # A '_default' target is shown (and exported as TARGET_HOST) as 'default'.
    original_target = target == '_default' ? 'default' : target
    desc "Run serverspec tests to #{original_target}"
    RSpec::Core::RakeTask.new(target.to_sym) do |t|
      ENV['TARGET_HOST'] = original_target
      # t.pattern = "spec/#{original_target}/*_spec.rb"
      # NOTE(review): this glob selects the default suite's specs, not the ones
      # next to this Rakefile under test/integration/nginx/serverspec — confirm
      # that is intended.
      t.pattern = 'test/integration/default/serverspec/*_spec.rb'
    end
  end
end
--------------------------------------------------------------------------------
/test/integration/nginx/serverspec/misp2_spec.rb:
--------------------------------------------------------------------------------
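require 'serverspec'

# Required by serverspec
set :backend, :exec

misp_rootdir = '/var/www/MISP'
misp_virtualenv = "#{misp_rootdir}/venv"
# Expanded by the shell on the host, i.e. the sudo target user's home (-H).
misp_key_file = '$HOME/build/key.txt'

# Builds "cd <dir>; <cmd> | tee <log>" so that the shell exits with <cmd>'s
# status rather than tee's. Plain sh has no pipefail, so the previous
# "<cmd> | tee <log>" form always reported tee's status and could not fail on
# a failing <cmd>. The status is parked in "<log>.rc" between the two stages.
run_in_dir_with_log = lambda do |dir, cmd, log|
  rc_file = "#{log}.rc"
  "cd #{dir} || exit 1; rm -f #{rc_file}; { #{cmd}; echo $? > #{rc_file}; } | tee #{log}; " \
    "exit \"$(cat #{rc_file} 2>/dev/null || echo 1)\""
end

# MISP's own curl_tests.sh against the local instance; output kept in /tmp/curl_tests.out.
# NOTE: curl_tests.sh takes the API key as its first argument, so the key is
# visible in the process list on the test host for the duration of the run.
describe command(run_in_dir_with_log.call("#{misp_rootdir}/tests",
                                          "./curl_tests.sh \"$(cat #{misp_key_file})\"",
                                          '/tmp/curl_tests.out')) do
  ## FIXME! is it normal first run get 'HTTP/1.1 500 Internal Server Error', second run: 'HTTP/1.1 100 Continue' + 'HTTP/1.1 302 Found'
  ## not like https://travis-ci.org/MISP/MISP/jobs/128166085
  its(:stdout) { should match /548847db-060c-4275-a0c7-15bb950d210b/}
  its(:stdout) { should_not match /HTTP\/1.1 500 Internal Server Error/}
  its(:exit_status) { should eq 0 }
  let(:sudo_options) { '-u _misp -H' }
end

## FIXME!
#describe command('cd /var/www/MISP/PyMISP && /var/www/MISP/venv/bin/nosetests --with-coverage --cover-package=pymisp tests/test_offline.py 2>&1 | tee /tmp/nosetests.out') do
# its(:stdout) { should match /TOTAL/}
# its(:stdout) { should match /OK/}
# its(:stdout) { should_not match /FAILED/}
# its(:exit_status) { should eq 0 }
# let(:sudo_options) { '-u _misp -H' }
#end

# PyMISP self-test from the MISP virtualenv; output kept in /tmp/tests.out.
describe command(run_in_dir_with_log.call("#{misp_rootdir}/PyMISP",
                                          "#{misp_virtualenv}/bin/python tests/test.py",
                                          '/tmp/tests.out')) do
  its(:exit_status) { should eq 0 }
  let(:sudo_options) { '-u _misp -H' }
end

#describe command('cd /var/www/MISP/PyMISP/examples/events && /var/www/MISP/venv/bin/python ./create_massive_dummy_events.py -l 5 -a 30') do
# its(:stdout) { should_not match /500 Server Error: Internal Server Error/}
# its(:exit_status) { should eq 0 }
# let(:sudo_options) { '-u _misp -H' }
#end

## FIXME!
## nginx-centos7: fail
# PyMISP test suite under coverage (stderr folded into stdout so the
# assertions below see it); output kept in /tmp/coverage.out.
describe command(run_in_dir_with_log.call("#{misp_rootdir}/PyMISP",
                                          "#{misp_virtualenv}/bin/coverage run setup.py test 2>&1",
                                          '/tmp/coverage.out')),
         :if => os[:release] != '14.04' && os[:release] != '6' do
  its(:stdout) { should match /version/ }
  ## nginx-centos7 output is pretty print, while other are not
  # its(:stdout) { should match /{u'Event': {u'info': u'This is a test'/ }
  its(:stdout) { should match /This is a test/ }
  # its(:stdout) { should match /OK/}
  its(:stdout) { should_not match /FAILED \(errors=.*\)/}
  its(:stdout) { should_not match /HTTPError: 500 Server Error: Internal Server Error for url/}
  its(:exit_status) { should eq 0 }
  let(:sudo_options) { '-u _misp -H' }
end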
--------------------------------------------------------------------------------
/test/integration/nginx/serverspec/misp_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

#describe process('python') do
# it { should be_running }
# its(:args) { should match /manage.py runserver\b/ }
# it "is listening on port 8000" do
# expect(port(8000)).to be_listening
# end
#end

# This scenario serves MISP over plain http (misp_base_url in the nginx
# default.yml); the landing page title is the liveness signal.
misp_url = 'http://localhost'

describe command("wget -O - #{misp_url}") do
  its(:stdout) { is_expected.to match(/Users - MISP/) }
end

## API test: need to retrieve API key???
#curl -i -H "Accept: application/xml" -H "content-type: text/xml" -H "Authorization: ABCDEF" --data "@input/event.xml" -X POST https:///events
#describe command('wget -O - http://localhost/events/xml/download.json') do
# its(:stdout) { should match /{"request": {/ }
#end
#describe command('wget -O - http://localhost/stix/download') do
# its(:stdout) { should match // }
#end
#describe command('wget -O - http://localhost/stix/download.json') do
# its(:stdout) { should match /{"request": {/ }
#end
--------------------------------------------------------------------------------
/test/integration/nginx/serverspec/mysql_spec.rb:
--------------------------------------------------------------------------------
#require 'spec_helper'
require 'serverspec'

# Required by serverspec
set :backend, :exec

on_redhat = os[:family] == 'redhat'
on_ubuntu = os[:family] == 'ubuntu'

# Package name differs per family: mariadb on redhat, mysql on ubuntu.
describe package('mariadb-server'), if: on_redhat do
  it { is_expected.to be_installed }
end

describe package('mysql-server'), if: on_ubuntu do
  it { is_expected.to be_installed }
end

# Only redhat's service unit is asserted; on ubuntu the port check below is
# the only signal (the service block is commented out).
describe service('mariadb'), if: on_redhat do
  it { is_expected.to be_enabled }
  it { is_expected.to be_running }
end

#describe service('mysql-server'), :if => os[:family] == 'ubuntu' do
# it { should be_enabled }
# it { should be_running }
#end

#describe service('org.apache.httpd'), :if => os[:family] == 'darwin' do
# it { should be_enabled }
# it { should be_running }
#end

describe port(3306) do
  it { is_expected.to be_listening }
end
--------------------------------------------------------------------------------
/test/integration/nginx/serverspec/supervisor.rb:
--------------------------------------------------------------------------------
require 'spec_helper'

# Required by serverspec
set :backend, :exec

# The supervisor daemon runs the MISP background workers; it must be
# enabled at boot and running.
# NOTE(review): this file is named supervisor.rb rather than *_spec.rb;
# runners that only collect *_spec.rb files may never execute it — confirm.
describe service('supervisor') do
  it { should be_enabled }
  it { should be_running }
end
10 |
--------------------------------------------------------------------------------
/test/integration/nginx/serverspec/webserver_spec.rb:
--------------------------------------------------------------------------------
require 'serverspec'

# Required by serverspec
set :backend, :exec

# nginx uses the same package and unit name on both Linux families the
# role supports, so one conditional covers redhat and ubuntu.
on_linux = %w[redhat ubuntu].include?(os[:family])

describe package('nginx'), :if => on_linux do
  it { should be_installed }
end

describe service('nginx'), :if => on_linux do
  it { should be_enabled }
  it { should be_running }
end

# macOS launchd label.
describe service('org.nginx.httpd'), :if => os[:family] == 'darwin' do
  it { should be_enabled }
  it { should be_running }
end

# Plain HTTP listener.
describe port(80) do
  it { should be_listening }
end

# The checks below remain disabled; they document what a hardened
# deployment should additionally assert (HTTPS listener, hardening
# snippets, certificate signature algorithm and key size).
#describe port(443) do
#  it { should be_listening }
#end
#
#describe file('/etc/nginx/harden-nginx-common') do
#  it { should be_file }
#end
#describe file('/etc/nginx/harden-nginx-https') do
#  it { should be_file }
#end
#describe file('/etc/nginx/sites-enabled/https'), :if => os[:family] == 'ubuntu' do
#  it { should be_file }
#end
#
#describe command('openssl s_client -connect localhost:443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin') do
#  its(:stdout) { should match /sha256/ }
#  its(:stdout) { should match /Public-Key: \(2048 bit\)/ }
#end
## enumerate ciphers? multiple openssl s_client, nmap, sslscan, ...
#http://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers
53 |
--------------------------------------------------------------------------------
/test/lxd/centos-ssh-image.sh:
--------------------------------------------------------------------------------
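#!/bin/sh
# add ssh to default lxd image
#
# Usage: centos-ssh-image.sh [7|8|8-Stream|9|9-Stream]   (default: 7)
# Builds a guest from the "<image>-nossh" template, installs sshd and the
# test tooling, publishes the result under the alias "<image>" and removes
# the build container.
#
# NOTE(review): as before, the script keeps going when a step fails, so a
# failed step can still end in a published image; check the output before
# relying on it (or add `set -e` once every step is known to succeed on
# every supported release).

# Unset variables are errors; the release argument is read defensively below.
set -u

release="${1:-}"

# Map the requested release to the template/alias base name.
case "$release" in
  9|9-Stream) image=centos-9-Stream ;;
  8|8-Stream) image=centos-8-Stream ;;
  *)          image=centos-7 ;;
esac
guest="default-$image"
template="$image-nossh"
publishalias="$image"

lxc init "$template" "$guest"
lxc start "$guest"
# Throwaway random root password, emitted twice for the confirmation
# prompt; it is never recorded, so password login into the published
# image is effectively disabled and access is expected through ssh keys.
openssl rand -base64 48 | perl -ne 'print "$_" x2' | lxc exec "$guest" -- passwd root

lxc exec "$guest" -- dhclient eth0
# Connectivity check before package installation.
lxc exec "$guest" -- ping -c 1 8.8.8.8
# dnf-based releases. "9" previously fell through to the yum branch even
# though it builds the same centos-9-Stream image as "9-Stream"; both are
# now handled alike.
case "$release" in
  8|8-Stream|9|9-Stream)
    lxc exec "$guest" -- dnf -y upgrade
    lxc exec "$guest" -- dnf install -y openssh-server sudo ruby yum-utils
    lxc exec "$guest" -- dnf install -y python3 python3-pip openssl-devel python36-devel libffi-devel "@Development tools"
    # NOTE(review): unpinned install from PyPI; pin a version for a
    # reproducible image.
    lxc exec "$guest" -- pip3 install ansible
    lxc exec "$guest" -- ln -s /usr/bin/pip3 /usr/bin/pip
    ;;
  *)
    lxc exec "$guest" -- yum -y upgrade
    lxc exec "$guest" -- yum install -y openssh-server sudo ruby yum-utils
    ;;
esac
lxc exec "$guest" -- systemctl enable sshd
lxc exec "$guest" -- systemctl start sshd
# -p: no error when the directory already exists.
lxc exec "$guest" -- mkdir -p /root/.ssh
lxc exec "$guest" -- gem install busser

lxc stop "$guest" --force
lxc publish "$guest" --alias "$publishalias"
lxc delete "$guest"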
39 |
--------------------------------------------------------------------------------
/test/lxd/debian-ssh-image.sh:
--------------------------------------------------------------------------------
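#!/bin/sh
# add ssh to default lxd debian image
#
# Usage: debian-ssh-image.sh <debian-release>
# Builds a guest from the "debian-<release>-nossh" template, installs sshd
# and the test tooling, publishes it under the alias "debian-<release>" and
# removes the build container.
#
# NOTE(review): as before, the script keeps going when a step fails, so a
# failed step can still end in a published image; check the output before
# relying on it.

set -u

# The release argument is mandatory: without it the template name would
# silently become "debian--nossh".
release="${1:?usage: $0 <debian-release>}"

image="debian-$release"
guest="default-$image"
template="$image-nossh"
publishalias="$image"

lxc init "$template" "$guest"
lxc start "$guest"
# Throwaway random root password, emitted twice for the confirmation
# prompt; it is never recorded, so password login into the published
# image is effectively disabled and access is expected through ssh keys.
openssl rand -base64 48 | perl -ne 'print "$_" x2' | lxc exec "$guest" -- passwd root

lxc exec "$guest" -- dhclient eth0
# Connectivity check before package installation.
lxc exec "$guest" -- ping -c 1 8.8.8.8
lxc exec "$guest" -- apt-get -y update
lxc exec "$guest" -- apt-get -y upgrade
lxc exec "$guest" -- apt-get install -y openssh-server sudo python3-pip ruby curl wget
# NOTE(review): unpinned install from PyPI; pin a version for a
# reproducible image.
lxc exec "$guest" -- pip3 install ansible
lxc exec "$guest" -- which ansible
lxc exec "$guest" -- ansible --version
# -p: no error when the directory already exists.
lxc exec "$guest" -- mkdir -p /root/.ssh
lxc exec "$guest" -- gem install busser

lxc stop "$guest" --force
lxc publish "$guest" --alias "$publishalias"
lxc delete "$guest"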
27 |
--------------------------------------------------------------------------------
/test/vagrant/Vagrantfile:
--------------------------------------------------------------------------------
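# -*- mode: ruby -*-
# vi: set ft=ruby :

# Local test VM for the role: one Ubuntu guest provisioned with the
# ansible provisioner, with the MISP web UI forwarded to the host.

VAGRANTFILE_API_VERSION = "2"
ENV['VAGRANT_DEFAULT_PROVIDER'] = 'virtualbox'

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "ubuntu/jammy64"
  #config.vm.box = "generic/centos9s"

  config.vm.provision :ansible do |ansible|
    ansible.playbook = "site.yml"
    #ansible.verbose = "vvvv"
    # Host key checking stays at its default (enabled); only relax it for
    # throwaway runs.
    #ansible.host_key_checking = false
    #ansible.limit = 'all'
    ansible.become = true
    # misp_base_url must match the forwarded port configured below.
    ansible.extra_vars = { ansible_ssh_user: 'vagrant', misp_base_url: 'http://127.0.0.1:8888' }
    ansible.groups = {
      "myrole" => ["vhost" ],
    }
  end

  config.vm.define "vhost" do |vhost|
    vhost.vm.hostname = "vhost"
    vhost.vm.provider "virtualbox" do |v|
      v.memory = 1024
    end
    # Bind the forwarded port to loopback only: without host_ip Vagrant
    # binds it on every host interface, exposing the test instance to the
    # local network. misp_base_url above already points at 127.0.0.1.
    vhost.vm.network "forwarded_port", guest: 8888, host: 8888, host_ip: "127.0.0.1"
  end

end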
32 |
--------------------------------------------------------------------------------
/test/vagrant/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]
# Per-task and total run timings in the playbook output.
callbacks_enabled = profile_tasks, timer
# Resolve the role under test from the parent of the repository checkout.
roles_path = ../../../
# https://github.com/ansible/ansible/issues/43884
gather_timeout=20
interpreter_python = auto
7 |
--------------------------------------------------------------------------------
/test/vagrant/site.yml:
--------------------------------------------------------------------------------
---

# Applies the role under test to every inventory host; the Vagrantfile
# supplies the inventory groups and extra_vars.
- name: Test vagrant playbook
  hosts: all
  roles:
    - juju4.misp
7 |
--------------------------------------------------------------------------------
/vars/Debian-11.yml:
--------------------------------------------------------------------------------
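---

# Distribution-specific settings for Debian 11 (bullseye).
# Entries previously listed twice (php-mbstring, php-redis, zlib1g-dev,
# libzbar0) are kept once.

misp_pkg_list:
  - openssh-server
  - mariadb-server
  - php
  - php-mysql
  - php-mbstring
  - php7.4-opcache
  - php-readline
  - php-zip
  - php-redis
  - php-gnupg
  - php-intl
  - php-bcmath
  - php-gd
  - postfix
  - gcc
  - zip
  - git
  - redis-server
  - make
  - python3-dev
  - python3-pip
  - python3-virtualenv
  - python3-setuptools
  - libxml2-dev
  - libxslt1-dev
  - libgl1-mesa-glx
  - libzbar0
  - zlib1g-dev
  - php-dev
  - curl
  - gnupg
  #
  - python3-mysqldb
  # rng-tools-debian or rng-tools5 per https://packages.debian.org/bullseye/rng-tools-debian
  - rng-tools-debian
  # misp-modules
  - python3
  - libpq5
  - acl
  - sudo
  - cron
  ## pillow
  - libtiff5-dev
  - libjpeg-dev
  - libfreetype6-dev
  ## if pyzmq?
  # - libczmq-dev
  - openssl
  - libfuzzy-dev
  - ruby-pygments.rb
  - ruby-dev
  - libsm6
  - libzbar-dev
  - tesseract-ocr
  - libpoppler-cpp-dev
  - imagemagick
  - libxrender1

# Ruby gems, pinned to an explicit version.
misp_gem_list:
  - { name: public_suffix, v: 4.0.7 }
  - { name: asciidoctor-pdf, v: 2.3.2 }

python3_bin: python3
python3_pip: pip3

mysql_svc: mysql
rng_svc: rng-tools-debian
redis_svc: redis
redis_conf: /etc/redis/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere).
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"

misp_services_nginx:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php7.4-fpm

misp_testing_pkg:
  - ruby
  - rake

misp_webserver_apache2:
  - apache2
  - libapache2-mod-php
  ## travis: "No package matching 'libapache2-mod-fastcgi' is available"
  # - libapache2-mod-fastcgi

misp_webserver_nginx:
  - nginx
  - php-fpm

php_confdir: /etc/php/7.4/mods-available
php_confext: ini
php_ini: /etc/php/7.4/apache2/php.ini
php_ini_nginx: /etc/php/7.4/fpm/php.ini
php_confenable: /etc/php/7.4/apache2/conf.d
php_bin: /usr/bin/php7.4
nginx_sock: /run/php/php7.4-fpm.sock
fpm_user: www-data

gnupg_privdir: "{{ misp_rootdir }}/.gnupg/private-keys-v1.d"

# NOTE(review): bullseye ships python3.9; this python3.6 path looks carried
# over from an older release — confirm against an actual install.
mispmodules_libyarapath: /usr/local/lib/python3.6/dist-packages/usr/lib

apacheetc: /etc/apache2
ssl_user: ssl-cert
ssl_dir: /etc/ssl/certs
ssl_privatedir: /etc/ssl/private

supervisor_conf: /etc/supervisor/supervisord.conf
supervisor_confdir: /etc/supervisor/conf.d
supervisor_ext: conf
supervisor_service: supervisor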
124 |
--------------------------------------------------------------------------------
/vars/RedHat-6.yml:
--------------------------------------------------------------------------------
---

# Distribution-specific settings for RedHat/CentOS 6.
# NOTE(review): EL6 is long out of support; keep these vars only while the
# role still claims to support it.

misp_pkg_list:
  - openssh-server
  - httpd
  - mysql
  - mysql-server
  - MySQL-python
  - php
  - php-mysql
  - php-mbstring
  - php-devel
  - php-redis
  # - php56
  # - php56-php-mysqlnd
  # - php56-php-mbstring
  # - php56-php-devel
  # - php56-php-redis
  - postfix
  - "@Development tools"
  - zip
  - git
  - redis
  - make
  - python-devel
  - python-pip
  - libxml2-devel
  - libxslt-devel
  - zlib-devel
  - curl
  - gnupg
  #
  - rng-tools
  - wget
  # misp-modules
  # - python34
  ## http://stackoverflow.com/questions/32618686/how-to-install-pip-in-centos-7
  # - python3-pip
  - acl
  - sudo
  - crontabs
  ## pillow? not needed
  # - libjpeg-turbo-devel
  - openssl
  - ruby-devel

# NOTE(review): literal placeholder value (trailing "?"); no python3 package
# is listed above and python3_pip is not defined, so anything that uses
# python3_bin on EL6 cannot work as written — confirm or remove.
python3_bin: python3?

misp_webserver_apache2:
  - httpd

misp_webserver_nginx:
  - nginx
  - php-fpm

mysql_svc: mysqld
rng_svc: rngd
redis_svc: redis
redis_conf: /etc/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere).
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php-fpm

misp_testing_pkg:
  - rubygem-rake

nginx_sock: /var/run/php-fpm/php-fpm.sock
php_confdir: /etc/php.d
php_confext: conf
php_ini: /etc/php.ini

# php-fpm pool user; "nobody" is shared with other system services, unlike
# the dedicated www-data used on Debian-family hosts.
fpm_user: nobody

gnupg_privdir: "{{ misp_rootdir }}/.gnupg"

apacheetc: /etc/httpd
ssl_user: root
ssl_dir: /etc/pki/tls/certs
ssl_privatedir: /etc/pki/tls/private
82 |
--------------------------------------------------------------------------------
/vars/RedHat-7.yml:
--------------------------------------------------------------------------------
---

# Distribution-specific settings for RedHat/CentOS 7.

misp_pkg_list:
  - openssh-server
  - httpd
  - mariadb
  - mariadb-server
  - MySQL-python
  - php
  - php-mysql
  - php-mbstring
  - php-devel
  - php-redis
  - php-opcache
  - php-xml
  - php-gd
  - postfix
  - "@Development tools"
  - zip
  - git
  - redis
  - make
  - python-devel
  - python-pip
  - libxml2-devel
  - libxslt-devel
  - zlib-devel
  - curl
  - gnupg
  #
  - rng-tools
  - wget
  # misp-modules
  - python36
  - python36-devel
  ## http://stackoverflow.com/questions/32618686/how-to-install-pip-in-centos-7
  # - python3-pip
  - python36-setuptools
  - python-virtualenv
  # - python36-six
  # FIXME! not available
  # - libpq5
  ## misc
  - acl
  - sudo
  - crontabs
  ## pillow? not needed
  # - libjpeg-turbo-devel
  - openssl
  - policycoreutils-python
  ## kitchen/ss
  - iproute
  - ssdeep-devel
  - ssdeep-libs
  - openjpeg-devel
  - rubygem-rouge
  - rubygem-asciidoctor
  - libSM
  - zbar
  - poppler-cpp-devel
  - libXrender
  - ruby-devel

python3_bin: python3.6
python3_pip: /usr/local/bin/pip3

misp_webserver_apache2:
  - httpd

misp_webserver_nginx:
  - nginx
  - php-fpm

mysql_svc: mariadb
rng_svc: rngd
redis_svc: redis
redis_conf: /etc/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere).
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php-fpm

misp_testing_pkg:
  - rubygem-rake

nginx_sock: /var/run/php-fpm/php-fpm.sock
php_confdir: /etc/php.d
php_confext: ini
php_ini: /etc/php.ini
# Remi PHP stream to enable. NOTE(review): PHP 7.2 no longer receives
# security fixes; consider a supported stream if EL7 is still used.
php_remi_version: 72
fpm_user: nobody

gnupg_privdir: "{{ misp_rootdir }}/.gnupg"

apacheetc: /etc/httpd
ssl_user: root
ssl_dir: /etc/pki/tls/certs
ssl_privatedir: /etc/pki/tls/private

# NOTE(review): supervisor_conf is not set here although the EL8/EL9 vars
# define it — confirm whether the supervisor tasks need it on EL7.
supervisor_confdir: /etc/supervisord.d
supervisor_ext: ini
supervisor_service: supervisord
104 |
--------------------------------------------------------------------------------
/vars/RedHat-8.yml:
--------------------------------------------------------------------------------
---

# Distribution-specific settings for RedHat/CentOS 8.

misp_pkg_list:
  - openssh-server
  - httpd
  - mariadb
  - mariadb-server
  - php
  - php-mysqlnd
  - php-mbstring
  - php-devel
  - php-pear
  - php-fpm
  # php-pecl-* from remi repository
  - php-pecl-redis
  - php-pecl-ssdeep
  - php-pecl-gnupg
  - php-opcache
  - php-xml
  - php-gd
  - php-json
  - php-zip
  - postfix
  - "@Development tools"
  - zip
  - git
  - redis
  - make
  - python3-devel
  - python3-pip
  - python3-virtualenv
  - python3-policycoreutils
  - policycoreutils-python-utils
  - libxml2-devel
  - libxslt-devel
  - zlib-devel
  - curl
  - gnupg
  #
  # Entropy source: haveged on virtualised EL8+ guests (where a hardware RNG
  # is usually absent), rng-tools otherwise. Mirrors the rng_svc expression below.
  - "{% if (ansible_os_family == 'RedHat' and ansible_distribution_major_version | int >= 8) and ansible_virtualization_type is defined %}haveged{% else %}rng-tools{% endif %}"
  - wget
  # misp-modules
  - python36
  - python36-devel
  - python3-PyMySQL
  - libpq
  ## misc
  - acl
  - sudo
  - crontabs
  - libjpeg-turbo-devel
  - openssl
  - hostname
  ## kitchen/ss
  - iproute
  - ssdeep-devel
  - ssdeep-libs
  # - openjpeg-devel
  # - rubygem-rouge
  # - rubygem-asciidoctor
  - libSM
  # - zbar
  - libXrender
  ## CentOS PowerTools x86_64
  - poppler-cpp-devel
  - ruby-devel

python3_bin: python3.6
python3_pip: /usr/local/bin/pip3

misp_webserver_apache2:
  - httpd

misp_webserver_nginx:
  - nginx
  - php-fpm

mysql_svc: mariadb
# Must select the service matching the entropy package chosen in misp_pkg_list.
rng_svc: "{% if (ansible_os_family == 'RedHat' and ansible_distribution_major_version | int >= 8) and ansible_virtualization_type is defined %}haveged{% else %}rngd{% endif %}"
redis_svc: redis
redis_conf: /etc/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere).
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php-fpm

misp_testing_pkg:
  - rubygem-rake

nginx_sock: /var/run/php-fpm/php-fpm.sock
php_confdir: /etc/php.d
php_confext: ini
php_ini: /etc/php.ini
# Remi PHP stream to enable. NOTE(review): PHP 7.4 no longer receives
# security fixes upstream; track MISP's supported PHP versions.
php_remi_version: 74
fpm_user: nobody

gnupg_privdir: "{{ misp_rootdir }}/.gnupg"

apacheetc: /etc/httpd
ssl_user: root
ssl_dir: /etc/pki/tls/certs
ssl_privatedir: /etc/pki/tls/private

supervisor_conf: /etc/supervisord.conf
supervisor_confdir: /etc/supervisord.d
supervisor_ext: ini
supervisor_service: supervisord
109 |
--------------------------------------------------------------------------------
/vars/RedHat-9.yml:
--------------------------------------------------------------------------------
---

# Distribution-specific settings for RedHat/CentOS 9.

misp_pkg_list:
  - openssh-server
  - httpd
  - mariadb
  - mariadb-server
  - php
  - php-mysqlnd
  - php-mbstring
  - php-devel
  - php-pear
  - php-fpm
  # php-pecl-* from remi repository
  - php-pecl-redis
  - php-pecl-ssdeep
  - php-pecl-gnupg
  - php-opcache
  - php-xml
  - php-gd
  - php-json
  - php-zip
  - postfix
  - "@Development tools"
  - zip
  - git
  - redis
  - make
  - python3-devel
  - python3-pip
  - python3-virtualenv
  - python3-policycoreutils
  - policycoreutils-python-utils
  - libxml2-devel
  - libxslt-devel
  - zlib-devel
  - curl
  - gnupg
  #
  # Entropy source: haveged on virtualised guests, rng-tools otherwise
  # (the major-version test is always true here; kept for parity with EL8).
  - "{% if (ansible_os_family == 'RedHat' and ansible_distribution_major_version | int >= 8) and ansible_virtualization_type is defined %}haveged{% else %}rng-tools{% endif %}"
  - wget
  # misp-modules
  - python3
  - python3-devel
  - python3-PyMySQL
  - libpq
  ## misc
  - acl
  - sudo
  - crontabs
  - libjpeg-turbo-devel
  - openssl
  - hostname
  ## kitchen/ss
  - iproute
  - ssdeep-devel
  - ssdeep-libs
  # - openjpeg-devel
  # - rubygem-rouge
  # - rubygem-asciidoctor
  - libSM
  # - zbar
  - libXrender
  ## CentOS PowerTools x86_64
  - poppler-cpp-devel
  - ruby-devel

python3_bin: python3
python3_pip: /usr/bin/pip3

misp_webserver_apache2:
  - httpd

misp_webserver_nginx:
  - nginx
  - php-fpm

mysql_svc: mariadb
# Must select the service matching the entropy package chosen in misp_pkg_list.
rng_svc: "{% if (ansible_os_family == 'RedHat' and ansible_distribution_major_version | int >= 8) and ansible_virtualization_type is defined %}haveged{% else %}rngd{% endif %}"
redis_svc: redis
# Differs from EL8 (/etc/redis.conf).
redis_conf: /etc/redis/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere).
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php-fpm

misp_testing_pkg:
  - rubygem-rake

nginx_sock: /var/run/php-fpm/php-fpm.sock
php_confdir: /etc/php.d
php_confext: ini
php_ini: /etc/php.ini
# Remi PHP stream to enable. NOTE(review): PHP 7.4 no longer receives
# security fixes upstream; track MISP's supported PHP versions.
php_remi_version: 74
fpm_user: nobody

gnupg_privdir: "{{ misp_rootdir }}/.gnupg"

apacheetc: /etc/httpd
ssl_user: root
ssl_dir: /etc/pki/tls/certs
ssl_privatedir: /etc/pki/tls/private

supervisor_conf: /etc/supervisord.conf
supervisor_confdir: /etc/supervisord.d
supervisor_ext: ini
supervisor_service: supervisord
109 |
--------------------------------------------------------------------------------
/vars/Ubuntu-12.04.yml:
--------------------------------------------------------------------------------
---

# Distribution-specific settings for Ubuntu 12.04.
# NOTE(review): this release is long out of support; keep these vars only
# while the role still claims to support it.

misp_pkg_list:
  - openssh-server
  - mysql-server
  - php5
  - php5-mysql
  # - php5-mbstring
  - postfix
  - gcc
  - zip
  - git
  - redis-server
  - make
  - python-dev
  - python-pip
  - python-virtualenv
  - python-setuptools
  - libxml2-dev
  - libxslt1-dev
  - zlib1g-dev
  - php5-dev
  - curl
  - gnupg
  #
  # - php5-redis
  - python-mysqldb
  - rng-tools
  # misp-modules
  - python3
  # - python3-pip
  # available ?
  - libpq5
  - acl
  - sudo
  ## pillow? not needed
  # - libtiff4-dev
  # - libjpeg8-dev
  # - zlib1g-dev
  # - libfreetype6-dev
  ## if pyzmq?
  # - libczmq-dev
  - openssl
  - libsm6

python3_bin: python3

mysql_svc: mysql
rng_svc: rng-tools
# NOTE(review): redis_svc is not defined here although every other vars file
# sets it next to redis_conf — confirm whether the redis tasks need it.
redis_conf: /etc/redis/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere);
# the rng service check is disabled on this release.
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  # - "{{ rng_svc }}"

misp_services_nginx:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php5-fpm

misp_testing_pkg:
  - ruby2.0
  - rake

misp_webserver_apache2:
  - apache2
  - libapache2-mod-php5
  ## travis: "No package matching 'libapache2-mod-fastcgi' is available"
  # - libapache2-mod-fastcgi

misp_webserver_nginx:
  - nginx
  - php5-fpm

php_confdir: /etc/php5/mods-available
php_confext: ini
php_ini: /etc/php5/apache2/php.ini
php_ini_nginx: /etc/php5/fpm/php.ini
php_confenable: /etc/php5/apache2/conf.d
nginx_sock: /var/run/php5-fpm.sock
fpm_user: www-data

gnupg_privdir: "{{ misp_rootdir }}/.gnupg"

apacheetc: /etc/apache2
ssl_user: ssl-cert
# Newer Ubuntu vars files use /etc/ssl/certs here.
ssl_dir: /etc/ssl
ssl_privatedir: /etc/ssl/private
90 |
--------------------------------------------------------------------------------
/vars/Ubuntu-14.04.yml:
--------------------------------------------------------------------------------
---

# Distribution-specific settings for Ubuntu 14.04.
# NOTE(review): this release is out of standard support; keep these vars
# only while the role still claims to support it.

misp_pkg_list:
  - openssh-server
  - mysql-server
  - php5
  - php5-mysql
  - postfix
  - gcc
  - zip
  - git
  - redis-server
  - make
  - python-dev
  - python-pip
  - python-virtualenv
  - python-setuptools
  - libxml2-dev
  - libxslt1-dev
  - zlib1g-dev
  - php5-dev
  - curl
  - gnupg
  #
  - php5-redis
  - python-mysqldb
  - rng-tools
  # misp-modules
  - python3
  - python3-pip
  - libpq5
  - libjpeg-dev
  - acl
  - sudo
  ## pillow? not needed
  # - libtiff4-dev
  # - libjpeg8-dev
  # - zlib1g-dev
  # - libfreetype6-dev
  ## if pyzmq?
  # - libczmq-dev
  - openssl
  - libfuzzy-dev
  - libsm6

python3_bin: python3

mysql_svc: mysql
rng_svc: rng-tools
# Unit name on this release; later releases use "redis".
redis_svc: redis-server
redis_conf: /etc/redis/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere).
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"

misp_services_nginx:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php5-fpm

misp_testing_pkg:
  - ruby2.0
  - rake

misp_webserver_apache2:
  - apache2
  - libapache2-mod-php5
  ## travis: "No package matching 'libapache2-mod-fastcgi' is available"
  # - libapache2-mod-fastcgi

misp_webserver_nginx:
  - nginx
  - php5-fpm

php_confdir: /etc/php5/mods-available
php_confext: ini
php_ini: /etc/php5/apache2/php.ini
php_ini_nginx: /etc/php5/fpm/php.ini
php_confenable: /etc/php5/apache2/conf.d
nginx_sock: /var/run/php5-fpm.sock
fpm_user: www-data

gnupg_privdir: "{{ misp_rootdir }}/.gnupg"

apacheetc: /etc/apache2
ssl_user: ssl-cert
# Newer Ubuntu vars files use /etc/ssl/certs here.
ssl_dir: /etc/ssl
ssl_privatedir: /etc/ssl/private
91 |
--------------------------------------------------------------------------------
/vars/Ubuntu-16.04.yml:
--------------------------------------------------------------------------------
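---

# Distribution-specific settings for Ubuntu 16.04.
# zlib1g-dev was listed twice (once under "pillow"); it is kept once.

misp_pkg_list:
  - openssh-server
  - mysql-server
  - php
  - php-mysql
  - php-mbstring
  - postfix
  - gcc
  - zip
  - git
  - redis-server
  - make
  - python-dev
  - python-pip
  - python-virtualenv
  - python-setuptools
  - libxml2-dev
  - libxslt1-dev
  - zlib1g-dev
  - php-dev
  - curl
  - gnupg
  #
  - php-redis
  - python-mysqldb
  - rng-tools
  # misp-modules
  - python3
  - python3-pip
  - libpq5
  - acl
  - sudo
  ## pillow
  - libtiff5-dev
  - libjpeg8-dev
  - libfreetype6-dev
  ## if pyzmq?
  # - libczmq-dev
  - openssl
  - libfuzzy-dev
  - libsm6
  - libzbar0
  - libpoppler-cpp-dev
  - libxrender1

python3_bin: python3
python3_pip: pip3

mysql_svc: mysql
rng_svc: rng-tools
redis_svc: redis
redis_conf: /etc/redis/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere).
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"

misp_services_nginx:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php7.0-fpm

misp_testing_pkg:
  - ruby2.3
  - rake

misp_webserver_apache2:
  - apache2
  - libapache2-mod-php
  ## travis: "No package matching 'libapache2-mod-fastcgi' is available"
  # - libapache2-mod-fastcgi

misp_webserver_nginx:
  - nginx
  - php-fpm

php_confdir: /etc/php/7.0/mods-available
php_confext: ini
php_ini: /etc/php/7.0/apache2/php.ini
php_ini_nginx: /etc/php/7.0/fpm/php.ini
php_confenable: /etc/php/7.0/apache2/conf.d
nginx_sock: /run/php/php7.0-fpm.sock
fpm_user: www-data

gnupg_privdir: "{{ misp_rootdir }}/.gnupg"

mispmodules_libyarapath: /usr/local/lib/python3.5/dist-packages/usr/lib

apacheetc: /etc/apache2
ssl_user: ssl-cert
ssl_dir: /etc/ssl
ssl_privatedir: /etc/ssl/private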
97 |
--------------------------------------------------------------------------------
/vars/Ubuntu-18.04.yml:
--------------------------------------------------------------------------------
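---

# Distribution-specific settings for Ubuntu 18.04.
# Entries previously listed twice (php-mbstring, php-redis, libzbar0,
# zlib1g-dev) are kept once.

misp_pkg_list:
  - openssh-server
  - mysql-server
  - php
  - php-mysql
  - php-mbstring
  - php7.2-opcache
  - php-readline
  - php-zip
  - php-redis
  - php-gnupg
  - php-intl
  - php-bcmath
  - php-gd
  - postfix
  - gcc
  - zip
  - git
  - redis-server
  - make
  - python-dev
  - python-pip
  - python-virtualenv
  - python-setuptools
  - libxml2-dev
  - libxslt1-dev
  - libgl1-mesa-glx
  - libzbar0
  - zlib1g-dev
  - php-dev
  - curl
  - gnupg
  #
  - python-mysqldb
  - rng-tools
  # misp-modules
  - python3
  - python3-pip
  - python3-mysqldb
  - libpq5
  - acl
  - sudo
  - cron
  ## pillow
  - libtiff5-dev
  - libjpeg8-dev
  - libfreetype6-dev
  ## if pyzmq?
  # - libczmq-dev
  - openssl
  - libfuzzy-dev
  - ruby-pygments.rb
  - libsm6
  - libpoppler-cpp-dev
  - libxrender1

# Ruby gems, pinned to an explicit version.
misp_gem_list:
  - { name: public_suffix, v: 4.0.7 }
  - { name: asciidoctor-pdf, v: 2.3.2 }

python3_bin: python3
python3_pip: pip3

mysql_svc: mysql
rng_svc: rng-tools
redis_svc: redis
redis_conf: /etc/redis/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere).
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"

misp_services_nginx:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php7.2-fpm

misp_testing_pkg:
  - ruby2.5
  - rake

misp_webserver_apache2:
  - apache2
  - libapache2-mod-php
  ## travis: "No package matching 'libapache2-mod-fastcgi' is available"
  # - libapache2-mod-fastcgi

misp_webserver_nginx:
  - nginx
  - php-fpm

php_confdir: /etc/php/7.2/mods-available
php_confext: ini
php_ini: /etc/php/7.2/apache2/php.ini
php_ini_nginx: /etc/php/7.2/fpm/php.ini
php_confenable: /etc/php/7.2/apache2/conf.d
php_bin: /usr/bin/php7.2
nginx_sock: /run/php/php7.2-fpm.sock
fpm_user: www-data

gnupg_privdir: "{{ misp_rootdir }}/.gnupg/private-keys-v1.d"

mispmodules_libyarapath: /usr/local/lib/python3.6/dist-packages/usr/lib

apacheetc: /etc/apache2
ssl_user: ssl-cert
ssl_dir: /etc/ssl/certs
ssl_privatedir: /etc/ssl/private

supervisor_conf: /etc/supervisor/supervisord.conf
supervisor_confdir: /etc/supervisor/conf.d
supervisor_ext: conf
supervisor_service: supervisor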
121 |
--------------------------------------------------------------------------------
/vars/Ubuntu-20.04.yml:
--------------------------------------------------------------------------------
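---

# Distribution-specific settings for Ubuntu 20.04.
# Entries previously listed twice (php-mbstring, php-redis, libzbar0,
# zlib1g-dev) are kept once.

misp_pkg_list:
  - openssh-server
  - mysql-server
  - php
  - php-mysql
  - php-mbstring
  - php7.4-opcache
  - php-readline
  - php-zip
  - php-redis
  - php-gnupg
  - php-intl
  - php-bcmath
  - php-gd
  - php-curl
  - postfix
  - gcc
  - zip
  - git
  - redis-server
  - make
  - python3-dev
  - python3-pip
  - python3-virtualenv
  - python3-setuptools
  - libxml2-dev
  - libxslt1-dev
  - libgl1-mesa-glx
  - libzbar0
  - zlib1g-dev
  - php-dev
  - curl
  - gnupg
  #
  - python3-mysqldb
  - rng-tools
  # misp-modules
  - python3
  - libpq5
  - acl
  - sudo
  - cron
  ## pillow
  - libtiff5-dev
  - libjpeg8-dev
  - libfreetype6-dev
  ## if pyzmq?
  # - libczmq-dev
  - openssl
  - libfuzzy-dev
  - ruby-pygments.rb
  - ruby-dev
  - libsm6
  - libzbar-dev
  - tesseract-ocr
  - libpoppler-cpp-dev
  - imagemagick
  - libxrender1

# Ruby gems, pinned to an explicit version.
misp_gem_list:
  - { name: public_suffix, v: 5.1.1 }
  - { name: css_parser, v: 1.17.1 }
  - { name: asciidoctor-pdf, v: 2.3.2 }

python3_bin: python3
python3_pip: pip3

mysql_svc: mysql
rng_svc: rng-tools
redis_svc: redis
redis_conf: /etc/redis/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere).
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"

misp_services_nginx:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php7.4-fpm

misp_testing_pkg:
  - ruby
  - rake

misp_webserver_apache2:
  - apache2
  - libapache2-mod-php
  ## travis: "No package matching 'libapache2-mod-fastcgi' is available"
  # - libapache2-mod-fastcgi

misp_webserver_nginx:
  - nginx
  - php-fpm

php_confdir: /etc/php/7.4/mods-available
php_confext: ini
php_ini: /etc/php/7.4/apache2/php.ini
php_ini_nginx: /etc/php/7.4/fpm/php.ini
php_confenable: /etc/php/7.4/apache2/conf.d
php_bin: /usr/bin/php7.4
nginx_sock: /run/php/php7.4-fpm.sock
fpm_user: www-data

gnupg_privdir: "{{ misp_rootdir }}/.gnupg/private-keys-v1.d"

# NOTE(review): focal ships python3.8; this python3.6 path looks carried
# over from the 18.04 vars — confirm against an actual install.
mispmodules_libyarapath: /usr/local/lib/python3.6/dist-packages/usr/lib

apacheetc: /etc/apache2
ssl_user: ssl-cert
ssl_dir: /etc/ssl/certs
ssl_privatedir: /etc/ssl/private

supervisor_conf: /etc/supervisor/supervisord.conf
supervisor_confdir: /etc/supervisor/conf.d
supervisor_ext: conf
supervisor_service: supervisor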
125 |
--------------------------------------------------------------------------------
/vars/Ubuntu-22.04.yml:
--------------------------------------------------------------------------------
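---

# Distribution-specific settings for Ubuntu 22.04.
# Entries previously listed twice (php7.4-mbstring, libzbar0, zlib1g-dev)
# are kept once.

misp_pkg_list:
  - openssh-server
  - mysql-server
  # MISP only supports PHP 7 on oct 2022
  # NOTE(review): the 22.04 archive ships PHP 8.1, so these php7.4-* packages
  # presumably come from an additional repository enabled elsewhere in the
  # role — confirm, since that repository becomes part of the trusted
  # supply chain of the install.
  - php7.4
  - php7.4-dev
  - php7.4-dom
  - php7.4-curl
  - php7.4-mysql
  - php7.4-mbstring
  - php7.4-opcache
  - php7.4-readline
  - php7.4-zip
  - php7.4-redis
  - php7.4-gnupg
  - php7.4-intl
  - php7.4-bcmath
  - php7.4-gd
  - php7.4-simplexml
  - php7.4-xml
  - postfix
  - gcc
  - zip
  - git
  - redis-server
  - make
  - python3-dev
  - python3-pip
  - python3-virtualenv
  - python3-setuptools
  - libxml2-dev
  - libxslt1-dev
  - libgl1-mesa-glx
  - libzbar0
  - zlib1g-dev
  - curl
  - gnupg
  #
  - python3-mysqldb
  - rng-tools5
  # misp-modules
  - python3
  - libpq5
  - acl
  - sudo
  - cron
  ## pillow
  - libtiff5-dev
  - libjpeg8-dev
  - libfreetype6-dev
  ## if pyzmq?
  # - libczmq-dev
  - openssl
  - libfuzzy-dev
  - ruby-pygments.rb
  - ruby-rubygems
  - ruby-dev
  - libsm6
  - libzbar-dev
  - tesseract-ocr
  - libpoppler-cpp-dev
  - imagemagick
  - libxrender1
  # for numpy
  - libopenblas-dev
  - libopenblas-base
  - libatlas-base-dev
  - libatlas3-base

# Ruby gems, pinned to an explicit version.
misp_gem_list:
  - { name: asciidoctor-pdf, v: 2.3.2 }

python3_bin: python3
python3_pip: pip3

mysql_svc: mysql
# Unit name provided by rng-tools5.
rng_svc: rngd
redis_svc: redis
redis_conf: /etc/redis/redis.conf
# Services expected to be enabled and running (apache_svc is defined elsewhere).
misp_services:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"

misp_services_nginx:
  - "{{ apache_svc }}"
  - "{{ mysql_svc }}"
  - "{{ rng_svc }}"
  - php7.4-fpm

misp_testing_pkg:
  - ruby
  - rake

misp_webserver_apache2:
  - apache2
  - libapache2-mod-php7.4
  ## travis: "No package matching 'libapache2-mod-fastcgi' is available"
  # - libapache2-mod-fastcgi

misp_webserver_nginx:
  - nginx
  - php-fpm

php_confdir: /etc/php/7.4/mods-available
php_confext: ini
php_ini: /etc/php/7.4/apache2/php.ini
php_ini_nginx: /etc/php/7.4/fpm/php.ini
php_confenable: /etc/php/7.4/apache2/conf.d
php_bin: /usr/bin/php7.4
nginx_sock: /run/php/php7.4-fpm.sock
fpm_user: www-data

gnupg_privdir: "{{ misp_rootdir }}/.gnupg/private-keys-v1.d"

mispmodules_libyarapath: /usr/local/lib/python3.10/dist-packages/usr/lib

apacheetc: /etc/apache2
ssl_user: ssl-cert
ssl_dir: /etc/ssl/certs
ssl_privatedir: /etc/ssl/private

supervisor_conf: /etc/supervisor/supervisord.conf
supervisor_confdir: /etc/supervisor/conf.d
supervisor_ext: conf
supervisor_service: supervisor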
132 |
--------------------------------------------------------------------------------
/vars/Ubuntu-24.04.yml:
--------------------------------------------------------------------------------
1 | ---  # OS-specific variables for Ubuntu 24.04 (noble): package lists, service names and PHP 8.3 paths
2 |
3 | misp_pkg_list:
4 | - openssh-server
5 | - mysql-server
6 | # stale note inherited from Oct 2022 (PHP 7 only); this file installs PHP 8.3
7 | - php8.3
8 | - php8.3-cli
9 | - php8.3-dev
10 | - php8.3-dom
11 | - php8.3-curl
12 | - php8.3-mysql
13 | - php8.3-mbstring
14 | - php8.3-opcache
15 | - php8.3-readline
16 | - php8.3-mbstring  # duplicate of line 13; apt tolerates it, but one entry would do
17 | - php8.3-zip
18 | - php8.3-redis
19 | - php8.3-gnupg
20 | - php8.3-apcu
21 | - php8.3-intl
22 | - php8.3-bcmath
23 | - php8.3-gd
24 | - php8.3-simplexml
25 | - php8.3-xml
26 | - postfix
27 | - gcc
28 | - zip
29 | - git
30 | - redis-server
31 | - make
32 | - python3-dev
33 | - python3-pip
34 | - python3-virtualenv
35 | - python3-setuptools
36 | - libxml2-dev
37 | - libxslt1-dev
38 | - libzbar0
39 | - zlib1g-dev
40 | - curl
41 | - gnupg
42 |
43 | - python3-mysqldb
44 | - rng-tools5
45 | # misp-modules
46 | - python3
47 | - libpq5
48 | - acl
49 | - sudo
50 | - cron
51 | - libgl1
52 | ## build dependencies for pillow
53 | - libtiff5-dev
54 | - libjpeg8-dev
55 | - zlib1g-dev  # duplicate of line 39
56 | - libfreetype6-dev
57 | ## only needed if pyzmq is used? left commented out
58 | # - libczmq-dev
59 | - openssl
60 | - supervisor
61 | - libfuzzy-dev
62 | - ruby-pygments.rb
63 | - ruby-rubygems
64 | - ruby-dev
65 | - libsm6
66 | - libzbar0  # duplicate of line 38
67 | - libzbar-dev
68 | - tesseract-ocr
69 | - libpoppler-cpp-dev
70 | - imagemagick
71 | - libxrender1
72 | # for numpy
73 | - libopenblas-dev
74 | - libatlas-base-dev
75 | - libatlas3-base
76 | # attachment scanning (ClamAV)
77 | - clamav-daemon
78 |
79 | misp_gem_list:
80 | - { name: asciidoctor-pdf, v: 2.3.2 }  # gem pinned to an exact version
81 |
82 | python3_bin: python3
83 | python3_pip: pip3
84 |
85 | mysql_svc: mysql
86 | rng_svc: rngd
87 | redis_svc: redis
88 | redis_conf: /etc/redis/redis.conf
89 | misp_services:  # services managed when apache2 is the webserver; apache_svc comes from the apache2-*/nginx-* vars file
90 | - "{{ apache_svc }}"
91 | - "{{ mysql_svc }}"
92 | - "{{ rng_svc }}"
93 |
94 | misp_services_nginx:  # same list plus php-fpm; selected by nginx-Ubuntu.yml
95 | - "{{ apache_svc }}"
96 | - "{{ mysql_svc }}"
97 | - "{{ rng_svc }}"
98 | - php8.3-fpm
99 |
100 | misp_testing_pkg:
101 | - ruby
102 | - rake
103 |
104 | misp_webserver_apache2:
105 | - apache2
106 | - libapache2-mod-php8.3
107 | ## travis: "No package matching 'libapache2-mod-fastcgi' is available"
108 | # - libapache2-mod-fastcgi
109 |
110 | misp_webserver_nginx:
111 | - nginx
112 | - php-fpm
113 |
114 | php_confdir: /etc/php/8.3/mods-available
115 | php_confext: ini
116 | php_ini: /etc/php/8.3/apache2/php.ini
117 | php_ini_nginx: /etc/php/8.3/fpm/php.ini  # used by nginx-Ubuntu.yml to override php_ini
118 | php_confenable: /etc/php/8.3/apache2/conf.d
119 | php_bin: /usr/bin/php8.3
120 | nginx_sock: /run/php/php8.3-fpm.sock
121 | fpm_user: www-data
122 |
123 | gnupg_privdir: "{{ misp_rootdir }}/.gnupg/private-keys-v1.d"  # private keyring location; should stay readable by the web user only
124 |
125 | mispmodules_libyarapath: /usr/local/lib/python3.10/dist-packages/usr/lib  # NOTE(review): same path as Ubuntu-22.04.yml, but noble ships python3.12 — confirm on a target host
126 |
127 | apacheetc: /etc/apache2
128 | ssl_user: ssl-cert
129 | ssl_dir: /etc/ssl/certs
130 | ssl_privatedir: /etc/ssl/private
131 |
132 | supervisor_conf: /etc/supervisor/supervisord.conf
133 | supervisor_confdir: /etc/supervisor/conf.d
134 | supervisor_ext: conf
135 | supervisor_service: supervisor
136 |
--------------------------------------------------------------------------------
/vars/apache2-CentOS.yml:
--------------------------------------------------------------------------------
1 | ---  # apache2 (httpd) settings for CentOS: apache user, /etc/httpd layout, mod_security paths
2 |
3 | www_user: apache
4 | apache_svc: httpd
5 | apache_confdir: /etc/httpd/conf.d
6 | apache_sitedir: /etc/httpd/conf.d
7 | apachesslconf: /etc/apache2/sites-enabled/default-ssl.conf  # NOTE(review): Debian-style path on an httpd host; every other path here is under /etc/httpd — confirm this variable is not used on RHEL-family targets
8 | apache_logs: /var/log/httpd
9 | modsecurity_conf: /etc/httpd/conf.d/mod_security.conf
10 | modsecurity_active: /etc/httpd/modsecurity.d/activated_rules
11 | php_ini: /etc/php.ini
12 |
13 | webserver: "{{ misp_webserver_apache2 }}"  # package list defined in the OS vars file
14 |
15 | misp_services:  # apache_svc resolves to httpd here; mysql_svc and rng_svc come from the OS vars file
16 | - "{{ apache_svc }}"
17 | - "{{ mysql_svc }}"
18 | - "{{ rng_svc }}"
19 |
--------------------------------------------------------------------------------
/vars/apache2-Debian.yml:
--------------------------------------------------------------------------------
1 | ---  # apache2 settings for Debian: www-data user, /etc/apache2 conf-available/sites-available layout
2 |
3 | www_user: www-data
4 | apache_svc: apache2
5 | apache_confdir: /etc/apache2/conf-available
6 | apache_sitedir: /etc/apache2/sites-available
7 | apachesslconf: /etc/apache2/sites-enabled/default-ssl.conf
8 | apache_logs: /var/log/apache2
9 | modsecurity_conf: /etc/modsecurity/modsecurity.conf
10 | modsecurity_active: /usr/share/modsecurity-crs/activated_rules  # CRS rules directory; which rules get activated is decided by the tasks, not here
11 |
12 | webserver: "{{ misp_webserver_apache2 }}"  # package list defined in the OS vars file; misp_services is left to the OS vars default
13 |
--------------------------------------------------------------------------------
/vars/apache2-RedHat.yml:
--------------------------------------------------------------------------------
1 | ---  # apache2 (httpd) settings for RedHat: identical to apache2-CentOS.yml and apache2-Rocky.yml
2 |
3 | www_user: apache
4 | apache_svc: httpd
5 | apache_confdir: /etc/httpd/conf.d
6 | apache_sitedir: /etc/httpd/conf.d
7 | apachesslconf: /etc/apache2/sites-enabled/default-ssl.conf  # NOTE(review): Debian-style path on an httpd host; every other path here is under /etc/httpd — confirm this variable is not used on RHEL-family targets
8 | apache_logs: /var/log/httpd
9 | modsecurity_conf: /etc/httpd/conf.d/mod_security.conf
10 | modsecurity_active: /etc/httpd/modsecurity.d/activated_rules
11 | php_ini: /etc/php.ini
12 |
13 | webserver: "{{ misp_webserver_apache2 }}"  # package list defined in the OS vars file
14 |
15 | misp_services:  # apache_svc resolves to httpd here; mysql_svc and rng_svc come from the OS vars file
16 | - "{{ apache_svc }}"
17 | - "{{ mysql_svc }}"
18 | - "{{ rng_svc }}"
19 |
--------------------------------------------------------------------------------
/vars/apache2-Rocky.yml:
--------------------------------------------------------------------------------
1 | ---  # apache2 (httpd) settings for Rocky: identical to apache2-CentOS.yml and apache2-RedHat.yml
2 |
3 | www_user: apache
4 | apache_svc: httpd
5 | apache_confdir: /etc/httpd/conf.d
6 | apache_sitedir: /etc/httpd/conf.d
7 | apachesslconf: /etc/apache2/sites-enabled/default-ssl.conf  # NOTE(review): Debian-style path on an httpd host; every other path here is under /etc/httpd — confirm this variable is not used on RHEL-family targets
8 | apache_logs: /var/log/httpd
9 | modsecurity_conf: /etc/httpd/conf.d/mod_security.conf
10 | modsecurity_active: /etc/httpd/modsecurity.d/activated_rules
11 | php_ini: /etc/php.ini
12 |
13 | webserver: "{{ misp_webserver_apache2 }}"  # package list defined in the OS vars file
14 |
15 | misp_services:  # apache_svc resolves to httpd here; mysql_svc and rng_svc come from the OS vars file
16 | - "{{ apache_svc }}"
17 | - "{{ mysql_svc }}"
18 | - "{{ rng_svc }}"
19 |
--------------------------------------------------------------------------------
/vars/apache2-Ubuntu.yml:
--------------------------------------------------------------------------------
1 | ---  # apache2 settings for Ubuntu: identical to apache2-Debian.yml
2 |
3 | www_user: www-data
4 | apache_svc: apache2
5 | apache_confdir: /etc/apache2/conf-available
6 | apache_sitedir: /etc/apache2/sites-available
7 | apachesslconf: /etc/apache2/sites-enabled/default-ssl.conf
8 | apache_logs: /var/log/apache2
9 | modsecurity_conf: /etc/modsecurity/modsecurity.conf
10 | modsecurity_active: /usr/share/modsecurity-crs/activated_rules  # CRS rules directory; which rules get activated is decided by the tasks, not here
11 |
12 | webserver: "{{ misp_webserver_apache2 }}"  # package list defined in the OS vars file; misp_services is left to the OS vars default
13 |
--------------------------------------------------------------------------------
/vars/misp24.yml:
--------------------------------------------------------------------------------
1 | ---  # MISP 2.4 specific paths and PHP hardening patches
2 |
3 | misp_php_harden_patches:  # s: patch file shipped in this role's files/ directory; b: directory under the MISP checkout it targets (presumably where the patch is applied)
4 | - { s: patch-cakephp-snuffleupagus-strict, b: "{{ misp_rootdir }}/app/Lib" }
5 | - { s: patch-app-Lib-cakephp-lib-Cake-Model-Datasource-Database, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource/Database" }
6 | - { s: patch-app-Lib-Cackephp-lib-Cake-Core-Configure_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Core" }
7 | - { s: patch-app-Lib-Cackephp-lib-Cake-Network-CakeRequest_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Network" }
8 | - { s: patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-Database-Mysql_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource/Database" }
9 | - { s: patch-app-Lib-Cackephp-lib-Cake-Model-Datasource-DboSource_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource" }
10 | - { s: patch-app-Lib-Cackephp-lib-cakephp-lib-Cake-Model-Datasource-CakeSession_php, b: "{{ misp_rootdir }}/app/Lib/cakephp/lib/Cake/Model/Datasource" }
11 | misp_curl_tests: "{{ misp_rootdir }}/tests/curl_tests_GH.sh"
12 |
13 | misp_config_src: "{{ misp_rootdir }}/INSTALL/setup/config.php"  # 2.4 layout; misp25.yml points at app/Config instead
14 | misp_config_dest: "{{ misp_rootdir }}/app/Plugin/CakeResque/Config/config.php"
15 |
--------------------------------------------------------------------------------
/vars/misp25.yml:
--------------------------------------------------------------------------------
1 | ---  # MISP 2.5 specific paths; no misp_php_harden_patches list here, unlike misp24.yml
2 |
3 | misp_curl_tests: "{{ misp_rootdir }}/tests/curl_tests_GH.sh"
4 |
5 | misp_config_src: "{{ misp_rootdir }}/app/Config/config.default.php"  # 2.5 ships the template under app/Config
6 | misp_config_dest: "{{ misp_rootdir }}/app/Config/config.php"
7 |
--------------------------------------------------------------------------------
/vars/nginx-CentOS.yml:
--------------------------------------------------------------------------------
1 | ---  # nginx settings for CentOS
2 |
3 | webserver: "{{ misp_webserver_nginx }}"  # package list defined in the OS vars file
4 |
5 | www_user: nginx
6 | apache_svc: nginx  # service name is still carried in apache_svc so the shared misp_services list resolves to nginx
7 |
8 | apache_sitedir: /etc/nginx/conf.d
9 | php_ini: /etc/php.ini
10 | fpm_user: nginx
11 |  # NOTE(review): unlike nginx-Ubuntu.yml, misp_services is not overridden here, so php-fpm is not in the managed service list — confirm intended
--------------------------------------------------------------------------------
/vars/nginx-RedHat.yml:
--------------------------------------------------------------------------------
1 | ---  # nginx settings for RedHat: same values as nginx-CentOS.yml
2 |
3 | webserver: "{{ misp_webserver_nginx }}"  # package list defined in the OS vars file
4 |
5 | apache_svc: nginx  # service name is still carried in apache_svc so the shared misp_services list resolves to nginx
6 | www_user: nginx
7 |
8 | apache_sitedir: /etc/nginx/conf.d
9 | php_ini: /etc/php.ini
10 | fpm_user: nginx
11 |  # NOTE(review): unlike nginx-Ubuntu.yml, misp_services is not overridden here, so php-fpm is not in the managed service list — confirm intended
--------------------------------------------------------------------------------
/vars/nginx-Ubuntu.yml:
--------------------------------------------------------------------------------
1 | ---  # nginx settings for Ubuntu
2 |
3 | webserver: "{{ misp_webserver_nginx }}"  # package list defined in the OS vars file
4 | apache_svc: nginx  # service name is still carried in apache_svc so the shared service lists resolve to nginx
5 | www_user: www-data
6 |
7 | apache_sitedir: /etc/nginx/sites-available
8 |
9 | misp_services: "{{ misp_services_nginx }}"  # adds the php-fpm service to the managed list (defined in the OS vars file)
10 |
11 | php_ini: "{{ php_ini_nginx }}"  # fpm php.ini path from the OS vars file
12 |
--------------------------------------------------------------------------------