MISP(Malware Information Sharing Platform)是一个开源的、免费的威胁情报平台,用于收集、共享和分析关于恶意软件和网络威胁的信息。MISP旨在促进威胁情报和安全事件信息的共享,帮助组织和安全从业人员更好地理解和应对不断演变的网络威胁。
MISP官网:https://www.misp-project.org/
GIthub:https://github.com/MISP/MISP
官方文档:https://misp.github.io/MISP/
之前发布过MISP威胁情报平台的简单试用(通过虚拟机安装)。在正式生产环境中可能会遇到需要打包成容器进行部署的情况。下面分享一下将MISP进行容器化的步骤。
MISP官方有提供docker容器镜像和Dockerfile,有能力的读者可通过链接直接获取:https://www.misp-project.org/download/
如果你也像我一样,访问互联网速度慢,那推荐你以下面的方式将MISP容器化。
一、获取MISP的安装脚本INSTALL.sh
从Github上MISP的最新分支下载安装脚本。链接如下:
https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh二、编辑安装脚本以兼容docker环境
在我尝试编译MISP镜像时,遇到了容器不存在"/dev/tty"导致安装失败的情况,因此我将INSTALL.sh中所有涉及/dev/tty的代码行都进行了替换(如果大佬有更好的方法请留言)。
另外由于我们修改了安装脚本,需要关掉脚本的hash校验,否则会安装失败。
root@desync:/home/misp# diff -u INSTALL.sh INSTALL.sh_new--- INSTALL.sh 2024-01-27 20:15:29.225828099 +0800+++ INSTALL.sh_new 2024-01-27 20:23:25.609950331 +0800@@ -199,7 +199,6 @@SCRIPT_NAME=$0fi- exec &> /dev/ttyspaceecho -e "Please specify what type of ${LBLUE}MISP${NC} setup you want to install."space@@ -819,7 +818,7 @@# Disables sleepdisableSleep () {- debug "Disabling sleep etc if run from a Laptop as the install might take some time…" > /dev/tty+ debug "Disabling sleep etc if run from a Laptop as the install might take some time…"gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-timeout 0 2> /dev/nullgsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-timeout 0 2> /dev/nullgsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-type nothing 2> /dev/null@@ -846,7 +845,7 @@fiwhile [ "$DONE" != "0" ]; dosudo apt-get check 2> /dev/null > /dev/null && DONE=0- echo -e "${LBLUE}apt${NC} is maybe ${RED}locked${NC}, waiting ${RED}$SLEEP${NC} seconds." > /dev/tty+ echo -e "${LBLUE}apt${NC} is maybe ${RED}locked${NC}, waiting ${RED}$SLEEP${NC} seconds."sleep $SLEEPSLEEP=$[$SLEEP+3]done@@ -3003,10 +3002,10 @@# Make sure no alias exists[[ $(type -t debug) == "alias" ]] && unalias debugdebug () {- echo -e "${RED}Next step:${NC} ${GREEN}$1${NC}" > /dev/tty+ echo -e "${RED}Next step:${NC} ${GREEN}$1${NC}"if [[ ! -z ${DEBUG} ]]; thenNO_PROGRESS=1- echo -e "${RED}Debug Mode${NC}, press ${LBLUE}enter${NC} to continue..." > /dev/tty+ echo -e "${RED}Debug Mode${NC}, press ${LBLUE}enter${NC} to continue..."exec 3>&1readelse@@ -3553,7 +3552,7 @@debug "Checking Linux distribution and flavour..."checkFlavourdebug "Checking if we are uptodate and checksums match"-checkInstaller+#checkInstallerspacedebug "Setting MISP variables"
三、编译基础镜像
准备好安装脚本后,我们开始编译基础镜像,创建Dockerfile并build镜像命名为"myMISP:base"
对Base.Dockerfile中关键部分进行解释:
ENV 设置环境变量非交互环境,在安装tzdata时,如果不设置该变量,则会等待用户输入时区,继而整个编译过程卡死。
RUN useradd 安装脚本需要非root权限用户
RUN sed 将ubuntu原始apt源替换成阿里云源
#Base.DockerfileFROM ubuntu:22.04ENV DEBIAN_FRONTEND noninteractiveRUN install -d -m 0755 /srv/mispCOPY INSTALL.sh /tmp/RUN useradd mispRUN sed -i s@/archive.ubuntu.com/@/mirrors.aliyun.com/@g /etc/apt/sources.listRUN sed -i s@/security.ubuntu.com/@/mirrors.aliyun.com/@g /etc/apt/sources.listRUN apt update && apt install -y wget curl net-tools lsb-release sudo tzdataRUN adduser misp sudoRUN echo "misp ALL=(ALL) NOPASSWD: NOPASSWD: ALL" >> /etc/sudoersUSER mispRUN bash /tmp/INSTALL.sh -AWORKDIR /var/www/MISP/appRUN sudo php composer.phar install --no-dev
build镜像:
docker build -t myMISP:base -f ./Base.Dockerfile .四、编译业务镜像
有了基础镜像之后,我们需要写入entrypoint.sh以在容器运行时启动redis服务和apache服务(misp还依赖MySQL服务,但这里使用了外部数据库,因此容器内部不需要启动数据库)
#entrypoint.shln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime/etc/init.d/apache2 start/etc/init.d/redis-server startexec tail -f /dev/null
默认MISP只允许HTTPS访问,所以在使用HTTP的环境中,还需要修改apache的配置文件。
#misp-ssl.conf<VirtualHost *:80>ServerAdmin [email protected]ServerName misp.localDocumentRoot /var/www/MISP/app/webroot<Directory /var/www/MISP/app/webroot>Options -IndexesAllowOverride allRequire all granted</Directory>LogLevel warnErrorLog /var/log/apache2/misp.local_p80_error.logCustomLog /var/log/apache2/misp.local_p80_access.log combinedHeader always unset "X-Powered-By"ServerSignature Off</VirtualHost><!--后面的文件内容未进行修改-->
启用Scheduler,否则在MISP启动后Scheduler任务会启动失败
#config.php......省略......'Scheduler' => array(// Enable or disable delayed job'enabled' => true,......省略......
如果使用外部数据库,需要修改数据库配置
#database.phpclass DATABASE_CONFIG {public $default = array('datasource' => 'Database/Mysql',//'datasource' => 'Database/Postgres','persistent' => false,'host' => '10.1.2.3','login' => 'misp_user','port' => 6865, // MySQL & MariaDB//'port' => 5432, // PostgreSQL'password' => 'misp_password','database' => 'misp','prefix' => '','encoding' => 'utf8',);}
最后编写业务Dockerfile文件并build镜像
#App.Dockerfile:baseUSER rootCOPY entrypoint.sh /srv/misp/COPY database.php /var/www/MISP/app/Config/COPY misp-ssl.conf /etc/apache2/sites-available/COPY config.php /var/www/MISP/app/Plugin/CakeResque/Config/RUN chown www-data:www-data -R /var/www/MISP/appENTRYPOINT ["/srv/misp/entrypoint.sh"]
docker build -t myMISP:app -f ./Base.Dockerfile .编译完成后部署镜像到线上环境即可
原文始发于微信公众号(Desync InfoSec):MISP-容器化部署
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论