Air gap

AIR-GAP.md

@@ -0,0 +1,65 @@
+# How to use MISP in air-gap environment
+
+MISP by default does not require access to the Internet. So it is possible to use MISP in an air-gapped environment or
+an environment with blocked outgoing connections. Easies way how to do that is to export container images to compressed tar
+and transfer them to an air-gapped system.
+
+Both machines can be any system that is supported by Docker, so Windows, macOS, or Linux are supported.
+
+## Installation
+
+### On machine connected to the internet
+
+* [Install Docker](https://docs.docker.com/get-docker/)
+* Create a new working directory like `misp`
+* Download [docker-compose.yml](docker-compose.yml) file to the working directory:
+
+  `curl --proto '=https' --tlsv1.2 -O https://raw.githubusercontent.com/NUKIB/misp/main/docker-compose.yml`
+
+* In a working directory, pull all images defined in `docker-compose.yml`:
+
+  `docker compose pull`
+
+* Export all images to files:
+    * `docker save -o mariadb.tar mariadb:10.7`
+    * `docker save -o redis.tar redis:6.2`
+    * `docker save -o misp-modules.tar ghcr.io/nukib/misp-modules:latest`
+    * `docker save -o misp.tar ghcr.io/nukib/misp:latest`
+
+* Transfer whole directory (tar files and `docker-compose.yml` file) to air gapped system
+
+### On a machine without internet connection
+
+* [Install Docker](https://docs.docker.com/get-docker/)
+* In a working directory transferred from previous machine, import images
+    * `docker load -i mariadb.tar`
+    * `docker load -i redis.tar`
+    * `docker load -i misp-modules.tar`
+    * `docker load -i misp.tar`
+* Start all containers:
+
+  `docker compose up -d`
+* MISP should be ready and accessible from `http://localhost:8080`.
+
+## Updating
+
+### On machine connected to the internet
+
+* In a working directory, pull new images defined in `docker-compose.yml`:
+
+  `docker compose pull`
+
+* Export new images to files:
+    * `docker save -o misp-modules.tar ghcr.io/nukib/misp-modules:latest`
+    * `docker save -o misp.tar ghcr.io/nukib/misp:latest`
+* Transfer these files to air gapped system
+
+### On a machine without internet connection
+
+* In a working directory transferred from the previous machine, import images
+    * `docker load -i misp-modules.tar`
+    * `docker load -i misp.tar`
+* Recreate changed containers:
+
+  `docker compose up -d`
+* New MISP should be ready and accessible from `http://localhost:8080`.

Config/config.php

@@ -134,6 +134,7 @@
   array (
     'force_https' => {{ 'true' if MISP_BASEURL.startswith('https://') else 'false' }},
     'csp_enforce' => true,
+    'require_password_confirmation' => true,
     'syslog' => true,
     'syslog_to_stderr' => false,
     'syslog_ident' => 'misp-audit',

Dockerfile

@@ -24,7 +24,7 @@ RUN dnf install -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False pyth
 FROM builder as php-build
 COPY bin/misp_compile_php_extensions.sh /build/
 RUN --mount=type=tmpfs,target=/tmp dnf module enable -y php:7.4 && \
-    dnf install -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False php-devel php-mbstring php-json php-xml brotli-devel diffutils && \
+    dnf install -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False php-devel php-mbstring php-json php-xml brotli-devel diffutils file libzstd-devel && \
     chmod u+x /build/misp_compile_php_extensions.sh && \
     /build/misp_compile_php_extensions.sh && \
     dnf history undo -y 0

README.md

@@ -47,8 +47,7 @@ For production usage, please:
 
 ### Usage in air-gapped environment
 
-MISP by default does not require access to Internet. So it is possible to use MISP in air-gapped environment or an environment with blocked outgoing connections. Easies way how to
-do that is export container images to compressed tar and transfer them to air-gapped system.
+MISP by default does not require access to Internet. So it is possible to use MISP in air-gapped environment or an environment with blocked outgoing connections. Check [AIR-GAP.md](AIR-GAP.md) for more information.
 
 ### Image building
 

bin/misp_compile_php_extensions.sh

@@ -23,12 +23,24 @@ make -j2
 make install # `make install` is necessary, so redis extension can be compiled with `--enable-redis-igbinary`
 mv modules/*.so /build/php-modules/
 
+# Compile zstd library and zstd extension
+mkdir /tmp/zstd
+cd /tmp/zstd
+download_and_check https://github.com/kjdev/php-ext-zstd/archive/bf7931996aac9d14ba550783c12070442445d6f2.tar.gz 64d8000c6580ea97d675fc43db6a2a1229e9ad06185c24c60fd4b07e73852fce
+cd zstd
+download_and_check https://github.com/facebook/zstd/archive/refs/tags/v1.5.1.tar.gz dc05773342b28f11658604381afd22cb0a13e8ba17ff2bd7516df377060c18dd
+cd ..
+phpize
+./configure --silent
+make --silent -j2
+mv modules/*.so /build/php-modules/
+
 # Compile redis
 mkdir /tmp/redis
 cd /tmp/redis
 download_and_check https://github.com/phpredis/phpredis/archive/refs/tags/5.3.5.tar.gz 88d8c7e93bfd9576fb5a51e28e8f9cc62e3515af5a3bca5486a76e70657213f2
 phpize
-./configure --silent --enable-redis-igbinary
+./configure --silent --enable-redis-igbinary --enable-redis-zstd
 make -j2
 mv modules/*.so /build/php-modules/
 
@@ -59,3 +71,6 @@ phpize
 ./configure --silent --enable-snuffleupagus
 make -j2
 mv modules/*.so /build/php-modules/
+
+# Remove debug from binaries
+strip /build/php-modules/*.so

bin/misp_install.sh

@@ -7,6 +7,7 @@ set -o xtrace
 
 # PHP custom build extensions configuration
 echo 'extension = brotli.so' > /etc/php.d/40-brotli.ini
+echo 'extension = zstd.so' > /etc/php.d/40-zstd.ini
 echo 'extension = igbinary.so' > /etc/php.d/40-igbinary.ini
 echo 'extension = ssdeep.so' > /etc/php.d/40-ssdeep.ini
 echo "extension = redis.so