New config variables

Dockerfile

@@ -1,12 +1,13 @@
 # Base image
 ARG BASE_IMAGE=quay.io/centos/centos:stream8
 FROM $BASE_IMAGE as base
+# RHEL ubi image doesn't contain epel-release package
+COPY epel/epel.repo /etc/yum.repos.d/
+COPY epel/RPM-GPG-KEY-EPEL-8 /etc/pki/rpm-gpg/
 
 # Some packages requires building, so use different stage for that
 FROM base as builder
-RUN dnf module enable -y php:7.4 && \
-    dnf install -y epel-release && \
-    dnf install -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False gcc ssdeep-devel unzip make rpmdevtools yum-utils && \
+RUN dnf install -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False gcc ssdeep-devel unzip make && \
     useradd --create-home --system --user-group build
 # Build su-exec
 COPY su-exec.c /tmp/
@@ -22,30 +23,25 @@ RUN dnf install -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False pyth
 # Build PHP extensions
 FROM builder as php-build
 COPY bin/misp_compile_php_extensions.sh /tmp/
-RUN dnf install -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False php-devel php-mbstring php-json php-xml brotli-devel && \
+RUN dnf module enable -y php:7.4 && \
+    dnf install -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False php-devel php-mbstring php-json php-xml brotli-devel && \
     chmod u+x /tmp/misp_compile_php_extensions.sh && \
     /tmp/misp_compile_php_extensions.sh && \
     dnf history undo -y 0
 
 # Build jobber, that is not released for arm64 arch
 FROM builder as jobber-build
-RUN mkdir /tmp/jobber && \
-    cd /tmp/jobber && \
-    curl --proto '=https' --tlsv1.3 -sSL https://github.com/dshearer/jobber/archive/refs/tags/v1.4.4.tar.gz | tar zx --strip-components=1 && \
-    dnf builddep -y packaging/rpm/*.spec && \
-    make -C packaging/rpm pkg-local "DESTDIR=/tmp/" && \
-    dnf history undo -y 0 && \
-    cd /tmp && \
-    rm -rf /tmp/jobber
+COPY bin/misp_compile_jobber.sh /tmp/
+RUN chmod u+x /tmp/misp_compile_jobber.sh && \
+    /tmp/misp_compile_jobber.sh
 
 # MISP image
 FROM base as misp
 
 # Install required system and Python packages
 COPY packages /tmp/packages
 COPY requirements.txt /tmp/
-RUN dnf install -y --setopt=tsflags=nodocs epel-release && \
-    dnf module -y enable mod_auth_openidc php:7.4 python39 && \
+RUN dnf module -y enable mod_auth_openidc php:7.4 python39 && \
     dnf install --setopt=tsflags=nodocs --setopt=install_weak_deps=False -y $(grep -vE "^\s*#" /tmp/packages | tr "\n" " ") && \
     alternatives --set python3 /usr/bin/python3.9 && \
     pip3 --no-cache-dir install --disable-pip-version-check -r /tmp/requirements.txt && \

README.md

@@ -5,25 +5,38 @@
 This image contains the latest version of MISP and the required dependencies. Image is intended as immutable, which means that it is not possible
 to update MISP from the user interface and instead, an admin should download a newer image.
 
+## Why to use this image?
+
+* ✅ Image is based on CentOS 8 Stream, so perfectly fits your infrastructure if you use CentOS or RHEL as a host system
+* ✅ Modern MISP features are enabled by default (like advanced audit log or storing setting in the database)
+* ✅ Integrated support for OpenID Connect (OIDC) authentication
+* ✅ PHP is by default protected by Snuffleupagus extensions with [rules](snuffleupagus-misp.rules) tailored to MISP
+* ✅ Optional extensions and configurations that will make MISP faster are enabled
+* ✅ Integrated support for logging exceptions to Sentry and forwarding logs to syslog server
+* ✅ Final image is automatically tested, so every release should work as expected
+
 ## Usage
 
+First, you have to install Docker. Follow [these manuals](https://docs.docker.com/engine/install/) how to install Docker on your machine. Windows, macOS, or Linux are supported.
+
 ### Usage for testing
 
-Docker Compose file contains MISP itself, [MISP Modules](https://github.com/NUKIB/misp-modules), MariaDB and Redis, so everything you need to run MISP. Just run:
+Docker Compose file defines MISP itself, [MISP Modules](https://github.com/NUKIB/misp-modules), MariaDB and Redis, so everything you need to run MISP. Just run:
 
     curl --proto '=https' --tlsv1.2 -O https://raw.githubusercontent.com/NUKIB/misp/main/docker-compose.yml
     docker compose up -d
 
-Then you can access MISP in your browser by accessing `localhost:8080`. Default user after installation is `admin@admin.test` with password `admin`.
+Then you can access MISP in your browser by accessing `http://localhost:8080`. Default user after installation is `admin@admin.test` with password `admin`.
 
 ### Updating
 
-When new MISP is released, also new container image is created. For updating MISP and MISP Modules, just download new images and recreate them:
+When a new MISP is released, also new container image is created. For updating MISP and MISP Modules, just run these commands in the folder that contains `docker-compose.yml` file.
+These commands will download the latest images and recreate containers:
 
     docker compose pull
     docker compose up -d
 
-### Usage in production environment
+### Usage in a production environment
 
 For production usage, please:
 * change passwords for MariaDB and Redis,
@@ -33,16 +46,16 @@ For production usage, please:
 
 ### Usage in air-gapped environment
 
-MISP by default do not require access to Internet. So it is possible to use MISP in air-gapped environment or with blocked outgoing connections. Easies way how to
+MISP by default does not require access to Internet. So it is possible to use MISP in air-gapped environment or with blocked outgoing connections. Easies way how to
 do that is export container images to compressed tar and transfer them to air-gapped system.
 
 ### Image building
 
-If you don't trust image build by GitHub Actions and stored in GitHub Container Registry or you want to build different MISP version, you can build this image by yourself:
+If you don't trust image built by GitHub Actions and stored in GitHub Container Registry or you want to build a different MISP version, you can build this image by yourself:
 
     docker build --build-arg MISP_VERSION=v2.4.152 -t ghcr.io/nukib/misp https://github.com/NUKIB/misp.git#main
 
-If you don't like CentOS Stream, you can use as base image different distribution that is compatible with CentOS, like [AlmaLinux](https://hub.docker.com/_/almalinux) or [Rocky Linux](https://hub.docker.com/r/rockylinux/rockylinux):
+If you don't like CentOS Stream, you can use as a base image different distribution that is compatible with CentOS, like [AlmaLinux](https://hub.docker.com/_/almalinux) or [Rocky Linux](https://hub.docker.com/r/rockylinux/rockylinux):
 
     docker build --build-arg BASE_IMAGE=almalinux -t ghcr.io/nukib/misp https://github.com/NUKIB/misp.git#main
 
@@ -59,7 +72,7 @@ Default tasks:
 
 ## Environment variables
 
-By changing or defining these container environment variables, you can change container behaviour.
+By changing or defining these container environment variables, you can change container behavior.
 
 ### Database connection
 
@@ -98,9 +111,9 @@ By default, MISP requires Redis. MISP will connect to Redis defined in `REDIS_HO
 * `GNUPG_PRIVATE_KEY_PASSWORD` (optional, string) - password for PGP key that is used to sign e-mails send by MISP
 * `GNUPG_BODY_ONLY_ENCRYPTED` (optional, boolean, default `false`)
 
-If you want to generate new PGP keys for e-mail singing, you can do it by running this command in container:
+If you want to generate new PGP keys for e-mail signing, you can do it by running this command inside the container:
 
-`gpg --homedir /var/www/MISP/.gnupg --full-generate-key --pinentry-mode=loopback --passphrase "password"`
+    gpg --homedir /var/www/MISP/.gnupg --full-generate-key --pinentry-mode=loopback --passphrase "password"
 
 ### Application
 
@@ -145,7 +158,7 @@ If a request to MISP is made with  `Authorization` header, that contains an auth
 
 #### Inner
 
-You can use a different provider for authentication in MISP. If you don't provide these variables, they will be to set to same as for Apache.
+You can use a different provider for authentication in MISP. If you don't provide these variables, they will be set to the same as for Apache.
 
 * `OIDC_PROVIDER_INNER` (optional, string) - URL for OIDC provider in MISP
 * `OIDC_CLIENT_ID_INNER` (optional, string)
@@ -166,10 +179,14 @@ You can use a different provider for authentication in MISP. If you don't provid
 
 ### PHP config
 
-* `PHP_XDEBUG_ENABLED` (optional, boolean, default `false`) - enable Xdebug PHP extension for debugging purposes (do not enable on production environment)
-* `PHP_XDEBUG_PROFILER_TRIGGER` (optional, string) - secret value for `XDEBUG_PROFILE` GET/POST variable
 * `PHP_SESSIONS_IN_REDIS` (optional, boolean, default `true`) - when enabled, sessions information are stored in Redis. That provides better performance and sessions survives container restart
-* `PHP_SNUFFLEUPAGUS` (optional, boolean, default `true`) - enable PHP hardening by using [Snuffleupagus](https://snuffleupagus.readthedocs.io) PHP extension.
+* `PHP_SNUFFLEUPAGUS` (optional, boolean, default `true`) - enable PHP hardening by using [Snuffleupagus](https://snuffleupagus.readthedocs.io) PHP extension
+* `PHP_TIMEZONE` (optional, string, default `UTC`) - sets [date.timezone](https://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone)
+* `PHP_MEMORY_LIMIT` (optional, string, default `2048M`) - sets [memory_limit](https://www.php.net/manual/en/ini.core.php#ini.memory-limit)
+* `PHP_MAX_EXECUTION_TIME` (optional, int, default `300`) - sets [max_execution_time](https://www.php.net/manual/en/info.configuration.php#ini.max-execution-time) (in seconds)
+* `PHP_UPLOAD_MAX_FILESIZE` (optional, string, default `50M`) - sets [upload_max_filesize](https://www.php.net/manual/en/ini.core.php#ini.upload-max-filesize) and [post_max_size](https://www.php.net/manual/en/ini.core.php#ini.post-max-size)
+* `PHP_XDEBUG_ENABLED` (optional, boolean, default `false`) - enable [Xdebug](https://xdebug.org) PHP extension for debugging purposes (do not enable on production environment)
+* `PHP_XDEBUG_PROFILER_TRIGGER` (optional, string) - secret value for `XDEBUG_PROFILE` GET/POST variable
 
 ### Syslog
 
@@ -179,19 +196,14 @@ If enabled, all logs from the container are forwarded to a defined syslog server
 * `SYSLOG_PORT` (optional, integer, default `601`)
 * `SYSLOG_PROTOCOL` (optional, string, default `tcp`)
 
-## Default timeouts
-
-* PHP timeout: 300 seconds (defined in `/etc/php.ini`)
-* Apache timeout: 310 seconds (defined in `/etc/httpd/conf.d/misp.conf`)
-
 ## Log locations
 
 * `/var/log/messages` - all logs captured by rsyslog (see `rsyslog.conf` for definition)
 * `/var/log/httpd/` - Apache logs
 * `/var/log/php-fpm/` - PHP-FPM logs
 * `/var/www/MISP/app/tmp/logs/` - application logs (PHP)
 
-`X-Request-ID` HTTP header is logged in Apache, PHP-FPM and Sentry logs, so you can use these value to correlate requestes between logs.
+`X-Request-ID` HTTP header is logged in Apache, PHP-FPM and Sentry logs, so you can use this value to correlate requests between logs.
 
 ## Container volumes
 

bin/docker-entrypoint.sh

@@ -15,8 +15,10 @@ if [ "$1" = 'supervisord' ]; then
     chown root:apache /var/www/MISP/app/Config/{config.php,database.php,email.php}
     chmod 440 /var/www/MISP/app/Config/{config.php,database.php,email.php}
 
-    # Check syntax errors in generated config file
+    # Check syntax errors in generated config files
     su-exec apache php -l /var/www/MISP/app/Config/config.php
+    su-exec apache php -l /var/www/MISP/app/Config/database.php
+    su-exec apache php -l /var/www/MISP/app/Config/email.php
 
     # Check if all permissions are OK
     su-exec apache misp_check_permissions.py
@@ -45,6 +47,9 @@ unset MYSQL_PASSWORD
 unset REDIS_PASSWORD
 unset SECURITY_SALT
 unset SECURITY_ENCRYPTION_KEY
+unset OIDC_CLIENT_SECRET_INNER
+unset OIDC_CLIENT_SECRET
+unset OIDC_CLIENT_CRYPTO_PASS
 
 # Create GPG homedir under apache user
 chown -R apache:apache /var/www/MISP/.gnupg

bin/misp_check_permissions.py

@@ -8,7 +8,7 @@
     "/etc/supervisord.d/misp.ini",
     "/etc/rsyslog.conf",
     "/etc/httpd/conf.d/misp.conf",
-    "/etc/php.d/snuffleupagus-default.rules",
+    "/etc/php.d/snuffleupagus-misp.rules",
     "/root/.jobber",
 )
 

bin/misp_compile_jobber.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Copyright (C) 2022 National Cyber and Information Security Agency of the Czech Republic
+set -e
+set -o xtrace
+
+download_and_check () {
+  curl --proto '=https' --tlsv1.3 -sSL -o package.tar.gz $1
+  echo "$2 package.tar.gz" | sha256sum -c
+  tar zxf package.tar.gz --strip-components=1
+  rm -f package.tar.gz
+}
+
+mkdir /tmp/jobber
+cd /tmp/jobber
+
+download_and_check https://github.com/dshearer/jobber/archive/refs/tags/v1.4.4.tar.gz fd88a217a413c5218316664fab5510ace941f4fdb68dcb5428385ff09c68dcc2
+
+dnf install -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False rpmdevtools yum-utils
+dnf builddep -y --setopt=tsflags=nodocs --setopt=install_weak_deps=False packaging/rpm/*.spec
+
+make -C packaging/rpm pkg-local "DESTDIR=/tmp/"
+
+# Cleanup
+dnf history rollback -y last-2
+rm -rf /tmp/jobber