diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 13e7b64f..683480fe 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -51,3 +51,4 @@ include: - '2.4.97-debian/.gitlab-ci.yml' - '2.4.98-debian/.gitlab-ci.yml' - '2.4.99-debian/.gitlab-ci.yml' + - '2.4.100-debian/.gitlab-ci.yml' diff --git a/.travis.yml b/.travis.yml index 8a3e2561..17cf27f3 100644 --- a/.travis.yml +++ b/.travis.yml @@ -22,6 +22,7 @@ env: - VERSION=2.4.97-debian - VERSION=2.4.98-debian - VERSION=2.4.99-debian + - VERSION=2.4.100-debian - VERSION=2.4.nightly-ubuntu before_install: diff --git a/2.4.100-debian/.gitlab-ci.yml b/2.4.100-debian/.gitlab-ci.yml new file mode 100644 index 00000000..43d33465 --- /dev/null +++ b/2.4.100-debian/.gitlab-ci.yml @@ -0,0 +1,14 @@ +build 2.4.100-debian: + extends: .build + variables: + VERSION: "2.4.100-debian" + + +test 2.4.100-debian: + extends: .test + variables: + VERSION: "2.4.100-debian" + only: + changes: + - 2.4.100-debian/* + \ No newline at end of file diff --git a/2.4.100-debian/Dockerfile b/2.4.100-debian/Dockerfile new file mode 100644 index 00000000..b487b97c --- /dev/null +++ b/2.4.100-debian/Dockerfile @@ -0,0 +1,444 @@ +FROM debian:stretch-slim + + +# Variables for Labels: +ARG VENDOR="DCSO GmbH" +ARG COMPONENT="server" +ARG BUILD_DATE +ARG GIT_REPO +ARG VCS_REF +ARG VERSION +ARG MISP_TAG=${VERSION} +ARG RELEASE_DATE +ARG NAME="MISP-dockerized-${COMPONENT}" +ARG DESCRIPTION="This docker container is part of the DCSO MISP dockerized environment." +ARG DOCUMENTATION="https://github.com/DCSO/MISP-dockerized" +ARG AUTHOR="DCSO MISP Docker Team " +ARG LICENSE="BSD-3-Clause" +# END Variables + +######################################### +LABEL org.label-schema.build-date="${BUILD_DATE}" \ + org.label-schema.name="${NAME}" \ + org.label-schema.description="${DESCRIPTION}" \ + org.label-schema.vcs-ref="${VCS_REF}" \ + org.label-schema.vcs-url="${GIT_REPO}" \ + org.label-schema.url="${GIT_REPO}" \ + org.label-schema.vendor="${VENDOR}" \ + org.label-schema.version="${VERSION}" \ + org.label-schema.usage="${DOCUMENTATION}" \ + org.label-schema.schema-version="1.0.0-rc1" + +LABEL org.opencontainers.image.created="${BUILD_DATE}" \ + org.opencontainers.image.url="${GIT_REPO}" \ + org.opencontainers.image.source="${GIT_REPO}" \ + org.opencontainers.image.version="${VERSION}" \ + org.opencontainers.image.revision="${VCS_REF}" \ + org.opencontainers.image.vendor="${VENDOR}" \ + org.opencontainers.image.title="${NAME}" \ + org.opencontainers.image.description="${DESCRIPTION}" \ + org.opencontainers.image.documentation="${DOCUMENTATION}" \ + org.opencontainers.image.authors="${AUTHOR}" \ + org.opencontainers.image.licenses="${LICENSE}" +######################################### + + +# Start of MISP Config Part + +# Install core components +ENV DEBIAN_FRONTEND noninteractive +#RUN apt-get install -y software-properties- && apt-get autoremove -y && apt-get clean -y + +# DCSO Required Software +RUN apt-get update; apt-get install -y \ +locales \ +iputils-ping \ +net-tools \ +supervisor \ +gosu \ +wget \ +#syslog-ng \ +rsyslog \ +&& apt-get autoremove -y && apt-get clean -y + + + +# Set locals +ARG LANG=en_US.UTF-8 +RUN locale-gen ${LANG} +ENV LANG ${LANG} +ENV LC_ALL ${LANG} +ENV LANGUAGE=en_US:en +#ENV LC_ALL ${LANG} + +######################### START MISP Guide + +# 1/ Minimal Ubuntu install +# ------------------------- + # Upgrade System + RUN apt-get update -y && apt-get upgrade -y && apt-get autoremove -y && apt-get clean -y + + + # Install Postfix dependency + RUN apt-get update -y && apt-get install postfix -y && apt-get autoremove -y && apt-get clean -y + + + # 2/ Install LAMP & dependencies + # ------------------------------ + # Install required software + ## Installation of libfuzzy-dev is required for pydeep + + RUN apt-get install -y \ + curl gcc git gnupg-agent make python3 openssl sudo vim zip \ + redis-server \ + libyara-dev \ + && apt-get autoremove -y && apt-get clean -y + + RUN apt-get install -y \ + python3-setuptools python3-dev python3-pip python3-yara python3-redis python3-zmq virtualenv \ + libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \ + && apt-get autoremove -y && apt-get clean -y + + RUN apt-get install -y \ + python-pip jq jupyter-notebook imagemagick tesseract-ocr \ + libxml2-dev libxslt1-dev zlib1g-dev \ + && apt-get autoremove -y && apt-get clean -y + + + # Install MariaDB (a MySQL fork/alternative) | Server has its own container!!! + RUN apt-get install -y \ + mariadb-client \ + mariadb-server \ + && apt-get autoremove -y && apt-get clean -y + + + # Install Apache + RUN apt-get install -y \ + apache2 \ + apache2-doc \ + apache2-utils \ + && apt-get autoremove -y && apt-get clean -y + + # ATTENTION the part about a2enmod/a2dismod, a2ensite/a2dissite is moved to step 7. + + # Install PHP and depedencies + RUN apt-get install -y \ + libapache2-mod-php \ + php \ + php-cli \ + php-mbstring \ + php-dev \ + php-json \ + php-xml \ + php-mysql \ + php-opcache \ + php-readline \ + php-redis \ + php-gnupg \ + && apt-get autoremove -y && apt-get clean -y + + # ATTENTION restart is not required. + + + + + + +# 3/ MISP code +# ------------ + # Download MISP using git in the /var/www/ directory. + # Attention: we replaced the fixed tag with a variable + RUN mkdir /var/www/MISP; chown www-data:www-data /var/www/MISP; + RUN git clone https://github.com/MISP/MISP.git /var/www/MISP; cd /var/www/MISP; git checkout tags/v${MISP_TAG}; + + # Make git ignore filesystem permission differences + RUN cd /var/www/MISP; git config core.filemode false; + + # CakePHP and a lot of other things is included as a submodule of MISP, execute the following commands to let git fetch it: + RUN cd /var/www/MISP; git submodule update --init --recursive; + # Make git ignore filesystem permission differences for submodules + RUN cd /var/www/MISP; git submodule foreach --recursive git config core.filemode false + + # install Mitre's STIX and its dependencies by running the following commands: + RUN apt-get install -y python3-dev python3-pip libxml2-dev libxslt1-dev zlib1g-dev python-setuptools + # Upgrade + #RUN pip3 install setuptools --upgrade; + # install mixbox to accomodate the new STIX dependencies: + RUN cd /var/www/MISP/app/files/scripts; \ + git clone https://github.com/CybOXProject/mixbox.git; \ + cd mixbox; python3 setup.py install; + # install python-maec + RUN cd /var/www/MISP/app/files/scripts; \ + git clone https://github.com/MAECProject/python-maec.git; \ + cd python-maec; python3 setup.py install; + # install python-cybox + RUN cd /var/www/MISP/app/files/scripts; \ + git clone https://github.com/CybOXProject/python-cybox.git; \ + cd python-cybox; python3 setup.py install; + # install python stix + RUN cd /var/www/MISP/app/files/scripts; \ + git clone https://github.com/STIXProject/python-stix.git; \ + cd python-stix; python3 setup.py install; + + # install STIX2.0 library to support STIX 2.0 export: + RUN cd /var/www/MISP/; \ + cd cti-python-stix2; python3 setup.py install; + + # install PyMISP + RUN cd /var/www/MISP/; \ + cd PyMISP; python3 setup.py install; + + # # install support for STIX 2.0 (Python 3 is required) + # RUN pip3 install stix2 + + + +# 4/ CakePHP +# ------------ + # Once done, install CakeResque along with its dependencies if you intend to use the built in background jobs: + RUN cd /var/www/MISP/app; \ + php composer.phar require kamisama/cake-resque:4.1.2; \ + php composer.phar config vendor-dir Vendor; \ + php composer.phar install; + + # Enable CakeResque with php-redis + RUN phpenmod redis + + # Enable CakeResque with php-gnupgp + RUN phpenmod gnupg + + # To use the scheduler worker for scheduled tasks, do the following: + RUN cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php + # If you have multiple MISP instances on the same system, don't forget to have a different Redis per MISP instance for the CakeResque workers + # The default Redis port can be updated in Plugin/CakeResque/Config/config.php + + + + +# 5/ Set the permissions +# ---------------------- + # Check if the permissions are set correctly using the following commands: + RUN chown -R www-data:www-data /var/www/MISP; \ + chmod -R 750 /var/www/MISP; \ + chmod -R g+ws /var/www/MISP/app/tmp; \ + chmod -R g+ws /var/www/MISP/app/files; \ + chmod -R g+ws /var/www/MISP/app/files/scripts/tmp; + + + + + + +# 6/ Create a database and user +# ----------------------------- + # At the moment this will be done via entypoint_mariadb.sh script + + +# 7 Configure Apache +# ------------------ + # add HTTP MISP Config + RUN rm /etc/apache2/sites-enabled/*; + COPY files/etc/apache2/sites-enabled/* /etc/apache2/sites-enabled/ + COPY files/etc/apache2/ports.conf /etc/apache2/ports.conf + RUN chmod 640 /etc/apache2/ports.conf; \ + chown root.root /etc/apache2/ports.conf; \ + chmod 640 /etc/apache2/sites-available/*; \ + chown root.root /etc/apache2/sites-available/* + # Configure Apache + RUN sudo a2dismod status; \ + sudo a2enmod ssl; \ + sudo a2enmod rewrite; \ + sudo a2enmod headers; + + + + +### 8/ Log rotation + # MISP saves the stdout and stderr of its workers in /var/www/MISP/app/tmp/logs + # To rotate these logs install the supplied logrotate script: + RUN sudo cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp + + + + + + +### 9/ MISP configuration + # There are 4 sample configuration files in /var/www/MISP/app/Config that need to be copied + # RUN sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap.default.php /var/www/MISP/app/Config/bootstrap.php + # RUN sudo -u www-data cp -a /var/www/MISP/app/Config/database.default.php /var/www/MISP/app/Config/database.php + # RUN sudo -u www-data cp -a /var/www/MISP/app/Config/core.default.php /var/www/MISP/app/Config/core.php + # RUN sudo -u www-data cp -a /var/www/MISP/app/Config/config.default.php /var/www/MISP/app/Config/config.php + #### WILL BE DONE IN MISP_ROBOT + + + + + +### 5/ Set the permissions + # Check if the permissions are set correctly using the following commands: + RUN chown -R www-data:www-data /var/www/MISP; \ + chmod -R 750 /var/www/MISP; \ + chmod -R g+ws /var/www/MISP/app/tmp; \ + chmod -R g+ws /var/www/MISP/app/files; \ + chmod -R g+ws /var/www/MISP/app/files/scripts/tmp; + + + + + + + +# END of MISP Config Part +######################################### + +# ADD additionall modules + # MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following command + # ZeroMQ depends on the Python client for Redis + RUN pip3 install pyzmq; \ + pip3 install redis; + RUN pip install pyzmq; \ + pip install redis; + + + # For the experimental ssdeep correlations, run the following installation: + # installing ssdeep + RUN cd /usr/local/src/; \ + wget http://downloads.sourceforge.net/project/ssdeep/ssdeep-2.13/ssdeep-2.13.tar.gz; \ + tar zxvf ssdeep-2.13.tar.gz; \ + cd ssdeep-2.13; \ + ./configure; \ + make; \ + sudo make install; \ + ssdeep -h; # test + + #installing ssdeep_php + RUN sudo pecl install ssdeep; + + # 7.0 if your PHP 7.0 and you know what to do if you have a different version + RUN for FILE in $(ls /etc/php/); \ + do echo "extension=ssdeep.so" > /etc/php/$FILE/mods-available/ssdeep.ini; \ + phpenmod ssdeep; \ + done; + + + + RUN \ + # pymisp:… Please install pymisp: pip install pymisp + pip install pymisp \ + # #pydeep:… Please install pydeep: pip install git+https://github.com/kbandla/pydeep.git + pip install git+https://github.com/kbandla/pydeep.git; \ + # #magic:… Please install python-magic: pip install python-magic. + pip install python-magic; \ + # #lief:… Please install lief, documentation here: https://github.com/lief-project/LIEF + pip install setuptools --upgrade; \ + pip install lief; \ + # # Install maec libraries for STIX + pip install maec + + + + RUN \ + # pymisp:… Please install pymisp: pip install pymisp + pip3 install pymisp; \ + # #pydeep:… Please install pydeep: pip install git+https://github.com/kbandla/pydeep.git + pip3 install git+https://github.com/kbandla/pydeep.git; \ + # #magic:… Please install python-magic: pip install python-magic. + pip3 install python-magic; \ + # #lief:… Please install lief, documentation here: https://github.com/lief-project/LIEF + pip3 install setuptools --upgrade; \ + pip3 install lief; \ + # # Install maec libraries for STIX + pip3 install maec + + +######################################### +# Start of DCSO MISP Config Part + +# for S/MIME +RUN sudo -u www-data mkdir /var/www/MISP/.smime; \ + sudo -u www-data chmod 500 /var/www/MISP/.smime; +# for PGP +RUN sudo -u www-data mkdir /var/www/MISP/.gnupg; \ + sudo -u www-data chmod 700 /var/www/MISP/.gnupg; + +# for local MySQL Server: + # delete all config files +RUN rm -Rf /var/lib/mysql/*; + + # add own mysql config +COPY files/etc/mysql/mariadb.conf.d/DCSO.cnf /etc/mysql/mariadb.conf.d/ +RUN chmod -R 644 /etc/mysql/mariadb.conf.d/ + +# Copy patch File for MISP Events Page with additional Analyse Column +COPY files/var/www/MISP/app/View/Elements/Events/eventIndexTable.patch / + +# Syslog Server & rsyslog +COPY files/etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf +COPY files/etc/rsyslog.d/rsyslog_custom.conf /etc/rsyslog.d/ + +# HTML5 File uploader from http://www.matlus.com/html5-file-upload-with-progress/#codeListing6 +#COPY files/ssl_upload.html /var/www/MISP/app/webconfig/ + +# Postfix +# Copy files to postfix container +COPY files/etc/postfix/* /etc/postfix/ + +# I create this empty file to decide is the configuration completely new or not in the entrypoint_apache.sh +RUN touch "/var/www/MISP/app/Config/NOT_CONFIGURED" + +# Environment Variables + # CMD + ENV CMD_MYSQL mysqld + ENV CMD_APACHE none + ENV CMD_REDIS "redis-server --appendonly yes" + # Version + Name + ENV NAME ${NAME} + ENV VERSION ${VERSION} + ENV RELEASE_DATE ${RELEASE_DATE} + # Environment Variable for Proxy + ENV HTTP_PROXY="" + ENV HTTPS_PROXY="" + ENV NO_PROXY="0.0.0.0" + # MYSQL Vars + ENV MYSQL_HOST="localhost" + ENV MYSQL_DATABASE="misp" + ENV MYSQL_USER="misp" + + # POSTFIX + # Hostname for the Mailserver + ENV HOSTNAME=misp + # Domain for Outgoing Mail + ENV DOMAIN=example.com + # Sender for local postfix outgoing Mails + ENV SENDER_ADDRESS=admin@example.com + # Relahost to Send Mails + ENV RELAYHOST=smtp.example.local:587 + # RELAY User and Password + ENV RELAY_USER=misp + ENV RELAY_PASSWORD=ChangeMe + # Allow only MISP Docker Container Access + ENV DOCKER_NETWORK=192.168.47.0/28 + # You need to get more postfix output for a specified host normally the relayhost or misp-server + ENV DEBUG_PEER=none + + + + +# Entrypoints + # CMD + COPY files/entrypoint*.sh files/healthcheck.sh files/update_misp.sh / + RUN chmod +x /*.sh + +# Supervisord + # Copy Supervisord config + COPY files/etc/supervisord/supervisord.conf /etc/supervisor/supervisord.conf + # Execute Supervisord after start: + CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf + +# Add Healthcheck Config +HEALTHCHECK --interval=1m --timeout=45s --retries=3 CMD ["/healthcheck.sh"] + + +# End of DCSO MISP Config Part +######################################### diff --git a/2.4.100-debian/configuration.sh b/2.4.100-debian/configuration.sh new file mode 100644 index 00000000..fab61cf4 --- /dev/null +++ b/2.4.100-debian/configuration.sh @@ -0,0 +1,6 @@ +################################################## +# Build Arguments +BUILD_ARGS=" + --build-arg RELEASE_DATE=2018-12 +" +################################################## diff --git a/2.4.100-debian/files/entrypoint_apache.sh b/2.4.100-debian/files/entrypoint_apache.sh new file mode 100644 index 00000000..93eae93d --- /dev/null +++ b/2.4.100-debian/files/entrypoint_apache.sh @@ -0,0 +1,450 @@ +#!/bin/bash +set -e +export DEBIAN_FRONTEND=noninteractive + +STARTMSG="[ENTRYPOINT_APACHE]" + +MISP_BASE_PATH=/var/www/MISP +MISP_APP_PATH=/var/www/MISP/app +MISP_APP_CONFIG_PATH=$MISP_APP_PATH/Config +MISP_CONFIG=$MISP_APP_CONFIG_PATH/config.php +DATABASE_CONFIG=$MISP_APP_CONFIG_PATH/database.php +EMAIL_CONFIG=$MISP_APP_CONFIG_PATH/email.php +SSL_CERT="/etc/apache2/ssl/cert.pem" +SSL_KEY="/etc/apache2/ssl/key.pem" +SSL_DH_FILE="/etc/apache2/ssl/dhparams.pem" +FOLDER_with_VERSIONS="/var/www/MISP/app/tmp /var/www/MISP/app/files /var/www/MISP/app/Plugin/CakeResque/Config /var/www/MISP/app/Config /var/www/MISP/.gnupg /var/www/MISP/.smime /etc/apache2/ssl" +PID_CERT_CREATER="/etc/apache2/ssl/SSL_create.pid" + +# defaults + +[ -z $MISP_URL -a -z $MISP_FQDN ] && echo "Please set 'MISP_FQDN' or 'MISP_URL' environment variable in docker-compose.override.yml file for misp-server!!!" && exit +[ -z $MISP_URL -a ! -z $MISP_FQDN ] && export MISP_URL="https://$(echo $MISP_FQDN|cut -d '/' -f 3)" +[ -z $PGP_ENABLE ] && export PGP_ENABLE=0 +[ -z $SMIME_ENABLE ] && export SMIME_ENABLE=0 +[ -z $MYSQL_HOST ] && export MYSQL_HOST=localhost +[ -z $MYSQL_USER ] && export MYSQL_USER=misp +[ -z $SENDER_ADDRESS ] && export SENDER_ADDRESS="no-reply@$MISP_FQDN" +[ -z $MISP_SALT ] && export MISP_SALT="$( /var/www/MISP/app/webroot/gpg.asc" +} + +function init_smime(){ + echo "$STARTMSG ###### S/MIME Cert exists and copy it to MISP webroot #######" + ### Set permissions + chown www-data:www-data /var/www/MISP/.smime + chmod 500 /var/www/MISP/.smime + ## Export the public certificate (for Encipherment) to the webroot + sudo -u www-data sh -c "cp /var/www/MISP/.smime/cert.pem /var/www/MISP/app/webroot/public_certificate.pem" + #Due to this action, the MISP users will be able to download your public certificate (for Encipherment) by clicking on the footer + ### Set permissions + #chown www-data:www-data /var/www/MISP/app/webroot/public_certificate.pem + sudo -u www-data sh -c "chmod 440 /var/www/MISP/app/webroot/public_certificate.pem" +} + +function start_workers(){ + # start Workers for MISP + su -s /bin/bash -c "/var/www/MISP/app/Console/worker/start.sh" www-data +} + +function init_apache() { + # Apache gets grumpy about PID files pre-existing + rm -f /run/apache2/apache2.pid + # execute APACHE2 + /usr/sbin/apache2ctl -DFOREGROUND $1 +} + +function add_analyze_column(){ + ORIG_FILE="/var/www/MISP/app/View/Elements/Events/eventIndexTable.ctp" + PATCH_FILE="/eventIndexTable.patch" + + # Backup Orig File + cp $ORIG_FILE ${ORIG_FILE}.bak + # Patch file + patch $ORIG_FILE < $PATCH_FILE +} + +function change_php_vars(){ + [ -z ${PHP_MEMORY} ] && PHP_MEMORY=512 + for FILE in $(ls /etc/php/*/apache2/php.ini) + do + sed -i "s/memory_limit = .*/memory_limit = ${PHP_MEMORY}M/" $FILE + sed -i "s/max_execution_time = .*/max_execution_time = 300/" $FILE + sed -i "s/upload_max_filesize = .*/upload_max_filesize = 50M/" $FILE + sed -i "s/post_max_size = .*/post_max_size = 50M/" $FILE + done +} + +function init_misp_config(){ + echo "$STARTMSG Configure MISP | Copy MISP default configuration files" + + [ -f $MISP_APP_CONFIG_PATH/bootstrap.php ] || cp $MISP_APP_CONFIG_PATH/bootstrap.default.php $MISP_APP_CONFIG_PATH/bootstrap.php + [ -f $DATABASE_CONFIG ] || cp $MISP_APP_CONFIG_PATH/database.default.php $DATABASE_CONFIG + [ -f $MISP_APP_CONFIG_PATH/core.php ] || cp $MISP_APP_CONFIG_PATH/core.default.php $MISP_APP_CONFIG_PATH/core.php + [ -f $MISP_CONFIG ] || cp $MISP_APP_CONFIG_PATH/config.default.php $MISP_CONFIG + + echo "$STARTMSG Configure MISP | Set DB User, Password and Host in database.php" + sed -i "s/localhost/$MYSQL_HOST/" $DATABASE_CONFIG + sed -i "s/db\s*login/$MYSQL_USER/" $DATABASE_CONFIG + sed -i "s/8889/3306/" $DATABASE_CONFIG + sed -i "s/db\s*password/$MYSQL_PASSWORD/" $DATABASE_CONFIG + + echo "$STARTMSG Configure MISP | Set MISP-Url in config.php" + sed -i "s_.*baseurl.*=>.*_ \'baseurl\' => \'$MISP_URL\',_" $MISP_CONFIG + sudo $CAKE baseurl "$MISP_URL" + + echo "$STARTMSG Configure MISP | Set Email in config.php" + sed -i "s/email@address.com/$SENDER_ADDRESS/" $MISP_CONFIG + + echo "$STARTMSG Configure MISP | Set Admin Email in config.php" + sed -i "s/admin@misp.example.com/$SENDER_ADDRESS/" $MISP_CONFIG + + # echo "Configure MISP | Set GNUPG Homedir in config.php" + # sed -i "s,'homedir' => '/',homedir' => '/var/www/MISP/.gnupg'," $MISP_CONFIG + + echo "$STARTMSG Configure MISP | Change Salt in config.php" + sed -i "s/'salt'\\s*=>\\s*''/'salt' => '$MISP_SALT'/" $MISP_CONFIG + + echo "$STARTMSG Configure MISP | Change Mail type from phpmailer to smtp" + sed -i "s/'transport'\\s*=>\\s*''/'transport' => 'Smtp'/" $EMAIL_CONFIG + + echo # add an echo command because if no command is done busybox (alpine sh) won't continue the script +} + +function setup_via_cake_cli(){ + # Initialize user and fetch Auth Key + #sudo -E $CAKE userInit -q + #AUTH_KEY=$(mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -h $MYSQL_HOST $MYSQL_DATABASE -e "SELECT authkey FROM users;" | head -2| tail -1) + # Setup some more MISP default via cake CLI + sudo $CAKE baseurl "$MISP_URL" + # Tune global time outs + sudo $CAKE Admin setSetting "Session.autoRegenerate" 0 + sudo $CAKE Admin setSetting "Session.timeout" 600 + sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600 + # Enable GnuPG + sudo $CAKE Admin setSetting "GnuPG.email" "$SENDER_ADDRESS" + sudo $CAKE Admin setSetting "GnuPG.homedir" "$MISP_BASE_PATH/.gnupg" + #sudo $CAKE Admin setSetting "GnuPG.password" "" + # Enable Enrichment set better timeouts + sudo $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true + sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true + sudo $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300 + sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150 + sudo $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true + sudo $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true + sudo $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://misp-modules" + sudo $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666 + # Enable Import modules set better timout + sudo $CAKE Admin setSetting "Plugin.Import_services_enable" true + sudo $CAKE Admin setSetting "Plugin.Import_services_url" "http://misp-modules" + sudo $CAKE Admin setSetting "Plugin.Import_services_port" 6666 + sudo $CAKE Admin setSetting "Plugin.Import_timeout" 300 + sudo $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true + sudo $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true + # Enable Export modules set better timout + sudo $CAKE Admin setSetting "Plugin.Export_services_enable" true + sudo $CAKE Admin setSetting "Plugin.Export_services_url" "http://misp-modules" + sudo $CAKE Admin setSetting "Plugin.Export_services_port" 6666 + sudo $CAKE Admin setSetting "Plugin.Export_timeout" 300 + sudo $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true + # Enable installer org and tune some configurables + sudo $CAKE Admin setSetting "MISP.host_org_id" 1 + sudo $CAKE Admin setSetting "MISP.email" "$SENDER_ADDRESS" + sudo $CAKE Admin setSetting "MISP.disable_emailing" true + sudo $CAKE Admin setSetting "MISP.contact" "$SENDER_ADDRESS" + # sudo $CAKE Admin setSetting "MISP.disablerestalert" true + # sudo $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true + # Provisional Cortex tunes + sudo $CAKE Admin setSetting "Plugin.Cortex_services_enable" false + # sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1" + # sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000 + # sudo $CAKE Admin setSetting "Plugin.Cortex_timeout" 120 + # sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1" + # sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000 + # sudo $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120 + # sudo $CAKE Admin setSetting "Plugin.Cortex_services_authkey" "" + # sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false + # sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false + # sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true + # Various plugin sightings settings + # sudo $CAKE Admin setSetting "Plugin.Sightings_policy" 0 + # sudo $CAKE Admin setSetting "Plugin.Sightings_anonymise" false + # sudo $CAKE Admin setSetting "Plugin.Sightings_range" 365 + # Plugin CustomAuth tuneable + # sudo $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false + # RPZ Plugin settings + # sudo $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP" + # sudo $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1" + # sudo $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00" + # sudo $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h" + # sudo $CAKE Admin setSetting "Plugin.RPZ_retry" "30m" + # sudo $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d" + # sudo $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h" + # sudo $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w" + # sudo $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost." + # sudo $CAKE Admin setSetting "Plugin.RPZ_ns_alt" "" + # sudo $CAKE Admin setSetting "Plugin.RPZ_email" "$SENDER_ADDRESS" + # Force defaults to make MISP Server Settings less RED + sudo $CAKE Admin setSetting "MISP.language" "eng" + #sudo $CAKE Admin setSetting "MISP.proposals_block_attributes" false + # Redis block + sudo $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1" + sudo $CAKE Admin setSetting "MISP.redis_port" 6379 + sudo $CAKE Admin setSetting "MISP.redis_database" 13 + sudo $CAKE Admin setSetting "MISP.redis_password" "" + # Force defaults to make MISP Server Settings less YELLOW + # sudo $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40 + # sudo $CAKE Admin setSetting "MISP.extended_alert_subject" false + # sudo $CAKE Admin setSetting "MISP.default_event_threat_level" 4 + # sudo $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team" + # sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team" + # sudo $CAKE Admin setSetting "MISP.enableEventBlacklisting" true + # sudo $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true + # sudo $CAKE Admin setSetting "MISP.log_client_ip" false + # sudo $CAKE Admin setSetting "MISP.log_auth" false + # sudo $CAKE Admin setSetting "MISP.disableUserSelfManagement" false + # sudo $CAKE Admin setSetting "MISP.block_event_alert" false + # sudo $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\"" + # sudo $CAKE Admin setSetting "MISP.block_old_event_alert" false + # sudo $CAKE Admin setSetting "MISP.block_old_event_alert_age" "" + # sudo $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false + # sudo $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install" + # sudo $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly" + # sudo $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure" + # sudo $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings" + + # Force defaults to make MISP Server Settings less GREEN + # sudo $CAKE Admin setSetting "Security.password_policy_length" 16 + # sudo $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/' + # Tune global time outs + sudo $CAKE Admin setSetting "Session.autoRegenerate" 0 + sudo $CAKE Admin setSetting "Session.timeout" 600 + sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600 + # Set MISP Live + # sudo $CAKE Live 1 + # Update the galaxies… + #sudo $CAKE Admin updateGalaxies + # Updating the taxonomies… + #sudo $CAKE Admin updateTaxonomies + # Updating the warning lists… + #sudo $CAKE Admin updateWarningLists + # Updating the notice lists… + # sudo $CAKE Admin updateNoticeLists + #curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update + + # Updating the object templates… + # sudo $CAKE Admin updateObjectTemplates + #curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update +} + +function create_ssl_cert(){ + # If a valid SSL certificate is not already created for the server, create a self-signed certificate: + while [ -f $PID_CERT_CREATER.proxy ] + do + echo "$STARTMSG `date +%T` - misp-proxy container create currently the certificate. misp-server wait until misp-proxy is finish." + sleep 2 + done + [ ! -f $SSL_CERT -a ! -f $SSL_KEY ] && touch ${PID_CERT_CREATER}.server && echo "$STARTMSG Create SSL Certificate..." && openssl req -x509 -newkey rsa:4096 -keyout $SSL_KEY -out $SSL_CERT -days 365 -sha256 -subj "/CN=${HOSTNAME}" -nodes && rm ${PID_CERT_CREATER}.server + echo # add an echo command because if no command is done busybox (alpine sh) won't continue the script +} + +function SSL_generate_DH(){ + while [ -f $PID_CERT_CREATER.proxy ] + do + echo "$STARTMSG `date +%T` - misp-proxy container create currently the certificate. misp-server wait until misp-proxy is finish." + sleep 2 + done + [ ! -f $SSL_DH_FILE ] && touch ${PID_CERT_CREATER}.server && echo "$STARTMSG Create DH params - This can take a long time, so take a break and enjoy a cup of tea or coffee." && openssl dhparam -out $SSL_DH_FILE 2048 && rm ${PID_CERT_CREATER}.server + echo # add an echo command because if no command is done busybox (alpine sh) won't continue the script +} + +function check_mysql(){ + # Test when MySQL is ready + + while (true) + do + [ -z "$(mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -h $MYSQL_HOST -e 'select 1;'|tail -1|grep ERROR)" ] && break; + echo "$STARTMSG Wait for MySQL..." + sleep 2 + done +} + +function check_redis(){ + # Test when Redis is ready + + # if no host is give default localhost + [ -z $REDIS_HOST ] && REDIS_HOST=localhost + while (true) + do + [ "$(redis-cli -h $REDIS_HOST ping)" == "PONG" ] && break; + echo "$STARTMSG Wait for Redis..." + sleep 2 + done +} + +function upgrade(){ + for i in $FOLDER_with_VERSIONS + do + if [ ! -f $i/${NAME} ] + then + # File not exist and now it will be created + echo ${VERSION} > $i/${NAME} + elif [ ! -f $i/${NAME} -a -z "$(cat $i/${NAME})" ] + then + # File exists, but is empty + echo ${VERSION} > $i/${NAME} + elif [ "$VERSION" == "$(cat $i/${NAME})" ] + then + # File exists and the volume is the current version + echo "$STARTMSG Folder $i is on the newest version." + else + # upgrade + echo "$STARTMSG Folder $i should be updated." + case $(echo $i/$NAME) in + 2.4.92) + # Tasks todo in 2.4.92 + echo "$STARTMSG #### Upgrade Volumes from 2.4.92 ####" + ;; + 2.4.93) + # Tasks todo in 2.4.92 + echo "$STARTMSG #### Upgrade Volumes from 2.4.93 ####" + ;; + 2.4.94) + # Tasks todo in 2.4.92 + echo "$STARTMSG #### Upgrade Volumes from 2.4.94 ####" + ;; + 2.4.95) + # Tasks todo in 2.4.92 + echo "$STARTMSG #### Upgrade Volumes from 2.4.95 ####" + ;; + 2.4.96) + # Tasks todo in 2.4.92 + echo "$STARTMSG #### Upgrade Volumes from 2.4.96 ####" + ;; + 2.4.97) + # Tasks todo in 2.4.92 + echo "$STARTMSG #### Upgrade Volumes from 2.4.97 ####" + ;; + *) + echo "$STARTMSG Unknown Version, upgrade not possible." + exit + ;; + esac + ############ DO ANY!!! + fi + done +} + +############## MAIN ################# +echo "$STARTMSG wait 30 seconds for DB" && sleep 30 + + +# If a customer needs a analze column in misp +echo "$STARTMSG check if analyze column should be added..." + [ "$ADD_ANALYZE_COLUMN" == "yes" ] && add_analyze_column + +# Change PHP VARS +echo "$STARTMSG check if PHP values should be changed..." + change_php_vars + +##### PGP configs ##### +echo "$STARTMSG check if PGP should be enabled...." + [ -z $PGP_ENABLE ] && PGP_ENABLE=0 # false + [ $PGP_ENABLE == "y" ] && PGP_ENABLE=1 && init_pgp + # if secring.pgp exists execute init_pgp + [ -f "/var/www/MISP/.gnupgp/public.key" ] && init_pgp + +echo "$STARTMSG check if SMIME should be enabled..." + [ -z $SMIME_ENABLE ] && SMIME_ENABLE=0 # false + [ $SMIME_ENABLE == "y" ] && SMIME_ENABLE=1 && init_smime + # If certificate exists execute init_smime + [ -f "/var/www/MISP/.smime/cert.pem" ] && init_smime + +##### create a cert if it is required +echo "$STARTMSG check if a cert is required..." + create_ssl_cert + +# check if DH file is required to generate +echo "$STARTMSG check if a dh file is required" + SSL_generate_DH + +##### enable https config and disable http config #### +echo "$STARTMSG check if HTTPS MISP config should be enabled..." + [ -f /etc/apache2/ssl/cert.pem -a ! -f /etc/apache2/sites-enabled/misp.ssl.conf ] && mv /etc/apache2/sites-enabled/misp.ssl /etc/apache2/sites-enabled/misp.ssl.conf + +echo "$STARTMSG check if HTTP MISP config should be disabled..." + [ -f /etc/apache2/ssl/cert.pem -a ! -f /etc/apache2/sites-enabled/misp.http ] && mv /etc/apache2/sites-enabled/misp.conf /etc/apache2/sites-enabled/misp.http + +##### check MySQL +echo "$STARTMSG check if MySQL is ready..." && check_mysql + +##### check MySQL +echo "$STARTMSG check if Redis is ready..." && check_redis + + +##### initialize MISP-SERVER +echo "$STARTMSG initialize misp base config..." + init_misp_config + +##### check if setup is new: - in the dockerfile i create on this path a empty file to decide is the configuration completely new or not +echo "$STARTMSG check if cake setup should be initialized..." + [ -f "/var/www/MISP/app/Config/NOT_CONFIGURED" -a -f "/var/www/MISP/app/Config/database.php" ] && setup_via_cake_cli + +##### Delete the initial decision file & reboot misp-server +echo "$STARTMSG check if misp-server is configured and file /var/www/MISP/app/Config/NOT_CONFIGURED exist" + [ -f /var/www/MISP/app/Config/NOT_CONFIGURED ] && echo "$STARTMSG delete init config file and reboot" && rm "/var/www/MISP/app/Config/NOT_CONFIGURED" + +######################################################## +# check volumes and upgrade if it is required +echo "$STARTMSG upgrade if it is required..." && upgrade + +##### Check permissions ##### + echo "$STARTMSG Configure MISP | Check permissions" + chown -R www-data.www-data /var/www/MISP + chmod -R 0750 /var/www/MISP + chmod -R g+ws /var/www/MISP/app/tmp + chmod -R g+ws /var/www/MISP/app/files + chmod -R g+ws /var/www/MISP/app/files/scripts/tmp + +# start workers +start_workers + + + + + +# START APACHE2 +echo "$STARTMSG #################################### started Apache2 with cmd: '$CMD_APACHE' ####################################" + +##### Display tips +echo +echo +cat <<__WELCOME__ +" ########### MISP environment is ready ###########" +" Please go to: ${MYSQL_HOST}" +" Login credentials:" +" Username: admin@admin.test" +" Password: admin" + +" Do not forget to change your SSL certificate with: make change-ssl" +" ##########################################################" +Congratulations! +Your MISP-dockerized server has been successfully booted. +__WELCOME__ + + +##### execute apache +[ "$CMD_APACHE" != "none" ] && init_apache $CMD_APACHE +[ "$CMD_APACHE" == "none" ] && init_apache diff --git a/2.4.100-debian/files/entrypoint_cron.sh b/2.4.100-debian/files/entrypoint_cron.sh new file mode 100644 index 00000000..9fca9f86 --- /dev/null +++ b/2.4.100-debian/files/entrypoint_cron.sh @@ -0,0 +1,58 @@ +#!/bin/bash + +set -e + +STARTMSG="[ENTRYPOINT_CRON]" +CAKE="/var/www/MISP/app/Console/cake" + + + +# SLEEP 1h +sleep 3600 + +[ -z $AUTH_KEY ] && export AUTH_KEY=$(mysql -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE -e "SELECT authkey FROM users;" | head -2|tail -1) + +# Wait until database is ready then test +while(true) +do + [ -z "$(mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -h $MYSQL_HOST -e 'select 1;'|tail -1|grep ERROR)" ] && [ ! -z "$($CAKE Admin getSetting MISP.baseurl|grep value)" ] && break; + sleep 3 +done + +# Administering MISP via the CLI + # Certain administrative tasks are exposed to the API, these help with maintaining and configuring MISP in an automated way / via external tools.: + # GetSettings: MISP/app/Console/cake Admin getSetting [setting] + # SetSettings: MISP/app/Console/cake Admin getSetting [setting] [value] + # GetAuthkey: MISP/app/Console/cake Admin getauthkey [email] + # SetBaseurl: MISP/app/Console/cake Baseurl setbaseurl [baseurl] + # ChangePassword: MISP/app/Console/cake Password [email] [new_password] + +# Automating certain console tasks + # If you would like to automate tasks such as caching feeds or pulling from server instances, you can do it using the following command line tools. Simply execute the given commands via the command line / create cron jobs easily out of them.: + # Pull: MISP/app/Console/cake Server pull [user_id] [server_id] [full|update] + # Push: MISP/app/Console/cake Server push [user_id] [server_id] + # CacheFeed: MISP/app/Console/cake Server cacheFeed [user_id] [feed_id|all|csv|text|misp] + # FetchFeed: MISP/app/Console/cake Server fetchFeed [user_id] [feed_id|all|csv|text|misp] + # Enrichment: MISP/app/Console/cake Event enrichEvent [user_id] [event_id] [json_encoded_module_list] + +while(true) +do + # START the SCRIPT + COUNTER="`date +%Y-%m-%d_%H:%M`" + echo "$STARTMSG [ $COUNTER ] Start MISP-dockerized Cronjob at `date +%Y-%m-%d_%H:%M`... " + + + #If you would like to automate tasks such as caching feeds or pulling from server instances, you can do it using the following command line tools. Simply execute the given commands via the command line / create cron jobs easily out of them.: + #Pull: MISP/app/Console/cake Server pull [user_id] [server_id] [full|update] + + echo "$STARTMSG $CAKE Server pull 1 update..." && $CAKE Server pull 1 update + + # CacheFeed: MISP/app/Console/cake Server cacheFeed [user_id] [feed_id|all|csv|text|misp] + echo "$STARTMSG $CAKE Server cacheFeed 1 all..." && $CAKE Server cacheFeed 1 all + + #FetchFeed: MISP/app/Console/cake Server fetchFeed [user_id] [feed_id|all|csv|text|misp] + echo "$STARTMSG $CAKE Server fetchFeed 1 all..." && $CAKE Server fetchFeed 1 all + # Finished + echo "$STARTMSG [ $COUNTER ] Finished MISP-dockerized Cronjob at `date +%Y-%m-%d_%H:%M`... " + sleep 3600 +done \ No newline at end of file diff --git a/2.4.100-debian/files/entrypoint_local_mariadb.sh b/2.4.100-debian/files/entrypoint_local_mariadb.sh new file mode 100644 index 00000000..a23a9c99 --- /dev/null +++ b/2.4.100-debian/files/entrypoint_local_mariadb.sh @@ -0,0 +1,158 @@ +#!/bin/bash +set -e + +STARTMSG="[ENTRYPOINT_LOCAL_MARIADB]" +DATADIR="/var/lib/mysql" +FOLDER_with_VERSIONS="/var/lib/mysql" + +[ -z $MYSQL_DATABASE ] && export MYSQL_DATABASE=misp +[ -z $MYSQL_HOST ] && export MYSQL_HOST=localhost +[ -z "$MYSQL_ROOT_PASSWORD" ] && echo "$STARTMSG No MYSQL_ROOT_PASSWORD is set. Exit now." && exit 1 + + +function upgrade(){ + for i in $FOLDER_with_VERSIONS + do + if [ ! -f $i/${NAME} ] + then + # File not exist and now it will be created + echo ${VERSION} > $i/${NAME} + elif [ ! -f $i/${NAME} -a -z "$(cat $i/${NAME})" ] + then + # File exists, but is empty + echo ${VERSION} > $i/${NAME} + elif [ "$VERSION" == "$(cat $i/${NAME})" ] + then + # File exists and the volume is the current version + echo "$STARTMSG Folder $i is on the newest version." + else + # upgrade + echo "$STARTMSG Folder $i should be updated." + + ############ DO ANY!!! + fi + done +} + +function start_mysql(){ + if [ -z "$@" ]; then + gosu mysql mysqld + else + gosu mysql $@ + fi +} + +function init_mysql(){ + +echo "$STARTMSG Initializing database" +echo "$STARTMSG mkdir -p $DATADIR/mysql" && mkdir -p $DATADIR/mysql +echo "$STARTMSG chown -R mysql.mysql $DATADIR/*" && chown -R mysql.mysql $DATADIR/* +# "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here) +gosu mysql mysql_install_db --datadir="$DATADIR" --rpm "${@:2}" +echo "$STARTMSG Database initialized" + +echo "$STARTMSG Start mysqld to setup" +#"$@" --skip-networking --socket="${SOCKET}" & +start_mysql & +pid="$!" +sleep 2 +# test if mysqld is ready +i=0 +while(true) +do + [ -z "$(mysql -uroot -h $MYSQL_HOST -e 'select 1;'|tail -1|grep ERROR)" ] && break; + echo "$STARTMSG not ready..." + sleep 3 + i+=1 + [ "$i" >= 10 ] && echo "can't start DB" && exit 1 +done +######################################################## + +mysql -uroot -h localhost << EOF +-- What's done in this file shouldn't be replicated +-- or products like mysql-fabric won't work +SET @@SESSION.SQL_LOG_BIN=0; + +-- Delete all Users except root +DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost', '$HOSTNAME') ; +-- Set Password +UPDATE mysql.user SET Password=PASSWORD('$MYSQL_ROOT_PASSWORD') WHERE User='root' ; +--SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ; + +-- Create Root User with % +CREATE USER 'root'@'%' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ; + +-- Grant Permissions +GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ; +GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ; + +-- Create MISP DB +CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ; + +-- Create MISP DB User +CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ; +GRANT ALL ON \`$MYSQL_DATABASE\`.* TO '$MYSQL_USER'@'%' ; + +DROP DATABASE IF EXISTS test ; +FLUSH PRIVILEGES ; +EOF + +######################################################## +# import MISP DB Scheme +echo "$STARTMSG Import MySQL scheme" +mysql -u$MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE < /var/www/MISP/INSTALL/MYSQL.sql + +######################################################## +# create debian.cnf +debian_conf=/etc/mysql/debian.cnf + +# add debian.cnf File +cat << EOF > $debian_conf +# MYSQL Configuration from DCSO +[client] +host = localhost +user = root +password = $(echo $MYSQL_ROOT_PASSWORD) +socket = /var/run/mysqld/mysqld.sock +[mysql_upgrade] +#host = localhost +user = root +password = $(echo $MYSQL_ROOT_PASSWORD) +socket = /var/run/mysqld/mysqld.sock +basedir = /usr + +EOF + ######################################################## + +} + + +######################################################## +######################################################## +######################################################## +# START MAIN +######################################################## +######################################################## +######################################################## + + +# create socket folder if not exists +[ ! -d "/var/run/mysqld" ] && mkdir -p /var/run/mysqld && chown -R mysql.mysql /var/run/mysqld +######################################################## +# Initialize mysql daemon +[ ! -d "$DATADIR/mysql" ] && init_mysql +######################################################## +# check volumes and upgrade if it is required +echo "$STARTMSG upgrade if it is required..." && upgrade +######################################################## +# Stop existing mysql deamon +echo "$STARTMSG stopping mysql..." && service mysql stop +######################################################## +# Own the directory +echo "$STARTMSG chown -R mysql.mysql $DATADIR/*" && chown -R mysql.mysql $DATADIR/* +######################################################## +# CHMOD the configuration files +echo "$STARTMSG chmod -R 644 /etc/mysql/*" && chmod -R 644 /etc/mysql/* +######################################################## +# start mysql deamon +echo "$STARTMSG start longtime mysql..." && start_mysql diff --git a/2.4.100-debian/files/entrypoint_monitoring.sh b/2.4.100-debian/files/entrypoint_monitoring.sh new file mode 100644 index 00000000..352adfa2 --- /dev/null +++ b/2.4.100-debian/files/entrypoint_monitoring.sh @@ -0,0 +1,24 @@ +#!/bin/bash +set -ex + +function init_netdata(){ + + CONFIG_FILE="/etc/netdata/netdata.conf" + + sed -i "s/.*# hostname.*/hostname = $(hostname)/" $CONFIG_FILE + #sed -i "s,.*# error log.*,error log = /dev/stderr," $CONFIG_FILE + #sed -i "s,.*# access log.*,access log = /dev/stdout," $CONFIG_FILE + sed -i "s/.*# memory mode.*/memory mode = ram/" $CONFIG_FILE + + /usr/sbin/netdata -D + +} + +function start_monitoring(){ + # Init and start Netdata as monitoring solution + #init_netdata +} + + +##### MAIN ##### +start_monitoring \ No newline at end of file diff --git a/2.4.100-debian/files/entrypoint_postfix.sh b/2.4.100-debian/files/entrypoint_postfix.sh new file mode 100644 index 00000000..97040b47 --- /dev/null +++ b/2.4.100-debian/files/entrypoint_postfix.sh @@ -0,0 +1,49 @@ +#!/bin/bash +set -e + +STARTMSG="[ENTRYPOINT_POSTFIX]" +POSTFIX_PATH="/etc/postfix" +POSTFIX_CONFIG="$POSTFIX_PATH/main.cf" +SMTP_AUTH="$POSTFIX_PATH/smtp_auth" +GENERIC="$POSTFIX_PATH/generic_misp" + +# Set Environment Variables in Config + postconf myhostname=$HOSTNAME +# Domain for Outgoing Mail + postconf mydomain=$DOMAIN +# Relahost to Send Mails + postconf relayhost=$RELAYHOST +# Allow only MISP Docker Container Access + postconf mynetworks="127.0.0.1/32 [::1]/128 $DOCKER_NETWORK" +# If you need to get more postfix output for a specified host normally the relayhost or misp-server + # if DEBUG_PEER isn't none set debug peer: + [ "$DEBUG_PEER" == "none" ] || postconf debug_peer_list=$DEBUG_PEER + + +# Sender for local postfix outgoing Mails +#mysed SENDER_ADDRESS $SENDER_ADDRESS $GENERIC +echo "root $SENDER_ADDRESS" > $GENERIC +echo "@$DOMAIN $SENDER_ADDRESS" >> $GENERIC + + +# RELAY User and Password +echo -e "$RELAYHOST $RELAY_USER:$RELAY_PASSWORD" > $SMTP_AUTH + + +# Start Postfix +postmap $SMTP_AUTH +postmap $GENERIC +/usr/lib/postfix/sbin/post-install meta_directory=/etc/postfix create-missing +/usr/lib/postfix/sbin/master + + +# Check Postfix configuration +postconf -c /etc/postfix/ + +if [[ $? != 0 ]]; then + echo "$STARTMS GPostfix configuration error, refusing to start." + exit 1 +else + echo "$STARTMSG Start Postfix..." && postfix -c /etc/postfix/ start + sleep 126144000 +fi \ No newline at end of file diff --git a/2.4.100-debian/files/entrypoint_redis.sh b/2.4.100-debian/files/entrypoint_redis.sh new file mode 100644 index 00000000..4bdf1ff8 --- /dev/null +++ b/2.4.100-debian/files/entrypoint_redis.sh @@ -0,0 +1,21 @@ +#!/bin/bash +set -e + +STARTMSG="[ENTRYPOINT_REDIS]" + +function init_redis() { + # allow the container to be started with `--user` + [ -d "/redis_data_dir" ] || mkdir -p /redis_data_dir + # change directory + pushd /redis_data_dir + # check if script is started as user redis if not do it! + if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then + chown -R redis . + exec gosu redis "$0" "$@" + fi + + echo -e "$STARTMSG ############### started REDIS with cmd: '$CMD_REDIS' #############" + exec "$@" +} + +init_redis $CMD_REDIS \ No newline at end of file diff --git a/2.4.100-debian/files/entrypoint_rsyslog.sh b/2.4.100-debian/files/entrypoint_rsyslog.sh new file mode 100644 index 00000000..aeefcac3 --- /dev/null +++ b/2.4.100-debian/files/entrypoint_rsyslog.sh @@ -0,0 +1,10 @@ +#!/bin/bash +set -e + +STARTMSG="[ENTRYPOINT_RSYSLOG]" + +# delete old logs +[ -z "$DELETE_LOG" ] && export DELETE_LOG="yes" +[ "$DELETE_LOG" = "yes" ] && echo "$STARTMSG delete old MISP logs: rm -f /var/www/MISP/app/tmp/logs/*" && rm -f /var/www/MISP/app/tmp/logs/* + +rsyslogd -n \ No newline at end of file diff --git a/2.4.100-debian/files/entrypoint_syslog-ng.sh b/2.4.100-debian/files/entrypoint_syslog-ng.sh new file mode 100644 index 00000000..df768d8e --- /dev/null +++ b/2.4.100-debian/files/entrypoint_syslog-ng.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +/usr/sbin/syslog-ng --foreground --no-caps diff --git a/2.4.100-debian/files/etc/apache2/ports.conf b/2.4.100-debian/files/etc/apache2/ports.conf new file mode 100644 index 00000000..80afbb9f --- /dev/null +++ b/2.4.100-debian/files/etc/apache2/ports.conf @@ -0,0 +1,15 @@ +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in +# /etc/apache2/sites-enabled/000-default.conf + +Listen 80 + + + Listen 443 + + + + Listen 443 + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet \ No newline at end of file diff --git a/2.4.100-debian/files/etc/apache2/sites-enabled/misp.conf b/2.4.100-debian/files/etc/apache2/sites-enabled/misp.conf new file mode 100644 index 00000000..9c4db2f7 --- /dev/null +++ b/2.4.100-debian/files/etc/apache2/sites-enabled/misp.conf @@ -0,0 +1,19 @@ + + ServerName misp-server + DocumentRoot /var/www/MISP/app/webroot + + Options -Indexes + AllowOverride all + Require all granted + + + + LogLevel warn + + ErrorLog /var/log/apache2/error.log + CustomLog /var/log/apache2/access.log combined + + ServerSignature Off + Header set X-Content-Type-Options nosniff + Header set X-Frame-Options DENY + diff --git a/2.4.100-debian/files/etc/apache2/sites-enabled/misp.ssl b/2.4.100-debian/files/etc/apache2/sites-enabled/misp.ssl new file mode 100644 index 00000000..d7215877 --- /dev/null +++ b/2.4.100-debian/files/etc/apache2/sites-enabled/misp.ssl @@ -0,0 +1,29 @@ + + ServerName misp-server + DocumentRoot /var/www/MISP/app/webroot + + Options -Indexes + AllowOverride all + Order allow,deny + allow from all + + + SSLEngine On + SSLProtocol all -SSLv2 -SSLv3 + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA + SSLHonorCipherOrder on + SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparams.pem" + + SSLCertificateFile /etc/apache2/ssl/cert.pem + SSLCertificateKeyFile /etc/apache2/ssl/key.pem + #SSLCertificateChainFile /etc/ssl/private/chain.pem + + LogLevel warn + + ErrorLog /var/log/apache2/error.log + CustomLog /var/log/apache2/access.log combined + + ServerSignature Off + #Header set X-Content-Type-Options nosniff + #Header set X-Frame-Options DENY + diff --git a/2.4.100-debian/files/etc/mysql/mariadb.conf.d/DCSO.cnf b/2.4.100-debian/files/etc/mysql/mariadb.conf.d/DCSO.cnf new file mode 100644 index 00000000..09c00b51 --- /dev/null +++ b/2.4.100-debian/files/etc/mysql/mariadb.conf.d/DCSO.cnf @@ -0,0 +1,101 @@ +# +# These groups are read by MariaDB server. +# Use it for options that only the server (but not clients) should see +# +# See the examples of server my.cnf files in /usr/share/mysql/ +# + +# this is read by the standalone daemon and embedded servers +[server] + +# this is only for the mysqld standalone daemon +[mysqld] + +# +# * Basic Settings +# +user = mysql +pid-file = /var/run/mysqld/mysqld.pid +socket = /var/run/mysqld/mysqld.sock +port = 3306 +basedir = /usr +datadir = /var/lib/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +skip-external-locking + +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +bind-address = 127.0.0.1 + +# +# * Fine Tuning +# +key_buffer_size = 16M +max_allowed_packet = 16M +thread_stack = 192K +thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam-recover = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 + +# +# * Query Cache Configuration +# +query_cache_limit = 1M +query_cache_size = 16M + +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +# As of 5.1 you can enable the log at runtime! +general_log_file = /dev/stdout +#general_log = 1 +# +# Error log - should be very few entries. +# +log_error = /dev/stderr +# +# Enable the slow query log to see queries with especially long duration +#slow_query_log_file = /dev/stdout +#long_query_time = 10 +#log_slow_rate_limit = 1000 +#log_slow_verbosity = query_plan +#log-queries-not-using-indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. +#server-id = 1 +#log_bin = /dev/stdout +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = include_database_name + +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. +# Read the manual for more InnoDB related options. There are many! + + +# +# * Character setschown -R 644 $DATADIR/*chown -R 644 $DATADIR/* +# +# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full +# utf8 4-byte character set. See also client.cnf +# +character-set-server = utf8mb4 +collation-server = utf8mb4_general_ci + + +# This group is only read by MariaDB servers, not by MySQL. +# If you use the same .cnf file for MySQL and MariaDB, +# you can put MariaDB-only options here +[mariadb] diff --git a/2.4.100-debian/files/etc/postfix/generic_misp b/2.4.100-debian/files/etc/postfix/generic_misp new file mode 100644 index 00000000..6a68cc10 --- /dev/null +++ b/2.4.100-debian/files/etc/postfix/generic_misp @@ -0,0 +1 @@ +root {SENDER_ADDRESS} \ No newline at end of file diff --git a/2.4.100-debian/files/etc/postfix/main.cf b/2.4.100-debian/files/etc/postfix/main.cf new file mode 100644 index 00000000..21735057 --- /dev/null +++ b/2.4.100-debian/files/etc/postfix/main.cf @@ -0,0 +1,145 @@ +############### +# General +############### + +# Main domain and hostname +mydomain = {DOMAIN} +myhostname = {HOSTNAME} +myorigin = $mydomain + +# SMTP Banner +smtpd_banner = $myhostname ESMTP MISP-dockerized +#smtpd_banner = $myhostname ESMTP $mail_name +#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) + +# Relayed networks +mynetworks = 127.0.0.1/32 [::1]/128 {DOCKER_NETWORK} + +# Empty alias list to override the configuration variable and disable NIS +alias_maps = +smtp_generic_maps = hash:/etc/postfix/generic_misp + +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = all + + +# Accept no Mails +mydestination = + +# Relayhost if any is configured +relayhost = {RELAYHOST} + + +############### +# TLS +############### + +# General TLS configuration +tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA +tls_preempt_cipherlist = yes +tls_ssl_options = NO_COMPRESSION + +# Outgoing TLS is more flexible because 1. not all receiving servers will +# support TLS, 2. not all will have and up-to-date TLS stack. +smtp_tls_security_level = may +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 +smtp_tls_protocols =!SSLv2,!SSLv3 +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtp_sasl_auth_enable = yes +smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth +smtp_sasl_security_options = noanonymous + +############### +# Restrictions +############### + +# Delay all rejects until all information can be logged +smtpd_delay_reject = yes + +smtpd_recipient_restrictions = + permit_mynetworks, + reject_non_fqdn_sender, + reject_unknown_sender_domain, + reject_unknown_recipient_domain, + reject_unverified_recipient, + permit + + +############### +# Extra Settings +############### + +# COMPATIBILITY +# +# The compatibility_level determines what default settings Postfix +# will use for main.cf and master.cf settings. These defaults will +# change over time. +# +# To avoid breaking things, Postfix will use backwards-compatible +# default settings and log where it uses those old backwards-compatible +# default settings, until the system administrator has determined +# if any backwards-compatible default settings need to be made +# permanent in main.cf or master.cf. +# +# When this review is complete, update the compatibility_level setting +# below as recommended in the RELEASE_NOTES file. +# +# The level below is what should be used with new (not upgrade) installs. +# +compatibility_level = 2 + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. +# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. +# +queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. +# +command_directory = /usr/sbin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. +# +daemon_directory = /usr/lib/postfix/sbin/ + +# The data_directory parameter specifies the location of Postfix-writable +# data files (caches, random numbers). This directory must be owned +# by the mail_owner account (see below). +# +data_directory = /var/lib/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. +# +mail_owner = postfix + +# DEBUGGING CONTROL +# +# The debug_peer_level parameter specifies the increment in verbose +# logging level when an SMTP client or server host name or address +# matches a pattern in the debug_peer_list parameter. +# +debug_peer_level = 2 + +# The debug_peer_list parameter specifies an optional list of domain +# or network patterns, /file/name patterns or type:name tables. When +# an SMTP client or server host name or address matches a pattern, +# increase the verbose logging level by the amount specified in the +# debug_peer_level parameter. +# +#debug_peer_list = 127.0.0.1 +#debug_peer_list = some.domain \ No newline at end of file diff --git a/2.4.100-debian/files/etc/postfix/main.cf.orig b/2.4.100-debian/files/etc/postfix/main.cf.orig new file mode 100644 index 00000000..45dbefff --- /dev/null +++ b/2.4.100-debian/files/etc/postfix/main.cf.orig @@ -0,0 +1,678 @@ +# Global Postfix configuration file. This file lists only a subset +# of all parameters. For the syntax, and for a complete parameter +# list, see the postconf(5) manual page (command: "man 5 postconf"). +# +# For common configuration examples, see BASIC_CONFIGURATION_README +# and STANDARD_CONFIGURATION_README. To find these documents, use +# the command "postconf html_directory readme_directory", or go to +# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. +# +# For best results, change no more than 2-3 parameters at a time, +# and test if Postfix still works after every change. + +# COMPATIBILITY +# +# The compatibility_level determines what default settings Postfix +# will use for main.cf and master.cf settings. These defaults will +# change over time. +# +# To avoid breaking things, Postfix will use backwards-compatible +# default settings and log where it uses those old backwards-compatible +# default settings, until the system administrator has determined +# if any backwards-compatible default settings need to be made +# permanent in main.cf or master.cf. +# +# When this review is complete, update the compatibility_level setting +# below as recommended in the RELEASE_NOTES file. +# +# The level below is what should be used with new (not upgrade) installs. +# +compatibility_level = 2 + +# SOFT BOUNCE +# +# The soft_bounce parameter provides a limited safety net for +# testing. When soft_bounce is enabled, mail will remain queued that +# would otherwise bounce. This parameter disables locally-generated +# bounces, and prevents the SMTP server from rejecting mail permanently +# (by changing 5xx replies into 4xx replies). However, soft_bounce +# is no cure for address rewriting mistakes or mail routing mistakes. +# +#soft_bounce = no + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. +# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. +# +queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. +# +command_directory = /usr/sbin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. +# +daemon_directory = /usr/lib/postfix + +# The data_directory parameter specifies the location of Postfix-writable +# data files (caches, random numbers). This directory must be owned +# by the mail_owner account (see below). +# +data_directory = /var/lib/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. +# +mail_owner = postfix + +# The default_privs parameter specifies the default rights used by +# the local delivery agent for delivery to external file or command. +# These rights are used in the absence of a recipient user context. +# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. +# +#default_privs = nobody + +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. +# +#myhostname = host.domain.tld +#myhostname = virtual.domain.tld + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. +# $mydomain is used as a default value for many other configuration +# parameters. +# +#mydomain = domain.tld + +# SENDING MAIL +# +# The myorigin parameter specifies the domain that locally-posted +# mail appears to come from. The default is to append $myhostname, +# which is fine for small sites. If you run a domain with multiple +# machines, you should (1) change this to $mydomain and (2) set up +# a domain-wide alias database that aliases each user to +# user@that.users.mailhost. +# +# For the sake of consistency between sender and recipient addresses, +# myorigin also specifies the default domain name that is appended +# to recipient addresses that have no @domain part. +# +#myorigin = $myhostname +#myorigin = $mydomain + +# RECEIVING MAIL + +# The inet_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on. By default, +# the software claims all active interfaces on the machine. The +# parameter also controls delivery of mail to user@[ip.address]. +# +# See also the proxy_interfaces parameter, for network addresses that +# are forwarded to us via a proxy or network address translator. +# +# Note: you need to stop/start Postfix when this parameter changes. +# +#inet_interfaces = all +#inet_interfaces = $myhostname +#inet_interfaces = $myhostname, localhost + +# The proxy_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on by way of a +# proxy or network address translation unit. This setting extends +# the address list specified with the inet_interfaces parameter. +# +# You must specify your proxy/NAT addresses when your system is a +# backup MX host for other domains, otherwise mail delivery loops +# will happen when the primary MX host is down. +# +#proxy_interfaces = +#proxy_interfaces = 1.2.3.4 + +# The mydestination parameter specifies the list of domains that this +# machine considers itself the final destination for. +# +# These domains are routed to the delivery agent specified with the +# local_transport parameter setting. By default, that is the UNIX +# compatible delivery agent that lookups all recipients in /etc/passwd +# and /etc/aliases or their equivalent. +# +# The default is $myhostname + localhost.$mydomain + localhost. On +# a mail domain gateway, you should also include $mydomain. +# +# Do not specify the names of virtual domains - those domains are +# specified elsewhere (see VIRTUAL_README). +# +# Do not specify the names of domains that this machine is backup MX +# host for. Specify those names via the relay_domains settings for +# the SMTP server, or use permit_mx_backup if you are lazy (see +# STANDARD_CONFIGURATION_README). +# +# The local machine is always the final destination for mail addressed +# to user@[the.net.work.address] of an interface that the mail system +# receives mail on (see the inet_interfaces parameter). +# +# Specify a list of host or domain names, /file/name or type:table +# patterns, separated by commas and/or whitespace. A /file/name +# pattern is replaced by its contents; a type:table is matched when +# a name matches a lookup key (the right-hand side is ignored). +# Continue long lines by starting the next line with whitespace. +# +# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". +# +#mydestination = $myhostname, localhost.$mydomain, localhost +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, +# mail.$mydomain, www.$mydomain, ftp.$mydomain + +# REJECTING MAIL FOR UNKNOWN LOCAL USERS +# +# The local_recipient_maps parameter specifies optional lookup tables +# with all names or addresses of users that are local with respect +# to $mydestination, $inet_interfaces or $proxy_interfaces. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown local users. This parameter is defined by default. +# +# To turn off local recipient checking in the SMTP server, specify +# local_recipient_maps = (i.e. empty). +# +# The default setting assumes that you use the default Postfix local +# delivery agent for local delivery. You need to update the +# local_recipient_maps setting if: +# +# - You define $mydestination domain recipients in files other than +# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. +# For example, you define $mydestination domain recipients in +# the $virtual_mailbox_maps files. +# +# - You redefine the local delivery agent in master.cf. +# +# - You redefine the "local_transport" setting in main.cf. +# +# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" +# feature of the Postfix local delivery agent (see local(8)). +# +# Details are described in the LOCAL_RECIPIENT_README file. +# +# Beware: if the Postfix SMTP server runs chrooted, you probably have +# to access the passwd file via the proxymap service, in order to +# overcome chroot restrictions. The alternative, having a copy of +# the system passwd file in the chroot jail is just not practical. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify a bare username, an @domain.tld +# wild-card, or specify a user@domain.tld address. +# +#local_recipient_maps = unix:passwd.byname $alias_maps +#local_recipient_maps = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# The unknown_local_recipient_reject_code specifies the SMTP server +# response code when a recipient domain matches $mydestination or +# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty +# and the recipient address or address local-part is not found. +# +# The default setting is 550 (reject mail) but it is safer to start +# with 450 (try again later) until you are certain that your +# local_recipient_maps settings are OK. +# +unknown_local_recipient_reject_code = 550 + +# TRUST AND RELAY CONTROL + +# The mynetworks parameter specifies the list of "trusted" SMTP +# clients that have more privileges than "strangers". +# +# In particular, "trusted" SMTP clients are allowed to relay mail +# through Postfix. See the smtpd_recipient_restrictions parameter +# in postconf(5). +# +# You can specify the list of "trusted" network addresses by hand +# or you can let Postfix do it for you (which is the default). +# +# By default (mynetworks_style = subnet), Postfix "trusts" SMTP +# clients in the same IP subnetworks as the local machine. +# On Linux, this does works correctly only with interfaces specified +# with the "ifconfig" command. +# +# Specify "mynetworks_style = class" when Postfix should "trust" SMTP +# clients in the same IP class A/B/C networks as the local machine. +# Don't do this with a dialup site - it would cause Postfix to "trust" +# your entire provider's network. Instead, specify an explicit +# mynetworks list by hand, as described below. +# +# Specify "mynetworks_style = host" when Postfix should "trust" +# only the local machine. +# +#mynetworks_style = class +#mynetworks_style = subnet +#mynetworks_style = host + +# Alternatively, you can specify the mynetworks list by hand, in +# which case Postfix ignores the mynetworks_style setting. +# +# Specify an explicit list of network/netmask patterns, where the +# mask specifies the number of bits in the network part of a host +# address. +# +# You can also specify the absolute pathname of a pattern file instead +# of listing the patterns here. Specify type:table for table-based lookups +# (the value on the table right-hand side is not used). +# +#mynetworks = 168.100.189.0/28, 127.0.0.0/8 +#mynetworks = $config_directory/mynetworks +#mynetworks = hash:/etc/postfix/network_table + +# The relay_domains parameter restricts what destinations this system will +# relay mail to. See the smtpd_recipient_restrictions description in +# postconf(5) for detailed information. +# +# By default, Postfix relays mail +# - from "trusted" clients (IP address matches $mynetworks) to any destination, +# - from "untrusted" clients to destinations that match $relay_domains or +# subdomains thereof, except addresses with sender-specified routing. +# The default relay_domains value is $mydestination. +# +# In addition to the above, the Postfix SMTP server by default accepts mail +# that Postfix is final destination for: +# - destinations that match $inet_interfaces or $proxy_interfaces, +# - destinations that match $mydestination +# - destinations that match $virtual_alias_domains, +# - destinations that match $virtual_mailbox_domains. +# These destinations do not need to be listed in $relay_domains. +# +# Specify a list of hosts or domains, /file/name patterns or type:name +# lookup tables, separated by commas and/or whitespace. Continue +# long lines by starting the next line with whitespace. A file name +# is replaced by its contents; a type:name table is matched when a +# (parent) domain appears as lookup key. +# +# NOTE: Postfix will not automatically forward mail for domains that +# list this system as their primary or backup MX host. See the +# permit_mx_backup restriction description in postconf(5). +# +#relay_domains = $mydestination + +# INTERNET OR INTRANET + +# The relayhost parameter specifies the default host to send mail to +# when no entry is matched in the optional transport(5) table. When +# no relayhost is given, mail is routed directly to the destination. +# +# On an intranet, specify the organizational domain name. If your +# internal DNS uses no MX records, specify the name of the intranet +# gateway host instead. +# +# In the case of SMTP, specify a domain, host, host:port, [host]:port, +# [address] or [address]:port; the form [host] turns off MX lookups. +# +# If you're connected via UUCP, see also the default_transport parameter. +# +#relayhost = $mydomain +#relayhost = [gateway.my.domain] +#relayhost = [mailserver.isp.tld] +#relayhost = uucphost +#relayhost = [an.ip.add.ress] + +# REJECTING UNKNOWN RELAY USERS +# +# The relay_recipient_maps parameter specifies optional lookup tables +# with all addresses in the domains that match $relay_domains. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown relay users. This feature is off by default. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify an @domain.tld wild-card, or specify +# a user@domain.tld address. +# +#relay_recipient_maps = hash:/etc/postfix/relay_recipients + +# INPUT RATE CONTROL +# +# The in_flow_delay configuration parameter implements mail input +# flow control. This feature is turned on by default, although it +# still needs further development (it's disabled on SCO UNIX due +# to an SCO bug). +# +# A Postfix process will pause for $in_flow_delay seconds before +# accepting a new message, when the message arrival rate exceeds the +# message delivery rate. With the default 100 SMTP server process +# limit, this limits the mail inflow to 100 messages a second more +# than the number of messages delivered per second. +# +# Specify 0 to disable the feature. Valid delays are 0..10. +# +#in_flow_delay = 1s + +# ADDRESS REWRITING +# +# The ADDRESS_REWRITING_README document gives information about +# address masquerading or other forms of address rewriting including +# username->Firstname.Lastname mapping. + +# ADDRESS REDIRECTION (VIRTUAL DOMAIN) +# +# The VIRTUAL_README document gives information about the many forms +# of domain hosting that Postfix supports. + +# "USER HAS MOVED" BOUNCE MESSAGES +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# TRANSPORT MAP +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. +# +#alias_maps = dbm:/etc/aliases +#alias_maps = hash:/etc/aliases +#alias_maps = hash:/etc/aliases, nis:mail.aliases +#alias_maps = netinfo:/aliases + +# The alias_database parameter specifies the alias database(s) that +# are built with "newaliases" or "sendmail -bi". This is a separate +# configuration parameter, because alias_maps (see above) may specify +# tables that are not necessarily all under control by Postfix. +# +#alias_database = dbm:/etc/aliases +#alias_database = dbm:/etc/mail/aliases +#alias_database = hash:/etc/aliases +#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases + +# ADDRESS EXTENSIONS (e.g., user+foo) +# +# The recipient_delimiter parameter specifies the separator between +# user names and address extensions (user+foo). See canonical(5), +# local(8), relocated(5) and virtual(5) for the effects this has on +# aliases, canonical, virtual, relocated and .forward file lookups. +# Basically, the software tries user+foo and .forward+foo before +# trying user and .forward. +# +#recipient_delimiter = + + +# DELIVERY TO MAILBOX +# +# The home_mailbox parameter specifies the optional pathname of a +# mailbox file relative to a user's home directory. The default +# mailbox file is /var/spool/mail/user or /var/mail/user. Specify +# "Maildir/" for qmail-style delivery (the / is required). +# +#home_mailbox = Mailbox +#home_mailbox = Maildir/ + +# The mail_spool_directory parameter specifies the directory where +# UNIX-style mailboxes are kept. The default setting depends on the +# system type. +# +#mail_spool_directory = /var/mail +#mail_spool_directory = /var/spool/mail + +# The mailbox_command parameter specifies the optional external +# command to use instead of mailbox delivery. The command is run as +# the recipient with proper HOME, SHELL and LOGNAME environment settings. +# Exception: delivery for root is done as $default_user. +# +# Other environment variables of interest: USER (recipient username), +# EXTENSION (address extension), DOMAIN (domain part of address), +# and LOCAL (the address localpart). +# +# Unlike other Postfix configuration parameters, the mailbox_command +# parameter is not subjected to $parameter substitutions. This is to +# make it easier to specify shell syntax (see example below). +# +# Avoid shell meta characters because they will force Postfix to run +# an expensive shell process. Procmail alone is expensive enough. +# +# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN +# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. +# +#mailbox_command = /some/where/procmail +#mailbox_command = /some/where/procmail -a "$EXTENSION" + +# The mailbox_transport specifies the optional transport in master.cf +# to use after processing aliases and .forward files. This parameter +# has precedence over the mailbox_command, fallback_transport and +# luser_relay parameters. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" +# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. +#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp +# +# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and +# subsequent line in master.cf. +#mailbox_transport = cyrus + +# The fallback_transport specifies the optional transport in master.cf +# to use for recipients that are not found in the UNIX passwd database. +# This parameter has precedence over the luser_relay parameter. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#fallback_transport = lmtp:unix:/file/name +#fallback_transport = cyrus +#fallback_transport = + +# The luser_relay parameter specifies an optional destination address +# for unknown recipients. By default, mail for unknown@$mydestination, +# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned +# as undeliverable. +# +# The following expansions are done on luser_relay: $user (recipient +# username), $shell (recipient shell), $home (recipient home directory), +# $recipient (full recipient address), $extension (recipient address +# extension), $domain (recipient domain), $local (entire recipient +# localpart), $recipient_delimiter. Specify ${name?value} or +# ${name:value} to expand value only when $name does (does not) exist. +# +# luser_relay works only for the default Postfix local delivery agent. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must specify "local_recipient_maps =" (i.e. empty) in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#luser_relay = $user@other.host +#luser_relay = $local@other.host +#luser_relay = admin+$local + +# JUNK MAIL CONTROLS +# +# The controls listed here are only a very small subset. The file +# SMTPD_ACCESS_README provides an overview. + +# The header_checks parameter specifies an optional table with patterns +# that each logical message header is matched against, including +# headers that span multiple physical lines. +# +# By default, these patterns also apply to MIME headers and to the +# headers of attached messages. With older Postfix versions, MIME and +# attached message headers were treated as body text. +# +# For details, see "man header_checks". +# +#header_checks = regexp:/etc/postfix/header_checks + +# FAST ETRN SERVICE +# +# Postfix maintains per-destination logfiles with information about +# deferred mail, so that mail can be flushed quickly with the SMTP +# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". +# See the ETRN_README document for a detailed description. +# +# The fast_flush_domains parameter controls what destinations are +# eligible for this service. By default, they are all domains that +# this server is willing to relay mail to. +# +#fast_flush_domains = $relay_domains + +# SHOW SOFTWARE VERSION OR NOT +# +# The smtpd_banner parameter specifies the text that follows the 220 +# code in the SMTP server's greeting banner. Some people like to see +# the mail version advertised. By default, Postfix shows no version. +# +# You MUST specify $myhostname at the start of the text. That is an +# RFC requirement. Postfix itself does not care. +# +#smtpd_banner = $myhostname ESMTP $mail_name +#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) + +# PARALLEL DELIVERY TO THE SAME DESTINATION +# +# How many parallel deliveries to the same user or domain? With local +# delivery, it does not make sense to do massively parallel delivery +# to the same user, because mailbox updates must happen sequentially, +# and expensive pipelines in .forward files can cause disasters when +# too many are run at the same time. With SMTP deliveries, 10 +# simultaneous connections to the same domain could be sufficient to +# raise eyebrows. +# +# Each message delivery transport has its XXX_destination_concurrency_limit +# parameter. The default is $default_destination_concurrency_limit for +# most delivery transports. For the local delivery agent the default is 2. + +#local_destination_concurrency_limit = 2 +#default_destination_concurrency_limit = 20 + +# DEBUGGING CONTROL +# +# The debug_peer_level parameter specifies the increment in verbose +# logging level when an SMTP client or server host name or address +# matches a pattern in the debug_peer_list parameter. +# +debug_peer_level = 2 + +# The debug_peer_list parameter specifies an optional list of domain +# or network patterns, /file/name patterns or type:name tables. When +# an SMTP client or server host name or address matches a pattern, +# increase the verbose logging level by the amount specified in the +# debug_peer_level parameter. +# +#debug_peer_list = 127.0.0.1 +#debug_peer_list = some.domain + +# The debugger_command specifies the external command that is executed +# when a Postfix daemon program is run with the -D option. +# +# Use "command .. & sleep 5" so that the debugger can attach before +# the process marches on. If you use an X-based debugger, be sure to +# set up your XAUTHORITY environment variable before starting Postfix. +# +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + ddd $daemon_directory/$process_name $process_id & sleep 5 + +# If you can't use X, use this to capture the call stack when a +# daemon crashes. The result is in a file in the configuration +# directory, and is named after the process name and the process ID. +# +# debugger_command = +# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; +# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 +# >$config_directory/$process_name.$process_id.log & sleep 5 +# +# Another possibility is to run gdb under a detached screen session. +# To attach to the screen session, su root and run "screen -r +# " where uniquely matches one of the detached +# sessions (from "screen -list"). +# +# debugger_command = +# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen +# -dmS $process_name gdb $daemon_directory/$process_name +# $process_id & sleep 1 + +# INSTALL-TIME CONFIGURATION INFORMATION +# +# The following parameters are used when installing a new Postfix version. +# +# sendmail_path: The full pathname of the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. +# +sendmail_path = /usr/sbin/sendmail + +# newaliases_path: The full pathname of the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases. +# +newaliases_path = /usr/bin/newaliases + +# mailq_path: The full pathname of the Postfix mailq command. This +# is the Sendmail-compatible mail queue listing command. +# +mailq_path = /usr/bin/mailq + +# setgid_group: The group for mail submission and queue management +# commands. This must be a group name with a numerical group ID that +# is not shared with other accounts, not even with the Postfix account. +# +setgid_group = postdrop + +# html_directory: The location of the Postfix HTML documentation. +# +html_directory = no + +# manpage_directory: The location of the Postfix on-line manual pages. +# +manpage_directory = /usr/share/man + +# sample_directory: The location of the Postfix sample configuration files. +# This parameter is obsolete as of Postfix 2.1. +# +sample_directory = /etc/postfix + +# readme_directory: The location of the Postfix README files. +# +readme_directory = /usr/share/doc/postfix/readme +inet_protocols = ipv4 +meta_directory = /etc/postfix +shlib_directory = /usr/lib/postfix \ No newline at end of file diff --git a/2.4.100-debian/files/etc/postfix/master.cf b/2.4.100-debian/files/etc/postfix/master.cf new file mode 100644 index 00000000..d77c147a --- /dev/null +++ b/2.4.100-debian/files/etc/postfix/master.cf @@ -0,0 +1,26 @@ +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) + +# Exposed SMTP service +smtp inet n - n - - smtpd + +# Internal postfix services +pickup unix n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr unix n - n 300 1 qmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +smtp unix - - n - - smtp +relay unix - - n - - smtp +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +scache unix - - n - 1 scache \ No newline at end of file diff --git a/2.4.100-debian/files/etc/postfix/master.cf.orig b/2.4.100-debian/files/etc/postfix/master.cf.orig new file mode 100644 index 00000000..9a2cb837 --- /dev/null +++ b/2.4.100-debian/files/etc/postfix/master.cf.orig @@ -0,0 +1,131 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - n - - smtpd +#smtp inet n - n - 1 postscreen +#smtpd pass - - n - - smtpd +#dnsblog unix - - n - 0 dnsblog +#tlsproxy unix - - n - 0 tlsproxy +#submission inet n - n - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - n - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - n - - qmqpd +pickup unix n - n 60 1 pickup +cleanup unix n - n - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - n - - smtp +relay unix - - n - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +scache unix - - n - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +#maildrop unix - n n - - pipe +# flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +#uucp unix - n n - - pipe +# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# ==================================================================== +# +# Other external delivery methods. +# +#ifmail unix - n n - - pipe +# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +# +#bsmtp unix - n n - - pipe +# flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient +# +#scalemail-backend unix - n n - 2 pipe +# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store +# ${nexthop} ${user} ${extension} +# +#mailman unix - n n - - pipe +# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py +# ${nexthop} ${user} \ No newline at end of file diff --git a/2.4.100-debian/files/etc/postfix/smtp_auth b/2.4.100-debian/files/etc/postfix/smtp_auth new file mode 100644 index 00000000..c02f99d8 --- /dev/null +++ b/2.4.100-debian/files/etc/postfix/smtp_auth @@ -0,0 +1 @@ +{RELAYHOST} {RELAY_USER}:{RELAY_PASSWORD} \ No newline at end of file diff --git a/2.4.100-debian/files/etc/rsyslog.d/rsyslog_custom.conf b/2.4.100-debian/files/etc/rsyslog.d/rsyslog_custom.conf new file mode 100644 index 00000000..cac6f880 --- /dev/null +++ b/2.4.100-debian/files/etc/rsyslog.d/rsyslog_custom.conf @@ -0,0 +1,30 @@ +# https://www.slideshare.net/rainergerhards1/using-wildcards-with-rsyslogs-file-monitor-imfile +module(load="imfile") +# Apache2 +input (type="imfile" tag="apache.info" file="/var/log/apache2/access.log") +input (type="imfile" tag="apache.info" file="/var/log/apache2/other_vhosts_access.log") +input (type="imfile" tag="apache.error" file="/var/log/apache2/error.log") +# MISP +input (type="imfile" tag="misp.error" file="/var/www/MISP/app/tmp/logs/error.log") +# Cake +input (type="imfile" tag="worker.error" file="/var/www/MISP/app/tmp/logs/resque-worker-error.log") +input (type="imfile" tag="scheduler.error" file="/var/www/MISP/app/tmp/logs/resque-scheduler-error.log") +input (type="imfile" tag="resque.debug" file="/var/www/MISP/app/tmp/logs/resque-*.log") +# ZeroMQ +input (type="imfile" tag="mispzmq.info" file="/var/www/MISP/app/tmp/logs/mispzmq.log") +input (type="imfile" tag="mispzmq.error" file="/var/www/MISP/app/tmp/logs/mispzmq.error.log") + + +# all info and debug tagged messages to stdout +*.info;\ + *.debug /dev/stdout + +# all error and emerg tagged messages to stderr +*.error;\ + *.emerg /dev/stderr + +# discard all other: +& stop + +# all other +*.* /dev/stdout diff --git a/2.4.100-debian/files/etc/supervisord/supervisord.conf b/2.4.100-debian/files/etc/supervisord/supervisord.conf new file mode 100644 index 00000000..ebda719e --- /dev/null +++ b/2.4.100-debian/files/etc/supervisord/supervisord.conf @@ -0,0 +1,63 @@ +[supervisord] +nodaemon=true +user=root + +[program:db] +command=/entrypoint_local_mariadb.sh +autorestart=true +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 + +[program:apache2] +command=/entrypoint_apache.sh +autorestart=true +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 + +[program:redis] +command=/entrypoint_redis.sh +autorestart=true +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 + +# [program:monitoring] +# command=/entrypoint_monitoring.sh +# autorestart=true +# stdout_logfile=/dev/stdout +# stdout_logfile_maxbytes=0 +# stderr_logfile=/dev/stderr +# stderr_logfile_maxbytes=0 + +# [program:syslog-ng] +# command=/entrypoint_syslog-ng.sh +# stdout_logfile=/dev/stdout +# stdout_logfile_maxbytes=0 +# stderr_logfile=/dev/stderr +# stderr_logfile_maxbytes=0 +# autostart=true + +[program:cron] +command=/entrypoint_cron.sh +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +autostart=true + +[program:rsyslog] +command=/entrypoint_rsyslog.sh +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +autostart=true + +[program:postfix] +command=/entrypoint_postfix.sh +autorestart=true \ No newline at end of file diff --git a/2.4.100-debian/files/etc/syslog-ng/syslog-ng.conf b/2.4.100-debian/files/etc/syslog-ng/syslog-ng.conf new file mode 100644 index 00000000..9ce3cd5d --- /dev/null +++ b/2.4.100-debian/files/etc/syslog-ng/syslog-ng.conf @@ -0,0 +1,84 @@ +@version: 3.9 +# general options +options { + chain_hostnames(off); + flush_lines(0); + use_dns(no); + use_fqdn(no); + owner("root"); + group("adm"); + perm(0640); + stats_freq(0); + bad_hostname("^gconfd$"); +}; + +# Define Sources for Logs +source s_src { + # standard Linux log source (this is the default place for the syslog() function to send logs to) + unix-stream("/dev/log"); + unix-dgram("/dev/log"); + # from syslog itself + internal(); +}; + + +source s_myaccess { + #file("/var/log/netdata/access.log" follow-freq(1)); + file("/var/log/apache2/access.log" follow-freq(1)); + file("/var/log/apache2/other_vhosts_access.log" follow-freq(1)); + wildcard-file( + base-dir("/var/www/MISP/app/tmp/logs") + filename-pattern("resque-*") + recursive(no) + follow-freq(1) + ); +}; + +# source s_mydebug { +# file("/var/log/netdata/debug.log"); +# }; + +source s_myerror { + #file("/var/log/netdata/error.log" follow-freq(1)); + file("/var/log/apache2/error.log" follow-freq(1)); + #file("/var/log/mysql/error.log" follow-freq(1)); + file("/var/www/MISP/app/tmp/logs/error.log" follow-freq(1)); + file("/var/www/MISP/app/tmp/logs/resque-worker-error.log" follow-freq(1)); + file("/var/www/MISP/app/tmp/logs/resque-scheduler-error.log" follow-freq(1)); +}; + +# Define Destinations to save the logs +destination d_stdout { pipe("/dev/stdout"); }; +destination d_stderr { pipe("/dev/stderr"); }; +destination df_mail { file("/var/log/mail.log"); }; +destination mailinfo { file("/var/log/mail.info"); }; +destination mailwarn { file("/var/log/mail.warn"); }; +destination mailerr { file("/var/log/mail.err"); }; + +# Define Filter +filter f_mail { facility(mail); }; +filter f_skip_local { not facility (local0, local1, local2, local3, local4, local5, local6, local7); }; +filter f_emergency { level(emerg); }; +filter f_info { level(info); }; +filter f_notice { level(notice); }; +filter f_warn { level(warn); }; +filter f_crit { level(crit); }; +filter f_err { level(err); }; +filter f_higher_than_warning { not level (info,debug,notice); }; + + +# Define log output +# for Mail: +log { source(s_src); filter(f_mail); filter(f_info); destination(d_stdout); destination(mailinfo); }; +log { source(s_src); filter(f_mail); filter(f_warn); destination(d_stderr); destination(mailwarn); }; +log { source(s_src); filter(f_mail); filter(f_err); destination(d_stderr); destination(mailerr); }; +# for all other: +log { source(s_src); filter(f_higher_than_warning); destination(d_stderr);}; +log { source(s_src); destination(d_stdout); }; + +# logging access +log { source(s_myaccess); destination(d_stdout); }; +# logging debug +#log { source(s_mydebug); destination(d_stdout); }; +# logging error +log { source(s_myerror); destination(d_stderr); }; \ No newline at end of file diff --git a/2.4.100-debian/files/healthcheck.sh b/2.4.100-debian/files/healthcheck.sh new file mode 100644 index 00000000..09feb1db --- /dev/null +++ b/2.4.100-debian/files/healthcheck.sh @@ -0,0 +1,33 @@ +#!/bin/bash + +function check_apache(){ + curl -fk https://localhost/ || exit 1 +} + +function check_mysql(){ + # if no host is give default localhost + [ -z $MYSQL_HOST ] && MYSQL_HOST=localhost + # exit with error if no databases are exists + [ ! "$(mysql -u $MYSQL_USER -h $MYSQL_HOST -p$MYSQL_PASSWORD --execute 'show databases;'|grep $MYSQL_DATABASE)" == $MYSQL_DATABASE ] && exit 1 +} + +function check_redis(){ + # if no host is give default localhost + [ -z $REDIS_HOST ] && REDIS_HOST=localhost + [ "$(redis-cli -h $REDIS_HOST ping)" == "PONG" ] || exit 1 +} + +function check_worker(){ + # Check worker intances process. This is no check if the worker are working! + for i in default cache prio email + do + [ -z "$(ps ax|grep QUEUE=\'$i\')" ] && exit 1 + done +} + +# execute Funtions +check_apache +check_mysql +check_redis +check_worker +exit 0 \ No newline at end of file diff --git a/2.4.100-debian/files/ssl_upload.html b/2.4.100-debian/files/ssl_upload.html new file mode 100644 index 00000000..913abaa0 --- /dev/null +++ b/2.4.100-debian/files/ssl_upload.html @@ -0,0 +1,73 @@ + + + + Upload Files using XMLHttpRequest - Minimal + + + + +
+
+
+ +
+
+
+
+
+ +
+
+
+ + \ No newline at end of file diff --git a/2.4.100-debian/files/update_misp.sh b/2.4.100-debian/files/update_misp.sh new file mode 100644 index 00000000..19627a84 --- /dev/null +++ b/2.4.100-debian/files/update_misp.sh @@ -0,0 +1,45 @@ +#!/bin/bash + +set -ex + + +STARTMSG="[UPDATE_MISP]" + +[ -z $CAKE ] && export CAKE="$MISP_APP_PATH/Console/cake" + +# Init MISP and create user +while true +do + # copy auth_key + export AUTH_KEY=$(docker exec misp-server bash -c 'mysql -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE -e "SELECT authkey FROM users;" | head -2|tail -1') + + # initial user if all is good auth_key is return + [ -z $AUTH_KEY ] && export AUTH_KEY=$(docker exec misp-server bash -c "sudo -E /var/www/MISP/app/Console/cake userInit -q") && echo "new Auth_Key: $AUTH_KEY" + + # if user is initalized but mysql is not ready continue + [ "$AUTH_KEY" == "Script aborted: MISP instance already initialised." ] && continue + + # if the auth_key is save go out + [ -z $AUTH_KEY ] || break + + # wait 5 seconds + sleep 5 +done + + + +# Update the galaxies… +echo "$STARTMSG Update Galaxies..." && sudo $CAKE Admin updateGalaxies +# Updating the taxonomies… +echo "$STARTMSG Update Taxonomies..." && sudo $CAKE Admin updateTaxonomies +# Updating the warning lists… +echo "$STARTMSG Update WarningLists..." && sudo $CAKE Admin updateWarningLists +# Updating the notice lists… +echo "$STARTMSG Update NoticeLists..." && sudo $CAKE Admin updateNoticeLists +#curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update + +# Updating the object templates… +echo "$STARTMSG Update Object Templates..." && sudo $CAKE Admin updateObjectTemplates +#curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update + +exit \ No newline at end of file diff --git a/2.4.100-debian/files/var/www/MISP/app/View/Elements/Events/eventIndexTable.patch b/2.4.100-debian/files/var/www/MISP/app/View/Elements/Events/eventIndexTable.patch new file mode 100644 index 00000000..9ef5aee9 --- /dev/null +++ b/2.4.100-debian/files/var/www/MISP/app/View/Elements/Events/eventIndexTable.patch @@ -0,0 +1,12 @@ +55a56,60 +> +> +> Paginator->sort('analysis');?> +> +> +203a209,213 +> +> '"> +>   +> +> diff --git a/2.4.100-debian/files/var/www/MISP/app/View/Elements/Events/eventIndexTable_orig.ctp b/2.4.100-debian/files/var/www/MISP/app/View/Elements/Events/eventIndexTable_orig.ctp new file mode 100644 index 00000000..ae076641 --- /dev/null +++ b/2.4.100-debian/files/var/www/MISP/app/View/Elements/Events/eventIndexTable_orig.ctp @@ -0,0 +1,240 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + > + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+   +   + Paginator->sort('published');?> + Paginator->sort('Org', 'Source org'); ?>Paginator->sort('Org', 'Member org'); ?>Paginator->sort('Org'); ?>Paginator->sort('owner org');?>Paginator->sort('id', null, array('direction' => 'desc'));?>Paginator->sort('attribute_count', '#Attr.');?>Paginator->sort('user_id', 'Email');?>Paginator->sort('date', null, array('direction' => 'desc'));?>Paginator->sort('info');?> + Paginator->sort('distribution');?> + Actions
+ + '"> + + " class = "icon-ok" title = ""> + + " class = "icon-remove" title = ""> +   + '"> + OrgImg->getOrgImg(array('name' => $event['Orgc']['name'], 'id' => $event['Orgc']['id'], 'size' => 24)); + ?> +   + '"> + OrgImg->getOrgImg(array('name' => $event['Org']['name'], 'id' => $event['Org']['id'], 'size' => 24)); + ?> +   + + "> + + $cluster['value'], 'id' => $cluster['id'], 'tag_id' => $cluster['tag_id']); + endforeach; + endif; + $first = true; + foreach ($clusterList as $galaxy_id => $clusters): + if (!$first) { + echo '
'; + } else { + $first = false; + } + ?> + : + +
+ +   + + + +   + 		+ + + + '"> +   + '" title=""> +   + '" title=""> +   + '" title=""> +   + '" title=""> + ' . __('NEW') . ')'; + } + } else { + $post_count = ''; + } + ?> +   + '"> +   + '"> +   + '"> +   + + + + + + Form->postLink('', array('action' => 'alert', $event['Event']['id']), array('class' => 'icon-download-alt', 'title' => __('Publish Event'), __('Are you sure this event is complete and everyone should be informed?'))); + else if (0 == $event['Event']['published']) echo __('Not published'); + + if ($isSiteAdmin || ($isAclModify && $event['Event']['user_id'] == $me['id']) || ($isAclModifyOrg && $event['Event']['orgc_id'] == $me['org_id'])): + ?> + ' class = "icon-edit" title = ""> + Form->postLink('', array('action' => 'delete', $event['Event']['id']), array('class' => 'icon-trash', 'title' => __('Delete')), __('Are you sure you want to delete # %s?', $event['Event']['id'])); + endif; + ?> + ' class = "icon-list-alt" title = ""> +
+ diff --git a/2.4.100-debian/files/var/www/MISP/app/View/Elements/Events/eventIndexTable_patched.ctp b/2.4.100-debian/files/var/www/MISP/app/View/Elements/Events/eventIndexTable_patched.ctp new file mode 100644 index 00000000..925e1977 --- /dev/null +++ b/2.4.100-debian/files/var/www/MISP/app/View/Elements/Events/eventIndexTable_patched.ctp @@ -0,0 +1,250 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + > + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+   +   + Paginator->sort('published');?> + Paginator->sort('Org', 'Source org'); ?>Paginator->sort('Org', 'Member org'); ?>Paginator->sort('Org'); ?>Paginator->sort('owner org');?>Paginator->sort('id', null, array('direction' => 'desc'));?>Paginator->sort('attribute_count', '#Attr.');?>Paginator->sort('user_id', 'Email');?>Paginator->sort('date', null, array('direction' => 'desc'));?> + Paginator->sort('analysis');?> + Paginator->sort('info');?> + Paginator->sort('distribution');?> + Actions
+ + '"> + + " class = "icon-ok" title = ""> + + " class = "icon-remove" title = ""> +   + '"> + OrgImg->getOrgImg(array('name' => $event['Orgc']['name'], 'id' => $event['Orgc']['id'], 'size' => 24)); + ?> +   + '"> + OrgImg->getOrgImg(array('name' => $event['Org']['name'], 'id' => $event['Org']['id'], 'size' => 24)); + ?> +   + + "> + + $cluster['value'], 'id' => $cluster['id'], 'tag_id' => $cluster['tag_id']); + endforeach; + endif; + $first = true; + foreach ($clusterList as $galaxy_id => $clusters): + if (!$first) { + echo '
'; + } else { + $first = false; + } + ?> + : + +
+ +   + + + +   + 		+ + + + '"> +   + '" title=""> +   + '" title=""> +   + '" title=""> +   + '" title=""> + ' . __('NEW') . ')'; + } + } else { + $post_count = ''; + } + ?> +   + '"> +   + '"> +   + '"> +   + '"> +   + + + + + + Form->postLink('', array('action' => 'alert', $event['Event']['id']), array('class' => 'icon-download-alt', 'title' => __('Publish Event'), __('Are you sure this event is complete and everyone should be informed?'))); + else if (0 == $event['Event']['published']) echo __('Not published'); + + if ($isSiteAdmin || ($isAclModify && $event['Event']['user_id'] == $me['id']) || ($isAclModifyOrg && $event['Event']['orgc_id'] == $me['org_id'])): + ?> + ' class = "icon-edit" title = ""> + Form->postLink('', array('action' => 'delete', $event['Event']['id']), array('class' => 'icon-trash', 'title' => __('Delete')), __('Are you sure you want to delete # %s?', $event['Event']['id'])); + endif; + ?> + ' class = "icon-list-alt" title = ""> +
+ diff --git a/2.4.97-debian/files/entrypoint_apache.sh b/2.4.97-debian/files/entrypoint_apache.sh index 66430ab2..93eae93d 100644 --- a/2.4.97-debian/files/entrypoint_apache.sh +++ b/2.4.97-debian/files/entrypoint_apache.sh @@ -18,7 +18,7 @@ PID_CERT_CREATER="/etc/apache2/ssl/SSL_create.pid" # defaults -[ -z $MISP_URL -a -z $MISP_FQDN ] && echo "Please set 'MISP_FQDN' environment variable in docker-compose.override.yml file for misp-server!!!" && exit +[ -z $MISP_URL -a -z $MISP_FQDN ] && echo "Please set 'MISP_FQDN' or 'MISP_URL' environment variable in docker-compose.override.yml file for misp-server!!!" && exit [ -z $MISP_URL -a ! -z $MISP_FQDN ] && export MISP_URL="https://$(echo $MISP_FQDN|cut -d '/' -f 3)" [ -z $PGP_ENABLE ] && export PGP_ENABLE=0 [ -z $SMIME_ENABLE ] && export SMIME_ENABLE=0 @@ -432,8 +432,6 @@ echo "$STARTMSG #################################### started Apache2 with cmd: echo echo cat <<__WELCOME__ -Congratulations! -Your MISP docker has been successfully booted for the first time. " ########### MISP environment is ready ###########" " Please go to: ${MYSQL_HOST}" " Login credentials:" @@ -443,7 +441,7 @@ Your MISP docker has been successfully booted for the first time. " Do not forget to change your SSL certificate with: make change-ssl" " ##########################################################" Congratulations! -Your MISP docker has been successfully booted for the first time. +Your MISP-dockerized server has been successfully booted. __WELCOME__ diff --git a/2.4.98-debian/files/entrypoint_apache.sh b/2.4.98-debian/files/entrypoint_apache.sh index 66430ab2..93eae93d 100644 --- a/2.4.98-debian/files/entrypoint_apache.sh +++ b/2.4.98-debian/files/entrypoint_apache.sh @@ -18,7 +18,7 @@ PID_CERT_CREATER="/etc/apache2/ssl/SSL_create.pid" # defaults -[ -z $MISP_URL -a -z $MISP_FQDN ] && echo "Please set 'MISP_FQDN' environment variable in docker-compose.override.yml file for misp-server!!!" && exit +[ -z $MISP_URL -a -z $MISP_FQDN ] && echo "Please set 'MISP_FQDN' or 'MISP_URL' environment variable in docker-compose.override.yml file for misp-server!!!" && exit [ -z $MISP_URL -a ! -z $MISP_FQDN ] && export MISP_URL="https://$(echo $MISP_FQDN|cut -d '/' -f 3)" [ -z $PGP_ENABLE ] && export PGP_ENABLE=0 [ -z $SMIME_ENABLE ] && export SMIME_ENABLE=0 @@ -432,8 +432,6 @@ echo "$STARTMSG #################################### started Apache2 with cmd: echo echo cat <<__WELCOME__ -Congratulations! -Your MISP docker has been successfully booted for the first time. " ########### MISP environment is ready ###########" " Please go to: ${MYSQL_HOST}" " Login credentials:" @@ -443,7 +441,7 @@ Your MISP docker has been successfully booted for the first time. " Do not forget to change your SSL certificate with: make change-ssl" " ##########################################################" Congratulations! -Your MISP docker has been successfully booted for the first time. +Your MISP-dockerized server has been successfully booted. __WELCOME__ diff --git a/2.4.99-debian/.gitlab-ci.yml b/2.4.99-debian/.gitlab-ci.yml index 8a576337..237180c6 100644 --- a/2.4.99-debian/.gitlab-ci.yml +++ b/2.4.99-debian/.gitlab-ci.yml @@ -10,4 +10,5 @@ test 2.4.99-debian: VERSION: "2.4.99-debian" only: changes: - - 2.4.99-debian/* \ No newline at end of file + - 2.4.99-debian/* + \ No newline at end of file