Possibility of MISP/Auth configuration using the commands #1447

Open
wants to merge 3 commits into
base: develop-th4
239 changes: 239 additions & 0 deletions package/docker/entrypoint
Expand Up @@ -20,6 +20,15 @@ test "${TH_NO_CONFIG}" == 1
CONFIG=$?
CONFIG_FILE=${TH_CONFIG_FILE:-/etc/thehive/application.conf}
CORTEX_KEYS=${TH_CORTEX_KEYS}
CONFIG_MISP=0
MISP_HOSTNAMES="misp"
MISP_PROTO="http"
MISP_PORT="80"
# Default values for Auth part
CONFIG_AUTH=0
AUTH_USERHEADER="TheHiveAuth"
AUTH_SSL="false"
AUTH_AUTHHEADER="Bearer "
function usage {
cat <<- _EOF_
Available options:
Expand All @@ -41,6 +50,43 @@ function usage {
--cortex-port <port> | define port to connect to Cortex (default: 9001)
--cortex-hostname <host>,<host>,... | resolve this hostname to find Cortex instances
--cortex-keys <key>,<key>,... | define Cortex key
--config-misp | Enable adding MISP configuration
--misp-hostnames <host>,<host>, ... | Resolve this hostname to find MISP instances (default: misp)
--misp-proto <proto> | Define protocol to connect to MISP (default: http)
--misp-port <port> | Define port to connect to MISP ( default: 80)
--misp-keys <key>,<key>, ... | Define MISP key
--misp-template <template-name> | Name of the case template in TheHive that shall be used to import MISP events as cases by default (Optional)
--misp-tags <tag>,<tag>, ... | Optional tags to add to each observable imported from an event (Optional)
--misp-max-age <number> | Maximum age of the last publish date of event to be imported in TheHive in days (Optional)
--misp-exc-orgs <org>,<org>, ... | List of MISP organisation from which event will not be imported (Optional)
--misp-exc-tags <tag>,<tag>, ... | Don't import MISP events which have one of these tags (Optional)
--misp-wh-tags <tag>,<tag>, ... | Import only MISP events which have one of these tags (Optional)
--config-auth | Enable adding authentication configuration
--auth-header | Enable header authentication module
--auth-ad | Enable Active Directory authentication module
--auth-ldap | Enable LDAP authentication module
--auth-oauth | Enable Oauth2 authentication module
--auth-userheader <Header Name> | The name of the header that contain the user login (default: TheHiveAuth)
--auth-windomain <Win Domain Name> | The Windows domain name (ex: MYDOMAIN)
--auth-dnsdomain <DNS> | The Windows domain name in DNS format (ex: mydomain.local)
--auth-ssl <boolean> | Indicate if SSL must be used to connect to Domain Dontroller/LDAP server (default: false)
--auth-ad-hosts <host>,<host>, ... | The addresses of the domain controllers. If missing, the dnsDomain is used.
--auth-binddn <BindDN> | DN of the service account in LDAP. This account is used to search the user.
--auth-bindpw <BindPW> | Password of the service account.
--auth-basedn <BaseDN> | DN where the users are located in.
--auth-filter <filter> | Filter used to search the user. "{0}" is replaced by the user login. A valid filter is: (&(uid={0})(objectClass=posixAccount))
--auth-ldap-hosts <host>,<host>, ... | The addresses of the LDAP servers.
--auth-clientid <ClientID> | Client ID in the OAuth2 server.
--auth-clientsecret <ClientSecret> | Client secret in the OAuth2 server.
--thehive-url <URL> | Url or domain of TheHive (ex: http://www.thehive.com)
--auth-url <URL> | The url of the OAuth2 server.
--auth-authheader <AuthHeader> | Prefix of the authorization header to get user info: Bearer, token, .. (default: Bearer)
--token-url <URL> | The token url of the OAuth2 server.
--user-url <URL> | The url to get user information in OAuth2 server.
--auth-scope <scope>,<scope>, ... | List of scope
--auth-userid <UserID> | The field that contains the id of the user in user info
--auth-org <Org> | The field that contains the organisation name in user info (Optional)
--auth-deforg <Org> | The default organisation used to login if not present on user info (Optional)
_EOF_
exit 1
}
Expand Down Expand Up @@ -68,6 +114,43 @@ do
"--cortex-port") shift; CORTEX_PORT=$1 ;;
"--cortex-hostnames") shift; CORTEX_HOSTNAMES=$1 ;;
"--cortex-keys") shift; CORTEX_KEYS=$1 ;;
"--config-misp") CONFIG_MISP=1 ;;
"--misp-hostnames") shift; MISP_HOSTNAMES=$1 ;;
"--misp-proto") shift; MISP_PROTO=$1 ;;
"--misp-port") shift; MISP_PORT=$1 ;;
"--misp-keys") shift; MISP_KEYS=$1 ;;
"--misp-template") shift; MISP_TEMPLATE=$1 ;;
"--misp-tags") shift; MISP_TAGS=$1 ;;
"--misp-max-age") shift; MISP_AGE=$1 ;;
"--misp-exc-orgs") shift; MISP_EXC_ORG=$1 ;;
"--misp-exc-tags") shift; MISP_EXC_TAGS=$1 ;;
"--misp-wh-tags") shift; MISP_WH_TAGS=$1 ;;
"--config-auth") CONFIG_AUTH=1 ;;
"--auth-header") AUTH_HEADER=1 ;;
"--auth-ad") AUTH_AD=1 ;;
"--auth-ldap") AUTH_LDAP ;;
"--auth-oauth") AUTH_OAUTH=1 ;;
"--auth-userheader") shift; AUTH_USERHEADER=$1 ;;
"--auth-windomain") shift; AUTH_WINDOMAIN=$1 ;;
"--auth-dnsdomain") shift; AUTH_DNSDOMAIN=$1 ;;
"--auth-ssl") shift; AUTH_SSL=$1 ;;
"--auth-ad-hosts") shift; AUTH_AD_HOSTS=$1 ;;
"--auth-binddn") shift; AUTH_BINDDN=$1 ;;
"--auth-bindpw") shift; AUTH_BINDPW=$1 ;;
"--auth-basedn") shift; AUTH_BASEDN=$1 ;;
"--auth-filter") shift; AUTH_FILTER=$1 ;;
"--auth-ldap-hosts") shift; AUTH_LDAP_HOSTS=$1 ;;
"--auth-clientid") shift; AUTH_CLIENTID=$1 ;;
"--auth-clientsecret") shift; AUTH_CLIENTSECRET=$1 ;;
"--thehive-url") shift; THEHIVE_URL=$1 ;;
"--auth-url") shift; AUTH_URL=$1 ;;
"--auth-authheader") shift; AUTH_AUTHHEADER=$1 ;;
"--token-url") shift; TOKEN_URL=$1 ;;
"--user-url") shift; USER_URL=$1 ;;
"--auth-scope") shift; AUTH_SCOPE=$1 ;;
"--auth-userid") shift; AUTH_USERID=$1 ;;
"--auth-org") shift; AUTH_ORG=$1 ;;
"--auth-deforg") shift; AUTH_DEFORG=$1 ;;
"--") STOP=1;;
*) usage
esac
Expand Down Expand Up @@ -122,6 +205,90 @@ then
echo "}" >> ${CONFIG_FILE}
fi

## Auth Config ##
if [[ $CONFIG_AUTH -eq 1 ]];then
echo "auth.providers = [" >> ${CONFIG_FILE}
echo "{name: session}" >> ${CONFIG_FILE}
echo "{name: basic, realm: thehive}" >> ${CONFIG_FILE}
echo "{name: local}" >> ${CONFIG_FILE}
echo "{name: key}" >> ${CONFIG_FILE}
if [[ $AUTH_HEADER -eq 1 ]];then
echo "{" >> ${CONFIG_FILE}
echo "name = header" >> ${CONFIG_FILE}
echo "Setting Header Authentication and the HeaderName=${AUTH_HEADER}"
echo "userHeader = \"${AUTH_USERHEADER}\"" >> ${CONFIG_FILE}
echo "}" >> ${CONFIG_FILE}
fi
if [[ $AUTH_AD -eq 1 ]];then
echo "{" >> ${CONFIG_FILE}
echo "name = ad" >> ${CONFIG_FILE}
echo "winDomain = \"${AUTH_WINDOMAIN}\"" >> ${CONFIG_FILE}
echo "dnsDomain = \"${AUTH_DNSDOMAIN}\"" >> ${CONFIG_FILE}
echo "useSSL = ${AUTH_SSL}" >> ${CONFIG_FILE}
echo "Using AD Authentication with the domain ${AUTH_WINDOMAIN}"
# Converting hosts to list of strings #
IFS="," read -r -a authhosts <<<"${AUTH_AD_HOSTS}"
if [[ ${#authhosts[@]} -gt 0 ]];then
for host in ${authhosts[@]};do
ahosts="${ahosts}\"${host}\","
done
echo "hosts = [${ahosts:0:${#ahosts}-1}]" >> ${CONFIG_FILE}
fi
echo "}" >> ${CONFIG_FILE}
fi
if [[ $AUTH_LDAP -eq 1 ]];then
echo "{" >> ${CONFIG_FILE}
echo "name = ldap" >> ${CONFIG_FILE}
echo "bindDN = \"${AUTH_BINDDN}\"" >> ${CONFIG_FILE}
echo "bindPW = \"${AUTH_BINDPW}\"" >> ${CONFIG_FILE}
echo "baseDN = \"${AUTH_BASEDN}\"" >> ${CONFIG_FILE}
echo "filter = \"${AUTH_FILTER}\"" >> ${CONFIG_FILE}
echo "useSSL = ${AUTH_SSL}" >> ${CONFIG_FILE}
# Converting hosts to list of strings #
IFS="," read -r -a authhosts <<<"${AUTH_LDAP_HOSTS}"
if [[ ${#authhosts[@]} -gt 0 ]];then
for host in ${authhosts[@]};do
ahosts="${ahosts}\"${host}\","
done
echo "hosts = [${ahosts:0:${#ahosts}-1}]" >> ${CONFIG_FILE}
fi
echo "}" >> ${CONFIG_FILE}
fi
if [[ $AUTH_OAUTH -eq 1 ]];then
echo "{" >> ${CONFIG_FILE}
echo "name = oauth2" >> ${CONFIG_FILE}
echo "clientId = \"${AUTH_CLIENTID}\"" >> ${CONFIG_FILE}
echo "clientSecret = \"${AUTH_CLIENTSECRET}\"" >> ${CONFIG_FILE}
echo "redirectUri = \"${THEHIVE_URL}/api/ssoLogin\"" >> ${CONFIG_FILE}
echo "responseType = \"code\"" >> ${CONFIG_FILE}
echo "grantType = \"authorization_code\"" >> ${CONFIG_FILE}
echo "authorizationUrl = \"${AUTH_URL}\"" >> ${CONFIG_FILE}
echo "tokenUrl = \"${TOKEN_URL}\"" >> ${CONFIG_FILE}
echo "userUrl = \"${USER_URL}\"" >> ${CONFIG_FILE}
echo "authorizationHeader = \"${AUTH_AUTHHEADER}\"" >> ${CONFIG_FILE}
# Converting scopes to list of strings #
IFS="," read -r -a authscope <<<"${AUTH_SCOPE}"
if [[ ${#authscope[@]} -gt 0 ]];then
for scope in ${authscope[@]};do
scopes="${scopes}\"${scope}\","
done
echo "scope = [${scopes:0:${#scopes}-1}]" >> ${CONFIG_FILE}
fi
###
echo "userIdField = \"${AUTH_USERID}\"" >> ${CONFIG_FILE}
if [[ -n $AUTH_ORG ]];then
echo "organisationField = \"${AUTH_ORG}\"" >> ${CONFIG_FILE}
fi
if [[ -n $AUTH_DEFORG ]];then
echo "defaultOrganisation = \"${AUTH_DEFORG}\"" >> ${CONFIG_FILE}
fi
echo "}" >> ${CONFIG_FILE}
fi

echo "]" >> ${CONFIG_FILE}
fi
#####

if test "${CONFIG_STORAGE}" = 1
then
echo "storage {" >> ${CONFIG_FILE}
Expand Down Expand Up @@ -174,6 +341,78 @@ then
fi
fi

if [[ $CONFIG_MISP -eq 1 ]];then
declare -a MISP_URLS
IFS=',' read -r -a MH <<< "${MISP_HOSTNAMES}"
IFS=',' read -r -a MK <<< "${MISP_KEYS}"
for M in "${MH[@]}";do
test -n "${M}" && MISP_URLS+=("${MISP_PROTO}://${M}:${MISP_PORT}")
done
if [[ ${#MISP_URLS[@]} -gt 0 ]];then
echo "play.modules.enabled += org.thp.thehive.connector.misp.MispModule" >> ${CONFIG_FILE}
echo "misp.interval = 1 hour" >> ${CONFIG_FILE}
echo "misp.servers = [">> ${CONFIG_FILE}
i=0
for M in ${MISP_URLS[@]};do
echo "Add MISP n${i} : ${M}"
echo "{" >> ${CONFIG_FILE}
echo "name = \"MISP${i}\"" >> ${CONFIG_FILE}
echo "url = \"${M}\"" >> ${CONFIG_FILE}
echo "auth {" >> ${CONFIG_FILE}
echo "type = key" >> ${CONFIG_FILE}
echo "key = \"${MK[$i]}\"" >> ${CONFIG_FILE}
echo "}" >> ${CONFIG_FILE}
echo "wsConfig {}" >> ${CONFIG_FILE}

# Optional Config #
# MISP Template #
if [[ -n $MISP_TEMPLATE ]];then
echo "caseTemplate = \"${MISP_TEMPLATE}\"" >> ${CONFIG_FILE}
fi
# MISP Tags #
IFS=',' read -r -a MT <<< ${MISP_TAGS}
if [[ ${#MT[@]} -gt 0 ]];then
for tag in ${MT[@]};do
tags="${tags}\"${tag}\","
done
echo "tags = [${tags:0:$((${#tags}-1))}]" >> ${CONFIG_FILE}
fi

# MISP Max-Age #
if [[ -n $MISP_AGE ]];then
echo "max-age = ${MISP_AGE} days" >> ${CONFIG_FILE}
fi

# MISP Exclusion #
IFS=',' read -r -a MEO <<< ${MISP_EXC_ORG}
if [[ ${#MEO[@]} -gt 0 ]];then
for org in ${MEO[@]};do
orgs="${orgs}\"${org}\","
done
echo "exclusion.organisation = [${orgs:0:$((${#orgs}-1))}]" >> ${CONFIG_FILE}
fi
IFS=',' read -r -a MET <<< ${MISP_EXC_TAGS}
if [[ ${#MET[@]} -gt 0 ]];then
for tag in ${MET[@]};do
etags="${etags}\"${tag}\","
done
echo "exclusion.tags = [${etags:0:$((${#etags}-1))}]" >> ${CONFIG_FILE}
fi
# MISP Whitelist #
IFS=',' read -r -a MWT <<< ${MISP_WH_TAGS}
if [[ ${#MWT[@]} -gt 0 ]];then
for tag in ${MWT[@]};do
wtags="${wtags}\"${tag}\","
done
echo "whitelist.tags = [${wtags:0:$((${#wtags}-1))}]" >> ${CONFIG_FILE}
fi
echo "}" >> ${CONFIG_FILE}
i=$((${i}+1))
done
echo "]" >> ${CONFIG_FILE}
fi
fi

echo "include file(\"secret.conf\")" >> ${CONFIG_FILE}
fi

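Review bot: The `--auth-ldap` arm of the option loop (second hunk) assigns nothing: `"--auth-ldap") AUTH_LDAP ;;` tries to run a command named AUTH_LDAP instead of setting the flag, so the LDAP block guarded by `if [[ $AUTH_LDAP -eq 1 ]]` in the third hunk can never be emitted; it should read `"--auth-ldap") AUTH_LDAP=1 ;;`. In the same third hunk the `ahosts` accumulator is shared by the AD and LDAP blocks and never reset, and in the fourth hunk `tags`, `orgs`, `etags` and `wtags` are never cleared between iterations of the `for M in ${MISP_URLS[@]}` loop, so enabling both AD and LDAP, or listing more than one MISP host, carries earlier entries into the later `hosts = [...]` / `tags = [...]` lines; clear each with `ahosts=` (and the MISP ones) at the start of its block or loop iteration, and quote the array expansions (`"${authhosts[@]}"`, `"${MISP_URLS[@]}"`) as the `for M in "${MH[@]}"` loop already does. `--auth-bindpw`, `--auth-clientsecret` and `--misp-keys` are taken from argv, so they are readable by anything that can list the container's processes, and their values are interpolated unescaped into `${CONFIG_FILE}` inside `"..."`, so a value containing `"` breaks the HOCON string; since the script already reads `TH_CORTEX_KEYS` from the environment and includes `secret.conf`, accepting these through `TH_*` environment variables and writing them to that file would be consistent with the existing design. The diagnostic `echo "Setting Header Authentication and the HeaderName=${AUTH_HEADER}"` prints the enable flag (always 1) where `${AUTH_USERHEADER}` was intended.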