melicertes / csp
The Cyber Security Platform MeliCERTes is part of the European Strategy for Cyber Security. MeliCERTes is a network for establishing confidence and trust among the national Computer Security Incident Response Teams (CSIRTs) of the Member States and for promoting swift and effective operational cooperation.

License: Other

D 0.01% Java 11.03% CSS 3.01% HTML 2.81% Shell 2.44% JavaScript 4.28% Dockerfile 0.23% Python 53.96% Lua 0.03% Perl 0.11% Jolie 0.03% PHP 20.20% Makefile 0.14% Batchfile 0.09% DIGITAL Command Language 0.01% Less 0.50% SCSS 0.93% Jinja 0.24%
containers cybersecurity docker eu opensource platform security-tools servicestack

csp's People

Contributors

adulau, akribopo, brindfn, chpanag, datacron, dimitrianos, iglocska, iskitsas, karadimas, kyr-stefanidis, lagoudiana, majidsalehighamsari, milankowww, pp-, rezamalik, stefankelm, thanosa75, tomas321


csp's Issues

MISP external sync

Thanks a lot for looking into making the MELiCERTES MISP installation usable via MISP-to-MISP synchronisation setups. However, I have some questions:

fs.readFile("/run/secrets/authkey", function(err, data) {

What is that secret key? Is this a built in backdoor or some funky way of authenticating all sync requests with a built in user as opposed to the normal paradigm?

Could you also point us to the various issues we've raised during the training that don't have to do with having actual connectivity but rather potential information leakage when missing MISP sharing groups and MELiCERTES trust circles?

Thank you in advance.

Installation issue: csp-java8 missing

As indicated in github issue #8, I downloaded the yml file from https://github.com/melicertes/csp/blob/develop/deployment/docker/central/docker-compose.yml and did the necessary steps to the best of my knowledge:

$ docker-compose up
ERROR: Network installer_net declared as external, but could not be found. Please create the network manually using `docker network create installer_net` and try again.
$ docker network create installer_net
1b2ca72243e887b484cc55c6151637c45996cc2fae91621095a899eb26075d81
$ docker-compose up
Pulling sa-cfg (csp-java8:1.0)...
ERROR: The image for the service you're trying to recreate has been removed. If you continue, volume data could be lost. Consider backing up your data before continuing.

Continue with the new image? [yN]y
Pulling sa-cfg (csp-java8:1.0)...
ERROR: pull access denied for csp-java8, repository does not exist or may require 'docker login'

SMTP settings are mandatory but not marked as such

In contrast to page 23 of the installation manual, the SMTP settings are not required/mandatory, but should be.
"""
This form is protected against incomplete submission. A warning will be displayed if the Save button is clicked without completing all the required fields.
"""

The SMTP settings are mandatory for successful installation/startup of the services.

This should be made mandatory in the config wizard.

CSP (openam) Users assignment options

CSP users - can they be assigned different roles through the single sign on system to assign different MISP user roles to the various different users?

Connection testing

Hi,

Could you please not try to connect to google.com:443 for "internet connectivity" testing?
That seems to be pretty absurd for a controlled production environment, even more so as the node already requires connectivity to the central.
Checking for connectivity to the central should be enough.

MISP connector potential issues

https://github.com/melicertes/csp/blob/master/csp-apps/misp/misp-adapter-emitter/src/main/java/com/intrasoft/csp/misp/service/impl/MispTcSyncServiceImpl.java#L164

This is extremely worrying. Organisations that are not in the list of melicertes teams are absolutely normal and should not be flagged in any way. The comment that deletion is not an option for now is concerning - it shows a misunderstanding of what an organisation is in MISP and the purpose of having them.

  1. You cannot have sharing groups without having the organisation objects on your instance for anyone you want to share with. Meaning if orgx is not in the melicertes team list, I need to have it known for my instance to include them in any sharing.
  2. Organisation objects are shared automatically. Unless we want to restrict the pulling of any feeds in MISP format, fetching from any other non melicertes MISP instances, pushing any non melicertes team created data to MISP, we will get those organisation objects on our instance.
  3. Many CERTs operate MISP instances that are interconnected with other organisations. Sharing Groups handle the distribution of data that is not meant for all participants of an instance, but without giving access to other organisations, synchronisation is not feasible. This means that any interconnections with other organisations would be flagged as orphaned organisations.

After installation: apache is not serving :443

Status after successful install with successful startup of all services.

cspvm [/etc]# docker stats --all --format "table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}" --no-stream | sort
NAME CPU % MEM USAGE / LIMIT
csp-activemq 0.10% 96.46MiB / 11.63GiB
csp-anon 0.15% 175.2MiB / 11.63GiB
csp-apache 0.00% 0B / 0B
csp-apache-crl 0.00% 3.5MiB / 11.63GiB
csp-es 1.42% 4.661GiB / 11.63GiB
csp-filebeat 0.03% 5.969MiB / 11.63GiB
csp-il 0.24% 159.1MiB / 11.63GiB
csp-imq 0.00% 0B / 0B
csp-intelmq_adapter 0.09% 305.6MiB / 11.63GiB
csp-jitsi 0.36% 343.7MiB / 11.63GiB
csp-kibana 0.56% 76.54MiB / 11.63GiB
csp-kibana_logs 0.59% 72.45MiB / 11.63GiB
csp-logstash 7.41% 551.8MiB / 11.63GiB
csp-misp 0.20% 21.3MiB / 11.63GiB
csp-misp-filebeat 0.04% 2.969MiB / 11.63GiB
csp-misp-logstash 7.13% 489.1MiB / 11.63GiB
csp-misp_adapter 0.11% 3.121MiB / 11.63GiB
csp-mock 0.00% 6.703MiB / 11.63GiB
csp-mysql 0.07% 36.43MiB / 11.63GiB
csp-oam 0.38% 702.3MiB / 11.63GiB
csp-oam-filebeat 0.08% 4.727MiB / 11.63GiB
csp-oam-logstash 7.13% 548.5MiB / 11.63GiB
csp-oc 0.00% 40.29MiB / 11.63GiB
csp-ocdb 0.07% 39.64MiB / 11.63GiB
csp-ocredis 0.08% 5.023MiB / 11.63GiB
csp-postgres 0.74% 7.508MiB / 11.63GiB
csp-redis 0.08% 2.461MiB / 11.63GiB
csp-regrep 0.07% 378MiB / 11.63GiB
csp-rt 0.01% 156.7MiB / 11.63GiB
csp-rt_adapter 0.21% 123.4MiB / 11.63GiB
csp-tc 0.03% 15.14MiB / 11.63GiB
csp-tc-dsl 0.02% 3.32MiB / 11.63GiB
csp-vcb_admin 0.14% 459MiB / 11.63GiB
csp-vcb_teleconf 0.19% 447.4MiB / 11.63GiB
csp-viper 0.33% 4.082MiB / 11.63GiB

netstat -napt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2533/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 3180/docker-proxy
tcp 0 0 127.0.0.1:18080 0.0.0.0:* LISTEN 2852/java
tcp 0 0 :::8083 :::* LISTEN 17902/docker-proxy
tcp 0 0 :::4243 :::* LISTEN 2209/dockerd
tcp 0 0 :::22 :::* LISTEN 2533/sshd
tcp 0 0 :::4443 :::* LISTEN 16536/docker-proxy
tcp 0 0 :::32768 :::* LISTEN 3327/docker-proxy
tcp 0 0 :::32770 :::* LISTEN 15301/docker-proxy

MISP distribution policy violation

// - The attribute having a wider distribution policy than the event must not be deleted (attrib with id 10)

This is a violation of MISP's distribution model. MISP will always choose the most restrictive option in the inherited distributions. For example:

Event [distribution: your organisation only]
Attribute [distribution:all communities]

The attribute above is NOT cleared for synchronisation, the container's distribution level overrides that of the contents.
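The rule stated above, that the container's distribution limits the contents, written out as an added Python example; this is not code from the csp repository or from MISP. The numeric levels follow MISP's API (0 your organisation only, 1 this community only, 2 connected communities, 3 all communities, 4 sharing group, 5 inherit event); the organisation names, community membership and sharing group are constructed sample data.

```python
"""Decide whether a MISP attribute is cleared for a given organisation by
checking the event (container) and the attribute (contents) separately and
requiring both to pass, which is what "most restrictive wins" amounts to."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# MISP distribution levels (numeric values used by the MISP API).
ORG_ONLY, COMMUNITY, CONNECTED, ALL, SHARING_GROUP, INHERIT = range(6)


@dataclass(frozen=True)
class Community:
    """Constructed view of the organisations reachable from the local instance."""
    local_org: str
    members: FrozenSet[str]    # organisations with users on this instance
    connected: FrozenSet[str]  # organisations on directly synchronised instances


@dataclass(frozen=True)
class Item:
    """An event or an attribute: a distribution level plus, for level 4, the
    organisations in the sharing group."""
    distribution: int
    sharing_group: Optional[FrozenSet[str]] = None


def can_see(viewer: str, item: Item, community: Community) -> bool:
    """True if `viewer` falls inside the audience of this single item."""
    if item.distribution == ORG_ONLY:
        return viewer == community.local_org
    if item.distribution == COMMUNITY:
        return viewer == community.local_org or viewer in community.members
    if item.distribution == CONNECTED:
        return (viewer == community.local_org or viewer in community.members
                or viewer in community.connected)
    if item.distribution == ALL:
        return True
    if item.distribution == SHARING_GROUP:
        return item.sharing_group is not None and viewer in item.sharing_group
    raise ValueError(f"unsupported distribution level {item.distribution}")


def attribute_cleared_for(viewer: str, event: Item, attribute: Item,
                          community: Community) -> bool:
    """The attribute is cleared only if the event AND the attribute are both
    visible to the viewer; a wider attribute level never widens the event's."""
    if attribute.distribution == INHERIT:
        attribute = event
    return can_see(viewer, event, community) and can_see(viewer, attribute, community)


# Constructed sample setup: our org, one community member, one connected org.
COMMUNITY_SAMPLE = Community(local_org="cert-local",
                             members=frozenset({"cert-member"}),
                             connected=frozenset({"cert-remote"}))


def issue_example() -> bool:
    """The case from the issue: event 'your organisation only', attribute 'all
    communities'. Returns whether a partner organisation may receive it."""
    event = Item(ORG_ONLY)
    attribute = Item(ALL)
    return attribute_cleared_for("cert-remote", event, attribute, COMMUNITY_SAMPLE)


if __name__ == "__main__":
    print("attribute cleared for cert-remote:", issue_example())  # False
```

The conjunction in `attribute_cleared_for` is the whole point: a connector that looks at the attribute's own level in isolation, as the quoted comment suggests, would release data the event's level keeps inside the organisation.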

RT/RTIR: Modifying private tickets via UUID spoofing

In a sharing environment where org A and org B are present.
org B has a ticket with UUID X, which is private (not shared)
org A has a ticket and sets it to UUID X.
The non-shared org B ticket is being modified.

CSP - MISP exchange issues

Noticed several issues with the exchange via CSP to MISP:

  • Events arrive unpublished, meaning that my partners are not protected using my shared data. This also encourages tampering with shared data to get them published
  • Occasionally data doesn't get synchronised / updated. We could not figure out what triggers the behaviour during the training.
  • Revocations are not synchronised
  • Sharing groups get partially synchronised
  • We had cases where sharing groups were synchronised to instances that were not eligible for the contents via CSP

ContactDB module and associated code

While looking at the overview diagram, I see there is a ContactDB module.

Can you point me to where in the repository the code for ContactDB is? In the documentation, I see some references to contact management but I'm not sure if this is the same application/module in MeliCERTes.

Thank you very much

[improvement] MISP vulnerability object

There is a new csp-vulnerability MISP object:

https://github.com/melicertes/csp/blob/ca16e155ba2b0172e5a5e3e5afb6e4f681641df3/deployment/docker/base-images/misp-image/csp-misp-objects/csp-vulnerability/definition.json

The definition seems very close to the default MISP vulnerability object:

https://github.com/MISP/misp-objects/blob/master/objects/vulnerability/definition.json

A simple improvement would be to use the default one. Maybe there is a specific reason to not use the default? If yes, we could incorporate the changes in the default vulnerability object template.

standalone version installation?

For testing and standalone installation reasons, where can one download the ova for Melicertes?
Or the installation instructions?

Trust circle questions

Can I include organisations that do not have CSP? The trust circles get propagated to MISP, if we have an incident involving non CSP organisations, how can we facilitate the exchange with them?

Passphrase dialogue missing for private key for apache startup

[Fri Jul 19 08:18:01.780631 2019] [ssl:error] [pid 8:tid 139924841396096] AH02578: Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]

Passphrase is not requested and stored during install (good).
It is not mentioned not to use a passphrase afaik (good).

Proposal: Since the startup of the services is a manual action, also the passphrase could be requested without issue.

Private X.509 key has only 2048 bits

As per the installation manual (v4.0.6 according to the file, v4.0.5 according to the archive name) the generated X.509 private key will have 2048 bits.
4096 bits is not only recommended, but has also been the industry standard for years.

csp-apache: first-time script refers to missing docker image

c.i.c.c.c.s.ExternalProcessService : Unable to find image 'frolvlad/alpine-oraclejdk8:slim' locally
c.i.c.c.c.s.ExternalProcessService : docker: Error response from daemon: pull access denied for frolvlad/alpine-oraclejdk8, repository does not exist or may require 'docker login'.
c.i.c.c.c.s.ExternalProcessService : See 'docker run --help'.

in file: first-time.sh
line: docker run -d --rm -v SSLDatavolume:/ssl_data frolvlad/alpine-oraclejdk8:slim sh -c "mkdir -p /ssl_data/crl"

Spoofing of organisations possible through any CSP node

Steps to reproduce:

(- Get any sharing group via the issue described in the previous MISP sync issue) => possibly not needed

  • replace your organisation's UUID with that of the organisation you wish to spoof
  • MISP's protection against this sort of spoofing is circumvented by CSP
  • CSP will check the current state of the organisations to decide whether data can be propagated to the node
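Both this report and the RT/RTIR one above come down to the same missing check: a record may only be modified over a sharing channel by the organisation that owns it, and the sender's identity must come from the channel, not from the payload. The following added Python example shows that check on a constructed in-memory record store; it is not CSP, MISP or RT code, and the organisation names and UUIDs are made up.

```python
"""Apply an update arriving over a sharing channel only when the sender owns
the record carrying that UUID. Constructed store and messages; added example,
not the project's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Record:
    uuid: str
    owner_org: str   # organisation that created the record
    shared: bool     # whether the owner released it for sharing
    body: str


@dataclass
class Store:
    records: Dict[str, Record] = field(default_factory=dict)
    rejected: List[Tuple[str, str, str]] = field(default_factory=list)  # audit trail

    def apply_remote_update(self, sender_org: str, incoming: Record) -> bool:
        """Accept `incoming` from `sender_org` only if the UUID is new or the
        existing record is owned by the sender. `sender_org` must be taken from
        the channel's authenticated identity (for example the peer's client
        certificate); the organisation named inside the payload is only
        cross-checked, never trusted on its own."""
        if incoming.owner_org != sender_org:
            self.rejected.append((sender_org, incoming.uuid, "claimed org differs from sender"))
            return False
        existing = self.records.get(incoming.uuid)
        if existing is not None and existing.owner_org != sender_org:
            self.rejected.append((sender_org, incoming.uuid, "uuid owned by another org"))
            return False
        self.records[incoming.uuid] = incoming
        return True


def scenario() -> Store:
    """Org B holds a private ticket with UUID X locally; org A then sends its
    own ticket under the same UUID. The update must not touch B's ticket."""
    store = Store()
    store.records["uuid-X"] = Record("uuid-X", "org-B", False, "B's private ticket")
    store.apply_remote_update("org-A", Record("uuid-X", "org-A", True, "A's ticket"))
    return store


if __name__ == "__main__":
    s = scenario()
    print(s.records["uuid-X"].body)   # B's private ticket
    print(s.rejected)                 # one refused update for uuid-X
```

The `rejected` list is worth shipping to the node's logs: a peer repeatedly sending records under UUIDs owned by other organisations is exactly the behaviour the two reports describe, and it is cheap to alert on.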

Status page does not reflect actual status of modules

The status page of the management interface on port 18080 does not show the actual status of the modules (running/stopped), but rather the last action.

So it is not a status page, but a list of modules with the last action performed on them.

Module versioning

Show the actual versions of the modules instead of the melicertes rebranded version.

We'd like to be able to ensure that we don't end up installing outdated / vulnerable versions before the fact.

Vulnerability report: SMTP credentials in cleartext in log file

from /tmp/console.log:

2019-07-16 23:44:31.904  INFO 3082 --- [ool-20-thread-7] c.i.c.c.c.s.ExternalProcessService       :   "mail": {
2019-07-16 23:44:31.904  INFO 3082 --- [ool-20-thread-7] c.i.c.c.c.s.ExternalProcessService       :     "host": "localhost",
2019-07-16 23:44:31.905  INFO 3082 --- [ool-20-thread-7] c.i.c.c.c.s.ExternalProcessService       :     "port": "25",
2019-07-16 23:44:31.905  INFO 3082 --- [ool-20-thread-7] c.i.c.c.c.s.ExternalProcessService       :     "username": "username",
2019-07-16 23:44:31.906  INFO 3082 --- [ool-20-thread-7] c.i.c.c.c.s.ExternalProcessService       :     "password": "password",
[...]
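The usual fix for this class of leak is to redact credential-bearing fields before a configuration object ever reaches a logger, and to have a second, text-level filter for code paths that already hold the serialised JSON (as the excerpt above shows, the whole document was echoed line by line). The following is an added Python example, not code from the csp repository; the sample configuration is a constructed copy of the keys visible in the excerpt, and the key pattern also covers names such as authkey mentioned in the first issue on this page.

```python
"""Redact credential-bearing fields from a configuration before logging.
Added example; SAMPLE_CONFIG is constructed from the keys visible in the
issue's console.log excerpt, not the real CSP configuration."""
import json
import re
from typing import Any

# Keys whose values must never reach a log file (matched on the key's suffix).
SENSITIVE_KEY = re.compile(r"(pass(word|phrase)?|secret|auth[_-]?key|api[_-]?key|token)$",
                           re.IGNORECASE)
MASK = "[REDACTED]"


def redact(obj: Any) -> Any:
    """Return a deep copy of `obj` with sensitive values replaced by MASK,
    walking nested dicts and lists so that e.g. mail.password is caught."""
    if isinstance(obj, dict):
        return {k: (MASK if SENSITIVE_KEY.search(str(k)) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


# Text-level fallback for already-serialised JSON: mask the value in a
# "sensitive-key": "value" pair while leaving the key and punctuation intact.
_JSON_PAIR = re.compile(
    r'("(?:[^"\\]|\\.)*?(?:pass(?:word|phrase)?|secret|auth[_-]?key|api[_-]?key|token)"\s*:\s*)'
    r'"(?:[^"\\]|\\.)*"',
    re.IGNORECASE)


def redact_text(line: str) -> str:
    """Mask secret values inside one line of serialised JSON."""
    return _JSON_PAIR.sub(lambda m: f'{m.group(1)}"{MASK}"', line)


SAMPLE_CONFIG = {  # constructed; mirrors the keys in the log excerpt
    "mail": {"host": "localhost", "port": "25",
             "username": "username", "password": "password"},
}


def log_safe_config(config: dict) -> str:
    """What should be handed to the logger instead of the raw config."""
    return json.dumps(redact(config), indent=2)


if __name__ == "__main__":
    print(log_safe_config(SAMPLE_CONFIG))
    print(redact_text('    "password": "password",'))  # "password": "[REDACTED]",
```

Redacting at the object level is preferable because it does not depend on the output format; the text filter is a safety net for log pipelines (Logstash, Filebeat) that only ever see the rendered line.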

Module installation order

The module installation screen gives you the wrong impression that you can pick and choose the modules you would like to install. In reality some modules depend on the installation of other modules.

There is no guidance on which module depends on which other module and the current installation procedure is highly reminiscent of the famous "Dinky Island Woods" in Monkey Island 2.

MISP - Default user

User is named [email protected] and needs to be configured to a hard coded integration user. Why does the user have to do this manually instead of having this pre-configured?
