MISP container (Docker) image focused on high performance and security based on AlmaLinux, ready for production.
This image contains the latest version of MISP and the required dependencies. Image is intended as immutable, which means that it is not possible to update MISP from the user interface and instead, an admin should download a newer image.
- 🎩 Image is based on AlmaLinux, so perfectly fits your infrastructure if you use CentOS or RHEL as a host system
- ✅ Modern MISP features are enabled by default (like advanced audit log or storing settings in the database)
- 👩💻 Integrated support for OpenID Connect (OIDC) authentication
- 🔒️ PHP is by default protected by Snuffleupagus extensions with rules tailored to MISP
- 🚀 Optional extensions and configurations that will make MISP faster are enabled
- 📓 Integrated support for logging into ECS format, exceptions to Sentry and forwarding logs to syslog server
- 🧪 The final image is automatically tested, so every release should work as expected
- 🏛 Build for amd64 (x86_64) and arm64 (aarch64)
First, you have to install Docker. Follow these manuals how to install Docker on your machine. Windows, macOS, or Linux are supported.
For Linux, you also need to install Docker Compose V2, on macOS or Windows is already included in Docker itself.
Or you can use Docker Compose V1, but then you have to use all commands with a dash (so docker-compose
instead of docker compose
).
Docker Compose file defines MISP itself, MISP Modules, MariaDB and Redis, so everything you need to run MISP. Just run:
curl --proto '=https' --tlsv1.2 -O https://raw.githubusercontent.com/NUKIB/misp/main/docker-compose.yml
docker compose up -d
Then you can access MISP in your browser by accessing http://localhost:8080
. The default user after installation is [email protected]
with the password admin
.
To delete all volumes after testing, run:
docker-compose down -v
When a new MISP is released, also new container image is created. For updating MISP and MISP Modules, just run these commands in the folder that contains docker-compose.yml
file.
These commands will download the latest images and recreate containers. All data will be preserved.
docker compose pull
docker compose up -d
For production usage, please:
- change passwords for MariaDB and Redis,
- modify environment variables to requested values,
- deploy reverse proxy (for example
nginx
) before MISP to handle HTTPS connections.- do not forget to send proper
X-Forwared-For
header
- do not forget to send proper
MISP by default does not require access to Internet. So it is possible to use MISP in air-gapped environment or an environment with blocked outgoing connections. Check AIR-GAP.md for more information.
If you don't trust image built by GitHub Actions and stored in GitHub Container Registry or you want to build a different MISP version, you can build this image by yourself:
docker build --build-arg MISP_VERSION=v2.4.152 -t ghcr.io/nukib/misp https://github.com/NUKIB/misp.git#main
If you don't like AlmaLinux, you can use as a base image different distribution that is compatible with AlmaLinux 8, like CentOS Stream or Rocky Linux:
docker build --build-arg BASE_IMAGE=quay.io/centos/centos:stream8 -t ghcr.io/nukib/misp https://github.com/NUKIB/misp.git#main
Logging is important to keep your MISP secure and in good condition. Check detailed manual how to configure logging
By changing or defining these container environment variables, you can change container behavior.
MISP requires MySQL or MariaDB database.
MYSQL_HOST
(required, string) - hostname or IP addressMYSQL_PORT
(optional, int, default3306
)MYSQL_LOGIN
(required, string) - database userMYSQL_PASSWORD
(optional, string)MYSQL_DATABASE
(required, string) - database name
By default, MISP requires Redis. MISP will connect to Redis defined in REDIS_HOST
variable on port 6379
. Redis alternative Dragonfly is also supported.
REDIS_HOST
(required, string) - hostname or IP addressREDIS_PASSWORD
(optional, string) - password used to connect password-protected Redis instanceREDIS_USE_TLS
(optional, bool) - enable encrypted communication
10
- ZeroMQ connector11
- SimpleBackgroundJobs12
- session data ifPHP_SESSIONS_IN_REDIS
is enabled13
- MISP app
MISP_BASEURL
(required, string) - full URL with https:// or http://MISP_UUID
(required, string) - MISP instance UUID (can be generated byuuidgen
command)MISP_ORG
(required, string) - MISP default organisation nameMISP_HOST_ORG_ID
(optional, int, default1
) - MISP default organisation IDMISP_MODULE_URL
(optional, string) - full URL to MISP modulesMISP_DEBUG
(optional, boolean, defaultfalse
) - enable debug mode (do not enable on production environment)MISP_OUTPUT_COMPRESSION
(optional, boolean, defaulttrue
) - enable or disable gzip or brotli output compression
Check more variables that allow MISP customization.
SMTP_HOST
(optional, string) - SMTP server that will be used for sending emails. SMTP server must support STARTTLS.SMTP_PORT
(optional, int, default25
) - the TCP port for the SMTP host. Must support STARTTLS.SMTP_USERNAME
(optional, string)SMTP_PASSWORD
(optional, string)MISP_EMAIL
(required, string) - the email address that MISP should use for all notificationsMISP_EMAIL_REPLY_TO
(optional, string) - the email address that will be used inReply-To
headerMISP_DEFAULT_PUBLISH_ALERT
(optional, bool, defaultfalse
) - if sending event alert emails should be enabled by default to newly created usersSUPPORT_EMAIL
(optional, string) - the email address that will be included in Apache error pages
GNUPG_SIGN
(optional, boolean, defaultfalse
) - sign outgoing emails by PGPGNUPG_PRIVATE_KEY
(optional, string) - private key used to sign emails sent by MISPGNUPG_PRIVATE_KEY_PASSWORD
(optional, string) - password for PGP private key used to sign emails sent by MISPGNUPG_BODY_ONLY_ENCRYPTED
(optional, boolean, defaultfalse
)
Alternatively, if you want to generate new PGP keys for email signing instead of
providing a key using GNUPG_PRIVATE_KEY
, you can do it by running this command
inside the container:
gpg --homedir /var/www/MISP/.gnupg --full-generate-key --pinentry-mode=loopback --passphrase "password"
SECURITY_SALT
(required, string) - random string (recommended at least 32 chars) used for salting hashed values (you can useopenssl rand -base64 32
output as value)SECURITY_ADVANCED_AUTHKEYS
(optional, boolean, defaultfalse
) - enable advanced auth keys supportSECURITY_HIDE_ORGS
(optional, boolean, defaultfalse
) - hide org names for normal usersSECURITY_ENCRYPTION_KEY
(optional, string) - encryption key with at least 32 chars that will be used to encrypt sensitive information stored in database WARNING: Never change this value after deployment!SECURITY_CRYPTO_POLICY
(optional, string, defaultDEFAULT:NO-SHA1
) - set container wide crypto policies. More details. Use an empty string to keep container default value.SECURITY_REST_CLIENT_ENABLE_ARBITRARY_URLS
(optional, boolean, defaultfalse
) - enable to query any arbitrary URL via rest client (required for Workflows Webhook).
For pulling events from another MISP or fetching feeds MISP requires access to Internet. Set these variables to use HTTP proxy for outgoing connections from MISP.
PROXY_HOST
(optional, string) - The hostname of an HTTP proxy for outgoing sync requests. Leave empty to not use a proxy.PROXY_PORT
(optional, int, default3128
) - The TCP port for the HTTP proxy.PROXY_METHOD
(optional, string) - The authentication method for the HTTP proxy. Currently, supported are Basic or Digest. Leave empty for no proxy authentication.PROXY_USER
(optional, string) - The authentication username for the HTTP proxy.PROXY_PASSWORD
(optional, string) - The authentication password for the HTTP proxy.
Check detailed manual how to configure OIDC login
ZEROMQ_ENABLED
(optional, boolean, defaultfalse
) - enable ZeroMQ integration, server will listen at*:50000
ZEROMQ_USERNAME
(optional, string) - ZeroMQ server usernameZEROMQ_PASSWORD
(optional, string) - ZeroMQ server password
PHP_SESSIONS_IN_REDIS
(optional, boolean, defaulttrue
) - when enabled, sessions are stored in Redis. That provides better performance and sessions survive container restartPHP_SESSIONS_COOKIE_SAMESITE
(optional, string, defaultLax
) - sets session.cookie_samesite, can beStrict
orLax
.PHP_SNUFFLEUPAGUS
(optional, boolean, defaulttrue
) - enable PHP hardening by using Snuffleupagus PHP extension with rules tailored to MISPPHP_TIMEZONE
(optional, string, defaultUTC
) - sets date.timezonePHP_MEMORY_LIMIT
(optional, string, default2048M
) - sets memory_limitPHP_MAX_EXECUTION_TIME
(optional, int, default300
) - sets max_execution_time (in seconds)PHP_UPLOAD_MAX_FILESIZE
(optional, string, default50M
) - sets upload_max_filesize and post_max_sizePHP_XDEBUG_ENABLED
(optional, boolean, defaultfalse
) - enable Xdebug PHP extension for debugging purposes (do not enable on production environment)PHP_XDEBUG_PROFILER_TRIGGER
(optional, string) - secret value forXDEBUG_PROFILE
GET/POST variable that will enable profiling
Automation tasks are run by jobber application, which is managed by supervisor
. Check .jobber
file for tasks definition.
You can change default configuration by modifying these environment variables:
JOBBER_USER_ID
(optional, int, default1
) - MISP user ID which is used in scheduled tasks by Jobber (1 is the user ID of the initial created [email protected] user)JOBBER_CACHE_FEEDS_TIME
(optional, string, default0 R0-10 6,8,10,12,14,16,18
) - Jobber time string for cache feeds task schedulingJOBBER_FETCH_FEEDS_TIME
(optional, string, default0 R0-10 6,8,10,12,14,16,18
) - Jobber time string for fetch feeds task schedulingJOBBER_PULL_SERVERS_TIME
(optional, string, default0 R0-10 6,10,15
) - Jobber time string for pull servers task schedulingJOBBER_CACHE_SERVERS_TIME
(optional, string, default0 R0-10 6,10,15
) - Jobber time string for cache servers task schedulingJOBBER_SCAN_ATTACHMENT_TIME
(optional, string, default0 R0-10 6
) - Jobber time string for scan attachment task schedulingJOBBER_LOG_ROTATE_TIME
(optional, string, default0 0 5
) - Jobber time string for log rotate task schedulingJOBBER_USER_CHECK_VALIDITY_TIME
(optional, string, default0 0 5
) - Jobber time string for updating user role and org or blocking invalid users (makes sense only ifOIDC_OFFLINE_ACCESS
andOIDC_CHECK_USER_VALIDITY
is set)JOBBER_SEND_PERIODIC_SUMMARY
(optional, string, default0 0 6 * * 1-5
) - Jobber time string for sending periodic summary for users (must be just once per day)
If provided time string is empty, job will be disabled.
Supervisor is used to run all processes within the container, you can adjust the amount of workers that should be started by modifying these variables:
DEFAULT_WORKERS
(optional, int, default1
) - number of default workers to startEMAIL_WORKERS
(optional, int, default3
) - number of email workers to startCACHE_WORKERS
(optional, int, default1
) - number of cache workers to startPRIO_WORKERS
(optional, int, default3
) - number of prio workers to startUPDATE_WORKERS
(optional, int, default1
) - number of update workers to start
If one of the variables is set to 0
, no workers will be started.
ECS_
,SYSLOG_
andSENTRY_
are documented in LOGGING.mdOIDC_
are documented in OIDC.md
/var/www/MISP/app/tmp/logs/
- application logs/var/www/MISP/app/files/certs/
- uploaded certificates used for accessing remote feeds and servers/var/www/MISP/app/attachments/
- uploaded attachments and malware samples/var/www/MISP/.gnupg/
- GPG homedir
This software is licensed under GNU General Public License version 3. MISP is licensed under GNU Affero General Public License version 3.
- Copyright (C) 2022-2024 National Cyber and Information Security Agency of the Czech Republic (NÚKIB) 🇨🇿