Add MISP-Guard container (#301)

Author: monjiapawne

.github/workflows/release-latest.yml

@@ -11,7 +11,7 @@ jobs:
 
     strategy:
       matrix:
-        target: [misp-core, misp-modules, misp-core-slim, misp-modules-slim]
+        target: [misp-core, misp-modules, misp-core-slim, misp-modules-slim, misp-guard]
 
     permissions:
       contents: read

.github/workflows/test-build-latest.yml

@@ -10,7 +10,7 @@ jobs:
 
     strategy:
       matrix:
-        target: [misp-core, misp-modules, misp-core-slim, misp-modules-slim]
+        target: [misp-core, misp-modules, misp-core-slim, misp-modules-slim, misp-guard]
 
     steps:
       - name: Checkout repository

README.md

@@ -96,6 +96,58 @@ To override these behaviours edit the docker-compose.yml file's misp-core volume
 If it is just a default setting that is meant to be set if not already set by the user, add it in one of the `*.default.json` files.
 If it is a setting controlled by an environment variable which is meant to override whatever is set, add it in one of the `*.envars.json` files (note that you can still specify a default value).
 
+### MISP-Guard (optional)
+
+[MISP-Guard](https://github.com/MISP/misp-guard) is a mitmproxy add-on designed to apply configurable filters that prevent the unintentional leakage of sensitive threat intelligence data while facilitating controlled information sharing.  
+
+It is disabled by default, but can be enabled using compose profiles.
+
+#### Enabling
+
+1. Enable the profile in your `.env` file:
+```bash
+COMPOSE_PROFILES=misp-guard
+```
+2. Ensure `misp-core` is configured to use a proxy:
+```bash
+PROXY_ENABLE=true
+PROXY_HOST=misp-guard
+# this must match GUARD_PORT (DEFAULT=8888)
+PROXY_PORT=8888
+```
+
+#### Configuration
+
+- Rules are defined in `guard/config.json`.
+- The container automatically replaces the `misp-core` IP at runtime using `entrypoint.sh`.
+
+The following format is required to target the misp-core, the IP is replaced with the misp-core container's IP at runtime.
+```json
+{
+    "instances": {
+        "misp_container": {
+            "ip": "placeholder"
+         }
+    }
+}
+```
+
+- After making changes to `guard/config.json` restart the container to apply the changes:
+```bash
+docker compose restart misp-guard
+```
+
+#### Environment Variables
+
+```bash
+# Port for misp-guard to listen on (must match PROXY_PORT)
+# Default: 8888
+GUARD_PORT=8888
+
+# optional: mitmdump misp-guard runtime arguments (space separated, no quotes)
+GUARD_ARGS=--ssl-insecure -v
+```
+
 ### Authentication
 
 #### LDAP Authentication

docker-bake.hcl

@@ -74,6 +74,14 @@ variable "CORE_COMMIT" {
   default = ""
 }
 
+variable "GUARD_TAG" {
+  default = ""
+}
+
+variable "GUARD_COMMIT" {
+  default = ""
+}
+
 variable "PHP_VER" {
   default = null
 }
@@ -84,6 +92,7 @@ group "default" {
     "misp-modules-slim",
     "misp-core",
     "misp-core-slim",
+    "misp-guard",
   ]
 }
 
@@ -160,3 +169,14 @@ target "misp-core-slim" {
   }
   platforms = "${PLATFORMS}"
 }
+
+target "misp-guard" {
+  context = "guard/."
+  dockerfile = "Dockerfile"
+  tags = flatten(["${NAMESPACE}/misp-guard:latest", "${NAMESPACE}/misp-guard:${COMMIT_HASH}", GUARD_TAG != "" ? ["${NAMESPACE}/misp-guard:${GUARD_TAG}"] : []])
+  args = {
+    "GUARD_TAG": "${GUARD_TAG}",
+    "GUARD_COMMIT": "${GUARD_COMMIT}"
+  }
+  platforms = "${PLATFORMS}"
+}

docker-compose.yml

@@ -276,6 +276,31 @@ services:
       - "./custom/export_mod/:/custom/export_mod/:Z"
       - "./custom/import_mod/:/custom/import_mod/:Z"
 
+  misp-guard:
+    profiles:
+      - misp-guard
+    image: ghcr.io/misp/misp-docker/misp-guard:${GUARD_RUNNING_TAG:-latest}
+    build:
+      context: guard/.
+      args:
+        - GUARD_TAG=${GUARD_TAG:?Missing .env file, see README.md for instructions}
+        - GUARD_COMMIT=${GUARD_COMMIT}
+    depends_on:
+      - misp-core
+    ports:
+      - "${GUARD_PORT:-8888}:${GUARD_PORT:-8888}"
+    environment:
+      - "GUARD_PORT=${GUARD_PORT:-8888}"
+      - "GUARD_ARGS=${GUARD_ARGS}"
+    volumes:
+      - ./guard/config.json:/config.json:ro
+    healthcheck:
+      test: "/bin/bash -c '</dev/tcp/localhost/${GUARD_PORT:-8888}'"
+      interval: 2m
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+      
+
 volumes:
     mysql_data:
-

guard/Dockerfile

@@ -0,0 +1,48 @@
+ARG DOCKER_HUB_PROXY=""
+
+FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm" AS python-build
+    ENV DEBIAN_FRONTEND=noninteractive
+    ARG GUARD_TAG
+    ARG GUARD_COMMIT
+
+    RUN <<-EOF
+        apt-get update
+        apt-get install -y --no-install-recommends \
+            ca-certificates \
+            git
+        apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+EOF
+
+    RUN mkdir /wheels
+
+    RUN <<-EOF
+        if [ ! -z ${GUARD_COMMIT} ]; then
+            git clone https://github.com/MISP/misp-guard.git /srv/misp-guard && cd /srv/misp-guard && git checkout ${GUARD_COMMIT}
+        else
+            git clone --branch ${GUARD_TAG} --depth 1 https://github.com/MISP/misp-guard.git /srv/misp-guard
+        fi
+EOF
+
+    WORKDIR /srv/misp-guard/src
+    RUN pip wheel -r requirements.txt --no-cache-dir -w /wheels/
+
+
+
+FROM "${DOCKER_HUB_PROXY}python:3.12-slim-bookworm"
+    ENV DEBIAN_FRONTEND=noninteractive
+
+    RUN <<-EOF
+        apt-get update
+        apt-get install -y --no-install-recommends \
+            jq
+        apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+EOF
+
+    COPY --from=python-build /wheels /wheels
+    RUN pip install --no-cache-dir /wheels/*.whl && rm -rf /wheels
+
+    COPY --from=python-build /srv /srv
+    COPY files/ /
+
+    WORKDIR /srv/misp-guard/src
+    ENTRYPOINT [ "/entrypoint.sh" ]

guard/config.json

@@ -0,0 +1,59 @@
+{
+    "allowlist": {
+        "urls": [],
+        "domains": []
+    },
+    "compartments_rules": {
+        "can_reach": {
+            "compartment_1": [
+                "compartment_1"
+            ]
+        }
+    },
+    "instances": {
+        "misp_container": {
+            "ip": "AUTO_REPLACED_AT_RUNTIME",
+            "host": "local-misp",
+            "port": 443,
+            "compartment_id": "compartment_1",
+            "affiliation": "internal",
+            "taxonomies_rules": {
+                "required_taxonomies": [],
+                "allowed_tags": {},
+                "blocked_tags": [
+                    "tlp:red"
+                ]
+            },
+            "blocked_distribution_levels": [],
+            "blocked_sharing_groups_uuids": [],
+            "blocked_attribute_types": [],
+            "blocked_attribute_categories": [],
+            "blocked_object_types": []
+        },
+        "partner_example": {
+            "ip": "10.0.0.1",
+            "host": "partner.misp.org",
+            "port": 443,
+            "compartment_id": "compartment_1",
+            "affiliation": "partner",
+            "taxonomies_rules": {
+                "required_taxonomies": [],
+                "allowed_tags": {
+                    "tlp": [
+                        "tlp:clear",
+                        "tlp:white",
+                        "tlp:green"
+                    ]
+                },
+                "blocked_tags": [
+                    "tlp:red"
+                ]
+            },
+            "blocked_distribution_levels": [],
+            "blocked_sharing_groups_uuids": [],
+            "blocked_attribute_types": [],
+            "blocked_attribute_categories": [],
+            "blocked_object_types": []
+        }
+    }
+}

guard/files/entrypoint.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Entry point for misp-guard.
+# This ensures MISP-core's IP is set at runtime when misp-guard starts.
+# config.json must reflect this structure to ensure the source container is targeted
+# {
+#   "instances": {
+#     "misp_container": {
+#       "ip": "placeholder"
+#     }
+#   }
+# }
+
+
+set -e
+
+# resolve misp-core from docker dns
+MISP_IP=$(getent hosts misp-core | awk '{print $1}')
+
+# replace runtime ip into config.json
+jq --arg ip "$MISP_IP" \
+   '.instances.misp_container.ip = $ip' \
+   /config.json > /srv/misp-guard/src/config.json
+
+exec mitmdump -s mispguard.py -p ${GUARD_PORT:-8888} ${GUARD_ARGS:+$GUARD_ARGS} --set config=config.json

template.env

@@ -6,6 +6,7 @@ CORE_TAG=v2.5.21
 # CORE_FLAVOR=full
 MODULES_TAG=v3.0.2
 # MODULES_FLAVOR=full
+GUARD_TAG=v1.2
 PHP_VER=20220829
 
 # PYPY_* vars take precedence over MISP's
@@ -26,13 +27,16 @@ PYPI_SUPERVISOR_VERSION="==4.2.5"
 # CORE_COMMIT=0bba3f5
 # MODULES_COMMIT takes precedence over MODULES_TAG
 # MODULES_COMMIT=de69ae3
+# GUARD_COMMIT takes precedence over GUARD_TAG
+# GUARD_COMMIT=370b043
 
 ##
 # Run-time variables
 ##
 
 # CORE_RUNNING_TAG=latest
 # MODULES_RUNNING_TAG=latest
+# GUARD_RUNNING_TAG=latest
 
 # Email/username for user #1, defaults to MISP's default (admin@admin.test)
 ADMIN_EMAIL=
@@ -204,14 +208,28 @@ SYNCSERVERS_1_PULL_RULES=
 # AAD_MISP_SITEADMIN="Misp Site Admins"
 # AAD_CHECK_GROUPS=false
 
-# Enable the use of a Proxy server
+# Enable the use of a Proxy server (MISP-Guard or external)
 # PROXY_ENABLE=true
 # PROXY_HOST=
 # PROXY_PORT=
 # PROXY_METHOD=
 # PROXY_USER=
 # PROXY_PASSWORD=
 
+## MISP-Guard
+# Configure rules in ./guard/config.json.
+# Requires restart of misp-guard container after changes.
+
+# Toggle to enable MISP-Guard container (optional)
+# COMPOSE_PROFILES=misp-guard
+# If you enable MISP-Guard, you must also configure MISP to use it as a proxy:
+# PROXY_PORT must match GUARD_PORT
+
+# MISP-Guard runtime flags (optional)
+# GUARD_PORT=8888
+# mitmdump misp-guard runtime arguments (space separated, no quotes)
+# GUARD_ARGS=--ssl-insecure -v
+
 # Enable debugging
 # ALWAYS SET THIS TO 0 IN PRODUCTION
 # 0 - Debug off (default)