- Installation Guide
- If you are interested in checking out OpenFISMA really quickly and you do not want to go through the process of installing it or do not have a free server to try it out on, consider using our online demo site (currently inactive). The demo site gives you full administrator access to a working OpenFISMA application. Feel free to try anything. The demo server is wiped once each day so any changes you make will be lost.
- Overview
- The installation is fairly complicated because there are a lot of different ways to customize your installation, and each Linux distribution may have slightly different tools, file paths, and usernames. It may not be possible for us to document every possible permutation of these variations, but in this document we have tried to be as comprehensive as possible. You will need moderate Linux sysadmin experience to use the advanced install procedure. If you do run into any trouble or if you have any feedback on these instructions or the installation process overall.
- Standards and Conventions
- Throughout the documentation, filenames, daemons and executables are indicated with a courier font. Command line options and keywords will also be printed with the courier font. Command line options may or may not include the command line prompt and output text from the results of the command. Below is an example running of the Unix pwd command.
- # pwd
- /usr/share/openfisma (OpenSUSE 12.1)
- /var/www/html/openfisma (CentOS 6.5)
- Caveats
- Please note that the goal of this guide is to get you up and running with OpenFISMA! As such, we have skipped over some of the security hardening that you would ordinarily want to perform in a production environment. We also won't delve into any performance tuning in this guide.
- Before You Get Started
- This installation process will take several hours, although there are steps that can run unattended for a while so you don't have to be glued to your screen for the next 2 hours.
- Here are the items you will need:
- • A Linux server. (OpenFISMA runs fine in a VMWare guest.)
- • Apache is already installed and you have verified that it works.
- • MySQL is already installed and you have verified that it works.
- If you are using CentOS 6.5, you will have to configure SELinux:
- # Install SELinux config tool.
- $ sudo yum install -y policycoreutils-python
- # Check the current SELinux status
- $ sudo sestatus
- # Add the Solr port (8983) to the SELinux policy as an HTTP port
- $ sudo semanage port -a -t http_port_t -p tcp 8983
- $ reboot
- Note1: If your server doesn’t have any swap (e.g. like AWS Linux distro), you may have an error. Make swap and configure SELinux again.
- Note2: On CentOS (Red Hat), you may need to configure a firewall for http/https.
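An idempotent form of the SELinux step above, added here as an example (it is not part of the guide): it reads the current policy first and calls semanage only when 8983/tcp is not yet covered by http_port_t, so re-running it after the reboot the guide mentions is harmless. The `semanage port -l` line layout it parses ("type proto port, port, lo-hi ...") is the one seen on CentOS 6/7 and is an assumption; the listing in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the guide. Checks SELinux port labelling before changing it.
# Assumed `semanage port -l` layout (constructed sample):
#   http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
#   ephemeral_port_t               tcp      32768-60999

# Return 0 if port $3/$2 is covered by SELinux port type $1 in the listing on stdin.
selinux_port_labelled() {
    awk -v t="$1" -v proto="$2" -v port="$3" '
        $1 == t && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)                 # strip the trailing comma
                if (p == port) found = 1
                n = split(p, r, "-")             # ranges such as 32768-60999
                if (n == 2 && r[1] + 0 <= port + 0 && port + 0 <= r[2] + 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Add the Solr port to http_port_t only if it is missing; report the outcome either way.
ensure_solr_port() {
    if semanage port -l | selinux_port_labelled http_port_t tcp 8983; then
        echo "8983/tcp is already labelled http_port_t"
    else
        semanage port -a -t http_port_t -p tcp 8983 && echo "8983/tcp added to http_port_t"
    fi
}

# Run with --apply on the server (as root); without arguments only the functions are defined.
if [ "${1:-}" = "--apply" ]; then
    ensure_solr_port
fi
```

Run `sh selinux-solr-port.sh --apply` after installing policycoreutils-python; a second run reports the port as already labelled instead of failing with "port already defined".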
- Placeholders
- In order to simplify the installation across different Linux distributions, we will often use placeholders in this document. Placeholders are words wrapped in angle brackets, like this: <user>. When you see a placeholder, you'll need to replace it with the value of that placeholder which makes sense for your system.
- All of the placeholders used in this document are defined in the table below.
- Placeholder   Fedora / Red Hat / CentOS   Debian / Ubuntu   OpenSUSE
- <group>       apache                      www-data          www
- <user>        apache                      www-data          wwwrun
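The table above can be turned into shell variables so the later chown, sudo -u and crontab steps use the right account automatically. This is an added example, not part of the guide: the os-release IDs it matches and the Debian/Ubuntu install directory (/usr/share/openfisma, the guide's default) are assumptions; the CentOS and OpenSUSE directories are the two the guide uses.

```shell
#!/bin/sh
# Added example, not from the guide: resolve <user>, <group> and the install
# directory from the distribution family in /etc/os-release.

# Read ID= from an os-release file ($1, default /etc/os-release); prints e.g. "centos".
detect_distro_id() {
    file="${1:-/etc/os-release}"
    [ -r "$file" ] || return 1
    sed -n 's/^ID=//p' "$file" | tr -d '"'
}

# Export OF_USER, OF_GROUP and OF_HOME for a distribution ID; returns 1 if unknown.
resolve_placeholders() {
    case "$1" in
        fedora|rhel|centos)
            OF_USER=apache;   OF_GROUP=apache;   OF_HOME=/var/www/html/openfisma ;;
        debian|ubuntu)
            OF_USER=www-data; OF_GROUP=www-data; OF_HOME=/usr/share/openfisma ;;   # path assumed
        opensuse*|suse|sles)
            OF_USER=wwwrun;   OF_GROUP=www;      OF_HOME=/usr/share/openfisma ;;
        *)
            echo "no placeholder mapping for distribution '$1'" >&2
            return 1 ;;
    esac
    export OF_USER OF_GROUP OF_HOME
}

# Confirm the resolved account exists before handing files to it with chown -R;
# a typo in the user name would otherwise abort that step half-way.
placeholder_user_exists() {
    getent passwd "$1" > /dev/null 2>&1
}

# Stand-alone use: print the values for the local system.
if distro=$(detect_distro_id 2>/dev/null) && resolve_placeholders "$distro" 2>/dev/null; then
    echo "OF_USER=$OF_USER OF_GROUP=$OF_GROUP OF_HOME=$OF_HOME"
fi
```

Source the file (`. ./placeholders.sh`) and the remaining commands can be written once as `sudo chown -R "$OF_USER:$OF_GROUP" "$OF_HOME"` instead of in a per-distribution variant.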
- Step 1 - Get OpenFISMA
- Go to the OpenFISMA website and click on the "Download" link on our home page. You'll need to log in to access the download links. Copy the URL for the release you want to download. In this example, I'm going to use "http://openfisma.org/sites/default/files/OpenFISMA-3.3.0.tgz" as my download URL.
- $ cd
- $ wget https://bitbucket.org/openfisma-ondemand/openfisma/downloads/OpenFISMA-3.3.0.tgz
- $ tar -xzf OpenFISMA-3.3.0.tgz
- # OpenSUSE
- $ sudo mv openfisma-3.3.0/ /usr/share/openfisma
- # CentOS (Red Hat)
- $ sudo mv openfisma-3.3.0 /var/www/html/openfisma
- (If you install to a different directory, you may need to add that location to the SELinux policy.)
- You can put your installation in a different place if you really want to, but this document assumes that you have put it in /usr/share/openfisma (OpenSUSE) or /var/www/html/openfisma (CentOS).
- Step 2 - Configure OpenFISMA environment
- OpenFISMA provides search functionality throughout the application. Under the hood, this search functionality is powered by Solr. Solr is an open source search engine created by the Apache Foundation, the same non-profit organization that created the very popular Apache web server. Along with the Solr extension, OpenFISMA requires the PHP extensions listed in the PHP Configuration section to function properly.
- Install PHP 5.3.x and Extension Packages
- Install the PHP5 extension packages used by OpenFISMA:
- # OpenSUSE
- $ sudo zypper install -f php5.3.x
- $ sudo zypper install php-bcmath php-ctype php-curl php-devel php-dom php-enchant php-fileinfo php-iconv php-json php-ldap php-mbstring php-mysql php-openssl php-pdo php-pear php-sqlite php-tokenizer php-xmlreader php-xmlwriter php-zip php-zlib
- # CentOS (Red Hat)
- $ sudo yum install php
- $ sudo yum install php-bcmath php-ctype php-curl php-devel php-dom php-enchant php-fileinfo php-iconv php-json php-ldap php-mbstring php-mysql php-openssl php-pdo php-pear php-sqlite php-tokenizer php-xmlreader php-xmlwriter php-zip php-zlib
- Install libs
- # OpenSUSE
- $ sudo zypper install gcc
- $ sudo zypper install libcurl libcurl-devel pear libxml2-devel pcre-devel
- # CentOS (Red Hat)
- $ sudo yum install gcc
- $ sudo yum install libcurl libcurl-devel pear libxml2-devel pcre-devel
- Install JDK
- # OpenSUSE
- $ sudo zypper install java-1.8.0-openjdk java-1.8.0-openjdk-devel
- # CentOS (Red Hat)
- $ sudo yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel
- Application Configuration
- PHP Configuration
- Make sure the following modules are installed:
- php5-mysql, php5-fileinfo, php5-bcmath, php5-imagick, php5-mbstring, php5-ldap, php5-zip, php5-zlib, php5-xmlwriter, php5-xmlreader, php5-tokenizer, php5-openssl, php5-pdo, php5-sqlite, php5-ctype, php5-dom, php5-hash, php5-iconv
- For CentOS, by running the php install commands above, we capture all of the php modules we need.
- Apache2 Configuration
- # Enable PHP and rewrite modules
- $ sudo a2enmod php5
- $ sudo a2enmod rewrite
- MySQL Configuration
- # Add the following to force UTF-8. Without it, the SQL import will fail.
- [mysqld]
- init_connect='SET collation_connection = utf8_unicode_ci'
- init_connect='SET NAMES utf8'
- character-set-server=utf8
- collation-server=utf8_unicode_ci
- skip-character-set-client-handshake
- Create an account and database for OpenFISMA
- $ mysql -h localhost -u root -p
- mysql> create database openfisma;
- mysql> create user 'openfisma'@'localhost' identified by '<StrongPassword>';
- mysql> grant all on *.* TO 'openfisma'@'localhost' with grant option;
- mysql> flush privileges;
- mysql> exit;
- Install APC extension for PHP
- # OpenSUSE
- $ sudo pear install pecl/APC
- (answer "no" to all prompts)
- $ sudo touch /etc/php5/conf.d/apc.ini
- $ sudo vi /etc/php5/conf.d/apc.ini
- #Add below
- extension=apc.so
- apc.shm_size=128M
- apc.stat=0
- apc.rfc1867=1
- apc.write_lock=1
- apc.slam_defense=0
- # CentOS (Red Hat)
- $ sudo pecl install APC-3.1.6
- (answer "no" to all prompts, or add the -a option)
- $ sudo touch /etc/php.d/apc.ini
- $ sudo vi /etc/php.d/apc.ini
- #Add below
- extension=apc.so
- apc.shm_size=128M
- apc.stat=0
- apc.rfc1867=1
- apc.write_lock=1
- apc.slam_defense=0
- Install solr extension for PHP
- # OpenSUSE
- $ sudo pear install pecl/solr
- (answer: /usr/local)
- $ sudo touch /etc/php5/conf.d/solr.ini
- $ sudo vi /etc/php5/conf.d/solr.ini
- # Add below
- extension=solr.so
- # CentOS (Red Hat)
- $ sudo pear install pecl/solr
- (answer: /usr/local)
- $ sudo touch /etc/php.d/solr.ini
- $ sudo vi /etc/php.d/solr.ini
- extension=solr.so
- Configure openfisma_solr
- # OpenSUSE
- # Copy Solr module
- $ sudo cp /usr/share/openfisma/scripts/rpm/openfisma_solr_suse /etc/init.d/openfisma_solr
- $ sudo vi /etc/init.d/openfisma_solr
- LOG_FILE="/usr/share/openfisma/data/logs/solr.log"
- $ sudo chmod u+x /etc/init.d/openfisma_solr
- $ sudo systemctl start apache2
- $ sudo systemctl start mysql
- $ sudo systemctl start openfisma_solr
- (status, restart and stop are available)
- # CentOS (Red Hat)
- # Copy Solr module
- $ sudo cp /var/www/html/openfisma/scripts/rpm/openfisma_solr_rhel /etc/init.d/openfisma_solr
- $ sudo vi /etc/init.d/openfisma_solr
- SOLR_DIR=/var/www/html/openfisma/library/Solr
- LOG_FILE=/var/www/html/openfisma/data/logs/solr.log
- $ sudo chmod +x /etc/init.d/openfisma_solr
- # Start apache2, MySQL and openfisma_solr
- $ sudo service apache2 start
- $ sudo service mysql start
- $ sudo service openfisma_solr start
- (status, restart and stop are available)
- Step 3 - Configure OpenFISMA
- This guide assumes you are using MySQL and that it is already installed and working properly. If you have just installed mysql, you should set a password for the root account.
- Next we need to create the configuration file by copying database.ini.template to database.ini and editing it.
- # OpenSUSE
- $ cd /usr/share/openfisma/application/config/
- $ cp database.ini.template database.ini
- $ vi database.ini
- # Edit below section
- db.adapter = mysql
- db.host = localhost
- db.port = 3306
- db.username = openfisma
- db.password = <StrongPassword>
- db.schema = openfisma
- # CentOS
- $ cd /var/www/html/openfisma/application/config
- $ cp database.ini.template database.ini
- $ vi database.ini
- # Edit below section
- db.adapter = mysql
- db.host = localhost
- db.port = 3306
- db.username = openfisma
- db.password = <StrongPassword>
- db.schema = openfisma
- Several files and directories need to be writeable for OpenFISMA to function properly. To accomplish this we will run the following commands.
- # OpenSUSE
- $ sudo chown -R wwwrun:www /usr/share/openfisma
- $ sudo find /usr/share/openfisma -type d -exec chmod 775 {} \;
- $ sudo find /usr/share/openfisma -type f -exec chmod 775 {} \;
- # CentOS (Red Hat)
- $ sudo chown -R apache:apache /var/www/html/openfisma
- $ sudo find /var/www/html/openfisma -type d -exec chmod 775 {} \;
- $ sudo find /var/www/html/openfisma -type f -exec chmod 775 {} \;
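The database.ini step and the permission step above interact: database.ini holds the database password, and the blanket chmod 775 over every file leaves it readable by any local account. The script below, an added example that is not part of the guide or of OpenFISMA, generates database.ini from the template with the password taken from the environment (so it never appears on a command line or in shell history) and restricts the file to the web server account. It covers the six db.* keys shown above; the OF_USER/OF_GROUP names are the guide's placeholders and must be set by the caller. Run it after the chmod step, not before.

```shell
#!/bin/sh
# Added example, not from the guide: write application/config/database.ini from
# database.ini.template and keep it readable only by <user>:<group>.

write_database_ini() {
    # $1: config directory containing database.ini.template
    conf_dir="$1"
    tpl="$conf_dir/database.ini.template"
    out="$conf_dir/database.ini"
    [ -r "$tpl" ] || { echo "template not found: $tpl" >&2; return 1; }
    [ -n "$OPENFISMA_DB_PASSWORD" ] || { echo "OPENFISMA_DB_PASSWORD is not set" >&2; return 1; }
    # '|' is the sed delimiter and '&' / '\' are special in the replacement;
    # refuse such passwords rather than silently writing a corrupted value.
    case "$OPENFISMA_DB_PASSWORD" in
        *'|'*|*'&'*|*'\'*) printf '%s\n' "password contains |, & or \\ ; choose another" >&2; return 1 ;;
    esac
    # umask 027 in a subshell: the file is created 0640 and is never briefly world-readable.
    ( umask 027
      sed -e "s|^db\.adapter *=.*|db.adapter = mysql|" \
          -e "s|^db\.host *=.*|db.host = ${OPENFISMA_DB_HOST:-localhost}|" \
          -e "s|^db\.port *=.*|db.port = ${OPENFISMA_DB_PORT:-3306}|" \
          -e "s|^db\.username *=.*|db.username = ${OPENFISMA_DB_USER:-openfisma}|" \
          -e "s|^db\.password *=.*|db.password = $OPENFISMA_DB_PASSWORD|" \
          -e "s|^db\.schema *=.*|db.schema = ${OPENFISMA_DB_SCHEMA:-openfisma}|" \
          "$tpl" > "$out" )
    chmod 0640 "$out"
    # Only root can hand the file to the web server account; otherwise ownership is left alone.
    if [ "$(id -u)" -eq 0 ] && [ -n "$OF_USER" ]; then
        chown "$OF_USER:${OF_GROUP:-$OF_USER}" "$out"
    fi
}

# Permission string of a file (e.g. -rw-r-----), portable across ls implementations.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage on the server:
#   OPENFISMA_DB_PASSWORD='...' OF_USER=wwwrun OF_GROUP=www \
#     sudo -E sh write-database-ini.sh /usr/share/openfisma/application/config
if [ $# -gt 0 ]; then
    write_database_ini "$1"
fi
```

Because PHP runs as <user>, 0640 with group <group> is enough for the application to read the file while other local accounts cannot; check with `ls -l database.ini` after the guide's chmod step if you ran them in the other order.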
- Now we should be ready to build the database. This command will create the database and all the tables as well as create the administrator (root) account in the system:
- # OpenSUSE
- $ sudo -u wwwrun php /usr/share/openfisma/scripts/bin/doctrine.php -b
- # CentOS (Red Hat)
- $ sudo -u apache php /var/www/html/openfisma/scripts/bin/doctrine.php -b
- Or, if you would like to have OpenFISMA populate the application with some sample data, run this command instead:
- # OpenSUSE
- $ sudo -u wwwrun php /usr/share/openfisma/scripts/bin/doctrine.php -bs
- # CentOS (Red Hat)
- $ sudo -u apache php /var/www/html/openfisma/scripts/bin/doctrine.php -bs
- If you need additional sample data, you can use the commands below.
- # OpenSUSE
- $ sudo -u wwwrun /usr/share/openfisma/scripts/bin/generate-users.php -n 100
- $ sudo -u wwwrun /usr/share/openfisma/scripts/bin/generate-systems.php -n 100
- $ sudo -u wwwrun /usr/share/openfisma/scripts/bin/generate-findings.php -n 100
- $ sudo -u wwwrun /usr/share/openfisma/scripts/bin/generate-incidents.php -n 100
- $ sudo -u wwwrun /usr/share/openfisma/scripts/bin/generate-vulnerabilities.php -n 100
- # CentOS (Red Hat)
- $ sudo -u apache /var/www/html/openfisma/scripts/bin/generate-users.php -n 100
- $ sudo -u apache /var/www/html/openfisma/scripts/bin/generate-systems.php -n 100
- $ sudo -u apache /var/www/html/openfisma/scripts/bin/generate-findings.php -n 100
- $ sudo -u apache /var/www/html/openfisma/scripts/bin/generate-incidents.php -n 100
- $ sudo -u apache /var/www/html/openfisma/scripts/bin/generate-vulnerabilities.php -n 100
- To rebuild the search index, use the command below (-a means all models):
- # OpenSUSE
- $ sudo -u wwwrun /usr/share/openfisma/scripts/bin/rebuild-index.php -a
- # CentOS (Red Hat)
- $ sudo -u apache /var/www/html/openfisma/scripts/bin/rebuild-index.php -a
- Or rebuild the index one model at a time (run from the OpenFISMA directory):
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m Asset
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m Finding
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m Incident
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m IrSubCategory
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m IrWorkflowDef
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m Network
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m Organization
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m OrganizationType
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m Product
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m Role
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m SecurityControl
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m SecurityControlCatal
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m Source
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m System
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m SystemDocument
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m SystemType
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m User
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m Vulnerability
- sudo -u wwwrun ./scripts/bin/rebuild-index.php -m VulnerabilityResolut
- Step 4 - Configure the Webserver
- FIPS 140-2 Compliance
- SSL configuration for OpenFISMA is outside the scope of this installation manual. If your installation needs to comply with FIPS 140-2, the following directive must be added to your global Apache configuration:
- SSLCipherSuite -ALL:DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:DHA-RSA-AES128-SH
- For OpenFISMA to function correctly the Apache rewrite module must be enabled. How you enable it varies between Linux distributions; the commands below are known to work for Debian, Ubuntu, OpenSUSE, SLES, and Fedora. Apache will need to be restarted before this change takes effect.
- # a2enmod rewrite
- # /etc/init.d/apache2 restart OR /etc/init.d/httpd restart [Depending on OS Version]
- Next you will need to provide Apache with a configuration file for OpenFISMA. Configuration file locations vary by operating system: some Apache packages use a conf.d directory while others use a vhost directory. You will need to figure out the correct placement of this file for your operating system. The binary installation method will take care of this for you. We have provided an example configuration file for you below.
- Example Apache Configuration File
- # Virtual Host for serving access to OpenFISMA
- <VirtualHost *:80>
- # EDIT THIS ENTRY!
- # Hostname and port that the server uses to identify itself
- # ServerName fully-qualified-domain-name[:port]
- ServerName openfisma.example.gov
- # Instructs apache to remove Trace and Track messages from the
- # header response.
- RewriteEngine on
- RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
- RewriteRule .* - [F]
- TraceEnable off
- UseCanonicalName On
- # Sets the Document Root for apache to serve files
- DocumentRoot "/usr/share/openfisma/public"
- # Sets the permissions on the document root directory
- <Directory "/usr/share/openfisma/public">
- <LimitExcept GET POST>
- deny from all
- </LimitExcept>
- Order allow,deny
- allow from all
- # Allow Options and php_admin flags to be specified in .htaccess
- # files which override any settings defined here
- AllowOverride FileInfo Options Indexes
- # Instructs Apache to (1) follow symbolic links if owners match
- # (required for RewriteEngine), (2) not list directory contents,
- # (3) not follow symbolic links, (4) disables server side includes,
- # (5) disables content negotiation, and (6) disables execution of
- # CGI scripts
- Options +SymLinksIfOwnerMatch -Indexes -FollowSymLinks -Includes -MultiViews -ExecCGI
- </Directory>
- <IfModule mod_php5.c>
- # Disables allow_url_fopen
- php_admin_flag allow_url_fopen Off
- # Disables allow_url_include
- php_admin_flag allow_url_include Off
- # Enable PHP stealth mode
- php_admin_flag expose_php Off
- </IfModule>
- </VirtualHost>
- For CentOS 6.5, if you want to run SSL:
- CentOS puts files into /etc/httpd, including the conf directory which contains httpd.conf, conf.d which contains ssl.conf, logs, modules, and run.
- If you need to install a self-signed certificate (necessary for an OpenFISMA server using a private IP), follow the steps on this website:
- http://wiki.centos.org/HowTos/Https
- Unless you are running SELinux, stop after copying the files into their appropriate directories.
- Otherwise, if you already have the appropriate certificate files, adjust the appropriate entries in the ssl.conf file below, and make sure they are placed in the /etc/pki/tls directories, according to type:
- .pem goes into /etc/pki/tls
- .crt goes into /etc/pki/tls/certs
- .key goes into /etc/pki/tls
- .csr goes into /etc/pki/tls/private
- In the /etc/httpd/conf/httpd.conf file, you will need to change the ServerName, and under the first <Directory /> in the file make sure it’s like this:
- <Directory />
- AllowOverride FileInfo Options Indexes
- Options +SymLinksIfOwnerMatch -Indexes -FollowSymLinks -Includes -Multiviews -ExecCGI
- <LimitExcept GET POST>
- deny from all
- </LimitExcept>
- </Directory>
- Make sure to remove any other references to AllowOverride, and Options. The above should be the only ones in the httpd.conf file. For example, there are the default Directory settings (first in the httpd.conf file) and then after that Directory settings for /var/www/html. At least make them consistent. If you attempt to log in later to OpenFISMA and get an error of something like “path not found: /auth/login” these settings are the problem.
- In the /etc/httpd/conf.d/ssl.conf file, for <VirtualHost _default_:443> make sure it includes this:
- DocumentRoot "/var/www/html/openfisma/public"
- ServerName yourserver.domain.com:443
- RewriteEngine on
- RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
- RewriteRule .* - [F]
- UseCanonicalName On
- <IfModule mod_php5.c>
- # Disables allow_url_fopen
- php_admin_flag allow_url_fopen Off
- # Disables allow_url_include
- php_admin_flag allow_url_include Off
- # Enable PHP stealth mode
- php_admin_flag expose_php Off
- </IfModule>
- Then restart httpd:
- $ sudo service httpd restart
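Both virtual-host fragments above (the port-80 example and the ssl.conf additions) are meant to carry the same hardening directives, and it is easy to lose one when editing by hand. The check below is an added example, not part of the guide or of OpenFISMA: it strips comment lines and then looks for each directive the guide relies on, across as many files as you pass (on CentOS that is typically httpd.conf plus ssl.conf, because a directive such as TraceEnable may live in either). It only inspects text; it does not replace `apachectl -t` for syntax or a request-level test after the restart.

```shell
#!/bin/sh
# Added example, not from the guide: verify that an Apache configuration still
# contains the hardening directives from the guide's virtual host examples.

check_apache_hardening() {
    # $@: one or more Apache config files (httpd.conf, a vhost file, ssl.conf).
    # Prints one MISSING line per absent directive; returns 0 when all are present,
    # 1 when something is missing, 2 when a file cannot be read.
    for f in "$@"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    done
    # Drop comment lines so a commented-out "# TraceEnable off" does not count.
    cfg=$(sed 's/^[[:space:]]*#.*//' "$@")
    missing=0
    # Each entry is "description|literal text to find" (matched case-insensitively,
    # as Apache treats directive names and On/Off values).
    for check in \
        'TraceEnable off|TraceEnable off' \
        'RewriteCond on REQUEST_METHOD for TRACE/TRACK|^TRAC(E|K)' \
        'RewriteRule .* - [F] (403 for TRACE/TRACK)|RewriteRule .* - [F]' \
        'LimitExcept GET POST|<LimitExcept GET POST>' \
        'Options -Indexes (no directory listings)|-Indexes' \
        'Options -ExecCGI (no CGI execution)|-ExecCGI' \
        'php_admin_flag allow_url_fopen Off|allow_url_fopen Off' \
        'php_admin_flag allow_url_include Off|allow_url_include Off' \
        'php_admin_flag expose_php Off|expose_php Off'
    do
        desc=${check%%|*}
        needle=${check#*|}
        if printf '%s\n' "$cfg" | grep -Fiq -- "$needle"; then
            :
        else
            echo "MISSING: $desc"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh check-apache-hardening.sh /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf
if [ $# -gt 0 ]; then
    check_apache_hardening "$@" && echo "all hardening directives present"
fi
```

Run it once on the guide's port-80 example and once on the ssl.conf fragment; the SSL fragment as shown above has no TraceEnable line of its own, so pass httpd.conf alongside it or add the directive there.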
- SSL Configuration
- We strongly urge you to configure SSL on your server. In fact, OpenFISMA prevents you from logging in over an insecure (non-SSL) connection. However, if you do not configure SSL on your server, then you will need to edit the following line in your OpenFISMA application/config/application.ini file:
- resources.session.cookie_secure = false
- The default value is "true", but by changing it to "false" you are telling OpenFISMA to let users log in over unsecure connections.
- Step 5 - Re-Index Content
- Whenever you change backends, you will need to re-index all of your content. You should shut down your web server while you do this to prevent conflict with any users. Re-indexing can take several hours depending on the amount of data you have.
- OpenFISMA includes two tools for modifying indexes from the command line, in the openfisma/scripts/bin directory:
- 1. delete-index.php
- 2. rebuild-index.php
- Step 6 - Configure Cron
- OpenFISMA requires two cron jobs to be run on different intervals for Email notifications, caching, and indexing.
- To edit your crontab file run:
- # OpenSUSE
- $ sudo -u wwwrun crontab -e
- # CentOS (Red Hat)
- $ sudo -u apache crontab -e
- This will launch your default editor upon your crontab file (creating it if necessary). When you save the file and quit your editor it will be installed into the system unless it is found to contain errors. Now enter the following:
- # Flush email notification queue once every minute
- * * * * * php /usr/share/openfisma/scripts/bin/notify.php >> /var/log/openfisma.log
- # Enable OpenFISMA Overdue alerts daily
- @daily php /usr/share/openfisma/scripts/bin/ecd_notifier.php >> /var/log/openfisma.log
- NOTE: Be sure to change the paths to the actual location of the files; for example, you may have OpenFISMA installed in another directory (on CentOS, /var/www/html/openfisma).
- Specific Notes for Version 3.1.x
- In this release of OpenFISMA we've consolidated all cron jobs into one background task which will run every minute and spawn all additional processes. We recommend editing your existing cron job to run the new background task every minute. We've included a new cron job for you in /scripts/rpm/ named openfisma_cron. You may either copy this file over to your cron directory or edit your crontab manually.
- # remove existing crontab
- $ sudo crontab -u wwwrun -r
- # copy new cron configuration for openfisma
- $ sudo cp /usr/share/openfisma/scripts/rpm/openfisma_cron /etc/cron.d/openfisma
- Step 7 - Log into OpenFISMA
- If you use CentOS (Red Hat), you need to replace the hardcoded /usr/share/openfisma path in the files below (the number is the line within the file):
- /var/www/html/openfisma/application/Bootstrap.php:
- 264: 'File' => array('basePath' => '/usr/share/openfisma'),
- /var/www/html/openfisma/public/.htaccess:
- 83: php_flag error_log /usr/share/openfisma/data/logs/php_error.log
- /var/www/html/openfisma/public/minGenerator.sh: (This is for production mode)
- 6: cd /usr/share/openfisma/public/
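The three edits above are the same substitution in each file, so they can be done with sed in a reviewable way. The script below is an added example, not part of the guide or of OpenFISMA: it rewrites the prefix in whichever files you pass (the three listed above), keeps a .orig copy of each, prints the unified diff of what changed, and provides a final count of any remaining references. The old and new prefixes default to the guide's OpenSUSE and CentOS install directories.

```shell
#!/bin/sh
# Added example, not from the guide: relocate the hard-coded install prefix in
# the files the guide lists for CentOS, with a backup and a diff for review.
OF_OLD_PREFIX=${OF_OLD_PREFIX:-/usr/share/openfisma}
OF_NEW_PREFIX=${OF_NEW_PREFIX:-/var/www/html/openfisma}

# Replace the prefix in one file ($1). Leaves the file untouched (and makes no
# backup) when it has no occurrence; returns 1 if the file is unreadable.
relocate_prefix() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    grep -Fq -- "$OF_OLD_PREFIX" "$f" || return 0
    cp -p "$f" "$f.orig"                       # -p keeps mode and ownership
    # '|' as delimiter because both prefixes contain '/'
    sed "s|$OF_OLD_PREFIX|$OF_NEW_PREFIX|g" "$f.orig" > "$f"
    diff -u "$f.orig" "$f" || true             # diff exits 1 when files differ; that is expected
}

# Total number of lines still mentioning the old prefix across the given files.
remaining_refs() {
    n=0
    for f in "$@"; do
        c=$(grep -Fc -- "$OF_OLD_PREFIX" "$f" 2>/dev/null || true)
        n=$((n + ${c:-0}))
    done
    echo "$n"
}

# Usage (as root on CentOS):
#   sh relocate-prefix.sh /var/www/html/openfisma/application/Bootstrap.php \
#       /var/www/html/openfisma/public/.htaccess /var/www/html/openfisma/public/minGenerator.sh
if [ $# -gt 0 ]; then
    for f in "$@"; do relocate_prefix "$f"; done
    echo "remaining references to $OF_OLD_PREFIX: $(remaining_refs "$@")"
fi
```

A non-zero remaining count after the run means a file still contains the old prefix (for example a path the guide does not list); `grep -rn /usr/share/openfisma /var/www/html/openfisma --include='*.php'` will show where.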
- You should now be able to log in to OpenFISMA. If you installed the sample data, you can find user accounts and passwords in the file below.
- # OpenSUSE
- $ cat /usr/share/openfisma/application/doctrine/data/sample/User.yml
- # CentOS (Red Hat)
- $ cat /var/www/html/openfisma/application/doctrine/data/sample/User.yml