-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Scurity][Feature Request] Set "Security.encryption_key" via ENV #106
Labels
Comments
Looks reasonable. @UFOSmuggler is this something you can add next time you work on |
ostefano
added
enhancement
New feature or request
good first issue
Good for newcomers
labels
Aug 8, 2024
@ostefano adding it to (...)
"Security.encryption_key": {
"default_value": "kjldsbnsjkhnamjfgvfn",
"command_args": "-f"
},
(...) |
You might want to move that settings to the envvars file, and test it when the value is empty (gracefully handling when the user does not set it). Then we can merge. |
See attached PR. @Diogo-Rego can I assign you as reviewer to both? |
@ostefano yes |
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Out of the box, misp-docker shows this warning in diagnostics:
As this is a commandline-only setting, it would be nice to have it set during initial setup. Preferably provided via an ENV variable.
I agree that this is not a real issue if you use a dedicated database container not exposed to the outside world. But in our setup, we use an AWS AURORA cluster shared with some other services. So this is a nice security in depth control.
I solved this by utilizing the customize_misp.sh and an additional ENV variable. But I think it would be nice to add this functionality to the standard init-scripts. The relevant line is:
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.encryption_key" "${MISP_ENCRYPTION_KEY:=changeEncryptionKey0r1amUseless9}"
The text was updated successfully, but these errors were encountered: