WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1010 2013-01-06 14:06:16Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
		6	# ALCASAR - Portail captif d'accès à l'Internet - Copyright (C) [2005] [ALcasar team - Rexy - 3abtux - ...]
		7	# Ce programme est un logiciel libre ; vous pouvez le redistribuer et/ou le modifier au titre des clauses de la Licence Publique Générale GNU,
		8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12	# Vous devriez avoir reçu un exemplaire de la Licence Publique Générale GNU avec ce programme ;
976	richard	13	# si ce n'est pas le cas, consultez : <http://www.gnu.org/licenses/>.
959	franck	14
967	franck	15	# team@alcasar.net
959	franck	16
1	root	17	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		18	# This script is distributed under the Gnu General Public License (GPL)
		19
672	richard	20	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	21	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	22	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	23	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	24	#
806	richard	25	# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes
1	root	26
		27	# Options :
376	franck	28	# -i or --install
		29	# -u or --uninstall
1	root	30
376	franck	31	# Functions :
29	richard	32	# testing : Tests de connectivité et de téléchargement avant installation
1	root	33	# init : Installation des RPM et des scripts
		34	# network : Paramètrage du réseau
		35	# gestion : Installation de l'interface de gestion
		36	# AC : Initialisation de l'autorité de certification. Création des certificats
		37	# init_db : Création de la base 'radius' sur le serveur MySql
		38	# param_radius : Configuration du serveur d'authentification FreeRadius
		39	# param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
		40	# param_chilli : Configuration du daemon 'coova-chilli' et de la page d'authentification
		41	# param_squid : Configuration du proxy squid en mode 'cache'
		42	# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
479	richard	43	# antivirus : Installation havp + libclamav
1	root	44	# param_awstats : Configuration de l'interface des statistiques de consultation WEB
297	richard	45	# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
308	richard	46	# BL : Configuration de la BlackList
1	root	47	# cron : Mise en place des exports de logs (+ chiffrement)
532	richard	48	# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
1	root	49
		50	DATE=`date '+%d %B %Y - %Hh%M'`
		51	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	52	Lang=`echo $LANG\|cut -c 1-2`
1	root	53	# ***** Files parameters - paramètres fichiers *******
832	richard	54	DIR_INSTALL=`pwd` # install directory
1	root	55	DIR_CONF="$DIR_INSTALL/conf" # répertoire d'installation contenant les fichiers de configuration
		56	DIR_SCRIPTS="$DIR_INSTALL/scripts" # répertoire d'installation contenant les scripts
806	richard	57	DIR_SAVE="/var/Save" # répertoire de sauvegarde (system_backup, user_db_backup, logs)
316	richard	58	DIR_WEB="/var/www/html" # répertoire racine APACHE
648	richard	59	DIR_DG="/etc/dansguardian" # répertoire de config de DansGuardian
316	richard	60	DIR_ACC="$DIR_WEB/acc" # répertoire du centre de gestion 'ALCASAR Control Center'
1	root	61	DIR_DEST_BIN="/usr/local/bin" # répertoire des scripts
		62	DIR_DEST_SBIN="/usr/local/sbin" # répertoire des scripts d'admin
		63	DIR_DEST_ETC="/usr/local/etc" # répertoire des fichiers de conf
628	richard	64	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # fichier de conf d'alcasar
		65	PASSWD_FILE="/root/ALCASAR-passwords.txt" # fichier texte contenant les mots de passe et secrets partagés
1	root	66	# ***** DBMS parameters - paramètres SGBD ******
		67	DB_RADIUS="radius" # nom de la base de données utilisée par le serveur FreeRadius
		68	DB_USER="radius" # nom de l'utilisateur de la base de données
		69	# ***** Network parameters - paramètres réseau *****
503	richard	70	HOSTNAME="alcasar" #
1	root	71	DOMAIN="localdomain" # domaine local
		72	EXTIF="eth0" # ETH0 est l'interface connectée à Internet (Box FAI)
994	franck	73	MTU="1500"
		74	ETHTOOL_OPTS="speed 100 duplex full"
1	root	75	INTIF="eth1" # ETH1 est l'interface connectée au réseau local de consultation
597	richard	76	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # adresse d'ALCASAR (+masque) proposée par défaut sur le réseau de consultation
1	root	77	# **** Paths - chemin des commandes *****
		78	SED="/bin/sed -i"
		79	# **************** End of global parameters *******************
		80
959	franck	81	license ()
		82	{
		83	if [ $Lang == "fr" ]
967	franck	84	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		85	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	86	fi
975	franck	87	echo "Taper sur Entrée pour continuer !"
		88	echo "Enter to continue."
959	franck	89	read a
		90	}
		91
1	root	92	header_install ()
		93	{
		94	clear
		95	echo "-----------------------------------------------------------------------------"
460	richard	96	echo " ALCASAR V$VERSION Installation"
1	root	97	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		98	echo "-----------------------------------------------------------------------------"
		99	} # End of header_install ()
		100
		101	##################################################################
1005	richard	102	## Function TESTING ##
		103	## - Test of Internet access ##
29	richard	104	##################################################################
		105	testing ()
		106	{
595	richard	107	if [ $Lang == "fr" ]
784	richard	108	then echo -n "Tests des paramètres réseau : "
595	richard	109	else echo -n "Network parameters tests : "
		110	fi
784	richard	111	# We test eth0 config files
		112	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		113	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		114	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		115	then
		116	if [ $Lang == "fr" ]
		117	then
		118	echo "Échec"
		119	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		120	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	121	echo "Appliquez les changements : 'service network restart'"
784	richard	122	else
		123	echo "Failed"
		124	echo "The Internet connected network card ($EXTIF) isn't well configured."
		125	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	126	echo "Apply the new configuration 'service network restart'"
784	richard	127	fi
830	richard	128	echo "DEVICE=$EXTIF"
784	richard	129	echo "IPADDR="
		130	echo "NETMASK="
		131	echo "GATEWAY="
		132	echo "DNS1="
		133	echo "DNS2="
830	richard	134	echo "ONBOOT=yes"
784	richard	135	exit 0
		136	fi
		137	echo -n "."
460	richard	138	# We test the Ethernet links state
29	richard	139	for i in $EXTIF $INTIF
		140	do
294	richard	141	/sbin/ip link set $i up
306	richard	142	sleep 3
808	franck	143	CMD=`/usr/sbin/ethtool $i \|grep Link \| awk '{print $NF}'`
		144	CMD2=`/sbin/mii-tool $i \| grep -i link \| awk '{print $NF}'`
		145	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	146	then
595	richard	147	if [ $Lang == "fr" ]
		148	then
		149	echo "Échec"
		150	echo "Le lien réseau de la carte $i n'est pas actif."
		151	echo "Réglez ce problème puis relancez ce script."
		152	else
		153	echo "Failed"
		154	echo "The link state of $i interface id down."
		155	echo "Resolv this problem, then restart this script."
		156	fi
29	richard	157	exit 0
		158	fi
308	richard	159	echo -n "."
29	richard	160	done
		161	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	162	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	163	if [ $Lang == "fr" ]
		164	then
		165	echo "Échec"
		166	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		167	echo "Réglez ce problème puis relancez ce script."
		168	else
		169	echo "Failed"
		170	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		171	echo "Resolv this problem, then restart this script."
		172	fi
29	richard	173	exit 0
		174	fi
308	richard	175	echo -n "."
978	franck	176	# On traite le cas où l'interface configurée lors de l'installation est "eth1" au lieu de "eth0" (mystère sur certaines versions de BIOS et de VirtualBox)
784	richard	177	if [ `ip route list\|grep ^default\|grep -c eth1` -eq "1" ] ; then
595	richard	178	if [ $Lang == "fr" ]
		179	then echo "La configuration des cartes réseau va être corrigée."
		180	else echo "The Ethernet card configuration will be corrected."
		181	fi
29	richard	182	/etc/init.d/network stop
		183	mv -f /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth0
		184	$SED "s?eth1?eth0?g" /etc/sysconfig/network-scripts/ifcfg-eth0
		185	/etc/init.d/network start
		186	echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
		187	sleep 2
595	richard	188	if [ $Lang == "fr" ]
		189	then echo "Configuration corrigée"
		190	else echo "Configuration updated"
		191	fi
29	richard	192	sleep 2
595	richard	193	if [ $Lang == "fr" ]
		194	then echo "Vous pouvez relancer ce script."
		195	else echo "You can restart this script."
		196	fi
29	richard	197	exit 0
		198	fi
308	richard	199	echo -n "."
978	franck	200	# On teste le lien vers le routeur par defaut
308	richard	201	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		202	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	203	if [ $(expr $arp_reply) -eq 0 ]
308	richard	204	then
595	richard	205	if [ $Lang == "fr" ]
		206	then
		207	echo "Échec"
		208	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		209	echo "Réglez ce problème puis relancez ce script."
		210	else
		211	echo "Failed"
		212	echo "The Internet gateway doesn't answered"
		213	echo "Resolv this problem, then restart this script."
		214	fi
308	richard	215	exit 0
		216	fi
		217	echo -n "."
421	franck	218	# On teste la connectivité Internet
29	richard	219	rm -rf /tmp/con_ok.html
308	richard	220	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	221	if [ ! -e /tmp/con_ok.html ]
		222	then
595	richard	223	if [ $Lang == "fr" ]
		224	then
		225	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		226	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		227	echo "Vérifiez la validité des adresses IP des DNS."
		228	else
		229	echo "The Internet connection try failed (google.fr)."
		230	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		231	echo "Verify the DNS IP addresses"
		232	fi
29	richard	233	exit 0
		234	fi
		235	rm -rf /tmp/con_ok.html
308	richard	236	echo ". : ok"
302	richard	237	} # end of testing
		238
		239	##################################################################
		240	## Fonction INIT ##
		241	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		242	## - Installation et modification des scripts du portail ##
		243	##################################################################
		244	init ()
		245	{
527	richard	246	if [ "$mode" != "update" ]
302	richard	247	then
		248	# On affecte le nom d'organisme
597	richard	249	header_install
302	richard	250	ORGANISME=!
		251	PTN='^[a-zA-Z0-9-]*$'
580	richard	252	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	253	do
595	richard	254	if [ $Lang == "fr" ]
597	richard	255	then echo -n "Entrez le nom de votre organisme : "
		256	else echo -n "Enter the name of your organism : "
595	richard	257	fi
330	franck	258	read ORGANISME
613	richard	259	if [ "$ORGANISME" == "" ]
330	franck	260	then
		261	ORGANISME=!
		262	fi
		263	done
302	richard	264	fi
1	root	265	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	266	rm -f $PASSWD_FILE
59	richard	267	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de protection du menu Grub
628	richard	268	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
		269	echo "$grubpwd" >> $PASSWD_FILE
59	richard	270	md5_grubpwd=`/usr/bin/md5pass $grubpwd`
384	richard	271	$SED "/^password.*/d" /boot/grub/menu.lst
		272	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1	root	273	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'administrateur Mysqld
1003	richard	274	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	275	echo "root / $mysqlpwd" >> $PASSWD_FILE
1	root	276	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
1003	richard	277	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	278	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1	root	279	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre intercept.php et coova-chilli
628	richard	280	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		281	echo "$secretuam" >> $PASSWD_FILE
1	root	282	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre coova-chilli et FreeRadius
628	richard	283	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		284	echo "$secretradius" >> $PASSWD_FILE
		285	chmod 640 $PASSWD_FILE
977	richard	286	# Scripts and conf files copy
		287	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	288	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	289	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	290	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	291	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	292	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	293	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		294	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	295	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		296	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	297	# generate central conf file
		298	cat <<EOF > $CONF_FILE
612	richard	299	##########################################
		300	## ##
		301	## ALCASAR Parameters ##
		302	## ##
		303	##########################################
1	root	304
612	richard	305	INSTALL_DATE=$DATE
		306	VERSION=$VERSION
		307	ORGANISM=$ORGANISME
923	franck	308	DOMAIN=$DOMAIN
612	richard	309	EOF
628	richard	310	chmod o-rwx $CONF_FILE
1	root	311	} # End of init ()
		312
		313	##################################################################
		314	## Fonction network ##
		315	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	316	## - Nommage DNS du système ##
1	root	317	## - Configuration de l'interface eth1 (réseau de consultation) ##
		318	## - Modification du fichier /etc/hosts ##
		319	## - Configuration du serveur de temps (NTP) ##
		320	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		321	##################################################################
		322	network ()
		323	{
		324	header_install
636	richard	325	if [ "$mode" != "update" ]
		326	then
		327	if [ $Lang == "fr" ]
		328	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		329	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		330	fi
		331	response=0
		332	PTN='^[oOyYnN]$'
		333	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	334	do
595	richard	335	if [ $Lang == "fr" ]
659	richard	336	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	337	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	338	fi
1	root	339	read response
		340	done
636	richard	341	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		342	then
		343	PRIVATE_IP_MASK="0"
		344	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		345	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	346	do
595	richard	347	if [ $Lang == "fr" ]
597	richard	348	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		349	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	350	fi
597	richard	351	read PRIVATE_IP_MASK
1	root	352	done
636	richard	353	else
		354	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		355	fi
595	richard	356	else
637	richard	357	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		358	rm -rf conf/etc/alcasar.conf
1	root	359	fi
861	richard	360	# Define LAN side global parameters
1	root	361	hostname $HOSTNAME
977	richard	362	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		363	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		364	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		365	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		366	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		367	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		368	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		369	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		370	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		371	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	372	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	373	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	374	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
977	richard	375	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF (eth1)
841	richard	376	# Define Internet parameters
14	richard	377	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		378	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		379	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	380	DNS1=${DNS1:=208.67.220.220}
		381	DNS2=${DNS2:=208.67.222.222}
597	richard	382	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
784	richard	383	DEFAULT_PUBLIC_NETMASK=`ipcalc -m 192.168.182.2 \| cut -d"=" -f2`
		384	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
		385	PUBLIC_PREFIX=`/bin/ipcalc -p 192.168.182.2 $PUBLIC_NETMASK\|cut -d"=" -f2`
861	richard	386
765	stephane	387	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	388	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	389	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		390	echo "DNS1=$DNS1" >> $CONF_FILE
		391	echo "DNS2=$DNS2" >> $CONF_FILE
		392	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	393	echo "DHCP=full" >> $CONF_FILE
914	franck	394	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		395	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		396	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	397	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	398	# config network
1	root	399	cat <<EOF > /etc/sysconfig/network
		400	NETWORKING=yes
		401	HOSTNAME="$HOSTNAME"
		402	FORWARD_IPV4=true
		403	EOF
841	richard	404	# config /etc/hosts
1	root	405	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		406	cat <<EOF > /etc/hosts
503	richard	407	127.0.0.1 localhost
914	franck	408	$PRIVATE_IP $HOSTNAME $HOSTNAME.$DOMAIN
1	root	409	EOF
841	richard	410	# Config eth0 (Internet)
14	richard	411	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		412	DEVICE=$EXTIF
		413	BOOTPROTO=static
597	richard	414	IPADDR=$PUBLIC_IP
		415	NETMASK=$PUBLIC_NETMASK
		416	GATEWAY=$PUBLIC_GATEWAY
14	richard	417	DNS1=127.0.0.1
		418	ONBOOT=yes
		419	METRIC=10
		420	NOZEROCONF=yes
		421	MII_NOT_SUPPORTED=yes
		422	IPV6INIT=no
		423	IPV6TO4INIT=no
		424	ACCOUNTING=no
		425	USERCTL=no
994	franck	426	MTU=$MTU
		427	#ETHTOOL_OPTS=$ETHTOOL_OPTS
14	richard	428	EOF
841	richard	429	# Config eth1 (consultation LAN) in normal mode
		430	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		431	DEVICE=$INTIF
		432	BOOTPROTO=static
		433	ONBOOT=yes
		434	NOZEROCONF=yes
		435	MII_NOT_SUPPORTED=yes
		436	IPV6INIT=no
		437	IPV6TO4INIT=no
		438	ACCOUNTING=no
		439	USERCTL=no
		440	EOF
		441	# Config of eth1 in bypass mode (see "alcasar-bypass.sh")
793	richard	442	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	443	DEVICE=$INTIF
		444	BOOTPROTO=static
		445	IPADDR=$PRIVATE_IP
604	richard	446	NETMASK=$PRIVATE_NETMASK
1	root	447	ONBOOT=yes
		448	METRIC=10
		449	NOZEROCONF=yes
		450	MII_NOT_SUPPORTED=yes
14	richard	451	IPV6INIT=no
		452	IPV6TO4INIT=no
		453	ACCOUNTING=no
		454	USERCTL=no
1	root	455	EOF
440	franck	456	# Mise à l'heure du serveur
		457	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		458	cat <<EOF > /etc/ntp/step-tickers
455	franck	459	0.fr.pool.ntp.org # adapt to your country
		460	1.fr.pool.ntp.org
		461	2.fr.pool.ntp.org
440	franck	462	EOF
		463	# Configuration du serveur de temps (sur lui même)
1	root	464	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		465	cat <<EOF > /etc/ntp.conf
456	franck	466	server 0.fr.pool.ntp.org # adapt to your country
447	franck	467	server 1.fr.pool.ntp.org
		468	server 2.fr.pool.ntp.org
		469	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	470	fudge 127.127.1.0 stratum 10
604	richard	471	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	472	restrict 127.0.0.1
310	richard	473	driftfile /var/lib/ntp/drift
1	root	474	logfile /var/log/ntp.log
		475	EOF
440	franck	476
310	richard	477	chown -R ntp:ntp /var/lib/ntp
1	root	478	# Renseignement des fichiers hosts.allow et hosts.deny
		479	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		480	cat <<EOF > /etc/hosts.allow
		481	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	482	sshd: ALL
1	root	483	ntpd: $PRIVATE_NETWORK_SHORT
		484	EOF
		485	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		486	cat <<EOF > /etc/hosts.deny
		487	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		488	EOF
604	richard	489	# Firewall config
790	richard	490	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		491	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		492	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	493	# create the filter exception file and ip_bloqued file
790	richard	494	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	495	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
		496	echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	497	# load conntrack ftp module
		498	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		499	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
860	richard	500	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	501	} # End of network ()
		502
		503	##################################################################
		504	## Fonction gestion ##
		505	## - installation du centre de gestion ##
		506	## - configuration du serveur web (Apache) ##
		507	## - définition du 1er comptes de gestion ##
		508	## - sécurisation des accès ##
		509	##################################################################
		510	gestion()
		511	{
		512	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		513	mkdir $DIR_WEB
		514	# Copie et configuration des fichiers du centre de gestion
316	richard	515	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	516	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	517	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		518	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		519	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		520	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
498	richard	521	$SED "s?\$hostname =.*?\$hostname = \"$HOSTNAME\";?g" $DIR_WEB/index.php
316	richard	522	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	523	chown -R apache:apache $DIR_WEB/*
840	richard	524	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
1	root	525	do
		526	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		527	done
5	franck	528	chown -R root:apache $DIR_SAVE
71	richard	529	# Configuration et sécurisation php
		530	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	531	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		532	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	533	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		534	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	535	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		536	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		537	# Configuration et sécurisation Apache
790	richard	538	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	539	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
580	richard	540	$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf
303	richard	541	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	542	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		543	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		544	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	545	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		546	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		547	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		548	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		549	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		550	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	551	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1	root	552	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
		553	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
		554	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
		555	[ -e /var/www/error/include/bottom.html.default ] \|\| mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
		556	cat <<EOF > /var/www/error/include/bottom.html
		557	</body>
		558	</html>
		559	EOF
		560	# Définition du premier compte lié au profil 'admin'
509	richard	561	header_install
510	richard	562	if [ "$mode" = "install" ]
		563	then
613	richard	564	admin_portal=!
		565	PTN='^[a-zA-Z0-9-]*$'
		566	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		567	do
		568	header_install
		569	if [ $Lang == "fr" ]
		570	then
		571	echo ""
		572	echo "Définissez un premier compte d'administration du portail :"
		573	echo
		574	echo -n "Nom : "
		575	else
		576	echo ""
		577	echo "Define the first account allow to administrate the portal :"
		578	echo
		579	echo -n "Account : "
		580	fi
		581	read admin_portal
		582	if [ "$admin_portal" == "" ]
		583	then
		584	admin_portal=!
		585	fi
		586	done
1	root	587	# Création du fichier de clés de ce compte dans le profil "admin"
510	richard	588	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		589	mkdir -p $DIR_DEST_ETC/digest
		590	chmod 755 $DIR_DEST_ETC/digest
		591	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		592	do
613	richard	593	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
510	richard	594	done
		595	$DIR_DEST_SBIN/alcasar-profil.sh --list
595	richard	596	else # mise à jour des versions < 2.1
1010	richard	597	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 1 ])
510	richard	598	then
613	richard	599	if [ $Lang == "fr" ]
		600	then
		601	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		602	echo
		603	echo -n "Nom : "
		604	else
		605	echo "This update need to redefine the first admin account"
		606	echo
		607	echo -n "Account : "
		608	fi
		609	read admin_portal
510	richard	610	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		611	mkdir -p $DIR_DEST_ETC/digest
		612	chmod 755 $DIR_DEST_ETC/digest
		613	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		614	do
613	richard	615	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
510	richard	616	done
		617	$DIR_DEST_SBIN/alcasar-profil.sh --list
		618	fi
		619	fi
434	richard	620	# synchronisation horaire
		621	ntpd -q -g &
1	root	622	# Sécurisation du centre
988	franck	623	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	624	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	625	<Directory $DIR_ACC>
1	root	626	SSLRequireSSL
		627	AllowOverride None
		628	Order deny,allow
		629	Deny from all
		630	Allow from 127.0.0.1
		631	Allow from $PRIVATE_NETWORK_MASK
990	franck	632	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	633	require valid-user
		634	AuthType digest
		635	AuthName $HOSTNAME
		636	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	637	AuthUserFile $DIR_DEST_ETC/digest/key_all
580	richard	638	ErrorDocument 404 https://$HOSTNAME/
1	root	639	</Directory>
316	richard	640	<Directory $DIR_ACC/admin>
1	root	641	SSLRequireSSL
		642	AllowOverride None
		643	Order deny,allow
		644	Deny from all
		645	Allow from 127.0.0.1
		646	Allow from $PRIVATE_NETWORK_MASK
990	franck	647	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	648	require valid-user
		649	AuthType digest
		650	AuthName $HOSTNAME
		651	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	652	AuthUserFile $DIR_DEST_ETC/digest/key_admin
580	richard	653	ErrorDocument 404 https://$HOSTNAME/
1	root	654	</Directory>
344	richard	655	<Directory $DIR_ACC/manager>
1	root	656	SSLRequireSSL
		657	AllowOverride None
		658	Order deny,allow
		659	Deny from all
		660	Allow from 127.0.0.1
		661	Allow from $PRIVATE_NETWORK_MASK
990	franck	662	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	663	require valid-user
		664	AuthType digest
		665	AuthName $HOSTNAME
		666	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	667	AuthUserFile $DIR_DEST_ETC/digest/key_manager
580	richard	668	ErrorDocument 404 https://$HOSTNAME/
1	root	669	</Directory>
316	richard	670	<Directory $DIR_ACC/backup>
		671	SSLRequireSSL
		672	AllowOverride None
		673	Order deny,allow
		674	Deny from all
		675	Allow from 127.0.0.1
		676	Allow from $PRIVATE_NETWORK_MASK
990	franck	677	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	678	require valid-user
		679	AuthType digest
		680	AuthName $HOSTNAME
		681	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	682	AuthUserFile $DIR_DEST_ETC/digest/key_backup
580	richard	683	ErrorDocument 404 https://$HOSTNAME/
316	richard	684	</Directory>
811	richard	685	Alias /save/ "$DIR_SAVE/"
		686	<Directory $DIR_SAVE>
		687	SSLRequireSSL
		688	Options Indexes
		689	Order deny,allow
		690	Deny from all
		691	Allow from 127.0.0.1
		692	Allow from $PRIVATE_NETWORK_MASK
990	franck	693	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	694	require valid-user
		695	AuthType digest
		696	AuthName $HOSTNAME
		697	AuthUserFile $DIR_DEST_ETC/digest/key_backup
		698	ErrorDocument 404 https://$HOSTNAME/
		699	</Directory>
1	root	700	EOF
		701	} # End of gestion ()
		702
		703	##########################################################################################
		704	## Fonction AC() ##
		705	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		706	##########################################################################################
		707	AC ()
		708	{
		709	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	710	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	711	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	712	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		713	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		714	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	715	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	716	chown -R root:apache /etc/pki
1	root	717	chmod -R 750 /etc/pki
		718	} # End AC ()
		719
		720	##########################################################################################
		721	## Fonction init_db() ##
		722	## - Initialisation de la base Mysql ##
		723	## - Affectation du mot de passe de l'administrateur (root) ##
		724	## - Suppression des bases et des utilisateurs superflus ##
		725	## - Création de la base 'radius' ##
		726	## - Installation du schéma de cette base ##
		727	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		728	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		729	##########################################################################################
		730	init_db ()
		731	{
		732	mkdir -p /var/lib/mysql/.tmp
1008	richard	733	chown -R mysql:mysql /var/lib/mysql/
227	franck	734	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf # prend en compte les migrations de MySQL
1	root	735	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		736	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
		737	/etc/init.d/mysqld start
		738	sleep 4
		739	mysqladmin -u root password $mysqlpwd
		740	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
615	richard	741	# Delete exemple databases if exist
1	root	742	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;"
615	richard	743	# Create 'radius' database
1	root	744	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
615	richard	745	# Add an empty radius database structure
364	franck	746	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	747	# modify the start script in order to close accounting connexion when the system is comming down or up
		748	[ -e /etc/init.d/mysqld.default ] \|\| cp /etc/init.d/mysqld /etc/init.d/mysqld.default
		749	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
		750	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
1	root	751	} # End init_db ()
		752
		753	##########################################################################
		754	## Fonction param_radius ##
		755	## - Paramètrage des fichiers de configuration FreeRadius ##
		756	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		757	## - Modification de fichier de conf pour l'accès à Mysql ##
		758	##########################################################################
		759	param_radius ()
		760	{
		761	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		762	chown -R radius:radius /etc/raddb
		763	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
		764	# paramètrage radius.conf
		765	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		766	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		767	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
		768	# suppression de la fonction proxy
		769	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		770	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
654	richard	771	# suppression du module EAP
		772	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1	root	773	# écoute sur loopback uniquement (à modifier plus tard pour l'EAP)
		774	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
		775	# prise en compte du module SQL et des compteurs SQL
		776	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		777	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		778	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
		779	# purge du répertoire des serveurs virtuels et copie du fichier de configuration d'Alcasar
		780	rm -f /etc/raddb/sites-enabled/*
		781	cp $DIR_CONF/alcasar-radius /etc/raddb/sites-available/alcasar
		782	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		783	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		784	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		785	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	786	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	787	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
		788	# configuration du fichier client.conf (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
		789	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		790	cat << EOF > /etc/raddb/clients.conf
		791	client 127.0.0.1 {
		792	secret = $secretradius
		793	shortname = localhost
		794	}
		795	EOF
		796	# modif sql.conf
		797	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		798	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		799	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		800	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		801	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
		802	# modif dialup.conf
		803	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
		804	cp -f $DIR_CONF/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		805	} # End param_radius ()
		806
		807	##########################################################################
		808	## Fonction param_web_radius ##
		809	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		810	## - Création du lien vers la page de changement de mot de passe ##
		811	##########################################################################
		812	param_web_radius ()
		813	{
		814	# copie de l'interface d'origine dans la structure Alcasar
316	richard	815	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		816	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		817	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	818	# copie des fichiers modifiés
		819	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	820	chown -R apache:apache $DIR_ACC/manager/
344	richard	821	# Modification des fichiers de configuration
1	root	822	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	823	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	824	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		825	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		826	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		827	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		828	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		829	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		830	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	831	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	832	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
		833	cp -f $DIR_CONF/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	834	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	835	nas1_name: alcasar-$ORGANISME
1	root	836	nas1_model: Portail captif
		837	nas1_ip: $PRIVATE_IP
		838	nas1_port_num: 0
		839	nas1_community: public
		840	EOF
		841	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		842	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
		843	cp -f $DIR_CONF/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	844	# Ajout du mappage des attributs chillispot
		845	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
		846	cp -f $DIR_CONF/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	847	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
		848	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/user_edit.attrs.default
		849	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		850	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	851	chown -R apache:apache /etc/freeradius-web
1	root	852	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		853	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	854	<Directory $DIR_WEB/pass>
1	root	855	SSLRequireSSL
		856	AllowOverride None
		857	Order deny,allow
		858	Deny from all
		859	Allow from 127.0.0.1
		860	Allow from $PRIVATE_NETWORK_MASK
580	richard	861	ErrorDocument 404 https://$HOSTNAME
1	root	862	</Directory>
		863	EOF
		864	} # End of param_web_radius ()
		865
799	richard	866	##################################################################################
		867	## Fonction param_chilli ##
		868	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		869	## - Paramètrage de la page d'authentification (intercept.php) ##
		870	##################################################################################
1	root	871	param_chilli ()
		872	{
799	richard	873	# init file creation
461	richard	874	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	875	cat <<EOF > /etc/init.d/chilli
		876	#!/bin/sh
		877	#
		878	# chilli CoovaChilli init
		879	#
		880	# chkconfig: 2345 65 35
		881	# description: CoovaChilli
		882	### BEGIN INIT INFO
		883	# Provides: chilli
		884	# Required-Start: network
		885	# Should-Start:
		886	# Required-Stop: network
		887	# Should-Stop:
		888	# Default-Start: 2 3 5
		889	# Default-Stop:
		890	# Description: CoovaChilli access controller
		891	### END INIT INFO
		892
		893	[ -f /usr/sbin/chilli ] \|\| exit 0
		894	. /etc/init.d/functions
		895	CONFIG=/etc/chilli.conf
		896	pidfile=/var/run/chilli.pid
		897	[ -f \$CONFIG ] \|\| {
		898	echo "\$CONFIG Not found"
		899	exit 0
		900	}
		901	RETVAL=0
		902	prog="chilli"
		903	case \$1 in
		904	start)
		905	if [ -f \$pidfile ] ; then
		906	gprintf "chilli is already running"
		907	else
		908	gprintf "Starting \$prog: "
		909	rm -f /var/run/chilli* # cleaning
		910	/sbin/modprobe tun >/dev/null 2>&1
		911	echo 1 > /proc/sys/net/ipv4/ip_forward
		912	[ -e /dev/net/tun ] \|\| {
		913	(cd /dev;
		914	mkdir net;
		915	cd net;
		916	mknod tun c 10 200)
		917	}
		918	ifconfig eth1 0.0.0.0
		919	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		920	RETVAL=$?
		921	fi
		922	;;
		923
		924	reload)
		925	killall -HUP chilli
		926	;;
		927
		928	restart)
		929	\$0 stop
		930	sleep 2
		931	\$0 start
		932	;;
		933
		934	status)
		935	status chilli
		936	RETVAL=0
		937	;;
		938
		939	stop)
		940	if [ -f \$pidfile ] ; then
		941	gprintf "Shutting down \$prog: "
		942	killproc /usr/sbin/chilli
		943	RETVAL=\$?
		944	[ \$RETVAL = 0 ] && rm -f $pidfile
		945	else
		946	gprintf "chilli is not running"
		947	fi
		948	;;
		949
		950	*)
		951	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		952	exit 1
		953	esac
		954	echo
		955	EOF
		956
		957	# conf file creation
346	richard	958	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		959	cat <<EOF > /etc/chilli.conf
		960	# coova config for ALCASAR
		961	cmdsocket /var/run/chilli.sock
		962	unixipc chilli.eth1.ipc
		963	pidfile /var/run/chilli.eth1.pid
		964	net $PRIVATE_NETWORK_MASK
595	richard	965	dhcpif $INTIF
841	richard	966	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	967	#nodynip
865	richard	968	#statip
		969	dynip $PRIVATE_NETWORK_MASK
346	richard	970	domain localdomain
355	richard	971	dns1 $PRIVATE_IP
		972	dns2 $PRIVATE_IP
346	richard	973	uamlisten $PRIVATE_IP
503	richard	974	uamport 3990
837	richard	975	macauth
		976	macpasswd password
346	richard	977	locationname $HOSTNAME
		978	radiusserver1 127.0.0.1
		979	radiusserver2 127.0.0.1
		980	radiussecret $secretradius
		981	radiusauthport 1812
		982	radiusacctport 1813
467	richard	983	uamserver https://$HOSTNAME/intercept.php
346	richard	984	radiusnasid $HOSTNAME
		985	uamsecret $secretuam
793	richard	986	uamallowed alcasar
346	richard	987	coaport 3799
503	richard	988	include $DIR_DEST_ETC/alcasar-uamallowed
		989	include $DIR_DEST_ETC/alcasar-uamdomain
917	franck	990	#dhcpgateway
		991	#dhcprelayagent
		992	#dhcpgatewayport
346	richard	993	EOF
977	richard	994	# create file for DHCP static ip. Reserve the second IP address for eth1 (the first one is for tun0)
		995	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	996	# create files for trusted domains and urls
		997	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	998	chown root:apache $DIR_DEST_ETC/alcasar-*
		999	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1000	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1001	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1002	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1003	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1004	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1005	if [ "$chilli_exist" == "1" ]
		1006	then
		1007	userdel -r chilli 2>/dev/null
		1008	fi
		1009	groupadd -f chilli
		1010	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	1011	} # End of param_chilli ()
		1012
		1013	##########################################################
		1014	## Fonction param_squid ##
		1015	## - Paramètrage du proxy 'squid' en mode 'cache' ##
		1016	## - Initialisation de la base de données ##
		1017	##########################################################
		1018	param_squid ()
		1019	{
		1020	# paramètrage de Squid (connecté en série derrière Dansguardian)
		1021	[ -e /etc/squid/squid.conf.default ] \|\| cp /etc/squid/squid.conf /etc/squid/squid.conf.default
		1022	# suppression des références 'localnet', 'icp', 'htcp' et 'always_direct'
		1023	$SED "/^acl localnet/d" /etc/squid/squid.conf
		1024	$SED "/^icp_access allow localnet/d" /etc/squid/squid.conf
		1025	$SED "/^icp_port 3130/d" /etc/squid/squid.conf
		1026	$SED "/^http_access allow localnet/d" /etc/squid/squid.conf
		1027	$SED "/^htcp_access allow localnet/d" /etc/squid/squid.conf
		1028	$SED "/^always_direct allow localnet/d" /etc/squid/squid.conf
		1029	# mode 'proxy transparent local'
595	richard	1030	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
726	franck	1031	# Configuration du cache local
749	franck	1032	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
405	franck	1033	# emplacement et formatage standard des logs
419	franck	1034	echo '#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh' >> /etc/squid/squid.conf
749	franck	1035	echo '#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh' >> /etc/squid/squid.conf
405	franck	1036	echo "access_log /var/log/squid/access.log" >> /etc/squid/squid.conf
1	root	1037	# compatibilité des logs avec awstats
315	richard	1038	echo "emulate_httpd_log on" >> /etc/squid/squid.conf
749	franck	1039	echo "half_closed_clients off" >> /etc/squid/squid.conf
		1040	echo "server_persistent_connections off" >> /etc/squid/squid.conf
		1041	echo "client_persistent_connections on" >> /etc/squid/squid.conf
		1042	echo "client_lifetime 1440 minutes" >> /etc/squid/squid.conf
		1043	echo "request_timeout 5 minutes" >> /etc/squid/squid.conf
		1044	echo "persistent_request_timeout 2 minutes" >> /etc/squid/squid.conf
726	franck	1045	echo "cache_mem 256 MB" >> /etc/squid/squid.conf
749	franck	1046	echo "maximum_object_size_in_memory 4096 KB" >> /etc/squid/squid.conf
		1047	echo "maximum_object_size 4096 KB" >> /etc/squid/squid.conf
835	richard	1048	# anonymisation of squid version
813	richard	1049	echo "via off" >> /etc/squid/squid.conf
835	richard	1050	# remove the 'X_forwarded' http option
812	richard	1051	echo "forwarded_for delete" >> /etc/squid/squid.conf
835	richard	1052	# linked squid output in HAVP input
		1053	echo "cache_peer 127.0.0.1 parent 8090 0 no-query default" >> /etc/squid/squid.conf
		1054	echo "never_direct allow all" >> /etc/squid/squid.conf
		1055	# avoid error messages on network interfaces state changes
313	richard	1056	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
894	richard	1057	# reduce squid shutdown time (100 to 50)
		1058	$SED "s?^SQUID_SHUTDOWN_TIMEOUT.*?SQUID_SHUTDOWN_TIMEOUT=50?g" /etc/sysconfig/squid
		1059
835	richard	1060	# Squid cache init
1	root	1061	/usr/sbin/squid -z
		1062	} # End of param_squid ()
		1063
		1064	##################################################################
		1065	## Fonction param_dansguardian ##
		1066	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1067	##################################################################
		1068	param_dansguardian ()
		1069	{
		1070	mkdir /var/dansguardian
		1071	chown dansguardian /var/dansguardian
497	richard	1072	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
307	richard	1073	# Le filtrage est désactivé par défaut
497	richard	1074	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1	root	1075	# la page d'interception est en français
497	richard	1076	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1	root	1077	# on limite l'écoute de Dansguardian côté LAN
497	richard	1078	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
835	richard	1079	# on chaîne Dansguardian au proxy cache SQUID
		1080	$SED "s?^proxyport.*?proxyport = 3128?g" $DIR_DG/dansguardian.conf
1	root	1081	# on remplace la page d'interception (template)
		1082	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1083	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
		1084	# on ne loggue que les deny (pour le reste, on a squid)
497	richard	1085	$SED "s?^loglevel =.*?loglevel = 1?g" $DIR_DG/dansguardian.conf
659	richard	1086	# lauch of 10 daemons (20 in largest server)
		1087	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1088	# on désactive par défaut le controle de contenu des pages html
497	richard	1089	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1090	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1091	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1092	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1093	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1094	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1095	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1096	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1097	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1098	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1099	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1100	touch $DIR_DG/lists/bannedextensionlist
		1101	touch $DIR_DG/lists/bannedmimetypelist
		1102	# 'Safesearch' regex actualisation
498	richard	1103	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1104	# empty LAN IP list that won't be WEB filtered
		1105	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1106	touch $DIR_DG/lists/exceptioniplist
		1107	# Keep a copy of URL & domain filter configuration files
		1108	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1109	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1110	} # End of param_dansguardian ()
		1111
71	richard	1112	##################################################################
		1113	## Fonction antivirus ##
479	richard	1114	## - configuration havp + libclamav ##
71	richard	1115	##################################################################
		1116	antivirus ()
		1117	{
288	richard	1118	# création de l'usager 'havp'
		1119	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1120	if [ "$havp_exist" == "1" ]
288	richard	1121	then
478	richard	1122	userdel -r havp 2>/dev/null
894	richard	1123	groupdel havp 2>/dev/null
288	richard	1124	fi
307	richard	1125	groupadd -f havp
796	richard	1126	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1127	mkdir -p /var/tmp/havp /var/log/havp
		1128	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1129	# configuration d'HAVP
		1130	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1131	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1132	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1133	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1134	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1135	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1136	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1137	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1138	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1139	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1140	# skip checking of youtube flow (too heavy load / risk too low)
		1141	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1142	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1143	echo ".youtube.com/" >> /etc/havp/whitelist
481	franck	1144	# remplacement du fichier d'initialisation
335	richard	1145	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
1005	richard	1146	# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
481	franck	1147	cp -f $DIR_CONF/havp-init /etc/init.d/havp
340	richard	1148	# on remplace la page d'interception (template)
		1149	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1150	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
489	richard	1151	# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
		1152	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
		1153	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
734	richard	1154	# Virus database update
		1155	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1156	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
		1157	/usr/bin/freshclam
71	richard	1158	}
		1159
1	root	1160	##################################################################################
476	richard	1161	## param_ulogd function ##
		1162	## - Ulog config for multi-log files ##
		1163	##################################################################################
		1164	param_ulogd ()
		1165	{
		1166	# Three instances of ulogd (three different logfiles)
		1167	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1168	nl=1
		1169	for log_type in tracability ssh ext-access
		1170	do
		1171	[ -e /var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
		1172	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1173	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1174	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1175	cat << EOF >> /etc/ulogd-$log_type.conf
		1176	[LOGEMU]
		1177	file="/var/log/firewall/$log_type.log"
		1178	sync=1
		1179	EOF
		1180	nl=`expr $nl + 1`
		1181	done
476	richard	1182	chown -R root:apache /var/log/firewall
		1183	chmod 750 /var/log/firewall
		1184	chmod 640 /var/log/firewall/*
		1185	[ -e /etc/init.d/ulogd.default ] \|\| cp /etc/init.d/ulogd /etc/init.d/ulogd.default
		1186	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
		1187	} # End of param_ulogd ()
		1188
		1189	##################################################################################
1	root	1190	## Fonction param_awstats ##
		1191	## - configuration de l'interface des logs de consultation WEB (AWSTAT) ##
		1192	##################################################################################
		1193	param_awstats()
		1194	{
316	richard	1195	cp -rf /usr/share/awstats/www/ $DIR_ACC/awstats/
		1196	chown -R apache:apache $DIR_ACC/awstats
1	root	1197	cp /etc/awstats/awstats.conf /etc/awstats/awstats.conf.default
		1198	$SED "s?^LogFile=.*?LogFile=\"/var/log/squid/access.log\"?g" /etc/awstats/awstats.conf
		1199	$SED "s?^LogFormat=.*?LogFormat=4?g" /etc/awstats/awstats.conf
		1200	$SED "s?^SiteDomain=.*?SiteDomain=\"$HOSTNAME\"?g" /etc/awstats/awstats.conf
		1201	$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf
		1202	$SED "s?^DNSLookup=.*?DNSLookup=0?g" /etc/awstats/awstats.conf
344	richard	1203	$SED "s?^DirData=.*?DirData=\"/var/lib/awstats\"?g" /etc/awstats/awstats.conf
		1204	$SED "s?^DirIcons=.*?DirIcons=\"/acc/awstats/icon\"?g" /etc/awstats/awstats.conf
1	root	1205	$SED "s?^StyleSheet=.*?StyleSheet=\"/css/style.css\"?g" /etc/awstats/awstats.conf
		1206	$SED "s?^BuildReportFormat=.*?BuildReportFormat=xhtml?g" /etc/awstats/awstats.conf
59	richard	1207	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
580	richard	1208	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
		1209	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
		1210	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
		1211	$SED "s?^ShowMonthStats=.*?ShowMonthStats=VPHB?g" /etc/awstats/awstats.conf
		1212	$SED "s?^ShowDaysOfMonthStats=.*?ShowDaysOfMonthStats=PHB?g" /etc/awstats/awstats.conf
		1213	$SED "s?^ShowDaysOfWeekStats=.*?ShowDaysOfWeekStats=PHB?g" /etc/awstats/awstats.conf
		1214	$SED "s?^ShowHoursStats=.*?ShowHoursStats=PHB?g" /etc/awstats/awstats.conf
		1215	$SED "s?^ShowDomainsStats=.*?ShowDomainsStats=0?g" /etc/awstats/awstats.conf
		1216	$SED "s?^ShowHostsStats=.*?ShowHostsStats=0?g" /etc/awstats/awstats.conf
		1217	$SED "s?^ShowAuthenticatedUsers=.*?ShowAuthenticatedUsers=0?g" /etc/awstats/awstats.conf
		1218	$SED "s?^ShowRobotsStats=.*?ShowRobotsStats=0?g" /etc/awstats/awstats.conf
		1219	$SED "s?^ShowFileTypesStats=.*?ShowFileTypesStats=0?g" /etc/awstats/awstats.conf
		1220	$SED "s?^ShowFileSizesStats=.*?ShowFileSizesStats=0?g" /etc/awstats/awstats.conf
		1221	$SED "s?^ShowOSStats=.*?ShowOSStats=0?g" /etc/awstats/awstats.conf
		1222	$SED "s?^ShowScreenSizeStats=.*?ShowScreenSizeStats=0?g" /etc/awstats/awstats.conf
		1223
1	root	1224	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	1225	<Directory $DIR_ACC/awstats>
1	root	1226	SSLRequireSSL
		1227	Options ExecCGI
		1228	AddHandler cgi-script .pl
		1229	DirectoryIndex awstats.pl
		1230	Order deny,allow
		1231	Deny from all
		1232	Allow from 127.0.0.1
		1233	Allow from $PRIVATE_NETWORK_MASK
990	franck	1234	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	1235	require valid-user
		1236	AuthType digest
		1237	AuthName $HOSTNAME
		1238	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	1239	AuthUserFile $DIR_DEST_ETC/digest/key_admin
580	richard	1240	ErrorDocument 404 https://$HOSTNAME/
1	root	1241	</Directory>
		1242	SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
		1243	EOF
		1244	} # End of param_awstats ()
		1245
		1246	##########################################################
235	richard	1247	## Fonction param_dnsmasq ##
1	root	1248	##########################################################
219	jeremy	1249	param_dnsmasq ()
		1250	{
		1251	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
259	richard	1252	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
503	richard	1253	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1254	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1255	cat << EOF > /etc/dnsmasq.conf
520	richard	1256	# Configuration file for "dnsmasq in forward mode"
503	richard	1257	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1258	listen-address=$PRIVATE_IP
		1259	listen-address=127.0.0.1
286	richard	1260	no-dhcp-interface=$INTIF
259	richard	1261	bind-interfaces
		1262	cache-size=256
		1263	domain=$DOMAIN
		1264	domain-needed
		1265	expand-hosts
		1266	bogus-priv
		1267	filterwin2k
		1268	server=$DNS1
		1269	server=$DNS2
498	richard	1270	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1271	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1272	dhcp-option=option:router,$PRIVATE_IP
259	richard	1273	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1274
291	franck	1275	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1276	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1277	EOF
520	richard	1278	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
		1279	cat << EOF > /etc/dnsmasq-blackhole.conf
		1280	# Configuration file for "dnsmasq with blackhole"
		1281	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
		1282	conf-dir=$DIR_DEST_ETC/alcasar-dnsfilter-enabled
503	richard	1283	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1284	listen-address=$PRIVATE_IP
		1285	port=54
		1286	no-dhcp-interface=$INTIF
		1287	bind-interfaces
		1288	cache-size=256
		1289	domain=$DOMAIN
		1290	domain-needed
		1291	expand-hosts
		1292	bogus-priv
		1293	filterwin2k
		1294	server=$DNS1
		1295	server=$DNS2
		1296	EOF
718	franck	1297
800	richard	1298	# Init file modification
503	richard	1299	[ -e /etc/init.d/dnsmasq.default ] \|\| cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
800	richard	1300	# Start and stop a 2nd process for the "DNS blackhole"
520	richard	1301	$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq
503	richard	1302	$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq
800	richard	1303	# Start after chilli (65) which create tun0
		1304	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
933	franck	1305	# Optionnellement on pré-active les logs DNS des clients
786	richard	1306	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
933	franck	1307	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
		1308	# Optionnellement, exemple de configuration avec un A.D.
975	franck	1309	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.2"' >> /etc/sysconfig/dnsmasq
308	richard	1310	} # End dnsmasq
		1311
		1312	##########################################################
		1313	## Fonction BL (BlackList) ##
		1314	##########################################################
		1315	BL ()
		1316	{
		1317	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1318	rm -rf $DIR_DG/lists/blacklists
		1319	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1320	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1321	mkdir $DIR_DG/lists/blacklists/ossi
		1322	touch $DIR_DG/lists/blacklists/ossi/domains
		1323	touch $DIR_DG/lists/blacklists/ossi/urls
309	richard	1324	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1325	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1326	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1327	touch $DIR_DG/lists/exceptionsitelist
		1328	touch $DIR_DG/lists/exceptionurllist
311	richard	1329	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1330	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1331	# Dansguardian filter config for ALCASAR
		1332	EOF
648	richard	1333	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1334	# Dansguardian domain filter config for ALCASAR
		1335	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1336	#**
		1337	# block all SSL and CONNECT tunnels
		1338	**s
		1339	# block all SSL and CONNECT tunnels specified only as an IP
		1340	*ips
		1341	# block all sites specified only by an IP
		1342	*ip
		1343	EOF
1000	richard	1344	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1345	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1346	# Bing - add 'adlt=strict'
		1347	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1348	# Youtube - add 'edufilter=your_ID'
885	richard	1349	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1350	EOF
1000	richard	1351	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1352	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1353	chown -R dansguardian:apache $DIR_DG
		1354	chmod -R g+rw $DIR_DG
304	richard	1355	# On crée la structure du DNS-blackhole :
503	richard	1356	mkdir $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
		1357	chown -R 770 $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
		1358	chown -R root:apache $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
786	richard	1359	# On adapte la BL de Toulouse à notre structure
654	richard	1360	if [ "$mode" != "update" ]; then
		1361	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1362	fi
308	richard	1363	}
219	jeremy	1364
1	root	1365	##########################################################
		1366	## Fonction cron ##
		1367	## - Mise en place des différents fichiers de cron ##
		1368	##########################################################
		1369	cron ()
		1370	{
		1371	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1372	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1373	cat <<EOF > /etc/crontab
		1374	SHELL=/bin/bash
		1375	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1376	MAILTO=root
		1377	HOME=/
		1378
		1379	# run-parts
		1380	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1381	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1382	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1383	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1384	EOF
		1385	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1386	cat <<EOF >> /etc/anacrontab
667	franck	1387	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1388	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1389	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1390	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1391	EOF
667	franck	1392	cat <<EOF > /etc/cron.d/alcasar-clean_log
713	franck	1393	# suppression des fichiers de logs de plus d'un an (tous les lundi à 4h30)
865	richard	1394	30 4 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --clean
1	root	1395	EOF
811	richard	1396	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1397	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1398	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1399	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1400	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1401	EOF
667	franck	1402	cat <<EOF > /etc/cron.d/alcasar-export_log
713	franck	1403	# export des log squid, firewall et apache (tous les lundi à 5h00)
865	richard	1404	00 5 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --export
1	root	1405	EOF
952	franck	1406	cat <<EOF > /etc/cron.d/alcasar-archive
		1407	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1408	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1409	EOF
1	root	1410	cat << EOF > /etc/cron.d/awstats
713	franck	1411	# mise à jour des stats de consultation WEB toutes les 30'
419	franck	1412	/30 * * * root $DIR_ACC/awstats/awstats.pl -config=localhost -update >/dev/null 2>&1
1	root	1413	EOF
667	franck	1414	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1415	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1416	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1417	EOF
722	franck	1418	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1419	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1420	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1421	EOF
1	root	1422	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1423	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1424	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1425	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1426	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1427	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1428	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1429	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1430	rm -f /etc/cron.daily/freeradius-web
		1431	rm -f /etc/cron.monthly/freeradius-web
		1432	cat << EOF > /etc/cron.d/freeradius-web
		1433	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1434	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1435	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1436	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1437	EOF
671	franck	1438	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1439	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1440	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1441	EOF
808	franck	1442	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1443	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1444	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1445	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1446	EOF
522	richard	1447	# suppression des crons usagers
		1448	rm -f /var/spool/cron/*
1	root	1449	} # End cron
		1450
		1451	##################################################################
		1452	## Fonction post_install ##
		1453	## - Modification des bannières (locales et ssh) et des prompts ##
		1454	## - Installation de la structure de chiffrement pour root ##
		1455	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1456	## - Mise en place du la rotation des logs ##
5	franck	1457	## - Configuration dans le cas d'une mise à jour ##
1	root	1458	##################################################################
		1459	post_install()
		1460	{
		1461	# adaptation du script "chien de garde" (watchdog)
376	franck	1462	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1463	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1464	# création de la bannière locale
1007	richard	1465	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1466	cp -f $DIR_CONF/banner /etc/mageia-release
		1467	echo " V$VERSION" >> /etc/mageia-release
1	root	1468	# création de la bannière SSH
1007	richard	1469	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1470	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1471	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1472	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1473	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1474	# postfix banner anonymisation
		1475	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1476	# sshd écoute côté LAN et WAN
1	root	1477	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1478	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1479	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1480	echo "SSH=off" >> $CONF_FILE
694	franck	1481	echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
628	richard	1482	echo "QOS=off" >> $CONF_FILE
		1483	echo "LDAP=off" >> $CONF_FILE
786	richard	1484	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1485	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
628	richard	1486	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
		1487	echo "DNS_FILTERING=off" >> $CONF_FILE
885	richard	1488	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1	root	1489	# Coloration des prompts
		1490	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1491	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1492	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1493	# Droits d'exécution pour utilisateur apache et sysadmin
		1494	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1495	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1496	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
132	franck	1497	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, squid, radiusd, ulogd)
1	root	1498	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1499	chmod 644 /etc/logrotate.d/*
714	franck	1500	# rectification sur versions précédentes de la compression des logs
706	franck	1501	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1502	# actualisation des fichiers logs compressés
714	franck	1503	for dir in firewall squid dansguardian httpd
706	franck	1504	do
714	franck	1505	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1506	done
		1507	# export des logs en 'retard' dans /var/Save/logs
865	richard	1508	/usr/local/bin/alcasar-log.sh --export
1	root	1509	# processus lancés par défaut au démarrage
796	richard	1510	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
1	root	1511	do
		1512	/sbin/chkconfig --add $i
		1513	done
1005	richard	1514
		1515	# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse)
		1516	# cat << EOF > /etc/rc.local
953	franck	1517	#!/bin/sh
		1518	#
		1519	### BEGIN INIT INFO
		1520	# Provides: rc.local
		1521	# X-Mandriva-Compat-Mode
		1522	# Default-Start: 2 3 4 5
		1523	# Short-Description: Local initialization script
		1524	# Description: This script will be executed after all the other init scripts.
		1525	# You can put your own initialization stuff in here if you don't
		1526	# want to do the full Sys V style init stuff.
		1527	### END INIT INFO
1005	richard	1528	#
		1529	#/etc/init.d/mysqld restart
		1530	#sleep 1
		1531	#/etc/init.d/radiusd restart
		1532	#
		1533	#touch /var/lock/subsys/local
		1534	#EOF
953	franck	1535
1005	richard	1536	# On applique les préconisations ANSSI
		1537	# Apply French Security Agency rules
568	richard	1538	# ignorer les broadcast ICMP. (attaque smurf)
		1539	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
		1540	# ignorer les erreurs ICMP bogus
		1541	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
595	richard	1542	# désactiver l'envoi et la réponse aux ICMP redirects
679	richard	1543	sysctl -w net.ipv4.conf.all.accept_redirects=0
568	richard	1544	accept_redirect=`grep accept_redirect /etc/sysctl.conf\|wc -l`
		1545	if [ "$accept_redirect" == "0" ]
		1546	then
679	richard	1547	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
		1548	else
		1549	$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
568	richard	1550	fi
679	richard	1551	sysctl -w net.ipv4.conf.all.send_redirects=0
568	richard	1552	send_redirect=`grep send_redirect /etc/sysctl.conf\|wc -l`
		1553	if [ "$send_redirect" == "0" ]
		1554	then
679	richard	1555	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
		1556	else
		1557	$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
568	richard	1558	fi
		1559	# activer les SYN Cookies (attaque syn flood)
679	richard	1560	sysctl -w net.ipv4.tcp_syncookies=1
568	richard	1561	tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf\|wc -l`
		1562	if [ "$tcp_syncookies" == "0" ]
		1563	then
679	richard	1564	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
		1565	else
		1566	$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
568	richard	1567	fi
595	richard	1568	# activer l'antispoofing niveau Noyau
568	richard	1569	sysctl -w net.ipv4.conf.all.rp_filter=1
		1570	# ignorer le source routing
679	richard	1571	sysctl -w net.ipv4.conf.all.accept_source_route=0
568	richard	1572	accept_source_route=`grep accept_source_route /etc/sysctl.conf\|wc -l`
		1573	if [ "$accept_source_route" == "0" ]
		1574	then
679	richard	1575	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
		1576	else
		1577	$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
568	richard	1578	fi
679	richard	1579	# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
		1580	sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
		1581	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`
		1582	if [ "$timeout_established" == "0" ]
		1583	then
		1584	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
		1585	else
793	richard	1586	$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
679	richard	1587	fi
		1588	# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée)
568	richard	1589	sysctl -w net.ipv4.conf.all.log_martians=0
306	richard	1590	# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1005	richard	1591	# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
59	richard	1592	# modification /etc/inittab
		1593	[ -e /etc/inittab.default ] \|\| cp /etc/inittab /etc/inittab.default
1003	richard	1594	# We keep only 3 TTYs
59	richard	1595	$SED "s?^4.*?#&?g" /etc/inittab
		1596	$SED "s?^5.*?#&?g" /etc/inittab
		1597	$SED "s?^6.*?#&?g" /etc/inittab
1003	richard	1598	# switch to multi-users runlevel (instead of x11)
		1599	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
		1600	$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
1005	richard	1601	# GRUB modifications
		1602	# limit wait time to 3s
		1603	# create an alcasar entry instead of linux-nonfb
		1604	# change display to 1024*768 (vga791)
470	richard	1605	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1005	richard	1606	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1607	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1608	$SED "/^kernel/s/vga=.*/vga=791/" /boot/grub/menu.lst
1007	richard	1609	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1005	richard	1610
1003	richard	1611	# Remove unused services and users
1007	richard	1612	for old_svc in alsa sound dm
532	richard	1613	do
1007	richard	1614	/sbin/chkconfig --del $old_svc
532	richard	1615	done
1008	richard	1616	for svc in snmpd.service sshd.service
1007	richard	1617	do
1008	richard	1618	/bin/systemctl disable $svc
1007	richard	1619	done
532	richard	1620	for rm_users in avahi-autoipd avahi icapd
		1621	do
		1622	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1623	if [ "$user" == "$rm_users" ]
		1624	then
		1625	/usr/sbin/userdel -f $rm_users
		1626	fi
		1627	done
628	richard	1628	# Load and update the previous conf file
5	franck	1629	if [ "$mode" = "update" ]
		1630	then
389	franck	1631	$DIR_DEST_BIN/alcasar-conf.sh --load
628	richard	1632	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1633	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
5	franck	1634	fi
595	richard	1635	rm -f /tmp/alcasar-conf*
434	richard	1636	chown -R root:apache $DIR_DEST_ETC/*
512	richard	1637	chmod -R 660 $DIR_DEST_ETC/*
434	richard	1638	chmod ug+x $DIR_DEST_ETC/digest $DIR_DEST_ETC/alcasar-dnsfilter*
1	root	1639	cd $DIR_INSTALL
5	franck	1640	echo ""
1	root	1641	echo "#############################################################################"
638	richard	1642	if [ $Lang == "fr" ]
		1643	then
		1644	echo "# Fin d'installation d'ALCASAR #"
		1645	echo "# #"
		1646	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1647	echo "# des Accès au Réseau ( ALCASAR ) #"
		1648	echo "# #"
		1649	echo "#############################################################################"
		1650	echo
		1651	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1652	echo
		1653	echo "- Lisez attentivement la documentation d'exploitation"
		1654	echo
		1655	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1656	echo
		1657	echo " Appuyez sur 'Entrée' pour continuer"
		1658	else
		1659	echo "# Enf of ALCASAR install process #"
		1660	echo "# #"
		1661	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1662	echo "# des Accès au Réseau ( ALCASAR ) #"
		1663	echo "# #"
		1664	echo "#############################################################################"
		1665	echo
		1666	echo "- The system will be rebooted in order to operate ALCASAR"
		1667	echo
		1668	echo "- Read the exploitation documentation"
		1669	echo
		1670	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1671	echo
		1672	echo " Hit 'Enter' to continue"
		1673	fi
815	richard	1674	sleep 2
		1675	if [ "$mode" != "update" ]
820	richard	1676	then
815	richard	1677	read a
		1678	fi
774	richard	1679	clear
		1680	# Apply and save the firewall rules
490	richard	1681	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1682	sleep 2
1	root	1683	reboot
		1684	} # End post_install ()
		1685
		1686	#################################
1005	richard	1687	# Main Install loop #
1	root	1688	#################################
832	richard	1689	dir_exec=`dirname "$0"`
		1690	if [ $dir_exec != "." ]
		1691	then
		1692	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1693	echo "Launch this program from the ALCASAR archive directory"
		1694	exit 0
		1695	fi
		1696	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1697	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1698	nb_args=$#
		1699	args=$1
		1700	if [ $nb_args -eq 0 ]
		1701	then
		1702	nb_args=1
		1703	args="-h"
		1704	fi
		1705	case $args in
		1706	-\? \| -h* \| --h*)
		1707	echo "$usage"
		1708	exit 0
		1709	;;
291	franck	1710	-i \| --install)
959	franck	1711	license
5	franck	1712	header_install
29	richard	1713	testing
597	richard	1714	# Test if ALCASAR is already installed
5	franck	1715	if [ -e $DIR_WEB/VERSION ]
1	root	1716	then
460	richard	1717	actual_version=`cat $DIR_WEB/VERSION`
595	richard	1718	if [ $Lang == "fr" ]
		1719	then echo -n "La version "; echo -n $actual_version ; echo " d'ALCASAR est déjà installée";
		1720	else echo -n "ALCASAR Version "; echo -n $actual_version ; echo " is already installed";
		1721	fi
5	franck	1722	response=0
460	richard	1723	PTN='^[oOnNyY]$'
580	richard	1724	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1725	do
595	richard	1726	if [ $Lang == "fr" ]
		1727	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		1728	else echo -n "Do you want to update (Y/n)?";
		1729	fi
5	franck	1730	read response
		1731	done
597	richard	1732	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
5	franck	1733	then
597	richard	1734	rm -f /tmp/alcasar-conf*
		1735	else
636	richard	1736	# Create a backup of running version importants files
5	franck	1737	chmod u+x $DIR_SCRIPTS/alcasar-conf.sh
389	franck	1738	$DIR_SCRIPTS/alcasar-conf.sh --create
532	richard	1739	mode="update"
5	franck	1740	fi
1	root	1741	fi
595	richard	1742	# RPMs install
		1743	$DIR_SCRIPTS/alcasar-urpmi.sh
		1744	if [ "$?" != "0" ]
1	root	1745	then
595	richard	1746	exit 0
		1747	fi
		1748	if [ -e $DIR_WEB/VERSION ]
		1749	then
597	richard	1750	# Uninstall the running version
532	richard	1751	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1752	fi
636	richard	1753	# Test if manual update
597	richard	1754	if [ -e /tmp/alcasar-conf.tar.gz ] && [ "$mode" != "update" ]
595	richard	1755	then
636	richard	1756	header_install
595	richard	1757	if [ $Lang == "fr" ]
636	richard	1758	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1759	else echo "The configuration file of an old version has been found";
595	richard	1760	fi
597	richard	1761	response=0
		1762	PTN='^[oOnNyY]$'
		1763	until [[ $(expr $response : $PTN) -gt 0 ]]
		1764	do
		1765	if [ $Lang == "fr" ]
		1766	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1767	else echo -n "Do you want to use it (Y/n)?";
		1768	fi
		1769	read response
		1770	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1771	then rm -f /tmp/alcasar-conf*
		1772	fi
		1773	done
		1774	fi
636	richard	1775	# Test if update
597	richard	1776	if [ -e /tmp/alcasar-conf.tar.gz ]
		1777	then
		1778	if [ $Lang == "fr" ]
		1779	then echo "#### Installation avec mise à jour ####";
		1780	else echo "#### Installation with update ####";
		1781	fi
636	richard	1782	# Extract the central configuration file
637	richard	1783	tar -xf /tmp/alcasar-conf.tar.gz conf/etc/alcasar.conf
		1784	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1785	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1786	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1787	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1788	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1789	mode="update"
		1790	else
		1791	mode="install"
1	root	1792	fi
604	richard	1793	for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install
5	franck	1794	do
		1795	$func
1007	richard	1796	# echo "* 'debug' : end of function $func *"; read a
14	richard	1797	done
5	franck	1798	;;
291	franck	1799	-u \| --uninstall)
5	franck	1800	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1801	then
597	richard	1802	if [ $Lang == "fr" ]
		1803	then echo "ALCASAR n'est pas installé!";
		1804	else echo "ALCASAR isn't installed!";
		1805	fi
1	root	1806	exit 0
		1807	fi
5	franck	1808	response=0
		1809	PTN='^[oOnN]$'
580	richard	1810	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1811	do
597	richard	1812	if [ $Lang == "fr" ]
		1813	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1814	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1815	fi
5	franck	1816	read response
		1817	done
597	richard	1818	if [ "$reponse" = "o" ] \|\| [ "$reponse" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1819	then
389	franck	1820	$DIR_SCRIPT/alcasar-conf.sh --create
498	richard	1821	else
		1822	rm -f /tmp/alcasar-conf*
1	root	1823	fi
597	richard	1824	# Uninstall the running version
65	richard	1825	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1826	;;
		1827	*)
		1828	echo "Argument inconnu :$1";
460	richard	1829	echo "Unknown argument :$1";
1	root	1830	echo "$usage"
		1831	exit 1
		1832	;;
		1833	esac
10	franck	1834	# end of script
366	franck	1835

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1010