WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1031 2013-02-17 11:07:29Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
		6	# ALCASAR - Portail captif d'accès à l'Internet - Copyright (C) [2005] [ALcasar team - Rexy - 3abtux - ...]
		7	# Ce programme est un logiciel libre ; vous pouvez le redistribuer et/ou le modifier au titre des clauses de la Licence Publique Générale GNU,
		8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12	# Vous devriez avoir reçu un exemplaire de la Licence Publique Générale GNU avec ce programme ;
976	richard	13	# si ce n'est pas le cas, consultez : <http://www.gnu.org/licenses/>.
959	franck	14
967	franck	15	# team@alcasar.net
959	franck	16
1	root	17	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		18	# This script is distributed under the Gnu General Public License (GPL)
		19
672	richard	20	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	21	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	22	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	23	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	24	#
806	richard	25	# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes
1	root	26
		27	# Options :
376	franck	28	# -i or --install
		29	# -u or --uninstall
1	root	30
376	franck	31	# Functions :
29	richard	32	# testing : Tests de connectivité et de téléchargement avant installation
1	root	33	# init : Installation des RPM et des scripts
		34	# network : Paramètrage du réseau
		35	# gestion : Installation de l'interface de gestion
		36	# AC : Initialisation de l'autorité de certification. Création des certificats
		37	# init_db : Création de la base 'radius' sur le serveur MySql
		38	# param_radius : Configuration du serveur d'authentification FreeRadius
		39	# param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
		40	# param_chilli : Configuration du daemon 'coova-chilli' et de la page d'authentification
		41	# param_squid : Configuration du proxy squid en mode 'cache'
		42	# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
479	richard	43	# antivirus : Installation havp + libclamav
1	root	44	# param_awstats : Configuration de l'interface des statistiques de consultation WEB
297	richard	45	# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
308	richard	46	# BL : Configuration de la BlackList
1	root	47	# cron : Mise en place des exports de logs (+ chiffrement)
532	richard	48	# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
1	root	49
		50	DATE=`date '+%d %B %Y - %Hh%M'`
		51	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	52	Lang=`echo $LANG\|cut -c 1-2`
1	root	53	# ***** Files parameters - paramètres fichiers *******
1015	richard	54	DIR_INSTALL=`pwd` # current directory
		55	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		56	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		57	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		58	DIR_WEB="/var/www/html" # directory of APACHE
		59	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		60	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		61	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		62	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		63	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		64	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		65	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		66	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	67	# ***** DBMS parameters - paramètres SGBD ******
		68	DB_RADIUS="radius" # nom de la base de données utilisée par le serveur FreeRadius
		69	DB_USER="radius" # nom de l'utilisateur de la base de données
		70	# ***** Network parameters - paramètres réseau *****
503	richard	71	HOSTNAME="alcasar" #
1	root	72	DOMAIN="localdomain" # domaine local
		73	EXTIF="eth0" # ETH0 est l'interface connectée à Internet (Box FAI)
994	franck	74	MTU="1500"
		75	ETHTOOL_OPTS="speed 100 duplex full"
1	root	76	INTIF="eth1" # ETH1 est l'interface connectée au réseau local de consultation
597	richard	77	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # adresse d'ALCASAR (+masque) proposée par défaut sur le réseau de consultation
1	root	78	# **** Paths - chemin des commandes *****
		79	SED="/bin/sed -i"
		80	# **************** End of global parameters *******************
		81
959	franck	82	license ()
		83	{
		84	if [ $Lang == "fr" ]
967	franck	85	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		86	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	87	fi
975	franck	88	echo "Taper sur Entrée pour continuer !"
		89	echo "Enter to continue."
959	franck	90	read a
		91	}
		92
1	root	93	header_install ()
		94	{
		95	clear
		96	echo "-----------------------------------------------------------------------------"
460	richard	97	echo " ALCASAR V$VERSION Installation"
1	root	98	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		99	echo "-----------------------------------------------------------------------------"
		100	} # End of header_install ()
		101
		102	##################################################################
1005	richard	103	## Function TESTING ##
		104	## - Test of Internet access ##
29	richard	105	##################################################################
		106	testing ()
		107	{
595	richard	108	if [ $Lang == "fr" ]
784	richard	109	then echo -n "Tests des paramètres réseau : "
595	richard	110	else echo -n "Network parameters tests : "
		111	fi
784	richard	112	# We test eth0 config files
		113	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		114	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		115	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		116	then
		117	if [ $Lang == "fr" ]
		118	then
		119	echo "Échec"
		120	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		121	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	122	echo "Appliquez les changements : 'service network restart'"
784	richard	123	else
		124	echo "Failed"
		125	echo "The Internet connected network card ($EXTIF) isn't well configured."
		126	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	127	echo "Apply the new configuration 'service network restart'"
784	richard	128	fi
830	richard	129	echo "DEVICE=$EXTIF"
784	richard	130	echo "IPADDR="
		131	echo "NETMASK="
		132	echo "GATEWAY="
		133	echo "DNS1="
		134	echo "DNS2="
830	richard	135	echo "ONBOOT=yes"
784	richard	136	exit 0
		137	fi
		138	echo -n "."
460	richard	139	# We test the Ethernet links state
29	richard	140	for i in $EXTIF $INTIF
		141	do
294	richard	142	/sbin/ip link set $i up
306	richard	143	sleep 3
1031	richard	144	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		145	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	146	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	147	then
595	richard	148	if [ $Lang == "fr" ]
		149	then
		150	echo "Échec"
		151	echo "Le lien réseau de la carte $i n'est pas actif."
		152	echo "Réglez ce problème puis relancez ce script."
		153	else
		154	echo "Failed"
		155	echo "The link state of $i interface id down."
		156	echo "Resolv this problem, then restart this script."
		157	fi
29	richard	158	exit 0
		159	fi
308	richard	160	echo -n "."
29	richard	161	done
		162	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	163	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	164	if [ $Lang == "fr" ]
		165	then
		166	echo "Échec"
		167	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		168	echo "Réglez ce problème puis relancez ce script."
		169	else
		170	echo "Failed"
		171	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		172	echo "Resolv this problem, then restart this script."
		173	fi
29	richard	174	exit 0
		175	fi
308	richard	176	echo -n "."
978	franck	177	# On traite le cas où l'interface configurée lors de l'installation est "eth1" au lieu de "eth0" (mystère sur certaines versions de BIOS et de VirtualBox)
784	richard	178	if [ `ip route list\|grep ^default\|grep -c eth1` -eq "1" ] ; then
595	richard	179	if [ $Lang == "fr" ]
		180	then echo "La configuration des cartes réseau va être corrigée."
		181	else echo "The Ethernet card configuration will be corrected."
		182	fi
29	richard	183	/etc/init.d/network stop
		184	mv -f /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth0
		185	$SED "s?eth1?eth0?g" /etc/sysconfig/network-scripts/ifcfg-eth0
		186	/etc/init.d/network start
		187	echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
		188	sleep 2
595	richard	189	if [ $Lang == "fr" ]
		190	then echo "Configuration corrigée"
		191	else echo "Configuration updated"
		192	fi
29	richard	193	sleep 2
595	richard	194	if [ $Lang == "fr" ]
		195	then echo "Vous pouvez relancer ce script."
		196	else echo "You can restart this script."
		197	fi
29	richard	198	exit 0
		199	fi
308	richard	200	echo -n "."
978	franck	201	# On teste le lien vers le routeur par defaut
308	richard	202	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		203	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	204	if [ $(expr $arp_reply) -eq 0 ]
308	richard	205	then
595	richard	206	if [ $Lang == "fr" ]
		207	then
		208	echo "Échec"
		209	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		210	echo "Réglez ce problème puis relancez ce script."
		211	else
		212	echo "Failed"
		213	echo "The Internet gateway doesn't answered"
		214	echo "Resolv this problem, then restart this script."
		215	fi
308	richard	216	exit 0
		217	fi
		218	echo -n "."
421	franck	219	# On teste la connectivité Internet
29	richard	220	rm -rf /tmp/con_ok.html
308	richard	221	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	222	if [ ! -e /tmp/con_ok.html ]
		223	then
595	richard	224	if [ $Lang == "fr" ]
		225	then
		226	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		227	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		228	echo "Vérifiez la validité des adresses IP des DNS."
		229	else
		230	echo "The Internet connection try failed (google.fr)."
		231	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		232	echo "Verify the DNS IP addresses"
		233	fi
29	richard	234	exit 0
		235	fi
		236	rm -rf /tmp/con_ok.html
308	richard	237	echo ". : ok"
302	richard	238	} # end of testing
		239
		240	##################################################################
		241	## Fonction INIT ##
		242	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		243	## - Installation et modification des scripts du portail ##
		244	##################################################################
		245	init ()
		246	{
527	richard	247	if [ "$mode" != "update" ]
302	richard	248	then
		249	# On affecte le nom d'organisme
597	richard	250	header_install
302	richard	251	ORGANISME=!
		252	PTN='^[a-zA-Z0-9-]*$'
580	richard	253	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	254	do
595	richard	255	if [ $Lang == "fr" ]
597	richard	256	then echo -n "Entrez le nom de votre organisme : "
		257	else echo -n "Enter the name of your organism : "
595	richard	258	fi
330	franck	259	read ORGANISME
613	richard	260	if [ "$ORGANISME" == "" ]
330	franck	261	then
		262	ORGANISME=!
		263	fi
		264	done
302	richard	265	fi
1	root	266	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	267	rm -f $PASSWD_FILE
59	richard	268	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de protection du menu Grub
628	richard	269	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
		270	echo "$grubpwd" >> $PASSWD_FILE
59	richard	271	md5_grubpwd=`/usr/bin/md5pass $grubpwd`
384	richard	272	$SED "/^password.*/d" /boot/grub/menu.lst
		273	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1	root	274	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'administrateur Mysqld
1003	richard	275	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	276	echo "root / $mysqlpwd" >> $PASSWD_FILE
1	root	277	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
1003	richard	278	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	279	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1	root	280	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre intercept.php et coova-chilli
628	richard	281	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		282	echo "$secretuam" >> $PASSWD_FILE
1	root	283	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre coova-chilli et FreeRadius
628	richard	284	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		285	echo "$secretradius" >> $PASSWD_FILE
		286	chmod 640 $PASSWD_FILE
977	richard	287	# Scripts and conf files copy
		288	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	289	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	290	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	291	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	292	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	293	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	294	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		295	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	296	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		297	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	298	# generate central conf file
		299	cat <<EOF > $CONF_FILE
612	richard	300	##########################################
		301	## ##
		302	## ALCASAR Parameters ##
		303	## ##
		304	##########################################
1	root	305
612	richard	306	INSTALL_DATE=$DATE
		307	VERSION=$VERSION
		308	ORGANISM=$ORGANISME
923	franck	309	DOMAIN=$DOMAIN
612	richard	310	EOF
628	richard	311	chmod o-rwx $CONF_FILE
1	root	312	} # End of init ()
		313
		314	##################################################################
		315	## Fonction network ##
		316	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	317	## - Nommage DNS du système ##
1	root	318	## - Configuration de l'interface eth1 (réseau de consultation) ##
		319	## - Modification du fichier /etc/hosts ##
		320	## - Configuration du serveur de temps (NTP) ##
		321	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		322	##################################################################
		323	network ()
		324	{
		325	header_install
636	richard	326	if [ "$mode" != "update" ]
		327	then
		328	if [ $Lang == "fr" ]
		329	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		330	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		331	fi
		332	response=0
		333	PTN='^[oOyYnN]$'
		334	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	335	do
595	richard	336	if [ $Lang == "fr" ]
659	richard	337	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	338	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	339	fi
1	root	340	read response
		341	done
636	richard	342	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		343	then
		344	PRIVATE_IP_MASK="0"
		345	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		346	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	347	do
595	richard	348	if [ $Lang == "fr" ]
597	richard	349	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		350	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	351	fi
597	richard	352	read PRIVATE_IP_MASK
1	root	353	done
636	richard	354	else
		355	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		356	fi
595	richard	357	else
637	richard	358	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		359	rm -rf conf/etc/alcasar.conf
1	root	360	fi
861	richard	361	# Define LAN side global parameters
1	root	362	hostname $HOSTNAME
977	richard	363	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		364	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		365	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		366	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		367	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		368	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		369	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		370	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		371	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		372	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	373	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	374	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	375	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
977	richard	376	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF (eth1)
841	richard	377	# Define Internet parameters
14	richard	378	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		379	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		380	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	381	DNS1=${DNS1:=208.67.220.220}
		382	DNS2=${DNS2:=208.67.222.222}
597	richard	383	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
784	richard	384	DEFAULT_PUBLIC_NETMASK=`ipcalc -m 192.168.182.2 \| cut -d"=" -f2`
		385	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
		386	PUBLIC_PREFIX=`/bin/ipcalc -p 192.168.182.2 $PUBLIC_NETMASK\|cut -d"=" -f2`
861	richard	387
765	stephane	388	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	389	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	390	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		391	echo "DNS1=$DNS1" >> $CONF_FILE
		392	echo "DNS2=$DNS2" >> $CONF_FILE
		393	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	394	echo "DHCP=full" >> $CONF_FILE
914	franck	395	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		396	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		397	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	398	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	399	# config network
1	root	400	cat <<EOF > /etc/sysconfig/network
		401	NETWORKING=yes
		402	HOSTNAME="$HOSTNAME"
		403	FORWARD_IPV4=true
		404	EOF
841	richard	405	# config /etc/hosts
1	root	406	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		407	cat <<EOF > /etc/hosts
503	richard	408	127.0.0.1 localhost
914	franck	409	$PRIVATE_IP $HOSTNAME $HOSTNAME.$DOMAIN
1	root	410	EOF
841	richard	411	# Config eth0 (Internet)
14	richard	412	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		413	DEVICE=$EXTIF
		414	BOOTPROTO=static
597	richard	415	IPADDR=$PUBLIC_IP
		416	NETMASK=$PUBLIC_NETMASK
		417	GATEWAY=$PUBLIC_GATEWAY
14	richard	418	DNS1=127.0.0.1
		419	ONBOOT=yes
		420	METRIC=10
		421	NOZEROCONF=yes
		422	MII_NOT_SUPPORTED=yes
		423	IPV6INIT=no
		424	IPV6TO4INIT=no
		425	ACCOUNTING=no
		426	USERCTL=no
994	franck	427	MTU=$MTU
		428	#ETHTOOL_OPTS=$ETHTOOL_OPTS
14	richard	429	EOF
841	richard	430	# Config eth1 (consultation LAN) in normal mode
		431	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		432	DEVICE=$INTIF
		433	BOOTPROTO=static
		434	ONBOOT=yes
		435	NOZEROCONF=yes
		436	MII_NOT_SUPPORTED=yes
		437	IPV6INIT=no
		438	IPV6TO4INIT=no
		439	ACCOUNTING=no
		440	USERCTL=no
		441	EOF
		442	# Config of eth1 in bypass mode (see "alcasar-bypass.sh")
793	richard	443	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	444	DEVICE=$INTIF
		445	BOOTPROTO=static
		446	IPADDR=$PRIVATE_IP
604	richard	447	NETMASK=$PRIVATE_NETMASK
1	root	448	ONBOOT=yes
		449	METRIC=10
		450	NOZEROCONF=yes
		451	MII_NOT_SUPPORTED=yes
14	richard	452	IPV6INIT=no
		453	IPV6TO4INIT=no
		454	ACCOUNTING=no
		455	USERCTL=no
1	root	456	EOF
440	franck	457	# Mise à l'heure du serveur
		458	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		459	cat <<EOF > /etc/ntp/step-tickers
455	franck	460	0.fr.pool.ntp.org # adapt to your country
		461	1.fr.pool.ntp.org
		462	2.fr.pool.ntp.org
440	franck	463	EOF
		464	# Configuration du serveur de temps (sur lui même)
1	root	465	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		466	cat <<EOF > /etc/ntp.conf
456	franck	467	server 0.fr.pool.ntp.org # adapt to your country
447	franck	468	server 1.fr.pool.ntp.org
		469	server 2.fr.pool.ntp.org
		470	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	471	fudge 127.127.1.0 stratum 10
604	richard	472	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	473	restrict 127.0.0.1
310	richard	474	driftfile /var/lib/ntp/drift
1	root	475	logfile /var/log/ntp.log
		476	EOF
440	franck	477
310	richard	478	chown -R ntp:ntp /var/lib/ntp
1	root	479	# Renseignement des fichiers hosts.allow et hosts.deny
		480	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		481	cat <<EOF > /etc/hosts.allow
		482	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	483	sshd: ALL
1	root	484	ntpd: $PRIVATE_NETWORK_SHORT
		485	EOF
		486	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		487	cat <<EOF > /etc/hosts.deny
		488	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		489	EOF
604	richard	490	# Firewall config
790	richard	491	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		492	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		493	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	494	# create the filter exception file and ip_bloqued file
790	richard	495	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	496	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
		497	echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	498	# load conntrack ftp module
		499	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		500	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
860	richard	501	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	502	} # End of network ()
		503
		504	##################################################################
		505	## Fonction gestion ##
		506	## - installation du centre de gestion ##
		507	## - configuration du serveur web (Apache) ##
		508	## - définition du 1er comptes de gestion ##
		509	## - sécurisation des accès ##
		510	##################################################################
		511	gestion()
		512	{
		513	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		514	mkdir $DIR_WEB
		515	# Copie et configuration des fichiers du centre de gestion
316	richard	516	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	517	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	518	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		519	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		520	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		521	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
498	richard	522	$SED "s?\$hostname =.*?\$hostname = \"$HOSTNAME\";?g" $DIR_WEB/index.php
316	richard	523	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	524	chown -R apache:apache $DIR_WEB/*
840	richard	525	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
1	root	526	do
		527	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		528	done
5	franck	529	chown -R root:apache $DIR_SAVE
71	richard	530	# Configuration et sécurisation php
		531	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	532	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		533	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	534	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		535	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	536	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		537	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		538	# Configuration et sécurisation Apache
790	richard	539	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	540	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
580	richard	541	$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf
303	richard	542	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	543	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		544	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		545	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	546	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		547	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		548	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		549	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		550	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		551	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	552	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1	root	553	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
		554	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
		555	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
		556	[ -e /var/www/error/include/bottom.html.default ] \|\| mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
		557	cat <<EOF > /var/www/error/include/bottom.html
		558	</body>
		559	</html>
		560	EOF
		561	# Définition du premier compte lié au profil 'admin'
509	richard	562	header_install
510	richard	563	if [ "$mode" = "install" ]
		564	then
613	richard	565	admin_portal=!
		566	PTN='^[a-zA-Z0-9-]*$'
		567	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		568	do
		569	header_install
		570	if [ $Lang == "fr" ]
		571	then
		572	echo ""
		573	echo "Définissez un premier compte d'administration du portail :"
		574	echo
		575	echo -n "Nom : "
		576	else
		577	echo ""
		578	echo "Define the first account allow to administrate the portal :"
		579	echo
		580	echo -n "Account : "
		581	fi
		582	read admin_portal
		583	if [ "$admin_portal" == "" ]
		584	then
		585	admin_portal=!
		586	fi
		587	done
1	root	588	# Création du fichier de clés de ce compte dans le profil "admin"
510	richard	589	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		590	mkdir -p $DIR_DEST_ETC/digest
		591	chmod 755 $DIR_DEST_ETC/digest
		592	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		593	do
613	richard	594	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
510	richard	595	done
		596	$DIR_DEST_SBIN/alcasar-profil.sh --list
595	richard	597	else # mise à jour des versions < 2.1
1010	richard	598	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 1 ])
510	richard	599	then
613	richard	600	if [ $Lang == "fr" ]
		601	then
		602	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		603	echo
		604	echo -n "Nom : "
		605	else
		606	echo "This update need to redefine the first admin account"
		607	echo
		608	echo -n "Account : "
		609	fi
		610	read admin_portal
510	richard	611	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		612	mkdir -p $DIR_DEST_ETC/digest
		613	chmod 755 $DIR_DEST_ETC/digest
		614	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		615	do
613	richard	616	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
510	richard	617	done
		618	$DIR_DEST_SBIN/alcasar-profil.sh --list
		619	fi
		620	fi
434	richard	621	# synchronisation horaire
		622	ntpd -q -g &
1	root	623	# Sécurisation du centre
988	franck	624	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	625	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	626	<Directory $DIR_ACC>
1	root	627	SSLRequireSSL
		628	AllowOverride None
		629	Order deny,allow
		630	Deny from all
		631	Allow from 127.0.0.1
		632	Allow from $PRIVATE_NETWORK_MASK
990	franck	633	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	634	require valid-user
		635	AuthType digest
		636	AuthName $HOSTNAME
		637	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	638	AuthUserFile $DIR_DEST_ETC/digest/key_all
580	richard	639	ErrorDocument 404 https://$HOSTNAME/
1	root	640	</Directory>
316	richard	641	<Directory $DIR_ACC/admin>
1	root	642	SSLRequireSSL
		643	AllowOverride None
		644	Order deny,allow
		645	Deny from all
		646	Allow from 127.0.0.1
		647	Allow from $PRIVATE_NETWORK_MASK
990	franck	648	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	649	require valid-user
		650	AuthType digest
		651	AuthName $HOSTNAME
		652	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	653	AuthUserFile $DIR_DEST_ETC/digest/key_admin
580	richard	654	ErrorDocument 404 https://$HOSTNAME/
1	root	655	</Directory>
344	richard	656	<Directory $DIR_ACC/manager>
1	root	657	SSLRequireSSL
		658	AllowOverride None
		659	Order deny,allow
		660	Deny from all
		661	Allow from 127.0.0.1
		662	Allow from $PRIVATE_NETWORK_MASK
990	franck	663	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	664	require valid-user
		665	AuthType digest
		666	AuthName $HOSTNAME
		667	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	668	AuthUserFile $DIR_DEST_ETC/digest/key_manager
580	richard	669	ErrorDocument 404 https://$HOSTNAME/
1	root	670	</Directory>
316	richard	671	<Directory $DIR_ACC/backup>
		672	SSLRequireSSL
		673	AllowOverride None
		674	Order deny,allow
		675	Deny from all
		676	Allow from 127.0.0.1
		677	Allow from $PRIVATE_NETWORK_MASK
990	franck	678	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	679	require valid-user
		680	AuthType digest
		681	AuthName $HOSTNAME
		682	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	683	AuthUserFile $DIR_DEST_ETC/digest/key_backup
580	richard	684	ErrorDocument 404 https://$HOSTNAME/
316	richard	685	</Directory>
811	richard	686	Alias /save/ "$DIR_SAVE/"
		687	<Directory $DIR_SAVE>
		688	SSLRequireSSL
		689	Options Indexes
		690	Order deny,allow
		691	Deny from all
		692	Allow from 127.0.0.1
		693	Allow from $PRIVATE_NETWORK_MASK
990	franck	694	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	695	require valid-user
		696	AuthType digest
		697	AuthName $HOSTNAME
		698	AuthUserFile $DIR_DEST_ETC/digest/key_backup
		699	ErrorDocument 404 https://$HOSTNAME/
		700	</Directory>
1	root	701	EOF
		702	} # End of gestion ()
		703
		704	##########################################################################################
		705	## Fonction AC() ##
		706	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		707	##########################################################################################
		708	AC ()
		709	{
		710	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	711	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	712	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	713	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		714	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		715	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	716	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	717	chown -R root:apache /etc/pki
1	root	718	chmod -R 750 /etc/pki
		719	} # End AC ()
		720
		721	##########################################################################################
		722	## Fonction init_db() ##
		723	## - Initialisation de la base Mysql ##
		724	## - Affectation du mot de passe de l'administrateur (root) ##
		725	## - Suppression des bases et des utilisateurs superflus ##
		726	## - Création de la base 'radius' ##
		727	## - Installation du schéma de cette base ##
		728	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		729	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		730	##########################################################################################
		731	init_db ()
		732	{
		733	mkdir -p /var/lib/mysql/.tmp
1008	richard	734	chown -R mysql:mysql /var/lib/mysql/
227	franck	735	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf # prend en compte les migrations de MySQL
1	root	736	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		737	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
		738	/etc/init.d/mysqld start
		739	sleep 4
		740	mysqladmin -u root password $mysqlpwd
		741	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
615	richard	742	# Delete exemple databases if exist
1	root	743	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;"
615	richard	744	# Create 'radius' database
1	root	745	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
615	richard	746	# Add an empty radius database structure
364	franck	747	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	748	# modify the start script in order to close accounting connexion when the system is comming down or up
		749	[ -e /etc/init.d/mysqld.default ] \|\| cp /etc/init.d/mysqld /etc/init.d/mysqld.default
		750	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
		751	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
1	root	752	} # End init_db ()
		753
		754	##########################################################################
		755	## Fonction param_radius ##
		756	## - Paramètrage des fichiers de configuration FreeRadius ##
		757	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		758	## - Modification de fichier de conf pour l'accès à Mysql ##
		759	##########################################################################
		760	param_radius ()
		761	{
		762	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		763	chown -R radius:radius /etc/raddb
		764	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
		765	# paramètrage radius.conf
		766	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		767	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		768	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
		769	# suppression de la fonction proxy
		770	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		771	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
654	richard	772	# suppression du module EAP
		773	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1	root	774	# écoute sur loopback uniquement (à modifier plus tard pour l'EAP)
		775	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
		776	# prise en compte du module SQL et des compteurs SQL
		777	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		778	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		779	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
		780	# purge du répertoire des serveurs virtuels et copie du fichier de configuration d'Alcasar
		781	rm -f /etc/raddb/sites-enabled/*
		782	cp $DIR_CONF/alcasar-radius /etc/raddb/sites-available/alcasar
		783	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		784	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		785	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		786	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	787	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	788	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
		789	# configuration du fichier client.conf (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
		790	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		791	cat << EOF > /etc/raddb/clients.conf
		792	client 127.0.0.1 {
		793	secret = $secretradius
		794	shortname = localhost
		795	}
		796	EOF
		797	# modif sql.conf
		798	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		799	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		800	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		801	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		802	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
		803	# modif dialup.conf
		804	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
		805	cp -f $DIR_CONF/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		806	} # End param_radius ()
		807
		808	##########################################################################
		809	## Fonction param_web_radius ##
		810	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		811	## - Création du lien vers la page de changement de mot de passe ##
		812	##########################################################################
		813	param_web_radius ()
		814	{
		815	# copie de l'interface d'origine dans la structure Alcasar
316	richard	816	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		817	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		818	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	819	# copie des fichiers modifiés
		820	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	821	chown -R apache:apache $DIR_ACC/manager/
344	richard	822	# Modification des fichiers de configuration
1	root	823	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	824	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	825	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		826	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		827	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		828	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		829	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		830	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		831	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	832	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	833	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
		834	cp -f $DIR_CONF/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	835	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	836	nas1_name: alcasar-$ORGANISME
1	root	837	nas1_model: Portail captif
		838	nas1_ip: $PRIVATE_IP
		839	nas1_port_num: 0
		840	nas1_community: public
		841	EOF
		842	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		843	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
		844	cp -f $DIR_CONF/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	845	# Ajout du mappage des attributs chillispot
		846	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
		847	cp -f $DIR_CONF/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	848	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
		849	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/user_edit.attrs.default
		850	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		851	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	852	chown -R apache:apache /etc/freeradius-web
1	root	853	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		854	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	855	<Directory $DIR_WEB/pass>
1	root	856	SSLRequireSSL
		857	AllowOverride None
		858	Order deny,allow
		859	Deny from all
		860	Allow from 127.0.0.1
		861	Allow from $PRIVATE_NETWORK_MASK
580	richard	862	ErrorDocument 404 https://$HOSTNAME
1	root	863	</Directory>
		864	EOF
		865	} # End of param_web_radius ()
		866
799	richard	867	##################################################################################
		868	## Fonction param_chilli ##
		869	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		870	## - Paramètrage de la page d'authentification (intercept.php) ##
		871	##################################################################################
1	root	872	param_chilli ()
		873	{
799	richard	874	# init file creation
461	richard	875	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	876	cat <<EOF > /etc/init.d/chilli
		877	#!/bin/sh
		878	#
		879	# chilli CoovaChilli init
		880	#
		881	# chkconfig: 2345 65 35
		882	# description: CoovaChilli
		883	### BEGIN INIT INFO
		884	# Provides: chilli
		885	# Required-Start: network
		886	# Should-Start:
		887	# Required-Stop: network
		888	# Should-Stop:
		889	# Default-Start: 2 3 5
		890	# Default-Stop:
		891	# Description: CoovaChilli access controller
		892	### END INIT INFO
		893
		894	[ -f /usr/sbin/chilli ] \|\| exit 0
		895	. /etc/init.d/functions
		896	CONFIG=/etc/chilli.conf
		897	pidfile=/var/run/chilli.pid
		898	[ -f \$CONFIG ] \|\| {
		899	echo "\$CONFIG Not found"
		900	exit 0
		901	}
		902	RETVAL=0
		903	prog="chilli"
		904	case \$1 in
		905	start)
		906	if [ -f \$pidfile ] ; then
		907	gprintf "chilli is already running"
		908	else
		909	gprintf "Starting \$prog: "
		910	rm -f /var/run/chilli* # cleaning
		911	/sbin/modprobe tun >/dev/null 2>&1
		912	echo 1 > /proc/sys/net/ipv4/ip_forward
		913	[ -e /dev/net/tun ] \|\| {
		914	(cd /dev;
		915	mkdir net;
		916	cd net;
		917	mknod tun c 10 200)
		918	}
		919	ifconfig eth1 0.0.0.0
		920	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		921	RETVAL=$?
		922	fi
		923	;;
		924
		925	reload)
		926	killall -HUP chilli
		927	;;
		928
		929	restart)
		930	\$0 stop
		931	sleep 2
		932	\$0 start
		933	;;
		934
		935	status)
		936	status chilli
		937	RETVAL=0
		938	;;
		939
		940	stop)
		941	if [ -f \$pidfile ] ; then
		942	gprintf "Shutting down \$prog: "
		943	killproc /usr/sbin/chilli
		944	RETVAL=\$?
		945	[ \$RETVAL = 0 ] && rm -f $pidfile
		946	else
		947	gprintf "chilli is not running"
		948	fi
		949	;;
		950
		951	*)
		952	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		953	exit 1
		954	esac
		955	echo
		956	EOF
		957
		958	# conf file creation
346	richard	959	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		960	cat <<EOF > /etc/chilli.conf
		961	# coova config for ALCASAR
		962	cmdsocket /var/run/chilli.sock
		963	unixipc chilli.eth1.ipc
		964	pidfile /var/run/chilli.eth1.pid
		965	net $PRIVATE_NETWORK_MASK
595	richard	966	dhcpif $INTIF
841	richard	967	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	968	#nodynip
865	richard	969	#statip
		970	dynip $PRIVATE_NETWORK_MASK
346	richard	971	domain localdomain
355	richard	972	dns1 $PRIVATE_IP
		973	dns2 $PRIVATE_IP
346	richard	974	uamlisten $PRIVATE_IP
503	richard	975	uamport 3990
837	richard	976	macauth
		977	macpasswd password
346	richard	978	locationname $HOSTNAME
		979	radiusserver1 127.0.0.1
		980	radiusserver2 127.0.0.1
		981	radiussecret $secretradius
		982	radiusauthport 1812
		983	radiusacctport 1813
467	richard	984	uamserver https://$HOSTNAME/intercept.php
346	richard	985	radiusnasid $HOSTNAME
		986	uamsecret $secretuam
793	richard	987	uamallowed alcasar
346	richard	988	coaport 3799
503	richard	989	include $DIR_DEST_ETC/alcasar-uamallowed
		990	include $DIR_DEST_ETC/alcasar-uamdomain
917	franck	991	#dhcpgateway
		992	#dhcprelayagent
		993	#dhcpgatewayport
346	richard	994	EOF
977	richard	995	# create file for DHCP static ip. Reserve the second IP address for eth1 (the first one is for tun0)
		996	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	997	# create files for trusted domains and urls
		998	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	999	chown root:apache $DIR_DEST_ETC/alcasar-*
		1000	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1001	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1002	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1003	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1004	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1005	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1006	if [ "$chilli_exist" == "1" ]
		1007	then
		1008	userdel -r chilli 2>/dev/null
		1009	fi
		1010	groupadd -f chilli
		1011	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	1012	} # End of param_chilli ()
		1013
		1014	##########################################################
		1015	## Fonction param_squid ##
		1016	## - Paramètrage du proxy 'squid' en mode 'cache' ##
		1017	## - Initialisation de la base de données ##
		1018	##########################################################
		1019	param_squid ()
		1020	{
		1021	# paramètrage de Squid (connecté en série derrière Dansguardian)
		1022	[ -e /etc/squid/squid.conf.default ] \|\| cp /etc/squid/squid.conf /etc/squid/squid.conf.default
		1023	# suppression des références 'localnet', 'icp', 'htcp' et 'always_direct'
		1024	$SED "/^acl localnet/d" /etc/squid/squid.conf
		1025	$SED "/^icp_access allow localnet/d" /etc/squid/squid.conf
		1026	$SED "/^icp_port 3130/d" /etc/squid/squid.conf
		1027	$SED "/^http_access allow localnet/d" /etc/squid/squid.conf
		1028	$SED "/^htcp_access allow localnet/d" /etc/squid/squid.conf
		1029	$SED "/^always_direct allow localnet/d" /etc/squid/squid.conf
		1030	# mode 'proxy transparent local'
595	richard	1031	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
726	franck	1032	# Configuration du cache local
749	franck	1033	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
405	franck	1034	# emplacement et formatage standard des logs
419	franck	1035	echo '#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh' >> /etc/squid/squid.conf
749	franck	1036	echo '#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh' >> /etc/squid/squid.conf
405	franck	1037	echo "access_log /var/log/squid/access.log" >> /etc/squid/squid.conf
1	root	1038	# compatibilité des logs avec awstats
315	richard	1039	echo "emulate_httpd_log on" >> /etc/squid/squid.conf
749	franck	1040	echo "half_closed_clients off" >> /etc/squid/squid.conf
		1041	echo "server_persistent_connections off" >> /etc/squid/squid.conf
		1042	echo "client_persistent_connections on" >> /etc/squid/squid.conf
		1043	echo "client_lifetime 1440 minutes" >> /etc/squid/squid.conf
		1044	echo "request_timeout 5 minutes" >> /etc/squid/squid.conf
		1045	echo "persistent_request_timeout 2 minutes" >> /etc/squid/squid.conf
726	franck	1046	echo "cache_mem 256 MB" >> /etc/squid/squid.conf
749	franck	1047	echo "maximum_object_size_in_memory 4096 KB" >> /etc/squid/squid.conf
		1048	echo "maximum_object_size 4096 KB" >> /etc/squid/squid.conf
835	richard	1049	# anonymisation of squid version
813	richard	1050	echo "via off" >> /etc/squid/squid.conf
835	richard	1051	# remove the 'X_forwarded' http option
812	richard	1052	echo "forwarded_for delete" >> /etc/squid/squid.conf
835	richard	1053	# linked squid output in HAVP input
		1054	echo "cache_peer 127.0.0.1 parent 8090 0 no-query default" >> /etc/squid/squid.conf
		1055	echo "never_direct allow all" >> /etc/squid/squid.conf
		1056	# avoid error messages on network interfaces state changes
313	richard	1057	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
894	richard	1058	# reduce squid shutdown time (100 to 50)
		1059	$SED "s?^SQUID_SHUTDOWN_TIMEOUT.*?SQUID_SHUTDOWN_TIMEOUT=50?g" /etc/sysconfig/squid
		1060
835	richard	1061	# Squid cache init
1	root	1062	/usr/sbin/squid -z
		1063	} # End of param_squid ()
		1064
		1065	##################################################################
		1066	## Fonction param_dansguardian ##
		1067	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1068	##################################################################
		1069	param_dansguardian ()
		1070	{
		1071	mkdir /var/dansguardian
		1072	chown dansguardian /var/dansguardian
497	richard	1073	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
307	richard	1074	# Le filtrage est désactivé par défaut
497	richard	1075	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1	root	1076	# la page d'interception est en français
497	richard	1077	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1	root	1078	# on limite l'écoute de Dansguardian côté LAN
497	richard	1079	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
835	richard	1080	# on chaîne Dansguardian au proxy cache SQUID
		1081	$SED "s?^proxyport.*?proxyport = 3128?g" $DIR_DG/dansguardian.conf
1	root	1082	# on remplace la page d'interception (template)
		1083	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1084	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
		1085	# on ne loggue que les deny (pour le reste, on a squid)
497	richard	1086	$SED "s?^loglevel =.*?loglevel = 1?g" $DIR_DG/dansguardian.conf
659	richard	1087	# lauch of 10 daemons (20 in largest server)
		1088	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1089	# on désactive par défaut le controle de contenu des pages html
497	richard	1090	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1091	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1092	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1093	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1094	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1095	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1096	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1097	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1098	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1099	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1100	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1101	touch $DIR_DG/lists/bannedextensionlist
		1102	touch $DIR_DG/lists/bannedmimetypelist
		1103	# 'Safesearch' regex actualisation
498	richard	1104	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1105	# empty LAN IP list that won't be WEB filtered
		1106	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1107	touch $DIR_DG/lists/exceptioniplist
		1108	# Keep a copy of URL & domain filter configuration files
		1109	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1110	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1111	} # End of param_dansguardian ()
		1112
71	richard	1113	##################################################################
		1114	## Fonction antivirus ##
479	richard	1115	## - configuration havp + libclamav ##
71	richard	1116	##################################################################
		1117	antivirus ()
		1118	{
288	richard	1119	# création de l'usager 'havp'
		1120	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1121	if [ "$havp_exist" == "1" ]
288	richard	1122	then
478	richard	1123	userdel -r havp 2>/dev/null
894	richard	1124	groupdel havp 2>/dev/null
288	richard	1125	fi
307	richard	1126	groupadd -f havp
796	richard	1127	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1128	mkdir -p /var/tmp/havp /var/log/havp
		1129	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1130	# configuration d'HAVP
		1131	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1132	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1133	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1134	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1135	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1136	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1137	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1138	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1139	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1140	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1141	# skip checking of youtube flow (too heavy load / risk too low)
		1142	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1143	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1144	echo ".youtube.com/" >> /etc/havp/whitelist
481	franck	1145	# remplacement du fichier d'initialisation
335	richard	1146	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
1005	richard	1147	# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
481	franck	1148	cp -f $DIR_CONF/havp-init /etc/init.d/havp
340	richard	1149	# on remplace la page d'interception (template)
		1150	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1151	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
489	richard	1152	# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
		1153	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
		1154	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
734	richard	1155	# Virus database update
		1156	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1157	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
		1158	/usr/bin/freshclam
71	richard	1159	}
		1160
1	root	1161	##################################################################################
476	richard	1162	## param_ulogd function ##
		1163	## - Ulog config for multi-log files ##
		1164	##################################################################################
		1165	param_ulogd ()
		1166	{
		1167	# Three instances of ulogd (three different logfiles)
		1168	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1169	nl=1
		1170	for log_type in tracability ssh ext-access
		1171	do
		1172	[ -e /var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
		1173	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1174	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1175	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1176	cat << EOF >> /etc/ulogd-$log_type.conf
		1177	[LOGEMU]
		1178	file="/var/log/firewall/$log_type.log"
		1179	sync=1
		1180	EOF
		1181	nl=`expr $nl + 1`
		1182	done
476	richard	1183	chown -R root:apache /var/log/firewall
		1184	chmod 750 /var/log/firewall
		1185	chmod 640 /var/log/firewall/*
		1186	[ -e /etc/init.d/ulogd.default ] \|\| cp /etc/init.d/ulogd /etc/init.d/ulogd.default
		1187	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
		1188	} # End of param_ulogd ()
		1189
		1190	##################################################################################
1	root	1191	## Fonction param_awstats ##
		1192	## - configuration de l'interface des logs de consultation WEB (AWSTAT) ##
		1193	##################################################################################
		1194	param_awstats()
		1195	{
316	richard	1196	cp -rf /usr/share/awstats/www/ $DIR_ACC/awstats/
		1197	chown -R apache:apache $DIR_ACC/awstats
1	root	1198	cp /etc/awstats/awstats.conf /etc/awstats/awstats.conf.default
		1199	$SED "s?^LogFile=.*?LogFile=\"/var/log/squid/access.log\"?g" /etc/awstats/awstats.conf
		1200	$SED "s?^LogFormat=.*?LogFormat=4?g" /etc/awstats/awstats.conf
		1201	$SED "s?^SiteDomain=.*?SiteDomain=\"$HOSTNAME\"?g" /etc/awstats/awstats.conf
		1202	$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf
		1203	$SED "s?^DNSLookup=.*?DNSLookup=0?g" /etc/awstats/awstats.conf
344	richard	1204	$SED "s?^DirData=.*?DirData=\"/var/lib/awstats\"?g" /etc/awstats/awstats.conf
		1205	$SED "s?^DirIcons=.*?DirIcons=\"/acc/awstats/icon\"?g" /etc/awstats/awstats.conf
1	root	1206	$SED "s?^StyleSheet=.*?StyleSheet=\"/css/style.css\"?g" /etc/awstats/awstats.conf
		1207	$SED "s?^BuildReportFormat=.*?BuildReportFormat=xhtml?g" /etc/awstats/awstats.conf
59	richard	1208	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
580	richard	1209	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
		1210	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
		1211	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
		1212	$SED "s?^ShowMonthStats=.*?ShowMonthStats=VPHB?g" /etc/awstats/awstats.conf
		1213	$SED "s?^ShowDaysOfMonthStats=.*?ShowDaysOfMonthStats=PHB?g" /etc/awstats/awstats.conf
		1214	$SED "s?^ShowDaysOfWeekStats=.*?ShowDaysOfWeekStats=PHB?g" /etc/awstats/awstats.conf
		1215	$SED "s?^ShowHoursStats=.*?ShowHoursStats=PHB?g" /etc/awstats/awstats.conf
		1216	$SED "s?^ShowDomainsStats=.*?ShowDomainsStats=0?g" /etc/awstats/awstats.conf
		1217	$SED "s?^ShowHostsStats=.*?ShowHostsStats=0?g" /etc/awstats/awstats.conf
		1218	$SED "s?^ShowAuthenticatedUsers=.*?ShowAuthenticatedUsers=0?g" /etc/awstats/awstats.conf
		1219	$SED "s?^ShowRobotsStats=.*?ShowRobotsStats=0?g" /etc/awstats/awstats.conf
		1220	$SED "s?^ShowFileTypesStats=.*?ShowFileTypesStats=0?g" /etc/awstats/awstats.conf
		1221	$SED "s?^ShowFileSizesStats=.*?ShowFileSizesStats=0?g" /etc/awstats/awstats.conf
		1222	$SED "s?^ShowOSStats=.*?ShowOSStats=0?g" /etc/awstats/awstats.conf
		1223	$SED "s?^ShowScreenSizeStats=.*?ShowScreenSizeStats=0?g" /etc/awstats/awstats.conf
		1224
1	root	1225	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	1226	<Directory $DIR_ACC/awstats>
1	root	1227	SSLRequireSSL
		1228	Options ExecCGI
		1229	AddHandler cgi-script .pl
		1230	DirectoryIndex awstats.pl
		1231	Order deny,allow
		1232	Deny from all
		1233	Allow from 127.0.0.1
		1234	Allow from $PRIVATE_NETWORK_MASK
990	franck	1235	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	1236	require valid-user
		1237	AuthType digest
		1238	AuthName $HOSTNAME
		1239	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	1240	AuthUserFile $DIR_DEST_ETC/digest/key_admin
580	richard	1241	ErrorDocument 404 https://$HOSTNAME/
1	root	1242	</Directory>
		1243	SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
		1244	EOF
		1245	} # End of param_awstats ()
		1246
		1247	##########################################################
235	richard	1248	## Fonction param_dnsmasq ##
1	root	1249	##########################################################
219	jeremy	1250	param_dnsmasq ()
		1251	{
		1252	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
259	richard	1253	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
503	richard	1254	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1255	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1256	cat << EOF > /etc/dnsmasq.conf
520	richard	1257	# Configuration file for "dnsmasq in forward mode"
503	richard	1258	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1259	listen-address=$PRIVATE_IP
		1260	listen-address=127.0.0.1
286	richard	1261	no-dhcp-interface=$INTIF
259	richard	1262	bind-interfaces
		1263	cache-size=256
		1264	domain=$DOMAIN
		1265	domain-needed
		1266	expand-hosts
		1267	bogus-priv
		1268	filterwin2k
		1269	server=$DNS1
		1270	server=$DNS2
498	richard	1271	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1272	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1273	dhcp-option=option:router,$PRIVATE_IP
259	richard	1274	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1275
291	franck	1276	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1277	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1278	EOF
520	richard	1279	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
		1280	cat << EOF > /etc/dnsmasq-blackhole.conf
		1281	# Configuration file for "dnsmasq with blackhole"
		1282	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1283	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1284	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1285	listen-address=$PRIVATE_IP
		1286	port=54
		1287	no-dhcp-interface=$INTIF
		1288	bind-interfaces
		1289	cache-size=256
		1290	domain=$DOMAIN
		1291	domain-needed
		1292	expand-hosts
		1293	bogus-priv
		1294	filterwin2k
		1295	server=$DNS1
		1296	server=$DNS2
		1297	EOF
718	franck	1298
800	richard	1299	# Init file modification
503	richard	1300	[ -e /etc/init.d/dnsmasq.default ] \|\| cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
800	richard	1301	# Start and stop a 2nd process for the "DNS blackhole"
520	richard	1302	$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq
503	richard	1303	$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq
800	richard	1304	# Start after chilli (65) which create tun0
		1305	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
933	franck	1306	# Optionnellement on pré-active les logs DNS des clients
786	richard	1307	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
933	franck	1308	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
		1309	# Optionnellement, exemple de configuration avec un A.D.
975	franck	1310	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.2"' >> /etc/sysconfig/dnsmasq
308	richard	1311	} # End dnsmasq
		1312
		1313	##########################################################
		1314	## Fonction BL (BlackList) ##
		1315	##########################################################
		1316	BL ()
		1317	{
		1318	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1319	rm -rf $DIR_DG/lists/blacklists
		1320	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1321	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1322	mkdir $DIR_DG/lists/blacklists/ossi
		1323	touch $DIR_DG/lists/blacklists/ossi/domains
		1324	touch $DIR_DG/lists/blacklists/ossi/urls
309	richard	1325	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1326	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1327	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1328	touch $DIR_DG/lists/exceptionsitelist
		1329	touch $DIR_DG/lists/exceptionurllist
311	richard	1330	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1331	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1332	# Dansguardian filter config for ALCASAR
		1333	EOF
648	richard	1334	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1335	# Dansguardian domain filter config for ALCASAR
		1336	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1337	#**
		1338	# block all SSL and CONNECT tunnels
		1339	**s
		1340	# block all SSL and CONNECT tunnels specified only as an IP
		1341	*ips
		1342	# block all sites specified only by an IP
		1343	*ip
		1344	EOF
1000	richard	1345	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1346	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1347	# Bing - add 'adlt=strict'
		1348	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1349	# Youtube - add 'edufilter=your_ID'
885	richard	1350	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1351	EOF
1000	richard	1352	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1353	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1354	chown -R dansguardian:apache $DIR_DG
		1355	chmod -R g+rw $DIR_DG
786	richard	1356	# On adapte la BL de Toulouse à notre structure
654	richard	1357	if [ "$mode" != "update" ]; then
		1358	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1359	fi
308	richard	1360	}
219	jeremy	1361
1	root	1362	##########################################################
		1363	## Fonction cron ##
		1364	## - Mise en place des différents fichiers de cron ##
		1365	##########################################################
		1366	cron ()
		1367	{
		1368	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1369	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1370	cat <<EOF > /etc/crontab
		1371	SHELL=/bin/bash
		1372	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1373	MAILTO=root
		1374	HOME=/
		1375
		1376	# run-parts
		1377	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1378	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1379	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1380	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1381	EOF
		1382	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1383	cat <<EOF >> /etc/anacrontab
667	franck	1384	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1385	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1386	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1387	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1388	EOF
667	franck	1389	cat <<EOF > /etc/cron.d/alcasar-clean_log
713	franck	1390	# suppression des fichiers de logs de plus d'un an (tous les lundi à 4h30)
865	richard	1391	30 4 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --clean
1	root	1392	EOF
811	richard	1393	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1394	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1395	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1396	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1397	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1398	EOF
667	franck	1399	cat <<EOF > /etc/cron.d/alcasar-export_log
713	franck	1400	# export des log squid, firewall et apache (tous les lundi à 5h00)
865	richard	1401	00 5 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --export
1	root	1402	EOF
952	franck	1403	cat <<EOF > /etc/cron.d/alcasar-archive
		1404	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1405	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1406	EOF
1	root	1407	cat << EOF > /etc/cron.d/awstats
713	franck	1408	# mise à jour des stats de consultation WEB toutes les 30'
419	franck	1409	/30 * * * root $DIR_ACC/awstats/awstats.pl -config=localhost -update >/dev/null 2>&1
1	root	1410	EOF
667	franck	1411	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1412	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1413	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1414	EOF
722	franck	1415	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1416	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1417	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1418	EOF
1	root	1419	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1420	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1421	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1422	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1423	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1424	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1425	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1426	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1427	rm -f /etc/cron.daily/freeradius-web
		1428	rm -f /etc/cron.monthly/freeradius-web
		1429	cat << EOF > /etc/cron.d/freeradius-web
		1430	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1431	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1432	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1433	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1434	EOF
671	franck	1435	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1436	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1437	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1438	EOF
808	franck	1439	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1440	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1441	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1442	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1443	EOF
522	richard	1444	# suppression des crons usagers
		1445	rm -f /var/spool/cron/*
1	root	1446	} # End cron
		1447
		1448	##################################################################
		1449	## Fonction post_install ##
		1450	## - Modification des bannières (locales et ssh) et des prompts ##
		1451	## - Installation de la structure de chiffrement pour root ##
		1452	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1453	## - Mise en place du la rotation des logs ##
5	franck	1454	## - Configuration dans le cas d'une mise à jour ##
1	root	1455	##################################################################
		1456	post_install()
		1457	{
		1458	# adaptation du script "chien de garde" (watchdog)
376	franck	1459	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1460	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1461	# création de la bannière locale
1007	richard	1462	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1463	cp -f $DIR_CONF/banner /etc/mageia-release
		1464	echo " V$VERSION" >> /etc/mageia-release
1	root	1465	# création de la bannière SSH
1007	richard	1466	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1467	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1468	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1469	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1470	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1471	# postfix banner anonymisation
		1472	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1473	# sshd écoute côté LAN et WAN
1	root	1474	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1475	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1476	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1477	echo "SSH=off" >> $CONF_FILE
694	franck	1478	echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
628	richard	1479	echo "QOS=off" >> $CONF_FILE
		1480	echo "LDAP=off" >> $CONF_FILE
786	richard	1481	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1482	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
628	richard	1483	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
		1484	echo "DNS_FILTERING=off" >> $CONF_FILE
885	richard	1485	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1	root	1486	# Coloration des prompts
		1487	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1488	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1489	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1490	# Droits d'exécution pour utilisateur apache et sysadmin
		1491	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1492	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1493	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
132	franck	1494	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, squid, radiusd, ulogd)
1	root	1495	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1496	chmod 644 /etc/logrotate.d/*
714	franck	1497	# rectification sur versions précédentes de la compression des logs
706	franck	1498	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1499	# actualisation des fichiers logs compressés
714	franck	1500	for dir in firewall squid dansguardian httpd
706	franck	1501	do
714	franck	1502	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1503	done
		1504	# export des logs en 'retard' dans /var/Save/logs
865	richard	1505	/usr/local/bin/alcasar-log.sh --export
1	root	1506	# processus lancés par défaut au démarrage
796	richard	1507	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
1	root	1508	do
		1509	/sbin/chkconfig --add $i
		1510	done
1005	richard	1511
		1512	# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse)
		1513	# cat << EOF > /etc/rc.local
953	franck	1514	#!/bin/sh
		1515	#
		1516	### BEGIN INIT INFO
		1517	# Provides: rc.local
		1518	# X-Mandriva-Compat-Mode
		1519	# Default-Start: 2 3 4 5
		1520	# Short-Description: Local initialization script
		1521	# Description: This script will be executed after all the other init scripts.
		1522	# You can put your own initialization stuff in here if you don't
		1523	# want to do the full Sys V style init stuff.
		1524	### END INIT INFO
1005	richard	1525	#
		1526	#/etc/init.d/mysqld restart
		1527	#sleep 1
		1528	#/etc/init.d/radiusd restart
		1529	#
		1530	#touch /var/lock/subsys/local
		1531	#EOF
953	franck	1532
1005	richard	1533	# On applique les préconisations ANSSI
		1534	# Apply French Security Agency rules
568	richard	1535	# ignorer les broadcast ICMP. (attaque smurf)
		1536	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
		1537	# ignorer les erreurs ICMP bogus
		1538	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
595	richard	1539	# désactiver l'envoi et la réponse aux ICMP redirects
679	richard	1540	sysctl -w net.ipv4.conf.all.accept_redirects=0
568	richard	1541	accept_redirect=`grep accept_redirect /etc/sysctl.conf\|wc -l`
		1542	if [ "$accept_redirect" == "0" ]
		1543	then
679	richard	1544	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
		1545	else
		1546	$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
568	richard	1547	fi
679	richard	1548	sysctl -w net.ipv4.conf.all.send_redirects=0
568	richard	1549	send_redirect=`grep send_redirect /etc/sysctl.conf\|wc -l`
		1550	if [ "$send_redirect" == "0" ]
		1551	then
679	richard	1552	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
		1553	else
		1554	$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
568	richard	1555	fi
		1556	# activer les SYN Cookies (attaque syn flood)
679	richard	1557	sysctl -w net.ipv4.tcp_syncookies=1
568	richard	1558	tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf\|wc -l`
		1559	if [ "$tcp_syncookies" == "0" ]
		1560	then
679	richard	1561	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
		1562	else
		1563	$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
568	richard	1564	fi
595	richard	1565	# activer l'antispoofing niveau Noyau
568	richard	1566	sysctl -w net.ipv4.conf.all.rp_filter=1
		1567	# ignorer le source routing
679	richard	1568	sysctl -w net.ipv4.conf.all.accept_source_route=0
568	richard	1569	accept_source_route=`grep accept_source_route /etc/sysctl.conf\|wc -l`
		1570	if [ "$accept_source_route" == "0" ]
		1571	then
679	richard	1572	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
		1573	else
		1574	$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
568	richard	1575	fi
679	richard	1576	# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
		1577	sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
		1578	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`
		1579	if [ "$timeout_established" == "0" ]
		1580	then
		1581	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
		1582	else
793	richard	1583	$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
679	richard	1584	fi
		1585	# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée)
568	richard	1586	sysctl -w net.ipv4.conf.all.log_martians=0
306	richard	1587	# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1005	richard	1588	# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
59	richard	1589	# modification /etc/inittab
		1590	[ -e /etc/inittab.default ] \|\| cp /etc/inittab /etc/inittab.default
1003	richard	1591	# We keep only 3 TTYs
59	richard	1592	$SED "s?^4.*?#&?g" /etc/inittab
		1593	$SED "s?^5.*?#&?g" /etc/inittab
		1594	$SED "s?^6.*?#&?g" /etc/inittab
1003	richard	1595	# switch to multi-users runlevel (instead of x11)
		1596	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
		1597	$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
1005	richard	1598	# GRUB modifications
		1599	# limit wait time to 3s
		1600	# create an alcasar entry instead of linux-nonfb
		1601	# change display to 1024*768 (vga791)
470	richard	1602	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1005	richard	1603	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1604	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1605	$SED "/^kernel/s/vga=.*/vga=791/" /boot/grub/menu.lst
1007	richard	1606	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1005	richard	1607
1003	richard	1608	# Remove unused services and users
1007	richard	1609	for old_svc in alsa sound dm
532	richard	1610	do
1007	richard	1611	/sbin/chkconfig --del $old_svc
532	richard	1612	done
1008	richard	1613	for svc in snmpd.service sshd.service
1007	richard	1614	do
1008	richard	1615	/bin/systemctl disable $svc
1007	richard	1616	done
532	richard	1617	for rm_users in avahi-autoipd avahi icapd
		1618	do
		1619	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1620	if [ "$user" == "$rm_users" ]
		1621	then
		1622	/usr/sbin/userdel -f $rm_users
		1623	fi
		1624	done
628	richard	1625	# Load and update the previous conf file
5	franck	1626	if [ "$mode" = "update" ]
		1627	then
389	franck	1628	$DIR_DEST_BIN/alcasar-conf.sh --load
628	richard	1629	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1630	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
5	franck	1631	fi
595	richard	1632	rm -f /tmp/alcasar-conf*
434	richard	1633	chown -R root:apache $DIR_DEST_ETC/*
512	richard	1634	chmod -R 660 $DIR_DEST_ETC/*
434	richard	1635	chmod ug+x $DIR_DEST_ETC/digest $DIR_DEST_ETC/alcasar-dnsfilter*
1	root	1636	cd $DIR_INSTALL
5	franck	1637	echo ""
1	root	1638	echo "#############################################################################"
638	richard	1639	if [ $Lang == "fr" ]
		1640	then
		1641	echo "# Fin d'installation d'ALCASAR #"
		1642	echo "# #"
		1643	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1644	echo "# des Accès au Réseau ( ALCASAR ) #"
		1645	echo "# #"
		1646	echo "#############################################################################"
		1647	echo
		1648	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1649	echo
		1650	echo "- Lisez attentivement la documentation d'exploitation"
		1651	echo
		1652	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1653	echo
		1654	echo " Appuyez sur 'Entrée' pour continuer"
		1655	else
		1656	echo "# Enf of ALCASAR install process #"
		1657	echo "# #"
		1658	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1659	echo "# des Accès au Réseau ( ALCASAR ) #"
		1660	echo "# #"
		1661	echo "#############################################################################"
		1662	echo
		1663	echo "- The system will be rebooted in order to operate ALCASAR"
		1664	echo
		1665	echo "- Read the exploitation documentation"
		1666	echo
		1667	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1668	echo
		1669	echo " Hit 'Enter' to continue"
		1670	fi
815	richard	1671	sleep 2
		1672	if [ "$mode" != "update" ]
820	richard	1673	then
815	richard	1674	read a
		1675	fi
774	richard	1676	clear
		1677	# Apply and save the firewall rules
490	richard	1678	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1679	sleep 2
1	root	1680	reboot
		1681	} # End post_install ()
		1682
		1683	#################################
1005	richard	1684	# Main Install loop #
1	root	1685	#################################
832	richard	1686	dir_exec=`dirname "$0"`
		1687	if [ $dir_exec != "." ]
		1688	then
		1689	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1690	echo "Launch this program from the ALCASAR archive directory"
		1691	exit 0
		1692	fi
		1693	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1694	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1695	nb_args=$#
		1696	args=$1
		1697	if [ $nb_args -eq 0 ]
		1698	then
		1699	nb_args=1
		1700	args="-h"
		1701	fi
		1702	case $args in
		1703	-\? \| -h* \| --h*)
		1704	echo "$usage"
		1705	exit 0
		1706	;;
291	franck	1707	-i \| --install)
959	franck	1708	license
5	franck	1709	header_install
29	richard	1710	testing
597	richard	1711	# Test if ALCASAR is already installed
5	franck	1712	if [ -e $DIR_WEB/VERSION ]
1	root	1713	then
460	richard	1714	actual_version=`cat $DIR_WEB/VERSION`
595	richard	1715	if [ $Lang == "fr" ]
		1716	then echo -n "La version "; echo -n $actual_version ; echo " d'ALCASAR est déjà installée";
		1717	else echo -n "ALCASAR Version "; echo -n $actual_version ; echo " is already installed";
		1718	fi
5	franck	1719	response=0
460	richard	1720	PTN='^[oOnNyY]$'
580	richard	1721	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1722	do
595	richard	1723	if [ $Lang == "fr" ]
		1724	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		1725	else echo -n "Do you want to update (Y/n)?";
		1726	fi
5	franck	1727	read response
		1728	done
597	richard	1729	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
5	franck	1730	then
597	richard	1731	rm -f /tmp/alcasar-conf*
		1732	else
636	richard	1733	# Create a backup of running version importants files
5	franck	1734	chmod u+x $DIR_SCRIPTS/alcasar-conf.sh
389	franck	1735	$DIR_SCRIPTS/alcasar-conf.sh --create
532	richard	1736	mode="update"
5	franck	1737	fi
1	root	1738	fi
595	richard	1739	# RPMs install
		1740	$DIR_SCRIPTS/alcasar-urpmi.sh
		1741	if [ "$?" != "0" ]
1	root	1742	then
595	richard	1743	exit 0
		1744	fi
		1745	if [ -e $DIR_WEB/VERSION ]
		1746	then
597	richard	1747	# Uninstall the running version
532	richard	1748	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1749	fi
636	richard	1750	# Test if manual update
597	richard	1751	if [ -e /tmp/alcasar-conf.tar.gz ] && [ "$mode" != "update" ]
595	richard	1752	then
636	richard	1753	header_install
595	richard	1754	if [ $Lang == "fr" ]
636	richard	1755	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1756	else echo "The configuration file of an old version has been found";
595	richard	1757	fi
597	richard	1758	response=0
		1759	PTN='^[oOnNyY]$'
		1760	until [[ $(expr $response : $PTN) -gt 0 ]]
		1761	do
		1762	if [ $Lang == "fr" ]
		1763	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1764	else echo -n "Do you want to use it (Y/n)?";
		1765	fi
		1766	read response
		1767	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1768	then rm -f /tmp/alcasar-conf*
		1769	fi
		1770	done
		1771	fi
636	richard	1772	# Test if update
597	richard	1773	if [ -e /tmp/alcasar-conf.tar.gz ]
		1774	then
		1775	if [ $Lang == "fr" ]
		1776	then echo "#### Installation avec mise à jour ####";
		1777	else echo "#### Installation with update ####";
		1778	fi
636	richard	1779	# Extract the central configuration file
637	richard	1780	tar -xf /tmp/alcasar-conf.tar.gz conf/etc/alcasar.conf
		1781	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1782	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1783	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1784	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1785	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1786	mode="update"
		1787	else
		1788	mode="install"
1	root	1789	fi
604	richard	1790	for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install
5	franck	1791	do
		1792	$func
1007	richard	1793	# echo "* 'debug' : end of function $func *"; read a
14	richard	1794	done
5	franck	1795	;;
291	franck	1796	-u \| --uninstall)
5	franck	1797	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1798	then
597	richard	1799	if [ $Lang == "fr" ]
		1800	then echo "ALCASAR n'est pas installé!";
		1801	else echo "ALCASAR isn't installed!";
		1802	fi
1	root	1803	exit 0
		1804	fi
5	franck	1805	response=0
		1806	PTN='^[oOnN]$'
580	richard	1807	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1808	do
597	richard	1809	if [ $Lang == "fr" ]
		1810	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1811	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1812	fi
5	franck	1813	read response
		1814	done
597	richard	1815	if [ "$reponse" = "o" ] \|\| [ "$reponse" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1816	then
389	franck	1817	$DIR_SCRIPT/alcasar-conf.sh --create
498	richard	1818	else
		1819	rm -f /tmp/alcasar-conf*
1	root	1820	fi
597	richard	1821	# Uninstall the running version
65	richard	1822	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1823	;;
		1824	*)
		1825	echo "Argument inconnu :$1";
460	richard	1826	echo "Unknown argument :$1";
1	root	1827	echo "$usage"
		1828	exit 1
		1829	;;
		1830	esac
10	franck	1831	# end of script
366	franck	1832

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1031