WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1062 2013-04-01 21:20:12Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
		6	# ALCASAR - Portail captif d'accès à l'Internet - Copyright (C) [2005] [ALcasar team - Rexy - 3abtux - ...]
		7	# Ce programme est un logiciel libre ; vous pouvez le redistribuer et/ou le modifier au titre des clauses de la Licence Publique Générale GNU,
		8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12	# Vous devriez avoir reçu un exemplaire de la Licence Publique Générale GNU avec ce programme ;
976	richard	13	# si ce n'est pas le cas, consultez : <http://www.gnu.org/licenses/>.
959	franck	14
967	franck	15	# team@alcasar.net
959	franck	16
1	root	17	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		18	# This script is distributed under the Gnu General Public License (GPL)
		19
672	richard	20	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	21	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	22	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	23	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	24	#
806	richard	25	# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes
1	root	26
		27	# Options :
376	franck	28	# -i or --install
		29	# -u or --uninstall
1	root	30
376	franck	31	# Functions :
29	richard	32	# testing : Tests de connectivité et de téléchargement avant installation
1	root	33	# init : Installation des RPM et des scripts
		34	# network : Paramètrage du réseau
		35	# gestion : Installation de l'interface de gestion
		36	# AC : Initialisation de l'autorité de certification. Création des certificats
		37	# init_db : Création de la base 'radius' sur le serveur MySql
		38	# param_radius : Configuration du serveur d'authentification FreeRadius
		39	# param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
		40	# param_chilli : Configuration du daemon 'coova-chilli' et de la page d'authentification
		41	# param_squid : Configuration du proxy squid en mode 'cache'
		42	# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
479	richard	43	# antivirus : Installation havp + libclamav
1	root	44	# param_awstats : Configuration de l'interface des statistiques de consultation WEB
297	richard	45	# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
308	richard	46	# BL : Configuration de la BlackList
1	root	47	# cron : Mise en place des exports de logs (+ chiffrement)
532	richard	48	# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
1	root	49
		50	DATE=`date '+%d %B %Y - %Hh%M'`
		51	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	52	Lang=`echo $LANG\|cut -c 1-2`
1	root	53	# ***** Files parameters - paramètres fichiers *******
1015	richard	54	DIR_INSTALL=`pwd` # current directory
		55	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		56	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		57	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		58	DIR_WEB="/var/www/html" # directory of APACHE
		59	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		60	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		61	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		62	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		63	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		64	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		65	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		66	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	67	# ***** DBMS parameters - paramètres SGBD ******
		68	DB_RADIUS="radius" # nom de la base de données utilisée par le serveur FreeRadius
		69	DB_USER="radius" # nom de l'utilisateur de la base de données
		70	# ***** Network parameters - paramètres réseau *****
503	richard	71	HOSTNAME="alcasar" #
1	root	72	DOMAIN="localdomain" # domaine local
		73	EXTIF="eth0" # ETH0 est l'interface connectée à Internet (Box FAI)
994	franck	74	MTU="1500"
		75	ETHTOOL_OPTS="speed 100 duplex full"
1	root	76	INTIF="eth1" # ETH1 est l'interface connectée au réseau local de consultation
597	richard	77	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # adresse d'ALCASAR (+masque) proposée par défaut sur le réseau de consultation
1	root	78	# **** Paths - chemin des commandes *****
		79	SED="/bin/sed -i"
		80	# **************** End of global parameters *******************
		81
959	franck	82	license ()
		83	{
		84	if [ $Lang == "fr" ]
967	franck	85	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		86	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	87	fi
975	franck	88	echo "Taper sur Entrée pour continuer !"
		89	echo "Enter to continue."
959	franck	90	read a
		91	}
		92
1	root	93	header_install ()
		94	{
		95	clear
		96	echo "-----------------------------------------------------------------------------"
460	richard	97	echo " ALCASAR V$VERSION Installation"
1	root	98	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		99	echo "-----------------------------------------------------------------------------"
		100	} # End of header_install ()
		101
		102	##################################################################
1005	richard	103	## Function TESTING ##
		104	## - Test of Internet access ##
29	richard	105	##################################################################
		106	testing ()
		107	{
595	richard	108	if [ $Lang == "fr" ]
784	richard	109	then echo -n "Tests des paramètres réseau : "
595	richard	110	else echo -n "Network parameters tests : "
		111	fi
784	richard	112	# We test eth0 config files
		113	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		114	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		115	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		116	then
		117	if [ $Lang == "fr" ]
		118	then
		119	echo "Échec"
		120	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		121	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	122	echo "Appliquez les changements : 'service network restart'"
784	richard	123	else
		124	echo "Failed"
		125	echo "The Internet connected network card ($EXTIF) isn't well configured."
		126	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	127	echo "Apply the new configuration 'service network restart'"
784	richard	128	fi
830	richard	129	echo "DEVICE=$EXTIF"
784	richard	130	echo "IPADDR="
		131	echo "NETMASK="
		132	echo "GATEWAY="
		133	echo "DNS1="
		134	echo "DNS2="
830	richard	135	echo "ONBOOT=yes"
784	richard	136	exit 0
		137	fi
		138	echo -n "."
460	richard	139	# We test the Ethernet links state
29	richard	140	for i in $EXTIF $INTIF
		141	do
294	richard	142	/sbin/ip link set $i up
306	richard	143	sleep 3
1031	richard	144	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		145	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	146	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	147	then
595	richard	148	if [ $Lang == "fr" ]
		149	then
		150	echo "Échec"
		151	echo "Le lien réseau de la carte $i n'est pas actif."
		152	echo "Réglez ce problème puis relancez ce script."
		153	else
		154	echo "Failed"
		155	echo "The link state of $i interface id down."
		156	echo "Resolv this problem, then restart this script."
		157	fi
29	richard	158	exit 0
		159	fi
308	richard	160	echo -n "."
29	richard	161	done
		162	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	163	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	164	if [ $Lang == "fr" ]
		165	then
		166	echo "Échec"
		167	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		168	echo "Réglez ce problème puis relancez ce script."
		169	else
		170	echo "Failed"
		171	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		172	echo "Resolv this problem, then restart this script."
		173	fi
29	richard	174	exit 0
		175	fi
308	richard	176	echo -n "."
978	franck	177	# On traite le cas où l'interface configurée lors de l'installation est "eth1" au lieu de "eth0" (mystère sur certaines versions de BIOS et de VirtualBox)
784	richard	178	if [ `ip route list\|grep ^default\|grep -c eth1` -eq "1" ] ; then
595	richard	179	if [ $Lang == "fr" ]
		180	then echo "La configuration des cartes réseau va être corrigée."
		181	else echo "The Ethernet card configuration will be corrected."
		182	fi
29	richard	183	/etc/init.d/network stop
		184	mv -f /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth0
		185	$SED "s?eth1?eth0?g" /etc/sysconfig/network-scripts/ifcfg-eth0
		186	/etc/init.d/network start
		187	echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
		188	sleep 2
595	richard	189	if [ $Lang == "fr" ]
		190	then echo "Configuration corrigée"
		191	else echo "Configuration updated"
		192	fi
29	richard	193	sleep 2
595	richard	194	if [ $Lang == "fr" ]
		195	then echo "Vous pouvez relancer ce script."
		196	else echo "You can restart this script."
		197	fi
29	richard	198	exit 0
		199	fi
308	richard	200	echo -n "."
978	franck	201	# On teste le lien vers le routeur par defaut
308	richard	202	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		203	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	204	if [ $(expr $arp_reply) -eq 0 ]
308	richard	205	then
595	richard	206	if [ $Lang == "fr" ]
		207	then
		208	echo "Échec"
		209	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		210	echo "Réglez ce problème puis relancez ce script."
		211	else
		212	echo "Failed"
		213	echo "The Internet gateway doesn't answered"
		214	echo "Resolv this problem, then restart this script."
		215	fi
308	richard	216	exit 0
		217	fi
		218	echo -n "."
421	franck	219	# On teste la connectivité Internet
29	richard	220	rm -rf /tmp/con_ok.html
308	richard	221	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	222	if [ ! -e /tmp/con_ok.html ]
		223	then
595	richard	224	if [ $Lang == "fr" ]
		225	then
		226	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		227	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		228	echo "Vérifiez la validité des adresses IP des DNS."
		229	else
		230	echo "The Internet connection try failed (google.fr)."
		231	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		232	echo "Verify the DNS IP addresses"
		233	fi
29	richard	234	exit 0
		235	fi
		236	rm -rf /tmp/con_ok.html
308	richard	237	echo ". : ok"
302	richard	238	} # end of testing
		239
		240	##################################################################
		241	## Fonction INIT ##
		242	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		243	## - Installation et modification des scripts du portail ##
		244	##################################################################
		245	init ()
		246	{
527	richard	247	if [ "$mode" != "update" ]
302	richard	248	then
		249	# On affecte le nom d'organisme
597	richard	250	header_install
302	richard	251	ORGANISME=!
		252	PTN='^[a-zA-Z0-9-]*$'
580	richard	253	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	254	do
595	richard	255	if [ $Lang == "fr" ]
597	richard	256	then echo -n "Entrez le nom de votre organisme : "
		257	else echo -n "Enter the name of your organism : "
595	richard	258	fi
330	franck	259	read ORGANISME
613	richard	260	if [ "$ORGANISME" == "" ]
330	franck	261	then
		262	ORGANISME=!
		263	fi
		264	done
302	richard	265	fi
1	root	266	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	267	rm -f $PASSWD_FILE
59	richard	268	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de protection du menu Grub
628	richard	269	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
		270	echo "$grubpwd" >> $PASSWD_FILE
59	richard	271	md5_grubpwd=`/usr/bin/md5pass $grubpwd`
384	richard	272	$SED "/^password.*/d" /boot/grub/menu.lst
		273	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1	root	274	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'administrateur Mysqld
1003	richard	275	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	276	echo "root / $mysqlpwd" >> $PASSWD_FILE
1	root	277	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
1003	richard	278	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	279	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1	root	280	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre intercept.php et coova-chilli
628	richard	281	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		282	echo "$secretuam" >> $PASSWD_FILE
1	root	283	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre coova-chilli et FreeRadius
628	richard	284	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		285	echo "$secretradius" >> $PASSWD_FILE
		286	chmod 640 $PASSWD_FILE
977	richard	287	# Scripts and conf files copy
		288	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	289	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	290	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	291	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	292	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	293	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	294	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		295	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	296	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		297	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	298	# generate central conf file
		299	cat <<EOF > $CONF_FILE
612	richard	300	##########################################
		301	## ##
		302	## ALCASAR Parameters ##
		303	## ##
		304	##########################################
1	root	305
612	richard	306	INSTALL_DATE=$DATE
		307	VERSION=$VERSION
		308	ORGANISM=$ORGANISME
923	franck	309	DOMAIN=$DOMAIN
612	richard	310	EOF
628	richard	311	chmod o-rwx $CONF_FILE
1	root	312	} # End of init ()
		313
		314	##################################################################
		315	## Fonction network ##
		316	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	317	## - Nommage DNS du système ##
1	root	318	## - Configuration de l'interface eth1 (réseau de consultation) ##
		319	## - Modification du fichier /etc/hosts ##
		320	## - Configuration du serveur de temps (NTP) ##
		321	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		322	##################################################################
		323	network ()
		324	{
		325	header_install
636	richard	326	if [ "$mode" != "update" ]
		327	then
		328	if [ $Lang == "fr" ]
		329	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		330	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		331	fi
		332	response=0
		333	PTN='^[oOyYnN]$'
		334	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	335	do
595	richard	336	if [ $Lang == "fr" ]
659	richard	337	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	338	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	339	fi
1	root	340	read response
		341	done
636	richard	342	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		343	then
		344	PRIVATE_IP_MASK="0"
		345	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		346	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	347	do
595	richard	348	if [ $Lang == "fr" ]
597	richard	349	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		350	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	351	fi
597	richard	352	read PRIVATE_IP_MASK
1	root	353	done
636	richard	354	else
		355	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		356	fi
595	richard	357	else
637	richard	358	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		359	rm -rf conf/etc/alcasar.conf
1	root	360	fi
861	richard	361	# Define LAN side global parameters
1	root	362	hostname $HOSTNAME
1033	richard	363	echo $HOSTNAME > /etc/hostname
977	richard	364	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		365	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		366	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		367	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		368	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		369	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		370	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		371	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		372	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		373	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	374	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	375	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	376	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
977	richard	377	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF (eth1)
841	richard	378	# Define Internet parameters
14	richard	379	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		380	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		381	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	382	DNS1=${DNS1:=208.67.220.220}
		383	DNS2=${DNS2:=208.67.222.222}
597	richard	384	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	385	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	386	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	387	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
861	richard	388
765	stephane	389	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	390	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	391	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		392	echo "DNS1=$DNS1" >> $CONF_FILE
		393	echo "DNS2=$DNS2" >> $CONF_FILE
		394	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	395	echo "DHCP=full" >> $CONF_FILE
914	franck	396	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		397	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		398	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	399	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	400	# config network
1	root	401	cat <<EOF > /etc/sysconfig/network
		402	NETWORKING=yes
		403	HOSTNAME="$HOSTNAME"
		404	FORWARD_IPV4=true
		405	EOF
841	richard	406	# config /etc/hosts
1	root	407	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		408	cat <<EOF > /etc/hosts
503	richard	409	127.0.0.1 localhost
914	franck	410	$PRIVATE_IP $HOSTNAME $HOSTNAME.$DOMAIN
1	root	411	EOF
841	richard	412	# Config eth0 (Internet)
14	richard	413	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		414	DEVICE=$EXTIF
		415	BOOTPROTO=static
597	richard	416	IPADDR=$PUBLIC_IP
		417	NETMASK=$PUBLIC_NETMASK
		418	GATEWAY=$PUBLIC_GATEWAY
14	richard	419	DNS1=127.0.0.1
		420	ONBOOT=yes
		421	METRIC=10
		422	NOZEROCONF=yes
		423	MII_NOT_SUPPORTED=yes
		424	IPV6INIT=no
		425	IPV6TO4INIT=no
		426	ACCOUNTING=no
		427	USERCTL=no
994	franck	428	MTU=$MTU
		429	#ETHTOOL_OPTS=$ETHTOOL_OPTS
14	richard	430	EOF
841	richard	431	# Config eth1 (consultation LAN) in normal mode
		432	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		433	DEVICE=$INTIF
		434	BOOTPROTO=static
		435	ONBOOT=yes
		436	NOZEROCONF=yes
		437	MII_NOT_SUPPORTED=yes
		438	IPV6INIT=no
		439	IPV6TO4INIT=no
		440	ACCOUNTING=no
		441	USERCTL=no
		442	EOF
		443	# Config of eth1 in bypass mode (see "alcasar-bypass.sh")
793	richard	444	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	445	DEVICE=$INTIF
		446	BOOTPROTO=static
		447	IPADDR=$PRIVATE_IP
604	richard	448	NETMASK=$PRIVATE_NETMASK
1	root	449	ONBOOT=yes
		450	METRIC=10
		451	NOZEROCONF=yes
		452	MII_NOT_SUPPORTED=yes
14	richard	453	IPV6INIT=no
		454	IPV6TO4INIT=no
		455	ACCOUNTING=no
		456	USERCTL=no
1	root	457	EOF
440	franck	458	# Mise à l'heure du serveur
		459	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		460	cat <<EOF > /etc/ntp/step-tickers
455	franck	461	0.fr.pool.ntp.org # adapt to your country
		462	1.fr.pool.ntp.org
		463	2.fr.pool.ntp.org
440	franck	464	EOF
		465	# Configuration du serveur de temps (sur lui même)
1	root	466	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		467	cat <<EOF > /etc/ntp.conf
456	franck	468	server 0.fr.pool.ntp.org # adapt to your country
447	franck	469	server 1.fr.pool.ntp.org
		470	server 2.fr.pool.ntp.org
		471	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	472	fudge 127.127.1.0 stratum 10
604	richard	473	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	474	restrict 127.0.0.1
310	richard	475	driftfile /var/lib/ntp/drift
1	root	476	logfile /var/log/ntp.log
		477	EOF
440	franck	478
310	richard	479	chown -R ntp:ntp /var/lib/ntp
1	root	480	# Renseignement des fichiers hosts.allow et hosts.deny
		481	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		482	cat <<EOF > /etc/hosts.allow
		483	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	484	sshd: ALL
1	root	485	ntpd: $PRIVATE_NETWORK_SHORT
		486	EOF
		487	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		488	cat <<EOF > /etc/hosts.deny
		489	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		490	EOF
604	richard	491	# Firewall config
790	richard	492	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		493	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		494	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	495	# create the filter exception file and ip_bloqued file
790	richard	496	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	497	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
		498	echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	499	# load conntrack ftp module
		500	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		501	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
860	richard	502	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	503	} # End of network ()
		504
		505	##################################################################
		506	## Fonction gestion ##
		507	## - installation du centre de gestion ##
		508	## - configuration du serveur web (Apache) ##
		509	## - définition du 1er comptes de gestion ##
		510	## - sécurisation des accès ##
		511	##################################################################
		512	gestion()
		513	{
		514	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		515	mkdir $DIR_WEB
		516	# Copie et configuration des fichiers du centre de gestion
316	richard	517	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	518	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	519	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		520	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		521	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		522	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
498	richard	523	$SED "s?\$hostname =.*?\$hostname = \"$HOSTNAME\";?g" $DIR_WEB/index.php
316	richard	524	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	525	chown -R apache:apache $DIR_WEB/*
840	richard	526	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
1	root	527	do
		528	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		529	done
5	franck	530	chown -R root:apache $DIR_SAVE
71	richard	531	# Configuration et sécurisation php
		532	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	533	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		534	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	535	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		536	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	537	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		538	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		539	# Configuration et sécurisation Apache
790	richard	540	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	541	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
580	richard	542	$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf
303	richard	543	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	544	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		545	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		546	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	547	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		548	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		549	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		550	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		551	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		552	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	553	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1	root	554	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
		555	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
		556	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
		557	[ -e /var/www/error/include/bottom.html.default ] \|\| mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
		558	cat <<EOF > /var/www/error/include/bottom.html
		559	</body>
		560	</html>
		561	EOF
		562	# Définition du premier compte lié au profil 'admin'
509	richard	563	header_install
510	richard	564	if [ "$mode" = "install" ]
		565	then
613	richard	566	admin_portal=!
		567	PTN='^[a-zA-Z0-9-]*$'
		568	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		569	do
		570	header_install
		571	if [ $Lang == "fr" ]
		572	then
		573	echo ""
		574	echo "Définissez un premier compte d'administration du portail :"
		575	echo
		576	echo -n "Nom : "
		577	else
		578	echo ""
		579	echo "Define the first account allow to administrate the portal :"
		580	echo
		581	echo -n "Account : "
		582	fi
		583	read admin_portal
		584	if [ "$admin_portal" == "" ]
		585	then
		586	admin_portal=!
		587	fi
		588	done
1	root	589	# Création du fichier de clés de ce compte dans le profil "admin"
510	richard	590	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		591	mkdir -p $DIR_DEST_ETC/digest
		592	chmod 755 $DIR_DEST_ETC/digest
		593	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		594	do
613	richard	595	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
510	richard	596	done
		597	$DIR_DEST_SBIN/alcasar-profil.sh --list
595	richard	598	else # mise à jour des versions < 2.1
1010	richard	599	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 1 ])
510	richard	600	then
613	richard	601	if [ $Lang == "fr" ]
		602	then
		603	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		604	echo
		605	echo -n "Nom : "
		606	else
		607	echo "This update need to redefine the first admin account"
		608	echo
		609	echo -n "Account : "
		610	fi
		611	read admin_portal
510	richard	612	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		613	mkdir -p $DIR_DEST_ETC/digest
		614	chmod 755 $DIR_DEST_ETC/digest
		615	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		616	do
613	richard	617	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
510	richard	618	done
		619	$DIR_DEST_SBIN/alcasar-profil.sh --list
		620	fi
		621	fi
434	richard	622	# synchronisation horaire
		623	ntpd -q -g &
1	root	624	# Sécurisation du centre
988	franck	625	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	626	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	627	<Directory $DIR_ACC>
1	root	628	SSLRequireSSL
		629	AllowOverride None
		630	Order deny,allow
		631	Deny from all
		632	Allow from 127.0.0.1
		633	Allow from $PRIVATE_NETWORK_MASK
990	franck	634	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	635	require valid-user
		636	AuthType digest
		637	AuthName $HOSTNAME
		638	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	639	AuthUserFile $DIR_DEST_ETC/digest/key_all
580	richard	640	ErrorDocument 404 https://$HOSTNAME/
1	root	641	</Directory>
316	richard	642	<Directory $DIR_ACC/admin>
1	root	643	SSLRequireSSL
		644	AllowOverride None
		645	Order deny,allow
		646	Deny from all
		647	Allow from 127.0.0.1
		648	Allow from $PRIVATE_NETWORK_MASK
990	franck	649	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	650	require valid-user
		651	AuthType digest
		652	AuthName $HOSTNAME
		653	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	654	AuthUserFile $DIR_DEST_ETC/digest/key_admin
580	richard	655	ErrorDocument 404 https://$HOSTNAME/
1	root	656	</Directory>
344	richard	657	<Directory $DIR_ACC/manager>
1	root	658	SSLRequireSSL
		659	AllowOverride None
		660	Order deny,allow
		661	Deny from all
		662	Allow from 127.0.0.1
		663	Allow from $PRIVATE_NETWORK_MASK
990	franck	664	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	665	require valid-user
		666	AuthType digest
		667	AuthName $HOSTNAME
		668	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	669	AuthUserFile $DIR_DEST_ETC/digest/key_manager
580	richard	670	ErrorDocument 404 https://$HOSTNAME/
1	root	671	</Directory>
316	richard	672	<Directory $DIR_ACC/backup>
		673	SSLRequireSSL
		674	AllowOverride None
		675	Order deny,allow
		676	Deny from all
		677	Allow from 127.0.0.1
		678	Allow from $PRIVATE_NETWORK_MASK
990	franck	679	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	680	require valid-user
		681	AuthType digest
		682	AuthName $HOSTNAME
		683	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	684	AuthUserFile $DIR_DEST_ETC/digest/key_backup
580	richard	685	ErrorDocument 404 https://$HOSTNAME/
316	richard	686	</Directory>
811	richard	687	Alias /save/ "$DIR_SAVE/"
		688	<Directory $DIR_SAVE>
		689	SSLRequireSSL
		690	Options Indexes
		691	Order deny,allow
		692	Deny from all
		693	Allow from 127.0.0.1
		694	Allow from $PRIVATE_NETWORK_MASK
990	franck	695	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	696	require valid-user
		697	AuthType digest
		698	AuthName $HOSTNAME
		699	AuthUserFile $DIR_DEST_ETC/digest/key_backup
		700	ErrorDocument 404 https://$HOSTNAME/
		701	</Directory>
1	root	702	EOF
		703	} # End of gestion ()
		704
		705	##########################################################################################
		706	## Fonction AC() ##
		707	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		708	##########################################################################################
		709	AC ()
		710	{
		711	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	712	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	713	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	714	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		715	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		716	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	717	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	718	chown -R root:apache /etc/pki
1	root	719	chmod -R 750 /etc/pki
		720	} # End AC ()
		721
		722	##########################################################################################
		723	## Fonction init_db() ##
		724	## - Initialisation de la base Mysql ##
		725	## - Affectation du mot de passe de l'administrateur (root) ##
		726	## - Suppression des bases et des utilisateurs superflus ##
		727	## - Création de la base 'radius' ##
		728	## - Installation du schéma de cette base ##
		729	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		730	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		731	##########################################################################################
		732	init_db ()
		733	{
		734	mkdir -p /var/lib/mysql/.tmp
1008	richard	735	chown -R mysql:mysql /var/lib/mysql/
227	franck	736	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf # prend en compte les migrations de MySQL
1	root	737	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		738	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
		739	/etc/init.d/mysqld start
		740	sleep 4
		741	mysqladmin -u root password $mysqlpwd
		742	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
615	richard	743	# Delete exemple databases if exist
1	root	744	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;"
615	richard	745	# Create 'radius' database
1	root	746	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
615	richard	747	# Add an empty radius database structure
364	franck	748	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	749	# modify the start script in order to close accounting connexion when the system is comming down or up
		750	[ -e /etc/init.d/mysqld.default ] \|\| cp /etc/init.d/mysqld /etc/init.d/mysqld.default
		751	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
		752	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
1	root	753	} # End init_db ()
		754
		755	##########################################################################
		756	## Fonction param_radius ##
		757	## - Paramètrage des fichiers de configuration FreeRadius ##
		758	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		759	## - Modification de fichier de conf pour l'accès à Mysql ##
		760	##########################################################################
		761	param_radius ()
		762	{
		763	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		764	chown -R radius:radius /etc/raddb
		765	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
		766	# paramètrage radius.conf
		767	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		768	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		769	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
		770	# suppression de la fonction proxy
		771	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		772	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
654	richard	773	# suppression du module EAP
		774	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1	root	775	# écoute sur loopback uniquement (à modifier plus tard pour l'EAP)
		776	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
		777	# prise en compte du module SQL et des compteurs SQL
		778	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		779	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		780	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
		781	# purge du répertoire des serveurs virtuels et copie du fichier de configuration d'Alcasar
		782	rm -f /etc/raddb/sites-enabled/*
		783	cp $DIR_CONF/alcasar-radius /etc/raddb/sites-available/alcasar
		784	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		785	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		786	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		787	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	788	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	789	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
		790	# configuration du fichier client.conf (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
		791	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		792	cat << EOF > /etc/raddb/clients.conf
		793	client 127.0.0.1 {
		794	secret = $secretradius
		795	shortname = localhost
		796	}
		797	EOF
		798	# modif sql.conf
		799	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		800	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		801	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		802	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		803	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
		804	# modif dialup.conf
		805	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
		806	cp -f $DIR_CONF/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		807	} # End param_radius ()
		808
		809	##########################################################################
		810	## Fonction param_web_radius ##
		811	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		812	## - Création du lien vers la page de changement de mot de passe ##
		813	##########################################################################
		814	param_web_radius ()
		815	{
		816	# copie de l'interface d'origine dans la structure Alcasar
316	richard	817	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		818	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		819	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	820	# copie des fichiers modifiés
		821	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	822	chown -R apache:apache $DIR_ACC/manager/
344	richard	823	# Modification des fichiers de configuration
1	root	824	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	825	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	826	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		827	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		828	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		829	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		830	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		831	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		832	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	833	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	834	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
		835	cp -f $DIR_CONF/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	836	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	837	nas1_name: alcasar-$ORGANISME
1	root	838	nas1_model: Portail captif
		839	nas1_ip: $PRIVATE_IP
		840	nas1_port_num: 0
		841	nas1_community: public
		842	EOF
		843	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		844	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
		845	cp -f $DIR_CONF/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	846	# Ajout du mappage des attributs chillispot
		847	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
		848	cp -f $DIR_CONF/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	849	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
		850	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/user_edit.attrs.default
		851	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		852	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	853	chown -R apache:apache /etc/freeradius-web
1	root	854	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		855	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	856	<Directory $DIR_WEB/pass>
1	root	857	SSLRequireSSL
		858	AllowOverride None
		859	Order deny,allow
		860	Deny from all
		861	Allow from 127.0.0.1
		862	Allow from $PRIVATE_NETWORK_MASK
580	richard	863	ErrorDocument 404 https://$HOSTNAME
1	root	864	</Directory>
		865	EOF
		866	} # End of param_web_radius ()
		867
799	richard	868	##################################################################################
		869	## Fonction param_chilli ##
		870	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		871	## - Paramètrage de la page d'authentification (intercept.php) ##
		872	##################################################################################
1	root	873	param_chilli ()
		874	{
799	richard	875	# init file creation
461	richard	876	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	877	cat <<EOF > /etc/init.d/chilli
		878	#!/bin/sh
		879	#
		880	# chilli CoovaChilli init
		881	#
		882	# chkconfig: 2345 65 35
		883	# description: CoovaChilli
		884	### BEGIN INIT INFO
		885	# Provides: chilli
		886	# Required-Start: network
		887	# Should-Start:
		888	# Required-Stop: network
		889	# Should-Stop:
		890	# Default-Start: 2 3 5
		891	# Default-Stop:
		892	# Description: CoovaChilli access controller
		893	### END INIT INFO
		894
		895	[ -f /usr/sbin/chilli ] \|\| exit 0
		896	. /etc/init.d/functions
		897	CONFIG=/etc/chilli.conf
		898	pidfile=/var/run/chilli.pid
		899	[ -f \$CONFIG ] \|\| {
		900	echo "\$CONFIG Not found"
		901	exit 0
		902	}
		903	RETVAL=0
		904	prog="chilli"
		905	case \$1 in
		906	start)
		907	if [ -f \$pidfile ] ; then
		908	gprintf "chilli is already running"
		909	else
		910	gprintf "Starting \$prog: "
		911	rm -f /var/run/chilli* # cleaning
		912	/sbin/modprobe tun >/dev/null 2>&1
		913	echo 1 > /proc/sys/net/ipv4/ip_forward
		914	[ -e /dev/net/tun ] \|\| {
		915	(cd /dev;
		916	mkdir net;
		917	cd net;
		918	mknod tun c 10 200)
		919	}
		920	ifconfig eth1 0.0.0.0
		921	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		922	RETVAL=$?
		923	fi
		924	;;
		925
		926	reload)
		927	killall -HUP chilli
		928	;;
		929
		930	restart)
		931	\$0 stop
		932	sleep 2
		933	\$0 start
		934	;;
		935
		936	status)
		937	status chilli
		938	RETVAL=0
		939	;;
		940
		941	stop)
		942	if [ -f \$pidfile ] ; then
		943	gprintf "Shutting down \$prog: "
		944	killproc /usr/sbin/chilli
		945	RETVAL=\$?
		946	[ \$RETVAL = 0 ] && rm -f $pidfile
		947	else
		948	gprintf "chilli is not running"
		949	fi
		950	;;
		951
		952	*)
		953	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		954	exit 1
		955	esac
		956	echo
		957	EOF
		958
		959	# conf file creation
346	richard	960	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		961	cat <<EOF > /etc/chilli.conf
		962	# coova config for ALCASAR
		963	cmdsocket /var/run/chilli.sock
		964	unixipc chilli.eth1.ipc
		965	pidfile /var/run/chilli.eth1.pid
		966	net $PRIVATE_NETWORK_MASK
595	richard	967	dhcpif $INTIF
841	richard	968	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	969	#nodynip
865	richard	970	#statip
		971	dynip $PRIVATE_NETWORK_MASK
346	richard	972	domain localdomain
355	richard	973	dns1 $PRIVATE_IP
		974	dns2 $PRIVATE_IP
346	richard	975	uamlisten $PRIVATE_IP
503	richard	976	uamport 3990
837	richard	977	macauth
		978	macpasswd password
346	richard	979	locationname $HOSTNAME
		980	radiusserver1 127.0.0.1
		981	radiusserver2 127.0.0.1
		982	radiussecret $secretradius
		983	radiusauthport 1812
		984	radiusacctport 1813
467	richard	985	uamserver https://$HOSTNAME/intercept.php
346	richard	986	radiusnasid $HOSTNAME
		987	uamsecret $secretuam
793	richard	988	uamallowed alcasar
346	richard	989	coaport 3799
503	richard	990	include $DIR_DEST_ETC/alcasar-uamallowed
		991	include $DIR_DEST_ETC/alcasar-uamdomain
917	franck	992	#dhcpgateway
		993	#dhcprelayagent
		994	#dhcpgatewayport
346	richard	995	EOF
977	richard	996	# create file for DHCP static ip. Reserve the second IP address for eth1 (the first one is for tun0)
		997	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	998	# create files for trusted domains and urls
		999	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1000	chown root:apache $DIR_DEST_ETC/alcasar-*
		1001	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1002	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1003	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1004	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1005	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1006	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1007	if [ "$chilli_exist" == "1" ]
		1008	then
		1009	userdel -r chilli 2>/dev/null
		1010	fi
		1011	groupadd -f chilli
		1012	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	1013	} # End of param_chilli ()
		1014
		1015	##########################################################
		1016	## Fonction param_squid ##
		1017	## - Paramètrage du proxy 'squid' en mode 'cache' ##
		1018	## - Initialisation de la base de données ##
		1019	##########################################################
		1020	param_squid ()
		1021	{
		1022	# paramètrage de Squid (connecté en série derrière Dansguardian)
		1023	[ -e /etc/squid/squid.conf.default ] \|\| cp /etc/squid/squid.conf /etc/squid/squid.conf.default
		1024	# suppression des références 'localnet', 'icp', 'htcp' et 'always_direct'
		1025	$SED "/^acl localnet/d" /etc/squid/squid.conf
		1026	$SED "/^icp_access allow localnet/d" /etc/squid/squid.conf
		1027	$SED "/^icp_port 3130/d" /etc/squid/squid.conf
		1028	$SED "/^http_access allow localnet/d" /etc/squid/squid.conf
		1029	$SED "/^htcp_access allow localnet/d" /etc/squid/squid.conf
		1030	$SED "/^always_direct allow localnet/d" /etc/squid/squid.conf
		1031	# mode 'proxy transparent local'
595	richard	1032	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
726	franck	1033	# Configuration du cache local
749	franck	1034	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
405	franck	1035	# emplacement et formatage standard des logs
419	franck	1036	echo '#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh' >> /etc/squid/squid.conf
749	franck	1037	echo '#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh' >> /etc/squid/squid.conf
405	franck	1038	echo "access_log /var/log/squid/access.log" >> /etc/squid/squid.conf
1	root	1039	# compatibilité des logs avec awstats
315	richard	1040	echo "emulate_httpd_log on" >> /etc/squid/squid.conf
749	franck	1041	echo "half_closed_clients off" >> /etc/squid/squid.conf
		1042	echo "server_persistent_connections off" >> /etc/squid/squid.conf
		1043	echo "client_persistent_connections on" >> /etc/squid/squid.conf
		1044	echo "client_lifetime 1440 minutes" >> /etc/squid/squid.conf
		1045	echo "request_timeout 5 minutes" >> /etc/squid/squid.conf
		1046	echo "persistent_request_timeout 2 minutes" >> /etc/squid/squid.conf
726	franck	1047	echo "cache_mem 256 MB" >> /etc/squid/squid.conf
749	franck	1048	echo "maximum_object_size_in_memory 4096 KB" >> /etc/squid/squid.conf
		1049	echo "maximum_object_size 4096 KB" >> /etc/squid/squid.conf
835	richard	1050	# anonymisation of squid version
813	richard	1051	echo "via off" >> /etc/squid/squid.conf
835	richard	1052	# remove the 'X_forwarded' http option
812	richard	1053	echo "forwarded_for delete" >> /etc/squid/squid.conf
835	richard	1054	# linked squid output in HAVP input
		1055	echo "cache_peer 127.0.0.1 parent 8090 0 no-query default" >> /etc/squid/squid.conf
		1056	echo "never_direct allow all" >> /etc/squid/squid.conf
		1057	# avoid error messages on network interfaces state changes
313	richard	1058	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
894	richard	1059	# reduce squid shutdown time (100 to 50)
		1060	$SED "s?^SQUID_SHUTDOWN_TIMEOUT.*?SQUID_SHUTDOWN_TIMEOUT=50?g" /etc/sysconfig/squid
		1061
835	richard	1062	# Squid cache init
1	root	1063	/usr/sbin/squid -z
		1064	} # End of param_squid ()
		1065
		1066	##################################################################
		1067	## Fonction param_dansguardian ##
		1068	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1069	##################################################################
		1070	param_dansguardian ()
		1071	{
		1072	mkdir /var/dansguardian
		1073	chown dansguardian /var/dansguardian
497	richard	1074	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
307	richard	1075	# Le filtrage est désactivé par défaut
497	richard	1076	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1	root	1077	# la page d'interception est en français
497	richard	1078	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1	root	1079	# on limite l'écoute de Dansguardian côté LAN
497	richard	1080	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
835	richard	1081	# on chaîne Dansguardian au proxy cache SQUID
		1082	$SED "s?^proxyport.*?proxyport = 3128?g" $DIR_DG/dansguardian.conf
1	root	1083	# on remplace la page d'interception (template)
		1084	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1085	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
		1086	# on ne loggue que les deny (pour le reste, on a squid)
497	richard	1087	$SED "s?^loglevel =.*?loglevel = 1?g" $DIR_DG/dansguardian.conf
659	richard	1088	# lauch of 10 daemons (20 in largest server)
		1089	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1090	# on désactive par défaut le controle de contenu des pages html
497	richard	1091	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1092	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1093	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1094	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1095	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1096	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1097	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1098	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1099	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1100	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1101	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1102	touch $DIR_DG/lists/bannedextensionlist
		1103	touch $DIR_DG/lists/bannedmimetypelist
		1104	# 'Safesearch' regex actualisation
498	richard	1105	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1106	# empty LAN IP list that won't be WEB filtered
		1107	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1108	touch $DIR_DG/lists/exceptioniplist
		1109	# Keep a copy of URL & domain filter configuration files
		1110	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1111	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1112	} # End of param_dansguardian ()
		1113
71	richard	1114	##################################################################
		1115	## Fonction antivirus ##
479	richard	1116	## - configuration havp + libclamav ##
71	richard	1117	##################################################################
		1118	antivirus ()
		1119	{
288	richard	1120	# création de l'usager 'havp'
		1121	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1122	if [ "$havp_exist" == "1" ]
288	richard	1123	then
478	richard	1124	userdel -r havp 2>/dev/null
894	richard	1125	groupdel havp 2>/dev/null
288	richard	1126	fi
307	richard	1127	groupadd -f havp
796	richard	1128	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1129	mkdir -p /var/tmp/havp /var/log/havp
		1130	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1131	# configuration d'HAVP
		1132	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1133	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1134	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1135	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1136	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1137	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1138	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1139	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1140	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1141	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1142	# skip checking of youtube flow (too heavy load / risk too low)
		1143	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1144	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1145	echo ".youtube.com/" >> /etc/havp/whitelist
481	franck	1146	# remplacement du fichier d'initialisation
335	richard	1147	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
1005	richard	1148	# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
481	franck	1149	cp -f $DIR_CONF/havp-init /etc/init.d/havp
340	richard	1150	# on remplace la page d'interception (template)
		1151	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1152	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
489	richard	1153	# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
		1154	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
		1155	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
734	richard	1156	# Virus database update
		1157	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1158	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
		1159	/usr/bin/freshclam
71	richard	1160	}
		1161
1	root	1162	##################################################################################
476	richard	1163	## param_ulogd function ##
		1164	## - Ulog config for multi-log files ##
		1165	##################################################################################
		1166	param_ulogd ()
		1167	{
		1168	# Three instances of ulogd (three different logfiles)
		1169	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1170	nl=1
		1171	for log_type in tracability ssh ext-access
		1172	do
		1173	[ -e /var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
		1174	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1175	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1176	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1177	cat << EOF >> /etc/ulogd-$log_type.conf
		1178	[LOGEMU]
		1179	file="/var/log/firewall/$log_type.log"
		1180	sync=1
		1181	EOF
		1182	nl=`expr $nl + 1`
		1183	done
476	richard	1184	chown -R root:apache /var/log/firewall
		1185	chmod 750 /var/log/firewall
		1186	chmod 640 /var/log/firewall/*
		1187	[ -e /etc/init.d/ulogd.default ] \|\| cp /etc/init.d/ulogd /etc/init.d/ulogd.default
		1188	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
		1189	} # End of param_ulogd ()
		1190
		1191	##################################################################################
1	root	1192	## Fonction param_awstats ##
		1193	## - configuration de l'interface des logs de consultation WEB (AWSTAT) ##
		1194	##################################################################################
		1195	param_awstats()
		1196	{
316	richard	1197	cp -rf /usr/share/awstats/www/ $DIR_ACC/awstats/
		1198	chown -R apache:apache $DIR_ACC/awstats
1	root	1199	cp /etc/awstats/awstats.conf /etc/awstats/awstats.conf.default
		1200	$SED "s?^LogFile=.*?LogFile=\"/var/log/squid/access.log\"?g" /etc/awstats/awstats.conf
		1201	$SED "s?^LogFormat=.*?LogFormat=4?g" /etc/awstats/awstats.conf
		1202	$SED "s?^SiteDomain=.*?SiteDomain=\"$HOSTNAME\"?g" /etc/awstats/awstats.conf
		1203	$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf
		1204	$SED "s?^DNSLookup=.*?DNSLookup=0?g" /etc/awstats/awstats.conf
344	richard	1205	$SED "s?^DirData=.*?DirData=\"/var/lib/awstats\"?g" /etc/awstats/awstats.conf
		1206	$SED "s?^DirIcons=.*?DirIcons=\"/acc/awstats/icon\"?g" /etc/awstats/awstats.conf
1	root	1207	$SED "s?^StyleSheet=.*?StyleSheet=\"/css/style.css\"?g" /etc/awstats/awstats.conf
		1208	$SED "s?^BuildReportFormat=.*?BuildReportFormat=xhtml?g" /etc/awstats/awstats.conf
59	richard	1209	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
580	richard	1210	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
		1211	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
		1212	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
		1213	$SED "s?^ShowMonthStats=.*?ShowMonthStats=VPHB?g" /etc/awstats/awstats.conf
		1214	$SED "s?^ShowDaysOfMonthStats=.*?ShowDaysOfMonthStats=PHB?g" /etc/awstats/awstats.conf
		1215	$SED "s?^ShowDaysOfWeekStats=.*?ShowDaysOfWeekStats=PHB?g" /etc/awstats/awstats.conf
		1216	$SED "s?^ShowHoursStats=.*?ShowHoursStats=PHB?g" /etc/awstats/awstats.conf
		1217	$SED "s?^ShowDomainsStats=.*?ShowDomainsStats=0?g" /etc/awstats/awstats.conf
		1218	$SED "s?^ShowHostsStats=.*?ShowHostsStats=0?g" /etc/awstats/awstats.conf
		1219	$SED "s?^ShowAuthenticatedUsers=.*?ShowAuthenticatedUsers=0?g" /etc/awstats/awstats.conf
		1220	$SED "s?^ShowRobotsStats=.*?ShowRobotsStats=0?g" /etc/awstats/awstats.conf
		1221	$SED "s?^ShowFileTypesStats=.*?ShowFileTypesStats=0?g" /etc/awstats/awstats.conf
		1222	$SED "s?^ShowFileSizesStats=.*?ShowFileSizesStats=0?g" /etc/awstats/awstats.conf
		1223	$SED "s?^ShowOSStats=.*?ShowOSStats=0?g" /etc/awstats/awstats.conf
		1224	$SED "s?^ShowScreenSizeStats=.*?ShowScreenSizeStats=0?g" /etc/awstats/awstats.conf
		1225
1	root	1226	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	1227	<Directory $DIR_ACC/awstats>
1	root	1228	SSLRequireSSL
		1229	Options ExecCGI
		1230	AddHandler cgi-script .pl
		1231	DirectoryIndex awstats.pl
		1232	Order deny,allow
		1233	Deny from all
		1234	Allow from 127.0.0.1
		1235	Allow from $PRIVATE_NETWORK_MASK
990	franck	1236	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	1237	require valid-user
		1238	AuthType digest
		1239	AuthName $HOSTNAME
		1240	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	1241	AuthUserFile $DIR_DEST_ETC/digest/key_admin
580	richard	1242	ErrorDocument 404 https://$HOSTNAME/
1	root	1243	</Directory>
		1244	SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
		1245	EOF
		1246	} # End of param_awstats ()
		1247
		1248	##########################################################
235	richard	1249	## Fonction param_dnsmasq ##
1	root	1250	##########################################################
219	jeremy	1251	param_dnsmasq ()
		1252	{
		1253	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
259	richard	1254	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
503	richard	1255	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1256	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1257	cat << EOF > /etc/dnsmasq.conf
520	richard	1258	# Configuration file for "dnsmasq in forward mode"
503	richard	1259	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1260	listen-address=$PRIVATE_IP
		1261	listen-address=127.0.0.1
286	richard	1262	no-dhcp-interface=$INTIF
259	richard	1263	bind-interfaces
		1264	cache-size=256
		1265	domain=$DOMAIN
		1266	domain-needed
		1267	expand-hosts
		1268	bogus-priv
		1269	filterwin2k
		1270	server=$DNS1
		1271	server=$DNS2
498	richard	1272	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1273	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1274	dhcp-option=option:router,$PRIVATE_IP
259	richard	1275	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1276
291	franck	1277	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1278	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1279	EOF
520	richard	1280	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
		1281	cat << EOF > /etc/dnsmasq-blackhole.conf
		1282	# Configuration file for "dnsmasq with blackhole"
		1283	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1284	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1285	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1286	listen-address=$PRIVATE_IP
		1287	port=54
		1288	no-dhcp-interface=$INTIF
		1289	bind-interfaces
		1290	cache-size=256
		1291	domain=$DOMAIN
		1292	domain-needed
		1293	expand-hosts
		1294	bogus-priv
		1295	filterwin2k
		1296	server=$DNS1
		1297	server=$DNS2
		1298	EOF
718	franck	1299
800	richard	1300	# Init file modification
503	richard	1301	[ -e /etc/init.d/dnsmasq.default ] \|\| cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
800	richard	1302	# Start and stop a 2nd process for the "DNS blackhole"
520	richard	1303	$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq
503	richard	1304	$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq
800	richard	1305	# Start after chilli (65) which create tun0
		1306	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
933	franck	1307	# Optionnellement on pré-active les logs DNS des clients
786	richard	1308	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
933	franck	1309	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
		1310	# Optionnellement, exemple de configuration avec un A.D.
975	franck	1311	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.2"' >> /etc/sysconfig/dnsmasq
308	richard	1312	} # End dnsmasq
		1313
		1314	##########################################################
		1315	## Fonction BL (BlackList) ##
		1316	##########################################################
		1317	BL ()
		1318	{
		1319	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1320	rm -rf $DIR_DG/lists/blacklists
		1321	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1322	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1323	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1324	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1325	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
309	richard	1326	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1327	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1328	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1329	touch $DIR_DG/lists/exceptionsitelist
		1330	touch $DIR_DG/lists/exceptionurllist
311	richard	1331	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1332	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1333	# Dansguardian filter config for ALCASAR
		1334	EOF
648	richard	1335	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1336	# Dansguardian domain filter config for ALCASAR
		1337	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1338	#**
		1339	# block all SSL and CONNECT tunnels
		1340	**s
		1341	# block all SSL and CONNECT tunnels specified only as an IP
		1342	*ips
		1343	# block all sites specified only by an IP
		1344	*ip
		1345	EOF
1000	richard	1346	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1347	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1348	# Bing - add 'adlt=strict'
		1349	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1350	# Youtube - add 'edufilter=your_ID'
885	richard	1351	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1352	EOF
1000	richard	1353	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1354	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1355	chown -R dansguardian:apache $DIR_DG
		1356	chmod -R g+rw $DIR_DG
786	richard	1357	# On adapte la BL de Toulouse à notre structure
654	richard	1358	if [ "$mode" != "update" ]; then
		1359	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1360	fi
308	richard	1361	}
219	jeremy	1362
1	root	1363	##########################################################
		1364	## Fonction cron ##
		1365	## - Mise en place des différents fichiers de cron ##
		1366	##########################################################
		1367	cron ()
		1368	{
		1369	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1370	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1371	cat <<EOF > /etc/crontab
		1372	SHELL=/bin/bash
		1373	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1374	MAILTO=root
		1375	HOME=/
		1376
		1377	# run-parts
		1378	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1379	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1380	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1381	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1382	EOF
		1383	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1384	cat <<EOF >> /etc/anacrontab
667	franck	1385	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1386	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1387	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1388	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1389	EOF
667	franck	1390	cat <<EOF > /etc/cron.d/alcasar-clean_log
713	franck	1391	# suppression des fichiers de logs de plus d'un an (tous les lundi à 4h30)
865	richard	1392	30 4 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --clean
1	root	1393	EOF
811	richard	1394	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1395	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1396	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1397	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1398	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1399	EOF
667	franck	1400	cat <<EOF > /etc/cron.d/alcasar-export_log
713	franck	1401	# export des log squid, firewall et apache (tous les lundi à 5h00)
865	richard	1402	00 5 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --export
1	root	1403	EOF
952	franck	1404	cat <<EOF > /etc/cron.d/alcasar-archive
		1405	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1406	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1407	EOF
1	root	1408	cat << EOF > /etc/cron.d/awstats
713	franck	1409	# mise à jour des stats de consultation WEB toutes les 30'
419	franck	1410	/30 * * * root $DIR_ACC/awstats/awstats.pl -config=localhost -update >/dev/null 2>&1
1	root	1411	EOF
667	franck	1412	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1413	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1414	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1415	EOF
722	franck	1416	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1417	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1418	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1419	EOF
1	root	1420	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1421	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1422	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1423	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1424	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1425	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1426	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1427	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1428	rm -f /etc/cron.daily/freeradius-web
		1429	rm -f /etc/cron.monthly/freeradius-web
		1430	cat << EOF > /etc/cron.d/freeradius-web
		1431	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1432	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1433	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1434	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1435	EOF
671	franck	1436	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1437	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1438	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1439	EOF
808	franck	1440	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1441	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1442	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1443	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1444	EOF
522	richard	1445	# suppression des crons usagers
		1446	rm -f /var/spool/cron/*
1	root	1447	} # End cron
		1448
		1449	##################################################################
		1450	## Fonction post_install ##
		1451	## - Modification des bannières (locales et ssh) et des prompts ##
		1452	## - Installation de la structure de chiffrement pour root ##
		1453	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1454	## - Mise en place du la rotation des logs ##
5	franck	1455	## - Configuration dans le cas d'une mise à jour ##
1	root	1456	##################################################################
		1457	post_install()
		1458	{
		1459	# adaptation du script "chien de garde" (watchdog)
376	franck	1460	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1461	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1462	# création de la bannière locale
1007	richard	1463	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1464	cp -f $DIR_CONF/banner /etc/mageia-release
		1465	echo " V$VERSION" >> /etc/mageia-release
1	root	1466	# création de la bannière SSH
1007	richard	1467	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1468	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1469	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1470	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1471	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1472	# postfix banner anonymisation
		1473	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1474	# sshd écoute côté LAN et WAN
1	root	1475	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1476	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1477	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1478	echo "SSH=off" >> $CONF_FILE
1062	richard	1479	echo 'SSH_ADMIN_from=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1480	echo "QOS=off" >> $CONF_FILE
		1481	echo "LDAP=off" >> $CONF_FILE
786	richard	1482	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1483	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
628	richard	1484	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
		1485	echo "DNS_FILTERING=off" >> $CONF_FILE
885	richard	1486	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1	root	1487	# Coloration des prompts
		1488	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1489	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1490	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1491	# Droits d'exécution pour utilisateur apache et sysadmin
		1492	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1493	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1494	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
132	franck	1495	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, squid, radiusd, ulogd)
1	root	1496	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1497	chmod 644 /etc/logrotate.d/*
714	franck	1498	# rectification sur versions précédentes de la compression des logs
706	franck	1499	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1500	# actualisation des fichiers logs compressés
714	franck	1501	for dir in firewall squid dansguardian httpd
706	franck	1502	do
714	franck	1503	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1504	done
		1505	# export des logs en 'retard' dans /var/Save/logs
865	richard	1506	/usr/local/bin/alcasar-log.sh --export
1	root	1507	# processus lancés par défaut au démarrage
796	richard	1508	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
1	root	1509	do
		1510	/sbin/chkconfig --add $i
		1511	done
1005	richard	1512
		1513	# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse)
		1514	# cat << EOF > /etc/rc.local
953	franck	1515	#!/bin/sh
		1516	#
		1517	### BEGIN INIT INFO
		1518	# Provides: rc.local
		1519	# X-Mandriva-Compat-Mode
		1520	# Default-Start: 2 3 4 5
		1521	# Short-Description: Local initialization script
		1522	# Description: This script will be executed after all the other init scripts.
		1523	# You can put your own initialization stuff in here if you don't
		1524	# want to do the full Sys V style init stuff.
		1525	### END INIT INFO
1005	richard	1526	#
		1527	#/etc/init.d/mysqld restart
		1528	#sleep 1
		1529	#/etc/init.d/radiusd restart
		1530	#
		1531	#touch /var/lock/subsys/local
		1532	#EOF
953	franck	1533
1005	richard	1534	# On applique les préconisations ANSSI
		1535	# Apply French Security Agency rules
568	richard	1536	# ignorer les broadcast ICMP. (attaque smurf)
		1537	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
		1538	# ignorer les erreurs ICMP bogus
		1539	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
595	richard	1540	# désactiver l'envoi et la réponse aux ICMP redirects
679	richard	1541	sysctl -w net.ipv4.conf.all.accept_redirects=0
568	richard	1542	accept_redirect=`grep accept_redirect /etc/sysctl.conf\|wc -l`
		1543	if [ "$accept_redirect" == "0" ]
		1544	then
679	richard	1545	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
		1546	else
		1547	$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
568	richard	1548	fi
679	richard	1549	sysctl -w net.ipv4.conf.all.send_redirects=0
568	richard	1550	send_redirect=`grep send_redirect /etc/sysctl.conf\|wc -l`
		1551	if [ "$send_redirect" == "0" ]
		1552	then
679	richard	1553	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
		1554	else
		1555	$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
568	richard	1556	fi
		1557	# activer les SYN Cookies (attaque syn flood)
679	richard	1558	sysctl -w net.ipv4.tcp_syncookies=1
568	richard	1559	tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf\|wc -l`
		1560	if [ "$tcp_syncookies" == "0" ]
		1561	then
679	richard	1562	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
		1563	else
		1564	$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
568	richard	1565	fi
595	richard	1566	# activer l'antispoofing niveau Noyau
568	richard	1567	sysctl -w net.ipv4.conf.all.rp_filter=1
		1568	# ignorer le source routing
679	richard	1569	sysctl -w net.ipv4.conf.all.accept_source_route=0
568	richard	1570	accept_source_route=`grep accept_source_route /etc/sysctl.conf\|wc -l`
		1571	if [ "$accept_source_route" == "0" ]
		1572	then
679	richard	1573	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
		1574	else
		1575	$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
568	richard	1576	fi
679	richard	1577	# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
		1578	sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
		1579	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`
		1580	if [ "$timeout_established" == "0" ]
		1581	then
		1582	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
		1583	else
793	richard	1584	$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
679	richard	1585	fi
		1586	# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée)
568	richard	1587	sysctl -w net.ipv4.conf.all.log_martians=0
306	richard	1588	# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1005	richard	1589	# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
59	richard	1590	# modification /etc/inittab
		1591	[ -e /etc/inittab.default ] \|\| cp /etc/inittab /etc/inittab.default
1003	richard	1592	# We keep only 3 TTYs
59	richard	1593	$SED "s?^4.*?#&?g" /etc/inittab
		1594	$SED "s?^5.*?#&?g" /etc/inittab
		1595	$SED "s?^6.*?#&?g" /etc/inittab
1003	richard	1596	# switch to multi-users runlevel (instead of x11)
		1597	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
		1598	$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
1005	richard	1599	# GRUB modifications
		1600	# limit wait time to 3s
		1601	# create an alcasar entry instead of linux-nonfb
		1602	# change display to 1024*768 (vga791)
470	richard	1603	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1005	richard	1604	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1605	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1606	$SED "/^kernel/s/vga=.*/vga=791/" /boot/grub/menu.lst
1060	richard	1607	$SED "/^kernel/s/BOOT_IMAGE=linux/BOOT_IMAGE=linux-nonfb/" /boot/grub/menu.lst
1007	richard	1608	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1005	richard	1609
1003	richard	1610	# Remove unused services and users
1007	richard	1611	for old_svc in alsa sound dm
532	richard	1612	do
1007	richard	1613	/sbin/chkconfig --del $old_svc
532	richard	1614	done
1008	richard	1615	for svc in snmpd.service sshd.service
1007	richard	1616	do
1008	richard	1617	/bin/systemctl disable $svc
1007	richard	1618	done
532	richard	1619	for rm_users in avahi-autoipd avahi icapd
		1620	do
		1621	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1622	if [ "$user" == "$rm_users" ]
		1623	then
		1624	/usr/sbin/userdel -f $rm_users
		1625	fi
		1626	done
1060	richard	1627	# Load and apply the previous conf file
5	franck	1628	if [ "$mode" = "update" ]
		1629	then
389	franck	1630	$DIR_DEST_BIN/alcasar-conf.sh --load
1060	richard	1631	PARENT_SCRIPT=`basename $0`
		1632	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1633	$DIR_DEST_BIN/alcasar-conf.sh --apply
628	richard	1634	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1635	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
5	franck	1636	fi
595	richard	1637	rm -f /tmp/alcasar-conf*
434	richard	1638	chown -R root:apache $DIR_DEST_ETC/*
512	richard	1639	chmod -R 660 $DIR_DEST_ETC/*
1041	richard	1640	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1641	# Apply and save the firewall rules
		1642	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1643	sleep 2
1	root	1644	cd $DIR_INSTALL
5	franck	1645	echo ""
1	root	1646	echo "#############################################################################"
638	richard	1647	if [ $Lang == "fr" ]
		1648	then
		1649	echo "# Fin d'installation d'ALCASAR #"
		1650	echo "# #"
		1651	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1652	echo "# des Accès au Réseau ( ALCASAR ) #"
		1653	echo "# #"
		1654	echo "#############################################################################"
		1655	echo
		1656	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1657	echo
		1658	echo "- Lisez attentivement la documentation d'exploitation"
		1659	echo
		1660	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1661	echo
		1662	echo " Appuyez sur 'Entrée' pour continuer"
		1663	else
		1664	echo "# Enf of ALCASAR install process #"
		1665	echo "# #"
		1666	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1667	echo "# des Accès au Réseau ( ALCASAR ) #"
		1668	echo "# #"
		1669	echo "#############################################################################"
		1670	echo
		1671	echo "- The system will be rebooted in order to operate ALCASAR"
		1672	echo
		1673	echo "- Read the exploitation documentation"
		1674	echo
		1675	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1676	echo
		1677	echo " Hit 'Enter' to continue"
		1678	fi
815	richard	1679	sleep 2
		1680	if [ "$mode" != "update" ]
820	richard	1681	then
815	richard	1682	read a
		1683	fi
774	richard	1684	clear
1045	franck	1685
1	root	1686	reboot
		1687	} # End post_install ()
		1688
		1689	#################################
1005	richard	1690	# Main Install loop #
1	root	1691	#################################
832	richard	1692	dir_exec=`dirname "$0"`
		1693	if [ $dir_exec != "." ]
		1694	then
		1695	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1696	echo "Launch this program from the ALCASAR archive directory"
		1697	exit 0
		1698	fi
		1699	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1700	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1701	nb_args=$#
		1702	args=$1
		1703	if [ $nb_args -eq 0 ]
		1704	then
		1705	nb_args=1
		1706	args="-h"
		1707	fi
1062	richard	1708	chmod -R u+x $DIR_SCRIPTS/*
1	root	1709	case $args in
		1710	-\? \| -h* \| --h*)
		1711	echo "$usage"
		1712	exit 0
		1713	;;
291	franck	1714	-i \| --install)
959	franck	1715	license
5	franck	1716	header_install
29	richard	1717	testing
597	richard	1718	# Test if ALCASAR is already installed
5	franck	1719	if [ -e $DIR_WEB/VERSION ]
1	root	1720	then
460	richard	1721	actual_version=`cat $DIR_WEB/VERSION`
595	richard	1722	if [ $Lang == "fr" ]
		1723	then echo -n "La version "; echo -n $actual_version ; echo " d'ALCASAR est déjà installée";
		1724	else echo -n "ALCASAR Version "; echo -n $actual_version ; echo " is already installed";
		1725	fi
5	franck	1726	response=0
460	richard	1727	PTN='^[oOnNyY]$'
580	richard	1728	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1729	do
595	richard	1730	if [ $Lang == "fr" ]
		1731	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		1732	else echo -n "Do you want to update (Y/n)?";
		1733	fi
5	franck	1734	read response
		1735	done
597	richard	1736	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
5	franck	1737	then
597	richard	1738	rm -f /tmp/alcasar-conf*
		1739	else
636	richard	1740	# Create a backup of running version importants files
389	franck	1741	$DIR_SCRIPTS/alcasar-conf.sh --create
532	richard	1742	mode="update"
5	franck	1743	fi
1	root	1744	fi
595	richard	1745	# RPMs install
		1746	$DIR_SCRIPTS/alcasar-urpmi.sh
		1747	if [ "$?" != "0" ]
1	root	1748	then
595	richard	1749	exit 0
		1750	fi
		1751	if [ -e $DIR_WEB/VERSION ]
		1752	then
597	richard	1753	# Uninstall the running version
532	richard	1754	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1755	fi
636	richard	1756	# Test if manual update
1057	richard	1757	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" != "update" ]
595	richard	1758	then
636	richard	1759	header_install
595	richard	1760	if [ $Lang == "fr" ]
636	richard	1761	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1762	else echo "The configuration file of an old version has been found";
595	richard	1763	fi
597	richard	1764	response=0
		1765	PTN='^[oOnNyY]$'
		1766	until [[ $(expr $response : $PTN) -gt 0 ]]
		1767	do
		1768	if [ $Lang == "fr" ]
		1769	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1770	else echo -n "Do you want to use it (Y/n)?";
		1771	fi
		1772	read response
		1773	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1774	then rm -f /tmp/alcasar-conf*
		1775	fi
		1776	done
		1777	fi
636	richard	1778	# Test if update
1057	richard	1779	if [ -e /tmp/alcasar-conf* ]
597	richard	1780	then
		1781	if [ $Lang == "fr" ]
		1782	then echo "#### Installation avec mise à jour ####";
		1783	else echo "#### Installation with update ####";
		1784	fi
636	richard	1785	# Extract the central configuration file
1057	richard	1786	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1787	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1788	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1789	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1790	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1791	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1792	mode="update"
		1793	else
		1794	mode="install"
1	root	1795	fi
604	richard	1796	for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install
5	franck	1797	do
		1798	$func
1007	richard	1799	# echo "* 'debug' : end of function $func *"; read a
14	richard	1800	done
5	franck	1801	;;
291	franck	1802	-u \| --uninstall)
5	franck	1803	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1804	then
597	richard	1805	if [ $Lang == "fr" ]
		1806	then echo "ALCASAR n'est pas installé!";
		1807	else echo "ALCASAR isn't installed!";
		1808	fi
1	root	1809	exit 0
		1810	fi
5	franck	1811	response=0
		1812	PTN='^[oOnN]$'
580	richard	1813	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1814	do
597	richard	1815	if [ $Lang == "fr" ]
		1816	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1817	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1818	fi
5	franck	1819	read response
		1820	done
597	richard	1821	if [ "$reponse" = "o" ] \|\| [ "$reponse" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1822	then
389	franck	1823	$DIR_SCRIPT/alcasar-conf.sh --create
498	richard	1824	else
		1825	rm -f /tmp/alcasar-conf*
1	root	1826	fi
597	richard	1827	# Uninstall the running version
65	richard	1828	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1829	;;
		1830	*)
		1831	echo "Argument inconnu :$1";
460	richard	1832	echo "Unknown argument :$1";
1	root	1833	echo "$usage"
		1834	exit 1
		1835	;;
		1836	esac
10	franck	1837	# end of script
366	franck	1838

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1062