WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1148 2013-07-08 16:19:10Z crox53 $
1	root	3
		4	# alcasar.sh
959	franck	5
1114	richard	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
806	richard	23	# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
29	richard	30	# testing : Tests de connectivité et de téléchargement avant installation
1	root	31	# init : Installation des RPM et des scripts
		32	# network : Paramètrage du réseau
		33	# gestion : Installation de l'interface de gestion
		34	# AC : Initialisation de l'autorité de certification. Création des certificats
		35	# init_db : Création de la base 'radius' sur le serveur MySql
		36	# param_radius : Configuration du serveur d'authentification FreeRadius
		37	# param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
		38	# param_chilli : Configuration du daemon 'coova-chilli' et de la page d'authentification
		39	# param_squid : Configuration du proxy squid en mode 'cache'
		40	# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
479	richard	41	# antivirus : Installation havp + libclamav
1	root	42	# param_awstats : Configuration de l'interface des statistiques de consultation WEB
297	richard	43	# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
308	richard	44	# BL : Configuration de la BlackList
1	root	45	# cron : Mise en place des exports de logs (+ chiffrement)
532	richard	46	# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
1	root	47
		48	DATE=`date '+%d %B %Y - %Hh%M'`
		49	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	50	Lang=`echo $LANG\|cut -c 1-2`
1	root	51	# ***** Files parameters - paramètres fichiers *******
1015	richard	52	DIR_INSTALL=`pwd` # current directory
		53	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		54	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		55	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		56	DIR_WEB="/var/www/html" # directory of APACHE
		57	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		58	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		59	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		60	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		61	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		62	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		63	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		64	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	65	# ***** DBMS parameters - paramètres SGBD ******
		66	DB_RADIUS="radius" # nom de la base de données utilisée par le serveur FreeRadius
		67	DB_USER="radius" # nom de l'utilisateur de la base de données
		68	# ***** Network parameters - paramètres réseau *****
503	richard	69	HOSTNAME="alcasar" #
1	root	70	DOMAIN="localdomain" # domaine local
		71	EXTIF="eth0" # ETH0 est l'interface connectée à Internet (Box FAI)
1148	crox53	72	MTU="1500"
1133	franck	73	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1	root	74	INTIF="eth1" # ETH1 est l'interface connectée au réseau local de consultation
597	richard	75	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # adresse d'ALCASAR (+masque) proposée par défaut sur le réseau de consultation
1	root	76	# **** Paths - chemin des commandes *****
		77	SED="/bin/sed -i"
		78	# **************** End of global parameters *******************
		79
959	franck	80	license ()
		81	{
		82	if [ $Lang == "fr" ]
967	franck	83	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		84	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	85	fi
975	franck	86	echo "Taper sur Entrée pour continuer !"
		87	echo "Enter to continue."
959	franck	88	read a
		89	}
		90
1	root	91	header_install ()
		92	{
		93	clear
		94	echo "-----------------------------------------------------------------------------"
460	richard	95	echo " ALCASAR V$VERSION Installation"
1	root	96	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		97	echo "-----------------------------------------------------------------------------"
		98	} # End of header_install ()
		99
		100	##################################################################
1005	richard	101	## Function TESTING ##
		102	## - Test of Internet access ##
29	richard	103	##################################################################
		104	testing ()
		105	{
595	richard	106	if [ $Lang == "fr" ]
784	richard	107	then echo -n "Tests des paramètres réseau : "
595	richard	108	else echo -n "Network parameters tests : "
		109	fi
784	richard	110	# We test eth0 config files
		111	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		112	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		113	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		114	then
		115	if [ $Lang == "fr" ]
		116	then
		117	echo "Échec"
		118	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		119	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	120	echo "Appliquez les changements : 'service network restart'"
784	richard	121	else
		122	echo "Failed"
		123	echo "The Internet connected network card ($EXTIF) isn't well configured."
		124	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	125	echo "Apply the new configuration 'service network restart'"
784	richard	126	fi
830	richard	127	echo "DEVICE=$EXTIF"
784	richard	128	echo "IPADDR="
		129	echo "NETMASK="
		130	echo "GATEWAY="
		131	echo "DNS1="
		132	echo "DNS2="
830	richard	133	echo "ONBOOT=yes"
784	richard	134	exit 0
		135	fi
		136	echo -n "."
460	richard	137	# We test the Ethernet links state
29	richard	138	for i in $EXTIF $INTIF
		139	do
294	richard	140	/sbin/ip link set $i up
306	richard	141	sleep 3
1031	richard	142	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		143	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	144	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	145	then
595	richard	146	if [ $Lang == "fr" ]
		147	then
		148	echo "Échec"
		149	echo "Le lien réseau de la carte $i n'est pas actif."
		150	echo "Réglez ce problème puis relancez ce script."
		151	else
		152	echo "Failed"
		153	echo "The link state of $i interface id down."
		154	echo "Resolv this problem, then restart this script."
		155	fi
29	richard	156	exit 0
		157	fi
308	richard	158	echo -n "."
29	richard	159	done
		160	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	161	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	162	if [ $Lang == "fr" ]
		163	then
		164	echo "Échec"
		165	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		166	echo "Réglez ce problème puis relancez ce script."
		167	else
		168	echo "Failed"
		169	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		170	echo "Resolv this problem, then restart this script."
		171	fi
29	richard	172	exit 0
		173	fi
308	richard	174	echo -n "."
978	franck	175	# On traite le cas où l'interface configurée lors de l'installation est "eth1" au lieu de "eth0" (mystère sur certaines versions de BIOS et de VirtualBox)
784	richard	176	if [ `ip route list\|grep ^default\|grep -c eth1` -eq "1" ] ; then
595	richard	177	if [ $Lang == "fr" ]
		178	then echo "La configuration des cartes réseau va être corrigée."
		179	else echo "The Ethernet card configuration will be corrected."
		180	fi
29	richard	181	/etc/init.d/network stop
		182	mv -f /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth0
		183	$SED "s?eth1?eth0?g" /etc/sysconfig/network-scripts/ifcfg-eth0
		184	/etc/init.d/network start
		185	echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
		186	sleep 2
595	richard	187	if [ $Lang == "fr" ]
		188	then echo "Configuration corrigée"
		189	else echo "Configuration updated"
		190	fi
29	richard	191	sleep 2
595	richard	192	if [ $Lang == "fr" ]
		193	then echo "Vous pouvez relancer ce script."
		194	else echo "You can restart this script."
		195	fi
29	richard	196	exit 0
		197	fi
308	richard	198	echo -n "."
978	franck	199	# On teste le lien vers le routeur par defaut
308	richard	200	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		201	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	202	if [ $(expr $arp_reply) -eq 0 ]
308	richard	203	then
595	richard	204	if [ $Lang == "fr" ]
		205	then
		206	echo "Échec"
		207	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		208	echo "Réglez ce problème puis relancez ce script."
		209	else
		210	echo "Failed"
		211	echo "The Internet gateway doesn't answered"
		212	echo "Resolv this problem, then restart this script."
		213	fi
308	richard	214	exit 0
		215	fi
		216	echo -n "."
421	franck	217	# On teste la connectivité Internet
29	richard	218	rm -rf /tmp/con_ok.html
308	richard	219	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	220	if [ ! -e /tmp/con_ok.html ]
		221	then
595	richard	222	if [ $Lang == "fr" ]
		223	then
		224	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		225	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		226	echo "Vérifiez la validité des adresses IP des DNS."
		227	else
		228	echo "The Internet connection try failed (google.fr)."
		229	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		230	echo "Verify the DNS IP addresses"
		231	fi
29	richard	232	exit 0
		233	fi
		234	rm -rf /tmp/con_ok.html
308	richard	235	echo ". : ok"
302	richard	236	} # end of testing
		237
		238	##################################################################
		239	## Fonction INIT ##
		240	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		241	## - Installation et modification des scripts du portail ##
		242	##################################################################
		243	init ()
		244	{
527	richard	245	if [ "$mode" != "update" ]
302	richard	246	then
		247	# On affecte le nom d'organisme
597	richard	248	header_install
302	richard	249	ORGANISME=!
		250	PTN='^[a-zA-Z0-9-]*$'
580	richard	251	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	252	do
595	richard	253	if [ $Lang == "fr" ]
597	richard	254	then echo -n "Entrez le nom de votre organisme : "
		255	else echo -n "Enter the name of your organism : "
595	richard	256	fi
330	franck	257	read ORGANISME
613	richard	258	if [ "$ORGANISME" == "" ]
330	franck	259	then
		260	ORGANISME=!
		261	fi
		262	done
302	richard	263	fi
1	root	264	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	265	rm -f $PASSWD_FILE
59	richard	266	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de protection du menu Grub
628	richard	267	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
		268	echo "$grubpwd" >> $PASSWD_FILE
59	richard	269	md5_grubpwd=`/usr/bin/md5pass $grubpwd`
384	richard	270	$SED "/^password.*/d" /boot/grub/menu.lst
		271	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1	root	272	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'administrateur Mysqld
1003	richard	273	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	274	echo "root / $mysqlpwd" >> $PASSWD_FILE
1	root	275	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
1003	richard	276	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	277	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1	root	278	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre intercept.php et coova-chilli
628	richard	279	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		280	echo "$secretuam" >> $PASSWD_FILE
1	root	281	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre coova-chilli et FreeRadius
628	richard	282	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		283	echo "$secretradius" >> $PASSWD_FILE
		284	chmod 640 $PASSWD_FILE
977	richard	285	# Scripts and conf files copy
		286	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	287	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	288	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	289	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	290	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	291	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	292	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		293	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	294	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		295	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	296	# generate central conf file
		297	cat <<EOF > $CONF_FILE
612	richard	298	##########################################
		299	## ##
		300	## ALCASAR Parameters ##
		301	## ##
		302	##########################################
1	root	303
612	richard	304	INSTALL_DATE=$DATE
		305	VERSION=$VERSION
		306	ORGANISM=$ORGANISME
923	franck	307	DOMAIN=$DOMAIN
612	richard	308	EOF
628	richard	309	chmod o-rwx $CONF_FILE
1	root	310	} # End of init ()
		311
		312	##################################################################
		313	## Fonction network ##
		314	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	315	## - Nommage DNS du système ##
1	root	316	## - Configuration de l'interface eth1 (réseau de consultation) ##
		317	## - Modification du fichier /etc/hosts ##
		318	## - Configuration du serveur de temps (NTP) ##
		319	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		320	##################################################################
		321	network ()
		322	{
		323	header_install
636	richard	324	if [ "$mode" != "update" ]
		325	then
		326	if [ $Lang == "fr" ]
		327	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		328	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		329	fi
		330	response=0
		331	PTN='^[oOyYnN]$'
		332	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	333	do
595	richard	334	if [ $Lang == "fr" ]
659	richard	335	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	336	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	337	fi
1	root	338	read response
		339	done
636	richard	340	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		341	then
		342	PRIVATE_IP_MASK="0"
		343	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		344	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	345	do
595	richard	346	if [ $Lang == "fr" ]
597	richard	347	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		348	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	349	fi
597	richard	350	read PRIVATE_IP_MASK
1	root	351	done
636	richard	352	else
		353	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		354	fi
595	richard	355	else
637	richard	356	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		357	rm -rf conf/etc/alcasar.conf
1	root	358	fi
861	richard	359	# Define LAN side global parameters
1	root	360	hostname $HOSTNAME
1033	richard	361	echo $HOSTNAME > /etc/hostname
977	richard	362	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		363	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		364	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		365	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		366	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		367	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		368	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		369	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		370	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		371	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	372	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	373	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	374	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
977	richard	375	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF (eth1)
841	richard	376	# Define Internet parameters
14	richard	377	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		378	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		379	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	380	DNS1=${DNS1:=208.67.220.220}
		381	DNS2=${DNS2:=208.67.222.222}
597	richard	382	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	383	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	384	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	385	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	386	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
765	stephane	387	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	388	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	389	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		390	echo "DNS1=$DNS1" >> $CONF_FILE
		391	echo "DNS2=$DNS2" >> $CONF_FILE
		392	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	393	echo "DHCP=full" >> $CONF_FILE
914	franck	394	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		395	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		396	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	397	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	398	# config network
1	root	399	cat <<EOF > /etc/sysconfig/network
		400	NETWORKING=yes
		401	HOSTNAME="$HOSTNAME"
		402	FORWARD_IPV4=true
		403	EOF
841	richard	404	# config /etc/hosts
1	root	405	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		406	cat <<EOF > /etc/hosts
503	richard	407	127.0.0.1 localhost
914	franck	408	$PRIVATE_IP $HOSTNAME $HOSTNAME.$DOMAIN
1	root	409	EOF
841	richard	410	# Config eth0 (Internet)
14	richard	411	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		412	DEVICE=$EXTIF
		413	BOOTPROTO=static
597	richard	414	IPADDR=$PUBLIC_IP
		415	NETMASK=$PUBLIC_NETMASK
		416	GATEWAY=$PUBLIC_GATEWAY
14	richard	417	DNS1=127.0.0.1
		418	ONBOOT=yes
		419	METRIC=10
		420	NOZEROCONF=yes
		421	MII_NOT_SUPPORTED=yes
		422	IPV6INIT=no
		423	IPV6TO4INIT=no
		424	ACCOUNTING=no
		425	USERCTL=no
994	franck	426	MTU=$MTU
14	richard	427	EOF
841	richard	428	# Config eth1 (consultation LAN) in normal mode
		429	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		430	DEVICE=$INTIF
		431	BOOTPROTO=static
		432	ONBOOT=yes
		433	NOZEROCONF=yes
		434	MII_NOT_SUPPORTED=yes
		435	IPV6INIT=no
		436	IPV6TO4INIT=no
		437	ACCOUNTING=no
		438	USERCTL=no
1148	crox53	439	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	440	EOF
		441	# Config of eth1 in bypass mode (see "alcasar-bypass.sh")
793	richard	442	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	443	DEVICE=$INTIF
		444	BOOTPROTO=static
		445	IPADDR=$PRIVATE_IP
604	richard	446	NETMASK=$PRIVATE_NETMASK
1	root	447	ONBOOT=yes
		448	METRIC=10
		449	NOZEROCONF=yes
		450	MII_NOT_SUPPORTED=yes
14	richard	451	IPV6INIT=no
		452	IPV6TO4INIT=no
		453	ACCOUNTING=no
		454	USERCTL=no
1	root	455	EOF
440	franck	456	# Mise à l'heure du serveur
		457	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		458	cat <<EOF > /etc/ntp/step-tickers
455	franck	459	0.fr.pool.ntp.org # adapt to your country
		460	1.fr.pool.ntp.org
		461	2.fr.pool.ntp.org
440	franck	462	EOF
		463	# Configuration du serveur de temps (sur lui même)
1	root	464	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		465	cat <<EOF > /etc/ntp.conf
456	franck	466	server 0.fr.pool.ntp.org # adapt to your country
447	franck	467	server 1.fr.pool.ntp.org
		468	server 2.fr.pool.ntp.org
		469	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	470	fudge 127.127.1.0 stratum 10
604	richard	471	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	472	restrict 127.0.0.1
310	richard	473	driftfile /var/lib/ntp/drift
1	root	474	logfile /var/log/ntp.log
		475	EOF
440	franck	476
310	richard	477	chown -R ntp:ntp /var/lib/ntp
1	root	478	# Renseignement des fichiers hosts.allow et hosts.deny
		479	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		480	cat <<EOF > /etc/hosts.allow
		481	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	482	sshd: ALL
1	root	483	ntpd: $PRIVATE_NETWORK_SHORT
		484	EOF
		485	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		486	cat <<EOF > /etc/hosts.deny
		487	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		488	EOF
1148	crox53	489	read a
		490	# modify "network-functions" Mageia script (waiting for bug fix bugzilla:10623)
		491	$SED "s?/sbin/ethtool?/usr/sbin/ethtool?g" /etc/sysconfig/network-scripts/network-functions
604	richard	492	# Firewall config
790	richard	493	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		494	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		495	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	496	# create the filter exception file and ip_bloqued file
790	richard	497	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	498	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	499	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	500	# load conntrack ftp module
		501	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		502	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1148	crox53	503	#
860	richard	504	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	505	} # End of network ()
		506
		507	##################################################################
		508	## Fonction gestion ##
		509	## - installation du centre de gestion ##
		510	## - configuration du serveur web (Apache) ##
		511	## - définition du 1er comptes de gestion ##
		512	## - sécurisation des accès ##
		513	##################################################################
		514	gestion()
		515	{
		516	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		517	mkdir $DIR_WEB
		518	# Copie et configuration des fichiers du centre de gestion
316	richard	519	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	520	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	521	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		522	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		523	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		524	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
498	richard	525	$SED "s?\$hostname =.*?\$hostname = \"$HOSTNAME\";?g" $DIR_WEB/index.php
316	richard	526	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	527	chown -R apache:apache $DIR_WEB/*
840	richard	528	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
1	root	529	do
		530	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		531	done
5	franck	532	chown -R root:apache $DIR_SAVE
71	richard	533	# Configuration et sécurisation php
		534	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	535	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		536	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	537	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		538	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	539	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		540	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		541	# Configuration et sécurisation Apache
790	richard	542	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	543	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
580	richard	544	$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf
303	richard	545	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	546	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		547	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		548	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	549	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		550	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		551	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		552	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		553	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		554	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	555	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1	root	556	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
		557	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
		558	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
		559	[ -e /var/www/error/include/bottom.html.default ] \|\| mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
		560	cat <<EOF > /var/www/error/include/bottom.html
		561	</body>
		562	</html>
		563	EOF
		564	# Définition du premier compte lié au profil 'admin'
509	richard	565	header_install
510	richard	566	if [ "$mode" = "install" ]
		567	then
613	richard	568	admin_portal=!
		569	PTN='^[a-zA-Z0-9-]*$'
		570	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		571	do
		572	header_install
		573	if [ $Lang == "fr" ]
		574	then
		575	echo ""
		576	echo "Définissez un premier compte d'administration du portail :"
		577	echo
		578	echo -n "Nom : "
		579	else
		580	echo ""
		581	echo "Define the first account allow to administrate the portal :"
		582	echo
		583	echo -n "Account : "
		584	fi
		585	read admin_portal
		586	if [ "$admin_portal" == "" ]
		587	then
		588	admin_portal=!
		589	fi
		590	done
1	root	591	# Création du fichier de clés de ce compte dans le profil "admin"
510	richard	592	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		593	mkdir -p $DIR_DEST_ETC/digest
		594	chmod 755 $DIR_DEST_ETC/digest
		595	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		596	do
613	richard	597	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
510	richard	598	done
		599	$DIR_DEST_SBIN/alcasar-profil.sh --list
595	richard	600	else # mise à jour des versions < 2.1
1010	richard	601	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 1 ])
510	richard	602	then
613	richard	603	if [ $Lang == "fr" ]
		604	then
		605	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		606	echo
		607	echo -n "Nom : "
		608	else
		609	echo "This update need to redefine the first admin account"
		610	echo
		611	echo -n "Account : "
		612	fi
		613	read admin_portal
510	richard	614	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		615	mkdir -p $DIR_DEST_ETC/digest
		616	chmod 755 $DIR_DEST_ETC/digest
		617	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		618	do
613	richard	619	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
510	richard	620	done
		621	$DIR_DEST_SBIN/alcasar-profil.sh --list
		622	fi
		623	fi
434	richard	624	# synchronisation horaire
		625	ntpd -q -g &
1	root	626	# Sécurisation du centre
988	franck	627	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	628	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	629	<Directory $DIR_ACC>
1	root	630	SSLRequireSSL
		631	AllowOverride None
		632	Order deny,allow
		633	Deny from all
		634	Allow from 127.0.0.1
		635	Allow from $PRIVATE_NETWORK_MASK
990	franck	636	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	637	require valid-user
		638	AuthType digest
		639	AuthName $HOSTNAME
		640	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	641	AuthUserFile $DIR_DEST_ETC/digest/key_all
580	richard	642	ErrorDocument 404 https://$HOSTNAME/
1	root	643	</Directory>
316	richard	644	<Directory $DIR_ACC/admin>
1	root	645	SSLRequireSSL
		646	AllowOverride None
		647	Order deny,allow
		648	Deny from all
		649	Allow from 127.0.0.1
		650	Allow from $PRIVATE_NETWORK_MASK
990	franck	651	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	652	require valid-user
		653	AuthType digest
		654	AuthName $HOSTNAME
		655	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	656	AuthUserFile $DIR_DEST_ETC/digest/key_admin
580	richard	657	ErrorDocument 404 https://$HOSTNAME/
1	root	658	</Directory>
344	richard	659	<Directory $DIR_ACC/manager>
1	root	660	SSLRequireSSL
		661	AllowOverride None
		662	Order deny,allow
		663	Deny from all
		664	Allow from 127.0.0.1
		665	Allow from $PRIVATE_NETWORK_MASK
990	franck	666	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	667	require valid-user
		668	AuthType digest
		669	AuthName $HOSTNAME
		670	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	671	AuthUserFile $DIR_DEST_ETC/digest/key_manager
580	richard	672	ErrorDocument 404 https://$HOSTNAME/
1	root	673	</Directory>
316	richard	674	<Directory $DIR_ACC/backup>
		675	SSLRequireSSL
		676	AllowOverride None
		677	Order deny,allow
		678	Deny from all
		679	Allow from 127.0.0.1
		680	Allow from $PRIVATE_NETWORK_MASK
990	franck	681	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	682	require valid-user
		683	AuthType digest
		684	AuthName $HOSTNAME
		685	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	686	AuthUserFile $DIR_DEST_ETC/digest/key_backup
580	richard	687	ErrorDocument 404 https://$HOSTNAME/
316	richard	688	</Directory>
811	richard	689	Alias /save/ "$DIR_SAVE/"
		690	<Directory $DIR_SAVE>
		691	SSLRequireSSL
		692	Options Indexes
		693	Order deny,allow
		694	Deny from all
		695	Allow from 127.0.0.1
		696	Allow from $PRIVATE_NETWORK_MASK
990	franck	697	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	698	require valid-user
		699	AuthType digest
		700	AuthName $HOSTNAME
		701	AuthUserFile $DIR_DEST_ETC/digest/key_backup
		702	ErrorDocument 404 https://$HOSTNAME/
		703	</Directory>
1	root	704	EOF
		705	} # End of gestion ()
		706
		707	##########################################################################################
		708	## Fonction AC() ##
		709	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		710	##########################################################################################
		711	AC ()
		712	{
		713	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	714	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	715	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	716	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		717	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		718	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	719	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	720	chown -R root:apache /etc/pki
1	root	721	chmod -R 750 /etc/pki
		722	} # End AC ()
		723
		724	##########################################################################################
		725	## Fonction init_db() ##
		726	## - Initialisation de la base Mysql ##
		727	## - Affectation du mot de passe de l'administrateur (root) ##
		728	## - Suppression des bases et des utilisateurs superflus ##
		729	## - Création de la base 'radius' ##
		730	## - Installation du schéma de cette base ##
		731	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		732	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		733	##########################################################################################
		734	init_db ()
		735	{
		736	mkdir -p /var/lib/mysql/.tmp
1008	richard	737	chown -R mysql:mysql /var/lib/mysql/
227	franck	738	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf # prend en compte les migrations de MySQL
1	root	739	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		740	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
		741	/etc/init.d/mysqld start
		742	sleep 4
		743	mysqladmin -u root password $mysqlpwd
		744	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
615	richard	745	# Delete exemple databases if exist
1	root	746	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;"
615	richard	747	# Create 'radius' database
1	root	748	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
615	richard	749	# Add an empty radius database structure
364	franck	750	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	751	# modify the start script in order to close accounting connexion when the system is comming down or up
		752	[ -e /etc/init.d/mysqld.default ] \|\| cp /etc/init.d/mysqld /etc/init.d/mysqld.default
		753	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
		754	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
1	root	755	} # End init_db ()
		756
		757	##########################################################################
		758	## Fonction param_radius ##
		759	## - Paramètrage des fichiers de configuration FreeRadius ##
		760	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		761	## - Modification de fichier de conf pour l'accès à Mysql ##
		762	##########################################################################
		763	param_radius ()
		764	{
		765	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		766	chown -R radius:radius /etc/raddb
		767	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
		768	# paramètrage radius.conf
		769	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		770	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		771	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
		772	# suppression de la fonction proxy
		773	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		774	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
654	richard	775	# suppression du module EAP
		776	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1	root	777	# écoute sur loopback uniquement (à modifier plus tard pour l'EAP)
		778	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
		779	# prise en compte du module SQL et des compteurs SQL
		780	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		781	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		782	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
		783	# purge du répertoire des serveurs virtuels et copie du fichier de configuration d'Alcasar
		784	rm -f /etc/raddb/sites-enabled/*
		785	cp $DIR_CONF/alcasar-radius /etc/raddb/sites-available/alcasar
		786	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		787	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		788	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		789	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	790	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	791	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
		792	# configuration du fichier client.conf (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
		793	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		794	cat << EOF > /etc/raddb/clients.conf
		795	client 127.0.0.1 {
		796	secret = $secretradius
		797	shortname = localhost
		798	}
		799	EOF
		800	# modif sql.conf
		801	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		802	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		803	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		804	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		805	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
		806	# modif dialup.conf
		807	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
		808	cp -f $DIR_CONF/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1114	richard	809	# insures that mysql is up before radius start
		810	$SED "s?^# Should-Start.*?# Should-Start: \$network mysqld?" /etc/init.d/radiusd
		811	$SED "s?^# Should-Stop.*?# Should-Start: \$network mysqld?" /etc/init.d/radiusd
		812
1	root	813	} # End param_radius ()
		814
		815	##########################################################################
		816	## Fonction param_web_radius ##
		817	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		818	## - Création du lien vers la page de changement de mot de passe ##
		819	##########################################################################
		820	param_web_radius ()
		821	{
		822	# copie de l'interface d'origine dans la structure Alcasar
316	richard	823	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		824	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		825	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	826	# copie des fichiers modifiés
		827	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	828	chown -R apache:apache $DIR_ACC/manager/
344	richard	829	# Modification des fichiers de configuration
1	root	830	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	831	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	832	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		833	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		834	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		835	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		836	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		837	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		838	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	839	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	840	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
		841	cp -f $DIR_CONF/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	842	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	843	nas1_name: alcasar-$ORGANISME
1	root	844	nas1_model: Portail captif
		845	nas1_ip: $PRIVATE_IP
		846	nas1_port_num: 0
		847	nas1_community: public
		848	EOF
		849	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		850	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
		851	cp -f $DIR_CONF/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	852	# Ajout du mappage des attributs chillispot
		853	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
		854	cp -f $DIR_CONF/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	855	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
		856	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/user_edit.attrs.default
		857	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		858	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	859	chown -R apache:apache /etc/freeradius-web
1	root	860	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		861	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	862	<Directory $DIR_WEB/pass>
1	root	863	SSLRequireSSL
		864	AllowOverride None
		865	Order deny,allow
		866	Deny from all
		867	Allow from 127.0.0.1
		868	Allow from $PRIVATE_NETWORK_MASK
580	richard	869	ErrorDocument 404 https://$HOSTNAME
1	root	870	</Directory>
		871	EOF
		872	} # End of param_web_radius ()
		873
799	richard	874	##################################################################################
		875	## Fonction param_chilli ##
		876	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		877	## - Paramètrage de la page d'authentification (intercept.php) ##
		878	##################################################################################
1	root	879	param_chilli ()
		880	{
799	richard	881	# init file creation
461	richard	882	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	883	cat <<EOF > /etc/init.d/chilli
		884	#!/bin/sh
		885	#
		886	# chilli CoovaChilli init
		887	#
		888	# chkconfig: 2345 65 35
		889	# description: CoovaChilli
		890	### BEGIN INIT INFO
		891	# Provides: chilli
		892	# Required-Start: network
		893	# Should-Start:
		894	# Required-Stop: network
		895	# Should-Stop:
		896	# Default-Start: 2 3 5
		897	# Default-Stop:
		898	# Description: CoovaChilli access controller
		899	### END INIT INFO
		900
		901	[ -f /usr/sbin/chilli ] \|\| exit 0
		902	. /etc/init.d/functions
		903	CONFIG=/etc/chilli.conf
		904	pidfile=/var/run/chilli.pid
		905	[ -f \$CONFIG ] \|\| {
		906	echo "\$CONFIG Not found"
		907	exit 0
		908	}
		909	RETVAL=0
		910	prog="chilli"
		911	case \$1 in
		912	start)
		913	if [ -f \$pidfile ] ; then
		914	gprintf "chilli is already running"
		915	else
		916	gprintf "Starting \$prog: "
		917	rm -f /var/run/chilli* # cleaning
		918	/sbin/modprobe tun >/dev/null 2>&1
		919	echo 1 > /proc/sys/net/ipv4/ip_forward
		920	[ -e /dev/net/tun ] \|\| {
		921	(cd /dev;
		922	mkdir net;
		923	cd net;
		924	mknod tun c 10 200)
		925	}
		926	ifconfig eth1 0.0.0.0
		927	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		928	RETVAL=$?
		929	fi
		930	;;
		931
		932	reload)
		933	killall -HUP chilli
		934	;;
		935
		936	restart)
		937	\$0 stop
		938	sleep 2
		939	\$0 start
		940	;;
		941
		942	status)
		943	status chilli
		944	RETVAL=0
		945	;;
		946
		947	stop)
		948	if [ -f \$pidfile ] ; then
		949	gprintf "Shutting down \$prog: "
		950	killproc /usr/sbin/chilli
		951	RETVAL=\$?
		952	[ \$RETVAL = 0 ] && rm -f $pidfile
		953	else
		954	gprintf "chilli is not running"
		955	fi
		956	;;
		957
		958	*)
		959	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		960	exit 1
		961	esac
		962	echo
		963	EOF
		964
		965	# conf file creation
346	richard	966	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		967	cat <<EOF > /etc/chilli.conf
		968	# coova config for ALCASAR
		969	cmdsocket /var/run/chilli.sock
		970	unixipc chilli.eth1.ipc
		971	pidfile /var/run/chilli.eth1.pid
		972	net $PRIVATE_NETWORK_MASK
595	richard	973	dhcpif $INTIF
841	richard	974	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	975	#nodynip
865	richard	976	#statip
		977	dynip $PRIVATE_NETWORK_MASK
346	richard	978	domain localdomain
355	richard	979	dns1 $PRIVATE_IP
		980	dns2 $PRIVATE_IP
346	richard	981	uamlisten $PRIVATE_IP
503	richard	982	uamport 3990
837	richard	983	macauth
		984	macpasswd password
346	richard	985	locationname $HOSTNAME
		986	radiusserver1 127.0.0.1
		987	radiusserver2 127.0.0.1
		988	radiussecret $secretradius
		989	radiusauthport 1812
		990	radiusacctport 1813
467	richard	991	uamserver https://$HOSTNAME/intercept.php
346	richard	992	radiusnasid $HOSTNAME
		993	uamsecret $secretuam
793	richard	994	uamallowed alcasar
346	richard	995	coaport 3799
503	richard	996	include $DIR_DEST_ETC/alcasar-uamallowed
		997	include $DIR_DEST_ETC/alcasar-uamdomain
1118	franck	998	#dhcpgateway
		999	#dhcprelayagent
		1000	#dhcpgatewayport
346	richard	1001	EOF
977	richard	1002	# create file for DHCP static ip. Reserve the second IP address for eth1 (the first one is for tun0)
		1003	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1004	# create files for trusted domains and urls
1148	crox53	1005	# cp -f $DIR_CONF/etc/alcasar-uam* $DIR_DEST_ETC/.
		1006	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1007	chown root:apache $DIR_DEST_ETC/alcasar-*
		1008	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1009	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1010	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1011	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1012	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1013	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1014	if [ "$chilli_exist" == "1" ]
		1015	then
		1016	userdel -r chilli 2>/dev/null
		1017	fi
		1018	groupadd -f chilli
		1019	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	1020	} # End of param_chilli ()
		1021
		1022	##########################################################
		1023	## Fonction param_squid ##
		1024	## - Paramètrage du proxy 'squid' en mode 'cache' ##
		1025	## - Initialisation de la base de données ##
		1026	##########################################################
		1027	param_squid ()
		1028	{
		1029	# paramètrage de Squid (connecté en série derrière Dansguardian)
		1030	[ -e /etc/squid/squid.conf.default ] \|\| cp /etc/squid/squid.conf /etc/squid/squid.conf.default
		1031	# suppression des références 'localnet', 'icp', 'htcp' et 'always_direct'
		1032	$SED "/^acl localnet/d" /etc/squid/squid.conf
		1033	$SED "/^icp_access allow localnet/d" /etc/squid/squid.conf
		1034	$SED "/^icp_port 3130/d" /etc/squid/squid.conf
		1035	$SED "/^http_access allow localnet/d" /etc/squid/squid.conf
		1036	$SED "/^htcp_access allow localnet/d" /etc/squid/squid.conf
		1037	$SED "/^always_direct allow localnet/d" /etc/squid/squid.conf
		1038	# mode 'proxy transparent local'
595	richard	1039	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
726	franck	1040	# Configuration du cache local
749	franck	1041	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
405	franck	1042	# emplacement et formatage standard des logs
419	franck	1043	echo '#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh' >> /etc/squid/squid.conf
749	franck	1044	echo '#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh' >> /etc/squid/squid.conf
405	franck	1045	echo "access_log /var/log/squid/access.log" >> /etc/squid/squid.conf
1	root	1046	# compatibilité des logs avec awstats
315	richard	1047	echo "emulate_httpd_log on" >> /etc/squid/squid.conf
749	franck	1048	echo "half_closed_clients off" >> /etc/squid/squid.conf
		1049	echo "server_persistent_connections off" >> /etc/squid/squid.conf
		1050	echo "client_persistent_connections on" >> /etc/squid/squid.conf
		1051	echo "client_lifetime 1440 minutes" >> /etc/squid/squid.conf
		1052	echo "request_timeout 5 minutes" >> /etc/squid/squid.conf
		1053	echo "persistent_request_timeout 2 minutes" >> /etc/squid/squid.conf
726	franck	1054	echo "cache_mem 256 MB" >> /etc/squid/squid.conf
749	franck	1055	echo "maximum_object_size_in_memory 4096 KB" >> /etc/squid/squid.conf
		1056	echo "maximum_object_size 4096 KB" >> /etc/squid/squid.conf
835	richard	1057	# anonymisation of squid version
813	richard	1058	echo "via off" >> /etc/squid/squid.conf
835	richard	1059	# remove the 'X_forwarded' http option
812	richard	1060	echo "forwarded_for delete" >> /etc/squid/squid.conf
835	richard	1061	# linked squid output in HAVP input
		1062	echo "cache_peer 127.0.0.1 parent 8090 0 no-query default" >> /etc/squid/squid.conf
		1063	echo "never_direct allow all" >> /etc/squid/squid.conf
		1064	# avoid error messages on network interfaces state changes
313	richard	1065	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
894	richard	1066	# reduce squid shutdown time (100 to 50)
		1067	$SED "s?^SQUID_SHUTDOWN_TIMEOUT.*?SQUID_SHUTDOWN_TIMEOUT=50?g" /etc/sysconfig/squid
		1068
835	richard	1069	# Squid cache init
1	root	1070	/usr/sbin/squid -z
		1071	} # End of param_squid ()
		1072
		1073	##################################################################
		1074	## Fonction param_dansguardian ##
		1075	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1076	##################################################################
		1077	param_dansguardian ()
		1078	{
		1079	mkdir /var/dansguardian
		1080	chown dansguardian /var/dansguardian
497	richard	1081	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
307	richard	1082	# Le filtrage est désactivé par défaut
497	richard	1083	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1	root	1084	# la page d'interception est en français
497	richard	1085	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1	root	1086	# on limite l'écoute de Dansguardian côté LAN
497	richard	1087	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
835	richard	1088	# on chaîne Dansguardian au proxy cache SQUID
		1089	$SED "s?^proxyport.*?proxyport = 3128?g" $DIR_DG/dansguardian.conf
1	root	1090	# on remplace la page d'interception (template)
		1091	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1092	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
		1093	# on ne loggue que les deny (pour le reste, on a squid)
497	richard	1094	$SED "s?^loglevel =.*?loglevel = 1?g" $DIR_DG/dansguardian.conf
659	richard	1095	# lauch of 10 daemons (20 in largest server)
		1096	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1097	# on désactive par défaut le controle de contenu des pages html
497	richard	1098	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1099	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1100	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1101	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1102	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1103	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1104	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1105	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1106	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1107	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1108	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1109	touch $DIR_DG/lists/bannedextensionlist
		1110	touch $DIR_DG/lists/bannedmimetypelist
		1111	# 'Safesearch' regex actualisation
498	richard	1112	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1113	# empty LAN IP list that won't be WEB filtered
		1114	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1115	touch $DIR_DG/lists/exceptioniplist
		1116	# Keep a copy of URL & domain filter configuration files
		1117	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1118	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1119	} # End of param_dansguardian ()
		1120
71	richard	1121	##################################################################
		1122	## Fonction antivirus ##
479	richard	1123	## - configuration havp + libclamav ##
71	richard	1124	##################################################################
		1125	antivirus ()
		1126	{
288	richard	1127	# création de l'usager 'havp'
		1128	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1129	if [ "$havp_exist" == "1" ]
288	richard	1130	then
478	richard	1131	userdel -r havp 2>/dev/null
894	richard	1132	groupdel havp 2>/dev/null
288	richard	1133	fi
307	richard	1134	groupadd -f havp
796	richard	1135	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1136	mkdir -p /var/tmp/havp /var/log/havp
		1137	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1138	# configuration d'HAVP
		1139	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1140	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1141	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1142	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1143	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1144	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1145	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1146	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1147	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1148	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1149	# skip checking of youtube flow (too heavy load / risk too low)
		1150	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1151	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1152	echo ".youtube.com/" >> /etc/havp/whitelist
481	franck	1153	# remplacement du fichier d'initialisation
335	richard	1154	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
1005	richard	1155	# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
481	franck	1156	cp -f $DIR_CONF/havp-init /etc/init.d/havp
340	richard	1157	# on remplace la page d'interception (template)
		1158	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1159	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
489	richard	1160	# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
		1161	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
		1162	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
734	richard	1163	# Virus database update
		1164	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1165	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
		1166	/usr/bin/freshclam
71	richard	1167	}
		1168
1	root	1169	##################################################################################
476	richard	1170	## param_ulogd function ##
		1171	## - Ulog config for multi-log files ##
		1172	##################################################################################
		1173	param_ulogd ()
		1174	{
		1175	# Three instances of ulogd (three different logfiles)
		1176	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1177	nl=1
		1178	for log_type in tracability ssh ext-access
		1179	do
		1180	[ -e /var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
		1181	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1182	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1183	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1184	cat << EOF >> /etc/ulogd-$log_type.conf
		1185	[LOGEMU]
		1186	file="/var/log/firewall/$log_type.log"
		1187	sync=1
		1188	EOF
		1189	nl=`expr $nl + 1`
		1190	done
476	richard	1191	chown -R root:apache /var/log/firewall
		1192	chmod 750 /var/log/firewall
		1193	chmod 640 /var/log/firewall/*
		1194	[ -e /etc/init.d/ulogd.default ] \|\| cp /etc/init.d/ulogd /etc/init.d/ulogd.default
		1195	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
		1196	} # End of param_ulogd ()
		1197
		1198	##################################################################################
1	root	1199	## Fonction param_awstats ##
		1200	## - configuration de l'interface des logs de consultation WEB (AWSTAT) ##
		1201	##################################################################################
		1202	param_awstats()
		1203	{
316	richard	1204	cp -rf /usr/share/awstats/www/ $DIR_ACC/awstats/
		1205	chown -R apache:apache $DIR_ACC/awstats
1	root	1206	cp /etc/awstats/awstats.conf /etc/awstats/awstats.conf.default
		1207	$SED "s?^LogFile=.*?LogFile=\"/var/log/squid/access.log\"?g" /etc/awstats/awstats.conf
		1208	$SED "s?^LogFormat=.*?LogFormat=4?g" /etc/awstats/awstats.conf
		1209	$SED "s?^SiteDomain=.*?SiteDomain=\"$HOSTNAME\"?g" /etc/awstats/awstats.conf
		1210	$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf
		1211	$SED "s?^DNSLookup=.*?DNSLookup=0?g" /etc/awstats/awstats.conf
344	richard	1212	$SED "s?^DirData=.*?DirData=\"/var/lib/awstats\"?g" /etc/awstats/awstats.conf
		1213	$SED "s?^DirIcons=.*?DirIcons=\"/acc/awstats/icon\"?g" /etc/awstats/awstats.conf
1	root	1214	$SED "s?^StyleSheet=.*?StyleSheet=\"/css/style.css\"?g" /etc/awstats/awstats.conf
		1215	$SED "s?^BuildReportFormat=.*?BuildReportFormat=xhtml?g" /etc/awstats/awstats.conf
59	richard	1216	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
580	richard	1217	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
		1218	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
		1219	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
		1220	$SED "s?^ShowMonthStats=.*?ShowMonthStats=VPHB?g" /etc/awstats/awstats.conf
		1221	$SED "s?^ShowDaysOfMonthStats=.*?ShowDaysOfMonthStats=PHB?g" /etc/awstats/awstats.conf
		1222	$SED "s?^ShowDaysOfWeekStats=.*?ShowDaysOfWeekStats=PHB?g" /etc/awstats/awstats.conf
		1223	$SED "s?^ShowHoursStats=.*?ShowHoursStats=PHB?g" /etc/awstats/awstats.conf
		1224	$SED "s?^ShowDomainsStats=.*?ShowDomainsStats=0?g" /etc/awstats/awstats.conf
		1225	$SED "s?^ShowHostsStats=.*?ShowHostsStats=0?g" /etc/awstats/awstats.conf
		1226	$SED "s?^ShowAuthenticatedUsers=.*?ShowAuthenticatedUsers=0?g" /etc/awstats/awstats.conf
		1227	$SED "s?^ShowRobotsStats=.*?ShowRobotsStats=0?g" /etc/awstats/awstats.conf
		1228	$SED "s?^ShowFileTypesStats=.*?ShowFileTypesStats=0?g" /etc/awstats/awstats.conf
		1229	$SED "s?^ShowFileSizesStats=.*?ShowFileSizesStats=0?g" /etc/awstats/awstats.conf
		1230	$SED "s?^ShowOSStats=.*?ShowOSStats=0?g" /etc/awstats/awstats.conf
		1231	$SED "s?^ShowScreenSizeStats=.*?ShowScreenSizeStats=0?g" /etc/awstats/awstats.conf
		1232
1	root	1233	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	1234	<Directory $DIR_ACC/awstats>
1	root	1235	SSLRequireSSL
		1236	Options ExecCGI
		1237	AddHandler cgi-script .pl
		1238	DirectoryIndex awstats.pl
		1239	Order deny,allow
		1240	Deny from all
		1241	Allow from 127.0.0.1
		1242	Allow from $PRIVATE_NETWORK_MASK
990	franck	1243	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	1244	require valid-user
		1245	AuthType digest
		1246	AuthName $HOSTNAME
		1247	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	1248	AuthUserFile $DIR_DEST_ETC/digest/key_admin
580	richard	1249	ErrorDocument 404 https://$HOSTNAME/
1	root	1250	</Directory>
		1251	SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
		1252	EOF
		1253	} # End of param_awstats ()
		1254
		1255	##########################################################
235	richard	1256	## Fonction param_dnsmasq ##
1	root	1257	##########################################################
219	jeremy	1258	param_dnsmasq ()
		1259	{
		1260	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
259	richard	1261	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
503	richard	1262	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1263	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1264	cat << EOF > /etc/dnsmasq.conf
520	richard	1265	# Configuration file for "dnsmasq in forward mode"
503	richard	1266	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1267	listen-address=$PRIVATE_IP
		1268	listen-address=127.0.0.1
286	richard	1269	no-dhcp-interface=$INTIF
259	richard	1270	bind-interfaces
		1271	cache-size=256
		1272	domain=$DOMAIN
		1273	domain-needed
		1274	expand-hosts
		1275	bogus-priv
		1276	filterwin2k
		1277	server=$DNS1
		1278	server=$DNS2
498	richard	1279	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1280	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1281	dhcp-option=option:router,$PRIVATE_IP
259	richard	1282	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1283
291	franck	1284	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1285	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1286	EOF
520	richard	1287	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
		1288	cat << EOF > /etc/dnsmasq-blackhole.conf
		1289	# Configuration file for "dnsmasq with blackhole"
		1290	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1291	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1292	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1293	listen-address=$PRIVATE_IP
		1294	port=54
		1295	no-dhcp-interface=$INTIF
		1296	bind-interfaces
		1297	cache-size=256
		1298	domain=$DOMAIN
		1299	domain-needed
		1300	expand-hosts
		1301	bogus-priv
		1302	filterwin2k
		1303	server=$DNS1
		1304	server=$DNS2
		1305	EOF
718	franck	1306
800	richard	1307	# Init file modification
503	richard	1308	[ -e /etc/init.d/dnsmasq.default ] \|\| cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
800	richard	1309	# Start and stop a 2nd process for the "DNS blackhole"
520	richard	1310	$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq
503	richard	1311	$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq
800	richard	1312	# Start after chilli (65) which create tun0
		1313	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
933	franck	1314	# Optionnellement on pré-active les logs DNS des clients
786	richard	1315	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
933	franck	1316	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
1144	franck	1317	# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
		1318	echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
933	franck	1319	# Optionnellement, exemple de configuration avec un A.D.
1144	franck	1320	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
308	richard	1321	} # End dnsmasq
		1322
		1323	##########################################################
		1324	## Fonction BL (BlackList) ##
		1325	##########################################################
		1326	BL ()
		1327	{
		1328	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1329	rm -rf $DIR_DG/lists/blacklists
		1330	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1331	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1332	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1333	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1334	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
309	richard	1335	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1336	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1337	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1338	touch $DIR_DG/lists/exceptionsitelist
		1339	touch $DIR_DG/lists/exceptionurllist
311	richard	1340	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1341	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1342	# Dansguardian filter config for ALCASAR
		1343	EOF
648	richard	1344	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1345	# Dansguardian domain filter config for ALCASAR
		1346	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1347	#**
		1348	# block all SSL and CONNECT tunnels
		1349	**s
		1350	# block all SSL and CONNECT tunnels specified only as an IP
		1351	*ips
		1352	# block all sites specified only by an IP
		1353	*ip
		1354	EOF
1000	richard	1355	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1356	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1357	# Bing - add 'adlt=strict'
		1358	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1359	# Youtube - add 'edufilter=your_ID'
885	richard	1360	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1361	EOF
1000	richard	1362	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1363	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1364	chown -R dansguardian:apache $DIR_DG
		1365	chmod -R g+rw $DIR_DG
786	richard	1366	# On adapte la BL de Toulouse à notre structure
654	richard	1367	if [ "$mode" != "update" ]; then
		1368	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1369	fi
308	richard	1370	}
219	jeremy	1371
1	root	1372	##########################################################
		1373	## Fonction cron ##
		1374	## - Mise en place des différents fichiers de cron ##
		1375	##########################################################
		1376	cron ()
		1377	{
		1378	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1379	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1380	cat <<EOF > /etc/crontab
		1381	SHELL=/bin/bash
		1382	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1383	MAILTO=root
		1384	HOME=/
		1385
		1386	# run-parts
		1387	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1388	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1389	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1390	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1391	EOF
		1392	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1393	cat <<EOF >> /etc/anacrontab
667	franck	1394	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1395	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1396	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1397	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1398	EOF
667	franck	1399	cat <<EOF > /etc/cron.d/alcasar-clean_log
713	franck	1400	# suppression des fichiers de logs de plus d'un an (tous les lundi à 4h30)
865	richard	1401	30 4 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --clean
1	root	1402	EOF
811	richard	1403	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1404	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1405	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1406	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1407	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1408	EOF
667	franck	1409	cat <<EOF > /etc/cron.d/alcasar-export_log
713	franck	1410	# export des log squid, firewall et apache (tous les lundi à 5h00)
865	richard	1411	00 5 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --export
1	root	1412	EOF
952	franck	1413	cat <<EOF > /etc/cron.d/alcasar-archive
		1414	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1415	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1416	EOF
1	root	1417	cat << EOF > /etc/cron.d/awstats
713	franck	1418	# mise à jour des stats de consultation WEB toutes les 30'
419	franck	1419	/30 * * * root $DIR_ACC/awstats/awstats.pl -config=localhost -update >/dev/null 2>&1
1	root	1420	EOF
667	franck	1421	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1422	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1423	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1424	EOF
722	franck	1425	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1426	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1427	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1428	EOF
1	root	1429	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1430	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1431	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1432	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1433	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1434	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1435	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1436	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1437	rm -f /etc/cron.daily/freeradius-web
		1438	rm -f /etc/cron.monthly/freeradius-web
		1439	cat << EOF > /etc/cron.d/freeradius-web
		1440	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1441	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1442	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1443	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1444	EOF
671	franck	1445	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1446	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1447	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1448	EOF
808	franck	1449	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1450	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1451	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1452	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1453	EOF
522	richard	1454	# suppression des crons usagers
		1455	rm -f /var/spool/cron/*
1	root	1456	} # End cron
		1457
		1458	##################################################################
		1459	## Fonction post_install ##
		1460	## - Modification des bannières (locales et ssh) et des prompts ##
		1461	## - Installation de la structure de chiffrement pour root ##
		1462	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1463	## - Mise en place du la rotation des logs ##
5	franck	1464	## - Configuration dans le cas d'une mise à jour ##
1	root	1465	##################################################################
		1466	post_install()
		1467	{
		1468	# adaptation du script "chien de garde" (watchdog)
376	franck	1469	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1470	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1471	# création de la bannière locale
1007	richard	1472	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1473	cp -f $DIR_CONF/banner /etc/mageia-release
		1474	echo " V$VERSION" >> /etc/mageia-release
1	root	1475	# création de la bannière SSH
1007	richard	1476	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1477	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1478	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1479	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1480	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1481	# postfix banner anonymisation
		1482	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1483	# sshd écoute côté LAN et WAN
1	root	1484	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1485	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1486	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1487	echo "SSH=off" >> $CONF_FILE
1063	richard	1488	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1489	echo "QOS=off" >> $CONF_FILE
		1490	echo "LDAP=off" >> $CONF_FILE
786	richard	1491	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1492	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
628	richard	1493	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
		1494	echo "DNS_FILTERING=off" >> $CONF_FILE
885	richard	1495	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1496	echo "MULTIWAN=off" >> $CONF_FILE
		1497	echo "FAILOVER=30" >> $CONF_FILE
		1498	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
		1499	echo "#WAN1=\"1,eth0:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1500	echo "#WAN2=\"1,eth0:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1501	# Coloration des prompts
		1502	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1503	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1504	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1505	# Droits d'exécution pour utilisateur apache et sysadmin
		1506	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1507	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1508	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
132	franck	1509	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, squid, radiusd, ulogd)
1	root	1510	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1511	chmod 644 /etc/logrotate.d/*
714	franck	1512	# rectification sur versions précédentes de la compression des logs
706	franck	1513	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1514	# actualisation des fichiers logs compressés
714	franck	1515	for dir in firewall squid dansguardian httpd
706	franck	1516	do
714	franck	1517	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1518	done
		1519	# export des logs en 'retard' dans /var/Save/logs
865	richard	1520	/usr/local/bin/alcasar-log.sh --export
1	root	1521	# processus lancés par défaut au démarrage
796	richard	1522	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
1	root	1523	do
		1524	/sbin/chkconfig --add $i
		1525	done
1005	richard	1526
1118	franck	1527	cat << EOF > /etc/rc.local
		1528	/usr/local/sbin/alcasar-load_balancing.sh start &
		1529	sleep 3
		1530	service radiusd restart
		1531	EOF
953	franck	1532
1005	richard	1533	# On applique les préconisations ANSSI
		1534	# Apply French Security Agency rules
568	richard	1535	# ignorer les broadcast ICMP. (attaque smurf)
		1536	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
		1537	# ignorer les erreurs ICMP bogus
		1538	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
595	richard	1539	# désactiver l'envoi et la réponse aux ICMP redirects
679	richard	1540	sysctl -w net.ipv4.conf.all.accept_redirects=0
568	richard	1541	accept_redirect=`grep accept_redirect /etc/sysctl.conf\|wc -l`
		1542	if [ "$accept_redirect" == "0" ]
		1543	then
679	richard	1544	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
		1545	else
		1546	$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
568	richard	1547	fi
679	richard	1548	sysctl -w net.ipv4.conf.all.send_redirects=0
568	richard	1549	send_redirect=`grep send_redirect /etc/sysctl.conf\|wc -l`
		1550	if [ "$send_redirect" == "0" ]
		1551	then
679	richard	1552	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
		1553	else
		1554	$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
568	richard	1555	fi
		1556	# activer les SYN Cookies (attaque syn flood)
679	richard	1557	sysctl -w net.ipv4.tcp_syncookies=1
568	richard	1558	tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf\|wc -l`
		1559	if [ "$tcp_syncookies" == "0" ]
		1560	then
679	richard	1561	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
		1562	else
		1563	$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
568	richard	1564	fi
595	richard	1565	# activer l'antispoofing niveau Noyau
568	richard	1566	sysctl -w net.ipv4.conf.all.rp_filter=1
		1567	# ignorer le source routing
679	richard	1568	sysctl -w net.ipv4.conf.all.accept_source_route=0
568	richard	1569	accept_source_route=`grep accept_source_route /etc/sysctl.conf\|wc -l`
		1570	if [ "$accept_source_route" == "0" ]
		1571	then
679	richard	1572	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
		1573	else
		1574	$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
568	richard	1575	fi
679	richard	1576	# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
		1577	sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
		1578	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`
		1579	if [ "$timeout_established" == "0" ]
		1580	then
		1581	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
		1582	else
793	richard	1583	$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
679	richard	1584	fi
1114	richard	1585	# disable log_martians (ALCASAR is often installed between two private network addresses)
568	richard	1586	sysctl -w net.ipv4.conf.all.log_martians=0
306	richard	1587	# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1005	richard	1588	# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
59	richard	1589	# modification /etc/inittab
		1590	[ -e /etc/inittab.default ] \|\| cp /etc/inittab /etc/inittab.default
1003	richard	1591	# We keep only 3 TTYs
59	richard	1592	$SED "s?^4.*?#&?g" /etc/inittab
		1593	$SED "s?^5.*?#&?g" /etc/inittab
		1594	$SED "s?^6.*?#&?g" /etc/inittab
1003	richard	1595	# switch to multi-users runlevel (instead of x11)
		1596	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
		1597	$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
1005	richard	1598	# GRUB modifications
		1599	# limit wait time to 3s
		1600	# create an alcasar entry instead of linux-nonfb
		1601	# change display to 1024*768 (vga791)
470	richard	1602	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1005	richard	1603	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1604	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1605	$SED "/^kernel/s/vga=.*/vga=791/" /boot/grub/menu.lst
1076	richard	1606	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1007	richard	1607	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1005	richard	1608
1003	richard	1609	# Remove unused services and users
1007	richard	1610	for old_svc in alsa sound dm
532	richard	1611	do
1007	richard	1612	/sbin/chkconfig --del $old_svc
532	richard	1613	done
1008	richard	1614	for svc in snmpd.service sshd.service
1007	richard	1615	do
1008	richard	1616	/bin/systemctl disable $svc
1007	richard	1617	done
532	richard	1618	for rm_users in avahi-autoipd avahi icapd
		1619	do
		1620	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1621	if [ "$user" == "$rm_users" ]
		1622	then
		1623	/usr/sbin/userdel -f $rm_users
		1624	fi
		1625	done
1060	richard	1626	# Load and apply the previous conf file
5	franck	1627	if [ "$mode" = "update" ]
		1628	then
389	franck	1629	$DIR_DEST_BIN/alcasar-conf.sh --load
1060	richard	1630	PARENT_SCRIPT=`basename $0`
		1631	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1632	$DIR_DEST_BIN/alcasar-conf.sh --apply
628	richard	1633	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1634	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
5	franck	1635	fi
595	richard	1636	rm -f /tmp/alcasar-conf*
434	richard	1637	chown -R root:apache $DIR_DEST_ETC/*
512	richard	1638	chmod -R 660 $DIR_DEST_ETC/*
1041	richard	1639	chmod ug+x $DIR_DEST_ETC/digest
1133	franck	1640
		1641	# correction temporaire du bug du paquet ethtool
		1642	[ -e /sbin/ethtool ] \|\| ln -s /usr/sbin/ethtool /sbin/ethtool
		1643
1045	franck	1644	# Apply and save the firewall rules
		1645	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1646	sleep 2
1	root	1647	cd $DIR_INSTALL
5	franck	1648	echo ""
1	root	1649	echo "#############################################################################"
638	richard	1650	if [ $Lang == "fr" ]
		1651	then
		1652	echo "# Fin d'installation d'ALCASAR #"
		1653	echo "# #"
		1654	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1655	echo "# des Accès au Réseau ( ALCASAR ) #"
		1656	echo "# #"
		1657	echo "#############################################################################"
		1658	echo
		1659	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1660	echo
		1661	echo "- Lisez attentivement la documentation d'exploitation"
		1662	echo
		1663	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1664	echo
		1665	echo " Appuyez sur 'Entrée' pour continuer"
		1666	else
		1667	echo "# Enf of ALCASAR install process #"
		1668	echo "# #"
		1669	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1670	echo "# des Accès au Réseau ( ALCASAR ) #"
		1671	echo "# #"
		1672	echo "#############################################################################"
		1673	echo
		1674	echo "- The system will be rebooted in order to operate ALCASAR"
		1675	echo
		1676	echo "- Read the exploitation documentation"
		1677	echo
		1678	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1679	echo
		1680	echo " Hit 'Enter' to continue"
		1681	fi
815	richard	1682	sleep 2
		1683	if [ "$mode" != "update" ]
820	richard	1684	then
815	richard	1685	read a
		1686	fi
774	richard	1687	clear
1045	franck	1688
1	root	1689	reboot
		1690	} # End post_install ()
		1691
		1692	#################################
1005	richard	1693	# Main Install loop #
1	root	1694	#################################
832	richard	1695	dir_exec=`dirname "$0"`
		1696	if [ $dir_exec != "." ]
		1697	then
		1698	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1699	echo "Launch this program from the ALCASAR archive directory"
		1700	exit 0
		1701	fi
		1702	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1703	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1704	nb_args=$#
		1705	args=$1
		1706	if [ $nb_args -eq 0 ]
		1707	then
		1708	nb_args=1
		1709	args="-h"
		1710	fi
1062	richard	1711	chmod -R u+x $DIR_SCRIPTS/*
1	root	1712	case $args in
		1713	-\? \| -h* \| --h*)
		1714	echo "$usage"
		1715	exit 0
		1716	;;
291	franck	1717	-i \| --install)
959	franck	1718	license
5	franck	1719	header_install
29	richard	1720	testing
597	richard	1721	# Test if ALCASAR is already installed
5	franck	1722	if [ -e $DIR_WEB/VERSION ]
1	root	1723	then
460	richard	1724	actual_version=`cat $DIR_WEB/VERSION`
595	richard	1725	if [ $Lang == "fr" ]
		1726	then echo -n "La version "; echo -n $actual_version ; echo " d'ALCASAR est déjà installée";
		1727	else echo -n "ALCASAR Version "; echo -n $actual_version ; echo " is already installed";
		1728	fi
5	franck	1729	response=0
460	richard	1730	PTN='^[oOnNyY]$'
580	richard	1731	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1732	do
595	richard	1733	if [ $Lang == "fr" ]
		1734	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		1735	else echo -n "Do you want to update (Y/n)?";
		1736	fi
5	franck	1737	read response
		1738	done
597	richard	1739	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
5	franck	1740	then
597	richard	1741	rm -f /tmp/alcasar-conf*
		1742	else
636	richard	1743	# Create a backup of running version importants files
389	franck	1744	$DIR_SCRIPTS/alcasar-conf.sh --create
532	richard	1745	mode="update"
5	franck	1746	fi
1	root	1747	fi
595	richard	1748	# RPMs install
		1749	$DIR_SCRIPTS/alcasar-urpmi.sh
		1750	if [ "$?" != "0" ]
1	root	1751	then
595	richard	1752	exit 0
		1753	fi
		1754	if [ -e $DIR_WEB/VERSION ]
		1755	then
597	richard	1756	# Uninstall the running version
532	richard	1757	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1758	fi
636	richard	1759	# Test if manual update
1057	richard	1760	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" != "update" ]
595	richard	1761	then
636	richard	1762	header_install
595	richard	1763	if [ $Lang == "fr" ]
636	richard	1764	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1765	else echo "The configuration file of an old version has been found";
595	richard	1766	fi
597	richard	1767	response=0
		1768	PTN='^[oOnNyY]$'
		1769	until [[ $(expr $response : $PTN) -gt 0 ]]
		1770	do
		1771	if [ $Lang == "fr" ]
		1772	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1773	else echo -n "Do you want to use it (Y/n)?";
		1774	fi
		1775	read response
		1776	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1777	then rm -f /tmp/alcasar-conf*
		1778	fi
		1779	done
		1780	fi
636	richard	1781	# Test if update
1057	richard	1782	if [ -e /tmp/alcasar-conf* ]
597	richard	1783	then
		1784	if [ $Lang == "fr" ]
		1785	then echo "#### Installation avec mise à jour ####";
		1786	else echo "#### Installation with update ####";
		1787	fi
636	richard	1788	# Extract the central configuration file
1057	richard	1789	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1790	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1791	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1792	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1793	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1794	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1795	mode="update"
		1796	else
		1797	mode="install"
1	root	1798	fi
604	richard	1799	for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install
5	franck	1800	do
		1801	$func
1148	crox53	1802	echo "* 'debug' : end of function $func *"; read a
14	richard	1803	done
5	franck	1804	;;
291	franck	1805	-u \| --uninstall)
5	franck	1806	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1807	then
597	richard	1808	if [ $Lang == "fr" ]
		1809	then echo "ALCASAR n'est pas installé!";
		1810	else echo "ALCASAR isn't installed!";
		1811	fi
1	root	1812	exit 0
		1813	fi
5	franck	1814	response=0
		1815	PTN='^[oOnN]$'
580	richard	1816	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1817	do
597	richard	1818	if [ $Lang == "fr" ]
		1819	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1820	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1821	fi
5	franck	1822	read response
		1823	done
1103	richard	1824	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1825	then
1103	richard	1826	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	1827	else
		1828	rm -f /tmp/alcasar-conf*
1	root	1829	fi
597	richard	1830	# Uninstall the running version
65	richard	1831	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1832	;;
		1833	*)
		1834	echo "Argument inconnu :$1";
460	richard	1835	echo "Unknown argument :$1";
1	root	1836	echo "$usage"
		1837	exit 1
		1838	;;
		1839	esac
10	franck	1840	# end of script
366	franck	1841

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1148