/alcasar.sh |
887,7 → 887,7 |
[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default |
$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf |
$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf |
systemctl start mysqld.service |
/usr/bin/systemctl start mysqld.service |
sleep 4 |
mysqladmin -u root password $mysqlpwd |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec" |
902,7 → 902,7 |
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default |
$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service |
$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service |
systemctl daemon-reload |
/usr/bin/systemctl daemon-reload |
} # End of init_db () |
########################################################################## |
971,7 → 971,7 |
# make certain that mysql is up before radius start |
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service |
systemctl daemon-reload |
/usr/bin/systemctl daemon-reload |
} # End radius () |
########################################################################## |
1448,7 → 1448,7 |
# Add the listen port to collect netflow packet (nfcapd) |
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm |
# expire delay for the profile "live" |
systemctl start nfsen |
/usr/bin/systemctl start nfsen |
/bin/nfsen -m live -e 62d 2>/dev/null |
# add SURFmap plugin |
cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/ |
1887,13 → 1887,13 |
# processes launched at boot time (Systemctl) |
for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat |
do |
systemctl -q enable $i.service |
/usr/bin/systemctl -q enable $i.service |
done |
# disable processes at boot time (Systemctl) |
for i in ulogd |
do |
systemctl -q disable $i.service |
/usr/bin/systemctl -q disable $i.service |
done |
# Apply French Security Agency (ANSSI) rules |
1931,7 → 1931,7 |
# Remove unused services and users |
for svc in sshd |
do |
/bin/systemctl -q disable $svc.service |
/usr/bin/systemctl -q disable $svc.service |
done |
# Load and apply the previous conf file |
if [ "$mode" = "update" ] |
/conf/logrotate.d/ulogd |
12,7 → 12,7 |
dateext |
sharedscripts |
postrotate |
systemctl restart ulogd-traceability |
/usr/bin/systemctl restart ulogd-traceability |
endscript |
} |
/var/log/firewall/ssh.log { |
23,7 → 23,7 |
dateext |
sharedscripts |
postrotate |
systemctl restart ulogd-ssh |
/usr/bin/systemctl restart ulogd-ssh |
endscript |
} |
/var/log/firewall/ext-access.log { |
34,6 → 34,6 |
dateext |
sharedscripts |
postrotate |
systemctl restart ulogd-ext-access |
/usr/bin/systemctl restart ulogd-ext-access |
endscript |
} |
/conf/sudoers |
23,7 → 23,7 |
Cmnd_Alias NF=/usr/local/sbin/alcasar-nf.sh,/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset # pour gérer le filtrage réseau |
Cmnd_Alias LOGOUT=/usr/local/sbin/alcasar-logout.sh # pour déconnecter les usagers |
Cmnd_Alias UAM=/usr/local/sbin/alcasar-uamallowed.sh # pour gérer les site de confiance (uamallowed) |
Cmnd_Alias SERVICE=/sbin/service,/usr/bin/killall,/sbin/chkconfig,/bin/systemctl # pour gérer les services |
Cmnd_Alias SERVICE=/usr/bin/systemctl # pour gérer les services |
Cmnd_Alias GAMMU=/usr/local/bin/alcasar-sms.sh # pour gérer le service d'autoinscription par SMS |
Cmnd_Alias SSL=/usr/bin/openssl # pour récupérer les info des certificats |
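Review bot: `Cmnd_Alias SERVICE=/usr/bin/systemctl` drops service/killall/chkconfig but still allows every systemctl subcommand on every unit, and because systemctl has subcommands that create and edit unit files, an unrestricted alias is in practice unrestricted root for whichever account this alias is granted to. List the subcommand/unit pairs the web interface actually uses — start/stop/restart for the units in services.php's `$autorizeService` array, enable/disable for sshd, and `reboot` and `halt` for the new system actions — instead of the bare binary. Enumerate rather than wildcard, since a sudoers `*` also matches spaces and so would match a second subcommand appended to the line. The Cmnd_Alias list continues outside the hunk.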
/scripts/alcasar-conf.sh |
148,9 → 148,9 |
ssh_active=`grep SSH= $CONF_FILE|cut -d"=" -f2` |
if [ $ssh_active = "on" ] |
then |
systemctl -q enable sshd.service |
/usr/bin/systemctl -q enable sshd.service |
else |
systemctl -q disable sshd.service |
/usr/bin/systemctl -q disable sshd.service |
fi |
# Remove the update folder |
rm -rf $DIR_UPDATE |
216,7 → 216,7 |
echo -n "Stop services : " |
for i in ntpd httpd tinyproxy dnsmasq dnsmasq-whitelist dnsmasq-blacklist chilli network |
do |
systemctl stop $i && echo -n "$i, " |
/usr/bin/systemctl stop $i && echo -n "$i, " |
done |
echo |
fi |
282,12 → 282,12 |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
then |
# Services start |
systemctl start network && echo -n "Start service : network" && sleep 1 |
/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1 |
$DIR_SBIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", coova" # apply DHCP mode and start coova |
for i in dnsmasq httpd tinyproxy ntpd |
do |
sleep 1 |
systemctl start $i && echo -n ", $i" |
/usr/bin/systemctl start $i && echo -n ", $i" |
done |
$DIR_SBIN/alcasar-bl.sh -reload && echo ", dnsmasq-blacklist, dnsmasq-whitelist, iptables" |
fi |
295,16 → 295,16 |
ssh_active=`grep SSH= $CONF_FILE|cut -d"=" -f2` |
if [ $ssh_active = "on" ] |
then |
/bin/systemctl enable sshd.service |
/usr/bin/systemctl enable sshd.service |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
then |
/bin/systemctl start sshd.service |
/usr/bin/systemctl start sshd.service |
fi |
else |
/bin/systemctl disable sshd.service |
/usr/bin/systemctl disable sshd.service |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
then |
/bin/systemctl stop sshd.service |
/usr/bin/systemctl stop sshd.service |
fi |
fi |
;; |
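Review bot: `if [ $ssh_active = "on" ]` leaves `$ssh_active` unquoted, so when `grep SSH= $CONF_FILE` finds no line the test collapses to `[ = on ]`, fails with a syntax error, and the else branch disables sshd as a side effect of a parse problem rather than of the configured value; the same two lines recur at the start of the third hunk. `grep SSH=` also matches any key that merely ends in `SSH=`, so anchor it: `ssh_active=$(grep '^SSH=' "$CONF_FILE" | cut -d= -f2)` and `if [ "$ssh_active" = "on" ]`. The enclosing case arm and function start outside the hunk.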
/scripts/alcasar-daemon.sh |
13,11 → 13,11 |
SERVICES="mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd" |
function ServiceTest () { |
CMD=`systemctl is-active $s` |
CMD=`/usr/bin/systemctl is-active $s` |
if [ $CMD != "active" ] |
then |
logger -i "!! $s is inactive. Activation attempt" |
systemctl start $s.service |
/usr/bin/systemctl start $s.service |
fi |
} |
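Review bot: ServiceTest starts any listed unit that is not `active`, and `SERVICES` on the line above includes `sshd`, so a portal whose administrator turned SSH off (alcasar-conf.sh disables sshd when SSH=off) would have it brought back by this watchdog unless the loop that sets `$s` filters it — that loop is outside the hunk, so I can't confirm. Gating on the unit's enabled state keeps the watchdog consistent with the administrator's choice: `if [ "$CMD" != "active" ] && [ "$(/usr/bin/systemctl is-enabled $s 2>/dev/null)" = "enabled" ]`. `$s` is read as an implicit global rather than passed as a parameter, and `$CMD` should be quoted in the test.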
/scripts/sbin/alcasar-bl.sh |
225,8 → 225,8 |
cp -f $DIR_DG_BL/ossi/domains $DIR_DNS_BL/ossi.conf |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $DIR_DNS_BL/ossi.conf |
cp -f $DIR_DG_BL/ossi/domains_wl $DIR_DNS_WL/ossi.conf |
systemctl restart dnsmasq-blacklist |
systemctl restart dnsmasq-whitelist |
/usr/bin/systemctl restart dnsmasq-blacklist |
/usr/bin/systemctl restart dnsmasq-whitelist |
/usr/local/bin/alcasar-iptables.sh |
;; |
*) |
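Review bot: A blank line in `$DIR_DG_BL/ossi/domains` comes out of the `s?.*?address=/&/$PRIVATE_IP?g` substitution as `address=//$PRIVATE_IP`; how dnsmasq interprets an empty domain in `address=` I can't confirm from here, so it is safer not to emit it — drop empty lines in the same pass: `$SED "/^$/d;s?.*?address=/&/$PRIVATE_IP?g" $DIR_DNS_BL/ossi.conf`. The two `/usr/bin/systemctl restart` calls have no failure check, so a rejected configuration leaves the blacklist or whitelist resolver down while the script goes on to reload iptables; an `|| logger ...` after each would at least record it. The case arm starts outside the hunk.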
/scripts/sbin/alcasar-bypass.sh |
43,7 → 43,7 |
$SED "s?^#no-dhcp-interface=$INTIF?no-dhcp-interface=$INTIF?g" /etc/dnsmasq.conf |
$SED "s?^#no-dhcp-interface=tun0?no-dhcp-interface=tun0?g" /etc/dnsmasq.conf |
$SED "s?^#no-dhcp-interface=lo?no-dhcp-interface=lo?g" /etc/dnsmasq.conf |
systemctl restart dnsmasq |
/usr/bin/systemctl restart dnsmasq |
/usr/bin/systemctl start chilli |
sh /usr/local/bin/alcasar-iptables.sh |
# activation of the "daemon-watchdog" every 18' |
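Review bot: `sh /usr/local/bin/alcasar-iptables.sh` runs the firewall script through `sh`, bypassing its own shebang, while the other call sites in this changeset (alcasar-bl.sh and services.php) execute it directly; if that script uses bash-only constructs, the bypass-mode rule set would not be applied as written. Invoke it the same way everywhere: `/usr/local/bin/alcasar-iptables.sh`. The three `no-dhcp-interface` edits and the two `systemctl` calls carry no error check, so a failed dnsmasq restart in bypass mode goes unnoticed.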
/scripts/sbin/alcasar-uninstall.sh |
21,7 → 21,7 |
for i in alcasar-load_balancing freshclam ntpd dansguardian httpd radiusd mysqld dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy havp nfsen chilli fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability vnstat |
do |
[ -e /lib/systemd/system/$i.service ] && systemctl disable $i.service && systemctl stop $i.service 1>/dev/null |
[ -e /lib/systemd/system/$i.service ] && /usr/bin/systemctl disable $i.service && /usr/bin/systemctl stop $i.service 1>/dev/null |
done |
echo "Reset ALCASAR main functions : " |
61,7 → 61,7 |
echo -en "\n- init_db(2) : " |
[ -e /etc/my.cnf.default ] && mv -f /etc/my.cnf.default /etc/my.cnf && echo -n "1, " |
[ -e /lib/systemd/system/mysqld.service.default ] && mv -f /lib/systemd/system/mysqld.service.default /lib/systemd/system/mysqld.service && echo -n "2" |
systemctl daemon-reload |
/usr/bin/systemctl daemon-reload |
rm -rf /var/lib/mysql |
sleep 1 |
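Review bot: The new line in the first hunk chains `disable` and `stop` with `&&`, so if `/usr/bin/systemctl disable $i.service` exits non-zero for a unit the `stop` is never attempted and that service is left running after uninstall. Group the two so both run: `[ -e /lib/systemd/system/$i.service ] && { /usr/bin/systemctl disable $i.service; /usr/bin/systemctl stop $i.service 1>/dev/null; }`. The existence test only looks under /lib/systemd/system, so a unit installed under /etc/systemd/system would be skipped entirely — whether any of the listed units live there I can't tell from this hunk.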
/web/acc/admin/services.php |
35,6 → 35,10 |
$l_ulogd_ssh = "journalisation des accès par SSH"; |
$l_ulogd_ext_access = "journalisation des tentatives d'accès externes"; |
$l_ulogd_traceability = "journalisation des connexions WEB filtrés"; |
$l_execute = "Exécuter"; |
$l_stop_restart = "Arret et redémarrage du système"; |
$l_halt = "Arréter le système"; |
$l_reboot = "Relancer le système"; |
} else { |
$l_services_title = "Services configuration"; |
$l_main_services = "Main services"; |
65,6 → 69,10 |
$l_ulogd_ssh = "SSH access logging process"; |
$l_ulogd_ext_access = "Extern access attempts logging process"; |
$l_ulogd_traceability = "Filtering WEB access logging process"; |
$l_execute = "Execute"; |
$l_stop_restart = "Halt and restart the system"; |
$l_halt = "Halt le system"; |
$l_reboot = "Restart the system"; |
} |
/**************************************************************** |
86,15 → 94,15 |
//fonction pour faire une action (start,stop,restart) sur un service |
function serviceExec($service, $action){ |
if (($action == "start")||($action == "stop")||($action == "restart")){ |
exec("sudo /bin/systemctl $action $service",$retval, $retstatus); |
exec("sudo /usr/bin/systemctl $action $service",$retval, $retstatus); |
if ($service == "sshd"){ |
if ($action == "start"){ |
exec("sudo /bin/systemctl enable $service"); |
exec("sudo /usr/bin/systemctl enable $service"); |
file_put_contents(CONF_FILE, str_replace('SSH=off', 'SSH=on', file_get_contents(CONF_FILE))); |
exec ("sudo /usr/local/bin/alcasar-iptables.sh"); |
} |
if ($action == "stop"){ |
exec("sudo /sbin/systemctl disable $service"); |
exec("sudo /usr/bin/systemctl disable $service"); |
file_put_contents(CONF_FILE, str_replace('SSH=on', 'SSH=off', file_get_contents(CONF_FILE))); |
exec ("sudo /usr/local/bin/alcasar-iptables.sh"); |
} |
108,7 → 116,7 |
//(en fonction de la présence d'un mot clé dans la valeur de status) |
function checkServiceStatus($service){ |
$response = false; |
exec("/bin/systemctl is-active $service.service",$retval); |
exec("/usr/bin/systemctl is-active $service.service",$retval); |
foreach( $retval as $val ) { |
if ($val == "active"){ |
$response = true; |
119,7 → 127,7 |
} |
//------------------------------- |
// Les actions sur un service |
// Actions on services |
//------------------------------- |
//sécurité sur les actions à réaliser |
$autorizeService = array("radiusd","chilli","dansguardian","mysqld","httpd","sshd","freshclam","ntpd","havp","tinyproxy","dnsmasq","dnsmasq-blacklist","dnsmasq-whitelist","dnsmasq-blackhole"); |
132,6 → 140,23 |
} |
} |
//------------------------------- |
// Actions on system |
//------------------------------- |
if (isset($_POST['choix'])){ |
switch ($_POST['choix']){ |
case 'reboot' : |
exec ("sudo /usr/local/sbin/alcasar-logout.sh all"); |
exec ("sudo /usr/bin/systemctl reboot"); |
break; |
case 'halt' : |
exec ("sudo /usr/local/sbin/alcasar-logout.sh all"); |
exec ("sudo /usr/bin/systemctl halt"); |
break; |
} |
} |
//------------------------------- |
//recherche du status des services |
//------------------------------- |
$MainServiceStatus = array(); |
183,7 → 208,7 |
<td align="center"><img src="/images/state_ok.gif" width="15" height="15" alt="<?php echo $l_service_status_img_ok; ?>"></td> |
<td align="center"><?php $comment="l_$serviceName"; echo "<b>$serviceName</b></td><td>${$comment}" ;?> </td> |
<td width="80" align="center">---</td> |
<td width="80" align="center"><?php if ($serviceName != "chilli") { echo "<a href=".$_SERVER['PHP_SELF']."?action=stop&service=$serviceName\"> $l_service_stop</a>"; } else echo "---";?></td> |
<td width="80" align="center"><?php if ($serviceName != "chilli") { echo "<a href=\"".$_SERVER['PHP_SELF']."?action=stop&service=$serviceName\"> $l_service_stop</a>"; } else echo "---";?></td> |
<td width="80" align="center"><a href="<?php echo $_SERVER['PHP_SELF']."?action=restart&service=$serviceName\"> $l_service_restart";?></a></td> |
<?php } else { ?> |
<td align="center"><img src="/images/state_error.gif" width="15" height="15" alt="<?php echo $l_service_status_img_ko ?>"></td> |
247,6 → 272,20 |
</tr> |
<?php } ?> |
</td></tr> |
</table> |
<TABLE width="100%" border="0" cellspacing="0" cellpadding="0"> |
<tr><th><? echo $l_stop_restart;?></th></tr> |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr> |
</TABLE> |
<TABLE width="100%" border=1 cellspacing=0 cellpadding=1> |
<tr><td valign="middle" align="left"> |
<FORM action="services.php" method=POST><b> |
<select name='choix'></b> |
<option selected value="reboot"><?echo "$l_reboot";?> |
<option value="halt"><?echo "$l_halt";?> |
</select> |
<input type=submit value="<?echo "$l_execute";?>"> |
</FORM> |
</td></tr> |
</TABLE> |
</body> |
</html> |
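Review bot: The new reboot/halt handler acts on any POST carrying `choix`, with no CSRF token or origin check visible in the hunk, so a page an authenticated administrator happens to view could submit that form and power off or reboot the portal; whatever authentication protects /acc/admin is outside this file, so I can't confirm what it covers. Tie the action to a per-session token verified before the `switch`, or at least require a confirmation step. Separately, the stop link's new line and the restart link below it echo `$_SERVER['PHP_SELF']` unescaped into `href`; use `htmlspecialchars($_SERVER['PHP_SELF'])` or a fixed `services.php`. The new form uses `<?` short tags where the rest of the file uses `<?php`, and `$l_halt = "Halt le system"` reads as a typo for "Halt the system".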