

Ignore whitespace Rev 1572 → Rev 1574

/alcasar.sh
887,7 → 887,7
[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
systemctl start mysqld.service
/usr/bin/systemctl start mysqld.service
sleep 4
mysqladmin -u root password $mysqlpwd
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
902,7 → 902,7
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
systemctl daemon-reload
/usr/bin/systemctl daemon-reload
} # End of init_db ()
 
##########################################################################
971,7 → 971,7
# make certain that mysql is up before radius start
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
systemctl daemon-reload
/usr/bin/systemctl daemon-reload
} # End radius ()
 
##########################################################################
1448,7 → 1448,7
# Add the listen port to collect netflow packet (nfcapd)
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
# expire delay for the profile "live"
systemctl start nfsen
/usr/bin/systemctl start nfsen
/bin/nfsen -m live -e 62d 2>/dev/null
# add SURFmap plugin
cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1887,13 → 1887,13
# processes launched at boot time (Systemctl)
for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
do
systemctl -q enable $i.service
/usr/bin/systemctl -q enable $i.service
done
# disable processes at boot time (Systemctl)
for i in ulogd
do
systemctl -q disable $i.service
/usr/bin/systemctl -q disable $i.service
done
# Apply French Security Agency (ANSSI) rules
1931,7 → 1931,7
# Remove unused services and users
for svc in sshd
do
/bin/systemctl -q disable $svc.service
/usr/bin/systemctl -q disable $svc.service
done
# Load and apply the previous conf file
if [ "$mode" = "update" ]
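Review bot: In the init_db hunk the sed that patches mysqld.service now appends `ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop`, whereas the line it replaces appended an `ExecStop=` with the same command, so the accounting cleanup moves from service stop to service start; if that is intended, say so above the sed (e.g. `# close accounting sessions left open by an unclean shutdown`), and if not, restore `ExecStop=`. Either way two checks are missing: sed's `a` only fires when the unit already contains an `ExecStartPost=` line, so a unit without one is silently left unpatched, and each run of init_db appends another copy because the `.default` backup is taken only once. Prefixing the sed with `grep -q 'alcasar-mysql.sh -acct_stop' /lib/systemd/system/mysqld.service ||` covers the duplicate case. Which line is old and which is new is inferred from the page's print order and from the backup path on the line above; init_db starts outside the hunk.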
/conf/logrotate.d/ulogd
12,7 → 12,7
dateext
sharedscripts
postrotate
systemctl restart ulogd-traceability
/usr/bin/systemctl restart ulogd-traceability
endscript
}
/var/log/firewall/ssh.log {
23,7 → 23,7
dateext
sharedscripts
postrotate
systemctl restart ulogd-ssh
/usr/bin/systemctl restart ulogd-ssh
endscript
}
/var/log/firewall/ext-access.log {
34,6 → 34,6
dateext
sharedscripts
postrotate
systemctl restart ulogd-ext-access
/usr/bin/systemctl restart ulogd-ext-access
endscript
}
/conf/sudoers
23,7 → 23,7
Cmnd_Alias NF=/usr/local/sbin/alcasar-nf.sh,/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset # pour gérer le filtrage réseau
Cmnd_Alias LOGOUT=/usr/local/sbin/alcasar-logout.sh # pour déconnecter les usagers
Cmnd_Alias UAM=/usr/local/sbin/alcasar-uamallowed.sh # pour gérer les site de confiance (uamallowed)
Cmnd_Alias SERVICE=/sbin/service,/usr/bin/killall,/sbin/chkconfig,/bin/systemctl # pour gérer les services
Cmnd_Alias SERVICE=/usr/bin/systemctl # pour gérer les services
Cmnd_Alias GAMMU=/usr/local/bin/alcasar-sms.sh # pour gérer le service d'autoinscription par SMS
Cmnd_Alias SSL=/usr/bin/openssl # pour récupérer les info des certificats
 
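Review bot: The SERVICE alias now grants `/usr/bin/systemctl` with no argument restriction, which is effectively root for whoever the alias is assigned to (the user line is outside this hunk): that account can enable or start an arbitrary unit file, not only the services the web interface manages. The callers visible elsewhere in this revision only need start/stop/restart of named services, enable/disable of sshd, and reboot/halt, so enumerate those: `Cmnd_Alias SERVICE=/usr/bin/systemctl start *, /usr/bin/systemctl stop *, /usr/bin/systemctl restart *, /usr/bin/systemctl enable sshd.service, /usr/bin/systemctl disable sshd.service, /usr/bin/systemctl reboot, /usr/bin/systemctl halt`. A sudoers `*` still matches extra words and options, so a wrapper script that validates the unit name against the same whitelist services.php uses would be tighter. `is-active` needs no sudo and is already called without it.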
/scripts/alcasar-conf.sh
148,9 → 148,9
ssh_active=`grep SSH= $CONF_FILE|cut -d"=" -f2`
if [ $ssh_active = "on" ]
then
systemctl -q enable sshd.service
/usr/bin/systemctl -q enable sshd.service
else
systemctl -q disable sshd.service
/usr/bin/systemctl -q disable sshd.service
fi
# Remove the update folder
rm -rf $DIR_UPDATE
216,7 → 216,7
echo -n "Stop services : "
for i in ntpd httpd tinyproxy dnsmasq dnsmasq-whitelist dnsmasq-blacklist chilli network
do
systemctl stop $i && echo -n "$i, "
/usr/bin/systemctl stop $i && echo -n "$i, "
done
echo
fi
282,12 → 282,12
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
# Services start
systemctl start network && echo -n "Start service : network" && sleep 1
/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1
$DIR_SBIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", coova" # apply DHCP mode and start coova
for i in dnsmasq httpd tinyproxy ntpd
do
sleep 1
systemctl start $i && echo -n ", $i"
/usr/bin/systemctl start $i && echo -n ", $i"
done
$DIR_SBIN/alcasar-bl.sh -reload && echo ", dnsmasq-blacklist, dnsmasq-whitelist, iptables"
fi
295,16 → 295,16
ssh_active=`grep SSH= $CONF_FILE|cut -d"=" -f2`
if [ $ssh_active = "on" ]
then
/bin/systemctl enable sshd.service
/usr/bin/systemctl enable sshd.service
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
/bin/systemctl start sshd.service
/usr/bin/systemctl start sshd.service
fi
else
/bin/systemctl disable sshd.service
/usr/bin/systemctl disable sshd.service
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
/bin/systemctl stop sshd.service
/usr/bin/systemctl stop sshd.service
fi
fi
;;
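Review bot: The sshd enable/disable decision in the last hunk keys off `ssh_active=\`grep SSH= $CONF_FILE|cut -d"=" -f2\`` and `[ $ssh_active = "on" ]`: the grep is unanchored, so any other key ending in `SSH=` or a commented-out `#SSH=on` line also matches, and when the key is absent the unquoted test raises a syntax error and falls through to the disable branch. Anchor and quote it: `ssh_active=$(grep '^SSH=' "$CONF_FILE" | cut -d= -f2)` and `if [ "$ssh_active" = "on" ]`. The 148 hunk uses the same pattern. Whether the configuration file can actually contain such keys is not visible here, and the `case` arm this hunk sits in starts outside the hunk.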
/scripts/alcasar-daemon.sh
13,11 → 13,11
SERVICES="mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd"
 
function ServiceTest () {
CMD=`systemctl is-active $s`
CMD=`/usr/bin/systemctl is-active $s`
if [ $CMD != "active" ]
then
logger -i "!! $s is inactive. Activation attempt"
systemctl start $s.service
/usr/bin/systemctl start $s.service
fi
}
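Review bot: ServiceTest is applied to every entry of SERVICES, and that list includes `sshd`, so once the watchdog runs, an SSH daemon the administrator stopped and disabled through the web interface (which sets SSH=off) is started again and the hardening is silently undone; unless something outside this file drops sshd from the list when SSH is off, guard it with `[ "$s" = "sshd" ] && ! /usr/bin/systemctl -q is-enabled sshd.service && return 0` at the top of the function. The status probe can also use the exit code instead of comparing text, `if ! /usr/bin/systemctl -q is-active "$s"; then`, which removes the backticks and the unquoted `$CMD`. `$s` is read from the caller's scope rather than passed as `$1`; the loop that sets it is outside the hunk.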
 
/scripts/sbin/alcasar-bl.sh
225,8 → 225,8
cp -f $DIR_DG_BL/ossi/domains $DIR_DNS_BL/ossi.conf
$SED "s?.*?address=/&/$PRIVATE_IP?g" $DIR_DNS_BL/ossi.conf
cp -f $DIR_DG_BL/ossi/domains_wl $DIR_DNS_WL/ossi.conf
systemctl restart dnsmasq-blacklist
systemctl restart dnsmasq-whitelist
/usr/bin/systemctl restart dnsmasq-blacklist
/usr/bin/systemctl restart dnsmasq-whitelist
/usr/local/bin/alcasar-iptables.sh
;;
*)
/scripts/sbin/alcasar-bypass.sh
43,7 → 43,7
$SED "s?^#no-dhcp-interface=$INTIF?no-dhcp-interface=$INTIF?g" /etc/dnsmasq.conf
$SED "s?^#no-dhcp-interface=tun0?no-dhcp-interface=tun0?g" /etc/dnsmasq.conf
$SED "s?^#no-dhcp-interface=lo?no-dhcp-interface=lo?g" /etc/dnsmasq.conf
systemctl restart dnsmasq
/usr/bin/systemctl restart dnsmasq
/usr/bin/systemctl start chilli
sh /usr/local/bin/alcasar-iptables.sh
# activation of the "daemon-watchdog" every 18'
/scripts/sbin/alcasar-uninstall.sh
21,7 → 21,7
 
for i in alcasar-load_balancing freshclam ntpd dansguardian httpd radiusd mysqld dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy havp nfsen chilli fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability vnstat
do
[ -e /lib/systemd/system/$i.service ] && systemctl disable $i.service && systemctl stop $i.service 1>/dev/null
[ -e /lib/systemd/system/$i.service ] && /usr/bin/systemctl disable $i.service && /usr/bin/systemctl stop $i.service 1>/dev/null
done
 
echo "Reset ALCASAR main functions : "
61,7 → 61,7
echo -en "\n- init_db(2) : "
[ -e /etc/my.cnf.default ] && mv -f /etc/my.cnf.default /etc/my.cnf && echo -n "1, "
[ -e /lib/systemd/system/mysqld.service.default ] && mv -f /lib/systemd/system/mysqld.service.default /lib/systemd/system/mysqld.service && echo -n "2"
systemctl daemon-reload
/usr/bin/systemctl daemon-reload
rm -rf /var/lib/mysql
sleep 1
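Review bot: In the stop loop of the first hunk `disable` and `stop` are chained with `&&`, so a unit whose disable fails (a masked unit, for instance) is never stopped and keeps running through the rest of the uninstall, including the `rm -rf /var/lib/mysql` in the second hunk; run them independently, `/usr/bin/systemctl disable $i.service; /usr/bin/systemctl stop $i.service 1>/dev/null`. The `-e /lib/systemd/system/$i.service` guard also skips any unit installed under /etc/systemd/system; whether ALCASAR ships units there is not visible here.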
 
/web/acc/admin/services.php
35,6 → 35,10
$l_ulogd_ssh = "journalisation des accès par SSH";
$l_ulogd_ext_access = "journalisation des tentatives d'accès externes";
$l_ulogd_traceability = "journalisation des connexions WEB filtrés";
$l_execute = "Exécuter";
$l_stop_restart = "Arret et redémarrage du système";
$l_halt = "Arréter le système";
$l_reboot = "Relancer le système";
} else {
$l_services_title = "Services configuration";
$l_main_services = "Main services";
65,6 → 69,10
$l_ulogd_ssh = "SSH access logging process";
$l_ulogd_ext_access = "Extern access attempts logging process";
$l_ulogd_traceability = "Filtering WEB access logging process";
$l_execute = "Execute";
$l_stop_restart = "Halt and restart the system";
$l_halt = "Halt le system";
$l_reboot = "Restart the system";
}
 
/****************************************************************
86,15 → 94,15
//fonction pour faire une action (start,stop,restart) sur un service
function serviceExec($service, $action){
if (($action == "start")||($action == "stop")||($action == "restart")){
exec("sudo /bin/systemctl $action $service",$retval, $retstatus);
exec("sudo /usr/bin/systemctl $action $service",$retval, $retstatus);
if ($service == "sshd"){
if ($action == "start"){
exec("sudo /bin/systemctl enable $service");
exec("sudo /usr/bin/systemctl enable $service");
file_put_contents(CONF_FILE, str_replace('SSH=off', 'SSH=on', file_get_contents(CONF_FILE)));
exec ("sudo /usr/local/bin/alcasar-iptables.sh");
}
if ($action == "stop"){
exec("sudo /sbin/systemctl disable $service");
exec("sudo /usr/bin/systemctl disable $service");
file_put_contents(CONF_FILE, str_replace('SSH=on', 'SSH=off', file_get_contents(CONF_FILE)));
exec ("sudo /usr/local/bin/alcasar-iptables.sh");
}
108,7 → 116,7
//(en fonction de la présence d'un mot clé dans la valeur de status)
function checkServiceStatus($service){
$response = false;
exec("/bin/systemctl is-active $service.service",$retval);
exec("/usr/bin/systemctl is-active $service.service",$retval);
foreach( $retval as $val ) {
if ($val == "active"){
$response = true;
119,7 → 127,7
}
 
//-------------------------------
// Les actions sur un service
// Actions on services
//-------------------------------
//sécurité sur les actions à réaliser
$autorizeService = array("radiusd","chilli","dansguardian","mysqld","httpd","sshd","freshclam","ntpd","havp","tinyproxy","dnsmasq","dnsmasq-blacklist","dnsmasq-whitelist","dnsmasq-blackhole");
132,6 → 140,23
}
}
//-------------------------------
// Actions on system
//-------------------------------
if (isset($_POST['choix'])){
switch ($_POST['choix']){
case 'reboot' :
exec ("sudo /usr/local/sbin/alcasar-logout.sh all");
exec ("sudo /usr/bin/systemctl reboot");
break;
case 'halt' :
exec ("sudo /usr/local/sbin/alcasar-logout.sh all");
exec ("sudo /usr/bin/systemctl halt");
break;
}
}
 
 
//-------------------------------
//recherche du status des services
//-------------------------------
$MainServiceStatus = array();
183,7 → 208,7
<td align="center"><img src="/images/state_ok.gif" width="15" height="15" alt="<?php echo $l_service_status_img_ok; ?>"></td>
<td align="center"><?php $comment="l_$serviceName"; echo "<b>$serviceName</b></td><td>${$comment}" ;?> </td>
<td width="80" align="center">---</td>
<td width="80" align="center"><?php if ($serviceName != "chilli") { echo "<a href=".$_SERVER['PHP_SELF']."?action=stop&service=$serviceName\"> $l_service_stop</a>"; } else echo "---";?></td>
<td width="80" align="center"><?php if ($serviceName != "chilli") { echo "<a href=\"".$_SERVER['PHP_SELF']."?action=stop&service=$serviceName\"> $l_service_stop</a>"; } else echo "---";?></td>
<td width="80" align="center"><a href="<?php echo $_SERVER['PHP_SELF']."?action=restart&service=$serviceName\"> $l_service_restart";?></a></td>
<?php } else { ?>
<td align="center"><img src="/images/state_error.gif" width="15" height="15" alt="<?php echo $l_service_status_img_ko ?>"></td>
247,6 → 272,20
</tr>
<?php } ?>
</td></tr>
</table>
<TABLE width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><th><? echo $l_stop_restart;?></th></tr>
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr>
</TABLE>
<TABLE width="100%" border=1 cellspacing=0 cellpadding=1>
<tr><td valign="middle" align="left">
<FORM action="services.php" method=POST><b>
<select name='choix'></b>
<option selected value="reboot"><?echo "$l_reboot";?>
<option value="halt"><?echo "$l_halt";?>
</select>
<input type=submit value="<?echo "$l_execute";?>">
</FORM>
</td></tr>
</TABLE>
</body>
</html>
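Review bot: The new reboot/halt handler acts on any POST carrying `choix` without an anti-CSRF token, so a page the administrator visits while logged in can submit `choix=reboot` and take the portal down (the GET links `?action=stop&service=` share the weakness, but that is pre-existing); the web server's own authentication, if it protects this directory, does not stop a cross-site request. Issue a per-session token, emit it as a hidden field in the form and reject a POST whose token does not match, as sketched below (`hash_equals` needs PHP 5.6; on older releases compare with `===`). Two smaller points: the new markup uses `<?` short tags while the rest of the file uses `<?php`, which breaks when short_open_tag is off, and the English label reads `Halt le system`.
```php
// … unchanged: service action handling …
if (session_status() === PHP_SESSION_NONE) {
	session_start();
}
if (empty($_SESSION['csrf_token'])) {
	$_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(16));
}
if (isset($_POST['choix'])) {
	if (!isset($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
		header('HTTP/1.1 403 Forbidden');
		exit;
	}
	switch ($_POST['choix']) {
		// … unchanged: reboot and halt cases …
	}
}
// … unchanged: status tables …
<FORM action="services.php" method=POST>
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
```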