| /alcasar.sh |
|---|
| 818,7 → 818,6 |
| uamserver https://$HOSTNAME/intercept.php |
| radiusnasid $HOSTNAME |
| papalwaysok |
| #dnsparanoia |
| uamsecret $secretuam |
| coaport 3799 |
| include /usr/local/etc/alcasar-uamallowed |
| 924,10 → 923,10 |
| havp_exist=`grep havp /etc/passwd|wc -l` |
| if [ "$havp_exist" == "1" ] |
| then |
| userdel -r havp |
| userdel -r havp 2>/dev/null |
| fi |
| groupadd -f havp |
| useradd -g havp havp |
| useradd -M -g havp havp |
| # création de la zone de travail temporaire (50Mo) en mémoire |
| mkdir -p /var/tmp/havp /var/log/havp |
| chown -R havp /var/tmp/havp /var/log/havp /var/run/havp |
| 981,32 → 980,23 |
| { |
| # Three instances of ulogd (three different logfiles) |
| [ -d /var/log/firewall ] || mkdir -p /var/log/firewall |
| [ -e /var/log/firewall/tracability.log ] || touch /var/log/firewall/tracability.log |
| [ -e /var/log/firewall/ssh.log ] || touch /var/log/firewall/ssh.log |
| [ -e /var/log/firewall/ext-access.log ] || touch /var/log/firewall/ext-access.log |
| nl=1 |
| for log_type in tracability ssh ext-access |
| do |
| [ -e /var/log/firewall/$log_type.log ] || touch /var/log/firewall/$log_type.log |
| cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf |
| $SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf |
| $SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf |
| cat << EOF >> /etc/ulogd-$log_type.conf |
| [LOGEMU] |
| file="/var/log/firewall/$log_type.log" |
| sync=1 |
| EOF |
| nl=`expr $nl + 1` |
| done |
| chown -R root:apache /var/log/firewall |
| chmod 750 /var/log/firewall |
| chmod 640 /var/log/firewall/* |
| cat <<EOF > /etc/ulogd-tracability.conf |
| # ulogd configuration for ALCASAR |
| [global] |
| nlgroup=1 |
| logfile="/var/log/ulogd.log" |
| loglevel=5 |
| rmem=131071 |
| bufsize=150000 |
| plugin="/usr/lib/ulogd/ulogd_BASE.so" |
| plugin="/usr/lib/ulogd/ulogd_LOGEMU.so" |
| [LOGEMU] |
| file="/var/log/firewall/tracability.log" |
| sync=1 |
| EOF |
| cp -f /etc/ulogd-tracability.conf /etc/ulogd-ssh.conf |
| $SED "s?^nlgroup=.*?nlgroup=2?g" /etc/ulogd-ssh.conf |
| $SED "s?^file=\"/var/log/firewall/.*?file=\"/var/log/firewall/ssh.log\"?g" /etc/ulogd-ssh.conf |
| cp -f /etc/ulogd-tracability.conf /etc/ulogd-ext-access.conf |
| $SED "s?^nlgroup=.*?nlgroup=3?g" /etc/ulogd-ext-access.conf |
| $SED "s?^file=\"/var/log/firewall/.*?file=\"/var/log/firewall/ext-access.log\"?g" /etc/ulogd-ext-access.conf |
| [ -e /etc/init.d/ulogd.default ] || cp /etc/init.d/ulogd /etc/init.d/ulogd.default |
| cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd |
| } # End of param_ulogd () |
| 1388,7 → 1378,7 |
| do |
| $func |
| # echo "*** 'debug' : end of function $func ***"; read a |
| # echo "*** 'debug' : end of function $func ***"; read a |
| done |
| ;; |
| -u | --uninstall) |
| /scripts/alcasar-iptables.sh |
|---|
| 5,7 → 5,7 |
| # there are three channels for log : 1 (default) for tracability, 2 for secure admin (ssh), 3 for exterior access attempts, |
| IPTABLES="/sbin/iptables" |
| FILTERING="yes" |
| FILTERING="no" |
| EXTIF="eth0" |
| INTIF="eth1" |
| TUNIF="tun0" |
| /scripts/alcasar-conf.sh |
|---|
| 5,6 → 5,7 |
| # Ce script permet de créer ou de charger l'archive des fichiers de configuration (/tmp/alcasar-conf.tar.gz) |
| DIR_UPDATE="/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour |
| DIR_WEB="/var/www/html" # répertoire du centre de gestion |
| DIR_BIN="/usr/local/bin" # répertoire des scripts d'admin |
| DIR_SBIN="/usr/local/sbin" # répertoire des scripts d'admin |
| DIR_ETC="/usr/local/etc" # répertoire des fichiers de conf |
| DB_USER="radius" |
| 62,10 → 63,11 |
| then |
| cp -rf $DIR_WEB/acc/digest $DIR_UPDATE/etc/ # version = 2.0 |
| fi |
| # sauvegarde du fichier alcasar-iptables-local.sh ( cas de migration vers 2.0 depuis <2.x) |
| # sauvegarde du fichier alcasar-iptables.sh (et alcasar-iptables-local.sh si migration depuis V<2.x) |
| cp -f $DIR_BIN/alcasar-iptables.sh $DIR_UPDATE |
| if [ -e /usr/local/bin/alcasar-iptables-local.sh ] |
| then |
| cp -f /usr/local/bin/alcasar-iptables-local.sh $DIR_UPDATE/etc/old-version_alcasar-iptables-local.sh # versions < 2.x |
| cp -f /usr/local/bin/alcasar-iptables-local.sh $DIR_UPDATE/etc/old-version_alcasar-iptables-local.sh |
| fi |
| # création de l'archive |
| cd /tmp |
| 100,7 → 102,7 |
| cp -rf $DIR_UPDATE/ossi /etc/dansguardian/lists/blacklists/ |
| chown -R dansguardian:apache /etc/dansguardian/lists |
| chmod -R g+rw /etc/dansguardian/lists |
| # on active/desactive la BL |
| # On active/désactive la BL |
| active_bl=`cat $DIR_UPDATE/dansguardian.conf|grep ^reportinglevel|cut -d" " -f3` |
| $SED "s/^reportinglevel =.*/reportinglevel = $active_bl/g" /etc/dansguardian/dansguardian.conf |
| PARENT_SCRIPT=$0 |
| 113,6 → 115,10 |
| cp -rf $DIR_UPDATE/etc/* $DIR_ETC/ |
| # Prise en compte des comptes de gestion (admin + manager + backup) |
| $DIR_SBIN/alcasar-profil.sh --list |
| # On active/désactive le filtrage de protocoles |
| active_filter=`cat $DIR_UPDATE/alcasar-iptables.sh|grep ^FILTERING|cut -d"=" -f2` |
| $SED "s/^FILTERING=.*/FILTERING=$active_filter/g" $DIR_BIN/alcasar-iptables.sh |
| $DIR_BIN/alcasar-iptables.sh |
| # Effacement du répertoire d'update |
| rm -rf $DIR_UPDATE |
| ;; |
| /scripts/sbin/alcasar-uninstall.sh |
|---|
| 171,7 → 171,6 |
| echo -en "\n- network(7) : " |
| hostname localhost |
| /sbin/ifdown eth0 |
| /sbin/ifdown eth1 |
| [ -e /etc/sysconfig/network-scripts/default-ifcfg-eth0 ] && mv /etc/sysconfig/network-scripts/default-ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0 && echo -n "1, " |
| [ -e /etc/sysconfig/network.default ] && mv /etc/sysconfig/network.default /etc/sysconfig/network && echo -n "2, " |
| [ -e /etc/hosts.default ] && mv /etc/hosts.default /etc/hosts && echo -n "3, " |
| /scripts/alcasar-log-export.sh |
|---|
| 24,11 → 24,11 |
| if [ $CHIFFREMENT -eq "1" ] |
| then |
| # chiffrement des logs dans /var/Save/logs/(squid|firewall|httpd) |
| find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'firewall*.gz' -o -name 'admin*.gz' \) -exec gpg --output $TO_SAVE/$i/{}.gpg --encrypt --recipient $GPG_USER {} \; |
| find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'tracability*.gz' -o -name 'admin*.gz' \) -exec gpg --output $TO_SAVE/$i/{}.gpg --encrypt --recipient $GPG_USER {} \; |
| else |
| # copie simple des logs dans /var/Save/logs/(squid|firewall|httpd) |
| find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'firewall*.gz' -o -name 'admin*.gz' \) -exec cp {} $TO_SAVE/$i/. \; |
| find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'tracability*.gz' -o -name 'admin*.gz' \) -exec cp {} $TO_SAVE/$i/. \; |
| fi |
| done |
| chown -R apache.apache $TO_SAVE |