| 901,6 → 901,11 |
|---|
| # automatisation de la mise à jour de la base antivirale (toutes les 2 heures) |
| $SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf |
| $SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf |
| # on supprime le fichier 'main.cld' si 'main.cvd' existe (cas d'une mise à jour) |
| if ([ -e /var/lib/clamav/main.cld ] && [ -e /var/lib/clamav/main.cvd ]) |
| then |
| rm -f /var/lib/clamav/main.cld |
| fi |
| } |
| |
| ################################################################################## |
| 1225,8 → 1230,53 |
|---|
| $SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf |
| # On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 ) |
| $SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver |
| # On supprime les log_martians |
| $SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver |
| |
| # On applique les préconisations ANSSI (sysctl + msec quand c'est possible) |
| # Apply French Security Agency rules (sysctl + msec when possible) |
| # ignorer les broadcast ICMP. (attaque smurf) |
| $SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver |
| sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 |
| # ignorer les erreurs ICMP bogus |
| $SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver |
| sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 |
| # désactiver l’envoi et la réponse aux ICMP redirects |
| accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l` |
| if [ "$accept_redirect" == "0" ] |
| then |
| echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf |
| fi |
| send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l` |
| if [ "$send_redirect" == "0" ] |
| then |
| echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf |
| fi |
| $SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf |
| $SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf |
| sysctl -w net.ipv4.conf.all.accept_redirects=0 |
| sysctl -w net.ipv4.conf.all.send_redirects=0 |
| # activer les SYN Cookies (attaque syn flood) |
| tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l` |
| if [ "$tcp_syncookies" == "0" ] |
| then |
| echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf |
| fi |
| $SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf |
| sysctl -w net.ipv4.tcp_syncookies=1 |
| # activer l’antispoofing niveau Noyau |
| $SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver |
| sysctl -w net.ipv4.conf.all.rp_filter=1 |
| # ignorer le source routing |
| accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l` |
| if [ "$accept_source_route" == "0" ] |
| then |
| echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf |
| fi |
| $SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf |
| sysctl -w net.ipv4.conf.all.accept_source_route=0 |
| # On supprime les log_martians (ALCASAR est souvent entre deux réseaux dont les plans d'adressage sont de type 'privée') |
| sysctl -w net.ipv4.conf.all.log_martians=0 |
| $SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver |
| |
| # On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys |
| $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver |
| # On mets en place la sécurité sur les fichiers |