/alcasar.sh |
---|
630,6 → 630,7 |
[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default |
$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL |
$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL |
$SED "s^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
} # End AC () |
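Review bot: The sed expression added for SSLCertificateChainFile uses `^` as its delimiter (`s^#SSLCertificateChainFile.*?...`) and never closes it, so sed will report an unterminated `s' command and the vhost keeps the directive commented out; the line this commit appears to drop from alcasar-conf.sh shows the intended form, `$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?g" $FIC_VIRTUAL_SSL`. The function AC() whose closing brace ends this hunk starts outside it. Separately, the `chown -R root:apache /etc/pki` / `chmod -R 750 /etc/pki` pair that follows grants the apache group read access to everything under /etc/pki, including the CA private key that alcasar-CA.sh places in /etc/pki/CA/private; limiting the recursive change to the certificate and key paths the web server actually serves, and keeping the CA private directory root-only, would be the least-privilege form.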
/scripts/alcasar-CA.sh |
---|
1,13 → 1,13 |
#!/bin/bash |
#!/bin/sh |
# $Id$ |
# alcasar-CA.sh |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY |
# This script is distributed under the Gnu General Public License (GPL) |
# Création de la PKI et des certificats ALCASAR - Plusieurs idées ont été récupéées dans le script "nessus-mkcert" de Renaud Deraison et Michel Arboi |
# Creation of the ALCASAR PKI and certificates - Some ideas are from "nessus-mkcert" script written by Renaud Deraison and Michel Arboi |
# |
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> |
# and Michel Arboi <arboi@alussinan.org> |
# |
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$ |
DIR_PKI=/etc/pki |
DIR_CERT=$DIR_PKI/tls |
14,9 → 14,10 |
DIR_WEB=/var/www/html |
CACERT=$DIR_PKI/CA/alcasar-ca.crt |
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key |
SRVREQ=$DIR_CERT/alcasar.req |
SRVKEY=$DIR_CERT/private/alcasar.key |
SRVCERT=$DIR_CERT/certs/alcasar.crt |
SRVKEY=$DIR_CERT/private/alcasar.key |
SRVREQ=$DIR_CERT/alcasar.req |
SRVCHAIN=$DIR_CERT/certs/server-chain.crt |
CACERT_LIFETIME="1460" |
SRVCERT_LIFETIME="1460" |
216,8 → 217,10 |
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log |
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log |
rm -f $SRVREQ |
chmod a+r $CACERT $SRVCERT |
cp -f $SRVCERT $SRVCHAIN # in order to simplify the official intranet certificate import process |
chmod a+r $CACERT $SRVCERT $SRVCHAIN |
# Link certs in ALCASAR Control Center |
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ]; |
then |
[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs |
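Review bot: `cp -f $SRVCERT $SRVCHAIN` runs unconditionally right after the `openssl ca` call, whose exit status only goes into the log; if signing fails the copy fails as well and the script carries on to the `chmod a+r` and the link step. Moving the copy under the `if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ]` guard, or guarding it with `[ -s "$SRVCERT" ] && cp -f "$SRVCERT" "$SRVCHAIN"`, avoids publishing an empty or stale chain file. With the new `chmod a+r $CACERT $SRVCERT $SRVCHAIN`, the earlier `chmod a+r $CACERT $SRVCERT` two lines above is redundant and can go. In the hunk at line 14 the SRVKEY and SRVREQ assignments appear twice in the rendered lines; whichever side survives, the new file should keep a single assignment of each, and `SRVCHAIN` would benefit from a comment such as `# chain file presented by Apache: an official chain when one is installed, otherwise a copy of the self-signed server cert` (that reading is inferred from alcasar-conf.sh's comments and should be confirmed).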
/scripts/alcasar-iptables.sh |
---|
1,17 → 1,16 |
#!/bin/bash |
#!/bin/sh |
# $Id$ |
# alcasar-iptables.sh |
# by Rexy - 3abtux - CPN |
# This script is distributed under the Gnu General Public License (GPL) |
# Mise en place des regles du parefeu d'Alcasar (mode normal) |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal) |
# This script write the netfilter rules for ALCASAR |
# Rexy - 3abtux - CPN |
# |
# Reminders |
# There are three channels for log : |
# 1 (default) for tracability; |
# 2 for secure admin (ssh); |
# 3 for exterior access attempts. |
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script |
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova |
conf_file="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2` |
35,7 → 34,7 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
EXTIF="eth0" |
EXTIF="eth0" |
INTIF="eth1" |
TUNIF="tun0" # listen card for chilli daemon |
IPTABLES="/sbin/iptables" |
66,20 → 65,12 |
# Tout passe sur loopback |
# accept all on loopback |
$IPTABLES -A INPUT -i lo -j ACCEPT |
# On élimine les paquets "NEW not SYN" |
# Ensure that TCP connections start with syn packets |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP |
############################# |
# INTIF rules # |
############################# |
# les requètes dhcp entrantes sont acceptées |
# accept dhcp |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT |
# La règle suivante interdit la sortie par INTIF. Elle n'est utile que lorsque chilli est arrêté. |
# INTIF is closed (all by TUNIF) |
# interdit l'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
# Reject INTIF access (only when chilli is down) |
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT " |
$IPTABLES -A INPUT -i $INTIF -j REJECT |
86,14 → 77,15 |
############################# |
# Local protection rules # |
############################# |
# On stoppe les tentatives de NULLSCAN et XMAS (tous flags à 1) |
# Drop XMAS & NULLscans |
# On stoppe les demande de connexions non conformes (NullScan, XMAS (tous flags à 1), NEW not SYN, etc.) |
# Drop non standard connexions (NULLscans, XMAS, "NEW not SYN", etc.) |
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP |
# On stoppe les broadcasts et multicast |
# On ne traite pas les broadcasts et multicast |
# Drop broadcast & multicast |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
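Review bot: The `! --syn -m state --state NEW -j DROP` rule appears to move from just after the loopback accept to the "Local protection rules" block, which on the new side follows the `-i $INTIF -j ULOG` / `-j REJECT` pair, so a non-SYN NEW TCP packet arriving on INTIF is now logged with the Protect1 prefix and answered with a REJECT instead of being dropped silently as before. If that is intended (the comment says the INTIF rule only matters when chilli is down), a one-line comment at the relocated rule saying so would spare the next reader the question; otherwise keep the drop ahead of the INTIF rules. The new `--tcp-flags SYN,RST SYN,RST -j DROP` line has no comment of its own beyond the block header; `# SYN+RST together is never a valid segment` would do. The state rules keep using `-m state`; `-m conntrack --ctstate NEW` is the current form, but that is a wider change than this commit.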
/scripts/alcasar-conf.sh |
---|
111,7 → 111,11 |
cp -f /etc/pki/tls/private/alcasar.key $DIR_UPDATE |
cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE |
cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE |
[ -e /etc/pki/tls/certs/server-chain.crt ] && cp -f /etc/pki/tls/certs/server-chain.crt $DIR_UPDATE # cas d'un certificat officiel |
if [ -e /etc/pki/tls/certs/server-chain.crt ]; then |
cp -f /etc/pki/tls/certs/server-chain.crt $DIR_UPDATE |
else |
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.crt |
fi |
fi |
# si version < 2.2 |
if [ $MAJ_RUNNING_VERSION -lt 2 ] || ([ $MAJ_RUNNING_VERSION -eq 2 ] && [ $MIN_RUNNING_VERSION -lt 2 ]) |
192,11 → 196,7 |
[ -e $DIR_UPDATE/alcasar-ca.key ] && cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/ |
[ -e $DIR_UPDATE/alcasar.crt ] && cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/ |
[ -e $DIR_UPDATE/alcasar.key ] && cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/ |
if [ -e $DIR_UPDATE/server-chain.crt ]; then # si un certificat officiel est installé |
cp -f $DIR_UPDATE/server-chain.crt /etc/pki/tls/certs/ |
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl*` |
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?g" $FIC_VIRTUAL_SSL |
fi |
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt /etc/pki/tls/certs/ |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
# Import de la dernière base usagers |
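Review bot: The restore path now only copies server-chain.crt back into /etc/pki/tls/certs/ and no longer re-enables `SSLCertificateChainFile` in the Apache vhost, which the dropped block did with `$SED` on `$FIC_VIRTUAL_SSL`; if that is now left to alcasar.sh's AC(), a comment on the new line, `# SSLCertificateChainFile is enabled by alcasar.sh (AC); only the file is restored here`, would record the dependency. Because the backup side now always writes a server-chain.crt (the new `else` branch copies alcasar.crt under that name), the `-e` test on restore is always true for backups made by this version, so the "certificat officiel" distinction from the old comment is gone and deserves a comment next to the new `else`. The `fi` that closes the first hunk belongs to an `if` that starts outside it. The backup directory also receives the CA and server private keys; nothing in these hunks shows how `$DIR_UPDATE` is created, so its permissions should be confirmed to be root-only.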
/web/acc/admin/ldap.php |
---|
165,53 → 165,53 |
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']); |
$Language = strtolower(substr(chop($Langue[0]),0,2)); } |
if($Language == 'fr'){ |
$l_ldap_title = "Authentification externe : LDAP"; |
$l_ldap_legend = "Authentification LDAP"; |
$l_ldap_title = "Authentification externe : LDAP"; |
$l_ldap_legend = "Authentification LDAP"; |
$l_ldap_auth_enable_label = "Activer l'authentification LDAP:"; |
$l_ldap_YES = "OUI"; |
$l_ldap_NO = "NON"; |
$l_ldap_YES = "OUI"; |
$l_ldap_NO = "NON"; |
$l_ldap_server_label = "Nom du serveur LDAP:"; |
$l_ldap_server_text = "Nom ou IP du serveur LDAP éventuel."; |
$l_ldap_server_text = "Nom ou IP du serveur LDAP éventuel."; |
$l_ldap_base_dn_label = "DN de la base LDAP:"; |
$l_ldap_base_dn_text = "DN est le 'Distinguished Name', il situe les informations utilisateurs, exemple: 'o=Mon entreprise, c=FR'."; |
$l_ldap_filter_label = "Identifiant LDAP:"; |
$l_ldap_filter_text = "Clé utilisée pour la recherche d'un identifiant de connexion, exemple: 'uid', 'sn', etc. Pour un AD mettre 'sAMAccountName'."; |
$l_ldap_filter_text = "Clé utilisée pour la recherche d'un identifiant de connexion, exemple: 'uid', 'sn', etc. Pour un AD mettre 'sAMAccountName'."; |
$l_ldap_base_filter_label = "Filtre de l'utilisateur LDAP:"; |
$l_ldap_base_filter_text = "Sur option, vous pouvez en plus limiter les objets recherchés avec des filtres additionnels. Par exemple 'objectClass=posixGroup' aurait comme conséquence l'utilisation de '(&(uid=username)(objectClass=posixGroup))'"; |
$l_ldap_user_label = "Utilisateur LDAP dn:"; |
$l_ldap_user_text = "Laissez vide pour utiliser un accès invité. Si renseigné, il se connectera au serveur LDAP en tant qu'un utilisateur spécifié, exemple: 'uid=Utilisateur,ou=MonUnité,o=MaCompagnie,c=FR'. Requis pour les serveurs possédant un Active Directory."; |
$l_ldap_user_label = "Utilisateur LDAP:"; |
$l_ldap_user_text = "Laissez vide pour utiliser un accès invité. Si renseigné, ALCASAR se connectera au serveur LDAP en tant qu'un utilisateur spécifié, exemple: 'uid=Utilisateur,ou=MonUnité,o=MaCompagnie,c=FR'. Requis pour les serveurs possédant un Active Directory."; |
$l_ldap_password_label = "Mot de passe LDAP:"; |
$l_ldap_password_text = "Laissez vide pour un accès invité. Sinon, indiquez le mot de passe de connexion. Requis pour les serveurs possédant un Active Directory."; |
$l_ldap_submit = "Enregistrer"; |
$l_ldap_reset = "Annuler"; |
$l_ldap_test_network_failed = "Pas de connectivité réseau avec le serveur LDAP."; |
$l_ldap_submit = "Enregistrer"; |
$l_ldap_reset = "Annuler"; |
$l_ldap_test_network_failed = "Pas de connectivité réseau avec le serveur LDAP."; |
$l_ldap_test_connection_failed = "Impossible de se connecter au serveur LDAP."; |
$l_ldap_test_bind_ok = "Connexion LDAP réussie..."; |
$l_ldap_test_bind_failed = "Echec d'authentification sur le serveur LDAP...Vérifiez votre configuration ldap..."; |
$l_ldap_test_bind_ok = "Connexion LDAP réussie..."; |
$l_ldap_test_bind_failed = "Echec d'authentification sur le serveur LDAP...Vérifiez votre configuration ldap..."; |
} else { |
$l_ldap_title = "External authentication : LDAP"; |
$l_ldap_legend = "LDAP authentication"; |
$l_ldap_title = "External authentication : LDAP"; |
$l_ldap_legend = "LDAP authentication"; |
$l_ldap_auth_enable_label = "Use LDAP authentication :"; |
$l_ldap_YES = "YES"; |
$l_ldap_NO = "NO"; |
$l_ldap_YES = "YES"; |
$l_ldap_NO = "NO"; |
$l_ldap_server_label = "LDAP server name:"; |
$l_ldap_server_text = "This is the hostname or IP address of the LDAP server."; |
$l_ldap_server_text = "This is the hostname or IP address of the LDAP server."; |
$l_ldap_base_dn_label = "LDAP base dn:"; |
$l_ldap_base_dn_text = "This is the 'Distinguished Name', locating the user information, e.g. 'o=My Company,c=US'."; |
$l_ldap_filter_label = "LDAP uid:"; |
$l_ldap_filter_text = "This is the key under which to search for a given login identity, e.g. 'uid', 'sn', etc.. For AD use 'sAMAccountName'."; |
$l_ldap_filter_text = "This is the key under which to search for a given login identity, e.g. 'uid', 'sn', etc.. For AD use 'sAMAccountName'."; |
$l_ldap_base_filter_label = "LDAP user filter:"; |
$l_ldap_base_filter_text = "Optionally you can further limit the searched objects with additional filters. For example 'objectClass=posixGroup' would result in the use of '(&(uid=username)(objectClass=posixGroup))'"; |
$l_ldap_user_label = "LDAP user dn:"; |
$l_ldap_user_text = "Leave blank to use anonymous binding. If filled uses the specified distinguished name on login attempts to find the correct user, e.g. 'uid=Username,ou=MyUnit,o=MyCompany,c=US'. Required for Active Directory Servers."; |
$l_ldap_user_label = "LDAP user dn:"; |
$l_ldap_user_text = "Leave blank to use anonymous binding. If filled, ALCASAR uses the specified distinguished name on login attempts to find the correct user, e.g. 'uid=Username,ou=MyUnit,o=MyCompany,c=US'. Required for Active Directory Servers."; |
$l_ldap_password_label = "LDAP password:"; |
$l_ldap_password_text = "Leave blank to use anonymous binding. Else fill in the password for the above user. Required for Active Directory Servers."; |
$l_ldap_submit = "Save"; |
$l_ldap_reset = "Reset"; |
$l_ldap_test_network_failed = "LDAP server is not reachable."; |
$l_ldap_submit = "Save"; |
$l_ldap_reset = "Reset"; |
$l_ldap_test_network_failed = "LDAP server is not reachable."; |
$l_ldap_test_connection_failed = "LDAP connexion failed..."; |
$l_ldap_test_bind_ok = "LDAP connexion success..."; |
$l_ldap_test_bind_failed = "LDAP authentication failed...Check your ldap setup..."; |
$l_ldap_test_bind_ok = "LDAP connexion success..."; |
$l_ldap_test_bind_failed = "LDAP authentication failed...Check your ldap setup..."; |
} |
function ldap_test($f_ldap_server, $f_ldap_identity, $f_ldap_password, $f_ldap_port = "389"){ |