Ignore whitespace Rev 674 → Rev 675

/alcasar.sh
630,6 → 630,7
[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
$SED "s^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
chown -R root:apache /etc/pki
chmod -R 750 /etc/pki
} # End AC ()
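Review bot: The `SSLCertificateChainFile` substitution is written `s^#SSLCertificateChainFile.*?…?`, so sed takes `^` as the delimiter and the `s` command is unterminated; the directive stays commented out in the SSL vhost. The two `$SED` lines above it use `?` as the delimiter, so the intended form is presumably `$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" "$FIC_VIRTUAL_SSL"`. Nothing here checks the result of `$SED`, so the failure would pass unnoticed during installation; a `grep -q '^SSLCertificateChainFile' "$FIC_VIRTUAL_SSL"` afterwards would catch it. The body of AC () starts outside this hunk.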
/scripts/alcasar-CA.sh
1,13 → 1,13
#!/bin/bash
#!/bin/sh
# $Id$
 
# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 
# Création de la PKI et des certificats ALCASAR - Plusieurs idées ont été récupéées dans le script "nessus-mkcert" de Renaud Deraison et Michel Arboi
# Creation of the ALCASAR PKI and certificates - Some ideas are from "nessus-mkcert" script written by Renaud Deraison and Michel Arboi
 
#
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
# and Michel Arboi <arboi@alussinan.org>
#
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
DIR_PKI=/etc/pki
DIR_CERT=$DIR_PKI/tls
14,9 → 14,10
DIR_WEB=/var/www/html
CACERT=$DIR_PKI/CA/alcasar-ca.crt
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
SRVREQ=$DIR_CERT/alcasar.req
SRVKEY=$DIR_CERT/private/alcasar.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVKEY=$DIR_CERT/private/alcasar.key
SRVREQ=$DIR_CERT/alcasar.req
SRVCHAIN=$DIR_CERT/certs/server-chain.crt
 
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="1460"
216,8 → 217,10
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
rm -f $SRVREQ
chmod a+r $CACERT $SRVCERT
cp -f $SRVCERT $SRVCHAIN # in order to simplify the official intranet certificate import process
chmod a+r $CACERT $SRVCERT $SRVCHAIN
 
# Link certs in ALCASAR Control Center
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
then
[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
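Review bot: `cp -f $SRVCERT $SRVCHAIN` runs whether or not the `openssl ca` call just above it succeeded, and the `-s` test that follows does not include `$SRVCHAIN`. If signing fails, the chain file ends up missing or stale while the rest of this revision expects it at /etc/pki/tls/certs/server-chain.crt. I would guard the copy, `[ -s "$SRVCERT" ] && cp -f "$SRVCERT" "$SRVCHAIN"`, and add `-a -s "$SRVCHAIN"` to the test. Separately, `DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$` in the first hunk is a predictable path for a script that feeds `$DIR_TMP/ssl.conf` to `openssl ca`; how the directory is created is not visible here, but `mktemp -d` would remove the guesswork. The `if` block continues outside the hunk.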
/scripts/alcasar-iptables.sh
1,17 → 1,16
#!/bin/bash
#!/bin/sh
# $Id$
 
# alcasar-iptables.sh
# by Rexy - 3abtux - CPN
# This script is distributed under the Gnu General Public License (GPL)
 
# Mise en place des regles du parefeu d'Alcasar (mode normal)
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script write the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders
# There are three channels for log :
# 1 (default) for tracability;
# 2 for secure admin (ssh);
# 3 for exterior access attempts.
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
 
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2`
35,7 → 34,7
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
EXTIF="eth0"
EXTIF="eth0"
INTIF="eth1"
TUNIF="tun0" # listen card for chilli daemon
IPTABLES="/sbin/iptables"
66,20 → 65,12
# Tout passe sur loopback
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
# On élimine les paquets "NEW not SYN"
# Ensure that TCP connections start with syn packets
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
 
#############################
# INTIF rules #
#############################
# les requètes dhcp entrantes sont acceptées
# accept dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
 
# La règle suivante interdit la sortie par INTIF. Elle n'est utile que lorsque chilli est arrêté.
# INTIF is closed (all by TUNIF)
# interdit l'accès à INTIF (n'est utile que lorsque chilli est arrêté).
# Reject INTIF access (only when chilli is down)
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
$IPTABLES -A INPUT -i $INTIF -j REJECT
 
86,14 → 77,15
#############################
# Local protection rules #
#############################
# On stoppe les tentatives de NULLSCAN et XMAS (tous flags à 1)
# Drop XMAS & NULLscans
# On stoppe les demande de connexions non conformes (NullScan, XMAS (tous flags à 1), NEW not SYN, etc.)
# Drop non standard connexions (NULLscans, XMAS, "NEW not SYN", etc.)
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
 
# On stoppe les broadcasts et multicast
# On ne traite pas les broadcasts et multicast
# Drop broadcast & multicast
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
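Review bot: The `! --syn -m state --state NEW -j DROP` rule appears to move from just after the loopback accept into the "Local protection rules" block, which places it after `$IPTABLES -A INPUT -i $INTIF -j REJECT`; on INTIF such packets are then logged by the ULOG rule and answered with a REJECT instead of being dropped silently. The XMAS and NULL-scan drops in the same block are in the same position. If malformed TCP is meant to be dropped on every interface, the block should come before the INTIF rules; otherwise say so in a comment, e.g. `# not reached for INTIF traffic: the INTIF REJECT above matches first`. The ULOG rule also has no `-m limit`, so a LAN host can fill the log at will.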
 
/scripts/alcasar-conf.sh
111,7 → 111,11
cp -f /etc/pki/tls/private/alcasar.key $DIR_UPDATE
cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE
cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE
[ -e /etc/pki/tls/certs/server-chain.crt ] && cp -f /etc/pki/tls/certs/server-chain.crt $DIR_UPDATE # cas d'un certificat officiel
if [ -e /etc/pki/tls/certs/server-chain.crt ]; then
cp -f /etc/pki/tls/certs/server-chain.crt $DIR_UPDATE
else
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.crt
fi
fi
# si version < 2.2
if [ $MAJ_RUNNING_VERSION -lt 2 ] || ([ $MAJ_RUNNING_VERSION -eq 2 ] && [ $MIN_RUNNING_VERSION -lt 2 ])
192,11 → 196,7
[ -e $DIR_UPDATE/alcasar-ca.key ] && cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/
[ -e $DIR_UPDATE/alcasar.crt ] && cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/
[ -e $DIR_UPDATE/alcasar.key ] && cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/
if [ -e $DIR_UPDATE/server-chain.crt ]; then # si un certificat officiel est installé
cp -f $DIR_UPDATE/server-chain.crt /etc/pki/tls/certs/
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl*`
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?g" $FIC_VIRTUAL_SSL
fi
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt /etc/pki/tls/certs/
chown -R root:apache /etc/pki
chmod -R 750 /etc/pki
# Import de la dernière base usagers
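Review bot: After the restore, `chown -R root:apache /etc/pki` followed by `chmod -R 750 /etc/pki` leaves `/etc/pki/CA/private/alcasar-ca.key` and `/etc/pki/tls/private/alcasar.key` readable by the apache group, so a compromise of the web server process would expose both the server key and the CA signing key. httpd normally reads its key as root at startup, so unless something running as apache needs these files (not visible here), tighten them afterwards, e.g. `chmod -R go-rwx /etc/pki/CA/private /etc/pki/tls/private`. The recursive 750 also sets the execute bit on every certificate file. The same two lines end the /alcasar.sh hunk in this revision, and the enclosing block here starts outside the hunk.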
/web/acc/admin/ldap.php
165,53 → 165,53
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$Language = strtolower(substr(chop($Langue[0]),0,2)); }
if($Language == 'fr'){
$l_ldap_title = "Authentification externe : LDAP";
$l_ldap_legend = "Authentification LDAP";
$l_ldap_title = "Authentification externe : LDAP";
$l_ldap_legend = "Authentification LDAP";
$l_ldap_auth_enable_label = "Activer l'authentification LDAP:";
$l_ldap_YES = "OUI";
$l_ldap_NO = "NON";
$l_ldap_YES = "OUI";
$l_ldap_NO = "NON";
$l_ldap_server_label = "Nom du serveur LDAP:";
$l_ldap_server_text = "Nom ou IP du serveur LDAP éventuel.";
$l_ldap_server_text = "Nom ou IP du serveur LDAP éventuel.";
$l_ldap_base_dn_label = "DN de la base LDAP:";
$l_ldap_base_dn_text = "DN est le 'Distinguished Name', il situe les informations utilisateurs, exemple: 'o=Mon entreprise, c=FR'.";
$l_ldap_filter_label = "Identifiant LDAP:";
$l_ldap_filter_text = "Clé utilisée pour la recherche d'un identifiant de connexion, exemple: 'uid', 'sn', etc. Pour un AD mettre 'sAMAccountName'.";
$l_ldap_filter_text = "Clé utilisée pour la recherche d'un identifiant de connexion, exemple: 'uid', 'sn', etc. Pour un AD mettre 'sAMAccountName'.";
$l_ldap_base_filter_label = "Filtre de l'utilisateur LDAP:";
$l_ldap_base_filter_text = "Sur option, vous pouvez en plus limiter les objets recherchés avec des filtres additionnels. Par exemple 'objectClass=posixGroup' aurait comme conséquence l'utilisation de '(&amp;(uid=username)(objectClass=posixGroup))'";
$l_ldap_user_label = "Utilisateur LDAP dn:";
$l_ldap_user_text = "Laissez vide pour utiliser un accès invité. Si renseigné, il se connectera au serveur LDAP en tant qu'un utilisateur spécifié, exemple: 'uid=Utilisateur,ou=MonUnité,o=MaCompagnie,c=FR'. Requis pour les serveurs possédant un Active Directory.";
$l_ldap_user_label = "Utilisateur LDAP:";
$l_ldap_user_text = "Laissez vide pour utiliser un accès invité. Si renseigné, ALCASAR se connectera au serveur LDAP en tant qu'un utilisateur spécifié, exemple: 'uid=Utilisateur,ou=MonUnité,o=MaCompagnie,c=FR'. Requis pour les serveurs possédant un Active Directory.";
$l_ldap_password_label = "Mot de passe LDAP:";
$l_ldap_password_text = "Laissez vide pour un accès invité. Sinon, indiquez le mot de passe de connexion. Requis pour les serveurs possédant un Active Directory.";
$l_ldap_submit = "Enregistrer";
$l_ldap_reset = "Annuler";
$l_ldap_test_network_failed = "Pas de connectivité réseau avec le serveur LDAP.";
$l_ldap_submit = "Enregistrer";
$l_ldap_reset = "Annuler";
$l_ldap_test_network_failed = "Pas de connectivité réseau avec le serveur LDAP.";
$l_ldap_test_connection_failed = "Impossible de se connecter au serveur LDAP.";
$l_ldap_test_bind_ok = "Connexion LDAP réussie...";
$l_ldap_test_bind_failed = "Echec d'authentification sur le serveur LDAP...Vérifiez votre configuration ldap...";
$l_ldap_test_bind_ok = "Connexion LDAP réussie...";
$l_ldap_test_bind_failed = "Echec d'authentification sur le serveur LDAP...Vérifiez votre configuration ldap...";
} else {
$l_ldap_title = "External authentication : LDAP";
$l_ldap_legend = "LDAP authentication";
$l_ldap_title = "External authentication : LDAP";
$l_ldap_legend = "LDAP authentication";
$l_ldap_auth_enable_label = "Use LDAP authentication :";
$l_ldap_YES = "YES";
$l_ldap_NO = "NO";
$l_ldap_YES = "YES";
$l_ldap_NO = "NO";
$l_ldap_server_label = "LDAP server name:";
$l_ldap_server_text = "This is the hostname or IP address of the LDAP server.";
$l_ldap_server_text = "This is the hostname or IP address of the LDAP server.";
$l_ldap_base_dn_label = "LDAP base dn:";
$l_ldap_base_dn_text = "This is the 'Distinguished Name', locating the user information, e.g. 'o=My Company,c=US'.";
$l_ldap_filter_label = "LDAP uid:";
$l_ldap_filter_text = "This is the key under which to search for a given login identity, e.g. 'uid', 'sn', etc.. For AD use 'sAMAccountName'.";
$l_ldap_filter_text = "This is the key under which to search for a given login identity, e.g. 'uid', 'sn', etc.. For AD use 'sAMAccountName'.";
$l_ldap_base_filter_label = "LDAP user filter:";
$l_ldap_base_filter_text = "Optionally you can further limit the searched objects with additional filters. For example 'objectClass=posixGroup' would result in the use of '(&amp;(uid=username)(objectClass=posixGroup))'";
$l_ldap_user_label = "LDAP user dn:";
$l_ldap_user_text = "Leave blank to use anonymous binding. If filled uses the specified distinguished name on login attempts to find the correct user, e.g. 'uid=Username,ou=MyUnit,o=MyCompany,c=US'. Required for Active Directory Servers.";
$l_ldap_user_label = "LDAP user dn:";
$l_ldap_user_text = "Leave blank to use anonymous binding. If filled, ALCASAR uses the specified distinguished name on login attempts to find the correct user, e.g. 'uid=Username,ou=MyUnit,o=MyCompany,c=US'. Required for Active Directory Servers.";
$l_ldap_password_label = "LDAP password:";
$l_ldap_password_text = "Leave blank to use anonymous binding. Else fill in the password for the above user. Required for Active Directory Servers.";
$l_ldap_submit = "Save";
$l_ldap_reset = "Reset";
$l_ldap_test_network_failed = "LDAP server is not reachable.";
$l_ldap_submit = "Save";
$l_ldap_reset = "Reset";
$l_ldap_test_network_failed = "LDAP server is not reachable.";
$l_ldap_test_connection_failed = "LDAP connexion failed...";
$l_ldap_test_bind_ok = "LDAP connexion success...";
$l_ldap_test_bind_failed = "LDAP authentication failed...Check your ldap setup...";
$l_ldap_test_bind_ok = "LDAP connexion success...";
$l_ldap_test_bind_failed = "LDAP authentication failed...Check your ldap setup...";
}
 
function ldap_test($f_ldap_server, $f_ldap_identity, $f_ldap_password, $f_ldap_port = "389"){