
Ignore whitespace Rev 3196 → Rev 3197

/alcasar.sh/alcasar.sh
48,7 → 48,7
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files)
DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
DIR_WEB="/var/www/html" # directory of Lighttpd
DIR_DG="/etc/e2guardian" # directory of E2Guardian
DIR_E2G="/etc/e2guardian" # directory of E2Guardian
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
921,7 → 921,7
$SED "s?^pool.*?pool fr.pool.ntp.org iburst?g" /etc/ntp.conf
echo "interface ignore wildcard" >> /etc/ntp.conf
echo "interface listen lo" >> /etc/ntp.conf
echo "interface listen $INTIF" >> /etc/ntp.conf
echo "interface listen tun0" >> /etc/ntp.conf
# Synchronize now
ntpdate fr.pool.ntp.org &
sleep 2 # wait for time server responce
1280,33 → 1280,33
$SED "/^PIDFile=/d" /etc/systemd/system/e2guardian.service
 
# Adapt the main conf file
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
[ -e $DIR_E2G/e2guardian.conf.default ] || cp $DIR_E2G/e2guardian.conf $DIR_E2G/e2guardian.conf.default
# French deny HTML page
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
$SED "s?^language =.*?language = 'french'?g" $DIR_E2G/e2guardian.conf
# +++ listen & loop prevention on loopback
$SED "s?^#checkip = 127.0.0.1.*?checkip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
$SED "s?^#checkip = 127.0.0.1.*?checkip = 127.0.0.1?g" $DIR_E2G/e2guardian.conf
# 2 filtergroups (8080 & 8090)
$SED "s?^#filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
$SED "s?^#filtergroups =.*?filtergroups = 2?g" $DIR_E2G/e2guardian.conf
# Listen on LAN only
$SED "s?^#filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
$SED "s?^#filterip =.*?filterip = $PRIVATE_IP?g" $DIR_E2G/e2guardian.conf
# Listen on 8080 (group1 : BL users on HTTP)
$SED "s?^#filterports = 8080.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
$SED "s?^#filterports = 8080.*?filterports = 8080?g" $DIR_E2G/e2guardian.conf
# Listen on 8081 (group2 : previously AV users --> to be redefine)
# $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
$SED "s?^#filterports = 8081.*?filterports = 8081?g" $DIR_DG/e2guardian.conf
# $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_E2G/e2guardian.conf
$SED "s?^#filterports = 8081.*?filterports = 8081?g" $DIR_E2G/e2guardian.conf
# for now we don't listen transparently on 8443 (HTTPS) (only in future version)
$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_E2G/e2guardian.conf
# Don't log
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_E2G/e2guardian.conf
# Disable HTML content control (weighted & banned)
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_E2G/e2guardian.conf
# Enable authport plugin
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_E2G/e2guardian.conf
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_E2G/e2guardian.conf
# !!! Set Max RAM cache to 10Mb (for antimalware/EDR)
#$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf
#$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_E2G/e2guardian.conf
# !!! Set Max file size cache to 20Mb (for antimalware/EDR)
#$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_DG/e2guardian.conf
#$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_E2G/e2guardian.conf
 
# copy & adapt HTML templates
cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
1316,26 → 1316,23
 
###### ALCASAR filtering for group1 (blacklisted_users) ####
# Adapt group1 conf file
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
$SED "s/^#reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
$SED "s/^#groupname =.*/groupname = 'blacklisted_users'/g" $DIR_DG/e2guardianf1.conf
$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
$SED "s/^.Define LISTDIR.*/.Define LISTDIR <$DIR_DG/lists/group1/g" $DIR_DG/e2guardianf1.conf
DIR_COMMON="$DIR_DG/lists/common"
cp -r $DIR_DG/lists/example.group $DIR_GROUP1
chown -R e2guardian:root $DIR_GROUP1
[ -e $DIR_E2G/e2guardianf1.conf.default ] || cp $DIR_E2G/e2guardianf1.conf $DIR_E2G/e2guardianf1.conf.default
$SED "s/^#reportinglevel =.*/reportinglevel = 3/g" $DIR_E2G/e2guardianf1.conf
$SED "s/^#groupname =.*/groupname = 'blacklisted_users'/g" $DIR_E2G/e2guardianf1.conf
$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_E2G/e2guardianf1.conf
$SED "s/^.Define LISTDIR.*/.Define LISTDIR <$DIR_E2G/lists/group1/g" $DIR_E2G/e2guardianf1.conf
DIR_E2G_GROUP1="$DIR_E2G/lists/group1"
cp -r $DIR_E2G/lists/example.group $DIR_E2G_GROUP1
chown -R e2guardian:root $DIR_E2G_GROUP1
# RAZ bannedphraselist
[ -e $DIR_GROUP1/bannedphraselist.default ] || mv $DIR_GROUP1/bannedphraselist $DIR_GROUP1/bannedphraselist.default
$SED "s?^[^#]?#&?g" $DIR_GROUP1/bannedphraselist # (comment what is not)
$SED "s?^[^#]?#&?g" $DIR_E2G_GROUP1/bannedphraselist # (comment what is not)
# Disable URL control with regex
[ -e $DIR_GROUP1/banned.regexpurllist.default ] || mv $DIR_GROUP1/regexpurllist $DIR_GROUP1/regexpurllist.default
$SED "s?^[^#]?#&?g" $DIR_GROUP1/bannedregexpurllist # (comment what is not)
$SED "s?^[^#]?#&?g" $DIR_E2G_GROUP1/bannedregexpurllist # (comment what is not)
# Dont filtering files by extension or mime-type (empty list)
> $DIR_GROUP1/bannedextensionlist
> $DIR_GROUP1/bannedmimetypelist
> $DIR_E2G_GROUP1/bannedextensionlist
> $DIR_E2G_GROUP1/bannedmimetypelist
# Creation of ALCASAR banned site list
[ -e $DIR_GROUP1/greysitelist.default ] || mv $DIR_GROUP1/greysitelist $DIR_GROUP1/greysitelist.default
cat <<EOF > $DIR_GROUP1/greysitelist
cat <<EOF > $DIR_E2G_GROUP1/greysitelist
# E2guardian filter config for ALCASAR
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
# block all SSL and CONNECT tunnels
1346,32 → 1343,29
*ip
EOF
# Creation of file for banned URLs (filled later with Toulouse BL --> see BL function)
[ -e $DIR_GROUP1/bannedurllist.default ] || mv $DIR_GROUP1/bannedurllist $DIR_GROUP1/bannedurllist.default
cat <<EOF > $DIR_GROUP1/bannedurllist
cat <<EOF > $DIR_E2G_GROUP1/bannedurllist
# E2guardian URL filter config for ALCASAR
EOF
# Creation of files for rehabilited domains
[ -e $DIR_GROUP1/exceptionsitelist.default ] || mv $DIR_GROUP1/exceptionsitelist $DIR_GROUP1/exceptionsitelist.default
touch $DIR_GROUP1/exceptionsitelist
> $DIR_E2G_GROUP1/exceptionsitelist
# Creation of files for rehabilited IP
[ -e $DIR_DG/lists/common/exceptioniplist.default ] || mv $DIR_DG/lists/common/exceptioniplist $DIR_DG/lists/common/exceptioniplist.default
touch $DIR_DG/lists/common/exceptioniplist
[ -e $DIR_E2G/lists/common/exceptioniplist.default ] || mv $DIR_E2G/lists/common/exceptioniplist $DIR_E2G/lists/common/exceptioniplist.default
touch $DIR_E2G/lists/common/exceptioniplist
# Add Bing to the safesearch url regext list (parental control)
[ -e $DIR_GROUP1/urlregexplist.default ] || cp $DIR_GROUP1/urlregexplist $DIR_GROUP1/urlregexplist.default
cat <<EOF >> $DIR_GROUP1/urlregexplist
cat <<EOF >> $DIR_E2G_GROUP1/urlregexplist
# Bing - add 'adlt=strict'
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
EOF
# 'Safesearch' regex actualisation
$SED "s?images?search?g" $DIR_GROUP1/urlregexplist
# change the google safesearch ("safe=strict" instead of "safe=vss")
$SED "s?safe=vss?safe=strict?g" $DIR_GROUP1/urlregexplist
# 'Safesearch' regex actualisation
$SED "s?images?search?g" $DIR_E2G_GROUP1/urlregexplist
# change the google safesearch ("safe=strict" instead of "safe=vss")
$SED "s?safe=vss?safe=strict?g" $DIR_E2G_GROUP1/urlregexplist
 
# Create & adapt group2 conf file (av + av_wl)
cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
$SED "s?^#reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
$SED "s?^#groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
$SED "s?^urllist = 'name=banned,messageno=501,path=__LISTDIR__/bannedurllist'?urllist = 'name=banned,messageno=501,path=__LISTDIR__/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
cp $DIR_E2G/e2guardianf1.conf.default $DIR_E2G/e2guardianf2.conf
$SED "s?^#reportinglevel =.*?reportinglevel = 3?g" $DIR_E2G/e2guardianf2.conf
$SED "s?^#groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_E2G/e2guardianf2.conf
$SED "s?^urllist = 'name=banned,messageno=501,path=__LISTDIR__/bannedurllist'?urllist = 'name=banned,messageno=501,path=__LISTDIR__/bannedurllist.default'?g" $DIR_E2G/e2guardianf2.conf # no banned urls
 
# create log folder
mkdir -p /var/log/e2guardian
1670,26 → 1664,26
BL()
{
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
rm -rf $DIR_DG/lists/blacklists
rm -rf $DIR_E2G/lists/blacklists
mkdir -p /tmp/blacklists
cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only)
mkdir -p $DIR_DG/lists/blacklists/ossi-bl
touch $DIR_DG/lists/blacklists/ossi-bl/domains
mkdir -p $DIR_E2G/lists/blacklists/ossi-bl
touch $DIR_E2G/lists/blacklists/ossi-bl/domains
echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
mkdir -p $DIR_DG/lists/blacklists/ossi-wl
touch $DIR_DG/lists/blacklists/ossi-wl/domains
mkdir -p $DIR_E2G/lists/blacklists/ossi-wl
touch $DIR_E2G/lists/blacklists/ossi-wl/domains
echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
# add additional BL files
for x in $(ls $DIR_BLACKLIST | grep -v "^blacklists")
do
mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
cp $DIR_BLACKLIST/$x $DIR_DG/lists/blacklists/ossi-bl-$x/domains
mkdir $DIR_E2G/lists/blacklists/ossi-bl-$x
cp $DIR_BLACKLIST/$x $DIR_E2G/lists/blacklists/ossi-bl-$x/domains
echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
done
chown -R e2guardian:apache $DIR_DG
chown -R e2guardian:apache $DIR_E2G
chown -R root:apache $DIR_DEST_SHARE
chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
chmod -R g+rw $DIR_E2G $DIR_DEST_SHARE
# adapt the Toulouse BL to ALCASAR architecture
$DIR_DEST_BIN/alcasar-bl.sh --adapt
# enable the default categories
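Review bot: Near the end of the BL() hunk, `chown -R e2guardian:apache $DIR_E2G` followed by `chmod -R g+rw $DIR_E2G $DIR_DEST_SHARE` makes the whole of `/etc/e2guardian` writable by the `apache` group, not only the blacklist trees this function builds. That covers `e2guardian.conf`, the `e2guardianf1.conf`/`e2guardianf2.conf` group files and the auth plugin configuration adapted earlier in the script, so any process running with the web server's group could rewrite or disable the filtering policy. If the web interface only needs to edit the lists (an assumption to confirm against the ACC code), scope both commands to the list tree: `chown -R e2guardian:apache $DIR_E2G/lists` and `chmod -R g+rw $DIR_E2G/lists $DIR_DEST_SHARE`. BL() continues past the end of this hunk, so later lines may depend on the wider permissions.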