99,8 → 99,8 |
} # End of header_install () |
|
################################################################## |
## Fonction TESTING ## |
## - Test de la connectivité Internet ## |
## Function TESTING ## |
## - Test of Internet access ## |
################################################################## |
testing () |
{ |
1126,7 → 1126,6 |
useradd -r -g havp -s /bin/false -c "system user for havp" havp |
mkdir -p /var/tmp/havp /var/log/havp |
chown -R havp /var/tmp/havp /var/log/havp /var/run/havp |
$SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp |
# configuration d'HAVP |
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default |
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config |
1140,6 → 1139,7 |
$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files |
# remplacement du fichier d'initialisation |
[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default |
# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp |
cp -f $DIR_CONF/havp-init /etc/init.d/havp |
# on remplace la page d'interception (template) |
cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html |
1149,7 → 1149,8 |
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf |
# Virus database update |
rm -f /var/lib/clamav/*.cld # in case of old database scheme |
[ -e /var/lib/clamav/main.cvd ] || /usr/bin/freshclam |
cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd |
/usr/bin/freshclam |
} |
|
################################################################################## |
1507,8 → 1508,9 |
do |
/sbin/chkconfig --add $i |
done |
# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse) |
cat << EOF > /etc/rc.local |
|
# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse) |
# cat << EOF > /etc/rc.local |
#!/bin/sh |
# |
### BEGIN INIT INFO |
1520,29 → 1522,19 |
# You can put your own initialization stuff in here if you don't |
# want to do the full Sys V style init stuff. |
### END INIT INFO |
# |
#/etc/init.d/mysqld restart |
#sleep 1 |
#/etc/init.d/radiusd restart |
# |
#touch /var/lock/subsys/local |
#EOF |
|
/etc/init.d/mysqld restart |
sleep 1 |
/etc/init.d/radiusd restart |
|
touch /var/lock/subsys/local |
EOF |
# pour éviter les alertes de dépendance entre service. |
$SED "s?^# Required-Start.*?# Required-Start: \$local_fs \$network?g" /etc/init.d/mysqld |
$SED "s?^# Required-Stop.*?# Required-Stop: \$local_fs \$network?g" /etc/init.d/mysqld |
$SED "s?^# Should-Start.*?# Should-Start: radiusd ldap?g" /etc/init.d/httpd |
$SED "s?^# Should-Stop.*?# Should-Stop: radiusd ldap?g" /etc/init.d/httpd |
# On affecte le niveau de sécurité du système : type "fileserver" |
$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf |
# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 ) |
$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver |
# On applique les préconisations ANSSI (sysctl + msec quand c'est possible) |
# Apply French Security Agency rules (sysctl + msec when possible) |
# On applique les préconisations ANSSI |
# Apply French Security Agency rules |
# ignorer les broadcast ICMP. (attaque smurf) |
$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver |
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 |
# ignorer les erreurs ICMP bogus |
$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver |
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 |
# désactiver l'envoi et la réponse aux ICMP redirects |
sysctl -w net.ipv4.conf.all.accept_redirects=0 |
1571,7 → 1563,6 |
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf |
fi |
# activer l'antispoofing niveau Noyau |
$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver |
sysctl -w net.ipv4.conf.all.rp_filter=1 |
# ignorer le source routing |
sysctl -w net.ipv4.conf.all.accept_source_route=0 |
1593,34 → 1584,8 |
fi |
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée) |
sysctl -w net.ipv4.conf.all.log_martians=0 |
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver |
|
|
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys |
$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver |
# On mets en place la sécurité sur les fichiers |
# des modif par rapport à radius update |
cat <<EOF > /etc/security/msec/perm.local |
/var/log/firewall/ root.apache 750 |
/var/log/firewall/* root.apache 640 |
/etc/security/msec/perm.local root.root 640 |
/etc/security/msec/level.local root.root 640 |
/etc/freeradius-web root.apache 750 |
/etc/freeradius-web/admin.conf root.apache 640 |
/etc/freeradius-web/config.php root.apache 640 |
/etc/raddb/dictionnary root.radius 640 |
/etc/raddb/ldap.attrmap root.radius 640 |
/etc/raddb/hints root.radius 640 |
/etc/raddb/huntgroups root.radius 640 |
/etc/raddb/attrs.access_reject root.radius 640 |
/etc/raddb/attrs.accounting_response root.radius 640 |
/etc/raddb/acct_users root.radius 640 |
/etc/raddb/preproxy_users root.radius 640 |
/etc/raddb/modules/ldap radius.apache 660 |
/etc/raddb/sites-available/alcasar radius.apache 660 |
/etc/pki/* root.apache 750 |
EOF |
/usr/sbin/msec |
# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver |
# modification /etc/inittab |
[ -e /etc/inittab.default ] || cp /etc/inittab /etc/inittab.default |
# We keep only 3 TTYs |
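Review bot: Going by the 34 → 8 line counts, the new side of this hunk keeps only the log_martians settings and the inittab backup, so the msec file-permission policy written to /etc/security/msec/perm.local, the `ALLOW_REBOOT=no` setting and the `/usr/sbin/msec` run that applied them appear to be dropped with no replacement visible here. If that policy moved elsewhere in the commit, a one-line pointer at this spot would help the next reader, e.g. `# msec perm.local policy (raddb, freeradius-web, firewall logs) now applied in <location>`; if it did not move, the 640/750 ownership and mode enforcement on those configuration and log files is lost silently. The enclosing function starts and ends outside the hunk.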
1630,12 → 1595,17 |
# switch to multi-users runlevel (instead of x11) |
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target |
$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab |
# On limite le temps d'attente de grub (3s) et on change la résolution d'écran |
# GRUB modifications |
# limit wait time to 3s |
# create an alcasar entry instead of linux-nonfb |
# change display to 1024*768 (vga791) |
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst |
$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst |
$SED "s? vga=791??2g" /boot/grub/menu.lst |
$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst |
$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst |
$SED "/^kernel/s/vga=.*/vga=791/" /boot/grub/menu.lst |
|
# Remove unused services and users |
for svc in alsa sound dm atd bootlogd stop-bootlogd |
for svc in alsa sound dm |
do |
/sbin/chkconfig --del $svc |
done |
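Review bot: The new GRUB edit `$SED "/^kernel/s/vga=.*/vga=791/"` uses `.*`, which runs to the end of the line, so any kernel parameter that follows an existing `vga=` option on that line is discarded along with it; `$SED "/^kernel/s/vga=[^ ]*/vga=791/"` limits the replacement to the option itself. As far as the counts show, the previous append of `vga=791` to every kernel line is gone, so a menu.lst entry with no `vga=` option at all now gets no resolution setting, which may or may not be intended. The comment `# Remove unused services and users` is also broader than the loop below it, which only runs `chkconfig --del` on services; `# Remove unused services` would match the code. The enclosing function starts and ends outside the hunk.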
1706,7 → 1676,7 |
} # End post_install () |
|
################################# |
# Boucle principale du script # |
# Main Install loop # |
################################# |
dir_exec=`dirname "$0"` |
if [ $dir_exec != "." ] |