

Ignore whitespace Rev 1004 → Rev 1005

/alcasar.sh
99,8 → 99,8
} # End of header_install ()
 
##################################################################
## Fonction TESTING ##
## - Test de la connectivité Internet ##
## Function TESTING ##
## - Test of Internet access ##
##################################################################
testing ()
{
1126,7 → 1126,6
useradd -r -g havp -s /bin/false -c "system user for havp" havp
mkdir -p /var/tmp/havp /var/log/havp
chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
$SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
# configuration d'HAVP
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1140,6 → 1139,7
$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
# remplacement du fichier d'initialisation
[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
cp -f $DIR_CONF/havp-init /etc/init.d/havp
# on remplace la page d'interception (template)
cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1149,7 → 1149,8
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
# Virus database update
rm -f /var/lib/clamav/*.cld # in case of old database scheme
[ -e /var/lib/clamav/main.cvd ] || /usr/bin/freshclam
cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
/usr/bin/freshclam
}
 
##################################################################################
1507,8 → 1508,9
do
/sbin/chkconfig --add $i
done
# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse)
cat << EOF > /etc/rc.local
 
# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse)
# cat << EOF > /etc/rc.local
#!/bin/sh
#
### BEGIN INIT INFO
1520,29 → 1522,19
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
### END INIT INFO
#
#/etc/init.d/mysqld restart
#sleep 1
#/etc/init.d/radiusd restart
#
#touch /var/lock/subsys/local
#EOF
 
/etc/init.d/mysqld restart
sleep 1
/etc/init.d/radiusd restart
 
touch /var/lock/subsys/local
EOF
# pour éviter les alertes de dépendance entre service.
$SED "s?^# Required-Start.*?# Required-Start: \$local_fs \$network?g" /etc/init.d/mysqld
$SED "s?^# Required-Stop.*?# Required-Stop: \$local_fs \$network?g" /etc/init.d/mysqld
$SED "s?^# Should-Start.*?# Should-Start: radiusd ldap?g" /etc/init.d/httpd
$SED "s?^# Should-Stop.*?# Should-Stop: radiusd ldap?g" /etc/init.d/httpd
# On affecte le niveau de sécurité du système : type "fileserver"
$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 )
$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver
# On applique les préconisations ANSSI (sysctl + msec quand c'est possible)
# Apply French Security Agency rules (sysctl + msec when possible)
# On applique les préconisations ANSSI
# Apply French Security Agency rules
# ignorer les broadcast ICMP. (attaque smurf)
$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# ignorer les erreurs ICMP bogus
$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# désactiver l'envoi et la réponse aux ICMP redirects
sysctl -w net.ipv4.conf.all.accept_redirects=0
1571,7 → 1563,6
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
fi
# activer l'antispoofing niveau Noyau
$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver
sysctl -w net.ipv4.conf.all.rp_filter=1
# ignorer le source routing
sysctl -w net.ipv4.conf.all.accept_source_route=0
1593,34 → 1584,8
fi
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée)
sysctl -w net.ipv4.conf.all.log_martians=0
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver
 
 
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
# On mets en place la sécurité sur les fichiers
# des modif par rapport à radius update
cat <<EOF > /etc/security/msec/perm.local
/var/log/firewall/ root.apache 750
/var/log/firewall/* root.apache 640
/etc/security/msec/perm.local root.root 640
/etc/security/msec/level.local root.root 640
/etc/freeradius-web root.apache 750
/etc/freeradius-web/admin.conf root.apache 640
/etc/freeradius-web/config.php root.apache 640
/etc/raddb/dictionnary root.radius 640
/etc/raddb/ldap.attrmap root.radius 640
/etc/raddb/hints root.radius 640
/etc/raddb/huntgroups root.radius 640
/etc/raddb/attrs.access_reject root.radius 640
/etc/raddb/attrs.accounting_response root.radius 640
/etc/raddb/acct_users root.radius 640
/etc/raddb/preproxy_users root.radius 640
/etc/raddb/modules/ldap radius.apache 660
/etc/raddb/sites-available/alcasar radius.apache 660
/etc/pki/* root.apache 750
EOF
/usr/sbin/msec
# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
# modification /etc/inittab
[ -e /etc/inittab.default ] || cp /etc/inittab /etc/inittab.default
# We keep only 3 TTYs
1630,12 → 1595,17
# switch to multi-users runlevel (instead of x11)
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
# On limite le temps d'attente de grub (3s) et on change la résolution d'écran
# GRUB modifications
# limit wait time to 3s
# create an alcasar entry instead of linux-nonfb
# change display to 1024*768 (vga791)
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst
$SED "s? vga=791??2g" /boot/grub/menu.lst
$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
$SED "/^kernel/s/vga=.*/vga=791/" /boot/grub/menu.lst
 
# Remove unused services and users
for svc in alsa sound dm atd bootlogd stop-bootlogd
for svc in alsa sound dm
do
/sbin/chkconfig --del $svc
done
1706,7 → 1676,7
} # End post_install ()
 
#################################
# Boucle principale du script #
# Main Install loop #
#################################
dir_exec=`dirname "$0"`
if [ $dir_exec != "." ]
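Review bot: In the 1593,34 → 1584,8 hunk the line counts indicate that the `/etc/security/msec/perm.local` heredoc (ownership and mode for `/var/log/firewall`, `/etc/freeradius-web/*`, `/etc/raddb/*` and `/etc/pki/*`) and the `/usr/sbin/msec` run that applies it are dropped, with the `ALLOW_REBOOT=no` setting surviving only as the commented `# ??? $SED ...` line; nothing else in this diff re-applies those permissions, so unless they moved to a hunk outside this page the radius and PKI files stay at whatever mode the packages ship. If the msec-based hardening is being retired deliberately, the replacement (explicit `chown`/`chmod` lines, or a comment stating that msec is no longer used) should be visible in the same commit. Separately, in the 1630,12 → 1595,17 hunk the new `$SED "/^kernel/s/vga=.*/vga=791/" /boot/grub/menu.lst` is greedy: it rewrites everything from the first `vga=` to the end of the kernel line, so any parameter that follows a pre-existing `vga=` entry is silently lost, whereas `s/vga=[^ ]*/vga=791/` changes only that token. Both hunks sit inside post_install(), whose start is outside this view, and the old/new side of these lines is inferred from the hunk counts because the rendered page carries no +/- markers.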