396,7 → 396,9 |
USERCTL=no |
EOF |
# Configuration de l'interface eth1 (réseau de consultation) |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF |
# utile uniquement pour le mode bypass (cf. alcasar-bypass.sh) |
rm -f /etc/sysconfig/network-scripts/ifcfg-$INTIF |
cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF |
DEVICE=$INTIF |
BOOTPROTO=static |
IPADDR=$PRIVATE_IP |
848,6 → 850,7 |
uamserver https://$HOSTNAME/intercept.php |
radiusnasid $HOSTNAME |
uamsecret $secretuam |
uamallowed alcasar |
coaport 3799 |
include $DIR_DEST_ETC/alcasar-uamallowed |
include $DIR_DEST_ETC/alcasar-uamdomain |
1296,6 → 1299,8 |
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf |
# sshd écoute côté LAN et WAN |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config |
1344,7 → 1349,6 |
$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf |
# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 ) |
$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver |
|
# On applique les préconisations ANSSI (sysctl + msec quand c'est possible) |
# Apply French Security Agency rules (sysctl + msec when possible) |
# ignorer les broadcast ICMP. (attaque smurf) |
1398,12 → 1402,13 |
then |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf |
else |
$SED "s?timeout_established.*?itimeout_established = 3600?g" /etc/sysctl.conf |
$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf |
fi |
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée) |
sysctl -w net.ipv4.conf.all.log_martians=0 |
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver |
|
|
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys |
$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver |
# On mets en place la sécurité sur les fichiers |
1439,7 → 1444,7 |
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst |
$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst |
# On supprime les services et les utilisateurs inutiles |
for svc in alsa sound dm atd netfs bootlogd stop-bootlogd |
for svc in alsa sound dm atd bootlogd stop-bootlogd |
do |
/sbin/chkconfig --del $svc |
done |