Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 674 → Rev 675

/scripts/alcasar-CA.sh
1,13 → 1,13
#!/bin/bash
#!/bin/sh
# $Id$
 
# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 
# Création de la PKI et des certificats ALCASAR - Plusieurs idées ont été récupéées dans le script "nessus-mkcert" de Renaud Deraison et Michel Arboi
# Creation of the ALCASAR PKI and certificates - Some ideas are from "nessus-mkcert" script written by Renaud Deraison and Michel Arboi
 
#
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
# and Michel Arboi <arboi@alussinan.org>
#
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
DIR_PKI=/etc/pki
DIR_CERT=$DIR_PKI/tls
14,9 → 14,10
DIR_WEB=/var/www/html
CACERT=$DIR_PKI/CA/alcasar-ca.crt
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
SRVREQ=$DIR_CERT/alcasar.req
SRVKEY=$DIR_CERT/private/alcasar.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVKEY=$DIR_CERT/private/alcasar.key
SRVREQ=$DIR_CERT/alcasar.req
SRVCHAIN=$DIR_CERT/certs/server-chain.crt
 
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="1460"
216,8 → 217,10
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
rm -f $SRVREQ
chmod a+r $CACERT $SRVCERT
cp -f $SRVCERT $SRVCHAIN # in order to simplify the official intranet certificate import process
chmod a+r $CACERT $SRVCERT $SRVCHAIN
 
# Link certs in ALCASAR Control Center
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
then
[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
/scripts/alcasar-iptables.sh
1,17 → 1,16
#!/bin/bash
#!/bin/sh
# $Id$
 
# alcasar-iptables.sh
# by Rexy - 3abtux - CPN
# This script is distributed under the Gnu General Public License (GPL)
 
# Mise en place des regles du parefeu d'Alcasar (mode normal)
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script write the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders
# There are three channels for log :
# 1 (default) for tracability;
# 2 for secure admin (ssh);
# 3 for exterior access attempts.
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
 
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2`
35,7 → 34,7
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
EXTIF="eth0"
EXTIF="eth0"
INTIF="eth1"
TUNIF="tun0" # listen card for chilli daemon
IPTABLES="/sbin/iptables"
66,20 → 65,12
# Tout passe sur loopback
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
# On élimine les paquets "NEW not SYN"
# Ensure that TCP connections start with syn packets
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
 
#############################
# INTIF rules #
#############################
# les requètes dhcp entrantes sont acceptées
# accept dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
 
# La règle suivante interdit la sortie par INTIF. Elle n'est utile que lorsque chilli est arrêté.
# INTIF is closed (all by TUNIF)
# interdit l'accès à INTIF (n'est utile que lorsque chilli est arrêté).
# Reject INTIF access (only when chilli is down)
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
$IPTABLES -A INPUT -i $INTIF -j REJECT
 
86,14 → 77,15
#############################
# Local protection rules #
#############################
# On stoppe les tentatives de NULLSCAN et XMAS (tous flags à 1)
# Drop XMAS & NULLscans
# On stoppe les demande de connexions non conformes (NullScan, XMAS (tous flags à 1), NEW not SYN, etc.)
# Drop non standard connexions (NULLscans, XMAS, "NEW not SYN", etc.)
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
 
# On stoppe les broadcasts et multicast
# On ne traite pas les broadcasts et multicast
# Drop broadcast & multicast
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
/scripts/alcasar-conf.sh
111,7 → 111,11
cp -f /etc/pki/tls/private/alcasar.key $DIR_UPDATE
cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE
cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE
[ -e /etc/pki/tls/certs/server-chain.crt ] && cp -f /etc/pki/tls/certs/server-chain.crt $DIR_UPDATE # cas d'un certificat officiel
if [ -e /etc/pki/tls/certs/server-chain.crt ]; then
cp -f /etc/pki/tls/certs/server-chain.crt $DIR_UPDATE
else
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.crt
fi
fi
# si version < 2.2
if [ $MAJ_RUNNING_VERSION -lt 2 ] || ([ $MAJ_RUNNING_VERSION -eq 2 ] && [ $MIN_RUNNING_VERSION -lt 2 ])
192,11 → 196,7
[ -e $DIR_UPDATE/alcasar-ca.key ] && cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/
[ -e $DIR_UPDATE/alcasar.crt ] && cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/
[ -e $DIR_UPDATE/alcasar.key ] && cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/
if [ -e $DIR_UPDATE/server-chain.crt ]; then # si un certificat officiel est installé
cp -f $DIR_UPDATE/server-chain.crt /etc/pki/tls/certs/
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl*`
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?g" $FIC_VIRTUAL_SSL
fi
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt /etc/pki/tls/certs/
chown -R root:apache /etc/pki
chmod -R 750 /etc/pki
# Import de la dernière base usagers