Subversion Repositories ALCASAR

Compare Revisions

No changes between revisions

Ignore whitespace Rev 2757 → Rev 2758

/alcasar.sh
879,8 → 879,8
[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
 
chown -R apache:apache /var/log/lighttpd
/usr/bin/systemctl start lighttpd
/usr/bin/systemctl start php-fpm
# /usr/bin/systemctl start lighttpd
# /usr/bin/systemctl start php-fpm
 
# Creation of the first account (in 'admin' profile)
if [ "$mode" = "install" ]
1036,16 → 1036,18
nas_type = other
}
EOF
# Set Virtual server (remvove all except "alcasar virtual site")
rm -f /etc/raddb/sites-enabled/*
# Set Virtual server
# Remvoveing all except "alcasar virtual site")
# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled) Change the firewall rules to allow "radius" extern connections.
cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
chown radius:apache /etc/raddb/sites-available/alcasar*
chmod 660 /etc/raddb/sites-available/alcasar*
rm -f /etc/raddb/sites-enabled/*
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
# Set modules
# Add custom LDAP "available module"
# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1054,8 → 1056,7
do
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
done
# INFO : To connect from outside (EAP), add the EAP module (and right accesses to the keys (/etc/pki/tls/private/radius.pem)
# Configure SQL mod
# Configure SQL module
[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1064,6 → 1065,13
$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
# no TLS encryption on 127.0.0.1
$SED "s?^[\t] ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
$SED "s?^[\t] ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
$SED "s?^[\t] ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
$SED "s?^[\t] ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
$SED "s?^[\t] ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
$SED "s?^[\t] ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1286,57 → 1294,83
{
mkdir -p /var/e2guardian /var/log/e2guardian
chown -R e2guardian /var/e2guardian /var/log/e2guardian
# Adapt systemd unit
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
# By default the filter is off
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
 
# Adapt the main conf file
# French deny HTML page
$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
# Listen only on LAN side
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
# DG send its flow to HAVP
$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
# replace the default deny HTML page
cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
# The port that E2guardian listens to
$SED "s?^filterports =*?filteports = 8080?g" $DIR_DG/e2guardian.conf
# DG send its flow to HAVP (127.0.0.1:8090)
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
# Don't log
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
# # Change the default report page
$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
# Disable HTML content control
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
# Disable URL control with regex
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
# Configure E2guardian for large site
# Minimum number of processus to handle connections
$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
# Maximum number of processus to handle connections
$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
# Run at least 8 daemons
$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
# minimum number of processes to spawn
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
# maximum age of a child process before it croaks it
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
# Disable download files control
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
 
# Adapt the first group file (only one for instance)
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
# Reporting (deny page) in HTML
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
 
# Replace the default deny HTML page (only fr & uk)
[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/french/template.html.default
cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
# Dont filtering files by extension or mime-type (empty list)
[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
touch $DIR_DG/lists/bannedextensionlist
touch $DIR_DG/lists/bannedmimetypelist
# 'Safesearch' regex actualisation
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
# empty LAN IP list that won't be WEB filtered
# Empty LAN IP list that won't be WEB filtered
[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
touch $DIR_DG/lists/exceptioniplist
# Keep a copy of URL & domain filter configuration files
# Creation of ALCASAR banned site list
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
cat <<EOF > $DIR_DG/lists/bannedsitelist
# E2guardian domain filter config for ALCASAR
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
#**
# block all SSL and CONNECT tunnels
**s
# block all SSL and CONNECT tunnels specified only as an IP
*ips
# block all sites specified only by an IP
*ip
EOF
# Creation of ALCASAR banned URL list (empty)
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
cat <<EOF > $DIR_DG/lists/bannedurllist
# E2guardian filter config for ALCASAR
EOF
# Creation of file for the rehabilited domains and urls
[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
touch $DIR_DG/lists/exceptionsitelist
touch $DIR_DG/lists/exceptionurllist
# Add Bing to the safesearch url regext list (parental control)
[ -e $DIR_DG/lists/urlregexplist.default ] || mv $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
cat <<EOF >> $DIR_DG/lists/urlregexplist
# Bing - add 'adlt=strict'
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
EOF
# 'Safesearch' regex actualisation
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
# change the google safesearch ("safe=strict" instead of "safe=vss")
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
} # End of e2guardian()
 
##################################################################
1825,33 → 1859,6
rm -rf $DIR_DG/lists/blacklists
mkdir -p /tmp/blacklists
cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
# creation of file for the rehabilited domains and urls
[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
touch $DIR_DG/lists/exceptionsitelist
touch $DIR_DG/lists/exceptionurllist
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
cat <<EOF > $DIR_DG/lists/bannedurllist
# E2guardian filter config for ALCASAR
EOF
cat <<EOF > $DIR_DG/lists/bannedsitelist
# E2guardian domain filter config for ALCASAR
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
#**
# block all SSL and CONNECT tunnels
**s
# block all SSL and CONNECT tunnels specified only as an IP
*ips
# block all sites specified only by an IP
*ip
EOF
# Add Bing to the safesearch url regext list (parental control)
cat <<EOF >> $DIR_DG/lists/urlregexplist
# Bing - add 'adlt=strict'
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
EOF
# change the google safesearch ("safe=strict" instead of "safe=vss")
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
mkdir -p $DIR_DG/lists/blacklists/ossi-bl
touch $DIR_DG/lists/blacklists/ossi-bl/domains
2471,7 → 2478,7
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
mode="update"
fi
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
do
$func
if [ $DEBUG_ALCASAR == "on" ]
/rpms/x86_64/freeradius-3.0.19-1.1.mga7.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Added: svn:mime-type
+application/octet-stream
\ No newline at end of property
/rpms/x86_64/freeradius-ldap-3.0.19-1.1.mga7.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Added: svn:mime-type
+application/octet-stream
\ No newline at end of property
/rpms/x86_64/freeradius-mysql-3.0.19-1.1.mga7.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Added: svn:mime-type
+application/octet-stream
\ No newline at end of property
/scripts/alcasar-CA.sh
28,6 → 28,7
ORGANIZATION="ALCASAR-Team"
 
mkdir $DIR_TMP || exit 1
[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:apache $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
# dynamic conf file for openssl
cat <<EOF >$DIR_TMP/ssl.conf
RANDFILE = $HOME/.rnd
234,6 → 235,6
rm -rf $DIR_TMP
exit 0
else
echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"
exit 1
fi
/scripts/alcasar-uninstall.sh
98,15 → 98,22
 
e2guardian ()
{
echo -en "(8) : "
echo -en "(15) : "
[ -d /var/e2guardian ] && rm -rf /var/e2guardian && echo -n "1, "
[ -e /etc/e2guardian/e2guardian.conf.default ] && mv /etc/e2guardian/e2guardian.conf.default /etc/e2guardian/e2guardian.conf && echo -n "2, "
[ -e /etc/e2guardian/lists/bannedphraselist.default ] && mv /etc/e2guardian/lists/bannedphraselist.default /etc/e2guardian/lists/bannedphraselist && echo -n "3, "
[ -e /etc/e2guardian/e2guardianf1.conf.default ] && mv /etc/e2guardian/e2guardianf1.conf.default /etc/e2guardian/e2guardianf1.conf && echo -n "4, "
[ -e /etc/e2guardian/lists/bannedextensionlist.default ] && mv /etc/e2guardian/lists/bannedextensionlist.default /etc/e2guardian/lists/bannedextensionlist && echo -n "5, "
[ -e /etc/e2guardian/lists/bannedmimetypelist.default ] && mv /etc/e2guardian/lists/bannedmimetypelist.default /etc/e2guardian/lists/bannedmimetypelist && echo -n "6, "
[ -e /etc/e2guardian/lists/exceptioniplist.default ] && mv /etc/e2guardian/lists/exceptioniplist.default /etc/e2guardian/lists/exceptioniplist && echo -n "7, "
[ -e /etc/e2guardian/lists/bannedsitelist.default ] && mv /etc/e2guardian/lists/bannedsitelist.default /etc/e2guardian/lists/bannedsitelist && echo -n "8"
[ -e /lib/systemd/system/e2guardian.service.default ] && mv /lib/systemd/system/e2guardian.service.default /lib/systemd/system/e2guardian.service && echo -n "2, "
[ -e /etc/e2guardian/e2guardian.conf.default ] && mv /etc/e2guardian/e2guardian.conf.default /etc/e2guardian/e2guardian.conf && echo -n "3, "
[ -e /etc/e2guardian/lists/bannedphraselist.default ] && mv /etc/e2guardian/lists/bannedphraselist.default /etc/e2guardian/lists/bannedphraselist && echo -n "4, "
[ -e /etc/e2guardian/e2guardianf1.conf.default ] && mv /etc/e2guardian/e2guardianf1.conf.default /etc/e2guardian/e2guardianf1.conf && echo -n "5, "
[ -e /usr/share/e2guardian/languages/french/template.html.default ] && mv /usr/share/e2guardian/languages/french/template.html.default /usr/share/e2guardian/languages/french/template.html && echo -n "6, "
[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] && mv /usr/share/e2guardian/languages/ukenglish/template.html.default /usr/share/e2guardian/languages/ukenglish/template.html && echo -n "7, "
[ -e /etc/e2guardian/lists/bannedextensionlist.default ] && mv /etc/e2guardian/lists/bannedextensionlist.default /etc/e2guardian/lists/bannedextensionlist && echo -n "8, "
[ -e /etc/e2guardian/lists/bannedmimetypelist.default ] && mv /etc/e2guardian/lists/bannedmimetypelist.default /etc/e2guardian/lists/bannedmimetypelist && echo -n "9, "
[ -e /etc/e2guardian/lists/exceptioniplist.default ] && mv /etc/e2guardian/lists/exceptioniplist.default /etc/e2guardian/lists/exceptioniplist && echo -n "10, "
[ -e /etc/e2guardian/lists/bannedsitelist.default ] && mv /etc/e2guardian/lists/bannedsitelist.default /etc/e2guardian/lists/bannedsitelist && echo -n "11, "
[ -e /etc/e2guardian/lists/bannedurllist.default ] && mv /etc/e2guardian/lists/bannedurllist.default /etc/e2guardian/lists/bannedurllist && echo -n "12, "
[ -e /etc/e2guardian/lists/exceptionsitelist.default ] && mv /etc/e2guardian/lists/exceptionsitelist.default /etc/e2guardian/lists/exceptionsitelist && echo -n "13, "
[ -e /etc/e2guardian/lists/exceptionurllist.default ] && mv /etc/e2guardian/lists/exceptionurllist.default /etc/e2guardian/lists/exceptionurllist && echo -n "14, "
[ -e /etc/e2guardian/lists/urlregexplist.default ] && mv /etc/e2guardian/lists/urlregexplist.default /etc/e2guardian/lists/urlregexplist && echo -n "15"
}
 
antivirus ()
/scripts/alcasar-urpmi.sh
14,7 → 14,7
# The kernel version we compile netflow for
KERNEL="kernel-server-5.3.7-4.mga7-1-1.mga7"
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm unbound e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server netcat-traditional gammu wkhtmltopdf"
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm unbound e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg2 ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop dos2unix p7zip bc msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server netcat-traditional gammu wkhtmltopdf"
 
rpm_repository_sync ()
{
227,6 → 227,36
urpmi --clean
# the ipt-netflow RPM add the kernel module ipt_NETFLOW (the modules dependance tree need to be updated)
/sbin/depmod -a
# test if all needed rpms are correctly installed
count_pkg=0; nb_pkg=0;
for pkg in $PACKAGES
do
nb_pkg=`expr $nb_pkg + 1`
if rpm -q --quiet $pkg ; then
count_pkg=`expr $count_pkg + 1`
else
echo "error installing $pkg"
fi
done
if [ $count_pkg -ne $nb_pkg ]
then
exit 1
fi
# test if all custom rpms are correctly installed
#count_pkg=0; nb_pkg=0;
#for pkg in `ls rpms/$ARCH/|tr -d .rpm`
#do
# nb_pkg=`expr $nb_pkg + 1`
# if rpm -q --quiet $pkg ; then
# count_pkg=`expr $count_pkg + 1`
# else
# echo "error installing $pkg"
# fi
#done
#if [ $count_pkg -ne $nb_pkg ]
#then
# exit 1
#fi
# fix some RPM versions
echo "/^kernel/" > /etc/urpmi/skip.list
echo "/^freeradius/" >> /etc/urpmi/skip.list