
Ignore whitespace Rev 2487 → Rev 2488

/scripts/alcasar-CA.sh
17,6 → 17,7
SRVREQ=$DIR_CERT/alcasar.req
SRVKEY=$DIR_CERT/private/alcasar.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVPEM=$DIR_CERT/private/alcasar.pem
SRVCHAIN=$DIR_CERT/certs/server-chain.crt
 
CACERT_LIFETIME="1460"
218,6 → 219,7
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
rm -f $SRVREQ
cp -f $SRVCERT $SRVCHAIN # in order to simplify the official intranet certificate import process
cat $SRVKEY $SRVCERT > $SRVPEM
chmod a+r $CACERT $SRVCERT $SRVCHAIN
 
# Link certs in ALCASAR Control Center
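Review bot: `$SRVPEM` holds the server private key, but the 218 hunk creates it with a plain `cat $SRVKEY $SRVCERT > $SRVPEM` and the `chmod a+r` line after it does not cover it, so its owner and mode come from the umask the script runs under unless they are set outside the hunk. Creating the file under a restrictive umask and then setting ownership explicitly would close that: `( umask 077; cat "$SRVKEY" "$SRVCERT" > "$SRVPEM" )` followed by `chown root:apache "$SRVPEM"; chmod 640 "$SRVPEM"`. The same concatenation is added in alcasar-certificates.sh, alcasar-conf.sh and alcasar-importcert.sh, where it is followed by `chmod 750`; that leaves the same creation window and puts execute bits on key material, so the same pattern applies there. Whether group `apache` is still the right reader once lighttpd serves the file is not visible on this page and should be confirmed.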
/scripts/alcasar-activity_report.sh
165,7 → 165,7
#get timestamp of X day ago. Then we get every packets chich have been updated since this date.
if [ $(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l) -gt 1 ]
then
PACKAGE='php|apache|iptables|dnsmasq|radius|tinyproxy|nfdump|dansguardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget'
PACKAGE='php|lighttpd|iptables|dnsmasq|radius|tinyproxy|nfdump|dansguardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget'
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR
do
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1)
/scripts/alcasar-archive.sh
18,7 → 18,7
DIR_SAVE="/var/Save" # répertoire accessible par webs
DIR_LOG="/var/log" # répertoire local des log
 
#DIR_SERVICE="squid httpd firewall" # répertoires contenant des logs utiles à exporter
#DIR_SERVICE="squid lighttpd firewall" # répertoires contenant des logs utiles à exporter
DIR_BASE="$DIR_SAVE/base" # répertoire de sauvegarde de la base de données usagers
DIR_ARCHIVE="$DIR_SAVE/archive" # répertoire de sauvegarde des archives de log
NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment
/scripts/alcasar-certificates.sh
43,7 → 43,7
# Export of server Certificate
tar rvf $FILE.tar $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,certs/server-chain.crt}
gzip $FILE.tar
echo "Le ficher des certificats exportés est : $FILE.tar.gz"
echo "Le fichier des certificats exportés est : $FILE.tar.gz"
} # end function export
 
 
73,13 → 73,16
 
# Import of CA Certificate
tar xzvf $1 --directory=$DIR_IMPORT
cat $DIR_PKI/tls/private/alcasar.key $DIR_PKI/tls/certs/alcasar.crt > $DIR_PKI/tls/private/alcasar.pem
echo "Import new certificates in ALCASAR !!!"
cp -r $DIR_IMPORT/* /.
chown root:apache $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
chown root:apache $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,certs/server-chain.crt}
chown root:apache $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.crt}
 
# Service apache restart
service httpd restart
chmod 750 $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
chmod 750 $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.crt}
 
service lighttpd restart
else
echo "You are not import new certificates !!!"
exit 0
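Review bot: In the import hunk the added `cat $DIR_PKI/tls/private/alcasar.key $DIR_PKI/tls/certs/alcasar.crt > $DIR_PKI/tls/private/alcasar.pem` sits before `cp -r $DIR_IMPORT/* /.`, so as rendered here the bundle is assembled from the key and certificate that were on disk before the import. lighttpd would then be restarted with the previous pair while the `.key` and `.crt` files already hold the new one. Moving that `cat` line to just after the `cp -r` keeps the PEM in step with the imported files. The enclosing function starts and ends outside the hunk, so any later regeneration of the PEM is not visible here.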
/scripts/alcasar-conf.sh
125,6 → 125,7
cp -f $DIR_UPDATE/alcasar-ca.key* /etc/pki/CA/private/ # autosigned & official
cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/
cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/
cat /etc/pki/tls/private/alcasar.key /etc/pki/tls/certs/alcasar.crt > /etc/pki/tls/private/alcasar.pem
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt* /etc/pki/tls/certs/ # autosigned and official if exist
chown -R root:apache /etc/pki
chmod -R 750 /etc/pki
252,11 → 253,10
$DIR_BIN/alcasar-logout.sh all
# Services stop
echo -n "Stop services : "
for i in ntpd tinyproxy dnsmasq dnsmasq-whitelist dnsmasq-blacklist dnsmasq-blackhole chilli network
for i in ntpd tinyproxy dnsmasq dnsmasq-whitelist dnsmasq-blacklist dnsmasq-blackhole chilli network lighttpd
do
/usr/bin/systemctl stop $i && echo -n "$i, "
done
/usr/bin/kill -s SIGSTOP $(pidof httpd)
echo
fi
# EXTIF config
324,16 → 324,10
[ `grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2` == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http"
$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf
$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
# Set hostname in Apache
$SED "s/^ServerName.*/ServerName $HOSTNAME.$DOMAIN/g" /etc/httpd/conf/httpd.conf
$SED "s/^\tErrorDocument.*/\tErrorDocument 404 https:\/\/$HOSTNAME.$DOMAIN\//g" /etc/httpd/conf/webapps.d/alcasar.conf
$SED "s/^\tAuthDigestDomain.*/\tAuthDigestDomain $HOSTNAME.$DOMAIN/g" /etc/httpd/conf/webapps.d/alcasar.conf
$SED "s/^ ServerName.*/ ServerName $HOSTNAME.$DOMAIN/g" /etc/httpd/conf/sites.d/00_default_vhosts.conf /etc/httpd/conf/sites.d/00_default_ssl_vhost.conf /etc/httpd/conf/vhosts-ssl.default
# Alcasar Control Center (ACC)
$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
FIC_MOD_SSL=`find /etc/httpd/conf/ -type f -name ssl.conf`
$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL
$SED "/127.0.0.1/!s?Allow from .*?Allow from $PRIVATE_NETWORK_MASK?g" /etc/httpd/conf/webapps.d/alcasar.conf
# Set hostname in Lighttpd
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
# FreeRADIUS Web
$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf
$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf
384,8 → 378,7
/usr/bin/systemctl start $i && echo -n ", $i"
done
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", dnsmasq-blacklist, dnsmasq-whitelist, iptables"
/usr/bin/kill -s SIGCONT $(pidof httpd)
/usr/bin/systemctl reload httpd && echo -n ", httpd"
/usr/bin/systemctl restart lighttpd && echo -n ", lighttpd"
fi
# Start / Stop SSH Daemon
ssh_active=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`
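Review bot: The lighttpd lines added in the 324 hunk do not re-create the network restriction that the removed Apache lines maintained. The old code pinned `Listen` to `$PRIVATE_IP` and rewrote `Allow from` to `$PRIVATE_NETWORK_MASK`, while the new code only sets `server.bind`, the `:443` socket condition and `var.server_name`. It should be confirmed that `/etc/lighttpd/vhosts.d/alcasar.conf` limits access to the Control Center by source address (lighttpd's `$HTTP["remoteip"]` condition is the usual place) and that this script updates that rule when `$PRIVATE_NETWORK_MASK` changes. `server.bind` is also set to `$HOSTNAME.$DOMAIN` rather than `$PRIVATE_IP`, so the listening address now depends on how that name resolves on the host; binding to the address directly would keep the previous behaviour.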
/scripts/alcasar-daemon.sh
10,7 → 10,7
conf_file="/usr/local/etc/alcasar.conf"
SSH=`grep ^SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
SERVICES="mysqld httpd ntpd havp dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd tinyproxy nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat"
SERVICES="mysqld lighttpd ntpd havp dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd tinyproxy nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat"
nb_available_srv=`echo $SERVICES|wc -w`
 
function ServiceTest () {
/scripts/alcasar-importcert.sh
40,6 → 40,9
then
mv $DIR_CERT/certs/server-chain.crt.old $DIR_CERT/certs/server-chain.crt
fi
cat $DIR_CERT/private/alcasar.key $DIR_CERT/certs/alcasar.crt > $DIR_CERT/private/alcasar.pem
chown root:apache $DIR_CERT/private/alcasar.pem
chmod 750 $DIR_CERT/private/alcasar.pem
}
 
function domainName() # change the domain name in the conf files
80,12 → 83,15
 
cp $cert $DIR_CERT/certs/alcasar.crt
cp $key $DIR_CERT/private/alcasar.key
cat $DIR_CERT/private/alcasar.key $DIR_CERT/certs/alcasar.crt > $DIR_CERT/private/alcasar.pem
 
chown root:apache $DIR_CERT/certs/alcasar.crt
chown root:apache $DIR_CERT/private/alcasar.key
chown root:apache $DIR_CERT/private/alcasar.pem
 
chmod 750 $DIR_CERT/certs/alcasar.crt
chmod 750 $DIR_CERT/private/alcasar.key
chmod 750 $DIR_CERT/private/alcasar.pem
 
if [ "$sc" != "" ]
then
164,7 → 170,7
fi
domainName $cert
certImport $cert $key $sc
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist httpd
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist lighttpd
do
echo "restarting $services"; systemctl restart $services; sleep 1
done
175,7 → 181,7
echo "Restoring default certificate"
defaultCert
defaultNdd
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist httpd
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist lighttpd
do
echo "restarting $services"; systemctl restart $services; sleep 1
done
/scripts/alcasar-profil.sh
8,6 → 8,7
# Gestion des comptes liés aux profiles
# Manage the profil logins
 
DIR_BIN="/usr/local/bin" # scripts directory
ADM_PROFIL="admin"
PROFILS="backup manager"
ALL_PROFILS=`echo $ADM_PROFIL $PROFILS`
14,7 → 15,50
DIR_KEY="/usr/local/etc/digest"
SED="/bin/sed -i"
Lang=`echo $LANG|cut -c 1-2`
REALM="ALCASAR Control Center (ACC)"
 
# génère le htdigest
function htdigest () {
passwdfile="$1"
username="$2"
 
[ -f "$passwdfile" ] || touch "$passwdfile"
 
[ $(grep -c "${username}:${REALM}:" "$passwdfile") ] && existing_user=0 || existing_user=1
 
if [ $existing_user -eq 1 ]; then
echo "Changing password for user $username in realm $REALM"
else
echo "Adding user $username in realm $REALM"
fi
 
equal=0
 
while [ $equal -eq 0 ]; do
echo -n "New password: "
read -s pass_1
echo
echo -n "Confirm the new password: "
read -s pass_2
echo
 
if [ "$pass_1" != "$pass_2" ]; then
echo -e "\nThe passwords don't match.\n"
else
equal=1
fi
done
 
digest="${username}:${REALM}:"
digest+=$(echo -n "${username}:${REALM}:${pass_1}" | md5sum | cut -d" " -f1)
 
if [ $existing_user -eq 0 ]; then
echo "$digest" >> "$passwdfile"
else
sed -i "s/${username}:${REALM}:.*/${digest}/" "$passwdfile"
fi
}
 
# liste les comptes de chaque profile
function list () {
for i in $ALL_PROFILS
50,9 → 94,10
chmod 640 $DIR_KEY/key_*
}
 
usage="Usage: alcasar-profil.sh [-l|--list] [-a|--add] [-d|--del] [-p|--pass]"
usage="Usage: alcasar-profil.sh [-l|--list] [-a|--add [profil]] [-d|--del] [-p|--pass]"
nb_args=$#
args=$1
arg1=$1
arg2=$2
 
# on met en place la structure minimale
if [ ! -e $DIR_KEY/key_$ADM_PROFIL ]
73,21 → 118,26
echo $usage
exit 0
fi
case $args in
case $arg1 in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
--add|-a)
# ajout d'un compte
list
if [ $Lang == "fr" ]
if [ $nb_args -eq 1 ]
then
echo -n "Choisissez un profil ($ALL_PROFILS) : "
# ajout d'un compte
list
if [ $Lang == "fr" ]
then
echo -n "Choisissez un profil ($ALL_PROFILS) : "
else
echo -n "Select a profile ($ALL_PROFILS) : "
fi
read profil
else
echo -n "Select a profile ($ALL_PROFILS) : "
profil="$2"
fi
read profil
if [ $Lang == "fr" ]
then
echo -n "Entrez le nom du compte à créer (profil '$profil') : "
112,7 → 162,7
fi
done
done
/usr/bin/htdigest $DIR_KEY/key_only_$profil "ALCASAR Control Center (ACC)" $account
htdigest $DIR_KEY/key_only_$profil "$account"
concat
list
;;
151,8 → 201,8
for j in $tmp_account
do
if [ "$j" = "$account" ]
then
/usr/bin/htdigest $DIR_KEY/key_only_$i "ALCASAR Control Center (ACC)" $account
then
htdigest $DIR_KEY/key_only_$i "$account"
fi
done
done
159,7 → 209,7
concat
;;
--list|-l)
# liste des comptes par profile
# liste des comptes par profil
list
;;
*)
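Review bot: In the new `htdigest` function the existence test `[ $(grep -c "${username}:${REALM}:" "$passwdfile") ]` is always true, because `grep -c` prints a count (including `0`) and `[ string ]` only checks for a non-empty string. `existing_user` is therefore always 0 and the function always takes the append branch. On the `--pass` path that leaves the previous `user:realm:hash` line in the key file next to the new one, so the old password may remain valid depending on which entry the server matches first. Testing grep's exit status, with the flag set the way the later branches read it, fixes this: `grep -q "^${username}:${REALM}:" "$passwdfile" && existing_user=1 || existing_user=0`, with the `sed` expression anchored by `^` in the same way. `read -s` should also be `read -rs` so that backslashes in a password are taken literally.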
/scripts/alcasar-uninstall.sh
20,18 → 20,24
 
ACC ()
{
echo -en "(11) : "
echo -en "(7) : "
[ -d /var/www/html ] && rm -rf /var/www/html && echo -n "1, "
[ -d /etc/freeradius-web ] && rm -rf /etc/freeradius-webl && echo -n "2, "
[ -e /etc/php.ini.default ] && mv -f /etc/php.ini.default /etc/php.ini && echo -n "3, "
[ -e /etc/httpd/conf/httpd.conf.default ] && mv /etc/httpd/conf/httpd.conf.default /etc/httpd/conf/httpd.conf && echo -n "4, "
[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] && mv /etc/httpd/conf/modules.d/00_base.conf.default /etc/httpd/conf/modules.d/00_base.conf && echo -n "5, "
[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] && mv /etc/httpd/conf/conf.d/ssl.conf.default /etc/httpd/conf/conf.d/ssl.conf && echo -n "6, "
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] && mv /etc/httpd/conf/conf.d/multilang-errordoc.conf.default /etc/httpd/conf/conf.d/multilang-errordoc.conf && echo -n "7, "
[ -e /usr/share/httpd/error/include/top.html.default ] && mv /usr/share/httpd/error/include/top.html.default /usr/share/httpd/error/include/top.html && echo -n "8, "
[ -e /usr/share/httpd/error/include/bottom.html.default ] && mv /usr/share/httpd/error/include/bottom.html.default /usr/share/httpd/error/include/top.html && echo -n "9, "
[ -d /usr/local/etc/digest ] && rm -rf /usr/local/etc/digest && echo -n "10, "
[ -e /etc/httpd/conf/webapps.d/alcasar.conf ] && rm -f /etc/httpd/conf/webapps.d/alcasar.conf && echo -n "11"
[ -e /etc/lighttpd/lighttpd.conf.default ] && mv /etc/lighttpd/lighttpd.conf.default /etc/lighttpd/lighttpd.conf && echo -n "4, "
[ -e /etc/lighttpd/modules.conf.default ] && mv /etc/lighttpd/modules.conf.default /etc/lighttpd/modules.conf && echo -n "5, "
[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] && mv /etc/lighttpd/conf.d/fastcgi.conf.default /etc/lighttpd/conf.d/fastcgi.conf && echo -n "6, "
[ -d /usr/local/etc/digest ] && rm -rf /usr/local/etc/digest && echo -n "7, "
[ -e /etc/lighttpd/vhosts.d/alcasar.conf ] && rm -f /etc/lighttpd/vhosts.d/alcasar.conf && echo -n "8"
# Removing old Apache configuration
[ -e /etc/httpd/conf/httpd.conf.default ] && mv /etc/httpd/conf/httpd.conf.default /etc/httpd/conf/httpd.conf
[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] && mv /etc/httpd/conf/modules.d/00_base.conf.default /etc/httpd/conf/modules.d/00_base.conf
[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] && mv /etc/httpd/conf/conf.d/ssl.conf.default /etc/httpd/conf/conf.d/ssl.conf
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] && mv /etc/httpd/conf/conf.d/multilang-errordoc.conf.default /etc/httpd/conf/conf.d/multilang-errordoc.conf
[ -e /usr/share/httpd/error/include/top.html.default ] && mv /usr/share/httpd/error/include/top.html.default /usr/share/httpd/error/include/top.html
[ -e /usr/share/httpd/error/include/bottom.html.default ] && mv /usr/share/httpd/error/include/bottom.html.default /usr/share/httpd/error/include/top.html
[ -e /etc/httpd/conf/webapps.d/alcasar.conf ] && rm -f /etc/httpd/conf/webapps.d/alcasar.conf
}
 
CA ()
41,7 → 47,10
[ -e /etc/pki/CA/private/alcasar-ca.key ] && rm -f /etc/pki/CA/private/alcasar-ca.key && echo -n "2, "
[ -e /etc/pki/tls/certs/alcasar.crt ] && rm -f /etc/pki/tls/certs/alcasar.crt && echo -n "3, "
[ -e /etc/pki/tls/private/alcasar.key ] && rm -f /etc/pki/tls/private/alcasar.key && echo -n "4, "
[ -e /etc/httpd/conf/vhosts-ssl.default ] && FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf` && mv /etc/httpd/conf/vhosts-ssl.default $FIC_VIRTUAL_SSL && echo -n "5"
[ -e /etc/pki/tls/private/alcasar.pem ] && rm -f /etc/pki/tls/private/alcasar.pem && echo -n "5"
# Removing old Apache configuration
[ -e /etc/httpd/conf/vhosts-ssl.default ] && FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf*` && mv /etc/httpd/conf/vhosts-ssl.default $FIC_VIRTUAL_SSL
}
 
time_server ()
274,7 → 283,7
echo "----------------------------------------------------------------------------"
echo "** Uninstall/Désinstallation d'ALCASAR **"
echo "----------------------------------------------------------------------------"
services="alcasar-load_balancing vnstat havp freshclam ntpd httpd radiusd mysqld dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy nfsen fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability dansguardian dnsmasq sshd chilli"
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy nfsen fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability dansguardian dnsmasq sshd chilli"
/usr/local/bin/alcasar-logout.sh all # logout everybody
else
echo "--------------------------------------------------------------------------"
281,9 → 290,12
echo "** update/mise à jour d'ALCASAR **"
echo "--------------------------------------------------------------------------"
# dnsmasq & sshd should stay on to allow remote update
services="alcasar-load_balancing vnstat havp freshclam ntpd httpd radiusd mysqld dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy nfsen fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability dansguardian chilli"
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy nfsen fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability dansguardian chilli"
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update
fi
 
[ -e /lib/systemd/system/httpd.service ] && services+=" httpd"
 
echo "Stopping service : "
/usr/local/bin/alcasar-sms.sh --stop
for i in $services
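Review bot: The relocated Apache clean-up in `ACC ()` still restores `bottom.html.default` onto `top.html` (`mv /usr/share/httpd/error/include/bottom.html.default /usr/share/httpd/error/include/top.html`), which overwrites the file restored on the line before and never puts `bottom.html` back. The destination should be `/usr/share/httpd/error/include/bottom.html`. The progress header now prints `(7) :` while the steps are numbered up to 8. In `CA ()` the pattern in `find /etc/httpd/conf -type f -name *default_ssl_vhost.conf*` is unquoted, so the shell may expand it against the current directory before `find` sees it, and the following `mv` misbehaves if `find` returns no path or several. Quoting the pattern and `"$FIC_VIRTUAL_SSL"` avoids that.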
/scripts/alcasar-urpmi.sh
14,7 → 14,7
# The kernel version we compile netflow for
KERNEL="kernel-server-4.14.18-1.mga6-1-1.mga6"
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap apache apache-mod_ssl apache-mod_php dansguardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron gammu usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq netcat-traditional"
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm dansguardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron gammu usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq netcat-traditional"
 
rpm_repository_sync ()
{
214,7 → 214,7
else
echo "Nettoyage du système : "
fi
rm_rpm="shorewall mandi squid plymouth cpupower"
rm_rpm="shorewall mandi squid plymouth cpupower apache apache-mod_php apache-mod_ssl"
/usr/sbin/urpme --auto -a $rm_rpm
/usr/sbin/urpme --auto --auto-orphans