Line 1... |
Line 1... |
1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
2 |
# $Id: alcasar.sh 607 2011-05-21 17:45:34Z richard $
|
2 |
# $Id: alcasar.sh 612 2011-05-22 21:19:27Z richard $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
|
7 |
|
Line 47... |
Line 47... |
47 |
DIR_WEB="/var/www/html" # répertoire racine APACHE
|
47 |
DIR_WEB="/var/www/html" # répertoire racine APACHE
|
48 |
DIR_ACC="$DIR_WEB/acc" # répertoire du centre de gestion 'ALCASAR Control Center'
|
48 |
DIR_ACC="$DIR_WEB/acc" # répertoire du centre de gestion 'ALCASAR Control Center'
|
49 |
DIR_DEST_BIN="/usr/local/bin" # répertoire des scripts
|
49 |
DIR_DEST_BIN="/usr/local/bin" # répertoire des scripts
|
50 |
DIR_DEST_SBIN="/usr/local/sbin" # répertoire des scripts d'admin
|
50 |
DIR_DEST_SBIN="/usr/local/sbin" # répertoire des scripts d'admin
|
51 |
DIR_DEST_ETC="/usr/local/etc" # répertoire des fichiers de conf
|
51 |
DIR_DEST_ETC="/usr/local/etc" # répertoire des fichiers de conf
|
- |
|
52 |
FIC_CONF="$DIR_DEST_ETC/alcasar.conf" # fichier de conf d'alcasar
|
52 |
FIC_PARAM="/root/ALCASAR-parameters.txt" # fichier texte résumant les paramètres d'installation
|
53 |
FIC_PARAM="/root/ALCASAR-parameters.txt" # fichier texte résumant les paramètres d'installation
|
53 |
FIC_PASSWD="/root/ALCASAR-passwords.txt" # fichier texte contenant les mots de passe et secrets partagés
|
54 |
FIC_PASSWD="/root/ALCASAR-passwords.txt" # fichier texte contenant les mots de passe et secrets partagés
|
54 |
# ******* DBMS parameters - paramètres SGBD ********
|
55 |
# ******* DBMS parameters - paramètres SGBD ********
|
55 |
DB_RADIUS="radius" # nom de la base de données utilisée par le serveur FreeRadius
|
56 |
DB_RADIUS="radius" # nom de la base de données utilisée par le serveur FreeRadius
|
56 |
DB_USER="radius" # nom de l'utilisateur de la base de données
|
57 |
DB_USER="radius" # nom de l'utilisateur de la base de données
|
Line 209... |
Line 210... |
209 |
done
|
210 |
done
|
210 |
fi
|
211 |
fi
|
211 |
# On crée aléatoirement les mots de passe et les secrets partagés
|
212 |
# On crée aléatoirement les mots de passe et les secrets partagés
|
212 |
rm -f $FIC_PASSWD
|
213 |
rm -f $FIC_PASSWD
|
213 |
grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # mot de passe de protection du menu Grub
|
214 |
grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # mot de passe de protection du menu Grub
|
214 |
echo -n "mot de passe de protection du menu de démarrage (GRUB) : " > $FIC_PASSWD
|
215 |
echo -n "Password to protect the boot menu (GRUB) : " > $FIC_PASSWD
|
215 |
echo "$grubpwd" >> $FIC_PASSWD
|
216 |
echo "$grubpwd" >> $FIC_PASSWD
|
216 |
md5_grubpwd=`/usr/bin/md5pass $grubpwd`
|
217 |
md5_grubpwd=`/usr/bin/md5pass $grubpwd`
|
217 |
$SED "/^password.*/d" /boot/grub/menu.lst
|
218 |
$SED "/^password.*/d" /boot/grub/menu.lst
|
218 |
$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
|
219 |
$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
|
219 |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # mot de passe de l'administrateur Mysqld
|
220 |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # mot de passe de l'administrateur Mysqld
|
220 |
echo -n "compte et mot de passe de l'administrateur Mysqld : " >> $FIC_PASSWD
|
221 |
echo -n "Name and password of MYSQL administrator : " >> $FIC_PASSWD
|
221 |
echo "root / $mysqlpwd" >> $FIC_PASSWD
|
222 |
echo "root / $mysqlpwd" >> $FIC_PASSWD
|
222 |
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
|
223 |
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
|
223 |
echo -n "compte et mot de passe de l'utilisateur Mysqld : " >> $FIC_PASSWD
|
224 |
echo -n "Name and password of MYSQL user : " >> $FIC_PASSWD
|
224 |
echo "$DB_USER / $radiuspwd" >> $FIC_PASSWD
|
225 |
echo "$DB_USER / $radiuspwd" >> $FIC_PASSWD
|
225 |
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # secret partagé entre intercept.php et coova-chilli
|
226 |
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # secret partagé entre intercept.php et coova-chilli
|
226 |
echo -n "secret partagé entre le script 'intercept.php' et coova-chilli : " >> $FIC_PASSWD
|
227 |
echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $FIC_PASSWD
|
227 |
echo "$secretuam" >> $FIC_PASSWD
|
228 |
echo "$secretuam" >> $FIC_PASSWD
|
228 |
secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # secret partagé entre coova-chilli et FreeRadius
|
229 |
secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # secret partagé entre coova-chilli et FreeRadius
|
229 |
echo -n "secret partagé entre coova-chilli et FreeRadius : " >> $FIC_PASSWD
|
230 |
echo -n "Shared secret between coova-chilli and FreeRadius : " >> $FIC_PASSWD
|
230 |
echo "$secretradius" >> $FIC_PASSWD
|
231 |
echo "$secretradius" >> $FIC_PASSWD
|
231 |
chmod 640 $FIC_PASSWD
|
232 |
chmod 640 $FIC_PASSWD
|
232 |
# On installe les scripts et fichiers de configuration d'ALCASAR
|
233 |
# On installe les scripts et fichiers de configuration d'ALCASAR
|
233 |
# - dans /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log-clean.sh,log-export.sh,mondo.sh,watchdog.sh}
|
234 |
# - dans /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log-clean.sh,log-export.sh,mondo.sh,watchdog.sh}
|
234 |
cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
|
235 |
cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
|
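Review bot: The password file is created under the installer's default umask at new line 215 (`echo -n "Password to protect the boot menu (GRUB) : " > $FIC_PASSWD`) and then filled with the GRUB, MySQL root, MySQL user, UAM and RADIUS secrets, while `chmod 640 $FIC_PASSWD` only restricts it at new line 232, so for the whole of this hunk the file is as readable as the umask allows (typically world-readable; only /root's own directory mode normally limits exposure). Create it restricted before the first write, e.g. replace `rm -f $FIC_PASSWD` with `rm -f "$FIC_PASSWD"; (umask 077; : > "$FIC_PASSWD")` or `install -m 600 /dev/null "$FIC_PASSWD"`, and consider 600 rather than 640 since nothing visible here needs group access. Separately, every secret is `head -c8` of `[:alnum:]`, roughly 47 bits, which is thin for a RADIUS shared secret and the MySQL root password; `head -c16` costs nothing, and `[:alnum:]` should be quoted (`tr -dc '[:alnum:]'`) so the shell cannot glob it against files named a, l, n, u, m or : in the current directory. The GRUB password is also passed on the command line at new line 217 (`md5pass $grubpwd`), which exposes it briefly in the process list to any local user during installation; feeding it via stdin if md5pass supports that, or tolerating the window knowingly with a comment, would be preferable.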
Line 238... |
Line 239... |
238 |
cp -f $DIR_SCRIPTS/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
|
239 |
cp -f $DIR_SCRIPTS/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
|
239 |
$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
|
240 |
$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
|
240 |
$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
|
241 |
$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
|
241 |
$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
|
242 |
$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
|
242 |
$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
|
243 |
$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
|
243 |
# On génère le début du fichier récapitulatif
|
244 |
# generate FIC_PARAM and FIC_CONF
|
244 |
cat <<EOF > $FIC_PARAM
|
245 |
cat <<EOF > $FIC_PARAM
|
245 |
################################################
|
246 |
##########################################
|
246 |
## ##
|
247 |
## ##
|
247 |
## ALCASAR Parameters ##
|
248 |
## ALCASAR Parameters ##
|
248 |
## ##
|
249 |
## ##
|
249 |
################################################
|
250 |
##########################################
|
250 |
|
251 |
|
251 |
- Install date : $DATE
|
252 |
- Install date : $DATE
|
252 |
- Version : $VERSION
|
253 |
- Version : $VERSION
|
253 |
- Organism : $ORGANISME
|
254 |
- Organism : $ORGANISME
|
254 |
EOF
|
255 |
EOF
|
- |
|
256 |
cat <<EOF > $FIC_CONF
|
- |
|
257 |
##########################################
|
- |
|
258 |
## ##
|
- |
|
259 |
## ALCASAR Parameters ##
|
- |
|
260 |
## ##
|
- |
|
261 |
##########################################
|
- |
|
262 |
|
- |
|
263 |
INSTALL_DATE=$DATE
|
- |
|
264 |
VERSION=$VERSION
|
- |
|
265 |
ORGANISM=$ORGANISME
|
- |
|
266 |
EOF
|
255 |
chmod o-rwx $FIC_PARAM
|
267 |
chmod o-rwx $FIC_PARAM $FIC_CONF
|
256 |
} # End of init ()
|
268 |
} # End of init ()
|
257 |
|
269 |
|
258 |
##################################################################
|
270 |
##################################################################
|
259 |
## Fonction network ##
|
271 |
## Fonction network ##
|
260 |
## - Définition du plan d'adressage du réseau de consultation ##
|
272 |
## - Définition du plan d'adressage du réseau de consultation ##
|
Line 333... |
Line 345... |
333 |
echo -e "- WAN IP address ($EXTIF) :\t$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_PARAM
|
345 |
echo -e "- WAN IP address ($EXTIF) :\t$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_PARAM
|
334 |
echo -e "- Gateway IP address :\t\t$PUBLIC_GATEWAY" >> $FIC_PARAM
|
346 |
echo -e "- Gateway IP address :\t\t$PUBLIC_GATEWAY" >> $FIC_PARAM
|
335 |
echo -e "- DNS servers :\t\t\t$DNS1 and $DNS2" >> $FIC_PARAM
|
347 |
echo -e "- DNS servers :\t\t\t$DNS1 and $DNS2" >> $FIC_PARAM
|
336 |
echo -e "- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK" >> $FIC_PARAM
|
348 |
echo -e "- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK" >> $FIC_PARAM
|
337 |
echo -e "- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP" >> $FIC_PARAM
|
349 |
echo -e "- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP" >> $FIC_PARAM
|
338 |
echo "#### ALCASAR Network parameters ####" > $DIR_DEST_ETC/alcasar-network
|
- |
|
339 |
echo "# Lauch the script 'alcasar-network.sh' after your changes" >> $DIR_DEST_ETC/alcasar-network
|
- |
|
340 |
echo "# Lancez le script 'alcasar-network.sh' après vos modifications" >> $DIR_DEST_ETC/alcasar-network
|
- |
|
341 |
echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $DIR_DEST_ETC/alcasar-network
|
350 |
echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_CONF
|
342 |
echo "GW=$PUBLIC_GATEWAY" >> $DIR_DEST_ETC/alcasar-network
|
351 |
echo "GW=$PUBLIC_GATEWAY" >> $FIC_CONF
|
343 |
echo "DNS1=$DNS1" >> $DIR_DEST_ETC/alcasar-network
|
352 |
echo "DNS1=$DNS1" >> $FIC_CONF
|
344 |
echo "DNS2=$DNS2" >> $DIR_DEST_ETC/alcasar-network
|
353 |
echo "DNS2=$DNS2" >> $FIC_CONF
|
345 |
echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $DIR_DEST_ETC/alcasar-network
|
354 |
echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $FIC_CONF
|
346 |
echo "DHCP=on" >> $DIR_DEST_ETC/alcasar-network
|
355 |
echo "DHCP=on" >> $FIC_CONF
|
347 |
echo "DHCP_FIRST=$PRIVATE_DYN_FIRST_IP" >> $DIR_DEST_ETC/alcasar-network
|
356 |
echo "DHCP_FIRST=$PRIVATE_DYN_FIRST_IP" >> $FIC_CONF
|
348 |
echo "DHCP_LAST=$PRIVATE_DYN_LAST_IP" >> $DIR_DEST_ETC/alcasar-network
|
357 |
echo "DHCP_LAST=$PRIVATE_DYN_LAST_IP" >> $FIC_CONF
|
349 |
[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
|
358 |
[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
|
350 |
# Configuration réseau
|
359 |
# Configuration réseau
|
351 |
cat <<EOF > /etc/sysconfig/network
|
360 |
cat <<EOF > /etc/sysconfig/network
|
352 |
NETWORKING=yes
|
361 |
NETWORKING=yes
|
353 |
HOSTNAME="$HOSTNAME"
|
362 |
HOSTNAME="$HOSTNAME"
|
Line 1254... |
Line 1263... |
1254 |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
1263 |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
1255 |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
1264 |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
1256 |
# sshd écoute côté LAN et WAN
|
1265 |
# sshd écoute côté LAN et WAN
|
1257 |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
|
1266 |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
|
1258 |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
|
1267 |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
|
1259 |
# sshd n'est pas lancé automatiquement au démarrage
|
1268 |
# Put the default value in conf file (sshd, QOS, protocols filter and dns filter are off)(web antivirus is on)
|
1260 |
/sbin/chkconfig --del sshd
|
1269 |
/sbin/chkconfig --del sshd
|
1261 |
echo "SSH=off" >> $DIR_DEST_ETC/alcasar-network
|
1270 |
echo "SSH=off" >> $FIC_CONF
|
- |
|
1271 |
echo "QOS=off" >> $FIC_CONF
|
- |
|
1272 |
echo "PROTOCOLS_FILTERING=off" >> $FIC_CONF
|
- |
|
1273 |
echo "DNS_FILTERING=off" >> $FIC_CONF
|
- |
|
1274 |
echo "WEB_ANTIVIRUS=on" >> $FIC_CONF
|
1262 |
# Coloration des prompts
|
1275 |
# Coloration des prompts
|
1263 |
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default
|
1276 |
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default
|
1264 |
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
|
1277 |
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
|
1265 |
# Droits d'exécution pour utilisateur apache et sysadmin
|
1278 |
# Droits d'exécution pour utilisateur apache et sysadmin
|
1266 |
[ -e /etc/sudoers.default ] || cp /etc/sudoers /etc/sudoers.default
|
1279 |
[ -e /etc/sudoers.default ] || cp /etc/sudoers /etc/sudoers.default
|