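--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 1003 2013-01-03 18:53:02Z richard $ 
+#  $Id: alcasar.sh 1005 2013-01-04 15:11:35Z richard $ 
 
 # alcasar.sh
 
 # ALCASAR - Portail captif d'accès à l'Internet -  Copyright (C) [2005] [ALcasar team - Rexy - 3abtux - ...] 
 # Ce programme est un logiciel libre ; vous pouvez le redistribuer et/ou le modifier au titre des clauses de la Licence Publique Générale GNU, 
@@ -97,12 +97,12 @@
 	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
 	echo "-----------------------------------------------------------------------------"
 } # End of header_install ()
 
 ##################################################################
-##			Fonction TESTING			##
-## - Test de la connectivité Internet				##
+##			Function TESTING			##
+## - Test of Internet access					##
 ##################################################################
 testing ()
 {
 	if [ $Lang == "fr" ]
 		then echo -n "Tests des paramètres réseau : "
@@ -1124,11 +1124,10 @@
 	fi
 	groupadd -f havp
 	useradd -r -g havp -s /bin/false -c "system user for havp" havp
 	mkdir -p /var/tmp/havp /var/log/havp
 	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
-	$SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
 # configuration d'HAVP
 	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
 	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
 	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on 8090			
 	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
@@ -1138,20 +1137,22 @@
 	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
 	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
 	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
 # remplacement du fichier d'initialisation
 	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
+# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
 	cp -f $DIR_CONF/havp-init /etc/init.d/havp
 # on remplace la page d'interception (template)
 	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
 	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
 # automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
 	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
 	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
 # Virus database update
 	rm -f /var/lib/clamav/*.cld # in case of old database scheme
-	[ -e /var/lib/clamav/main.cvd ] || /usr/bin/freshclam
+	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
+	/usr/bin/freshclam
 }
 
 ##################################################################################
 ##			param_ulogd function					##
 ## - Ulog config for multi-log files 						##
@@ -1505,12 +1506,13 @@
 # processus lancés par défaut au démarrage
 	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
 	do
 		/sbin/chkconfig --add $i
 	done
-# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse)
-	cat << EOF > /etc/rc.local
+
+	# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse)
+#	cat << EOF > /etc/rc.local
 #!/bin/sh
 #
 ### BEGIN INIT INFO
 # Provides: rc.local
 # X-Mandriva-Compat-Mode
@@ -1518,33 +1520,23 @@
 # Short-Description: Local initialization script
 # Description: This script will be executed *after* all the other init scripts.
 #              You can put your own initialization stuff in here if you don't
 #              want to do the full Sys V style init stuff.
 ### END INIT INFO
+#
+#/etc/init.d/mysqld restart
+#sleep 1
+#/etc/init.d/radiusd restart
+#
+#touch /var/lock/subsys/local
+#EOF
 
-/etc/init.d/mysqld restart
-sleep 1
-/etc/init.d/radiusd restart
-
-touch /var/lock/subsys/local
-EOF
-# pour éviter les alertes de dépendance entre service.
-	$SED "s?^# Required-Start.*?# Required-Start: \$local_fs \$network?g" /etc/init.d/mysqld
-	$SED "s?^# Required-Stop.*?# Required-Stop: \$local_fs \$network?g" /etc/init.d/mysqld
-	$SED "s?^# Should-Start.*?# Should-Start: radiusd ldap?g" /etc/init.d/httpd
-	$SED "s?^# Should-Stop.*?# Should-Stop: radiusd ldap?g" /etc/init.d/httpd
-# On affecte le niveau de sécurité du système : type "fileserver"
-	$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
-# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 )
-	$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver
-# On applique les préconisations ANSSI (sysctl + msec quand c'est possible)
-# Apply French Security Agency rules (sysctl + msec when possible)
+# On applique les préconisations ANSSI
+# Apply French Security Agency rules
 # ignorer les broadcast ICMP. (attaque smurf) 
-$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver
 sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
 # ignorer les erreurs ICMP bogus
-$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver
 sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
 # désactiver l'envoi et la réponse aux ICMP redirects
 sysctl -w net.ipv4.conf.all.accept_redirects=0
 accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
 	if [ "$accept_redirect" == "0" ]
@@ -1569,11 +1561,10 @@
 		echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
 	else
 		$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
 	fi
 # activer l'antispoofing niveau Noyau
-$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver
 sysctl -w net.ipv4.conf.all.rp_filter=1
 # ignorer le source routing
 sysctl -w net.ipv4.conf.all.accept_source_route=0
 accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
 	if [ "$accept_source_route" == "0" ]
@@ -1591,53 +1582,32 @@
 	else
 		$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
 	fi
 # suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée) 
 sysctl -w net.ipv4.conf.all.log_martians=0
-$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver
-
-
 # On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
-	$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
-# On mets en place la sécurité sur les fichiers
-# des modif par rapport à radius update
-	cat <<EOF > /etc/security/msec/perm.local
-/var/log/firewall/			root.apache	750
-/var/log/firewall/*			root.apache	640
-/etc/security/msec/perm.local		root.root	640
-/etc/security/msec/level.local		root.root	640
-/etc/freeradius-web			root.apache	750
-/etc/freeradius-web/admin.conf		root.apache	640
-/etc/freeradius-web/config.php		root.apache	640
-/etc/raddb/dictionnary			root.radius	640
-/etc/raddb/ldap.attrmap			root.radius	640
-/etc/raddb/hints			root.radius	640
-/etc/raddb/huntgroups			root.radius	640
-/etc/raddb/attrs.access_reject		root.radius	640
-/etc/raddb/attrs.accounting_response	root.radius	640
-/etc/raddb/acct_users			root.radius	640
-/etc/raddb/preproxy_users		root.radius	640
-/etc/raddb/modules/ldap			radius.apache	660
-/etc/raddb/sites-available/alcasar	radius.apache	660
-/etc/pki/*				root.apache	750
-EOF
-	/usr/sbin/msec
+# ???	$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
 # modification /etc/inittab
 	[ -e /etc/inittab.default ] || cp /etc/inittab /etc/inittab.default
 # We keep only 3 TTYs
 	$SED "s?^4.*?#&?g" /etc/inittab
 	$SED "s?^5.*?#&?g" /etc/inittab
 	$SED "s?^6.*?#&?g" /etc/inittab
 # switch to multi-users runlevel (instead of x11)
 ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
 $SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
-# On limite le temps d'attente de grub (3s) et on change la résolution d'écran
+#	GRUB modifications
+# limit wait time to 3s
+# create an alcasar entry instead of linux-nonfb
+# change display to 1024*768 (vga791)
 $SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
-$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst
-$SED "s? vga=791??2g" /boot/grub/menu.lst
+$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
+$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
+$SED "/^kernel/s/vga=.*/vga=791/" /boot/grub/menu.lst
+
 # Remove unused services and users
-for svc in alsa sound dm atd bootlogd stop-bootlogd
+for svc in alsa sound dm 
 do
 	/sbin/chkconfig --del $svc
 done
 for rm_users in avahi-autoipd avahi icapd
 do
@@ -1704,11 +1674,11 @@
 	sleep 2
 	reboot
 } # End post_install ()
 
 #################################
-#  Boucle principale du script  #
+#  	Main Install loop  	#
 #################################
 dir_exec=`dirname "$0"`
 if [ $dir_exec != "." ]
 then
 	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"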
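Review bot: Dropping the perm.local heredoc and the `/usr/sbin/msec` run (old lines 1601-1623 of the post_install hunk) removes the step that tightened ownership and modes on /etc/raddb/*, /etc/freeradius-web/*, /etc/pki/* and /var/log/firewall, and nothing on the new side of this diff applies those permissions another way, so after install they appear to stay at package defaults. If msec is being retired, carry the entries over as explicit chown/chmod pairs, e.g. `chown root:radius /etc/raddb/hints && chmod 640 /etc/raddb/hints`, or keep the heredoc and drop only the msec call. New line 1588 leaves the ALLOW_REBOOT setting as `# ???`, which should be either restored or replaced by a comment stating why the Ctrl-Alt-Del restriction is no longer applied here. The enclosing post_install function starts outside the hunk.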