WebSVN – ALCASAR – Diff – /alcasar.sh

 #!/bin/bash
-#  $Id: alcasar.sh 1215 2013-09-18 22:08:14Z richard $
+#  $Id: alcasar.sh 1219 2013-09-20 13:41:29Z crox53 $
 # alcasar.sh
 # ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
 # Ce programme est un logiciel libre ; This software is free and open source
 # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
 # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
 # Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
 # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
+#
-# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav  and firewalleyes
+# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav
 # Options :
 #       -i or --install
 #       -u or --uninstall
 ##              Fonction param_nfsen			##
 ##########################################################
 param_nfsen()
+{
 #Decompression tarball
-	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
+tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
 #Création groupe et utilisteur
-	if grep "^www-data:" /etc/group > /dev/null; then
+if grep "^www-data:" /etc/group > /dev/null; then
-		echo "Group already exists !"
+	echo "Group already exists !"
-	else
+else
-		groupadd www-data
+	groupadd www-data
-		echo "Group 'www-data' created !"
+	echo "Group 'www-data' created !"
-	fi
+fi
-	if grep "^nfsen:" /etc/passwd > /dev/null; then
+if grep "^nfsen:" /etc/passwd > /dev/null; then
-		echo "User already exists !"
+	echo "User already exists !"
-	else
+else
-		useradd -m nfsen
+	useradd -m nfsen
-		echo "User 'nfsen' created !"
+	echo "User 'nfsen' created !"
-	fi
+fi
-	usermod -G www-data nfsen
+usermod -G www-data nfsen
 #Ajout du plugin nfsen : PortTracker
-	mkdir -p /var/www/nfsen/plugins
+mkdir -p /var/www/nfsen/plugins
-	chown -R nfsen:www-data /var/www/nfsen
+chown -R nfsen:www-data /var/www/nfsen
 #Ajout du plugin PortTracker
-	mkdir -p /var/log/netflow/porttracker /usr/share/nfsen/plugins
+mkdir -p /var/log/netflow/porttracker
+mkdir -p /usr/share/nfsen/plugins
-	chown -R apache:apache /var/log/netflow/porttracker /usr/share/nfsen
+chown -R apache:apache /usr/share/nfsen
-	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
+cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
+chown apache /var/log/netflow/porttracker
 #Copie du fichier de conf modifié de nfsen
-	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
+cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
 #Copie du script d'initialisation de nfsen
-	cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
+cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
+systemctl enable nfsen.service
 #Installation de nfsen via le scrip Perl
-	DirTmp=$(pwd)
+DirTmp=$(pwd)
-	cd /tmp/nfsen-1.3.6p1/
+cd /tmp/nfsen-1.3.6p1/
-	/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
+/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
-	/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
+/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
 #Création de la DB pour rrdtool
-	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
+cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
-	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
+cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
-	sudo -u apache nftrack -I -d /var/log/netflow/porttracker
+sudo -u apache nftrack -I -d /var/log/netflow/porttracker
-	chown -R apache:www-data /var/log/netflow/porttracker/
+chown -R apache:www-data /var/log/netflow/porttracker/
-	chmod -R 775 /var/log/netflow/porttracker
+chmod -R 775 /var/log/netflow/porttracker
 #Configuration du fichier de conf d'apache
-	if [ -f /etc/httpd/conf.d/nfsen.conf ];then
+if [ -f /etc/httpd/conf.d/nfsen.conf ];then
-		rm -f /etc/httpd/conf.d/nfsen.conf
+	rm -f /etc/httpd/conf.d/nfsen.conf
-	fi
+fi
-	cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
+cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
 Alias /nfsen /var/www/nfsen
 <Directory /var/www/nfsen/>
 DirectoryIndex nfsen.php
 Options -Indexes
 AllowOverride all
 php_flag magic_quotes_gpc on
 php_flag track_vars on
 </Directory>
 EOF
 #Configuration du délais d'expiration des captures du profile "live"
-	nfsen -m live -e 62d
+nfsen -m live -e 62d
 #Suppression des sources de nfsen
-	cd $DirTmp
+cd $DirTmp
-	rm -rf /tmp/nfsen-1.3.6p1/
+rm -rf /tmp/nfsen-1.3.6p1/
 } # End of param_nfsen
 ##########################################################
 ##		Fonction param_dnsmasq			##
 ##########################################################
 server=$DNS1
 server=$DNS2
 EOF
 # Init file modification
-	[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
+[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
 # Start and stop a 2nd process for the "DNS blackhole"
-	cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
+cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
 # Start after chilli (65) which create tun0
-	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
+$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
 # Optionnellement on pré-active les logs DNS des clients
-	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
+[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
-	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g"  /etc/sysconfig/dnsmasq
+$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g"  /etc/sysconfig/dnsmasq
 # Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
-	echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
+echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
 # Optionnellement, exemple de configuration avec un A.D.
-	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
+echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
 } # End dnsmasq
 ##########################################################
 ##		Fonction BL (BlackList)			##
 ##########################################################
 # mise à jour automatique de la distribution tous les jours 3h30
 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
 EOF
 	cat << EOF > /etc/cron.d/alcasar-netflow
 # mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
-0 * * 5  root $DIR_DEST_BIN/alcasar-netflow.sh
+0 * * 1  root $DIR_DEST_BIN/alcasar-netflow.sh
 EOF
 # mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
 # on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
 # 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
 	do
 	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
 	done
 # export des logs en 'retard' dans /var/Save/logs
 	/usr/local/bin/alcasar-log.sh --export
-# creation of the unit of alcasar-load_balancing
+# processus lancés par défaut au démarrage
+	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam nfsen
+	do
+		/sbin/chkconfig --add $i
+	done
-	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
+cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
 #  This file is part of systemd.
+#
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU General Public License as published by
 #  the Free Software Foundation; either version 2 of the License, or
 SysVStartPriority=99
 [Install]
 WantedBy=multi-user.target
 EOF
-# process launch at boot time
-	for service in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
-	do
-		/sbin/chkconfig --add $service
-	done
-	for service in alcasar-load_balancing.service nfsen.service
+systemctl enable alcasar-load_balancing.service
-	do
-		 /bin/systemctl enable $service
-	done
 # On applique les préconisations ANSSI
 # Apply French Security Agency rules
 # ignorer les broadcast ICMP. (attaque smurf)
-	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
+sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
 # ignorer les erreurs ICMP bogus
-	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
 # désactiver l'envoi et la réponse aux ICMP redirects
-	sysctl -w net.ipv4.conf.all.accept_redirects=0
+sysctl -w net.ipv4.conf.all.accept_redirects=0
-	accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
+accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
 	if [ "$accept_redirect" == "0" ]
 	then
 		echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
 	else
 		$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
 			mode="install"
 		fi
 		for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
 		do
 			$func
-# echo "*** 'debug' : end of function $func ***"; read a
+ echo "*** 'debug' : end of function $func ***"; read a
 		done
 		;;
 	-u | --uninstall)
 		if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
 		then

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 1215 → 1219