WebSVN – ALCASAR – Diff – /alcasar.sh



#!/bin/bash
#  $Id: alcasar.sh 2818 2020-05-10 21:53:28Z rexy $
 
# alcasar.sh
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
# This script is distributed under the Gnu General Public License (GPL)
#  team@alcasar.net

	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
	ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
 
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
 

		until [ -s $DIR_DEST_ETC/digest/key_admin ]
		do
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
		done
	fi
 
# Creation of ACC certs links
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
# Run lighttpd after coova (in order waiting tun0 to be up)
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
	# Log file for ACC access imputability
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
	chown root:apache /var/Save/security/acc_access.log
	chmod 664 /var/Save/security/acc_access.log

radiusserver1	127.0.0.1
radiusserver2	127.0.0.1
radiussecret	$secretradius
radiusauthport	1812
radiusacctport	1813
uamserver	http://$HOSTNAME.$DOMAIN/intercept.php
redirurl
radiusnasid	$HOSTNAME.$DOMAIN
uamsecret	$secretuam
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
coaport		3799

#dhcpgateway		none
#dhcprelayagent		none
#dhcpgatewayport	none
sslkeyfile	/etc/pki/tls/private/alcasar.key
sslcertfile	/etc/pki/tls/certs/alcasar.crt
#redirssl
#uamuissl
EOF
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
# create files for trusted domains and urls

# sshd liste on EXTIF & INTIF
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
# sshd authorized certificate for root login
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
# ALCASAR conf file
	echo "HTTPS_LOGIN=off" >> $CONF_FILE
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
	echo "SSH=on" >> $CONF_FILE
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
	echo "LDAP=off" >> $CONF_FILE
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE

Rev 2815	Rev 2818
Line 1...	Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar.sh 2815 2020-05-03 22:10:04Z rexy $`	2	`# $Id: alcasar.sh 2818 2020-05-10 21:53:28Z rexy $`
3		3
4	`# alcasar.sh`	4	`# alcasar.sh`
5	`# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)`	5	`# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`# team@alcasar.net`	7	`# team@alcasar.net`
Line 848...	Line 848...
848	`cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/`	848	`cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/`
849	`$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf`	849	`$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf`
850	`$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf`	850	`$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf`
851	`$SED "s/^\([\t ]\)var.server_name./\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf`	851	`$SED "s/^\([\t ]\)var.server_name./\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf`
852	`$SED "s/^\([\t ]\)var.server_name./\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf`	852	`$SED "s/^\([\t ]\)var.server_name./\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf`
853	`ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf`	853	`ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf`
854		854
855	`[ -d /var/log/lighttpd ] \|\| mkdir /var/log/lighttpd`	855	`[ -d /var/log/lighttpd ] \|\| mkdir /var/log/lighttpd`
856	`[ -e /var/log/lighttpd/access.log ] \|\| touch /var/log/lighttpd/access.log`	856	`[ -e /var/log/lighttpd/access.log ] \|\| touch /var/log/lighttpd/access.log`
857	`[ -e /var/log/lighttpd/error.log ] \|\| touch /var/log/lighttpd/error.log`	857	`[ -e /var/log/lighttpd/error.log ] \|\| touch /var/log/lighttpd/error.log`
858		858
Line 873...	Line 873...
873	`until [ -s $DIR_DEST_ETC/digest/key_admin ]`	873	`until [ -s $DIR_DEST_ETC/digest/key_admin ]`
874	`do`	874	`do`
875	`$DIR_DEST_BIN/alcasar-profil.sh --add admin`	875	`$DIR_DEST_BIN/alcasar-profil.sh --add admin`
876	`done`	876	`done`
877	`fi`	877	`fi`
878		-
-		878	`# Creation of ACC certs links`
-		879	`[ -d /var/www/html/certs ] \|\| mkdir /var/www/html/certs`
-		880	`ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt`
879	`# Run lighttpd after coova (in order waiting tun0 to be up)`	881	`# Run lighttpd after coova (in order waiting tun0 to be up)`
880	`$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service`	882	`$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service`
881	`# Log file for ACC access imputability`	883	`# Log file for ACC access imputability`
882	`[ -e /var/Save/security/acc_access.log ] \|\| touch /var/Save/security/acc_access.log`	884	`[ -e /var/Save/security/acc_access.log ] \|\| touch /var/Save/security/acc_access.log`
883	`chown root:apache /var/Save/security/acc_access.log`	885	`chown root:apache /var/Save/security/acc_access.log`
884	`chmod 664 /var/Save/security/acc_access.log`	886	`chmod 664 /var/Save/security/acc_access.log`
Line 1213...	Line 1215...
1213	`radiusserver1 127.0.0.1`	1215	`radiusserver1 127.0.0.1`
1214	`radiusserver2 127.0.0.1`	1216	`radiusserver2 127.0.0.1`
1215	`radiussecret $secretradius`	1217	`radiussecret $secretradius`
1216	`radiusauthport 1812`	1218	`radiusauthport 1812`
1217	`radiusacctport 1813`	1219	`radiusacctport 1813`
1218	`uamserver https://$HOSTNAME.$DOMAIN/intercept.php`	1220	`uamserver http://$HOSTNAME.$DOMAIN/intercept.php`
1219	`redirurl`	1221	`redirurl`
1220	`radiusnasid $HOSTNAME.$DOMAIN`	1222	`radiusnasid $HOSTNAME.$DOMAIN`
1221	`uamsecret $secretuam`	1223	`uamsecret $secretuam`
1222	`uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN`	1224	`uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN`
1223	`coaport 3799`	1225	`coaport 3799`
Line 1230...	Line 1232...
1230	`#dhcpgateway none`	1232	`#dhcpgateway none`
1231	`#dhcprelayagent none`	1233	`#dhcprelayagent none`
1232	`#dhcpgatewayport none`	1234	`#dhcpgatewayport none`
1233	`sslkeyfile /etc/pki/tls/private/alcasar.key`	1235	`sslkeyfile /etc/pki/tls/private/alcasar.key`
1234	`sslcertfile /etc/pki/tls/certs/alcasar.crt`	1236	`sslcertfile /etc/pki/tls/certs/alcasar.crt`
1235	`redirssl`	1237	`#redirssl`
1236	`uamuissl`	1238	`#uamuissl`
1237	`EOF`	1239	`EOF`
1238	`# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)`	1240	`# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)`
1239	`echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers`	1241	`echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers`
1240	`echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info`	1242	`echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info`
1241	`# create files for trusted domains and urls`	1243	`# create files for trusted domains and urls`
Line 2133...	Line 2135...
2133	`# sshd liste on EXTIF & INTIF`	2135	`# sshd liste on EXTIF & INTIF`
2134	`$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config`	2136	`$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config`
2135	`# sshd authorized certificate for root login`	2137	`# sshd authorized certificate for root login`
2136	`$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config`	2138	`$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config`
2137	`# ALCASAR conf file`	2139	`# ALCASAR conf file`
2138	`echo "HTTPS_LOGIN=on" >> $CONF_FILE`	2140	`echo "HTTPS_LOGIN=off" >> $CONF_FILE`
2139	`echo "HTTPS_CHILLI=off" >> $CONF_FILE`	2141	`echo "HTTPS_CHILLI=off" >> $CONF_FILE`
2140	`echo "SSH=on" >> $CONF_FILE`	2142	`echo "SSH=on" >> $CONF_FILE`
2141	`echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE`	2143	`echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE`
2142	`echo "LDAP=off" >> $CONF_FILE`	2144	`echo "LDAP=off" >> $CONF_FILE`
2143	`echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE`	2145	`echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE`

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2705 – Rev 2815 → 2818