Subversion Repositories ALCASAR

Rev

Rev 2886 | Rev 2888 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2886 Rev 2887
Line 1... Line 1...
1 
#!/bin/bash
 1 
#!/bin/bash
2 
#  $Id: alcasar.sh 2886 2020-11-23 22:50:01Z rexy $
 2 
#  $Id: alcasar.sh 2887 2020-11-26 22:08:42Z rexy $
3 
 
 3 
 
4 
# alcasar.sh
 4 
# alcasar.sh
5 
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 5 
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6 
# This script is distributed under the Gnu General Public License (GPL)
 6 
# This script is distributed under the Gnu General Public License (GPL)
7 
#  team@alcasar.net
 7 
#  team@alcasar.net
Line 795... Line 795...
795 
# create the log & backup structure :
 795 
# create the log & backup structure :
796 
# - base = users database
 796 
# - base = users database
797 
# - archive = tarball of "base + http firewall + netflow"
 797 
# - archive = tarball of "base + http firewall + netflow"
798 
# - security = watchdog log
 798 
# - security = watchdog log
799 
# - conf_file = archive conf file (usefull in updating process)
 799 
# - conf_file = archive conf file (usefull in updating process)
800 
        for i in base archive security activity_report conf_file;
 800 
        for i in base archive security activity_report iot_captures;
801 
        do
 801 
        do
802 
                [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
 802 
                [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
803 
        done
 803 
        done
804 
        chown -R root:apache $DIR_SAVE
 804 
        chown -R root:apache $DIR_SAVE
805 
# Configuring & securing php
 805 
# Configuring & securing php
- 
 
 806 
        [ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
- 
 
 807 
        timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
- 
 
 808 
        $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
806 
        [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
 809 
        [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
807 
        timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
 - 
 
808 
        $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
 - 
 
809 
        $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
 810 
        $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
810 
        $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
 811 
        $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
811 
        $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
 812 
        $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
812 
        $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
 813 
        $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
813 
        $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
 814 
        $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
Line 872... Line 873...
872 
        [ -d /var/www/html/certs ] || mkdir /var/www/html/certs
 873 
        [ -d /var/www/html/certs ] || mkdir /var/www/html/certs
873 
        ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
 874 
        ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
874 
# Run lighttpd after coova (in order waiting tun0 to be up)
 875 
# Run lighttpd after coova (in order waiting tun0 to be up)
875 
        $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
 876 
        $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
876 
        # Log file for ACC access imputability
 877 
        # Log file for ACC access imputability
877 
        [ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
 878 
        [ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
878 
        chown root:apache /var/Save/security/acc_access.log
 879 
        chown root:apache $DIR_SAVE/security/acc_access.log
879 
        chmod 664 /var/Save/security/acc_access.log
 880 
        chmod 664 $DIR_SAVE/security/acc_access.log
880 
} # End of ACC()
 881 
} # End of ACC()
881 
 
 882 
 
882 
#############################################################
 883 
#############################################################
883 
##               Function "time_server"                    ##
 884 
##               Function "time_server"                    ##
884 
## - Configuring NTP server                                ##
 885 
## - Configuring NTP server                                ##
Line 1929... Line 1930...
1929 
ignoreregex =
 1930 
ignoreregex =
1930 
EOF
 1931 
EOF
1931 
 
 1932 
 
1932 
# allow reading of 2 log files (fail2ban & watchdog).
 1933 
# allow reading of 2 log files (fail2ban & watchdog).
1933 
        [ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
 1934 
        [ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1934 
        [ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
 1935 
        [ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
1935 
        chmod 644 /var/log/fail2ban.log
 1936 
        chmod 644 /var/log/fail2ban.log
1936 
        chmod 644 /var/Save/security/watchdog.log
 1937 
        chmod 644 $DIR_SAVE/security/watchdog.log
1937 
        /usr/bin/touch /var/log/auth.log
 1938 
        /usr/bin/touch /var/log/auth.log
1938 
# fail2ban unit
 1939 
# fail2ban unit
1939 
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
 1940 
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1940 
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
 1941 
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1941 
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
 1942 
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
Line 2277... Line 2278...
2277 
        fi
 2278 
        fi
2278 
        /usr/bin/update-grub2
 2279 
        /usr/bin/update-grub2
2279 
# Load and apply the previous conf file
 2280 
# Load and apply the previous conf file
2280 
        if [ "$mode" = "update" ]
 2281 
        if [ "$mode" = "update" ]
2281 
        then
 2282 
        then
2282 
                $DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
 2283 
                $DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in $DIR_SAVE/archive
2283 
                $DIR_DEST_BIN/alcasar-conf.sh --load
 2284 
                $DIR_DEST_BIN/alcasar-conf.sh --load
2284 
                PARENT_SCRIPT=`basename $0`
 2285 
                PARENT_SCRIPT=`basename $0`
2285 
                export PARENT_SCRIPT # to avoid stop&start process during the installation process
 2286 
                export PARENT_SCRIPT # to avoid stop&start process during the installation process
2286 
                $DIR_DEST_BIN/alcasar-conf.sh --apply
 2287 
                $DIR_DEST_BIN/alcasar-conf.sh --apply
2287 
                $DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
 2288 
                $DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf