
Rev 2886 Rev 2887
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2886 2020-11-23 22:50:01Z rexy $
2
#  $Id: alcasar.sh 2887 2020-11-26 22:08:42Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
Line 795... Line 795...
795
# create the log & backup structure :
795
# create the log & backup structure :
796
# - base = users database
796
# - base = users database
797
# - archive = tarball of "base + http firewall + netflow"
797
# - archive = tarball of "base + http firewall + netflow"
798
# - security = watchdog log
798
# - security = watchdog log
799
# - conf_file = archive conf file (usefull in updating process)
799
# - conf_file = archive conf file (usefull in updating process)
800
        for i in base archive security activity_report conf_file;
800
        for i in base archive security activity_report iot_captures;
801
        do
801
        do
802
                [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
802
                [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
803
        done
803
        done
804
        chown -R root:apache $DIR_SAVE
804
        chown -R root:apache $DIR_SAVE
805
# Configuring & securing php
805
# Configuring & securing php
-
 
806
        [ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
-
 
807
        timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
-
 
808
        $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
806
        [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
809
        [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
807
        timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
-
 
808
        $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
-
 
809
        $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
810
        $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
810
        $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
811
        $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
811
        $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
812
        $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
812
        $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
813
        $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
813
        $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
814
        $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
Line 872... Line 873...
872
        [ -d /var/www/html/certs ] || mkdir /var/www/html/certs
873
        [ -d /var/www/html/certs ] || mkdir /var/www/html/certs
873
        ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
874
        ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
874
# Run lighttpd after coova (in order waiting tun0 to be up)
875
# Run lighttpd after coova (in order waiting tun0 to be up)
875
        $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
876
        $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
876
        # Log file for ACC access imputability
877
        # Log file for ACC access imputability
877
        [ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
878
        [ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
878
        chown root:apache /var/Save/security/acc_access.log
879
        chown root:apache $DIR_SAVE/security/acc_access.log
879
        chmod 664 /var/Save/security/acc_access.log
880
        chmod 664 $DIR_SAVE/security/acc_access.log
880
} # End of ACC()
881
} # End of ACC()
881
 
882
 
882
#############################################################
883
#############################################################
883
##               Function "time_server"                    ##
884
##               Function "time_server"                    ##
884
## - Configuring NTP server                                ##
885
## - Configuring NTP server                                ##
Line 1929... Line 1930...
1929
ignoreregex =
1930
ignoreregex =
1930
EOF
1931
EOF
1931
 
1932
 
1932
# allow reading of 2 log files (fail2ban & watchdog).
1933
# allow reading of 2 log files (fail2ban & watchdog).
1933
        [ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1934
        [ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1934
        [ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
1935
        [ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
1935
        chmod 644 /var/log/fail2ban.log
1936
        chmod 644 /var/log/fail2ban.log
1936
        chmod 644 /var/Save/security/watchdog.log
1937
        chmod 644 $DIR_SAVE/security/watchdog.log
1937
        /usr/bin/touch /var/log/auth.log
1938
        /usr/bin/touch /var/log/auth.log
1938
# fail2ban unit
1939
# fail2ban unit
1939
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1940
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1940
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1941
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1941
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1942
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
Line 2277... Line 2278...
2277
        fi
2278
        fi
2278
        /usr/bin/update-grub2
2279
        /usr/bin/update-grub2
2279
# Load and apply the previous conf file
2280
# Load and apply the previous conf file
2280
        if [ "$mode" = "update" ]
2281
        if [ "$mode" = "update" ]
2281
        then
2282
        then
2282
                $DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2283
                $DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in $DIR_SAVE/archive
2283
                $DIR_DEST_BIN/alcasar-conf.sh --load
2284
                $DIR_DEST_BIN/alcasar-conf.sh --load
2284
                PARENT_SCRIPT=`basename $0`
2285
                PARENT_SCRIPT=`basename $0`
2285
                export PARENT_SCRIPT # to avoid stop&start process during the installation process
2286
                export PARENT_SCRIPT # to avoid stop&start process during the installation process
2286
                $DIR_DEST_BIN/alcasar-conf.sh --apply
2287
                $DIR_DEST_BIN/alcasar-conf.sh --apply
2287
                $DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2288
                $DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
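Review bot: The backup guard added at new line 806 tests the wrong path: `[ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default` runs `cp` only when the source file is missing, so no pristine copy is saved before `$SED` edits the file in place at new line 808, and `cp` fails when the file is absent. It should test the backup, as the `php.ini` line just below does: `[ -e /etc/php.d/05_date.ini.default ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default`. This reads the right-hand column as Rev 2887, and the enclosing function starts outside the displayed lines. In the same hunk, the comment block above the `for` loop still documents `conf_file` and has no entry for the new `iot_captures` directory.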