
Rev 2887 Rev 2888
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2887 2020-11-26 22:08:42Z rexy $
2
#  $Id: alcasar.sh 2888 2020-11-29 18:13:41Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
# Functions :
26
# Functions :
27
#       testing                 : connectivity tests, free space test and mageia version test
27
#       testing                 : connectivity tests, free space test and mageia version test
28
#       init                    : Installation of RPM and scripts
28
#       init                    : Installation of RPM and scripts
29
#       network                 : Network parameters
29
#       network                 : Network parameters
30
#       ACC                             : ALCASAR Control Center installation
30
#       ACC                             : ALCASAR Control Center installation
31
#       CA                              : Certification Authority initialization
31
#       CA                              : Certification Authority initialization
32
#       time_server             : NTPd configuration
32
#       time_server             : NTPd configuration
33
#       init_db                 : Initilization of radius database managed with MariaDB
33
#       init_db                 : Initilization of radius database managed with MariaDB
34
#       freeradius              : FreeRadius initialisation
34
#       freeradius              : FreeRadius initialisation
35
#       chilli                  : coovachilli initialisation (+authentication page)
35
#       chilli                  : coovachilli initialisation (+authentication page)
36
#       e2guardian              : E2Guardian filtering HTTP proxy configuration
36
#       e2guardian              : E2Guardian filtering HTTP proxy configuration
37
#       antivirus               : clamav & freshclam configuration
37
#       antivirus               : clamav & freshclam configuration
38
#       ulogd                   : log system in userland (match NFLOG target of iptables)
38
#       ulogd                   : log system in userland (match NFLOG target of iptables)
39
#       nfsen                   : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
39
#       nfsen                   : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
40
#       unbound                 : Name server configuration
40
#       unbound                 : Name server configuration
41
#       dnsmasq                 : Name server configuration (for whitelist ipset support)
41
#       dnsmasq                 : Name server configuration (for whitelist ipset support)
42
#       vnstat                  : little network stat daemon
42
#       vnstat                  : little network stat daemon
43
#       BL                              : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
43
#       BL                              : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
44
#       cron                    : Logs export + watchdog + connexion statistics
44
#       cron                    : Logs export + watchdog + connexion statistics
45
#       fail2ban                : Fail2ban IDS installation and configuration
45
#       fail2ban                : Fail2ban IDS installation and configuration
46
#       gammu_smsd              : Autoregister addon via SMS (gammu-smsd)
46
#       gammu_smsd              : Autoregister addon via SMS (gammu-smsd)
47
#       msec                    : Mandriva security package configuration
47
#       msec                    : Mandriva security package configuration
48
#       letsencrypt             : Let's Encrypt client
48
#       letsencrypt             : Let's Encrypt client
49
#       post_install    : Security, log rotation, etc.
49
#       post_install    : Security, log rotation, etc.
50
 
50
 
51
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR       # Debug mode = wait (hit key) after each function
51
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR       # Debug mode = wait (hit key) after each function
52
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
54
Lang=`echo $LANG|cut -c 1-2`
54
Lang=`echo $LANG|cut -c 1-2`
55
mode="install"
55
mode="install"
56
# ******* Files parameters - paramètres fichiers *********
56
# ******* Files parameters - paramètres fichiers *********
57
DIR_INSTALL=`pwd`                                               # current directory
57
DIR_INSTALL=`pwd`                                               # current directory
58
DIR_CONF="$DIR_INSTALL/conf"                    # install directory (with conf files)
58
DIR_CONF="$DIR_INSTALL/conf"                    # install directory (with conf files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"              # install directory (with script files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"              # install directory (with script files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"  # install directory (with blacklist files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"  # install directory (with blacklist files)
61
DIR_SAVE="/var/Save"                                    # backup directory (traceability_log, user_db, security_log)
61
DIR_SAVE="/var/Save"                                    # backup directory (traceability_log, user_db, security_log)
62
DIR_WEB="/var/www/html"                                 # directory of Lighttpd
62
DIR_WEB="/var/www/html"                                 # directory of Lighttpd
63
DIR_DG="/etc/e2guardian"                                # directory of E2Guardian
63
DIR_DG="/etc/e2guardian"                                # directory of E2Guardian
64
DIR_ACC="$DIR_WEB/acc"                                  # directory of the 'ALCASAR Control Center'
64
DIR_ACC="$DIR_WEB/acc"                                  # directory of the 'ALCASAR Control Center'
65
DIR_DEST_BIN="/usr/local/bin"                   # directory of ALCASAR scripts
65
DIR_DEST_BIN="/usr/local/bin"                   # directory of ALCASAR scripts
66
DIR_DEST_ETC="/usr/local/etc"                   # directory of ALCASAR conf files
66
DIR_DEST_ETC="/usr/local/etc"                   # directory of ALCASAR conf files
67
DIR_DEST_SHARE="/usr/local/share"               # directory of share files used by ALCASAR (unbound for instance)
67
DIR_DEST_SHARE="/usr/local/share"               # directory of share files used by ALCASAR (unbound for instance)
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"  # central ALCASAR conf file
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"  # central ALCASAR conf file
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"       # text file with the passwords and shared secrets
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"       # text file with the passwords and shared secrets
70
# ******* DBMS parameters - paramètres SGBD ********
70
# ******* DBMS parameters - paramètres SGBD ********
71
DB_RADIUS="radius"                                              # database name used by FreeRadius server
71
DB_RADIUS="radius"                                              # database name used by FreeRadius server
72
DB_USER="radius"                                                # user name allows to request the users database
72
DB_USER="radius"                                                # user name allows to request the users database
73
DB_GAMMU="gammu"                                                # database name used by Gammu-smsd
73
DB_GAMMU="gammu"                                                # database name used by Gammu-smsd
74
# ******* Network parameters - paramètres réseau *******
74
# ******* Network parameters - paramètres réseau *******
75
HOSTNAME="alcasar"                                              # default hostname
75
HOSTNAME="alcasar"                                              # default hostname
76
DOMAIN="localdomain"                                    # default local domain
76
DOMAIN="localdomain"                                    # default local domain
77
EXTIF=''                                                                # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
EXTIF=''                                                                # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
INTIF=''                                                                # INTIF is connected to the consultation network
78
INTIF=''                                                                # INTIF is connected to the consultation network
79
MTU="1500"
79
MTU="1500"
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"      # Default ALCASAR IP address
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"      # Default ALCASAR IP address
81
# ****** Paths - chemin des commandes *******
81
# ****** Paths - chemin des commandes *******
82
SED="/bin/sed -i"
82
SED="/bin/sed -i"
83
# ****************** End of global parameters *********************
83
# ****************** End of global parameters *********************
84
 
84
 
85
license()
85
license()
86
{
86
{
87
        if [ $Lang == "fr" ]
87
        if [ $Lang == "fr" ]
88
        then
88
        then
89
                cat $DIR_INSTALL/gpl-warning.fr.txt | more
89
                cat $DIR_INSTALL/gpl-warning.fr.txt | more
90
        else
90
        else
91
                cat $DIR_INSTALL/gpl-warning.txt | more
91
                cat $DIR_INSTALL/gpl-warning.txt | more
92
        fi
92
        fi
93
        response=0
93
        response=0
94
        PTN='^[oOyYnN]?$'
94
        PTN='^[oOyYnN]?$'
95
        until [[ "$response" =~ $PTN ]]
95
        until [[ "$response" =~ $PTN ]]
96
        do
96
        do
97
                if [ $Lang == "fr" ]
97
                if [ $Lang == "fr" ]
98
                        then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
98
                        then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
99
                        else echo -n "Do you accept the terms of this license (Y/n)? : "
99
                        else echo -n "Do you accept the terms of this license (Y/n)? : "
100
                fi
100
                fi
101
                read response
101
                read response
102
        done
102
        done
103
        if [ "$response" = "n" ] || [ "$response" = "N" ]
103
        if [ "$response" = "n" ] || [ "$response" = "N" ]
104
        then
104
        then
105
                exit 1
105
                exit 1
106
        fi
106
        fi
107
} # End of license()
107
} # End of license()
108
 
108
 
109
header_install()
109
header_install()
110
{
110
{
111
        clear
111
        clear
112
        echo "-----------------------------------------------------------------------------"
112
        echo "-----------------------------------------------------------------------------"
113
        echo "                     ALCASAR V$VERSION Installation"
113
        echo "                     ALCASAR V$VERSION Installation"
114
        echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
114
        echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
        echo "-----------------------------------------------------------------------------"
115
        echo "-----------------------------------------------------------------------------"
116
} # End of header_install()
116
} # End of header_install()
117
 
117
 
118
########################################################
118
########################################################
119
##              Function "testing_system"             ##
119
##              Function "testing_system"             ##
120
## - Test Mageia version                              ##
120
## - Test Mageia version                              ##
121
## - Test ALCASAR version (if already installed)      ##
121
## - Test ALCASAR version (if already installed)      ##
122
## - Test free space on /var  (>10G)                  ##
122
## - Test free space on /var  (>10G)                  ##
123
## - Test Internet access                             ##
123
## - Test Internet access                             ##
124
########################################################
124
########################################################
125
testing_system()
125
testing_system()
126
{
126
{
127
# Test of Mageia version
127
# Test of Mageia version
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
        fic=`cat /etc/product.id`
129
        fic=`cat /etc/product.id`
130
        unknown_os=0
130
        unknown_os=0
131
        old="$IFS"
131
        old="$IFS"
132
        IFS=","
132
        IFS=","
133
        set $fic
133
        set $fic
134
        for i in "$@"
134
        for i in "$@"
135
        do
135
        do
136
                if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
136
                if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
137
                        then
137
                        then
138
                        DISTRIBUTION=`echo $i|cut -d"=" -f2`
138
                        DISTRIBUTION=`echo $i|cut -d"=" -f2`
139
                        unknown_os=`expr $unknown_os + 1`
139
                        unknown_os=`expr $unknown_os + 1`
140
                fi
140
                fi
141
                if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
141
                if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
142
                        then
142
                        then
143
                        CURRENT_VERSION=`echo $i|cut -d"=" -f2`
143
                        CURRENT_VERSION=`echo $i|cut -d"=" -f2`
144
                        unknown_os=`expr $unknown_os + 1`
144
                        unknown_os=`expr $unknown_os + 1`
145
                fi
145
                fi
146
                if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
146
                if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
147
                        then
147
                        then
148
                        ARCH=`echo $i|cut -d"=" -f2`
148
                        ARCH=`echo $i|cut -d"=" -f2`
149
                        unknown_os=`expr $unknown_os + 1`
149
                        unknown_os=`expr $unknown_os + 1`
150
                fi
150
                fi
151
        done
151
        done
152
        if [ "$ARCH" != "x86_64" ]
152
        if [ "$ARCH" != "x86_64" ]
153
                then
153
                then
154
                if [ $Lang == "fr" ]
154
                if [ $Lang == "fr" ]
155
                        then echo "Votre architecture matérielle doit être en 64bits"
155
                        then echo "Votre architecture matérielle doit être en 64bits"
156
                        else echo "You hardware architecture must be 64bits"
156
                        else echo "You hardware architecture must be 64bits"
157
                fi
157
                fi
158
                exit 1
158
                exit 1
159
        fi
159
        fi
160
        IFS="$old"
160
        IFS="$old"
161
        if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]]
161
        if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]]
162
        then
162
        then
163
                if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
163
                if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
164
                        then
164
                        then
165
                        echo
165
                        echo
166
                        if [ $Lang == "fr" ]
166
                        if [ $Lang == "fr" ]
167
                                then
167
                                then
168
                                echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
168
                                echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
169
                                echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
169
                                echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
170
                                echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
170
                                echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
171
                                echo "3 - Importez votre base des usagers"
171
                                echo "3 - Importez votre base des usagers"
172
                        else
172
                        else
173
                                echo "The automatic update of ALCASAR can't be performed."
173
                                echo "The automatic update of ALCASAR can't be performed."
174
                                echo "1 - Save your traceability files and the user database"
174
                                echo "1 - Save your traceability files and the user database"
175
                                echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
175
                                echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
176
                                echo "3 - Import your users database"
176
                                echo "3 - Import your users database"
177
                        fi
177
                        fi
178
                else
178
                else
179
                        if [ $Lang == "fr" ]
179
                        if [ $Lang == "fr" ]
180
                                then echo "L'installation d'ALCASAR ne peut pas être réalisée."
180
                                then echo "L'installation d'ALCASAR ne peut pas être réalisée."
181
                                else echo "The installation of ALCASAR can't be performed."
181
                                else echo "The installation of ALCASAR can't be performed."
182
                        fi
182
                        fi
183
                fi
183
                fi
184
                echo
184
                echo
185
                if [ $Lang == "fr" ]
185
                if [ $Lang == "fr" ]
186
                        then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
186
                        then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
187
                        else echo "The OS must be replaced (Mageia7.1-64bits)"
187
                        else echo "The OS must be replaced (Mageia7.1-64bits)"
188
                fi
188
                fi
189
                exit 1
189
                exit 1
190
        fi
190
        fi
191
 
191
 
192
# Test if ALCASAR is already installed
192
# Test if ALCASAR is already installed
193
        if [ -e $CONF_FILE ]
193
        if [ -e $CONF_FILE ]
194
        then
194
        then
195
                current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
195
                current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
196
                if [ $Lang == "fr" ]
196
                if [ $Lang == "fr" ]
197
                        then echo "La version $current_version d'ALCASAR est déjà installée"
197
                        then echo "La version $current_version d'ALCASAR est déjà installée"
198
                        else echo "ALCASAR version $current_version is already installed"
198
                        else echo "ALCASAR version $current_version is already installed"
199
                fi
199
                fi
200
                response=0
200
                response=0
201
                PTN='^[12]$'
201
                PTN='^[12]$'
202
                until [[ "$response" =~ $PTN ]]
202
                until [[ "$response" =~ $PTN ]]
203
                do
203
                do
204
                        if [ $Lang == "fr" ]
204
                        if [ $Lang == "fr" ]
205
                                then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
205
                                then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
206
                                else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
206
                                else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
207
                        fi
207
                        fi
208
                        read response
208
                        read response
209
                done
209
                done
210
                if [ "$response" = "2" ]
210
                if [ "$response" = "2" ]
211
                then
211
                then
212
                        rm -f /var/tmp/alcasar-conf*
212
                        rm -f /var/tmp/alcasar-conf*
213
                else
213
                else
214
# Create the archive of conf files
214
# Create the archive of conf files
215
                        $DIR_SCRIPTS/alcasar-conf.sh --create
215
                        $DIR_SCRIPTS/alcasar-conf.sh --create
216
                        mode="update"
216
                        mode="update"
217
                fi
217
                fi
218
        fi
218
        fi
219
# Free /var (when updating) and test free space
219
# Free /var (when updating) and test free space
220
        [ -d /var/log/netflow ] && rm -rf /var/log/netflow  # remove old porttracker RRD database
220
        [ -d /var/log/netflow ] && rm -rf /var/log/netflow  # remove old porttracker RRD database
221
        [ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database
221
        [ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database
222
        journalctl -q --vacuum-files 1  # remove previous journal logs
222
        journalctl -q --vacuum-files 1  # remove previous journal logs
223
        free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
223
        free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
224
        if [ $free_space -lt 10 ]
224
        if [ $free_space -lt 10 ]
225
                then
225
                then
226
                if [ $Lang == "fr" ]
226
                if [ $Lang == "fr" ]
227
                        then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
227
                        then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
228
                        else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
228
                        else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
229
                fi
229
                fi
230
        exit 0
230
        exit 0
231
        fi
231
        fi
232
} # End of testing_system
232
} # End of testing_system
233
 
233
 
234
########################################################
234
########################################################
235
##             Function "testing_network"             ##
235
##             Function "testing_network"             ##
236
## - Test Internet access                             ##
236
## - Test Internet access                             ##
237
########################################################
237
########################################################
238
testing_network()
238
testing_network()
239
{
239
{
240
# Detect external/internal interfaces
240
# Detect external/internal interfaces
241
        if [ -z "$EXTIF" ]; then
241
        if [ -z "$EXTIF" ]; then
242
                EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
242
                EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
243
                if [ -z "$EXTIF" ]; then
243
                if [ -z "$EXTIF" ]; then
244
                        if [ "$Lang" == 'fr' ]
244
                        if [ "$Lang" == 'fr' ]
245
                                then echo "Aucune passerelle par défaut configurée"
245
                                then echo "Aucune passerelle par défaut configurée"
246
                                else echo "No default gateway configured"
246
                                else echo "No default gateway configured"
247
                        fi
247
                        fi
248
                        exit 1
248
                        exit 1
249
                fi
249
                fi
250
        fi
250
        fi
251
        if [ "$Lang" == 'fr' ]
251
        if [ "$Lang" == 'fr' ]
252
                then echo "Interface externe (Internet) utilisée : $EXTIF"
252
                then echo "Interface externe (Internet) utilisée : $EXTIF"
253
                else echo "External interface (Internet) used: $EXTIF"
253
                else echo "External interface (Internet) used: $EXTIF"
254
        fi
254
        fi
255
 
255
 
256
        if [ -z "$INTIF" ]; then
256
        if [ -z "$INTIF" ]; then
257
                interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
257
                interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
258
                interfacesCount=$(echo "$interfacesList" | wc -w)
258
                interfacesCount=$(echo "$interfacesList" | wc -w)
259
                if [ $interfacesCount -eq 0 ]; then
259
                if [ $interfacesCount -eq 0 ]; then
260
                        if [ "$Lang" == 'fr' ]
260
                        if [ "$Lang" == 'fr' ]
261
                                then echo "Aucune interface de disponible pour le réseau interne"
261
                                then echo "Aucune interface de disponible pour le réseau interne"
262
                                else echo "No interface available for the internal network"
262
                                else echo "No interface available for the internal network"
263
                        fi
263
                        fi
264
                        exit 1
264
                        exit 1
265
                elif [ $interfacesCount -eq 1 ]; then
265
                elif [ $interfacesCount -eq 1 ]; then
266
                        INTIF="$interfacesList"
266
                        INTIF="$interfacesList"
267
                else
267
                else
268
                        interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
268
                        interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
269
                        interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
269
                        interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
270
                        if [ "$Lang" == 'fr' ]
270
                        if [ "$Lang" == 'fr' ]
271
                                then echo 'Liste des interfaces disponible :'
271
                                then echo 'Liste des interfaces disponible :'
272
                                else echo 'List of available interfaces:'
272
                                else echo 'List of available interfaces:'
273
                        fi
273
                        fi
274
                        echo "$interfacesSorted"
274
                        echo "$interfacesSorted"
275
                        response=''
275
                        response=''
276
                        while true; do
276
                        while true; do
277
                                if [ "$Lang" == 'fr' ]
277
                                if [ "$Lang" == 'fr' ]
278
                                        then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
278
                                        then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
279
                                        else echo -n "Choice of internal interface ? [$interfacePreferred] "
279
                                        else echo -n "Choice of internal interface ? [$interfacePreferred] "
280
                                fi
280
                                fi
281
                                read response
281
                                read response
282
 
282
 
283
                                [ -z "$response" ] && response="$interfacePreferred"
283
                                [ -z "$response" ] && response="$interfacePreferred"
284
 
284
 
285
                                # Check if interface exist
285
                                # Check if interface exist
286
                                if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
286
                                if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
287
                                        INTIF="$response"
287
                                        INTIF="$response"
288
                                        break
288
                                        break
289
                                else
289
                                else
290
                                        if [ "$Lang" == 'fr' ]
290
                                        if [ "$Lang" == 'fr' ]
291
                                                then echo "Interface \"$response\" introuvable"
291
                                                then echo "Interface \"$response\" introuvable"
292
                                                else echo "Interface \"$response\" not found"
292
                                                else echo "Interface \"$response\" not found"
293
                                        fi
293
                                        fi
294
                                fi
294
                                fi
295
                        done
295
                        done
296
                fi
296
                fi
297
        fi
297
        fi
298
        if [ "$Lang" == 'fr' ]
298
        if [ "$Lang" == 'fr' ]
299
                then echo "Interface interne utilisée : $INTIF"
299
                then echo "Interface interne utilisée : $INTIF"
300
                else echo "Internal interface used: $INTIF"
300
                else echo "Internal interface used: $INTIF"
301
        fi
301
        fi
302
 
302
 
303
        if [ $Lang == "fr" ]
303
        if [ $Lang == "fr" ]
304
                then echo -n "Tests des paramètres réseau : "
304
                then echo -n "Tests des paramètres réseau : "
305
                else echo -n "Network parameters tests: "
305
                else echo -n "Network parameters tests: "
306
        fi
306
        fi
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
308
        cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
308
        cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
309
        IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
309
        IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
310
        for i in $IF_INTERFACES
310
        for i in $IF_INTERFACES
311
        do
311
        do
312
                if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
312
                if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
313
                        rm -f ifcfg-$i
313
                        rm -f ifcfg-$i
314
 
314
 
315
                        if [ $Lang == "fr" ]
315
                        if [ $Lang == "fr" ]
316
                                then echo "Suppression : ifcfg-$i"
316
                                then echo "Suppression : ifcfg-$i"
317
                                else echo "Deleting: ifcfg-$i"
317
                                else echo "Deleting: ifcfg-$i"
318
                        fi
318
                        fi
319
                fi
319
                fi
320
        done
320
        done
321
        cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
321
        cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
322
        echo -n "."
322
        echo -n "."
323
# Test Ethernet NIC links state
323
# Test Ethernet NIC links state
324
        interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
324
        interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
325
        if [ ! -z "$interfacesDown" ]; then
325
        if [ ! -z "$interfacesDown" ]; then
326
                for i in $interfacesDown; do
326
                for i in $interfacesDown; do
327
                        if [ $Lang == "fr" ]
327
                        if [ $Lang == "fr" ]
328
                        then
328
                        then
329
                                echo -e "\nÉchec"
329
                                echo -e "\nÉchec"
330
                                echo "Le lien réseau de la carte $i n'est pas actif."
330
                                echo "Le lien réseau de la carte $i n'est pas actif."
331
                                echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
331
                                echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
332
                        else
332
                        else
333
                                echo -e "\nFailed"
333
                                echo -e "\nFailed"
334
                                echo "The link state of $i interface is down."
334
                                echo "The link state of $i interface is down."
335
                                echo "Make sure that this network card is connected to a switch or an A.P."
335
                                echo "Make sure that this network card is connected to a switch or an A.P."
336
                        fi
336
                        fi
337
                done
337
                done
338
                exit 1
338
                exit 1
339
        fi
339
        fi
340
        echo -n "."
340
        echo -n "."
341
# Test EXTIF config files
341
# Test EXTIF config files
342
        PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
342
        PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
343
        PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
343
        PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
344
        PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
344
        PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
345
        if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
345
        if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
346
        then
346
        then
347
                if [ $Lang == "fr" ]
347
                if [ $Lang == "fr" ]
348
                then
348
                then
349
                        echo -e "\nÉchec"
349
                        echo -e "\nÉchec"
350
                        echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
350
                        echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
351
                        echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
351
                        echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
352
                        echo "Appliquez les changements : 'systemctl restart network'"
352
                        echo "Appliquez les changements : 'systemctl restart network'"
353
                else
353
                else
354
                        echo -e "\nFailed"
354
                        echo -e "\nFailed"
355
                        echo "The Internet connected network card ($EXTIF) isn't well configured."
355
                        echo "The Internet connected network card ($EXTIF) isn't well configured."
356
                        echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
356
                        echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
357
                        echo "Apply the new configuration: 'systemctl restart network'"
357
                        echo "Apply the new configuration: 'systemctl restart network'"
358
                fi
358
                fi
359
                echo "DEVICE=$EXTIF"
359
                echo "DEVICE=$EXTIF"
360
                echo "IPADDR="
360
                echo "IPADDR="
361
                echo "NETMASK="
361
                echo "NETMASK="
362
                echo "GATEWAY="
362
                echo "GATEWAY="
363
                echo "DNS1="
363
                echo "DNS1="
364
                echo "DNS2="
364
                echo "DNS2="
365
                echo "ONBOOT=yes"
365
                echo "ONBOOT=yes"
366
                exit 1
366
                exit 1
367
        fi
367
        fi
368
        echo -n "."
368
        echo -n "."
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
370
        if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
370
        if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
371
                if [ $Lang == "fr" ]
371
                if [ $Lang == "fr" ]
372
                then
372
                then
373
                        echo -e "\nÉchec"
373
                        echo -e "\nÉchec"
374
                        echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
374
                        echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
375
                        echo "Réglez ce problème puis relancez ce script."
375
                        echo "Réglez ce problème puis relancez ce script."
376
                else
376
                else
377
                        echo -e "\nFailed"
377
                        echo -e "\nFailed"
378
                        echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
378
                        echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
379
                        echo "Resolv this problem, then restart this script."
379
                        echo "Resolv this problem, then restart this script."
380
                fi
380
                fi
381
                exit 1
381
                exit 1
382
        fi
382
        fi
383
        echo -n "."
383
        echo -n "."
384
# Test if default GW is alive
384
# Test if default GW is alive
385
        arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
385
        arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
386
        if [ "$(expr $arp_reply)" -eq 0 ]
386
        if [ "$(expr $arp_reply)" -eq 0 ]
387
                then
387
                then
388
                if [ $Lang == "fr" ]
388
                if [ $Lang == "fr" ]
389
                then
389
                then
390
                        echo -e "\nÉchec"
390
                        echo -e "\nÉchec"
391
                        echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
391
                        echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
392
                        echo "Réglez ce problème puis relancez ce script."
392
                        echo "Réglez ce problème puis relancez ce script."
393
                else
393
                else
394
                        echo -e "\nFailed"
394
                        echo -e "\nFailed"
395
                        echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
395
                        echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
396
                        echo "Resolv this problem, then restart this script."
396
                        echo "Resolv this problem, then restart this script."
397
                fi
397
                fi
398
                exit 1
398
                exit 1
399
        fi
399
        fi
400
        echo -n "."
400
        echo -n "."
401
# Test Internet connectivity
401
# Test Internet connectivity
402
        domainTested='www.google.com'
402
        domainTested='www.google.com'
403
        /usr/bin/curl -s --head "$domainTested" &>/dev/null
403
        /usr/bin/curl -s --head "$domainTested" &>/dev/null
404
        if [ $? -ne 0 ]; then
404
        if [ $? -ne 0 ]; then
405
                if [ $Lang == "fr" ]
405
                if [ $Lang == "fr" ]
406
                then
406
                then
407
                        echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
407
                        echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
408
                        echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
408
                        echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
409
                        echo "Vérifiez la validité des adresses IP des DNS."
409
                        echo "Vérifiez la validité des adresses IP des DNS."
410
                else
410
                else
411
                        echo -e "\nThe Internet connection try failed ($domainTested)."
411
                        echo -e "\nThe Internet connection try failed ($domainTested)."
412
                        echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
412
                        echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
413
                        echo "Verify the DNS IP addresses"
413
                        echo "Verify the DNS IP addresses"
414
                fi
414
                fi
415
                exit 1
415
                exit 1
416
        fi
416
        fi
417
        echo ". : ok"
417
        echo ". : ok"
418
} # End of testing_network()
418
} # End of testing_network()
419
 
419
 
420
#######################################################################
420
#######################################################################
421
##                    Function "init"                                ##
421
##                    Function "init"                                ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
424
#######################################################################
424
#######################################################################
425
init()
425
init()
426
{
426
{
427
        if [ "$mode" != "update" ]
427
        if [ "$mode" != "update" ]
428
        then
428
        then
429
# On affecte le nom d'organisme
429
# On affecte le nom d'organisme
430
                header_install
430
                header_install
431
                ORGANISME=!
431
                ORGANISME=!
432
                PTN='^[a-zA-Z0-9-]*$'
432
                PTN='^[a-zA-Z0-9-]*$'
433
                until [[ "$ORGANISME" =~ $PTN ]]
433
                until [[ "$ORGANISME" =~ $PTN ]]
434
                do
434
                do
435
                        if [ $Lang == "fr" ]
435
                        if [ $Lang == "fr" ]
436
                                then echo -n "Entrez le nom de votre organisme : "
436
                                then echo -n "Entrez le nom de votre organisme : "
437
                                else echo -n "Enter the name of your organism : "
437
                                else echo -n "Enter the name of your organism : "
438
                        fi
438
                        fi
439
                        read ORGANISME
439
                        read ORGANISME
440
                        if [ "$ORGANISME" == "" ]
440
                        if [ "$ORGANISME" == "" ]
441
                        then
441
                        then
442
                                ORGANISME=!
442
                                ORGANISME=!
443
                        fi
443
                        fi
444
                done
444
                done
445
        fi
445
        fi
446
# On crée aléatoirement les mots de passe et les secrets partagés
446
# On crée aléatoirement les mots de passe et les secrets partagés
447
# We create random passwords and shared secrets
447
# We create random passwords and shared secrets
448
        rm -f $PASSWD_FILE
448
        rm -f $PASSWD_FILE
449
        echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
449
        echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
450
        grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
450
        grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
451
        pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
451
        pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
452
                LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
452
                LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
453
                grep -v '[eE]nter password:' | \
453
                grep -v '[eE]nter password:' | \
454
                sed -e "s/PBKDF2 hash of your password is //"`
454
                sed -e "s/PBKDF2 hash of your password is //"`
455
        echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
455
        echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
456
        [ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
456
        [ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
457
        cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
457
        cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
458
        chmod 0600 /boot/grub2/user.cfg
458
        chmod 0600 /boot/grub2/user.cfg
459
        echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
459
        echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
460
        echo "GRUB2_user=root" >> $PASSWD_FILE
460
        echo "GRUB2_user=root" >> $PASSWD_FILE
461
        echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
461
        echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
462
        mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
462
        mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
463
        echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
463
        echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
464
        echo "db_root=$mysqlpwd" >> $PASSWD_FILE
464
        echo "db_root=$mysqlpwd" >> $PASSWD_FILE
465
        radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
465
        radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
466
        echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
466
        echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
467
        echo "db_user=$DB_USER" >> $PASSWD_FILE
467
        echo "db_user=$DB_USER" >> $PASSWD_FILE
468
        echo "db_password=$radiuspwd" >> $PASSWD_FILE
468
        echo "db_password=$radiuspwd" >> $PASSWD_FILE
469
        secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
469
        secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
470
        echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
470
        echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
471
        echo "secret_uam=$secretuam" >> $PASSWD_FILE
471
        echo "secret_uam=$secretuam" >> $PASSWD_FILE
472
        secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
472
        secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
473
        echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
473
        echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
474
        echo "secret_radius=$secretradius" >> $PASSWD_FILE
474
        echo "secret_radius=$secretradius" >> $PASSWD_FILE
475
        chmod 640 $PASSWD_FILE
475
        chmod 640 $PASSWD_FILE
476
#  copy scripts in in /usr/local/bin
476
#  copy scripts in in /usr/local/bin
477
        cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
477
        cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
478
#  copy conf files in /usr/local/etc
478
#  copy conf files in /usr/local/etc
479
        cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
479
        cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
480
        $SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
480
        $SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
481
# generate central conf file
481
# generate central conf file
482
        cat <<EOF > $CONF_FILE
482
        cat <<EOF > $CONF_FILE
483
##########################################
483
##########################################
484
##                                      ##
484
##                                      ##
485
##          ALCASAR Parameters          ##
485
##          ALCASAR Parameters          ##
486
##                                      ##
486
##                                      ##
487
##########################################
487
##########################################
488
 
488
 
489
INSTALL_DATE=$DATE
489
INSTALL_DATE=$DATE
490
VERSION=$VERSION
490
VERSION=$VERSION
491
ORGANISM=$ORGANISME
491
ORGANISM=$ORGANISME
492
EOF
492
EOF
493
        chmod o-rwx $CONF_FILE
493
        chmod o-rwx $CONF_FILE
494
} # End of init()
494
} # End of init()
495
 
495
 
496
#########################################################
496
#########################################################
497
##                    Function "network"               ##
497
##                    Function "network"               ##
498
## - Define the several network address                ##
498
## - Define the several network address                ##
499
## - Define the DNS naming                             ##
499
## - Define the DNS naming                             ##
500
## - INTIF parameters (consultation network)           ##
500
## - INTIF parameters (consultation network)           ##
501
## - Write "/etc/hosts" file                           ##
501
## - Write "/etc/hosts" file                           ##
502
## - write "hosts.allow" & "hosts.deny" files          ##
502
## - write "hosts.allow" & "hosts.deny" files          ##
503
#########################################################
503
#########################################################
504
network()
504
network()
505
{
505
{
506
        header_install
506
        header_install
507
        if [ "$mode" != "update" ]
507
        if [ "$mode" != "update" ]
508
                then
508
                then
509
                if [ $Lang == "fr" ]
509
                if [ $Lang == "fr" ]
510
                        then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
510
                        then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
511
                        else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
511
                        else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
512
                fi
512
                fi
513
                response=0
513
                response=0
514
                PTN='^[oOyYnN]?$'
514
                PTN='^[oOyYnN]?$'
515
                until [[ "$response" =~ $PTN ]]
515
                until [[ "$response" =~ $PTN ]]
516
                do
516
                do
517
                        if [ $Lang == "fr" ]
517
                        if [ $Lang == "fr" ]
518
                                then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
518
                                then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
519
                                else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
519
                                else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
520
                        fi
520
                        fi
521
                        read response
521
                        read response
522
                done
522
                done
523
                if [ "$response" = "n" ] || [ "$response" = "N" ]
523
                if [ "$response" = "n" ] || [ "$response" = "N" ]
524
                then
524
                then
525
                        PRIVATE_IP_MASK="0"
525
                        PRIVATE_IP_MASK="0"
526
                        PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
526
                        PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
527
                        until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
527
                        until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
528
                        do
528
                        do
529
                                if [ $Lang == "fr" ]
529
                                if [ $Lang == "fr" ]
530
                                        then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
530
                                        then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
531
                                        else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
531
                                        else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
532
                                fi
532
                                fi
533
                                read PRIVATE_IP_MASK
533
                                read PRIVATE_IP_MASK
534
                        done
534
                        done
535
                else
535
                else
536
                        PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
536
                        PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
537
                fi
537
                fi
538
        else
538
        else
539
                PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf|cut -d"=" -f2`
539
                PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf|cut -d"=" -f2`
540
                rm -rf /var/tmp/conf
540
                rm -rf /var/tmp/conf
541
        fi
541
        fi
542
# Define LAN side global parameters
542
# Define LAN side global parameters
543
        hostnamectl set-hostname $HOSTNAME.$DOMAIN
543
        hostnamectl set-hostname $HOSTNAME.$DOMAIN
544
        PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`                               # private network address (ie.: 192.168.182.0)
544
        PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`                               # private network address (ie.: 192.168.182.0)
545
        private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`                                  # last octet of LAN address
545
        private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`                                  # last octet of LAN address
546
        PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`                               # private network mask (ie.: 255.255.255.0)
546
        PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`                               # private network mask (ie.: 255.255.255.0)
547
        PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`                                 # network prefix (ie. 24)
547
        PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`                                 # network prefix (ie. 24)
548
        PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`                                              # ALCASAR private ip address (consultation LAN side)
548
        PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`                                              # ALCASAR private ip address (consultation LAN side)
549
        if [ $PRIVATE_IP == $PRIVATE_NETWORK ]                                                          # when entering network address instead of ip address
549
        if [ $PRIVATE_IP == $PRIVATE_NETWORK ]                                                          # when entering network address instead of ip address
550
        then
550
        then
551
                PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
551
                PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
552
                PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
552
                PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
553
        fi
553
        fi
554
        private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`                                            # last octet of LAN address
554
        private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`                                            # last octet of LAN address
555
        PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`          # second network address (ex.: 192.168.182.2)
555
        PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`          # second network address (ex.: 192.168.182.2)
556
        PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX                                           # ie.: 192.168.182.0/24
556
        PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX                                           # ie.: 192.168.182.0/24
557
        classe=$((PRIVATE_PREFIX/8))                                                                    # ie.: 2=classe B, 3=classe C
557
        classe=$((PRIVATE_PREFIX/8))                                                                    # ie.: 2=classe B, 3=classe C
558
        PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.                          # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
558
        PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.                          # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
559
        PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'`      # MAC address of INTIF
559
        PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'`      # MAC address of INTIF
560
# Define Internet parameters
560
# Define Internet parameters
561
        DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`   # 1st DNS server
561
        DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`   # 1st DNS server
562
        DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`  # 2nd DNS server
562
        DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`  # 2nd DNS server
563
        DNS1=${DNS1:=208.67.220.220}
563
        DNS1=${DNS1:=208.67.220.220}
564
        DNS2=${DNS2:=208.67.222.222}
564
        DNS2=${DNS2:=208.67.222.222}
565
        PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
565
        PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
566
        PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
566
        PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
567
        PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
567
        PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
568
# Write network parameters in the conf file
568
# Write network parameters in the conf file
569
        echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
569
        echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
570
        echo "DOMAIN=$DOMAIN" >> $CONF_FILE
570
        echo "DOMAIN=$DOMAIN" >> $CONF_FILE
571
        echo "EXTIF=$EXTIF" >> $CONF_FILE
571
        echo "EXTIF=$EXTIF" >> $CONF_FILE
572
        echo "INTIF=$INTIF" >> $CONF_FILE
572
        echo "INTIF=$INTIF" >> $CONF_FILE
573
# Retrieve NIC name of other consultation LAN
573
# Retrieve NIC name of other consultation LAN
574
        INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
574
        INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
575
        for i in $INTERFACES
575
        for i in $INTERFACES
576
        do
576
        do
577
                SUB=`echo ${i:0:2}`
577
                SUB=`echo ${i:0:2}`
578
                if [ $SUB = "wl" ]
578
                if [ $SUB = "wl" ]
579
                        then WIFIF=$i
579
                        then WIFIF=$i
580
                elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
580
                elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
581
                        then LANIF=$i
581
                        then LANIF=$i
582
                fi
582
                fi
583
        done
583
        done
584
        if [ -n "$WIFIF" ]
584
        if [ -n "$WIFIF" ]
585
                then echo "WIFIF=$WIFIF" >> $CONF_FILE
585
                then echo "WIFIF=$WIFIF" >> $CONF_FILE
586
        elif [ -n "$LANIF" ]
586
        elif [ -n "$LANIF" ]
587
                then echo "LANIF=$LANIF" >> $CONF_FILE
587
                then echo "LANIF=$LANIF" >> $CONF_FILE
588
        fi
588
        fi
589
        IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
589
        IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
590
        if [ $IP_SETTING == "dhcp" ]
590
        if [ $IP_SETTING == "dhcp" ]
591
        then
591
        then
592
                echo "PUBLIC_IP=dhcp" >> $CONF_FILE
592
                echo "PUBLIC_IP=dhcp" >> $CONF_FILE
593
                echo "GW=dhcp" >> $CONF_FILE
593
                echo "GW=dhcp" >> $CONF_FILE
594
        else
594
        else
595
                echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
595
                echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
596
                echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
596
                echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
597
        fi
597
        fi
598
        echo "DNS1=$DNS1" >> $CONF_FILE
598
        echo "DNS1=$DNS1" >> $CONF_FILE
599
        echo "DNS2=$DNS2" >> $CONF_FILE
599
        echo "DNS2=$DNS2" >> $CONF_FILE
600
        echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
600
        echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
601
        echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
601
        echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
602
        echo "DHCP=on" >> $CONF_FILE
602
        echo "DHCP=on" >> $CONF_FILE
603
        echo "EXT_DHCP_IP=" >> $CONF_FILE
603
        echo "EXT_DHCP_IP=" >> $CONF_FILE
604
        echo "RELAY_DHCP_IP=" >> $CONF_FILE
604
        echo "RELAY_DHCP_IP=" >> $CONF_FILE
605
        echo "RELAY_DHCP_PORT=" >> $CONF_FILE
605
        echo "RELAY_DHCP_PORT=" >> $CONF_FILE
606
        echo "INT_DNS_DOMAIN=" >> $CONF_FILE
606
        echo "INT_DNS_DOMAIN=" >> $CONF_FILE
607
        echo "INT_DNS_IP=" >> $CONF_FILE
607
        echo "INT_DNS_IP=" >> $CONF_FILE
608
        echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
608
        echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
609
# network default
609
# network default
610
        [ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
610
        [ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
611
        cat <<EOF > /etc/sysconfig/network
611
        cat <<EOF > /etc/sysconfig/network
612
NETWORKING=yes
612
NETWORKING=yes
613
FORWARD_IPV4=true
613
FORWARD_IPV4=true
614
EOF
614
EOF
615
# write "/etc/hosts"
615
# write "/etc/hosts"
616
        [ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
616
        [ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
617
        cat <<EOF > /etc/hosts
617
        cat <<EOF > /etc/hosts
618
127.0.0.1       localhost
618
127.0.0.1       localhost
619
$PRIVATE_IP     $HOSTNAME
619
$PRIVATE_IP     $HOSTNAME
620
EOF
620
EOF
621
# write EXTIF (Internet) config
621
# write EXTIF (Internet) config
622
        [ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
622
        [ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
623
        if [ $IP_SETTING == "dhcp" ]
623
        if [ $IP_SETTING == "dhcp" ]
624
        then
624
        then
625
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
625
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
626
DEVICE=$EXTIF
626
DEVICE=$EXTIF
627
BOOTPROTO=dhcp
627
BOOTPROTO=dhcp
628
DNS1=127.0.0.1
628
DNS1=127.0.0.1
629
PEERDNS=no
629
PEERDNS=no
630
RESOLV_MODS=yes
630
RESOLV_MODS=yes
631
ONBOOT=yes
631
ONBOOT=yes
632
NOZEROCONF=yes
632
NOZEROCONF=yes
633
METRIC=10
633
METRIC=10
634
MII_NOT_SUPPORTED=yes
634
MII_NOT_SUPPORTED=yes
635
IPV6INIT=no
635
IPV6INIT=no
636
IPV6TO4INIT=no
636
IPV6TO4INIT=no
637
ACCOUNTING=no
637
ACCOUNTING=no
638
USERCTL=no
638
USERCTL=no
639
MTU=$MTU
639
MTU=$MTU
640
EOF
640
EOF
641
        else
641
        else
642
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
642
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
643
DEVICE=$EXTIF
643
DEVICE=$EXTIF
644
BOOTPROTO=static
644
BOOTPROTO=static
645
IPADDR=$PUBLIC_IP
645
IPADDR=$PUBLIC_IP
646
NETMASK=$PUBLIC_NETMASK
646
NETMASK=$PUBLIC_NETMASK
647
GATEWAY=$PUBLIC_GATEWAY
647
GATEWAY=$PUBLIC_GATEWAY
648
DNS1=$DNS1
648
DNS1=$DNS1
649
DNS2=$DNS2
649
DNS2=$DNS2
650
RESOLV_MODS=yes
650
RESOLV_MODS=yes
651
ONBOOT=yes
651
ONBOOT=yes
652
METRIC=10
652
METRIC=10
653
NOZEROCONF=yes
653
NOZEROCONF=yes
654
MII_NOT_SUPPORTED=yes
654
MII_NOT_SUPPORTED=yes
655
IPV6INIT=no
655
IPV6INIT=no
656
IPV6TO4INIT=no
656
IPV6TO4INIT=no
657
ACCOUNTING=no
657
ACCOUNTING=no
658
USERCTL=no
658
USERCTL=no
659
MTU=$MTU
659
MTU=$MTU
660
EOF
660
EOF
661
        fi
661
        fi
662
# write INTIF (consultation LAN) in normal mode
662
# write INTIF (consultation LAN) in normal mode
663
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
663
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
664
        cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
664
        cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
665
DEVICE=$INTIF
665
DEVICE=$INTIF
666
BOOTPROTO=static
666
BOOTPROTO=static
667
ONBOOT=yes
667
ONBOOT=yes
668
NOZEROCONF=yes
668
NOZEROCONF=yes
669
MII_NOT_SUPPORTED=yes
669
MII_NOT_SUPPORTED=yes
670
IPV6INIT=no
670
IPV6INIT=no
671
IPV6TO4INIT=no
671
IPV6TO4INIT=no
672
ACCOUNTING=no
672
ACCOUNTING=no
673
USERCTL=no
673
USERCTL=no
674
EOF
674
EOF
675
# write INTIF in bypass mode (see "alcasar-bypass.sh")
675
# write INTIF in bypass mode (see "alcasar-bypass.sh")
676
        cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
676
        cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
677
DEVICE=$INTIF
677
DEVICE=$INTIF
678
BOOTPROTO=static
678
BOOTPROTO=static
679
IPADDR=$PRIVATE_IP
679
IPADDR=$PRIVATE_IP
680
NETMASK=$PRIVATE_NETMASK
680
NETMASK=$PRIVATE_NETMASK
681
ONBOOT=yes
681
ONBOOT=yes
682
METRIC=10
682
METRIC=10
683
NOZEROCONF=yes
683
NOZEROCONF=yes
684
MII_NOT_SUPPORTED=yes
684
MII_NOT_SUPPORTED=yes
685
IPV6INIT=no
685
IPV6INIT=no
686
IPV6TO4INIT=no
686
IPV6TO4INIT=no
687
ACCOUNTING=no
687
ACCOUNTING=no
688
USERCTL=no
688
USERCTL=no
689
EOF
689
EOF
690
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
690
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
691
        if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
691
        if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
692
        then
692
        then
693
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
693
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
694
DEVICE=$WIFIF
694
DEVICE=$WIFIF
695
BOOTPROTO=static
695
BOOTPROTO=static
696
ONBOOT=yes
696
ONBOOT=yes
697
NOZEROCONF=yes
697
NOZEROCONF=yes
698
MII_NOT_SUPPORTED=yes
698
MII_NOT_SUPPORTED=yes
699
IPV6INIT=no
699
IPV6INIT=no
700
IPV6TO4INIT=no
700
IPV6TO4INIT=no
701
ACCOUNTING=no
701
ACCOUNTING=no
702
USERCTL=no
702
USERCTL=no
703
EOF
703
EOF
704
        elif [ -n "$LANIF" ]
704
        elif [ -n "$LANIF" ]
705
        then
705
        then
706
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
706
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
707
DEVICE=$LANIF
707
DEVICE=$LANIF
708
BOOTPROTO=static
708
BOOTPROTO=static
709
ONBOOT=yes
709
ONBOOT=yes
710
NOZEROCONF=yes
710
NOZEROCONF=yes
711
MII_NOT_SUPPORTED=yes
711
MII_NOT_SUPPORTED=yes
712
IPV6INIT=no
712
IPV6INIT=no
713
IPV6TO4INIT=no
713
IPV6TO4INIT=no
714
ACCOUNTING=no
714
ACCOUNTING=no
715
USERCTL=no
715
USERCTL=no
716
EOF
716
EOF
717
        fi
717
        fi
718
# write hosts.allow & hosts.deny
718
# write hosts.allow & hosts.deny
719
        [ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
719
        [ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
720
        cat <<EOF > /etc/hosts.allow
720
        cat <<EOF > /etc/hosts.allow
721
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
721
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
722
sshd: ALL
722
sshd: ALL
723
ntpd: $PRIVATE_NETWORK_SHORT
723
ntpd: $PRIVATE_NETWORK_SHORT
724
EOF
724
EOF
725
        [ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
725
        [ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
726
        cat <<EOF > /etc/hosts.deny
726
        cat <<EOF > /etc/hosts.deny
727
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
727
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
728
EOF
728
EOF
729
        chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
729
        chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
730
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
730
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
731
        echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
731
        echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
732
# load conntrack ftp module
732
# load conntrack ftp module
733
        [ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
733
        [ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
734
        echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
734
        echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
735
# load ipt_NETFLOW module
735
# load ipt_NETFLOW module
736
        echo "ipt_NETFLOW" >>  /etc/modprobe.preload
736
        echo "ipt_NETFLOW" >>  /etc/modprobe.preload
737
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
737
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
738
        [ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
738
        [ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
739
        $SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
739
        $SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
740
        [ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
740
        [ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
741
        $SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
741
        $SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
742
#
742
#
743
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
743
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
744
} # End of network()
744
} # End of network()
745
 
745
 
746
##################################################################
746
##################################################################
747
##                      Fonction "CA"                           ##
747
##                      Fonction "CA"                           ##
748
## - Creating the CA and the server certificate (lighttpd)      ##
748
## - Creating the CA and the server certificate (lighttpd)      ##
749
##################################################################
749
##################################################################
750
CA()
750
CA()
751
{
751
{
752
        $DIR_DEST_BIN/alcasar-CA.sh
752
        $DIR_DEST_BIN/alcasar-CA.sh
753
        chmod 755 /etc/pki/
753
        chmod 755 /etc/pki/
754
        chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
754
        chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
755
        chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
755
        chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
756
        chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
756
        chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
757
        chmod 600 /etc/pki/CA/private/*
757
        chmod 600 /etc/pki/CA/private/*
758
        chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
758
        chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
759
        chmod 640 /etc/pki/tls/private/*
759
        chmod 640 /etc/pki/tls/private/*
760
        chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
760
        chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
761
} # End of CA()
761
} # End of CA()
762
 
762
 
763
###################################################
763
###################################################
764
##                  Function "ACC"               ##
764
##                  Function "ACC"               ##
765
## - copy ALCASAR Control Center (ACC) files     ##
765
## - copy ALCASAR Control Center (ACC) files     ##
766
## - configuration of the web server (Lighttpd)  ##
766
## - configuration of the web server (Lighttpd)  ##
767
## - creation of the first ACC admin account     ##
767
## - creation of the first ACC admin account     ##
768
## - secure the ACC access                       ##
768
## - secure the ACC access                       ##
769
###################################################
769
###################################################
770
ACC()
770
ACC()
771
{
771
{
772
        [ -d $DIR_WEB ] && rm -rf $DIR_WEB
772
        [ -d $DIR_WEB ] && rm -rf $DIR_WEB
773
        mkdir $DIR_WEB
773
        mkdir $DIR_WEB
774
# Copy & adapt ACC files
774
# Copy & adapt ACC files
775
        cp -rf $DIR_INSTALL/web/* $DIR_WEB/
775
        cp -rf $DIR_INSTALL/web/* $DIR_WEB/
776
        $SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
776
        $SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
777
        $SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
777
        $SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
778
        $SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
778
        $SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
779
        $SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
779
        $SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
780
        chown -R apache:apache $DIR_WEB/*
780
        chown -R apache:apache $DIR_WEB/*
781
# copy & adapt "freeradius-web" files
781
# copy & adapt "freeradius-web" files
782
        cp -rf $DIR_CONF/freeradius-web/ /etc/
782
        cp -rf $DIR_CONF/freeradius-web/ /etc/
783
        [ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
783
        [ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
784
        $SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
784
        $SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
785
        $SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
785
        $SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
786
        $SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
786
        $SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
787
        cat <<EOF > /etc/freeradius-web/naslist.conf
787
        cat <<EOF > /etc/freeradius-web/naslist.conf
788
nas1_name: alcasar-$ORGANISME
788
nas1_name: alcasar-$ORGANISME
789
nas1_model: Network Access Controler
789
nas1_model: Network Access Controler
790
nas1_ip: $PRIVATE_IP
790
nas1_ip: $PRIVATE_IP
791
nas1_port_num: 0
791
nas1_port_num: 0
792
nas1_community: public
792
nas1_community: public
793
EOF
793
EOF
794
        chown -R apache:apache /etc/freeradius-web/
794
        chown -R apache:apache /etc/freeradius-web/
795
# create the log & backup structure :
795
# create the log & backup structure :
796
# - base = users database
796
# - base = users database
797
# - archive = tarball of "base + http firewall + netflow"
797
# - archive = tarball of "base + http firewall + netflow"
798
# - security = watchdog log
798
# - security = watchdog log
799
# - conf_file = archive conf file (usefull in updating process)
799
# - conf_file = archive conf file (usefull in updating process)
800
        for i in base archive security activity_report iot_captures;
800
        for i in base archive security activity_report iot_captures;
801
        do
801
        do
802
                [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
802
                [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
803
        done
803
        done
804
        chown -R root:apache $DIR_SAVE
804
        chown -R root:apache $DIR_SAVE
805
# Configuring & securing php
805
# Configuring & securing php
806
        [ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
806
        [ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
807
        timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
807
        timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
808
        $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
808
        $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
809
        [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
809
        [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
810
        $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
810
        $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
811
        $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
811
        $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
812
        $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
812
        $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
813
        $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
813
        $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
814
        $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
814
        $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
815
        $SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
815
        $SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
816
        $SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
816
        $SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
817
# Configuring & securing Lighttpd
817
# Configuring & securing Lighttpd
818
        rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
818
        rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
819
        [ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
819
        [ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
820
        $SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
820
        $SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
821
        $SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
821
        $SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
822
        $SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
822
        $SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
823
        $SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
823
        $SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
824
        echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
824
        echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
825
 
825
 
826
        [ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
826
        [ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
827
        $SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
827
        $SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
828
        $SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
828
        $SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
829
        $SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
829
        $SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
830
        $SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
830
        $SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
831
        $SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
831
        $SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
832
 
832
 
833
        [ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
833
        [ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
834
        cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
834
        cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
835
 
835
 
836
        [ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
836
        [ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
837
        $SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
837
        $SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
838
        $SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
838
        $SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
839
        $SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
839
        $SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
840
 
840
 
841
        [ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
841
        [ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
842
        cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
842
        cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
843
        $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
843
        $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
844
        $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
844
        $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
845
        $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
845
        $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
846
        $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
846
        $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
847
        ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
847
        ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
848
 
848
 
849
        [ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
849
        [ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
850
        [ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
850
        [ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
851
        [ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
851
        [ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
852
 
852
 
853
        chown -R apache:apache /var/log/lighttpd
853
        chown -R apache:apache /var/log/lighttpd
854
 
854
 
855
# Creation of the first account (in 'admin' profile)
855
# Creation of the first account (in 'admin' profile)
856
        if [ "$mode" = "install" ]
856
        if [ "$mode" = "install" ]
857
        then
857
        then
858
                header_install
858
                header_install
859
# Creation of keys file for the admin account ("admin")
859
# Creation of keys file for the admin account ("admin")
860
                [ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
860
                [ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
861
                mkdir -p $DIR_DEST_ETC/digest
861
                mkdir -p $DIR_DEST_ETC/digest
862
                chmod 755 $DIR_DEST_ETC/digest
862
                chmod 755 $DIR_DEST_ETC/digest
863
                if [ $Lang == "fr" ]
863
                if [ $Lang == "fr" ]
864
                        then echo "Création du premier compte administrateur : "
864
                        then echo "Création du premier compte administrateur : "
865
                        else echo "Creation of the first admin account : "
865
                        else echo "Creation of the first admin account : "
866
                fi
866
                fi
867
                until [ -s $DIR_DEST_ETC/digest/key_admin ]
867
                until [ -s $DIR_DEST_ETC/digest/key_admin ]
868
                do
868
                do
869
                        $DIR_DEST_BIN/alcasar-profil.sh --add admin
869
                        $DIR_DEST_BIN/alcasar-profil.sh --add admin
870
                done
870
                done
871
        fi
871
        fi
872
# Creation of ACC certs links
872
# Creation of ACC certs links
873
        [ -d /var/www/html/certs ] || mkdir /var/www/html/certs
873
        [ -d /var/www/html/certs ] || mkdir /var/www/html/certs
874
        ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
874
        ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
875
# Run lighttpd after coova (in order waiting tun0 to be up)
875
# Run lighttpd after coova (in order waiting tun0 to be up)
876
        $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
876
        $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
877
        # Log file for ACC access imputability
877
        # Log file for ACC access imputability
878
        [ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
878
        [ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
879
        chown root:apache $DIR_SAVE/security/acc_access.log
879
        chown root:apache $DIR_SAVE/security/acc_access.log
880
        chmod 664 $DIR_SAVE/security/acc_access.log
880
        chmod 664 $DIR_SAVE/security/acc_access.log
-
 
881
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
-
 
882
    cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
881
} # End of ACC()
883
} # End of ACC()
882
 
884
 
883
#############################################################
885
#############################################################
884
##               Function "time_server"                    ##
886
##               Function "time_server"                    ##
885
## - Configuring NTP server                                ##
887
## - Configuring NTP server                                ##
886
#############################################################
888
#############################################################
887
time_server()
889
time_server()
888
{
890
{
889
# Set the Internet time server
891
# Set the Internet time server
890
        [ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
892
        [ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
891
        cat <<EOF > /etc/ntp/step-tickers
893
        cat <<EOF > /etc/ntp/step-tickers
892
0.fr.pool.ntp.org       # adapt to your country
894
0.fr.pool.ntp.org       # adapt to your country
893
1.fr.pool.ntp.org
895
1.fr.pool.ntp.org
894
2.fr.pool.ntp.org
896
2.fr.pool.ntp.org
895
EOF
897
EOF
896
        [ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
898
        [ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
897
        cat <<EOF > /etc/ntp.conf
899
        cat <<EOF > /etc/ntp.conf
898
server 0.fr.pool.ntp.org        # adapt to your country
900
server 0.fr.pool.ntp.org        # adapt to your country
899
server 1.fr.pool.ntp.org
901
server 1.fr.pool.ntp.org
900
server 2.fr.pool.ntp.org
902
server 2.fr.pool.ntp.org
901
server 127.127.1.0              # local clock si NTP internet indisponible ...
903
server 127.127.1.0              # local clock si NTP internet indisponible ...
902
fudge 127.127.1.0 stratum 10
904
fudge 127.127.1.0 stratum 10
903
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
905
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
904
restrict 127.0.0.1
906
restrict 127.0.0.1
905
driftfile /var/lib/ntp/drift
907
driftfile /var/lib/ntp/drift
906
logfile /var/log/ntp.log
908
logfile /var/log/ntp.log
907
disable monitor
909
disable monitor
908
EOF
910
EOF
909
        chown -R ntp:ntp /var/lib/ntp
911
        chown -R ntp:ntp /var/lib/ntp
910
# Synchronize now
912
# Synchronize now
911
        ntpd -4 -q -g &
913
        ntpd -4 -q -g &
912
} # End of time_server()
914
} # End of time_server()
913
 
915
 
914
#####################################################################
916
#####################################################################
915
##                     Function "init_db"                          ##
917
##                     Function "init_db"                          ##
916
## - Mysql initialization                                          ##
918
## - Mysql initialization                                          ##
917
## - Set admin (root) password                                     ##
919
## - Set admin (root) password                                     ##
918
## - Remove unused users & databases                               ##
920
## - Remove unused users & databases                               ##
919
## - Radius database creation                                      ##
921
## - Radius database creation                                      ##
920
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
922
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
921
#####################################################################
923
#####################################################################
922
init_db()
924
init_db()
923
{
925
{
924
        if [ "`systemctl is-active mysqld`" == "active" ]
926
        if [ "`systemctl is-active mysqld`" == "active" ]
925
        then
927
        then
926
                systemctl stop mysqld
928
                systemctl stop mysqld
927
        fi
929
        fi
928
        rm -rf /var/lib/mysql # to be sure that there is no former installation
930
        rm -rf /var/lib/mysql # to be sure that there is no former installation
929
        [ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
931
        [ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
930
        $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
932
        $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
931
        $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
933
        $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
932
        $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
934
        $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
933
        $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
935
        $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
934
        [ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
936
        [ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
935
        [ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
937
        [ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
936
        /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
938
        /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
937
        /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
939
        /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
938
        /usr/bin/systemctl start mysqld
940
        /usr/bin/systemctl start mysqld
939
        nb_round=1
941
        nb_round=1
940
        while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
942
        while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
941
        do
943
        do
942
                nb_round=`expr $nb_round + 1`
944
                nb_round=`expr $nb_round + 1`
943
                sleep 2
945
                sleep 2
944
        done
946
        done
945
        if [ ! -S /var/lib/mysql/mysql.sock ]
947
        if [ ! -S /var/lib/mysql/mysql.sock ]
946
        then
948
        then
947
                echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
949
                echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
948
                exit
950
                exit
949
        fi
951
        fi
950
# Secure the server
952
# Secure the server
951
        /usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
953
        /usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
952
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
954
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
953
        $MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
955
        $MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
954
        $MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
956
        $MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
955
# Create 'radius' database
957
# Create 'radius' database
956
        $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
958
        $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
957
# Add an empty radius database structure
959
# Add an empty radius database structure
958
        /usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
960
        /usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
959
# modify the start script in order to close accounting connexion when the system is comming down or up
961
# modify the start script in order to close accounting connexion when the system is comming down or up
960
        [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
962
        [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
961
        $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
963
        $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
962
        $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
964
        $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
963
        /usr/bin/systemctl unset-environment MYSQLD_OPTS
965
        /usr/bin/systemctl unset-environment MYSQLD_OPTS
964
        /usr/bin/systemctl daemon-reload
966
        /usr/bin/systemctl daemon-reload
965
} # End of init_db()
967
} # End of init_db()
966
 
968
 
967
###################################################################
969
###################################################################
968
##                       Function "freeradius"                   ##
970
##                       Function "freeradius"                   ##
969
## - Set the configuration files                                 ##
971
## - Set the configuration files                                 ##
970
## - Set the shared secret between coova-chilli and freeradius   ##
972
## - Set the shared secret between coova-chilli and freeradius   ##
971
## - Adapt the Mysql conf file and counters                      ##
973
## - Adapt the Mysql conf file and counters                      ##
972
###################################################################
974
###################################################################
973
freeradius()
975
freeradius()
974
{
976
{
975
        cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
977
        cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
976
        chown -R radius:radius /etc/raddb
978
        chown -R radius:radius /etc/raddb
977
        [ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
979
        [ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
978
# Set radius global parameters (radius.conf)
980
# Set radius global parameters (radius.conf)
979
        $SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
981
        $SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
980
        $SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
982
        $SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
981
        $SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
983
        $SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
982
        $SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
984
        $SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
983
        $SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
985
        $SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
984
# Add ALCASAR & Coovachilli dictionaries
986
# Add ALCASAR & Coovachilli dictionaries
985
        [ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
987
        [ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
986
        cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
988
        cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
987
        echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
989
        echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
988
        cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
990
        cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
989
        echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
991
        echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
990
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
992
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
991
        [ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
993
        [ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
992
        cat << EOF > /etc/raddb/clients.conf
994
        cat << EOF > /etc/raddb/clients.conf
993
client localhost {
995
client localhost {
994
        ipaddr = 127.0.0.1
996
        ipaddr = 127.0.0.1
995
        secret = $secretradius
997
        secret = $secretradius
996
        shortname = chilli
998
        shortname = chilli
997
        nas_type = other
999
        nas_type = other
998
}
1000
}
999
EOF
1001
EOF
1000
# Set Virtual server
1002
# Set Virtual server
1001
    # Remvoveing all except "alcasar virtual site")
1003
    # Remvoveing all except "alcasar virtual site")
1002
        # INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
1004
        # INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
1003
        cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1005
        cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1004
        cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1006
        cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1005
        chown radius:apache /etc/raddb/sites-available/alcasar*
1007
        chown radius:apache /etc/raddb/sites-available/alcasar*
1006
        chmod 660 /etc/raddb/sites-available/alcasar*
1008
        chmod 660 /etc/raddb/sites-available/alcasar*
1007
        rm -f /etc/raddb/sites-enabled/*
1009
        rm -f /etc/raddb/sites-enabled/*
1008
        ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1010
        ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1009
# Set modules
1011
# Set modules
1010
        # Add custom LDAP "available module"
1012
        # Add custom LDAP "available module"
1011
        # INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
1013
        # INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
1012
        cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1014
        cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1013
        chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1015
        chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1014
        # Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1016
        # Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1015
        rm -rf  /etc/raddb/mods-enabled/*
1017
        rm -rf  /etc/raddb/mods-enabled/*
1016
        for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1018
        for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1017
        do
1019
        do
1018
                ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1020
                ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1019
        done
1021
        done
1020
# Configure SQL module
1022
# Configure SQL module
1021
        [ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1023
        [ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1022
        $SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1024
        $SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1023
        $SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1025
        $SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1024
        $SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1026
        $SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1025
        $SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1027
        $SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1026
        $SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1028
        $SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1027
        $SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1029
        $SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1028
        $SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1030
        $SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1029
        # no TLS encryption on 127.0.0.1
1031
        # no TLS encryption on 127.0.0.1
1030
        $SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
1032
        $SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
1031
        $SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
1033
        $SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
1032
        $SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
1034
        $SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
1033
        $SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
1035
        $SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
1034
        $SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
1036
        $SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
1035
        $SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
1037
        $SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
1036
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1038
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1037
        [ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1039
        [ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1038
        cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1040
        cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1039
        chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1041
        chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1040
# sqlcounter modifications
1042
# sqlcounter modifications
1041
        [ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1043
        [ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1042
        cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1044
        cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1043
        chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1045
        chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1044
# make certain that mysql is up before freeradius start
1046
# make certain that mysql is up before freeradius start
1045
        [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1047
        [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1046
        $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1048
        $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1047
        /usr/bin/systemctl daemon-reload
1049
        /usr/bin/systemctl daemon-reload
1048
# Allow apache to change some conf files (ie : ldap on/off)
1050
# Allow apache to change some conf files (ie : ldap on/off)
1049
        chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1051
        chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1050
        chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1052
        chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1051
} # End of freeradius()
1053
} # End of freeradius()
1052
 
1054
 
1053
#############################################################################
1055
#############################################################################
1054
##                           Function "chilli"                             ##
1056
##                           Function "chilli"                             ##
1055
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1057
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1056
## - Adapt the authentication web page (intercept.php)                     ##
1058
## - Adapt the authentication web page (intercept.php)                     ##
1057
#############################################################################
1059
#############################################################################
1058
chilli()
1060
chilli()
1059
{
1061
{
1060
# chilli unit for systemd
1062
# chilli unit for systemd
1061
        cat << EOF > /lib/systemd/system/chilli.service
1063
        cat << EOF > /lib/systemd/system/chilli.service
1062
#  This file is part of systemd.
1064
#  This file is part of systemd.
1063
#
1065
#
1064
#  systemd is free software; you can redistribute it and/or modify it
1066
#  systemd is free software; you can redistribute it and/or modify it
1065
#  under the terms of the GNU General Public License as published by
1067
#  under the terms of the GNU General Public License as published by
1066
#  the Free Software Foundation; either version 2 of the License, or
1068
#  the Free Software Foundation; either version 2 of the License, or
1067
#  (at your option) any later version.
1069
#  (at your option) any later version.
1068
 
1070
 
1069
# This unit launches coova-chilli a captive portal
1071
# This unit launches coova-chilli a captive portal
1070
[Unit]
1072
[Unit]
1071
Description=chilli is a captive portal daemon
1073
Description=chilli is a captive portal daemon
1072
After=network.target
1074
After=network.target
1073
 
1075
 
1074
[Service]
1076
[Service]
1075
Type=forking
1077
Type=forking
1076
ExecStart=/usr/libexec/chilli start
1078
ExecStart=/usr/libexec/chilli start
1077
ExecStop=/usr/libexec/chilli stop
1079
ExecStop=/usr/libexec/chilli stop
1078
ExecReload=/usr/libexec/chilli reload
1080
ExecReload=/usr/libexec/chilli reload
1079
PIDFile=/run/chilli.pid
1081
PIDFile=/run/chilli.pid
1080
 
1082
 
1081
[Install]
1083
[Install]
1082
WantedBy=multi-user.target
1084
WantedBy=multi-user.target
1083
EOF
1085
EOF
1084
# init file creation
1086
# init file creation
1085
        [ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1087
        [ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1086
        cat <<EOF > /etc/init.d/chilli
1088
        cat <<EOF > /etc/init.d/chilli
1087
#!/bin/sh
1089
#!/bin/sh
1088
#
1090
#
1089
# chilli CoovaChilli init
1091
# chilli CoovaChilli init
1090
#
1092
#
1091
# chkconfig: 2345 65 35
1093
# chkconfig: 2345 65 35
1092
# description: CoovaChilli
1094
# description: CoovaChilli
1093
### BEGIN INIT INFO
1095
### BEGIN INIT INFO
1094
# Provides:       chilli
1096
# Provides:       chilli
1095
# Required-Start: network
1097
# Required-Start: network
1096
# Should-Start:
1098
# Should-Start:
1097
# Required-Stop:  network
1099
# Required-Stop:  network
1098
# Should-Stop:
1100
# Should-Stop:
1099
# Default-Start:  2 3 5
1101
# Default-Start:  2 3 5
1100
# Default-Stop:
1102
# Default-Stop:
1101
# Description:    CoovaChilli access controller
1103
# Description:    CoovaChilli access controller
1102
### END INIT INFO
1104
### END INIT INFO
1103
 
1105
 
1104
[ -f /usr/sbin/chilli ] || exit 0
1106
[ -f /usr/sbin/chilli ] || exit 0
1105
. /etc/init.d/functions
1107
. /etc/init.d/functions
1106
CONFIG=/etc/chilli.conf
1108
CONFIG=/etc/chilli.conf
1107
pidfile=/run/chilli.pid
1109
pidfile=/run/chilli.pid
1108
[ -f \$CONFIG ] || {
1110
[ -f \$CONFIG ] || {
1109
        echo "\$CONFIG Not found"
1111
        echo "\$CONFIG Not found"
1110
        exit 0
1112
        exit 0
1111
}
1113
}
1112
current_users_file="/tmp/current_users.txt"     # file containing active users
1114
current_users_file="/tmp/current_users.txt"     # file containing active users
1113
RETVAL=0
1115
RETVAL=0
1114
prog="chilli"
1116
prog="chilli"
1115
case \$1 in
1117
case \$1 in
1116
        start)
1118
        start)
1117
                if [ -f \$pidfile ] ; then
1119
                if [ -f \$pidfile ] ; then
1118
                        gprintf "chilli is already running"
1120
                        gprintf "chilli is already running"
1119
                else
1121
                else
1120
                        gprintf "Starting \$prog: "
1122
                        gprintf "Starting \$prog: "
1121
                        echo '' > \$current_users_file && chown root:apache \$current_users_file && chmod 660 \$current_users_file
1123
                        echo '' > \$current_users_file && chown root:apache \$current_users_file && chmod 660 \$current_users_file
1122
                        rm -f /run/chilli* # cleaning
1124
                        rm -f /run/chilli* # cleaning
1123
                        /usr/sbin/modprobe tun >/dev/null 2>&1
1125
                        /usr/sbin/modprobe tun >/dev/null 2>&1
1124
                        echo 1 > /proc/sys/net/ipv4/ip_forward
1126
                        echo 1 > /proc/sys/net/ipv4/ip_forward
1125
                        [ -e /dev/net/tun ] || {
1127
                        [ -e /dev/net/tun ] || {
1126
                                (cd /dev;
1128
                                (cd /dev;
1127
                                mkdir net;
1129
                                mkdir net;
1128
                                cd net;
1130
                                cd net;
1129
                                mknod tun c 10 200)
1131
                                mknod tun c 10 200)
1130
                        }
1132
                        }
1131
                        ifconfig $INTIF 0.0.0.0
1133
                        ifconfig $INTIF 0.0.0.0
1132
                        /usr/sbin/ethtool -K $INTIF gro off
1134
                        /usr/sbin/ethtool -K $INTIF gro off
1133
                        daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1135
                        daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1134
                        RETVAL=\$?
1136
                        RETVAL=\$?
1135
                fi
1137
                fi
1136
                ;;
1138
                ;;
1137
 
1139
 
1138
        reload)
1140
        reload)
1139
                killall -HUP chilli
1141
                killall -HUP chilli
1140
                ;;
1142
                ;;
1141
 
1143
 
1142
        restart)
1144
        restart)
1143
                \$0 stop
1145
                \$0 stop
1144
                sleep 2
1146
                sleep 2
1145
                \$0 start
1147
                \$0 start
1146
                ;;
1148
                ;;
1147
 
1149
 
1148
        status)
1150
        status)
1149
                status chilli
1151
                status chilli
1150
                RETVAL=0
1152
                RETVAL=0
1151
                ;;
1153
                ;;
1152
 
1154
 
1153
        stop)
1155
        stop)
1154
                if [ -f \$pidfile ] ; then
1156
                if [ -f \$pidfile ] ; then
1155
                        gprintf "Shutting down \$prog: "
1157
                        gprintf "Shutting down \$prog: "
1156
                        killproc /usr/sbin/chilli
1158
                        killproc /usr/sbin/chilli
1157
                        RETVAL=\$?
1159
                        RETVAL=\$?
1158
                        [ \$RETVAL = 0 ] && rm -f \$pidfile
1160
                        [ \$RETVAL = 0 ] && rm -f \$pidfile
1159
                        [ -e \$current_users_file ] && rm -f \$current_users_file
1161
                        [ -e \$current_users_file ] && rm -f \$current_users_file
1160
                else
1162
                else
1161
                        gprintf "chilli is not running"
1163
                        gprintf "chilli is not running"
1162
                fi
1164
                fi
1163
                ;;
1165
                ;;
1164
 
1166
 
1165
        *)
1167
        *)
1166
                echo "Usage: \$0 {start|stop|restart|reload|status}"
1168
                echo "Usage: \$0 {start|stop|restart|reload|status}"
1167
                exit 1
1169
                exit 1
1168
esac
1170
esac
1169
echo
1171
echo
1170
EOF
1172
EOF
1171
        chmod a+x /etc/init.d/chilli
1173
        chmod a+x /etc/init.d/chilli
1172
        ln -s /etc/init.d/chilli /usr/libexec/chilli
1174
        ln -s /etc/init.d/chilli /usr/libexec/chilli
1173
# conf file creation
1175
# conf file creation
1174
        [ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1176
        [ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1175
        #NTP Option configuration for DHCP
1177
        #NTP Option configuration for DHCP
1176
        #DHCP Options : rfc2132
1178
        #DHCP Options : rfc2132
1177
                #dhcp option value will be convert in hexa.
1179
                #dhcp option value will be convert in hexa.
1178
                #NTP option (or 'option 42') is like :
1180
                #NTP option (or 'option 42') is like :
1179
                #
1181
                #
1180
                #    Code   Len         Address 1               Address 2
1182
                #    Code   Len         Address 1               Address 2
1181
                #   +-----+-----+-----+-----+-----+-----+-----+-----+--
1183
                #   +-----+-----+-----+-----+-----+-----+-----+-----+--
1182
                #   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1184
                #   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1183
                #   +-----+-----+-----+-----+-----+-----+-----+-----+--
1185
                #   +-----+-----+-----+-----+-----+-----+-----+-----+--
1184
                #
1186
                #
1185
                #Code : 42 => 2a
1187
                #Code : 42 => 2a
1186
                #Len : 4 => 04
1188
                #Len : 4 => 04
1187
        PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1189
        PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1188
        cat <<EOF > /etc/chilli.conf
1190
        cat <<EOF > /etc/chilli.conf
1189
# coova config for ALCASAR
1191
# coova config for ALCASAR
1190
cmdsocket       /run/chilli.sock
1192
cmdsocket       /run/chilli.sock
1191
unixipc         chilli.$INTIF.ipc
1193
unixipc         chilli.$INTIF.ipc
1192
pidfile         /run/chilli.pid
1194
pidfile         /run/chilli.pid
1193
net             $PRIVATE_NETWORK_MASK
1195
net             $PRIVATE_NETWORK_MASK
1194
dhcpif          $INTIF
1196
dhcpif          $INTIF
1195
ethers          $DIR_DEST_ETC/alcasar-ethers
1197
ethers          $DIR_DEST_ETC/alcasar-ethers
1196
#nodynip
1198
#nodynip
1197
#statip
1199
#statip
1198
dynip           $PRIVATE_NETWORK_MASK
1200
dynip           $PRIVATE_NETWORK_MASK
1199
domain          $DOMAIN
1201
domain          $DOMAIN
1200
dns1            $PRIVATE_IP
1202
dns1            $PRIVATE_IP
1201
dns2            $PRIVATE_IP
1203
dns2            $PRIVATE_IP
1202
uamlisten       $PRIVATE_IP
1204
uamlisten       $PRIVATE_IP
1203
uamport         3990
1205
uamport         3990
1204
uamuiport       3991
1206
uamuiport       3991
1205
macauth
1207
macauth
1206
macpasswd       password
1208
macpasswd       password
1207
strictmacauth
1209
strictmacauth
1208
locationname    $HOSTNAME.$DOMAIN
1210
locationname    $HOSTNAME.$DOMAIN
1209
radiusserver1   127.0.0.1
1211
radiusserver1   127.0.0.1
1210
radiusserver2   127.0.0.1
1212
radiusserver2   127.0.0.1
1211
radiussecret    $secretradius
1213
radiussecret    $secretradius
1212
radiusauthport  1812
1214
radiusauthport  1812
1213
radiusacctport  1813
1215
radiusacctport  1813
1214
uamserver       http://$HOSTNAME.$DOMAIN/intercept.php
1216
uamserver       http://$HOSTNAME.$DOMAIN/intercept.php
1215
redirurl
1217
redirurl
1216
radiusnasid     $HOSTNAME.$DOMAIN
1218
radiusnasid     $HOSTNAME.$DOMAIN
1217
uamsecret       $secretuam
1219
uamsecret       $secretuam
1218
uamallowed      $HOSTNAME,$HOSTNAME.$DOMAIN
1220
uamallowed      $HOSTNAME,$HOSTNAME.$DOMAIN
1219
coaport         3799
1221
coaport         3799
1220
conup           $DIR_DEST_BIN/alcasar-conup.sh
1222
conup           $DIR_DEST_BIN/alcasar-conup.sh
1221
condown         $DIR_DEST_BIN/alcasar-condown.sh
1223
condown         $DIR_DEST_BIN/alcasar-condown.sh
1222
macup           $DIR_DEST_BIN/alcasar-macup.sh
1224
macup           $DIR_DEST_BIN/alcasar-macup.sh
1223
include         $DIR_DEST_ETC/alcasar-uamallowed
1225
include         $DIR_DEST_ETC/alcasar-uamallowed
1224
include         $DIR_DEST_ETC/alcasar-uamdomain
1226
include         $DIR_DEST_ETC/alcasar-uamdomain
1225
dhcpopt         2a04$PRIVATE_IP_HEXA
1227
dhcpopt         2a04$PRIVATE_IP_HEXA
1226
#dhcpgateway            none
1228
#dhcpgateway            none
1227
#dhcprelayagent         none
1229
#dhcprelayagent         none
1228
#dhcpgatewayport        none
1230
#dhcpgatewayport        none
1229
sslkeyfile      /etc/pki/tls/private/alcasar.key
1231
sslkeyfile      /etc/pki/tls/private/alcasar.key
1230
sslcertfile     /etc/pki/tls/certs/alcasar.crt
1232
sslcertfile     /etc/pki/tls/certs/alcasar.crt
1231
#redirssl
1233
#redirssl
1232
#uamuissl
1234
#uamuissl
1233
EOF
1235
EOF
1234
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1236
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1235
        echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1237
        echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1236
        echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1238
        echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1237
# create files for trusted domains and urls
1239
# create files for trusted domains and urls
1238
        touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1240
        touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1239
        chown root:apache $DIR_DEST_ETC/alcasar-*
1241
        chown root:apache $DIR_DEST_ETC/alcasar-*
1240
        chmod 660 $DIR_DEST_ETC/alcasar-*
1242
        chmod 660 $DIR_DEST_ETC/alcasar-*
1241
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1243
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1242
        $SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1244
        $SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1243
# user 'chilli' creation (in order to run conup/off and up/down scripts
1245
# user 'chilli' creation (in order to run conup/off and up/down scripts
1244
        chilli_exist=`grep -c ^chilli: /etc/passwd`
1246
        chilli_exist=`grep -c ^chilli: /etc/passwd`
1245
        if [ "$chilli_exist" == "1" ]
1247
        if [ "$chilli_exist" == "1" ]
1246
        then
1248
        then
1247
                userdel -r chilli 2>/dev/null
1249
                userdel -r chilli 2>/dev/null
1248
        fi
1250
        fi
1249
        groupadd -f chilli
1251
        groupadd -f chilli
1250
        useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1252
        useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1251
}  # End of chilli()
1253
}  # End of chilli()
1252
 
1254
 
1253
################################################################
1255
################################################################
1254
##                   Function "e2guardian"                    ##
1256
##                   Function "e2guardian"                    ##
1255
## - Set the parameters of this HTML proxy (as controler)     ##
1257
## - Set the parameters of this HTML proxy (as controler)     ##
1256
################################################################
1258
################################################################
1257
e2guardian()
1259
e2guardian()
1258
{
1260
{
1259
# Adapt systemd unit
1261
# Adapt systemd unit
1260
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
1262
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
1261
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1263
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1262
        $SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1264
        $SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1263
        [ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1265
        [ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1264
# Adapt the main conf file
1266
# Adapt the main conf file
1265
# French deny HTML page
1267
# French deny HTML page
1266
        $SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
1268
        $SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
1267
# 2 filtergroups (8080 & 8090)
1269
# 2 filtergroups (8080 & 8090)
1268
        $SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
1270
        $SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
1269
# Listen on 8080 (HTTP for BL users) only on LAN side
1271
# Listen on 8080 (HTTP for BL users) only on LAN side
1270
        $SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1272
        $SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1271
        $SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
1273
        $SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
1272
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
1274
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
1273
        $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
1275
        $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
1274
        $SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
1276
        $SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
1275
# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
1277
# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
1276
        $SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1278
        $SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1277
# Don't log
1279
# Don't log
1278
        $SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1280
        $SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1279
# Disable HTML content control (weighted & banned)
1281
# Disable HTML content control (weighted & banned)
1280
        $SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1282
        $SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1281
# Enable authport plugin
1283
# Enable authport plugin
1282
        $SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
1284
        $SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
1283
        $SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
1285
        $SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
1284
# Enable clamd scanner
1286
# Enable clamd scanner
1285
        $SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
1287
        $SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
1286
 
1288
 
1287
# Adapt the first group conf file
1289
# Adapt the first group conf file
1288
        [ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1290
        [ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1289
        $SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1291
        $SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1290
        $SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
1292
        $SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
1291
        $SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
1293
        $SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
1292
 
1294
 
1293
# copy & adapt HTML templates
1295
# copy & adapt HTML templates
1294
        cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
1296
        cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
1295
        cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1297
        cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1296
        $SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
1298
        $SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
1297
        $SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1299
        $SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1298
 
1300
 
1299
###### ALCASAR special filtering ####
1301
###### ALCASAR special filtering ####
1300
# RAZ bannedphraselist
1302
# RAZ bannedphraselist
1301
        cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1303
        cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1302
        $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1304
        $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1303
# Disable URL control with regex
1305
# Disable URL control with regex
1304
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1306
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1305
        $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1307
        $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1306
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
1308
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
1307
#       [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1309
#       [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1308
#       cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1310
#       cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1309
#       [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1311
#       [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1310
#       cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1312
#       cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1311
# Dont filtering files by extension or mime-type (empty list)
1313
# Dont filtering files by extension or mime-type (empty list)
1312
        [ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1314
        [ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1313
        touch $DIR_DG/lists/bannedextensionlist
1315
        touch $DIR_DG/lists/bannedextensionlist
1314
        [ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1316
        [ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1315
        touch $DIR_DG/lists/bannedmimetypelist
1317
        touch $DIR_DG/lists/bannedmimetypelist
1316
# Empty LAN IP list that won't be WEB filtered
1318
# Empty LAN IP list that won't be WEB filtered
1317
        [ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1319
        [ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1318
        touch $DIR_DG/lists/exceptioniplist
1320
        touch $DIR_DG/lists/exceptioniplist
1319
# Creation of ALCASAR banned site list
1321
# Creation of ALCASAR banned site list
1320
        [ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
1322
        [ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
1321
        cat <<EOF > $DIR_DG/lists/greysitelist
1323
        cat <<EOF > $DIR_DG/lists/greysitelist
1322
# E2guardian filter config for ALCASAR
1324
# E2guardian filter config for ALCASAR
1323
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
1325
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
1324
# block all SSL and CONNECT tunnels
1326
# block all SSL and CONNECT tunnels
1325
**s
1327
**s
1326
# block all SSL and CONNECT tunnels specified only as an IP
1328
# block all SSL and CONNECT tunnels specified only as an IP
1327
*ips
1329
*ips
1328
# block all sites specified only by an IP
1330
# block all sites specified only by an IP
1329
*ip
1331
*ip
1330
EOF
1332
EOF
1331
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
1333
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
1332
        [ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1334
        [ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1333
        cat <<EOF > $DIR_DG/lists/bannedurllist
1335
        cat <<EOF > $DIR_DG/lists/bannedurllist
1334
# E2guardian filter config for ALCASAR
1336
# E2guardian filter config for ALCASAR
1335
EOF
1337
EOF
1336
# Creation of files for rehabilited domains and urls
1338
# Creation of files for rehabilited domains and urls
1337
        [ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1339
        [ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1338
        [ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1340
        [ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1339
        touch $DIR_DG/lists/exceptionsitelist
1341
        touch $DIR_DG/lists/exceptionsitelist
1340
        touch $DIR_DG/lists/exceptionurllist
1342
        touch $DIR_DG/lists/exceptionurllist
1341
# Add Bing to the safesearch url regext list (parental control)
1343
# Add Bing to the safesearch url regext list (parental control)
1342
        [ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1344
        [ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1343
        cat <<EOF >> $DIR_DG/lists/urlregexplist
1345
        cat <<EOF >> $DIR_DG/lists/urlregexplist
1344
 
1346
 
1345
# Bing - add 'adlt=strict'
1347
# Bing - add 'adlt=strict'
1346
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1348
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1347
EOF
1349
EOF
1348
# 'Safesearch' regex actualisation
1350
# 'Safesearch' regex actualisation
1349
        $SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1351
        $SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1350
# change the google safesearch ("safe=strict" instead of "safe=vss")
1352
# change the google safesearch ("safe=strict" instead of "safe=vss")
1351
        $SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1353
        $SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1352
 
1354
 
1353
# Create & adapt the second group conf file (av + av_wl)
1355
# Create & adapt the second group conf file (av + av_wl)
1354
        cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
1356
        cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
1355
        $SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
1357
        $SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
1356
        $SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
1358
        $SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
1357
        $SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
1359
        $SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
1358
 
1360
 
1359
# create log folder
1361
# create log folder
1360
    mkdir -p /var/log/e2guardian
1362
    mkdir -p /var/log/e2guardian
1361
        chown -R e2guardian /etc/e2guardian /var/log/e2guardian
1363
        chown -R e2guardian /etc/e2guardian /var/log/e2guardian
1362
} # End of e2guardian()
1364
} # End of e2guardian()
1363
 
1365
 
1364
##################################################################
1366
##################################################################
1365
##                     Function "antivirus"                     ##
1367
##                     Function "antivirus"                     ##
1366
## - Set the parameters of clamav and freshclam                 ##
1368
## - Set the parameters of clamav and freshclam                 ##
1367
##################################################################
1369
##################################################################
1368
antivirus()
1370
antivirus()
1369
{
1371
{
1370
# Clamd adaptation to e2guardian
1372
# Clamd adaptation to e2guardian
1371
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
1373
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
1372
        $SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1374
        $SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1373
        $SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1375
        $SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1374
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
1376
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
1375
        $SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1377
        $SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1376
        $SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1378
        $SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1377
       
1379
       
1378
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
1380
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
1379
        $SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
1381
        $SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
1380
        $SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
1382
        $SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
1381
        $SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
1383
        $SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
1382
        $SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
1384
        $SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
1383
        $SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
1385
        $SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
1384
        $SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf
1386
        $SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf
1385
        chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
1387
        chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
1386
        chmod 775 /var/log/clamav /var/lib/clamav
1388
        chmod 775 /var/log/clamav /var/lib/clamav
1387
        chmod 664 /var/log/clamav/*
1389
        chmod 664 /var/log/clamav/*
1388
# update virus database every 4 hours (24h/6)
1390
# update virus database every 4 hours (24h/6)
1389
        [ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1391
        [ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1390
        $SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1392
        $SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1391
        $SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1393
        $SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1392
        $SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
1394
        $SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
1393
        $SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1395
        $SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1394
        $SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1396
        $SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1395
# update now
1397
# update now
1396
        /usr/bin/freshclam --no-warnings --quiet
1398
        /usr/bin/freshclam --no-warnings --quiet
1397
} # End of antivirus()
1399
} # End of antivirus()
1398
 
1400
 
1399
##############################################################
1401
##############################################################
1400
##                            function "ulogd"              ##
1402
##                            function "ulogd"              ##
1401
## - Ulog config for multi-log files                        ##
1403
## - Ulog config for multi-log files                        ##
1402
##############################################################
1404
##############################################################
1403
ulogd()
1405
ulogd()
1404
{
1406
{
1405
# Three instances of ulogd (three different logfiles)
1407
# Three instances of ulogd (three different logfiles)
1406
        [ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1408
        [ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1407
        nl=1
1409
        nl=1
1408
        for log_type in traceability ssh ext-access
1410
        for log_type in traceability ssh ext-access
1409
        do
1411
        do
1410
                [ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1412
                [ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1411
                [ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1413
                [ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1412
                cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1414
                cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1413
                $SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1415
                $SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1414
                cat << EOF >> /etc/ulogd-$log_type.conf
1416
                cat << EOF >> /etc/ulogd-$log_type.conf
1415
[emu1]
1417
[emu1]
1416
file="/var/log/firewall/$log_type.log"
1418
file="/var/log/firewall/$log_type.log"
1417
sync=1
1419
sync=1
1418
EOF
1420
EOF
1419
                $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1421
                $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1420
                nl=`expr $nl + 1`
1422
                nl=`expr $nl + 1`
1421
        done
1423
        done
1422
        chown -R root:apache /var/log/firewall
1424
        chown -R root:apache /var/log/firewall
1423
        chmod 750 /var/log/firewall
1425
        chmod 750 /var/log/firewall
1424
        chmod 640 /var/log/firewall/*
1426
        chmod 640 /var/log/firewall/*
1425