Subversion Repositories ALCASAR

Rev

Rev 862 | Rev 868 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 862 Rev 865
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 862 2012-04-22 19:50:30Z richard $ 
2
#  $Id: alcasar.sh 865 2012-05-01 17:48:31Z richard $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
5
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
 
7
 
8
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
8
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
9
# ALCASAR est architecturé autour d'une distribution Linux Mandriva minimaliste et les logiciels libres suivants :
9
# ALCASAR est architecturé autour d'une distribution Linux Mandriva minimaliste et les logiciels libres suivants :
10
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
10
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
11
# ALCASAR is based on a stripped Mandriva (LSB) with the following open source softwares :
11
# ALCASAR is based on a stripped Mandriva (LSB) with the following open source softwares :
12
#
12
#
13
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, awstat, ntpd, openssl, dnsmasq, havp, libclamav  and firewalleyes
13
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, awstat, ntpd, openssl, dnsmasq, havp, libclamav  and firewalleyes
14
 
14
 
15
# Options :
15
# Options :
16
#       -i or --install
16
#       -i or --install
17
#       -u or --uninstall
17
#       -u or --uninstall
18
 
18
 
19
# Functions :
19
# Functions :
20
#	testing		: Tests de connectivité et de téléchargement avant installation
20
#	testing		: Tests de connectivité et de téléchargement avant installation
21
#	init		: Installation des RPM et des scripts
21
#	init		: Installation des RPM et des scripts
22
#	network		: Paramètrage du réseau
22
#	network		: Paramètrage du réseau
23
#	gestion		: Installation de l'interface de gestion
23
#	gestion		: Installation de l'interface de gestion
24
#	AC		: Initialisation de l'autorité de certification. Création des certificats
24
#	AC		: Initialisation de l'autorité de certification. Création des certificats
25
#	init_db		: Création de la base 'radius' sur le serveur MySql
25
#	init_db		: Création de la base 'radius' sur le serveur MySql
26
#	param_radius	: Configuration du serveur d'authentification FreeRadius
26
#	param_radius	: Configuration du serveur d'authentification FreeRadius
27
#	param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
27
#	param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
28
#	param_chilli	: Configuration du daemon 'coova-chilli' et de la page d'authentification
28
#	param_chilli	: Configuration du daemon 'coova-chilli' et de la page d'authentification
29
#	param_squid	: Configuration du proxy squid en mode 'cache'
29
#	param_squid	: Configuration du proxy squid en mode 'cache'
30
#	param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
30
#	param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
31
#	antivirus	: Installation havp + libclamav
31
#	antivirus	: Installation havp + libclamav
32
#	param_awstats	: Configuration de l'interface des statistiques de consultation WEB
32
#	param_awstats	: Configuration de l'interface des statistiques de consultation WEB
33
#	dnsmasq		: Configuration du serveur de noms et du serveur dhcp de secours
33
#	dnsmasq		: Configuration du serveur de noms et du serveur dhcp de secours
34
#	BL		: Configuration de la BlackList
34
#	BL		: Configuration de la BlackList
35
#	cron		: Mise en place des exports de logs (+ chiffrement)
35
#	cron		: Mise en place des exports de logs (+ chiffrement)
36
#	post_install	: Finalisation environnement ( sécurité, bannières, rotation logs, ...)
36
#	post_install	: Finalisation environnement ( sécurité, bannières, rotation logs, ...)
37
 
37
 
38
DATE=`date '+%d %B %Y - %Hh%M'`
38
DATE=`date '+%d %B %Y - %Hh%M'`
39
DATE_SHORT=`date '+%d/%m/%Y'`
39
DATE_SHORT=`date '+%d/%m/%Y'`
40
Lang=`echo $LANG|cut -c 1-2`
40
Lang=`echo $LANG|cut -c 1-2`
41
# ******* Files parameters - paramètres fichiers *********
41
# ******* Files parameters - paramètres fichiers *********
42
DIR_INSTALL=`pwd`				# install directory 
42
DIR_INSTALL=`pwd`				# install directory 
43
DIR_CONF="$DIR_INSTALL/conf"			# répertoire d'installation contenant les fichiers de configuration
43
DIR_CONF="$DIR_INSTALL/conf"			# répertoire d'installation contenant les fichiers de configuration
44
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# répertoire d'installation contenant les scripts
44
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# répertoire d'installation contenant les scripts
45
DIR_SAVE="/var/Save"				# répertoire de sauvegarde (system_backup, user_db_backup, logs)
45
DIR_SAVE="/var/Save"				# répertoire de sauvegarde (system_backup, user_db_backup, logs)
46
DIR_WEB="/var/www/html"				# répertoire racine APACHE
46
DIR_WEB="/var/www/html"				# répertoire racine APACHE
47
DIR_DG="/etc/dansguardian"			# répertoire de config de DansGuardian
47
DIR_DG="/etc/dansguardian"			# répertoire de config de DansGuardian
48
DIR_ACC="$DIR_WEB/acc"				# répertoire du centre de gestion 'ALCASAR Control Center'
48
DIR_ACC="$DIR_WEB/acc"				# répertoire du centre de gestion 'ALCASAR Control Center'
49
DIR_DEST_BIN="/usr/local/bin"			# répertoire des scripts
49
DIR_DEST_BIN="/usr/local/bin"			# répertoire des scripts
50
DIR_DEST_SBIN="/usr/local/sbin"			# répertoire des scripts d'admin
50
DIR_DEST_SBIN="/usr/local/sbin"			# répertoire des scripts d'admin
51
DIR_DEST_ETC="/usr/local/etc"			# répertoire des fichiers de conf
51
DIR_DEST_ETC="/usr/local/etc"			# répertoire des fichiers de conf
52
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# fichier de conf d'alcasar
52
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# fichier de conf d'alcasar
53
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# fichier texte contenant les mots de passe et secrets partagés 
53
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# fichier texte contenant les mots de passe et secrets partagés 
54
# ******* DBMS parameters - paramètres SGBD ********
54
# ******* DBMS parameters - paramètres SGBD ********
55
DB_RADIUS="radius"				# nom de la base de données utilisée par le serveur FreeRadius
55
DB_RADIUS="radius"				# nom de la base de données utilisée par le serveur FreeRadius
56
DB_USER="radius"				# nom de l'utilisateur de la base de données
56
DB_USER="radius"				# nom de l'utilisateur de la base de données
57
# ******* Network parameters - paramètres réseau *******
57
# ******* Network parameters - paramètres réseau *******
58
HOSTNAME="alcasar"				# 
58
HOSTNAME="alcasar"				# 
59
DOMAIN="localdomain"				# domaine local
59
DOMAIN="localdomain"				# domaine local
60
EXTIF="eth0"					# ETH0 est l'interface connectée à Internet (Box FAI)
60
EXTIF="eth0"					# ETH0 est l'interface connectée à Internet (Box FAI)
61
INTIF="eth1"					# ETH1 est l'interface connectée au réseau local de consultation
61
INTIF="eth1"					# ETH1 est l'interface connectée au réseau local de consultation
62
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# adresse d'ALCASAR (+masque) proposée par défaut sur le réseau de consultation
62
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# adresse d'ALCASAR (+masque) proposée par défaut sur le réseau de consultation
63
# ****** Paths - chemin des commandes *******
63
# ****** Paths - chemin des commandes *******
64
SED="/bin/sed -i"
64
SED="/bin/sed -i"
65
# ****************** End of global parameters *********************
65
# ****************** End of global parameters *********************
66
 
66
 
67
header_install ()
67
header_install ()
68
{
68
{
69
	clear
69
	clear
70
	echo "-----------------------------------------------------------------------------"
70
	echo "-----------------------------------------------------------------------------"
71
	echo "                     ALCASAR V$VERSION Installation"
71
	echo "                     ALCASAR V$VERSION Installation"
72
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
72
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
73
	echo "-----------------------------------------------------------------------------"
73
	echo "-----------------------------------------------------------------------------"
74
} # End of header_install ()
74
} # End of header_install ()
75
 
75
 
76
##################################################################
76
##################################################################
77
##			Fonction TESTING			##
77
##			Fonction TESTING			##
78
## - Test de la connectivité Internet				##
78
## - Test de la connectivité Internet				##
79
##################################################################
79
##################################################################
80
testing ()
80
testing ()
81
{
81
{
82
	if [ $Lang == "fr" ]
82
	if [ $Lang == "fr" ]
83
		then echo -n "Tests des paramètres réseau : "
83
		then echo -n "Tests des paramètres réseau : "
84
		else echo -n "Network parameters tests : "
84
		else echo -n "Network parameters tests : "
85
	fi
85
	fi
86
# We test eth0 config files
86
# We test eth0 config files
87
	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`
87
	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`
88
	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`
88
	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`
89
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
89
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
90
		then
90
		then
91
		if [ $Lang == "fr" ]
91
		if [ $Lang == "fr" ]
92
		then 
92
		then 
93
			echo "Échec"
93
			echo "Échec"
94
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
94
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
95
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
95
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
96
			echo "Appliquez les changements : 'service network restart'"
96
			echo "Appliquez les changements : 'service network restart'"
97
		else
97
		else
98
			echo "Failed"
98
			echo "Failed"
99
			echo "The Internet connected network card ($EXTIF) isn't well configured."
99
			echo "The Internet connected network card ($EXTIF) isn't well configured."
100
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
100
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
101
			echo "Apply the new configuration 'service network restart'"
101
			echo "Apply the new configuration 'service network restart'"
102
		fi
102
		fi
103
		echo "DEVICE=$EXTIF"
103
		echo "DEVICE=$EXTIF"
104
		echo "IPADDR="
104
		echo "IPADDR="
105
		echo "NETMASK="
105
		echo "NETMASK="
106
		echo "GATEWAY="
106
		echo "GATEWAY="
107
		echo "DNS1="
107
		echo "DNS1="
108
		echo "DNS2="
108
		echo "DNS2="
109
		echo "ONBOOT=yes"
109
		echo "ONBOOT=yes"
110
		exit 0
110
		exit 0
111
	fi
111
	fi
112
	echo -n "."
112
	echo -n "."
113
# We test the Ethernet links state
113
# We test the Ethernet links state
114
	for i in $EXTIF $INTIF
114
	for i in $EXTIF $INTIF
115
	do
115
	do
116
		/sbin/ip link set $i up
116
		/sbin/ip link set $i up
117
		sleep 3
117
		sleep 3
118
		CMD=`/usr/sbin/ethtool $i |grep Link | awk '{print $NF}'`
118
		CMD=`/usr/sbin/ethtool $i |grep Link | awk '{print $NF}'`
119
		CMD2=`/sbin/mii-tool $i | grep -i link | awk '{print $NF}'`
119
		CMD2=`/sbin/mii-tool $i | grep -i link | awk '{print $NF}'`
120
		if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
120
		if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
121
			then
121
			then
122
			if [ $Lang == "fr" ]
122
			if [ $Lang == "fr" ]
123
			then 
123
			then 
124
				echo "Échec"
124
				echo "Échec"
125
				echo "Le lien réseau de la carte $i n'est pas actif."
125
				echo "Le lien réseau de la carte $i n'est pas actif."
126
				echo "Réglez ce problème puis relancez ce script."
126
				echo "Réglez ce problème puis relancez ce script."
127
			else
127
			else
128
				echo "Failed"
128
				echo "Failed"
129
				echo "The link state of $i interface id down."
129
				echo "The link state of $i interface id down."
130
				echo "Resolv this problem, then restart this script."
130
				echo "Resolv this problem, then restart this script."
131
			fi
131
			fi
132
			exit 0
132
			exit 0
133
		fi
133
		fi
134
	echo -n "."
134
	echo -n "."
135
	done
135
	done
136
# On teste la présence d'un routeur par défaut (Box FAI)
136
# On teste la présence d'un routeur par défaut (Box FAI)
137
	if [ `ip route list|grep -c ^default` -ne "1" ] ; then
137
	if [ `ip route list|grep -c ^default` -ne "1" ] ; then
138
		if [ $Lang == "fr" ]
138
		if [ $Lang == "fr" ]
139
		then 
139
		then 
140
			echo "Échec"
140
			echo "Échec"
141
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
141
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
142
			echo "Réglez ce problème puis relancez ce script."
142
			echo "Réglez ce problème puis relancez ce script."
143
		else
143
		else
144
			echo "Failed"
144
			echo "Failed"
145
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
145
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
146
			echo "Resolv this problem, then restart this script."
146
			echo "Resolv this problem, then restart this script."
147
		fi
147
		fi
148
		exit 0
148
		exit 0
149
	fi
149
	fi
150
	echo -n "."
150
	echo -n "."
151
# On traite le cas où l'interface configurée lors de l'installation est "eth1" au lieu de "eth0" (mystère sur certaines version de BIOS et de VirtualBox)
151
# On traite le cas où l'interface configurée lors de l'installation est "eth1" au lieu de "eth0" (mystère sur certaines version de BIOS et de VirtualBox)
152
	if [ `ip route list|grep ^default|grep -c eth1` -eq "1" ] ; then
152
	if [ `ip route list|grep ^default|grep -c eth1` -eq "1" ] ; then
153
		if [ $Lang == "fr" ]
153
		if [ $Lang == "fr" ]
154
			then echo "La configuration des cartes réseau va être corrigée."
154
			then echo "La configuration des cartes réseau va être corrigée."
155
			else echo "The Ethernet card configuration will be corrected."
155
			else echo "The Ethernet card configuration will be corrected."
156
		fi
156
		fi
157
		/etc/init.d/network stop
157
		/etc/init.d/network stop
158
		mv -f /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth0
158
		mv -f /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth0
159
		$SED "s?eth1?eth0?g" /etc/sysconfig/network-scripts/ifcfg-eth0
159
		$SED "s?eth1?eth0?g" /etc/sysconfig/network-scripts/ifcfg-eth0
160
		/etc/init.d/network start
160
		/etc/init.d/network start
161
		echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
161
		echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
162
		sleep 2
162
		sleep 2
163
		if [ $Lang == "fr" ]
163
		if [ $Lang == "fr" ]
164
			then echo "Configuration corrigée"
164
			then echo "Configuration corrigée"
165
			else echo "Configuration updated"
165
			else echo "Configuration updated"
166
		fi
166
		fi
167
		sleep 2
167
		sleep 2
168
		if [ $Lang == "fr" ]
168
		if [ $Lang == "fr" ]
169
			then echo "Vous pouvez relancer ce script."
169
			then echo "Vous pouvez relancer ce script."
170
			else echo "You can restart this script."
170
			else echo "You can restart this script."
171
		fi
171
		fi
172
		exit 0
172
		exit 0
173
	fi
173
	fi
174
	echo -n "."
174
	echo -n "."
175
# On test le lien vers le routeur par default
175
# On test le lien vers le routeur par default
176
	IP_GW=`ip route list|grep ^default|cut -d" " -f3`
176
	IP_GW=`ip route list|grep ^default|cut -d" " -f3`
177
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW|grep response|cut -d" " -f2`
177
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW|grep response|cut -d" " -f2`
178
	if [ $(expr $arp_reply) -eq 0 ]
178
	if [ $(expr $arp_reply) -eq 0 ]
179
	       	then
179
	       	then
180
		if [ $Lang == "fr" ]
180
		if [ $Lang == "fr" ]
181
		then 
181
		then 
182
			echo "Échec"
182
			echo "Échec"
183
			echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
183
			echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
184
			echo "Réglez ce problème puis relancez ce script."
184
			echo "Réglez ce problème puis relancez ce script."
185
		else
185
		else
186
			echo "Failed"
186
			echo "Failed"
187
			echo "The Internet gateway doesn't answered"
187
			echo "The Internet gateway doesn't answered"
188
			echo "Resolv this problem, then restart this script."
188
			echo "Resolv this problem, then restart this script."
189
		fi
189
		fi
190
		exit 0
190
		exit 0
191
	fi
191
	fi
192
	echo -n "."
192
	echo -n "."
193
# On teste la connectivité Internet
193
# On teste la connectivité Internet
194
	rm -rf /tmp/con_ok.html
194
	rm -rf /tmp/con_ok.html
195
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
195
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
196
	if [ ! -e /tmp/con_ok.html ]
196
	if [ ! -e /tmp/con_ok.html ]
197
	then
197
	then
198
		if [ $Lang == "fr" ]
198
		if [ $Lang == "fr" ]
199
		then 
199
		then 
200
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
200
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
201
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
201
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
202
			echo "Vérifiez la validité des adresses IP des DNS."
202
			echo "Vérifiez la validité des adresses IP des DNS."
203
		else
203
		else
204
			echo "The Internet connection try failed (google.fr)."
204
			echo "The Internet connection try failed (google.fr)."
205
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
205
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
206
			echo "Verify the DNS IP addresses"
206
			echo "Verify the DNS IP addresses"
207
		fi
207
		fi
208
		exit 0
208
		exit 0
209
	fi
209
	fi
210
	rm -rf /tmp/con_ok.html
210
	rm -rf /tmp/con_ok.html
211
	echo ". : ok"
211
	echo ". : ok"
212
} # end of testing
212
} # end of testing
213
 
213
 
214
##################################################################
214
##################################################################
215
##			Fonction INIT				##
215
##			Fonction INIT				##
216
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
216
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
217
## - Installation et modification des scripts du portail	##
217
## - Installation et modification des scripts du portail	##
218
##################################################################
218
##################################################################
219
init ()
219
init ()
220
{
220
{
221
	if [ "$mode" != "update" ]
221
	if [ "$mode" != "update" ]
222
	then
222
	then
223
# On affecte le nom d'organisme
223
# On affecte le nom d'organisme
224
		header_install
224
		header_install
225
		ORGANISME=!
225
		ORGANISME=!
226
		PTN='^[a-zA-Z0-9-]*$'
226
		PTN='^[a-zA-Z0-9-]*$'
227
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
227
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
228
                do
228
                do
229
			if [ $Lang == "fr" ]
229
			if [ $Lang == "fr" ]
230
			       	then echo -n "Entrez le nom de votre organisme : "
230
			       	then echo -n "Entrez le nom de votre organisme : "
231
				else echo -n "Enter the name of your organism : "
231
				else echo -n "Enter the name of your organism : "
232
			fi
232
			fi
233
			read ORGANISME
233
			read ORGANISME
234
			if [ "$ORGANISME" == "" ]
234
			if [ "$ORGANISME" == "" ]
235
				then
235
				then
236
				ORGANISME=!
236
				ORGANISME=!
237
			fi
237
			fi
238
		done
238
		done
239
	fi
239
	fi
240
# On crée aléatoirement les mots de passe et les secrets partagés
240
# On crée aléatoirement les mots de passe et les secrets partagés
241
	rm -f $PASSWD_FILE
241
	rm -f $PASSWD_FILE
242
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`	# mot de passe de protection du menu Grub
242
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`	# mot de passe de protection du menu Grub
243
	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
243
	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
244
	echo "$grubpwd" >> $PASSWD_FILE
244
	echo "$grubpwd" >> $PASSWD_FILE
245
	md5_grubpwd=`/usr/bin/md5pass $grubpwd`
245
	md5_grubpwd=`/usr/bin/md5pass $grubpwd`
246
	$SED "/^password.*/d" /boot/grub/menu.lst
246
	$SED "/^password.*/d" /boot/grub/menu.lst
247
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
247
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
248
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`	# mot de passe de l'administrateur Mysqld
248
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`	# mot de passe de l'administrateur Mysqld
249
	echo -n "Name and password of MYSQL administrator : " >> $PASSWD_FILE
249
	echo -n "Name and password of MYSQL administrator : " >> $PASSWD_FILE
250
	echo "root / $mysqlpwd" >> $PASSWD_FILE
250
	echo "root / $mysqlpwd" >> $PASSWD_FILE
251
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`	# mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
251
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`	# mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
252
	echo -n "Name and password of MYSQL user : " >> $PASSWD_FILE
252
	echo -n "Name and password of MYSQL user : " >> $PASSWD_FILE
253
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
253
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
254
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`	# secret partagé entre intercept.php et coova-chilli
254
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`	# secret partagé entre intercept.php et coova-chilli
255
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
255
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
256
	echo "$secretuam" >> $PASSWD_FILE
256
	echo "$secretuam" >> $PASSWD_FILE
257
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`	# secret partagé entre coova-chilli et FreeRadius
257
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`	# secret partagé entre coova-chilli et FreeRadius
258
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
258
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
259
	echo "$secretradius" >> $PASSWD_FILE
259
	echo "$secretradius" >> $PASSWD_FILE
260
	chmod 640 $PASSWD_FILE
260
	chmod 640 $PASSWD_FILE
261
# On installe les scripts et fichiers de configuration d'ALCASAR 
261
# On installe les scripts et fichiers de configuration d'ALCASAR 
262
#  - dans /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log-clean.sh,log-export.sh,watchdog.sh}
262
#  - dans /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
263
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
263
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
264
#  - dans /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
264
#  - dans /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
265
	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
265
	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
266
#  - des fichiers de conf dans /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,ethers,iptables-local.sh,services}
266
#  - des fichiers de conf dans /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,ethers,iptables-local.sh,services}
267
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
267
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
268
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
268
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
269
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
269
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
270
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
270
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
271
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
271
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
272
# generate central conf file
272
# generate central conf file
273
	cat <<EOF > $CONF_FILE
273
	cat <<EOF > $CONF_FILE
274
##########################################
274
##########################################
275
##                                      ##
275
##                                      ##
276
##          ALCASAR Parameters          ##
276
##          ALCASAR Parameters          ##
277
##                                      ##
277
##                                      ##
278
##########################################
278
##########################################
279
 
279
 
280
INSTALL_DATE=$DATE
280
INSTALL_DATE=$DATE
281
VERSION=$VERSION
281
VERSION=$VERSION
282
ORGANISM=$ORGANISME
282
ORGANISM=$ORGANISME
283
EOF
283
EOF
284
	chmod o-rwx $CONF_FILE
284
	chmod o-rwx $CONF_FILE
285
} # End of init ()
285
} # End of init ()
286
 
286
 
287
##################################################################
287
##################################################################
288
##			Fonction network			##
288
##			Fonction network			##
289
## - Définition du plan d'adressage du réseau de consultation	##
289
## - Définition du plan d'adressage du réseau de consultation	##
290
## - Nommage DNS du système 					##
290
## - Nommage DNS du système 					##
291
## - Configuration de l'interface eth1 (réseau de consultation)	##
291
## - Configuration de l'interface eth1 (réseau de consultation)	##
292
## - Modification du fichier /etc/hosts				##
292
## - Modification du fichier /etc/hosts				##
293
## - Configuration du serveur de temps (NTP)			##
293
## - Configuration du serveur de temps (NTP)			##
294
## - Renseignement des fichiers hosts.allow et hosts.deny	##
294
## - Renseignement des fichiers hosts.allow et hosts.deny	##
295
##################################################################
295
##################################################################
296
network ()
296
network ()
297
{
297
{
298
	header_install
298
	header_install
299
	if [ "$mode" != "update" ]
299
	if [ "$mode" != "update" ]
300
		then
300
		then
301
		if [ $Lang == "fr" ]
301
		if [ $Lang == "fr" ]
302
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
302
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
303
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
303
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
304
		fi
304
		fi
305
		response=0
305
		response=0
306
		PTN='^[oOyYnN]$'
306
		PTN='^[oOyYnN]$'
307
		until [[ $(expr $response : $PTN) -gt 0 ]]
307
		until [[ $(expr $response : $PTN) -gt 0 ]]
308
		do
308
		do
309
			if [ $Lang == "fr" ]
309
			if [ $Lang == "fr" ]
310
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
310
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
311
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
311
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
312
			fi
312
			fi
313
			read response
313
			read response
314
		done
314
		done
315
		if [ "$response" = "n" ] || [ "$response" = "N" ]
315
		if [ "$response" = "n" ] || [ "$response" = "N" ]
316
		then
316
		then
317
			PRIVATE_IP_MASK="0"
317
			PRIVATE_IP_MASK="0"
318
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
318
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
319
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
319
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
320
			do
320
			do
321
				if [ $Lang == "fr" ]
321
				if [ $Lang == "fr" ]
322
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
322
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
323
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
323
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
324
				fi
324
				fi
325
				read PRIVATE_IP_MASK
325
				read PRIVATE_IP_MASK
326
			done
326
			done
327
		else
327
		else
328
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
328
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
329
		fi
329
		fi
330
	else
330
	else
331
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
331
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
332
		rm -rf conf/etc/alcasar.conf
332
		rm -rf conf/etc/alcasar.conf
333
	fi
333
	fi
334
# Define LAN side global parameters
334
# Define LAN side global parameters
335
	hostname $HOSTNAME
335
	hostname $HOSTNAME
336
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`			# private network address (ie.: 192.168.182.0)
336
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`			# private network address (ie.: 192.168.182.0)
337
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`			# private network mask (ie.: 255.255.255.0)
337
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`			# private network mask (ie.: 255.255.255.0)
338
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`					# ALCASAR private ip address (consultation LAN side)
338
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`					# ALCASAR private ip address (consultation LAN side)
339
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`				# network prefix (ie. 24)
339
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`				# network prefix (ie. 24)
340
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX					# ie.: 192.168.182.0/24
340
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX					# ie.: 192.168.182.0/24
341
	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2`		# ie.: 2=classe B, 3=classe C
341
	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2`		# ie.: 2=classe B, 3=classe C
342
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.			# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
342
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.			# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
343
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`		# private network broadcast (ie.: 192.168.182.255)
343
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`		# private network broadcast (ie.: 192.168.182.255)
344
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup`		# last octet of LAN address
344
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup`		# last octet of LAN address
345
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup`		# last octet of LAN broadcast
345
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup`		# last octet of LAN broadcast
346
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`		# First network address (ex.: 192.168.182.1)
346
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`		# First network address (ex.: 192.168.182.1)
347
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
347
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
348
 
348
 
349
# Predefine DHCP parameters (LAN side)
-
 
350
	tmp_mask=`echo $PRIVATE_NETWORK_MASK|cut -d"/" -f2`; half_mask=`expr $tmp_mask + 1`	# masque du 1/2 réseau de consultation (ex.: 25)
-
 
351
	PRIVATE_STAT_IP=$PRIVATE_NETWORK/$half_mask						# plage des adresses statiques (ex.: 192.168.182.0/25)
-
 
352
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup`		# dernier octet de l'@ de réseau
-
 
353
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup`		# dernier octet de l'@ de broadcast
-
 
354
	private_plage=`expr $private_broadcast_ending - $private_network_ending + 1`
-
 
355
	private_half_plage=`expr $private_plage / 2`
-
 
356
	private_dyn=`expr $private_half_plage + $private_network_ending`
-
 
357
	private_dyn_ip_network=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`"."$private_dyn"."`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup_sup-5`
-
 
358
	PRIVATE_DYN_IP=`echo $private_dyn_ip_network | cut -d"." -f1-4`/$half_mask					# @ réseau (CIDR) de la plage des adresses dynamiques (ex.: 192.168.182.128/25)
-
 
359
	private_dyn_ip_ending=`echo $private_dyn_ip_network | cut -d"." -f4`
-
 
360
	PRIVATE_DYN_FIRST_IP=`echo $private_dyn_ip_network | cut -d"." -f1-3`"."`expr $private_dyn_ip_ending + 1`	# 1ère adresse de la plage dynamique (ex.: 192.168.182.129)
-
 
361
	PRIVATE_DYN_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`		# dernière adresse de la plage dynamique (ex.: 192.168.182.254)
-
 
362
 
-
 
363
# Define Internet parameters
349
# Define Internet parameters
364
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
350
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
365
	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` 	# @ip 1er DNS
351
	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` 	# @ip 1er DNS
366
	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` 	# @ip 2ème DNS
352
	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` 	# @ip 2ème DNS
367
	DNS1=${DNS1:=208.67.220.220}
353
	DNS1=${DNS1:=208.67.220.220}
368
	DNS2=${DNS2:=208.67.222.222}
354
	DNS2=${DNS2:=208.67.222.222}
369
	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2`
355
	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2`
370
	DEFAULT_PUBLIC_NETMASK=`ipcalc -m 192.168.182.2 | cut -d"=" -f2`
356
	DEFAULT_PUBLIC_NETMASK=`ipcalc -m 192.168.182.2 | cut -d"=" -f2`
371
	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
357
	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
372
	PUBLIC_PREFIX=`/bin/ipcalc -p 192.168.182.2 $PUBLIC_NETMASK|cut -d"=" -f2`
358
	PUBLIC_PREFIX=`/bin/ipcalc -p 192.168.182.2 $PUBLIC_NETMASK|cut -d"=" -f2`
373
 
359
 
374
	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
360
	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
375
	echo "PUBLIC_MTU=1500" >> $CONF_FILE
361
	echo "PUBLIC_MTU=1500" >> $CONF_FILE
376
	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE 
362
	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE 
377
	echo "DNS1=$DNS1" >> $CONF_FILE
363
	echo "DNS1=$DNS1" >> $CONF_FILE
378
	echo "DNS2=$DNS2" >> $CONF_FILE
364
	echo "DNS2=$DNS2" >> $CONF_FILE
379
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
365
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
380
	echo "DHCP=half" >> $CONF_FILE
366
	echo "DHCP=half" >> $CONF_FILE
381
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
367
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
382
# config network
368
# config network
383
	cat <<EOF > /etc/sysconfig/network
369
	cat <<EOF > /etc/sysconfig/network
384
NETWORKING=yes
370
NETWORKING=yes
385
HOSTNAME="$HOSTNAME"
371
HOSTNAME="$HOSTNAME"
386
FORWARD_IPV4=true
372
FORWARD_IPV4=true
387
EOF
373
EOF
388
# config /etc/hosts
374
# config /etc/hosts
389
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
375
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
390
	cat <<EOF > /etc/hosts
376
	cat <<EOF > /etc/hosts
391
127.0.0.1	localhost
377
127.0.0.1	localhost
392
$PRIVATE_IP	$HOSTNAME 
378
$PRIVATE_IP	$HOSTNAME 
393
EOF
379
EOF
394
# Config eth0 (Internet)
380
# Config eth0 (Internet)
395
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
381
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
396
DEVICE=$EXTIF
382
DEVICE=$EXTIF
397
BOOTPROTO=static
383
BOOTPROTO=static
398
IPADDR=$PUBLIC_IP
384
IPADDR=$PUBLIC_IP
399
NETMASK=$PUBLIC_NETMASK
385
NETMASK=$PUBLIC_NETMASK
400
GATEWAY=$PUBLIC_GATEWAY
386
GATEWAY=$PUBLIC_GATEWAY
401
DNS1=127.0.0.1
387
DNS1=127.0.0.1
402
ONBOOT=yes
388
ONBOOT=yes
403
METRIC=10
389
METRIC=10
404
NOZEROCONF=yes
390
NOZEROCONF=yes
405
MII_NOT_SUPPORTED=yes
391
MII_NOT_SUPPORTED=yes
406
IPV6INIT=no
392
IPV6INIT=no
407
IPV6TO4INIT=no
393
IPV6TO4INIT=no
408
ACCOUNTING=no
394
ACCOUNTING=no
409
USERCTL=no
395
USERCTL=no
410
EOF
396
EOF
411
# Config eth1 (consultation LAN) in normal mode
397
# Config eth1 (consultation LAN) in normal mode
412
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
398
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
413
DEVICE=$INTIF
399
DEVICE=$INTIF
414
BOOTPROTO=static
400
BOOTPROTO=static
415
ONBOOT=yes
401
ONBOOT=yes
416
NOZEROCONF=yes
402
NOZEROCONF=yes
417
MII_NOT_SUPPORTED=yes
403
MII_NOT_SUPPORTED=yes
418
IPV6INIT=no
404
IPV6INIT=no
419
IPV6TO4INIT=no
405
IPV6TO4INIT=no
420
ACCOUNTING=no
406
ACCOUNTING=no
421
USERCTL=no
407
USERCTL=no
422
EOF
408
EOF
423
# Config of eth1 in bypass mode (see "alcasar-bypass.sh")
409
# Config of eth1 in bypass mode (see "alcasar-bypass.sh")
424
	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
410
	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
425
DEVICE=$INTIF
411
DEVICE=$INTIF
426
BOOTPROTO=static
412
BOOTPROTO=static
427
IPADDR=$PRIVATE_IP
413
IPADDR=$PRIVATE_IP
428
NETMASK=$PRIVATE_NETMASK
414
NETMASK=$PRIVATE_NETMASK
429
ONBOOT=yes
415
ONBOOT=yes
430
METRIC=10
416
METRIC=10
431
NOZEROCONF=yes
417
NOZEROCONF=yes
432
MII_NOT_SUPPORTED=yes
418
MII_NOT_SUPPORTED=yes
433
IPV6INIT=no
419
IPV6INIT=no
434
IPV6TO4INIT=no
420
IPV6TO4INIT=no
435
ACCOUNTING=no
421
ACCOUNTING=no
436
USERCTL=no
422
USERCTL=no
437
EOF
423
EOF
438
# Mise à l'heure du serveur
424
# Mise à l'heure du serveur
439
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
425
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
440
	cat <<EOF > /etc/ntp/step-tickers
426
	cat <<EOF > /etc/ntp/step-tickers
441
0.fr.pool.ntp.org	# adapt to your country
427
0.fr.pool.ntp.org	# adapt to your country
442
1.fr.pool.ntp.org
428
1.fr.pool.ntp.org
443
2.fr.pool.ntp.org
429
2.fr.pool.ntp.org
444
EOF
430
EOF
445
# Configuration du serveur de temps (sur lui même)
431
# Configuration du serveur de temps (sur lui même)
446
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
432
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
447
	cat <<EOF > /etc/ntp.conf
433
	cat <<EOF > /etc/ntp.conf
448
server 0.fr.pool.ntp.org	# adapt to your country
434
server 0.fr.pool.ntp.org	# adapt to your country
449
server 1.fr.pool.ntp.org
435
server 1.fr.pool.ntp.org
450
server 2.fr.pool.ntp.org
436
server 2.fr.pool.ntp.org
451
server 127.127.1.0   		# local clock si NTP internet indisponible ...
437
server 127.127.1.0   		# local clock si NTP internet indisponible ...
452
fudge 127.127.1.0 stratum 10
438
fudge 127.127.1.0 stratum 10
453
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
439
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
454
restrict 127.0.0.1
440
restrict 127.0.0.1
455
driftfile /var/lib/ntp/drift
441
driftfile /var/lib/ntp/drift
456
logfile /var/log/ntp.log
442
logfile /var/log/ntp.log
457
EOF
443
EOF
458
 
444
 
459
	chown -R ntp:ntp /var/lib/ntp
445
	chown -R ntp:ntp /var/lib/ntp
460
# Renseignement des fichiers hosts.allow et hosts.deny
446
# Renseignement des fichiers hosts.allow et hosts.deny
461
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
447
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
462
	cat <<EOF > /etc/hosts.allow
448
	cat <<EOF > /etc/hosts.allow
463
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
449
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
464
sshd: ALL
450
sshd: ALL
465
ntpd: $PRIVATE_NETWORK_SHORT
451
ntpd: $PRIVATE_NETWORK_SHORT
466
EOF
452
EOF
467
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
453
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
468
	cat <<EOF > /etc/hosts.deny
454
	cat <<EOF > /etc/hosts.deny
469
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
455
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
470
EOF
456
EOF
471
# Firewall config
457
# Firewall config
472
	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh
458
	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh
473
	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh
459
	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh
474
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
460
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
475
# create the filter exception file and ip_bloqued file
461
# create the filter exception file and ip_bloqued file
476
	touch $DIR_DEST_ETC/alcasar-filter-exceptions
462
	touch $DIR_DEST_ETC/alcasar-filter-exceptions
477
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
463
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
478
	echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
464
	echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
479
# load conntrack ftp module
465
# load conntrack ftp module
480
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
466
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
481
	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload
467
	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload
482
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
468
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
483
} # End of network ()
469
} # End of network ()
484
 
470
 
485
##################################################################
471
##################################################################
486
##			Fonction gestion			##
472
##			Fonction gestion			##
487
## - installation du centre de gestion				##
473
## - installation du centre de gestion				##
488
## - configuration du serveur web (Apache)			##
474
## - configuration du serveur web (Apache)			##
489
## - définition du 1er comptes de gestion 			##
475
## - définition du 1er comptes de gestion 			##
490
## - sécurisation des accès					##
476
## - sécurisation des accès					##
491
##################################################################
477
##################################################################
492
gestion()
478
gestion()
493
{
479
{
494
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
480
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
495
	mkdir $DIR_WEB
481
	mkdir $DIR_WEB
496
# Copie et configuration des fichiers du centre de gestion
482
# Copie et configuration des fichiers du centre de gestion
497
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
483
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
498
	echo "$VERSION du $DATE" > $DIR_WEB/VERSION
484
	echo "$VERSION du $DATE" > $DIR_WEB/VERSION
499
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
485
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
500
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
486
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
501
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
487
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
502
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
488
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
503
	$SED "s?\$hostname =.*?\$hostname = \"$HOSTNAME\";?g" $DIR_WEB/index.php
489
	$SED "s?\$hostname =.*?\$hostname = \"$HOSTNAME\";?g" $DIR_WEB/index.php
504
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
490
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
505
	chown -R apache:apache $DIR_WEB/*
491
	chown -R apache:apache $DIR_WEB/*
506
	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
492
	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
507
	do
493
	do
508
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
494
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
509
	done
495
	done
510
	chown -R root:apache $DIR_SAVE
496
	chown -R root:apache $DIR_SAVE
511
# Configuration et sécurisation php
497
# Configuration et sécurisation php
512
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
498
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
513
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
499
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
514
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
500
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
515
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
501
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
516
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
502
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
517
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
503
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
518
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
504
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
519
# Configuration et sécurisation Apache
505
# Configuration et sécurisation Apache
520
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
506
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
521
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
507
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
522
	$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf
508
	$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf
523
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
509
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
524
	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
510
	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
525
	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
511
	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
526
	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
512
	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
527
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
513
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
528
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
514
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
529
	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
515
	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
530
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
516
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
531
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
517
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
532
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
518
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
533
	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
519
	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
534
	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
520
	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
535
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
521
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
536
	[ -e /var/www/error/include/bottom.html.default ] || mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
522
	[ -e /var/www/error/include/bottom.html.default ] || mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
537
	cat <<EOF > /var/www/error/include/bottom.html
523
	cat <<EOF > /var/www/error/include/bottom.html
538
</body>
524
</body>
539
</html>
525
</html>
540
EOF
526
EOF
541
# Définition du premier compte lié au profil 'admin'
527
# Définition du premier compte lié au profil 'admin'
542
	header_install
528
	header_install
543
	if [ "$mode" = "install" ]
529
	if [ "$mode" = "install" ]
544
	then
530
	then
545
		admin_portal=!
531
		admin_portal=!
546
		PTN='^[a-zA-Z0-9-]*$'
532
		PTN='^[a-zA-Z0-9-]*$'
547
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
533
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
548
                	do
534
                	do
549
			header_install
535
			header_install
550
			if [ $Lang == "fr" ]
536
			if [ $Lang == "fr" ]
551
			then 
537
			then 
552
				echo ""
538
				echo ""
553
				echo "Définissez un premier compte d'administration du portail :"
539
				echo "Définissez un premier compte d'administration du portail :"
554
				echo
540
				echo
555
				echo -n "Nom : "
541
				echo -n "Nom : "
556
			else
542
			else
557
				echo ""
543
				echo ""
558
				echo "Define the first account allow to administrate the portal :"
544
				echo "Define the first account allow to administrate the portal :"
559
				echo
545
				echo
560
				echo -n "Account : "
546
				echo -n "Account : "
561
			fi
547
			fi
562
			read admin_portal
548
			read admin_portal
563
			if [ "$admin_portal" == "" ]
549
			if [ "$admin_portal" == "" ]
564
				then
550
				then
565
				admin_portal=!
551
				admin_portal=!
566
			fi
552
			fi
567
			done
553
			done
568
# Création du fichier de clés de ce compte dans le profil "admin"
554
# Création du fichier de clés de ce compte dans le profil "admin"
569
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
555
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
570
		mkdir -p $DIR_DEST_ETC/digest
556
		mkdir -p $DIR_DEST_ETC/digest
571
		chmod 755 $DIR_DEST_ETC/digest
557
		chmod 755 $DIR_DEST_ETC/digest
572
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
558
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
573
			do
559
			do
574
				/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
560
				/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
575
			done
561
			done
576
		$DIR_DEST_SBIN/alcasar-profil.sh --list
562
		$DIR_DEST_SBIN/alcasar-profil.sh --list
577
	else   # mise à jour des versions < 2.1
563
	else   # mise à jour des versions < 2.1
578
		if ([ $MAJ_RUNNING_VERSION -lt 2 ] || ([ $MAJ_RUNNING_VERSION -eq 2 ] && [ $MIN_RUNNING_VERSION -lt 1 ]))
564
		if ([ $MAJ_RUNNING_VERSION -lt 2 ] || ([ $MAJ_RUNNING_VERSION -eq 2 ] && [ $MIN_RUNNING_VERSION -lt 1 ]))
579
			then
565
			then
580
			if [ $Lang == "fr" ]
566
			if [ $Lang == "fr" ]
581
			then 
567
			then 
582
				echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
568
				echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
583
				echo
569
				echo
584
				echo -n "Nom : "
570
				echo -n "Nom : "
585
			else
571
			else
586
				echo "This update need to redefine the first admin account"
572
				echo "This update need to redefine the first admin account"
587
				echo
573
				echo
588
				echo -n "Account : "
574
				echo -n "Account : "
589
			fi
575
			fi
590
			read admin_portal
576
			read admin_portal
591
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
577
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
592
			mkdir -p $DIR_DEST_ETC/digest
578
			mkdir -p $DIR_DEST_ETC/digest
593
			chmod 755 $DIR_DEST_ETC/digest
579
			chmod 755 $DIR_DEST_ETC/digest
594
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
580
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
595
			do
581
			do
596
				/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
582
				/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
597
			done
583
			done
598
			$DIR_DEST_SBIN/alcasar-profil.sh --list
584
			$DIR_DEST_SBIN/alcasar-profil.sh --list
599
		fi
585
		fi
600
	fi
586
	fi
601
# synchronisation horaire
587
# synchronisation horaire
602
	ntpd -q -g &
588
	ntpd -q -g &
603
# Sécurisation du centre
589
# Sécurisation du centre
604
	rm -f /etc/httpd/conf/webapps.d/*
590
	rm -f /etc/httpd/conf/webapps.d/*
605
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
591
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
606
<Directory $DIR_ACC>
592
<Directory $DIR_ACC>
607
	SSLRequireSSL
593
	SSLRequireSSL
608
	AllowOverride None
594
	AllowOverride None
609
	Order deny,allow
595
	Order deny,allow
610
	Deny from all
596
	Deny from all
611
	Allow from 127.0.0.1
597
	Allow from 127.0.0.1
612
	Allow from $PRIVATE_NETWORK_MASK
598
	Allow from $PRIVATE_NETWORK_MASK
613
	require valid-user
599
	require valid-user
614
	AuthType digest
600
	AuthType digest
615
	AuthName $HOSTNAME
601
	AuthName $HOSTNAME
616
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
602
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
617
	AuthUserFile $DIR_DEST_ETC/digest/key_all
603
	AuthUserFile $DIR_DEST_ETC/digest/key_all
618
	ErrorDocument 404 https://$HOSTNAME/
604
	ErrorDocument 404 https://$HOSTNAME/
619
</Directory>
605
</Directory>
620
<Directory $DIR_ACC/admin>
606
<Directory $DIR_ACC/admin>
621
	SSLRequireSSL
607
	SSLRequireSSL
622
	AllowOverride None
608
	AllowOverride None
623
	Order deny,allow
609
	Order deny,allow
624
	Deny from all
610
	Deny from all
625
	Allow from 127.0.0.1
611
	Allow from 127.0.0.1
626
	Allow from $PRIVATE_NETWORK_MASK
612
	Allow from $PRIVATE_NETWORK_MASK
627
	require valid-user
613
	require valid-user
628
	AuthType digest
614
	AuthType digest
629
	AuthName $HOSTNAME
615
	AuthName $HOSTNAME
630
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
616
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
631
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
617
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
632
	ErrorDocument 404 https://$HOSTNAME/
618
	ErrorDocument 404 https://$HOSTNAME/
633
</Directory>
619
</Directory>
634
<Directory $DIR_ACC/manager>
620
<Directory $DIR_ACC/manager>
635
	SSLRequireSSL
621
	SSLRequireSSL
636
	AllowOverride None
622
	AllowOverride None
637
	Order deny,allow
623
	Order deny,allow
638
	Deny from all
624
	Deny from all
639
	Allow from 127.0.0.1
625
	Allow from 127.0.0.1
640
	Allow from $PRIVATE_NETWORK_MASK
626
	Allow from $PRIVATE_NETWORK_MASK
641
	require valid-user
627
	require valid-user
642
	AuthType digest
628
	AuthType digest
643
	AuthName $HOSTNAME
629
	AuthName $HOSTNAME
644
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
630
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
645
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
631
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
646
	ErrorDocument 404 https://$HOSTNAME/
632
	ErrorDocument 404 https://$HOSTNAME/
647
</Directory>
633
</Directory>
648
<Directory $DIR_ACC/backup>
634
<Directory $DIR_ACC/backup>
649
	SSLRequireSSL
635
	SSLRequireSSL
650
	AllowOverride None
636
	AllowOverride None
651
	Order deny,allow
637
	Order deny,allow
652
	Deny from all
638
	Deny from all
653
	Allow from 127.0.0.1
639
	Allow from 127.0.0.1
654
	Allow from $PRIVATE_NETWORK_MASK
640
	Allow from $PRIVATE_NETWORK_MASK
655
	require valid-user
641
	require valid-user
656
	AuthType digest
642
	AuthType digest
657
	AuthName $HOSTNAME
643
	AuthName $HOSTNAME
658
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
644
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
659
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
645
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
660
	ErrorDocument 404 https://$HOSTNAME/
646
	ErrorDocument 404 https://$HOSTNAME/
661
</Directory>
647
</Directory>
662
Alias /save/ "$DIR_SAVE/"
648
Alias /save/ "$DIR_SAVE/"
663
<Directory $DIR_SAVE>
649
<Directory $DIR_SAVE>
664
	SSLRequireSSL
650
	SSLRequireSSL
665
	Options Indexes
651
	Options Indexes
666
	Order deny,allow
652
	Order deny,allow
667
	Deny from all
653
	Deny from all
668
	Allow from 127.0.0.1
654
	Allow from 127.0.0.1
669
	Allow from $PRIVATE_NETWORK_MASK
655
	Allow from $PRIVATE_NETWORK_MASK
670
	require valid-user
656
	require valid-user
671
	AuthType digest
657
	AuthType digest
672
	AuthName $HOSTNAME
658
	AuthName $HOSTNAME
673
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
659
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
674
	ErrorDocument 404 https://$HOSTNAME/
660
	ErrorDocument 404 https://$HOSTNAME/
675
</Directory>
661
</Directory>
676
EOF
662
EOF
677
} # End of gestion ()
663
} # End of gestion ()
678
 
664
 
679
##########################################################################################
665
##########################################################################################
680
##				Fonction AC()						##
666
##				Fonction AC()						##
681
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
667
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
682
##########################################################################################
668
##########################################################################################
683
AC ()
669
AC ()
684
{
670
{
685
	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
671
	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
686
	$DIR_DEST_BIN/alcasar-CA.sh
672
	$DIR_DEST_BIN/alcasar-CA.sh
687
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
673
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
688
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
674
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
689
	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
675
	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
690
	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
676
	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
691
	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
677
	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
692
	chown -R root:apache /etc/pki
678
	chown -R root:apache /etc/pki
693
	chmod -R 750 /etc/pki
679
	chmod -R 750 /etc/pki
694
} # End AC ()
680
} # End AC ()
695
 
681
 
696
##########################################################################################
682
##########################################################################################
697
##			Fonction init_db()						##
683
##			Fonction init_db()						##
698
## - Initialisation de la base Mysql							##
684
## - Initialisation de la base Mysql							##
699
## - Affectation du mot de passe de l'administrateur (root)				##
685
## - Affectation du mot de passe de l'administrateur (root)				##
700
## - Suppression des bases et des utilisateurs superflus				##
686
## - Suppression des bases et des utilisateurs superflus				##
701
## - Création de la base 'radius'							##
687
## - Création de la base 'radius'							##
702
## - Installation du schéma de cette base						##
688
## - Installation du schéma de cette base						##
703
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
689
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
704
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
690
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
705
##########################################################################################
691
##########################################################################################
706
init_db ()
692
init_db ()
707
{
693
{
708
	mkdir -p /var/lib/mysql/.tmp
694
	mkdir -p /var/lib/mysql/.tmp
709
	chown mysql:mysql /var/lib/mysql/.tmp
695
	chown mysql:mysql /var/lib/mysql/.tmp
710
	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf		# prend en compte les migrations de MySQL
696
	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf		# prend en compte les migrations de MySQL
711
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
697
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
712
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
698
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
713
	/etc/init.d/mysqld start
699
	/etc/init.d/mysqld start
714
	sleep 4
700
	sleep 4
715
	mysqladmin -u root password $mysqlpwd
701
	mysqladmin -u root password $mysqlpwd
716
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
702
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
717
# Delete exemple databases if exist
703
# Delete exemple databases if exist
718
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;" 
704
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;" 
719
# Create 'radius' database
705
# Create 'radius' database
720
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
706
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
721
# Add an empty radius database structure
707
# Add an empty radius database structure
722
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
708
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
723
# modify the start script in order to close accounting connexion when the system is comming down or up
709
# modify the start script in order to close accounting connexion when the system is comming down or up
724
	[ -e /etc/init.d/mysqld.default ] || cp /etc/init.d/mysqld /etc/init.d/mysqld.default
710
	[ -e /etc/init.d/mysqld.default ] || cp /etc/init.d/mysqld /etc/init.d/mysqld.default
725
	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
711
	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
726
	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
712
	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
727
} # End init_db ()
713
} # End init_db ()
728
 
714
 
729
##########################################################################
715
##########################################################################
730
##			Fonction param_radius				##
716
##			Fonction param_radius				##
731
## - Paramètrage des fichiers de configuration FreeRadius		##
717
## - Paramètrage des fichiers de configuration FreeRadius		##
732
## - Affectation du secret partagé entre coova-chilli et freeradius	##
718
## - Affectation du secret partagé entre coova-chilli et freeradius	##
733
## - Modification de fichier de conf pour l'accès à Mysql		##
719
## - Modification de fichier de conf pour l'accès à Mysql		##
734
##########################################################################
720
##########################################################################
735
param_radius ()
721
param_radius ()
736
{
722
{
737
	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
723
	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
738
	chown -R radius:radius /etc/raddb
724
	chown -R radius:radius /etc/raddb
739
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
725
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
740
# paramètrage radius.conf
726
# paramètrage radius.conf
741
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
727
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
742
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
728
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
743
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
729
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
744
# suppression de la fonction proxy
730
# suppression de la fonction proxy
745
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
731
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
746
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
732
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
747
# suppression du module EAP
733
# suppression du module EAP
748
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
734
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
749
# écoute sur loopback uniquement (à modifier plus tard pour l'EAP)
735
# écoute sur loopback uniquement (à modifier plus tard pour l'EAP)
750
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
736
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
751
# prise en compte du module SQL et des compteurs SQL
737
# prise en compte du module SQL et des compteurs SQL
752
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
738
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
753
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
739
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
754
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
740
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
755
# purge du répertoire des serveurs virtuels et copie du fichier de configuration d'Alcasar
741
# purge du répertoire des serveurs virtuels et copie du fichier de configuration d'Alcasar
756
	rm -f /etc/raddb/sites-enabled/*
742
	rm -f /etc/raddb/sites-enabled/*
757
       	cp $DIR_CONF/alcasar-radius /etc/raddb/sites-available/alcasar
743
       	cp $DIR_CONF/alcasar-radius /etc/raddb/sites-available/alcasar
758
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
744
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
759
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
745
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
760
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
746
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
761
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
747
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
762
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
748
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
763
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
749
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
764
# configuration du fichier client.conf (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
750
# configuration du fichier client.conf (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
765
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
751
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
766
	cat << EOF > /etc/raddb/clients.conf
752
	cat << EOF > /etc/raddb/clients.conf
767
client 127.0.0.1 {
753
client 127.0.0.1 {
768
	secret = $secretradius
754
	secret = $secretradius
769
	shortname = localhost
755
	shortname = localhost
770
}
756
}
771
EOF
757
EOF
772
# modif sql.conf
758
# modif sql.conf
773
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
759
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
774
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
760
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
775
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
761
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
776
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
762
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
777
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
763
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
778
# modif dialup.conf
764
# modif dialup.conf
779
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
765
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
780
	cp -f $DIR_CONF/dialup.conf /etc/raddb/sql/mysql/dialup.conf
766
	cp -f $DIR_CONF/dialup.conf /etc/raddb/sql/mysql/dialup.conf
781
} # End param_radius ()
767
} # End param_radius ()
782
 
768
 
783
##########################################################################
769
##########################################################################
784
##			Fonction param_web_radius			##
770
##			Fonction param_web_radius			##
785
## - Import, modification et paramètrage de l'interface "dialupadmin"	##
771
## - Import, modification et paramètrage de l'interface "dialupadmin"	##
786
## - Création du lien vers la page de changement de mot de passe        ##
772
## - Création du lien vers la page de changement de mot de passe        ##
787
##########################################################################
773
##########################################################################
788
param_web_radius ()
774
param_web_radius ()
789
{
775
{
790
# copie de l'interface d'origine dans la structure Alcasar
776
# copie de l'interface d'origine dans la structure Alcasar
791
	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
777
	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
792
	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 
778
	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 
793
	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
779
	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
794
# copie des fichiers modifiés
780
# copie des fichiers modifiés
795
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
781
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
796
	chown -R apache:apache $DIR_ACC/manager/
782
	chown -R apache:apache $DIR_ACC/manager/
797
# Modification des fichiers de configuration
783
# Modification des fichiers de configuration
798
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
784
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
799
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
785
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
800
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
786
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
801
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
787
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
802
	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
788
	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
803
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
789
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
804
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
790
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
805
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
791
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
806
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
792
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
807
	$SED "s?^general_charset.*?general_charset: utf8?g" /etc/freeradius-web/admin.conf
793
	$SED "s?^general_charset.*?general_charset: utf8?g" /etc/freeradius-web/admin.conf
808
	[ -e /etc/freeradius-web/config.php.default ] || cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
794
	[ -e /etc/freeradius-web/config.php.default ] || cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
809
	cp -f $DIR_CONF/freeradiusweb-config.php /etc/freeradius-web/config.php
795
	cp -f $DIR_CONF/freeradiusweb-config.php /etc/freeradius-web/config.php
810
	cat <<EOF > /etc/freeradius-web/naslist.conf
796
	cat <<EOF > /etc/freeradius-web/naslist.conf
811
nas1_name: alcasar-$ORGANISME
797
nas1_name: alcasar-$ORGANISME
812
nas1_model: Portail captif
798
nas1_model: Portail captif
813
nas1_ip: $PRIVATE_IP
799
nas1_ip: $PRIVATE_IP
814
nas1_port_num: 0
800
nas1_port_num: 0
815
nas1_community: public
801
nas1_community: public
816
EOF
802
EOF
817
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
803
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
818
	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
804
	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
819
	cp -f $DIR_CONF/user_edit.attrs /etc/freeradius-web/user_edit.attrs
805
	cp -f $DIR_CONF/user_edit.attrs /etc/freeradius-web/user_edit.attrs
820
# Ajout du mappage des attributs chillispot
806
# Ajout du mappage des attributs chillispot
821
	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
807
	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
822
	cp -f $DIR_CONF/sql.attrmap /etc/freeradius-web/sql.attrmap
808
	cp -f $DIR_CONF/sql.attrmap /etc/freeradius-web/sql.attrmap
823
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
809
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
824
	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/user_edit.attrs.default
810
	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/user_edit.attrs.default
825
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
811
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
826
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
812
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
827
	chown -R apache:apache /etc/freeradius-web
813
	chown -R apache:apache /etc/freeradius-web
828
# Ajout de l'alias vers la page de "changement de mot de passe usager"
814
# Ajout de l'alias vers la page de "changement de mot de passe usager"
829
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
815
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
830
<Directory $DIR_WEB/pass>
816
<Directory $DIR_WEB/pass>
831
	SSLRequireSSL
817
	SSLRequireSSL
832
	AllowOverride None
818
	AllowOverride None
833
	Order deny,allow
819
	Order deny,allow
834
	Deny from all
820
	Deny from all
835
	Allow from 127.0.0.1
821
	Allow from 127.0.0.1
836
	Allow from $PRIVATE_NETWORK_MASK
822
	Allow from $PRIVATE_NETWORK_MASK
837
	ErrorDocument 404 https://$HOSTNAME
823
	ErrorDocument 404 https://$HOSTNAME
838
</Directory>
824
</Directory>
839
EOF
825
EOF
840
} # End of param_web_radius ()
826
} # End of param_web_radius ()
841
 
827
 
842
##################################################################################
828
##################################################################################
843
##			Fonction param_chilli					##
829
##			Fonction param_chilli					##
844
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
830
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
845
## - Paramètrage de la page d'authentification (intercept.php)			##
831
## - Paramètrage de la page d'authentification (intercept.php)			##
846
##################################################################################
832
##################################################################################
847
param_chilli ()
833
param_chilli ()
848
{
834
{
849
# init file creation
835
# init file creation
850
	[ -e /etc/init.d/chilli.default ] || cp /etc/init.d/chilli /etc/init.d/chilli.default
836
	[ -e /etc/init.d/chilli.default ] || cp /etc/init.d/chilli /etc/init.d/chilli.default
851
	cat <<EOF > /etc/init.d/chilli
837
	cat <<EOF > /etc/init.d/chilli
852
#!/bin/sh
838
#!/bin/sh
853
#
839
#
854
# chilli CoovaChilli init
840
# chilli CoovaChilli init
855
#
841
#
856
# chkconfig: 2345 65 35
842
# chkconfig: 2345 65 35
857
# description: CoovaChilli
843
# description: CoovaChilli
858
### BEGIN INIT INFO
844
### BEGIN INIT INFO
859
# Provides:       chilli
845
# Provides:       chilli
860
# Required-Start: network 
846
# Required-Start: network 
861
# Should-Start: 
847
# Should-Start: 
862
# Required-Stop:  network
848
# Required-Stop:  network
863
# Should-Stop: 
849
# Should-Stop: 
864
# Default-Start:  2 3 5
850
# Default-Start:  2 3 5
865
# Default-Stop:
851
# Default-Stop:
866
# Description:    CoovaChilli access controller
852
# Description:    CoovaChilli access controller
867
### END INIT INFO
853
### END INIT INFO
868
 
854
 
869
[ -f /usr/sbin/chilli ] || exit 0
855
[ -f /usr/sbin/chilli ] || exit 0
870
. /etc/init.d/functions
856
. /etc/init.d/functions
871
CONFIG=/etc/chilli.conf
857
CONFIG=/etc/chilli.conf
872
pidfile=/var/run/chilli.pid
858
pidfile=/var/run/chilli.pid
873
[ -f \$CONFIG ] || {
859
[ -f \$CONFIG ] || {
874
    echo "\$CONFIG Not found"
860
    echo "\$CONFIG Not found"
875
    exit 0
861
    exit 0
876
}
862
}
877
RETVAL=0
863
RETVAL=0
878
prog="chilli"
864
prog="chilli"
879
case \$1 in
865
case \$1 in
880
    start)
866
    start)
881
	if [ -f \$pidfile ] ; then 
867
	if [ -f \$pidfile ] ; then 
882
		gprintf "chilli is already running"
868
		gprintf "chilli is already running"
883
	else
869
	else
884
        	gprintf "Starting \$prog: "
870
        	gprintf "Starting \$prog: "
885
		rm -f /var/run/chilli* # cleaning
871
		rm -f /var/run/chilli* # cleaning
886
        	/sbin/modprobe tun >/dev/null 2>&1
872
        	/sbin/modprobe tun >/dev/null 2>&1
887
        	echo 1 > /proc/sys/net/ipv4/ip_forward
873
        	echo 1 > /proc/sys/net/ipv4/ip_forward
888
		[ -e /dev/net/tun ] || {
874
		[ -e /dev/net/tun ] || {
889
	    	(cd /dev; 
875
	    	(cd /dev; 
890
			mkdir net; 
876
			mkdir net; 
891
			cd net; 
877
			cd net; 
892
			mknod tun c 10 200)
878
			mknod tun c 10 200)
893
		}
879
		}
894
		ifconfig eth1 0.0.0.0
880
		ifconfig eth1 0.0.0.0
895
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
881
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
896
        	RETVAL=$?
882
        	RETVAL=$?
897
	fi
883
	fi
898
	;;
884
	;;
899
 
885
 
900
    reload)
886
    reload)
901
	killall -HUP chilli
887
	killall -HUP chilli
902
	;;
888
	;;
903
 
889
 
904
    restart)
890
    restart)
905
	\$0 stop
891
	\$0 stop
906
        sleep 2
892
        sleep 2
907
	\$0 start
893
	\$0 start
908
	;;
894
	;;
909
    
895
    
910
    status)
896
    status)
911
        status chilli
897
        status chilli
912
        RETVAL=0
898
        RETVAL=0
913
        ;;
899
        ;;
914
 
900
 
915
    stop)
901
    stop)
916
	if [ -f \$pidfile ] ; then  
902
	if [ -f \$pidfile ] ; then  
917
        	gprintf "Shutting down \$prog: "
903
        	gprintf "Shutting down \$prog: "
918
		killproc /usr/sbin/chilli
904
		killproc /usr/sbin/chilli
919
		RETVAL=\$?
905
		RETVAL=\$?
920
		[ \$RETVAL = 0 ] && rm -f $pidfile
906
		[ \$RETVAL = 0 ] && rm -f $pidfile
921
	else	
907
	else	
922
        	gprintf "chilli is not running"
908
        	gprintf "chilli is not running"
923
	fi
909
	fi
924
	;;
910
	;;
925
    
911
    
926
    *)
912
    *)
927
        echo "Usage: \$0 {start|stop|restart|reload|status}"
913
        echo "Usage: \$0 {start|stop|restart|reload|status}"
928
        exit 1
914
        exit 1
929
esac
915
esac
930
echo
916
echo
931
EOF
917
EOF
932
 
918
 
933
# conf file creation
919
# conf file creation
934
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
920
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
935
	cat <<EOF > /etc/chilli.conf
921
	cat <<EOF > /etc/chilli.conf
936
# coova config for ALCASAR
922
# coova config for ALCASAR
937
cmdsocket	/var/run/chilli.sock
923
cmdsocket	/var/run/chilli.sock
938
unixipc		chilli.eth1.ipc
924
unixipc		chilli.eth1.ipc
939
pidfile		/var/run/chilli.eth1.pid
925
pidfile		/var/run/chilli.eth1.pid
940
net		$PRIVATE_NETWORK_MASK
926
net		$PRIVATE_NETWORK_MASK
941
dhcpif		$INTIF
927
dhcpif		$INTIF
942
ethers		$DIR_DEST_ETC/alcasar-ethers
928
ethers		$DIR_DEST_ETC/alcasar-ethers
943
#nodynip
929
#nodynip
944
statip		$PRIVATE_STAT_IP
930
#statip
945
dynip		$PRIVATE_DYN_IP
931
dynip		$PRIVATE_NETWORK_MASK
946
domain		localdomain
932
domain		localdomain
947
dns1		$PRIVATE_IP
933
dns1		$PRIVATE_IP
948
dns2		$PRIVATE_IP
934
dns2		$PRIVATE_IP
949
uamlisten	$PRIVATE_IP
935
uamlisten	$PRIVATE_IP
950
uamport		3990
936
uamport		3990
951
macauth
937
macauth
952
macpasswd	password
938
macpasswd	password
953
locationname	$HOSTNAME
939
locationname	$HOSTNAME
954
radiusserver1	127.0.0.1
940
radiusserver1	127.0.0.1
955
radiusserver2	127.0.0.1
941
radiusserver2	127.0.0.1
956
radiussecret	$secretradius
942
radiussecret	$secretradius
957
radiusauthport	1812
943
radiusauthport	1812
958
radiusacctport	1813
944
radiusacctport	1813
959
uamserver	https://$HOSTNAME/intercept.php
945
uamserver	https://$HOSTNAME/intercept.php
960
radiusnasid	$HOSTNAME
946
radiusnasid	$HOSTNAME
961
uamsecret	$secretuam
947
uamsecret	$secretuam
962
uamallowed	alcasar
948
uamallowed	alcasar
963
coaport		3799
949
coaport		3799
964
include		$DIR_DEST_ETC/alcasar-uamallowed
950
include		$DIR_DEST_ETC/alcasar-uamallowed
965
include		$DIR_DEST_ETC/alcasar-uamdomain
951
include		$DIR_DEST_ETC/alcasar-uamdomain
966
EOF
952
EOF
967
# création du fichier d'allocation d'adresses IP statiques
953
# création du fichier d'allocation d'adresses IP statiques
968
	touch $DIR_DEST_ETC/alcasar-ethers
954
	touch $DIR_DEST_ETC/alcasar-ethers
969
# create files for trusted domains and urls
955
# create files for trusted domains and urls
970
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
956
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
971
	chown root:apache $DIR_DEST_ETC/alcasar-*
957
	chown root:apache $DIR_DEST_ETC/alcasar-*
972
	chmod 660 $DIR_DEST_ETC/alcasar-*
958
	chmod 660 $DIR_DEST_ETC/alcasar-*
973
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
959
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
974
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
960
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
975
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
961
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
976
# user 'chilli' creation (in order to run conup/off and up/down scripts
962
# user 'chilli' creation (in order to run conup/off and up/down scripts
977
	chilli_exist=`grep chilli /etc/passwd|wc -l`
963
	chilli_exist=`grep chilli /etc/passwd|wc -l`
978
	if [ "$chilli_exist" == "1" ]
964
	if [ "$chilli_exist" == "1" ]
979
	then
965
	then
980
	      userdel -r chilli 2>/dev/null
966
	      userdel -r chilli 2>/dev/null
981
	fi
967
	fi
982
	groupadd -f chilli
968
	groupadd -f chilli
983
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
969
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
984
}  # End of param_chilli ()
970
}  # End of param_chilli ()
985
 
971
 
986
##########################################################
972
##########################################################
987
##			Fonction param_squid		##
973
##			Fonction param_squid		##
988
## - Paramètrage du proxy 'squid' en mode 'cache'	##
974
## - Paramètrage du proxy 'squid' en mode 'cache'	##
989
## - Initialisation de la base de données  		##
975
## - Initialisation de la base de données  		##
990
##########################################################
976
##########################################################
991
param_squid ()
977
param_squid ()
992
{
978
{
993
# paramètrage de Squid (connecté en série derrière Dansguardian)
979
# paramètrage de Squid (connecté en série derrière Dansguardian)
994
	[ -e /etc/squid/squid.conf.default  ] || cp /etc/squid/squid.conf /etc/squid/squid.conf.default
980
	[ -e /etc/squid/squid.conf.default  ] || cp /etc/squid/squid.conf /etc/squid/squid.conf.default
995
# suppression des références 'localnet', 'icp', 'htcp' et 'always_direct'
981
# suppression des références 'localnet', 'icp', 'htcp' et 'always_direct'
996
	$SED "/^acl localnet/d" /etc/squid/squid.conf
982
	$SED "/^acl localnet/d" /etc/squid/squid.conf
997
	$SED "/^icp_access allow localnet/d" /etc/squid/squid.conf
983
	$SED "/^icp_access allow localnet/d" /etc/squid/squid.conf
998
	$SED "/^icp_port 3130/d" /etc/squid/squid.conf
984
	$SED "/^icp_port 3130/d" /etc/squid/squid.conf
999
	$SED "/^http_access allow localnet/d" /etc/squid/squid.conf
985
	$SED "/^http_access allow localnet/d" /etc/squid/squid.conf
1000
	$SED "/^htcp_access allow localnet/d" /etc/squid/squid.conf
986
	$SED "/^htcp_access allow localnet/d" /etc/squid/squid.conf
1001
	$SED "/^always_direct allow localnet/d" /etc/squid/squid.conf
987
	$SED "/^always_direct allow localnet/d" /etc/squid/squid.conf
1002
# mode 'proxy transparent local'
988
# mode 'proxy transparent local'
1003
	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
989
	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
1004
# Configuration du cache local
990
# Configuration du cache local
1005
	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
991
	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
1006
# emplacement et formatage standard des logs
992
# emplacement et formatage standard des logs
1007
	echo '#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh' >> /etc/squid/squid.conf
993
	echo '#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh' >> /etc/squid/squid.conf
1008
	echo '#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh' >> /etc/squid/squid.conf
994
	echo '#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh' >> /etc/squid/squid.conf
1009
        echo "access_log /var/log/squid/access.log" >> /etc/squid/squid.conf
995
        echo "access_log /var/log/squid/access.log" >> /etc/squid/squid.conf
1010
# compatibilité des logs avec awstats
996
# compatibilité des logs avec awstats
1011
	echo "emulate_httpd_log on" >> /etc/squid/squid.conf
997
	echo "emulate_httpd_log on" >> /etc/squid/squid.conf
1012
	echo "half_closed_clients off" >> /etc/squid/squid.conf
998
	echo "half_closed_clients off" >> /etc/squid/squid.conf
1013
	echo "server_persistent_connections off" >> /etc/squid/squid.conf
999
	echo "server_persistent_connections off" >> /etc/squid/squid.conf
1014
	echo "client_persistent_connections on" >> /etc/squid/squid.conf
1000
	echo "client_persistent_connections on" >> /etc/squid/squid.conf
1015
	echo "client_lifetime 1440 minutes" >> /etc/squid/squid.conf
1001
	echo "client_lifetime 1440 minutes" >> /etc/squid/squid.conf
1016
	echo "request_timeout 5 minutes" >> /etc/squid/squid.conf
1002
	echo "request_timeout 5 minutes" >> /etc/squid/squid.conf
1017
	echo "persistent_request_timeout 2 minutes" >> /etc/squid/squid.conf
1003
	echo "persistent_request_timeout 2 minutes" >> /etc/squid/squid.conf
1018
	echo "cache_mem 256 MB" >> /etc/squid/squid.conf
1004
	echo "cache_mem 256 MB" >> /etc/squid/squid.conf
1019
	echo "maximum_object_size_in_memory 4096 KB" >> /etc/squid/squid.conf
1005
	echo "maximum_object_size_in_memory 4096 KB" >> /etc/squid/squid.conf
1020
	echo "maximum_object_size     4096 KB" >> /etc/squid/squid.conf
1006
	echo "maximum_object_size     4096 KB" >> /etc/squid/squid.conf
1021
# anonymisation of squid version
1007
# anonymisation of squid version
1022
	echo "via off" >> /etc/squid/squid.conf
1008
	echo "via off" >> /etc/squid/squid.conf
1023
# remove the 'X_forwarded' http option
1009
# remove the 'X_forwarded' http option
1024
	echo "forwarded_for delete" >> /etc/squid/squid.conf
1010
	echo "forwarded_for delete" >> /etc/squid/squid.conf
1025
# linked squid output in HAVP input
1011
# linked squid output in HAVP input
1026
	echo "cache_peer 127.0.0.1 parent 8090 0 no-query default" >> /etc/squid/squid.conf
1012
	echo "cache_peer 127.0.0.1 parent 8090 0 no-query default" >> /etc/squid/squid.conf
1027
	echo "never_direct allow all" >> /etc/squid/squid.conf
1013
	echo "never_direct allow all" >> /etc/squid/squid.conf
1028
# avoid error messages on network interfaces state changes
1014
# avoid error messages on network interfaces state changes
1029
	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
1015
	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
1030
# Squid cache init
1016
# Squid cache init
1031
	/usr/sbin/squid -z
1017
	/usr/sbin/squid -z
1032
}  # End of param_squid ()
1018
}  # End of param_squid ()
1033
	
1019
	
1034
##################################################################
1020
##################################################################
1035
##		Fonction param_dansguardian			##
1021
##		Fonction param_dansguardian			##
1036
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1022
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1037
##################################################################
1023
##################################################################
1038
param_dansguardian ()
1024
param_dansguardian ()
1039
{
1025
{
1040
	mkdir /var/dansguardian
1026
	mkdir /var/dansguardian
1041
	chown dansguardian /var/dansguardian
1027
	chown dansguardian /var/dansguardian
1042
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1028
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1043
# Le filtrage est désactivé par défaut 
1029
# Le filtrage est désactivé par défaut 
1044
	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1030
	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1045
# la page d'interception est en français
1031
# la page d'interception est en français
1046
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1032
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1047
# on limite l'écoute de Dansguardian côté LAN
1033
# on limite l'écoute de Dansguardian côté LAN
1048
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1034
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1049
# on chaîne Dansguardian au proxy cache SQUID
1035
# on chaîne Dansguardian au proxy cache SQUID
1050
	$SED "s?^proxyport.*?proxyport = 3128?g" $DIR_DG/dansguardian.conf
1036
	$SED "s?^proxyport.*?proxyport = 3128?g" $DIR_DG/dansguardian.conf
1051
# on remplace la page d'interception (template)
1037
# on remplace la page d'interception (template)
1052
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1038
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1053
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1039
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1054
# on ne loggue que les deny (pour le reste, on a squid)
1040
# on ne loggue que les deny (pour le reste, on a squid)
1055
	$SED "s?^loglevel =.*?loglevel = 1?g" $DIR_DG/dansguardian.conf
1041
	$SED "s?^loglevel =.*?loglevel = 1?g" $DIR_DG/dansguardian.conf
1056
# lauch of 10 daemons (20 in largest server)
1042
# lauch of 10 daemons (20 in largest server)
1057
	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1043
	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1058
# on désactive par défaut le controle de contenu des pages html
1044
# on désactive par défaut le controle de contenu des pages html
1059
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1045
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1060
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1046
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1061
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1047
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1062
# on désactive par défaut le contrôle d'URL par expressions régulières
1048
# on désactive par défaut le contrôle d'URL par expressions régulières
1063
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1049
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1064
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1050
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1065
# on désactive par défaut le contrôle de téléchargement de fichiers
1051
# on désactive par défaut le contrôle de téléchargement de fichiers
1066
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1052
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1067
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1053
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1068
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1054
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1069
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1055
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1070
	touch $DIR_DG/lists/bannedextensionlist
1056
	touch $DIR_DG/lists/bannedextensionlist
1071
	touch $DIR_DG/lists/bannedmimetypelist
1057
	touch $DIR_DG/lists/bannedmimetypelist
1072
# 'Safesearch' regex actualisation
1058
# 'Safesearch' regex actualisation
1073
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1059
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1074
# empty LAN IP list that won't be WEB filtered
1060
# empty LAN IP list that won't be WEB filtered
1075
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1061
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1076
	touch $DIR_DG/lists/exceptioniplist
1062
	touch $DIR_DG/lists/exceptioniplist
1077
# Keep a copy of URL & domain filter configuration files
1063
# Keep a copy of URL & domain filter configuration files
1078
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1064
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1079
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1065
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1080
} # End of param_dansguardian ()
1066
} # End of param_dansguardian ()
1081
 
1067
 
1082
##################################################################
1068
##################################################################
1083
##			Fonction antivirus			##
1069
##			Fonction antivirus			##
1084
## - configuration havp + libclamav				##
1070
## - configuration havp + libclamav				##
1085
##################################################################
1071
##################################################################
1086
antivirus ()		
1072
antivirus ()		
1087
{
1073
{
1088
# création de l'usager 'havp'
1074
# création de l'usager 'havp'
1089
	havp_exist=`grep havp /etc/passwd|wc -l`
1075
	havp_exist=`grep havp /etc/passwd|wc -l`
1090
	if [ "$havp_exist" == "1" ]
1076
	if [ "$havp_exist" == "1" ]
1091
	then
1077
	then
1092
	      userdel -r havp 2>/dev/null
1078
	      userdel -r havp 2>/dev/null
1093
	fi
1079
	fi
1094
	groupadd -f havp
1080
	groupadd -f havp
1095
	useradd -r -g havp -s /bin/false -c "system user for havp" havp
1081
	useradd -r -g havp -s /bin/false -c "system user for havp" havp
1096
	mkdir -p /var/tmp/havp /var/log/havp
1082
	mkdir -p /var/tmp/havp /var/log/havp
1097
	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
1083
	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
1098
	$SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
1084
	$SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
1099
# configuration d'HAVP
1085
# configuration d'HAVP
1100
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1086
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1101
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1087
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1102
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on 8090			
1088
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on 8090			
1103
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1089
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1104
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1090
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1105
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1091
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1106
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1092
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1107
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1093
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1108
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1094
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1109
# remplacement du fichier d'initialisation
1095
# remplacement du fichier d'initialisation
1110
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1096
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1111
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1097
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1112
# on remplace la page d'interception (template)
1098
# on remplace la page d'interception (template)
1113
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1099
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1114
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1100
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1115
# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
1101
# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
1116
	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
1102
	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
1117
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1103
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1118
# Virus database update
1104
# Virus database update
1119
	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1105
	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1120
	[ -e /var/lib/clamav/main.cvd ] || /usr/bin/freshclam
1106
	[ -e /var/lib/clamav/main.cvd ] || /usr/bin/freshclam
1121
}
1107
}
1122
 
1108
 
1123
##################################################################################
1109
##################################################################################
1124
##			param_ulogd function					##
1110
##			param_ulogd function					##
1125
## - Ulog config for multi-log files 						##
1111
## - Ulog config for multi-log files 						##
1126
##################################################################################
1112
##################################################################################
1127
param_ulogd ()
1113
param_ulogd ()
1128
{
1114
{
1129
# Three instances of ulogd (three different logfiles)
1115
# Three instances of ulogd (three different logfiles)
1130
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1116
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1131
	nl=1
1117
	nl=1
1132
	for log_type in tracability ssh ext-access
1118
	for log_type in tracability ssh ext-access
1133
	do
1119
	do
1134
		[ -e /var/log/firewall/$log_type.log ] || touch /var/log/firewall/$log_type.log
1120
		[ -e /var/log/firewall/$log_type.log ] || touch /var/log/firewall/$log_type.log
1135
		cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
1121
		cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
1136
		$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf 
1122
		$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf 
1137
		$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
1123
		$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
1138
		cat << EOF >> /etc/ulogd-$log_type.conf
1124
		cat << EOF >> /etc/ulogd-$log_type.conf
1139
[LOGEMU]
1125
[LOGEMU]
1140
file="/var/log/firewall/$log_type.log"
1126
file="/var/log/firewall/$log_type.log"
1141
sync=1
1127
sync=1
1142
EOF
1128
EOF
1143
		nl=`expr $nl + 1`
1129
		nl=`expr $nl + 1`
1144
	done
1130
	done
1145
	chown -R root:apache /var/log/firewall
1131
	chown -R root:apache /var/log/firewall
1146
	chmod 750 /var/log/firewall
1132
	chmod 750 /var/log/firewall
1147
	chmod 640 /var/log/firewall/*
1133
	chmod 640 /var/log/firewall/*
1148
	[ -e /etc/init.d/ulogd.default ] || cp /etc/init.d/ulogd /etc/init.d/ulogd.default
1134
	[ -e /etc/init.d/ulogd.default ] || cp /etc/init.d/ulogd /etc/init.d/ulogd.default
1149
	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
1135
	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
1150
}  # End of param_ulogd ()
1136
}  # End of param_ulogd ()
1151
 
1137
 
1152
##################################################################################
1138
##################################################################################
1153
##				Fonction param_awstats				##
1139
##				Fonction param_awstats				##
1154
## - configuration de l'interface des logs de consultation WEB (AWSTAT)		##
1140
## - configuration de l'interface des logs de consultation WEB (AWSTAT)		##
1155
##################################################################################
1141
##################################################################################
1156
param_awstats()
1142
param_awstats()
1157
{
1143
{
1158
	cp -rf /usr/share/awstats/www/ $DIR_ACC/awstats/
1144
	cp -rf /usr/share/awstats/www/ $DIR_ACC/awstats/
1159
	chown -R apache:apache $DIR_ACC/awstats
1145
	chown -R apache:apache $DIR_ACC/awstats
1160
	cp /etc/awstats/awstats.conf /etc/awstats/awstats.conf.default
1146
	cp /etc/awstats/awstats.conf /etc/awstats/awstats.conf.default
1161
	$SED "s?^LogFile=.*?LogFile=\"/var/log/squid/access.log\"?g" /etc/awstats/awstats.conf
1147
	$SED "s?^LogFile=.*?LogFile=\"/var/log/squid/access.log\"?g" /etc/awstats/awstats.conf
1162
	$SED "s?^LogFormat=.*?LogFormat=4?g" /etc/awstats/awstats.conf
1148
	$SED "s?^LogFormat=.*?LogFormat=4?g" /etc/awstats/awstats.conf
1163
	$SED "s?^SiteDomain=.*?SiteDomain=\"$HOSTNAME\"?g" /etc/awstats/awstats.conf
1149
	$SED "s?^SiteDomain=.*?SiteDomain=\"$HOSTNAME\"?g" /etc/awstats/awstats.conf
1164
	$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf
1150
	$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf
1165
	$SED "s?^DNSLookup=.*?DNSLookup=0?g" /etc/awstats/awstats.conf
1151
	$SED "s?^DNSLookup=.*?DNSLookup=0?g" /etc/awstats/awstats.conf
1166
	$SED "s?^DirData=.*?DirData=\"/var/lib/awstats\"?g" /etc/awstats/awstats.conf
1152
	$SED "s?^DirData=.*?DirData=\"/var/lib/awstats\"?g" /etc/awstats/awstats.conf
1167
	$SED "s?^DirIcons=.*?DirIcons=\"/acc/awstats/icon\"?g" /etc/awstats/awstats.conf
1153
	$SED "s?^DirIcons=.*?DirIcons=\"/acc/awstats/icon\"?g" /etc/awstats/awstats.conf
1168
	$SED "s?^StyleSheet=.*?StyleSheet=\"/css/style.css\"?g" /etc/awstats/awstats.conf
1154
	$SED "s?^StyleSheet=.*?StyleSheet=\"/css/style.css\"?g" /etc/awstats/awstats.conf
1169
	$SED "s?^BuildReportFormat=.*?BuildReportFormat=xhtml?g" /etc/awstats/awstats.conf
1155
	$SED "s?^BuildReportFormat=.*?BuildReportFormat=xhtml?g" /etc/awstats/awstats.conf
1170
	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
1156
	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
1171
	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
1157
	$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
1172
	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
1158
	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
1173
	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
1159
	$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
1174
	$SED "s?^ShowMonthStats=.*?ShowMonthStats=VPHB?g" /etc/awstats/awstats.conf
1160
	$SED "s?^ShowMonthStats=.*?ShowMonthStats=VPHB?g" /etc/awstats/awstats.conf
1175
	$SED "s?^ShowDaysOfMonthStats=.*?ShowDaysOfMonthStats=PHB?g" /etc/awstats/awstats.conf
1161
	$SED "s?^ShowDaysOfMonthStats=.*?ShowDaysOfMonthStats=PHB?g" /etc/awstats/awstats.conf
1176
	$SED "s?^ShowDaysOfWeekStats=.*?ShowDaysOfWeekStats=PHB?g" /etc/awstats/awstats.conf
1162
	$SED "s?^ShowDaysOfWeekStats=.*?ShowDaysOfWeekStats=PHB?g" /etc/awstats/awstats.conf
1177
	$SED "s?^ShowHoursStats=.*?ShowHoursStats=PHB?g" /etc/awstats/awstats.conf
1163
	$SED "s?^ShowHoursStats=.*?ShowHoursStats=PHB?g" /etc/awstats/awstats.conf
1178
	$SED "s?^ShowDomainsStats=.*?ShowDomainsStats=0?g" /etc/awstats/awstats.conf
1164
	$SED "s?^ShowDomainsStats=.*?ShowDomainsStats=0?g" /etc/awstats/awstats.conf
1179
	$SED "s?^ShowHostsStats=.*?ShowHostsStats=0?g" /etc/awstats/awstats.conf
1165
	$SED "s?^ShowHostsStats=.*?ShowHostsStats=0?g" /etc/awstats/awstats.conf
1180
	$SED "s?^ShowAuthenticatedUsers=.*?ShowAuthenticatedUsers=0?g" /etc/awstats/awstats.conf
1166
	$SED "s?^ShowAuthenticatedUsers=.*?ShowAuthenticatedUsers=0?g" /etc/awstats/awstats.conf
1181
	$SED "s?^ShowRobotsStats=.*?ShowRobotsStats=0?g" /etc/awstats/awstats.conf
1167
	$SED "s?^ShowRobotsStats=.*?ShowRobotsStats=0?g" /etc/awstats/awstats.conf
1182
	$SED "s?^ShowFileTypesStats=.*?ShowFileTypesStats=0?g" /etc/awstats/awstats.conf
1168
	$SED "s?^ShowFileTypesStats=.*?ShowFileTypesStats=0?g" /etc/awstats/awstats.conf
1183
	$SED "s?^ShowFileSizesStats=.*?ShowFileSizesStats=0?g" /etc/awstats/awstats.conf
1169
	$SED "s?^ShowFileSizesStats=.*?ShowFileSizesStats=0?g" /etc/awstats/awstats.conf
1184
	$SED "s?^ShowOSStats=.*?ShowOSStats=0?g" /etc/awstats/awstats.conf
1170
	$SED "s?^ShowOSStats=.*?ShowOSStats=0?g" /etc/awstats/awstats.conf
1185
	$SED "s?^ShowScreenSizeStats=.*?ShowScreenSizeStats=0?g" /etc/awstats/awstats.conf
1171
	$SED "s?^ShowScreenSizeStats=.*?ShowScreenSizeStats=0?g" /etc/awstats/awstats.conf
1186
 
1172
 
1187
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
1173
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
1188
<Directory $DIR_ACC/awstats>
1174
<Directory $DIR_ACC/awstats>
1189
	SSLRequireSSL
1175
	SSLRequireSSL
1190
	Options ExecCGI
1176
	Options ExecCGI
1191
	AddHandler cgi-script .pl
1177
	AddHandler cgi-script .pl
1192
	DirectoryIndex awstats.pl
1178
	DirectoryIndex awstats.pl
1193
	Order deny,allow
1179
	Order deny,allow
1194
	Deny from all
1180
	Deny from all
1195
	Allow from 127.0.0.1
1181
	Allow from 127.0.0.1
1196
	Allow from $PRIVATE_NETWORK_MASK
1182
	Allow from $PRIVATE_NETWORK_MASK
1197
	require valid-user
1183
	require valid-user
1198
	AuthType digest
1184
	AuthType digest
1199
	AuthName $HOSTNAME
1185
	AuthName $HOSTNAME
1200
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
1186
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
1201
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1187
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1202
	ErrorDocument 404 https://$HOSTNAME/
1188
	ErrorDocument 404 https://$HOSTNAME/
1203
</Directory>
1189
</Directory>
1204
SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
1190
SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
1205
EOF
1191
EOF
1206
} # End of param_awstats ()
1192
} # End of param_awstats ()
1207
 
1193
 
1208
##########################################################
1194
##########################################################
1209
##		Fonction param_dnsmasq			##
1195
##		Fonction param_dnsmasq			##
1210
##########################################################
1196
##########################################################
1211
param_dnsmasq ()
1197
param_dnsmasq ()
1212
{
1198
{
1213
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1199
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1214
	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
1200
	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
1215
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1201
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1216
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
1202
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
1217
	cat << EOF > /etc/dnsmasq.conf 
1203
	cat << EOF > /etc/dnsmasq.conf 
1218
# Configuration file for "dnsmasq in forward mode"
1204
# Configuration file for "dnsmasq in forward mode"
1219
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# zone de definition de noms DNS locaux
1205
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# zone de definition de noms DNS locaux
1220
listen-address=$PRIVATE_IP
1206
listen-address=$PRIVATE_IP
1221
listen-address=127.0.0.1
1207
listen-address=127.0.0.1
1222
no-dhcp-interface=$INTIF
1208
no-dhcp-interface=$INTIF
1223
bind-interfaces
1209
bind-interfaces
1224
cache-size=256
1210
cache-size=256
1225
domain=$DOMAIN
1211
domain=$DOMAIN
1226
domain-needed
1212
domain-needed
1227
expand-hosts
1213
expand-hosts
1228
bogus-priv
1214
bogus-priv
1229
filterwin2k
1215
filterwin2k
1230
server=$DNS1
1216
server=$DNS1
1231
server=$DNS2
1217
server=$DNS2
1232
# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
1218
# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
1233
dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_NETMASK,12h
1219
dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1234
dhcp-option=option:router,$PRIVATE_IP
1220
dhcp-option=option:router,$PRIVATE_IP
1235
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
1221
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
1236
 
1222
 
1237
# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1223
# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1238
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1224
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1239
EOF
1225
EOF
1240
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
1226
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
1241
	cat << EOF > /etc/dnsmasq-blackhole.conf 
1227
	cat << EOF > /etc/dnsmasq-blackhole.conf 
1242
	# Configuration file for "dnsmasq with blackhole"
1228
	# Configuration file for "dnsmasq with blackhole"
1243
# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1229
# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1244
conf-dir=$DIR_DEST_ETC/alcasar-dnsfilter-enabled
1230
conf-dir=$DIR_DEST_ETC/alcasar-dnsfilter-enabled
1245
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# zone de definition de noms DNS locaux
1231
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# zone de definition de noms DNS locaux
1246
listen-address=$PRIVATE_IP
1232
listen-address=$PRIVATE_IP
1247
port=54
1233
port=54
1248
no-dhcp-interface=$INTIF
1234
no-dhcp-interface=$INTIF
1249
bind-interfaces
1235
bind-interfaces
1250
cache-size=256
1236
cache-size=256
1251
domain=$DOMAIN
1237
domain=$DOMAIN
1252
domain-needed
1238
domain-needed
1253
expand-hosts
1239
expand-hosts
1254
bogus-priv
1240
bogus-priv
1255
filterwin2k
1241
filterwin2k
1256
server=$DNS1
1242
server=$DNS1
1257
server=$DNS2
1243
server=$DNS2
1258
EOF
1244
EOF
1259
 
1245
 
1260
# Init file modification
1246
# Init file modification
1261
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
1247
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
1262
# Start and stop a 2nd process for the "DNS blackhole"
1248
# Start and stop a 2nd process for the "DNS blackhole"
1263
$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq
1249
$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq
1264
$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq
1250
$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq
1265
# Start after chilli (65) which create tun0
1251
# Start after chilli (65) which create tun0
1266
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
1252
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
1267
# Optionnellement on active les logs DNS des clients
1253
# Optionnellement on active les logs DNS des clients
1268
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1254
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1269
$SED "s?^OPTIONS=.*?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g"  /etc/sysconfig/dnsmasq
1255
$SED "s?^OPTIONS=.*?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g"  /etc/sysconfig/dnsmasq
1270
} # End dnsmasq
1256
} # End dnsmasq
1271
 
1257
 
1272
##########################################################
1258
##########################################################
1273
##		Fonction BL (BlackList)			##
1259
##		Fonction BL (BlackList)			##
1274
##########################################################
1260
##########################################################
1275
BL ()
1261
BL ()
1276
{
1262
{
1277
# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
1263
# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
1278
	rm -rf $DIR_DG/lists/blacklists
1264
	rm -rf $DIR_DG/lists/blacklists
1279
	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1265
	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1280
# on crée le répertoire de la BL secondaire et le répertoire "pureip" (catégorie virtuelle)
1266
# on crée le répertoire de la BL secondaire et le répertoire "pureip" (catégorie virtuelle)
1281
	mkdir $DIR_DG/lists/blacklists/ossi $DIR_DG/lists/blacklists/ip
1267
	mkdir $DIR_DG/lists/blacklists/ossi $DIR_DG/lists/blacklists/ip
1282
	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ip/domains
1268
	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ip/domains
1283
	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ip/urls
1269
	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ip/urls
1284
# On crée les fichiers vides de sites ou d'URL réhabilités
1270
# On crée les fichiers vides de sites ou d'URL réhabilités
1285
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1271
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1286
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1272
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1287
	touch $DIR_DG/lists/exceptionsitelist
1273
	touch $DIR_DG/lists/exceptionsitelist
1288
	touch $DIR_DG/lists/exceptionurllist
1274
	touch $DIR_DG/lists/exceptionurllist
1289
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1275
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1290
	cat <<EOF > $DIR_DG/lists/bannedurllist
1276
	cat <<EOF > $DIR_DG/lists/bannedurllist
1291
# Dansguardian filter config for ALCASAR
1277
# Dansguardian filter config for ALCASAR
1292
EOF
1278
EOF
1293
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1279
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1294
# Dansguardian domain filter config for ALCASAR
1280
# Dansguardian domain filter config for ALCASAR
1295
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1281
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1296
#**
1282
#**
1297
# block all SSL and CONNECT tunnels
1283
# block all SSL and CONNECT tunnels
1298
**s
1284
**s
1299
# block all SSL and CONNECT tunnels specified only as an IP
1285
# block all SSL and CONNECT tunnels specified only as an IP
1300
*ips
1286
*ips
1301
# block all sites specified only by an IP
1287
# block all sites specified only by an IP
1302
*ip
1288
*ip
1303
EOF
1289
EOF
1304
	chown -R dansguardian:apache $DIR_DG
1290
	chown -R dansguardian:apache $DIR_DG
1305
	chmod -R g+rw $DIR_DG
1291
	chmod -R g+rw $DIR_DG
1306
# On crée la structure du DNS-blackhole :
1292
# On crée la structure du DNS-blackhole :
1307
  	mkdir $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
1293
  	mkdir $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
1308
	chown -R 770 $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
1294
	chown -R 770 $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
1309
	chown -R root:apache $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
1295
	chown -R root:apache $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
1310
# On adapte la BL de Toulouse à notre structure
1296
# On adapte la BL de Toulouse à notre structure
1311
	if [ "$mode" != "update" ]; then
1297
	if [ "$mode" != "update" ]; then
1312
		$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1298
		$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1313
	fi
1299
	fi
1314
}
1300
}
1315
 
1301
 
1316
##########################################################
1302
##########################################################
1317
##		Fonction cron				##
1303
##		Fonction cron				##
1318
## - Mise en place des différents fichiers de cron	##
1304
## - Mise en place des différents fichiers de cron	##
1319
##########################################################
1305
##########################################################
1320
cron ()
1306
cron ()
1321
{
1307
{
1322
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1308
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1323
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1309
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1324
	cat <<EOF > /etc/crontab
1310
	cat <<EOF > /etc/crontab
1325
SHELL=/bin/bash
1311
SHELL=/bin/bash
1326
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1312
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1327
MAILTO=root
1313
MAILTO=root
1328
HOME=/
1314
HOME=/
1329
 
1315
 
1330
# run-parts
1316
# run-parts
1331
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1317
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1332
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1318
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1333
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1319
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1334
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1320
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1335
EOF
1321
EOF
1336
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1322
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1337
	cat <<EOF >> /etc/anacrontab
1323
	cat <<EOF >> /etc/anacrontab
1338
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1324
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1339
7       10      cron.logExport          nice /etc/cron.d/alcasar-export_log
1325
7       10      cron.logExport          nice /etc/cron.d/alcasar-export_log
1340
7       15      cron.logClean           nice /etc/cron.d/alcasar-clean_log
1326
7       15      cron.logClean           nice /etc/cron.d/alcasar-clean_log
1341
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1327
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1342
EOF
1328
EOF
1343
	cat <<EOF > /etc/cron.d/alcasar-clean_log
1329
	cat <<EOF > /etc/cron.d/alcasar-clean_log
1344
# suppression des fichiers de logs de plus d'un an (tous les lundi à 4h30)
1330
# suppression des fichiers de logs de plus d'un an (tous les lundi à 4h30)
1345
30 4 * * 1 root $DIR_DEST_BIN/alcasar-log-clean.sh
1331
30 4 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --clean
1346
EOF
1332
EOF
1347
	cat <<EOF > /etc/cron.d/alcasar-mysql
1333
	cat <<EOF > /etc/cron.d/alcasar-mysql
1348
# export de la base des usagers (tous les lundi à 4h45)
1334
# export de la base des usagers (tous les lundi à 4h45)
1349
45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
1335
45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
1350
EOF
1336
EOF
1351
	cat <<EOF > /etc/cron.d/alcasar-export_log
1337
	cat <<EOF > /etc/cron.d/alcasar-export_log
1352
# export des log squid, firewall et apache (tous les lundi à 5h00)
1338
# export des log squid, firewall et apache (tous les lundi à 5h00)
1353
00 5 * * 1 root $DIR_DEST_BIN/alcasar-log-export.sh
1339
00 5 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --export
1354
EOF
1340
EOF
1355
	cat << EOF > /etc/cron.d/awstats
1341
	cat << EOF > /etc/cron.d/awstats
1356
# mise à jour des stats de consultation WEB toutes les 30'
1342
# mise à jour des stats de consultation WEB toutes les 30'
1357
*/30 * * * * root $DIR_ACC/awstats/awstats.pl -config=localhost -update >/dev/null 2>&1
1343
*/30 * * * * root $DIR_ACC/awstats/awstats.pl -config=localhost -update >/dev/null 2>&1
1358
EOF
1344
EOF
1359
	cat << EOF > /etc/cron.d/alcasar-clean_import
1345
	cat << EOF > /etc/cron.d/alcasar-clean_import
1360
# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
1346
# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
1361
30 * * * *  root $DIR_DEST_BIN/alcasar-import-clean.sh
1347
30 * * * *  root $DIR_DEST_BIN/alcasar-import-clean.sh
1362
EOF
1348
EOF
1363
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1349
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1364
# mise à jour automatique de la distribution tous les jours 3h30
1350
# mise à jour automatique de la distribution tous les jours 3h30
1365
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1351
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1366
EOF
1352
EOF
1367
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
1353
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
1368
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
1354
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
1369
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct') 
1355
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct') 
1370
# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
1356
# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
1371
# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
1357
# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
1372
# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
1358
# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
1373
	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
1359
	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
1374
	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
1360
	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
1375
	rm -f /etc/cron.daily/freeradius-web
1361
	rm -f /etc/cron.daily/freeradius-web
1376
	rm -f /etc/cron.monthly/freeradius-web
1362
	rm -f /etc/cron.monthly/freeradius-web
1377
	cat << EOF > /etc/cron.d/freeradius-web
1363
	cat << EOF > /etc/cron.d/freeradius-web
1378
1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
1364
1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
1379
5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
1365
5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
1380
10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
1366
10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
1381
15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
1367
15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
1382
EOF
1368
EOF
1383
	cat << EOF > /etc/cron.d/alcasar-watchdog
1369
	cat << EOF > /etc/cron.d/alcasar-watchdog
1384
# activation du "chien de garde" (watchdog) toutes les 3'
1370
# activation du "chien de garde" (watchdog) toutes les 3'
1385
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1371
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1386
EOF
1372
EOF
1387
# activation du "chien de garde des services" (watchdog) toutes les 18'
1373
# activation du "chien de garde des services" (watchdog) toutes les 18'
1388
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1374
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1389
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
1375
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
1390
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1376
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1391
EOF
1377
EOF
1392
# suppression des crons usagers
1378
# suppression des crons usagers
1393
	rm -f /var/spool/cron/*
1379
	rm -f /var/spool/cron/*
1394
} # End cron
1380
} # End cron
1395
 
1381
 
1396
##################################################################
1382
##################################################################
1397
##			Fonction post_install			##
1383
##			Fonction post_install			##
1398
## - Modification des bannières (locales et ssh) et des prompts ##
1384
## - Modification des bannières (locales et ssh) et des prompts ##
1399
## - Installation de la structure de chiffrement pour root	##
1385
## - Installation de la structure de chiffrement pour root	##
1400
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1386
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1401
## - Mise en place du la rotation des logs			##
1387
## - Mise en place du la rotation des logs			##
1402
## - Configuration dans le cas d'une mise à jour		##
1388
## - Configuration dans le cas d'une mise à jour		##
1403
##################################################################
1389
##################################################################
1404
post_install()
1390
post_install()
1405
{
1391
{
1406
# adaptation du script "chien de garde" (watchdog)
1392
# adaptation du script "chien de garde" (watchdog)
1407
	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1393
	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1408
	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1394
	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1409
# création de la bannière locale
1395
# création de la bannière locale
1410
	[ -e /etc/mandriva-release.default ]  || cp /etc/mandriva-release /etc/mandriva-release.default
1396
	[ -e /etc/mandriva-release.default ]  || cp /etc/mandriva-release /etc/mandriva-release.default
1411
	cp -f $DIR_CONF/banner /etc/mandriva-release
1397
	cp -f $DIR_CONF/banner /etc/mandriva-release
1412
	echo " V$VERSION" >> /etc/mandriva-release
1398
	echo " V$VERSION" >> /etc/mandriva-release
1413
# création de la bannière SSH
1399
# création de la bannière SSH
1414
	cp /etc/mandriva-release /etc/ssh/alcasar-banner-ssh
1400
	cp /etc/mandriva-release /etc/ssh/alcasar-banner-ssh
1415
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1401
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1416
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1402
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1417
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1403
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1418
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1404
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1419
# postfix banner anonymisation
1405
# postfix banner anonymisation
1420
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1406
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1421
# sshd écoute côté LAN et WAN
1407
# sshd écoute côté LAN et WAN
1422
	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
1408
	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
1423
	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config 
1409
	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config 
1424
	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
1410
	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
1425
	/sbin/chkconfig --del sshd
1411
	/sbin/chkconfig --del sshd
1426
	echo "SSH=off" >> $CONF_FILE
1412
	echo "SSH=off" >> $CONF_FILE
1427
	echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
1413
	echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
1428
	echo "QOS=off" >> $CONF_FILE
1414
	echo "QOS=off" >> $CONF_FILE
1429
	echo "LDAP=off" >> $CONF_FILE
1415
	echo "LDAP=off" >> $CONF_FILE
1430
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1416
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1431
	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
1417
	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
1432
	echo "DNS_FILTERING=off" >> $CONF_FILE
1418
	echo "DNS_FILTERING=off" >> $CONF_FILE
1433
	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
1419
	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
1434
# Coloration des prompts
1420
# Coloration des prompts
1435
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1421
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1436
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1422
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1437
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1423
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1438
# Droits d'exécution pour utilisateur apache et sysadmin
1424
# Droits d'exécution pour utilisateur apache et sysadmin
1439
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1425
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1440
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1426
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1441
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1427
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1442
# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, squid, radiusd, ulogd)
1428
# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, squid, radiusd, ulogd)
1443
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1429
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1444
	chmod 644 /etc/logrotate.d/*
1430
	chmod 644 /etc/logrotate.d/*
1445
# rectification sur versions précédentes de la compression des logs
1431
# rectification sur versions précédentes de la compression des logs
1446
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1432
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1447
# actualisation des fichiers logs compressés
1433
# actualisation des fichiers logs compressés
1448
	for dir in firewall squid dansguardian httpd
1434
	for dir in firewall squid dansguardian httpd
1449
	do
1435
	do
1450
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1436
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1451
	done
1437
	done
1452
# export des logs en 'retard' dans /var/Save/logs
1438
# export des logs en 'retard' dans /var/Save/logs
1453
	/usr/local/bin/alcasar-log-export.sh
1439
	/usr/local/bin/alcasar-log.sh --export
1454
# processus lancés par défaut au démarrage
1440
# processus lancés par défaut au démarrage
1455
	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
1441
	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
1456
	do
1442
	do
1457
		/sbin/chkconfig --add $i
1443
		/sbin/chkconfig --add $i
1458
	done
1444
	done
1459
# pour éviter les alertes de dépendance entre service.
1445
# pour éviter les alertes de dépendance entre service.
1460
	$SED "s?^# Required-Start.*?# Required-Start: \$local_fs \$network?g" /etc/init.d/mysqld
1446
	$SED "s?^# Required-Start.*?# Required-Start: \$local_fs \$network?g" /etc/init.d/mysqld
1461
	$SED "s?^# Required-Stop.*?# Required-Stop: \$local_fs \$network?g" /etc/init.d/mysqld
1447
	$SED "s?^# Required-Stop.*?# Required-Stop: \$local_fs \$network?g" /etc/init.d/mysqld
1462
	$SED "s?^# Should-Start.*?# Should-Start: radiusd ldap?g" /etc/init.d/httpd
1448
	$SED "s?^# Should-Start.*?# Should-Start: radiusd ldap?g" /etc/init.d/httpd
1463
	$SED "s?^# Should-Stop.*?# Should-Stop: radiusd ldap?g" /etc/init.d/httpd
1449
	$SED "s?^# Should-Stop.*?# Should-Stop: radiusd ldap?g" /etc/init.d/httpd
1464
# On affecte le niveau de sécurité du système : type "fileserver"
1450
# On affecte le niveau de sécurité du système : type "fileserver"
1465
	$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
1451
	$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
1466
# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 )
1452
# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 )
1467
	$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver
1453
	$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver
1468
# On applique les préconisations ANSSI (sysctl + msec quand c'est possible)
1454
# On applique les préconisations ANSSI (sysctl + msec quand c'est possible)
1469
# Apply French Security Agency rules (sysctl + msec when possible)
1455
# Apply French Security Agency rules (sysctl + msec when possible)
1470
# ignorer les broadcast ICMP. (attaque smurf) 
1456
# ignorer les broadcast ICMP. (attaque smurf) 
1471
$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver
1457
$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver
1472
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
1458
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
1473
# ignorer les erreurs ICMP bogus
1459
# ignorer les erreurs ICMP bogus
1474
$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver
1460
$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver
1475
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
1461
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
1476
# désactiver l'envoi et la réponse aux ICMP redirects
1462
# désactiver l'envoi et la réponse aux ICMP redirects
1477
sysctl -w net.ipv4.conf.all.accept_redirects=0
1463
sysctl -w net.ipv4.conf.all.accept_redirects=0
1478
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
1464
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
1479
	if [ "$accept_redirect" == "0" ]
1465
	if [ "$accept_redirect" == "0" ]
1480
	then
1466
	then
1481
		echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
1467
		echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
1482
	else
1468
	else
1483
		$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
1469
		$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
1484
	fi
1470
	fi
1485
sysctl -w net.ipv4.conf.all.send_redirects=0
1471
sysctl -w net.ipv4.conf.all.send_redirects=0
1486
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l`
1472
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l`
1487
	if [ "$send_redirect" == "0" ]
1473
	if [ "$send_redirect" == "0" ]
1488
	then
1474
	then
1489
		echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
1475
		echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
1490
	else
1476
	else
1491
		$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
1477
		$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
1492
	fi
1478
	fi
1493
# activer les SYN Cookies (attaque syn flood)
1479
# activer les SYN Cookies (attaque syn flood)
1494
sysctl -w net.ipv4.tcp_syncookies=1
1480
sysctl -w net.ipv4.tcp_syncookies=1
1495
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l`
1481
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l`
1496
	if [ "$tcp_syncookies" == "0" ]
1482
	if [ "$tcp_syncookies" == "0" ]
1497
	then
1483
	then
1498
		echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
1484
		echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
1499
	else
1485
	else
1500
		$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
1486
		$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
1501
	fi
1487
	fi
1502
# activer l'antispoofing niveau Noyau
1488
# activer l'antispoofing niveau Noyau
1503
$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver
1489
$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver
1504
sysctl -w net.ipv4.conf.all.rp_filter=1
1490
sysctl -w net.ipv4.conf.all.rp_filter=1
1505
# ignorer le source routing
1491
# ignorer le source routing
1506
sysctl -w net.ipv4.conf.all.accept_source_route=0
1492
sysctl -w net.ipv4.conf.all.accept_source_route=0
1507
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
1493
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
1508
	if [ "$accept_source_route" == "0" ]
1494
	if [ "$accept_source_route" == "0" ]
1509
	then
1495
	then
1510
		echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
1496
		echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
1511
	else
1497
	else
1512
		$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
1498
		$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
1513
	fi
1499
	fi
1514
# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
1500
# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
1515
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
1501
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
1516
timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l`
1502
timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l`
1517
	if [ "$timeout_established" == "0" ]
1503
	if [ "$timeout_established" == "0" ]
1518
	then
1504
	then
1519
		echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
1505
		echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
1520
	else
1506
	else
1521
		$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
1507
		$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
1522
	fi
1508
	fi
1523
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée) 
1509
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée) 
1524
sysctl -w net.ipv4.conf.all.log_martians=0
1510
sysctl -w net.ipv4.conf.all.log_martians=0
1525
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver
1511
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver
1526
 
1512
 
1527
 
1513
 
1528
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1514
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1529
	$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
1515
	$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
1530
# On mets en place la sécurité sur les fichiers
1516
# On mets en place la sécurité sur les fichiers
1531
# des modif par rapport à radius update
1517
# des modif par rapport à radius update
1532
	cat <<EOF > /etc/security/msec/perm.local
1518
	cat <<EOF > /etc/security/msec/perm.local
1533
/var/log/firewall/			root.apache	750
1519
/var/log/firewall/			root.apache	750
1534
/var/log/firewall/*			root.apache	640
1520
/var/log/firewall/*			root.apache	640
1535
/etc/security/msec/perm.local		root.root	640
1521
/etc/security/msec/perm.local		root.root	640
1536
/etc/security/msec/level.local		root.root	640
1522
/etc/security/msec/level.local		root.root	640
1537
/etc/freeradius-web			root.apache	750
1523
/etc/freeradius-web			root.apache	750
1538
/etc/freeradius-web/admin.conf		root.apache	640
1524
/etc/freeradius-web/admin.conf		root.apache	640
1539
/etc/freeradius-web/config.php		root.apache	640
1525
/etc/freeradius-web/config.php		root.apache	640
1540
/etc/raddb/dictionnary			root.radius	640
1526
/etc/raddb/dictionnary			root.radius	640
1541
/etc/raddb/ldap.attrmap			root.radius	640
1527
/etc/raddb/ldap.attrmap			root.radius	640
1542
/etc/raddb/hints			root.radius	640
1528
/etc/raddb/hints			root.radius	640
1543
/etc/raddb/huntgroups			root.radius	640
1529
/etc/raddb/huntgroups			root.radius	640
1544
/etc/raddb/attrs.access_reject		root.radius	640
1530
/etc/raddb/attrs.access_reject		root.radius	640
1545
/etc/raddb/attrs.accounting_response	root.radius	640
1531
/etc/raddb/attrs.accounting_response	root.radius	640
1546
/etc/raddb/acct_users			root.radius	640
1532
/etc/raddb/acct_users			root.radius	640
1547
/etc/raddb/preproxy_users		root.radius	640
1533
/etc/raddb/preproxy_users		root.radius	640
1548
/etc/raddb/modules/ldap			radius.apache	660
1534
/etc/raddb/modules/ldap			radius.apache	660
1549
/etc/raddb/sites-available/alcasar	radius.apache	660
1535
/etc/raddb/sites-available/alcasar	radius.apache	660
1550
/etc/pki/*				root.apache	750
1536
/etc/pki/*				root.apache	750
1551
EOF
1537
EOF
1552
	/usr/sbin/msec
1538
	/usr/sbin/msec
1553
# modification /etc/inittab
1539
# modification /etc/inittab
1554
	[ -e /etc/inittab.default ] || cp /etc/inittab /etc/inittab.default
1540
	[ -e /etc/inittab.default ] || cp /etc/inittab /etc/inittab.default
1555
# On ne garde que 3 terminaux
1541
# On ne garde que 3 terminaux
1556
	$SED "s?^4.*?#&?g" /etc/inittab
1542
	$SED "s?^4.*?#&?g" /etc/inittab
1557
	$SED "s?^5.*?#&?g" /etc/inittab
1543
	$SED "s?^5.*?#&?g" /etc/inittab
1558
	$SED "s?^6.*?#&?g" /etc/inittab
1544
	$SED "s?^6.*?#&?g" /etc/inittab
1559
# On limite le temps d'attente de grub (3s) et on change la résolution d'écran
1545
# On limite le temps d'attente de grub (3s) et on change la résolution d'écran
1560
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1546
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1561
$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst
1547
$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst
1562
# On supprime les services et les utilisateurs inutiles
1548
# On supprime les services et les utilisateurs inutiles
1563
for svc in alsa sound dm atd bootlogd stop-bootlogd
1549
for svc in alsa sound dm atd bootlogd stop-bootlogd
1564
do
1550
do
1565
	/sbin/chkconfig --del $svc
1551
	/sbin/chkconfig --del $svc
1566
done
1552
done
1567
for rm_users in avahi-autoipd avahi icapd
1553
for rm_users in avahi-autoipd avahi icapd
1568
do
1554
do
1569
	user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1`
1555
	user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1`
1570
	if [ "$user" == "$rm_users" ]
1556
	if [ "$user" == "$rm_users" ]
1571
	then
1557
	then
1572
		/usr/sbin/userdel -f $rm_users
1558
		/usr/sbin/userdel -f $rm_users
1573
	fi
1559
	fi
1574
done
1560
done
1575
# Load and update the previous conf file
1561
# Load and update the previous conf file
1576
if [ "$mode" = "update" ]
1562
if [ "$mode" = "update" ]
1577
then
1563
then
1578
	$DIR_DEST_BIN/alcasar-conf.sh --load
1564
	$DIR_DEST_BIN/alcasar-conf.sh --load
1579
	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
1565
	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
1580
	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1566
	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1581
fi
1567
fi
1582
rm -f /tmp/alcasar-conf*
1568
rm -f /tmp/alcasar-conf*
1583
chown -R root:apache $DIR_DEST_ETC/*
1569
chown -R root:apache $DIR_DEST_ETC/*
1584
chmod -R 660 $DIR_DEST_ETC/*
1570
chmod -R 660 $DIR_DEST_ETC/*
1585
chmod ug+x $DIR_DEST_ETC/digest $DIR_DEST_ETC/alcasar-dnsfilter*
1571
chmod ug+x $DIR_DEST_ETC/digest $DIR_DEST_ETC/alcasar-dnsfilter*
1586
	cd $DIR_INSTALL
1572
	cd $DIR_INSTALL
1587
	echo ""
1573
	echo ""
1588
	echo "#############################################################################"
1574
	echo "#############################################################################"
1589
	if [ $Lang == "fr" ]
1575
	if [ $Lang == "fr" ]
1590
		then
1576
		then
1591
		echo "#                        Fin d'installation d'ALCASAR                       #"
1577
		echo "#                        Fin d'installation d'ALCASAR                       #"
1592
		echo "#                                                                           #"
1578
		echo "#                                                                           #"
1593
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1579
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1594
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1580
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1595
		echo "#                                                                           #"
1581
		echo "#                                                                           #"
1596
		echo "#############################################################################"
1582
		echo "#############################################################################"
1597
		echo
1583
		echo
1598
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
1584
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
1599
		echo
1585
		echo
1600
		echo "- Lisez attentivement la documentation d'exploitation"
1586
		echo "- Lisez attentivement la documentation d'exploitation"
1601
		echo
1587
		echo
1602
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
1588
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
1603
		echo
1589
		echo
1604
		echo "                   Appuyez sur 'Entrée' pour continuer"
1590
		echo "                   Appuyez sur 'Entrée' pour continuer"
1605
	else	
1591
	else	
1606
		echo "#                        Enf of ALCASAR install process                     #"
1592
		echo "#                        Enf of ALCASAR install process                     #"
1607
		echo "#                                                                           #"
1593
		echo "#                                                                           #"
1608
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1594
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1609
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1595
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1610
		echo "#                                                                           #"
1596
		echo "#                                                                           #"
1611
		echo "#############################################################################"
1597
		echo "#############################################################################"
1612
		echo
1598
		echo
1613
		echo "- The system will be rebooted in order to operate ALCASAR"
1599
		echo "- The system will be rebooted in order to operate ALCASAR"
1614
		echo
1600
		echo
1615
		echo "- Read the exploitation documentation"
1601
		echo "- Read the exploitation documentation"
1616
		echo
1602
		echo
1617
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
1603
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
1618
		echo
1604
		echo
1619
		echo "                   Hit 'Enter' to continue"
1605
		echo "                   Hit 'Enter' to continue"
1620
	fi
1606
	fi
1621
	sleep 2
1607
	sleep 2
1622
	if [ "$mode" != "update" ]
1608
	if [ "$mode" != "update" ]
1623
	then
1609
	then
1624
		read a
1610
		read a
1625
	fi
1611
	fi
1626
	clear
1612
	clear
1627
# Apply and save the firewall rules
1613
# Apply and save the firewall rules
1628
 	sh $DIR_DEST_BIN/alcasar-iptables.sh
1614
 	sh $DIR_DEST_BIN/alcasar-iptables.sh
1629
	sleep 2
1615
	sleep 2
1630
	reboot
1616
	reboot
1631
} # End post_install ()
1617
} # End post_install ()
1632
 
1618
 
1633
#################################
1619
#################################
1634
#  Boucle principale du script  #
1620
#  Boucle principale du script  #
1635
#################################
1621
#################################
1636
dir_exec=`dirname "$0"`
1622
dir_exec=`dirname "$0"`
1637
if [ $dir_exec != "." ]
1623
if [ $dir_exec != "." ]
1638
then
1624
then
1639
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
1625
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
1640
	echo "Launch this program from the ALCASAR archive directory"
1626
	echo "Launch this program from the ALCASAR archive directory"
1641
	exit 0
1627
	exit 0
1642
fi
1628
fi
1643
VERSION=`cat $DIR_INSTALL/VERSION`
1629
VERSION=`cat $DIR_INSTALL/VERSION`
1644
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
1630
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
1645
nb_args=$#
1631
nb_args=$#
1646
args=$1
1632
args=$1
1647
if [ $nb_args -eq 0 ]
1633
if [ $nb_args -eq 0 ]
1648
then
1634
then
1649
	nb_args=1
1635
	nb_args=1
1650
	args="-h"
1636
	args="-h"
1651
fi
1637
fi
1652
case $args in
1638
case $args in
1653
	-\? | -h* | --h*)
1639
	-\? | -h* | --h*)
1654
		echo "$usage"
1640
		echo "$usage"
1655
		exit 0
1641
		exit 0
1656
		;;
1642
		;;
1657
	-i | --install)
1643
	-i | --install)
1658
		header_install
1644
		header_install
1659
		testing
1645
		testing
1660
# Test if ALCASAR is already installed
1646
# Test if ALCASAR is already installed
1661
		if [ -e $DIR_WEB/VERSION ]
1647
		if [ -e $DIR_WEB/VERSION ]
1662
		then
1648
		then
1663
			actual_version=`cat $DIR_WEB/VERSION`
1649
			actual_version=`cat $DIR_WEB/VERSION`
1664
			if [ $Lang == "fr" ]
1650
			if [ $Lang == "fr" ]
1665
				then echo -n "La version "; echo -n $actual_version ; echo " d'ALCASAR est déjà installée";
1651
				then echo -n "La version "; echo -n $actual_version ; echo " d'ALCASAR est déjà installée";
1666
				else echo -n "ALCASAR Version "; echo -n $actual_version ; echo " is already installed";
1652
				else echo -n "ALCASAR Version "; echo -n $actual_version ; echo " is already installed";
1667
			fi
1653
			fi
1668
			response=0
1654
			response=0
1669
			PTN='^[oOnNyY]$'
1655
			PTN='^[oOnNyY]$'
1670
			until [[ $(expr $response : $PTN) -gt 0 ]]
1656
			until [[ $(expr $response : $PTN) -gt 0 ]]
1671
			do
1657
			do
1672
				if [ $Lang == "fr" ]
1658
				if [ $Lang == "fr" ]
1673
					then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
1659
					then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
1674
					else echo -n "Do you want to update (Y/n)?";
1660
					else echo -n "Do you want to update (Y/n)?";
1675
				 fi
1661
				 fi
1676
				read response
1662
				read response
1677
			done
1663
			done
1678
			if [ "$response" = "n" ] || [ "$response" = "N" ] 
1664
			if [ "$response" = "n" ] || [ "$response" = "N" ] 
1679
			then
1665
			then
1680
				rm -f /tmp/alcasar-conf*
1666
				rm -f /tmp/alcasar-conf*
1681
			else
1667
			else
1682
				RUNNING_VERSION=`cat $DIR_WEB/VERSION|cut -d" " -f1`
1668
				RUNNING_VERSION=`cat $DIR_WEB/VERSION|cut -d" " -f1`
1683
				MAJ_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f1`
1669
				MAJ_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f1`
1684
				MIN_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f2|cut -c1`
1670
				MIN_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f2|cut -c1`
1685
				UPD_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f3`
1671
				UPD_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f3`
1686
# Create a backup of running version importants files
1672
# Create a backup of running version importants files
1687
				chmod u+x $DIR_SCRIPTS/alcasar-conf.sh
1673
				chmod u+x $DIR_SCRIPTS/alcasar-conf.sh
1688
				$DIR_SCRIPTS/alcasar-conf.sh --create
1674
				$DIR_SCRIPTS/alcasar-conf.sh --create
1689
				mode="update"
1675
				mode="update"
1690
			fi
1676
			fi
1691
		fi
1677
		fi
1692
# RPMs install
1678
# RPMs install
1693
		$DIR_SCRIPTS/alcasar-urpmi.sh
1679
		$DIR_SCRIPTS/alcasar-urpmi.sh
1694
		if [ "$?" != "0" ]
1680
		if [ "$?" != "0" ]
1695
		then
1681
		then
1696
			exit 0
1682
			exit 0
1697
		fi
1683
		fi
1698
		if [ -e $DIR_WEB/VERSION ]
1684
		if [ -e $DIR_WEB/VERSION ]
1699
		then
1685
		then
1700
# Uninstall the running version
1686
# Uninstall the running version
1701
			$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1687
			$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1702
		fi
1688
		fi
1703
# Test if manual update	
1689
# Test if manual update	
1704
		if [ -e /tmp/alcasar-conf.tar.gz ] && [ "$mode" != "update" ]
1690
		if [ -e /tmp/alcasar-conf.tar.gz ] && [ "$mode" != "update" ]
1705
		then
1691
		then
1706
			header_install
1692
			header_install
1707
			if [ $Lang == "fr" ]
1693
			if [ $Lang == "fr" ]
1708
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
1694
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
1709
				else echo "The configuration file of an old version has been found";
1695
				else echo "The configuration file of an old version has been found";
1710
			fi
1696
			fi
1711
			response=0
1697
			response=0
1712
			PTN='^[oOnNyY]$'
1698
			PTN='^[oOnNyY]$'
1713
			until [[ $(expr $response : $PTN) -gt 0 ]]
1699
			until [[ $(expr $response : $PTN) -gt 0 ]]
1714
			do
1700
			do
1715
				if [ $Lang == "fr" ]
1701
				if [ $Lang == "fr" ]
1716
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
1702
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
1717
					else echo -n "Do you want to use it (Y/n)?";
1703
					else echo -n "Do you want to use it (Y/n)?";
1718
				 fi
1704
				 fi
1719
				read response
1705
				read response
1720
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
1706
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
1721
				then rm -f /tmp/alcasar-conf*
1707
				then rm -f /tmp/alcasar-conf*
1722
				fi
1708
				fi
1723
			done
1709
			done
1724
		fi
1710
		fi
1725
# Test if update
1711
# Test if update
1726
		if [ -e /tmp/alcasar-conf.tar.gz ] 
1712
		if [ -e /tmp/alcasar-conf.tar.gz ] 
1727
		then
1713
		then
1728
			if [ $Lang == "fr" ]
1714
			if [ $Lang == "fr" ]
1729
				then echo "#### Installation avec mise à jour ####";
1715
				then echo "#### Installation avec mise à jour ####";
1730
				else echo "#### Installation with update     ####";
1716
				else echo "#### Installation with update     ####";
1731
			fi
1717
			fi
1732
# Extract the central configuration file
1718
# Extract the central configuration file
1733
			tar -xf /tmp/alcasar-conf.tar.gz conf/etc/alcasar.conf 
1719
			tar -xf /tmp/alcasar-conf.tar.gz conf/etc/alcasar.conf 
1734
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
1720
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
1735
			mode="update"
1721
			mode="update"
1736
		else
1722
		else
1737
			mode="install"
1723
			mode="install"
1738
		fi
1724
		fi
1739
		for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install
1725
		for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install
1740
		do
1726
		do
1741
			$func
1727
			$func
1742
# echo "*** 'debug' : end of function $func ***"; read a
1728
# echo "*** 'debug' : end of function $func ***"; read a
1743
		done
1729
		done
1744
		;;
1730
		;;
1745
	-u | --uninstall)
1731
	-u | --uninstall)
1746
		if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1732
		if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1747
		then
1733
		then
1748
			if [ $Lang == "fr" ]
1734
			if [ $Lang == "fr" ]
1749
				then echo "ALCASAR n'est pas installé!";
1735
				then echo "ALCASAR n'est pas installé!";
1750
				else echo "ALCASAR isn't installed!";
1736
				else echo "ALCASAR isn't installed!";
1751
			fi
1737
			fi
1752
			exit 0
1738
			exit 0
1753
		fi
1739
		fi
1754
		response=0
1740
		response=0
1755
		PTN='^[oOnN]$'
1741
		PTN='^[oOnN]$'
1756
		until [[ $(expr $response : $PTN) -gt 0 ]]
1742
		until [[ $(expr $response : $PTN) -gt 0 ]]
1757
		do
1743
		do
1758
			if [ $Lang == "fr" ]
1744
			if [ $Lang == "fr" ]
1759
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
1745
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
1760
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
1746
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
1761
			fi
1747
			fi
1762
			read response
1748
			read response
1763
		done
1749
		done
1764
		if [ "$reponse" = "o" ] || [ "$reponse" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
1750
		if [ "$reponse" = "o" ] || [ "$reponse" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
1765
		then
1751
		then
1766
			$DIR_SCRIPT/alcasar-conf.sh --create
1752
			$DIR_SCRIPT/alcasar-conf.sh --create
1767
		else	
1753
		else	
1768
			rm -f /tmp/alcasar-conf*
1754
			rm -f /tmp/alcasar-conf*
1769
		fi
1755
		fi
1770
# Uninstall the running version
1756
# Uninstall the running version
1771
		$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1757
		$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1772
		;;
1758
		;;
1773
	*)
1759
	*)
1774
		echo "Argument inconnu :$1";
1760
		echo "Argument inconnu :$1";
1775
		echo "Unknown argument :$1";
1761
		echo "Unknown argument :$1";
1776
		echo "$usage"
1762
		echo "$usage"
1777
		exit 1
1763
		exit 1
1778
		;;
1764
		;;
1779
esac
1765
esac
1780
# end of script
1766
# end of script
1781
 
1767
 
1782
 
1768