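#!/bin/bash
#  $Id: alcasar.sh 860 2012-04-20 17:51:24Z richard $ 

# alcasar.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)

# Install script for ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau),
# a secured and authenticated Internet access control captive portal.
# ALCASAR is based on a stripped Mandriva (LSB) with the following open source software :
#
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, awstat, ntpd, openssl, dnsmasq, havp, libclamav  and firewalleyes

# Options :
#       -i or --install
#       -u or --uninstall

# Functions :
#	testing		: connectivity and download tests before the installation
#	init		: installation of the RPMs and of the scripts
#	network		: network setup
#	gestion		: installation of the management interface (ALCASAR Control Center)
#	AC		: initialisation of the certification authority, creation of the certificates
#	init_db		: creation of the 'radius' database on the MySQL server
#	param_radius	: configuration of the FreeRadius authentication server
#	param_web_radius: configuration of the FreeRadius management interface (dialupadmin)
#	param_chilli	: configuration of the 'coova-chilli' daemon and of the authentication page
#	param_squid	: configuration of the squid proxy in 'cache' mode
#	param_dansguardian : configuration of the DansGuardian content analyser
#	antivirus	: installation of havp + libclamav
#	param_awstats	: configuration of the web browsing statistics interface
#	dnsmasq		: configuration of the name server and of the backup dhcp server
#	BL		: BlackList configuration
#	cron		: setup of the log exports (+ encryption)
#	post_install	: finalisation of the environment (security, banners, log rotation, ...)
#
# NOTE(review): this script runs as root and rewrites system files. It deliberately does not
# use 'set -e' (many steps are best-effort), so the failure of a single command is not fatal;
# the checks that matter are done explicitly by the functions. $VERSION and $mode are set
# further down the file, outside this section.

DATE=$(date '+%d %B %Y - %Hh%M')
DATE_SHORT=$(date '+%d/%m/%Y')
Lang=${LANG:0:2}				# two-letter language code ("fr" selects the French messages); empty when $LANG is unset
# ******* Files parameters - paramètres fichiers *********
DIR_INSTALL=$(pwd)				# install directory: the script must be started from the unpacked tree (conf/, scripts/, web/)
DIR_CONF="$DIR_INSTALL/conf"			# install directory holding the configuration files
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory holding the scripts
DIR_SAVE="/var/Save"				# backup directory (system_backup, user_db_backup, logs)
DIR_WEB="/var/www/html"				# APACHE document root
DIR_DG="/etc/dansguardian"			# DansGuardian config directory
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
DIR_DEST_BIN="/usr/local/bin"			# scripts directory
DIR_DEST_SBIN="/usr/local/sbin"			# admin scripts directory
DIR_DEST_ETC="/usr/local/etc"			# config files directory
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# alcasar central config file
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# clear-text file holding the generated passwords and shared secrets (created mode 640 by init())
# ******* DBMS parameters - paramètres SGBD ********
DB_RADIUS="radius"				# name of the database used by the FreeRadius server
DB_USER="radius"				# name of the database user
# ******* Network parameters - paramètres réseau *******
HOSTNAME="alcasar"				# 
DOMAIN="localdomain"				# local domain
EXTIF="eth0"					# ETH0 is the interface connected to the Internet (ISP box)
INTIF="eth1"					# ETH1 is the interface connected to the consultation LAN
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# ALCASAR address (+mask) proposed by default on the consultation LAN
# ****** Paths - chemin des commandes *******
SED="/bin/sed -i"
# ****************** End of global parameters *********************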

# Clears the screen and prints the installation banner (title with the running $VERSION).
# Globals read : VERSION
header_install ()
{
	clear
	local rule="-----------------------------------------------------------------------------"
	printf '%s\n' "$rule"
	printf '%s\n' "                     ALCASAR V$VERSION Installation"
	printf '%s\n' "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
	printf '%s\n' "$rule"
} # End of header_install ()
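
##################################################################
##			Fonction TESTING			##
## - Test de la connectivité Internet				##
##################################################################
# Pre-installation checks of the network setup, in this order:
#   1. the ifcfg file of $EXTIF defines IPADDR and GATEWAY,
#   2. both NICs report a live Ethernet link (ethtool or mii-tool),
#   3. exactly one default route exists; if it sits on eth1 the two ifcfg files are
#      swapped and the user is asked to run the script again,
#   4. the default gateway answers an ARP request,
#   5. an HTTP request to www.google.fr gets an answer.
# Globals read : EXTIF, INTIF, Lang, SED
# Globals set  : PUBLIC_IP, PUBLIC_GATEWAY (reused by network()), IP_GW
# Exits with status 1 whenever the installation cannot go on. Every failure branch used to
# "exit 0", which made a failed check indistinguishable from success for any wrapper or
# automation looking at the exit status.
testing ()
{
	if [ "$Lang" == "fr" ]
		then echo -n "Tests des paramètres réseau : "
		else echo -n "Network parameters tests : "
	fi
# We test eth0 config files. Keys are anchored at line start so that a commented-out line
# or a longer key (GATEWAYDEV=, IPADDR6=) cannot be mistaken for the value.
	PUBLIC_IP=$(grep "^IPADDR=" "/etc/sysconfig/network-scripts/ifcfg-$EXTIF" 2>/dev/null|cut -d"=" -f2)
	PUBLIC_GATEWAY=$(grep "^GATEWAY=" "/etc/sysconfig/network-scripts/ifcfg-$EXTIF" 2>/dev/null|cut -d"=" -f2)
	if [ "${#PUBLIC_IP}" -lt 6 ] || [ "${#PUBLIC_GATEWAY}" -lt 6 ]		# same threshold as the former "wc -c < 7" (which counted the newline)
		then
		if [ "$Lang" == "fr" ]
		then 
			echo "Échec"
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
			echo "Appliquez les changements : 'service network restart'"
		else
			echo "Failed"
			echo "The Internet connected network card ($EXTIF) isn't well configured."
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
			echo "Apply the new configuration 'service network restart'"
		fi
		echo "DEVICE=$EXTIF"
		echo "IPADDR="
		echo "NETMASK="
		echo "GATEWAY="
		echo "DNS1="
		echo "DNS2="
		echo "ONBOOT=yes"
		exit 1
	fi
	echo -n "."
# We test the Ethernet links state. A link is considered up when either ethtool or mii-tool
# reports it; the variables are quoted so that a tool printing nothing cannot break the test.
	for i in $EXTIF $INTIF
	do
		/sbin/ip link set "$i" up
		sleep 3
		link_ethtool=$(/usr/sbin/ethtool "$i" |grep Link | awk '{print $NF}')
		link_mii=$(/sbin/mii-tool "$i" | grep -i link | awk '{print $NF}')
		if [ "$link_ethtool" != "yes" ] && [ "$link_mii" != "ok" ]
			then
			if [ "$Lang" == "fr" ]
			then 
				echo "Échec"
				echo "Le lien réseau de la carte $i n'est pas actif."
				echo "Réglez ce problème puis relancez ce script."
			else
				echo "Failed"
				echo "The link state of $i interface id down."
				echo "Resolv this problem, then restart this script."
			fi
			exit 1
		fi
	echo -n "."
	done
# Check that exactly one default router (ISP box) is known
	if [ "$(ip route list|grep -c ^default)" -ne "1" ] ; then
		if [ "$Lang" == "fr" ]
		then 
			echo "Échec"
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
			echo "Réglez ce problème puis relancez ce script."
		else
			echo "Failed"
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
			echo "Resolv this problem, then restart this script."
		fi
		exit 1
	fi
	echo -n "."
# Handle the case where the interface configured at OS install time is "eth1" instead of
# "eth0" (seen with some BIOS versions and VirtualBox): the ifcfg file is moved and
# rewritten, then the script stops so that the user restarts it on a consistent setup.
	if [ "$(ip route list|grep ^default|grep -c eth1)" -eq "1" ] ; then
		if [ "$Lang" == "fr" ]
			then echo "La configuration des cartes réseau va être corrigée."
			else echo "The Ethernet card configuration will be corrected."
		fi
		/etc/init.d/network stop
		mv -f /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth0
		$SED "s?eth1?eth0?g" /etc/sysconfig/network-scripts/ifcfg-eth0
		/etc/init.d/network start
		echo 0 > /proc/sys/net/ipv4/conf/all/log_martians	# presumably to silence the 'martian source' kernel messages caused by the renaming
		sleep 2
		if [ "$Lang" == "fr" ]
			then echo "Configuration corrigée"
			else echo "Configuration updated"
		fi
		sleep 2
		if [ "$Lang" == "fr" ]
			then echo "Vous pouvez relancer ce script."
			else echo "You can restart this script."
		fi
		exit 1	# the installation did not run: non-zero so that a wrapper does not take it for a success
	fi
	echo -n "."
# Check the link to the default router with an ARP request
	IP_GW=$(ip route list|grep ^default|cut -d" " -f3)
	arp_reply=$(/usr/sbin/arping -b -I"$EXTIF" -c1 -w2 "$IP_GW"|grep response|cut -d" " -f2)
	if [ "${arp_reply:-0}" -eq 0 ]	# nothing parsed from arping counts as "no answer" instead of a test error
	       	then
		if [ "$Lang" == "fr" ]
		then 
			echo "Échec"
			echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
			echo "Réglez ce problème puis relancez ce script."
		else
			echo "Failed"
			echo "The Internet gateway doesn't answered"
			echo "Resolv this problem, then restart this script."
		fi
		exit 1
	fi
	echo -n "."
# We test the Internet connectivity with a plain HTTP request. The answer is discarded (no
# predictable file is written in /tmp as root any more) and nothing in it is trusted: an
# upstream captive or intercepting proxy may answer in place of google.fr, so this only
# proves that something on port 80 is reachable through $EXTIF.
	if ! /usr/bin/curl www.google.fr -s -o /dev/null
	then
		if [ "$Lang" == "fr" ]
		then 
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
			echo "Vérifiez la validité des adresses IP des DNS."
		else
			echo "The Internet connection try failed (google.fr)."
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
			echo "Verify the DNS IP addresses"
		fi
		exit 1
	fi
	echo ". : ok"
} # end of testing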
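
##################################################################
##			Fonction INIT				##
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
## - Installation et modification des scripts du portail	##
##################################################################
# gen_secret LEN : prints LEN random characters from [a-zA-Z0-9] read from /dev/urandom
# (LEN defaults to 8). The alphabet is deliberately limited to alphanumerics: the secrets
# are later spliced into sed replacement strings and double-quoted config values, so no
# shell, sed or quote metacharacter may ever appear in them. LC_ALL=C keeps [:alnum:]
# ASCII-only whatever the locale. 8 such characters carry about 47 bits of entropy; ask
# for more where the consumer accepts longer secrets.
gen_secret ()
{
	local len=${1:-8}
	LC_ALL=C tr -dc '[:alnum:]' < /dev/urandom | head -c "$len"
}

# First-install prompt for the organism name, generation of every local secret into
# $PASSWD_FILE, installation of the ALCASAR scripts and config files, and creation of the
# central config file $CONF_FILE.
# Globals read : mode, Lang, VERSION, DATE, DIR_SCRIPTS, DIR_CONF, DIR_DEST_BIN,
#                DIR_DEST_SBIN, DIR_DEST_ETC, PASSWD_FILE, CONF_FILE, DB_USER, DB_RADIUS, SED
# Globals set  : ORGANISME, grubpwd, md5_grubpwd, mysqlpwd, radiuspwd, secretuam,
#                secretradius (the secrets are reused by the following functions)
init ()
{
	if [ "$mode" != "update" ]
	then
# Ask for the organism name. Only [a-zA-Z0-9-] is accepted because the value is written
# into configuration files (and later certificates) without any further escaping.
		header_install
		ORGANISME=""
		until [[ $ORGANISME =~ ^[a-zA-Z0-9-]+$ ]]
		do
			if [ "$Lang" == "fr" ]
				then echo -n "Entrez le nom de votre organisme : "
				else echo -n "Enter the name of your organism : "
			fi
			read -r ORGANISME
		done
	fi
# Generate the passwords and shared secrets. The file is created empty under umask 077 and
# only then filled: with the default umask the former "echo > file" left it world-readable
# between its creation and the final chmod.
	rm -f "$PASSWD_FILE"
	( umask 077 && : > "$PASSWD_FILE" )
	chmod 640 "$PASSWD_FILE"
	grubpwd=$(gen_secret 8)		# password protecting the GRUB boot menu
	echo -n "Password to protect the boot menu (GRUB) : " >> "$PASSWD_FILE"
	echo "$grubpwd" >> "$PASSWD_FILE"
	md5_grubpwd=$(/usr/bin/md5pass "$grubpwd")	# GRUB legacy only understands MD5-crypt; note the clear password transits on md5pass's command line
	$SED "/^password.*/d" /boot/grub/menu.lst
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
	mysqlpwd=$(gen_secret 8)		# password of the MySQL administrator
	echo -n "Name and password of MYSQL administrator : " >> "$PASSWD_FILE"
	echo "root / $mysqlpwd" >> "$PASSWD_FILE"
	radiuspwd=$(gen_secret 8)		# password of the MySQL user (used by freeradius)
	echo -n "Name and password of MYSQL user : " >> "$PASSWD_FILE"
	echo "$DB_USER / $radiuspwd" >> "$PASSWD_FILE"
	secretuam=$(gen_secret 8)		# shared secret between intercept.php and coova-chilli
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> "$PASSWD_FILE"
	echo "$secretuam" >> "$PASSWD_FILE"
	secretradius=$(gen_secret 8)		# shared secret between coova-chilli and FreeRadius
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> "$PASSWD_FILE"
	echo "$secretradius" >> "$PASSWD_FILE"
# Install the ALCASAR scripts and config files
#  - in /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log-clean.sh,log-export.sh,watchdog.sh}
	cp -f "$DIR_SCRIPTS"/alcasar* "$DIR_DEST_BIN/." ; chown root:root "$DIR_DEST_BIN"/alcasar* ; chmod 740 "$DIR_DEST_BIN"/alcasar*
#  - in /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
	cp -f "$DIR_SCRIPTS"/sbin/alcasar* "$DIR_DEST_SBIN/." ; chown root:root "$DIR_DEST_SBIN"/alcasar* ; chmod 740 "$DIR_DEST_SBIN"/alcasar*
#  - config files in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,ethers,iptables-local.sh,services}
# NOTE(review): group apache gets write access (660) to all of them, including
# alcasar-iptables-local.sh. If that file is executed by the root-run firewall script (its
# name suggests so), a compromised web server could escalate to root through it. Whether
# the ACC really needs to write it cannot be told from here; if it does not, make it 640.
	cp -f "$DIR_CONF"/etc/alcasar* "$DIR_DEST_ETC/." ; chown root:apache "$DIR_DEST_ETC"/alcasar* ; chmod 660 "$DIR_DEST_ETC"/alcasar*
# Splice the secrets into the installed scripts (safe only because gen_secret yields alphanumerics)
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" "$DIR_DEST_SBIN/alcasar-logout.sh"
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" "$DIR_DEST_SBIN/alcasar-mysql.sh"
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" "$DIR_DEST_SBIN/alcasar-mysql.sh" "$DIR_DEST_BIN/alcasar-conf.sh"
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" "$DIR_DEST_SBIN/alcasar-mysql.sh" "$DIR_DEST_BIN/alcasar-conf.sh"
# generate central conf file (no secret in it; the following functions append to it)
	cat <<EOF > "$CONF_FILE"
##########################################
##                                      ##
##          ALCASAR Parameters          ##
##                                      ##
##########################################

INSTALL_DATE=$DATE
VERSION=$VERSION
ORGANISM=$ORGANISME
EOF
	chmod o-rwx "$CONF_FILE"
} # End of init ()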
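
##################################################################
##			Fonction network			##
## - Définition du plan d'adressage du réseau de consultation	##
## - Nommage DNS du système 					##
## - Configuration de l'interface eth1 (réseau de consultation)	##
## - Modification du fichier /etc/hosts				##
## - Configuration du serveur de temps (NTP)			##
## - Renseignement des fichiers hosts.allow et hosts.deny	##
##################################################################
# Defines the consultation LAN addressing plan, writes the ifcfg files of both NICs,
# /etc/hosts, the NTP configuration and the tcp_wrappers files, and records the network
# parameters in $CONF_FILE. The firewall is only parameterised here; it is started at the
# end of the installation (see the last comment of the function).
# Globals read : mode, Lang, DEFAULT_PRIVATE_IP_MASK, HOSTNAME, EXTIF, INTIF, PUBLIC_IP and
#                PUBLIC_GATEWAY (set by testing()), CONF_FILE, DIR_DEST_BIN, DIR_DEST_ETC, SED
# Globals set  : PRIVATE_IP_MASK, PRIVATE_NETWORK, PRIVATE_NETMASK, PRIVATE_IP,
#                PRIVATE_NETWORK_MASK, PRIVATE_NETWORK_SHORT, PRIVATE_BROADCAST,
#                PRIVATE_FIRST_IP, PRIVATE_LAST_IP, DNS1, DNS2, PUBLIC_NETMASK, PUBLIC_PREFIX
#                (all reused by later functions)
network ()
{
	header_install
	if [ "$mode" != "update" ]
		then
		if [ "$Lang" == "fr" ]
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		fi
		response=""
		until [[ $response =~ ^[oOyYnN]$ ]]
		do
			if [ "$Lang" == "fr" ]
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
			fi
			read -r response
		done
		if [ "$response" = "n" ] || [ "$response" = "N" ]
		then
			PRIVATE_IP_MASK="0"
# Dotted quad with every octet in 0-255 followed by a prefix in /0../29 (expr BRE syntax).
# The dots are escaped: the former pattern used a bare '.', which matched any character.
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)\.\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)\.\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)\.\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
			until [[ $(expr "$PRIVATE_IP_MASK" : "$PTN") -gt 0 ]]
			do
				if [ "$Lang" == "fr" ]
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
				fi
				read -r PRIVATE_IP_MASK
			done
		else
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		fi
	else
# update mode: reuse the address saved by the previous version (file extracted in the current directory)
		PRIVATE_IP_MASK=$(grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2) 
		rm -rf conf/etc/alcasar.conf
	fi
# Define Lan side parameters
	hostname "$HOSTNAME"
	PRIVATE_NETWORK=$(/bin/ipcalc -n "$PRIVATE_IP_MASK" | cut -d"=" -f2)			# private network address (ie.: 192.168.182.0)
	PRIVATE_NETMASK=$(/bin/ipcalc -m "$PRIVATE_IP_MASK" | cut -d"=" -f2)			# private network mask (ie.: 255.255.255.0)
	PRIVATE_IP=${PRIVATE_IP_MASK%%/*}							# ALCASAR private ip address (consultation LAN side)
	private_prefix=$(/bin/ipcalc -p "$PRIVATE_IP_MASK" |cut -d"=" -f2)			# network prefix (ie. 24)
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$private_prefix					# ie.: 192.168.182.0/24
	classe=$((private_prefix/8)); classe_sup=$((classe + 1)); classe_sup_sup=$((classe + 2))	# ie.: 2=classe B, 3=classe C (classe_sup_sup is unused here but kept: it is global)
	PRIVATE_NETWORK_SHORT=$(echo "$PRIVATE_NETWORK" | cut -d"." -f1-"$classe").			# compatibility with hosts.allow and hosts.deny (ie.: 192.168.182.)
	PRIVATE_BROADCAST=$(/bin/ipcalc -b "$PRIVATE_NETWORK_MASK" | cut -d"=" -f2)		# private network broadcast (ie.: 192.168.182.255)
	private_network_ending=$(echo "$PRIVATE_NETWORK" | cut -d"." -f"$classe_sup")		# first octet after the network part of the LAN address
	private_broadcast_ending=$(echo "$PRIVATE_BROADCAST" | cut -d"." -f"$classe_sup")	# first octet after the network part of the LAN broadcast
	PRIVATE_FIRST_IP=$(echo "$PRIVATE_NETWORK" | cut -d"." -f1-3)"."$((private_network_ending + 1))		# First network address (ex.: 192.168.182.1)
	PRIVATE_LAST_IP=$(echo "$PRIVATE_BROADCAST" | cut -d"." -f1-3)"."$((private_broadcast_ending - 1))	# last network address (ex.: 192.168.182.254)
# Define Internet parameters. The original ifcfg-$EXTIF is saved once as default-ifcfg-$EXTIF
# and stays the reference for DNS servers and netmask; the live file is rewritten below.
	[ -e "/etc/sysconfig/network-scripts/default-ifcfg-$EXTIF" ] || cp "/etc/sysconfig/network-scripts/ifcfg-$EXTIF" "/etc/sysconfig/network-scripts/default-ifcfg-$EXTIF"
	DNS1=$(grep DNS1 "/etc/sysconfig/network-scripts/default-ifcfg-$EXTIF"|cut -d"=" -f2) 	# @ip 1st DNS
	DNS2=$(grep DNS2 "/etc/sysconfig/network-scripts/default-ifcfg-$EXTIF"|cut -d"=" -f2) 	# @ip 2nd DNS
	DNS1=${DNS1:=208.67.220.220}	# fallback: OpenDNS resolvers, hard-coded; replace them if the site policy forbids external resolvers
	DNS2=${DNS2:=208.67.222.222}
	PUBLIC_NETMASK=$(grep NETMASK "/etc/sysconfig/network-scripts/default-ifcfg-$EXTIF"|cut -d"=" -f2)
	DEFAULT_PUBLIC_NETMASK=$(ipcalc -m 192.168.182.2 | cut -d"=" -f2)	# a /24 guess derived from a private literal, used only when the ifcfg file has no NETMASK
	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
	PUBLIC_PREFIX=$(/bin/ipcalc -p 192.168.182.2 "$PUBLIC_NETMASK"|cut -d"=" -f2)	# prefix length derived from $PUBLIC_NETMASK
	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> "$CONF_FILE"
	echo "PUBLIC_MTU=1500" >> "$CONF_FILE"
	echo "GW=$PUBLIC_GATEWAY" >> "$CONF_FILE" 
	echo "DNS1=$DNS1" >> "$CONF_FILE"
	echo "DNS2=$DNS2" >> "$CONF_FILE"
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> "$CONF_FILE"
	echo "DHCP=on" >> "$CONF_FILE"
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
# config network (IPv4 forwarding is what makes the box route the consultation LAN)
	cat <<EOF > /etc/sysconfig/network
NETWORKING=yes
HOSTNAME="$HOSTNAME"
FORWARD_IPV4=true
EOF
# config /etc/hosts
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
	cat <<EOF > /etc/hosts
127.0.0.1	localhost
$PRIVATE_IP	$HOSTNAME 
EOF
# Config eth0 (Internet). DNS1 points to the box itself (presumably the local dnsmasq,
# which then forwards to $DNS1/$DNS2 recorded in $CONF_FILE).
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=static
IPADDR=$PUBLIC_IP
NETMASK=$PUBLIC_NETMASK
GATEWAY=$PUBLIC_GATEWAY
DNS1=127.0.0.1
ONBOOT=yes
METRIC=10
NOZEROCONF=yes
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
EOF
# Config eth1 (consultation LAN) in normal mode: no address, coova-chilli owns the LAN side
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
DEVICE=$INTIF
BOOTPROTO=static
ONBOOT=yes
NOZEROCONF=yes
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
EOF
# Config of eth1 in bypass mode (see "alcasar-bypass.sh")
	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
DEVICE=$INTIF
BOOTPROTO=static
IPADDR=$PRIVATE_IP
NETMASK=$PRIVATE_NETMASK
ONBOOT=yes
METRIC=10
NOZEROCONF=yes
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
EOF
# Initial clock setting (servers used by "ntpd -q -g" at the end of gestion())
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
	cat <<EOF > /etc/ntp/step-tickers
0.fr.pool.ntp.org	# adapt to your country
1.fr.pool.ntp.org
2.fr.pool.ntp.org
EOF
# NTP server configuration (the box serves time to the consultation LAN). A default
# "restrict" line is written first: without it ntpd answered mode 6/7 control queries
# (ntpq/ntpdc, monlist) from any source, including the Internet side, which is a known
# amplification vector. The LAN keeps the permissions it had; replies from the
# configured pool servers are still accepted.
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
	cat <<EOF > /etc/ntp.conf
server 0.fr.pool.ntp.org	# adapt to your country
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 127.127.1.0   		# local clock si NTP internet indisponible ...
fudge 127.127.1.0 stratum 10
restrict default kod nomodify notrap nopeer noquery
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
restrict 127.0.0.1
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log
EOF

	chown -R ntp:ntp /var/lib/ntp
# tcp_wrappers: hosts.allow and hosts.deny. Note that sshd is allowed from ALL at this
# level, so reaching it from the Internet side depends on the netfilter rules only.
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
	cat <<EOF > /etc/hosts.allow
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
sshd: ALL
ntpd: $PRIVATE_NETWORK_SHORT
EOF
# Every refused connection to a wrapped service mails 'security': a port scan of those
# services therefore produces one mail per attempt.
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
	cat <<EOF > /etc/hosts.deny
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
EOF
# Firewall config
	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" "$DIR_DEST_BIN/alcasar-iptables.sh"  "$DIR_DEST_BIN/alcasar-iptables-bypass.sh"
	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" "$DIR_DEST_BIN/alcasar-iptables.sh"  "$DIR_DEST_BIN/alcasar-iptables-bypass.sh"
	chmod o+r "$DIR_DEST_BIN/alcasar-iptables.sh" # world-readable for apache (php interface of the network filtering)
# create the filter exception file and ip_bloqued file
	touch "$DIR_DEST_ETC/alcasar-filter-exceptions"
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
	echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > "$DIR_DEST_ETC/alcasar-ip-blocked"
# load conntrack ftp module
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
} # End of network ()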
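
##################################################################
##			Fonction gestion			##
## - installation du centre de gestion				##
## - configuration du serveur web (Apache)			##
## - définition du 1er comptes de gestion 			##
## - sécurisation des accès					##
##################################################################
# create_admin_digest : (re)creates $DIR_DEST_ETC/digest and the 'admin' profile key file
# for the account named in $admin_portal. htdigest prompts for the password on the terminal
# and is re-run until the file is non-empty (presumably what is left when the two password
# entries differ). The key file is then set to root:apache 0640: in HTTP digest auth the
# stored HA1 hash is enough to authenticate (it is password-equivalent for its realm), so it
# must not be world-readable, and httpd only needs group read access to it.
# Globals read : DIR_DEST_ETC, DIR_DEST_SBIN, HOSTNAME, admin_portal
create_admin_digest ()
{
	[ -d "$DIR_DEST_ETC/digest" ] && rm -rf "${DIR_DEST_ETC:?}/digest"
	mkdir -p "$DIR_DEST_ETC/digest"
	chmod 755 "$DIR_DEST_ETC/digest"
	until [ -s "$DIR_DEST_ETC/digest/key_admin" ]
	do
		/usr/sbin/htdigest -c "$DIR_DEST_ETC/digest/key_admin" "$HOSTNAME" "$admin_portal"
	done
	chown root:apache "$DIR_DEST_ETC/digest/key_admin"
	chmod 640 "$DIR_DEST_ETC/digest/key_admin"
	"$DIR_DEST_SBIN/alcasar-profil.sh" --list
}

# Installs the ALCASAR Control Center (ACC) under $DIR_WEB, hardens php.ini and httpd.conf,
# creates the first 'admin' account of the portal and writes the Apache access rules of the
# ACC (TLS + digest authentication + sources limited to the consultation LAN).
# Globals read : DIR_INSTALL, DIR_WEB, DIR_ACC, DIR_SAVE, DIR_DEST_ETC, DIR_DEST_SBIN,
#                VERSION, DATE, DATE_SHORT, DB_RADIUS, DB_USER, radiuspwd (from init()),
#                HOSTNAME, PRIVATE_IP, PRIVATE_NETWORK_MASK (from network()), mode, Lang,
#                MAJ_RUNNING_VERSION, MIN_RUNNING_VERSION (update mode only), SED
# Globals set  : admin_portal, timezone, FIC_MOD_SSL
gestion()
{
# ${DIR_WEB:?} aborts instead of running "rm -rf /" should the variable ever be empty
	[ -d "$DIR_WEB" ] && rm -rf "${DIR_WEB:?}"
	mkdir "$DIR_WEB"
# Copy and configure the files of the management center
	cp -rf "$DIR_INSTALL"/web/* "$DIR_WEB/"
	echo "$VERSION du $DATE" > "$DIR_WEB/VERSION"
	$SED "s?99/99/9999?$DATE_SHORT?g" "$DIR_ACC/menu.php"
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" "$DIR_ACC/phpsysinfo/includes/xml/portail.php"
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" "$DIR_ACC/phpsysinfo/includes/xml/portail.php"
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" "$DIR_ACC/phpsysinfo/includes/xml/portail.php"
	$SED "s?\$hostname =.*?\$hostname = \"$HOSTNAME\";?g" "$DIR_WEB/index.php"
	chmod 640 "$DIR_ACC/phpsysinfo/includes/xml/portail.php"	# holds the MySQL password of the radius user
# NOTE(review): the whole document root, PHP code included, is owned and writable by the web
# server account, so a compromised httpd process could alter the portal pages persistently.
# root:apache read-only, with write access limited to the directories the ACC really writes
# to, would be safer; kept as is because those directories cannot be identified from here.
	chown -R apache:apache "$DIR_WEB"/*
	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
	do
		[ -d "$DIR_SAVE/$i" ] || mkdir -p "$DIR_SAVE/$i"
	done
	chown -R root:apache "$DIR_SAVE"
# php configuration and hardening (no HTML in errors, no version banner)
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
	timezone=$(grep ZONE /etc/sysconfig/clock|cut -d"=" -f2)
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
# Apache configuration and hardening: sample CGI/perl scripts and README files removed, version
# banner hidden, unused or information-leaking modules disabled, and both listeners (80/443)
# bound to the consultation LAN address only.
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
	$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
	FIC_MOD_SSL=$(find /etc/httpd/modules.d/ -type f -name '*mod_ssl.conf')	# pattern quoted: unquoted, the shell expanded it against the current directory
	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" "$FIC_MOD_SSL" # SSL listener on INTIF only
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
	[ -e /var/www/error/include/bottom.html.default ] || mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
	cat <<EOF > /var/www/error/include/bottom.html
</body>
</html>
EOF
# Definition of the first account bound to the 'admin' profile. The name is restricted to
# [a-zA-Z0-9-] on both paths (the update path used to accept anything): it is stored as
# "name:realm:hash" in the digest file, so ':' or blanks would corrupt the entry.
	header_install
	if [ "$mode" = "install" ]
	then
		admin_portal=""
		until [[ $admin_portal =~ ^[a-zA-Z0-9-]+$ ]]
		do
			header_install
			if [ "$Lang" == "fr" ]
			then 
				echo ""
				echo "Définissez un premier compte d'administration du portail :"
				echo
				echo -n "Nom : "
			else
				echo ""
				echo "Define the first account allow to administrate the portal :"
				echo
				echo -n "Account : "
			fi
			read -r admin_portal
		done
		create_admin_digest
	else   # update of a version < 2.1
		if [ "$MAJ_RUNNING_VERSION" -lt 2 ] || { [ "$MAJ_RUNNING_VERSION" -eq 2 ] && [ "$MIN_RUNNING_VERSION" -lt 1 ]; }
			then
			admin_portal=""
			until [[ $admin_portal =~ ^[a-zA-Z0-9-]+$ ]]
			do
				if [ "$Lang" == "fr" ]
				then 
					echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
					echo
					echo -n "Nom : "
				else
					echo "This update need to redefine the first admin account"
					echo
					echo -n "Account : "
				fi
				read -r admin_portal
			done
			create_admin_digest
		fi
	fi
# time synchronisation (one shot, in background)
	ntpd -q -g &
# ACC access rules: TLS mandatory, HTTP digest authentication against the profile key files,
# sources limited to localhost and the consultation LAN (with the default "Satisfy All" both
# the source restriction and a valid user are required). $DIR_SAVE is exposed under /save/
# with directory listing for the 'backup' profile; it gets the same AllowOverride None as
# the other sections.
	rm -f /etc/httpd/conf/webapps.d/*
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
<Directory $DIR_ACC>
	SSLRequireSSL
	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_DEST_ETC/digest/key_all
	ErrorDocument 404 https://$HOSTNAME/
</Directory>
<Directory $DIR_ACC/admin>
	SSLRequireSSL
	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
	ErrorDocument 404 https://$HOSTNAME/
</Directory>
<Directory $DIR_ACC/manager>
	SSLRequireSSL
	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
	ErrorDocument 404 https://$HOSTNAME/
</Directory>
<Directory $DIR_ACC/backup>
	SSLRequireSSL
	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
	ErrorDocument 404 https://$HOSTNAME/
</Directory>
Alias /save/ "$DIR_SAVE/"
<Directory $DIR_SAVE>
	SSLRequireSSL
	AllowOverride None
	Options Indexes
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
	ErrorDocument 404 https://$HOSTNAME/
</Directory>
EOF
} # End of gestion ()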
662
 
663
##########################################################################################
664
##				Fonction AC()						##
665
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
666
##########################################################################################
667
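AC ()
{
	# Create the ALCASAR certificate authority and the Apache server
	# certificate (delegated to alcasar-CA.sh), then point the default SSL
	# vhost at alcasar.crt / alcasar.key and the server chain file.
	# Uses globals: SED, INTIF, DIR_DEST_BIN. Sets FIC_VIRTUAL_SSL.
	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
	$DIR_DEST_BIN/alcasar-CA.sh
	# Quote the pattern: unquoted, the shell would glob it against the cwd
	# before find ever saw it.
	FIC_VIRTUAL_SSL=$(find /etc/httpd/conf -type f -name '*default_ssl_vhost.conf')
	# Without this guard the seds below would run on an empty file name and
	# Apache would silently keep serving the stock 'localhost' certificate.
	if [ ! -f "$FIC_VIRTUAL_SSL" ]
	then
		echo "AC: default SSL vhost file not found (or not unique) under /etc/httpd/conf; Apache not wired to the ALCASAR certificate" >&2
		return 1
	fi
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp "$FIC_VIRTUAL_SSL" /etc/httpd/conf/vhosts-ssl.default
	$SED "s?localhost.crt?alcasar.crt?g" "$FIC_VIRTUAL_SSL"
	$SED "s?localhost.key?alcasar.key?g" "$FIC_VIRTUAL_SSL"
	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" "$FIC_VIRTUAL_SSL"
	# The whole PKI tree becomes root:apache 750, i.e. group apache can read
	# every file under it, private keys included.
	# NOTE(review): the CA private key written by alcasar-CA.sh does not need
	# to be readable by Apache; consider restricting it to root once its path
	# is confirmed.
	chown -R root:apache /etc/pki
	chmod -R 750 /etc/pki
} # End AC ()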
679
 
680
##########################################################################################
681
##			Fonction init_db()						##
682
## - Initialisation de la base Mysql							##
683
## - Affectation du mot de passe de l'administrateur (root)				##
684
## - Suppression des bases et des utilisateurs superflus				##
685
## - Création de la base 'radius'							##
686
## - Installation du schéma de cette base						##
687
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
688
##       ces tables proviennent de 'dialupadmin' (paquetage freeradius-web)		##
689
##########################################################################################
690
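init_db ()
{
	# Initialise MySQL for ALCASAR:
	#  - bind the server to 127.0.0.1 and set the root password
	#  - drop the sample databases and the anonymous accounts
	#  - create the '$DB_RADIUS' database owned by '$DB_USER'@localhost
	#  - load the empty radius schema (radiusd-db-vierge.sql)
	#  - make the mysqld init script close open accounting sessions on stop/start
	# Uses globals: mysqlpwd, radiuspwd, DB_RADIUS, DB_USER, DIR_CONF, SED.
	local opts
	mkdir -p /var/lib/mysql/.tmp
	chown mysql:mysql /var/lib/mysql/.tmp
	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf		# pick up a MySQL package migration
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf		# never reachable from the network
	/etc/init.d/mysqld start
	sleep 4		# fixed grace period for mysqld to come up (no readiness probe)
	# First run: root has no password yet. mysqladmin only takes it on the
	# command line, so it is briefly visible in 'ps'; every later call below
	# reads credentials from a root-only option file instead of '-p<pwd>' on argv.
	mysqladmin -u root password "$mysqlpwd"
	opts=$(mktemp) || return 1		# mktemp creates the file mode 0600
	# NOTE(review): assumes the generated passwords contain no '"', '\' or "'"
	# (option-file quoting here, SQL string literal in the GRANT below).
	printf '[client]\nuser=root\npassword="%s"\n' "$mysqlpwd" > "$opts"
# Drop the sample databases and the anonymous accounts shipped by default
	/usr/bin/mysql --defaults-extra-file="$opts" -e "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;DELETE FROM mysql.user WHERE user='';FLUSH PRIVILEGES;"
# Create the 'radius' database and its dedicated account (localhost only)
	/usr/bin/mysql --defaults-extra-file="$opts" -e "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
# Load the empty radius schema as the radius DB user
	printf '[client]\nuser=%s\npassword="%s"\n' "$DB_USER" "$radiuspwd" > "$opts"
	/usr/bin/mysql --defaults-extra-file="$opts" "$DB_RADIUS" < "$DIR_CONF/radiusd-db-vierge.sql"
	rm -f "$opts"
# make the init script close open accounting sessions when the system goes down or comes up
	[ -e /etc/init.d/mysqld.default ] || cp /etc/init.d/mysqld /etc/init.d/mysqld.default
	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
} # End init_db ()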
712
 
713
##########################################################################
714
##			Fonction param_radius				##
715
## - Paramétrage des fichiers de configuration FreeRadius		##
716
## - Affectation du secret partagé entre coova-chilli et freeradius	##
717
## - Modification de fichier de conf pour l'accès à Mysql		##
718
##########################################################################
719
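param_radius ()
{
	# Configure FreeRADIUS for ALCASAR:
	#  - run as radius:radius, listen on 127.0.0.1 only, no status server
	#  - no proxying, no EAP, no policy.conf; SQL module and SQL counters on
	#  - a single virtual server 'alcasar' (the ACC may edit it and the ldap module)
	#  - clients.conf with the coova-chilli shared secret
	#  - sql.conf with the radius DB credentials
	# Uses globals: DIR_CONF, SED, secretradius, DB_USER, radiuspwd, DB_RADIUS.
	local radconf=/etc/raddb/radiusd.conf
	local sqlconf=/etc/raddb/sql.conf
	local clients=/etc/raddb/clients.conf
	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
	chown -R radius:radius /etc/raddb
	[ -e $radconf.default ] || cp $radconf $radconf.default
# radiusd.conf: drop privileges, no status server
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" $radconf
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" $radconf
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" $radconf
# no proxying
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" $radconf
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" $radconf
# no EAP module
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" $radconf
# loopback only: only the local coova-chilli may reach radius (to revisit for EAP)
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" $radconf
# SQL module and SQL counters
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" $radconf
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" $radconf
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" $radconf
# virtual servers: only the ALCASAR one
	rm -f /etc/raddb/sites-enabled/*
	cp $DIR_CONF/alcasar-radius /etc/raddb/sites-available/alcasar
	# rw for apache: the ACC edits the virtual server and the ldap module
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
# unused here, but a radius package update recreates these links: pin them as empty files
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
# clients.conf (127.0.0.1 is enough; a second client will come back with EAP)
	[ -e $clients.default ] || cp -f $clients $clients.default
	cat << EOF > $clients
client 127.0.0.1 {
	secret = $secretradius
	shortname = localhost
}
EOF
# sql.conf
	[ -e $sqlconf.default ] || cp $sqlconf $sqlconf.default
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" $sqlconf
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" $sqlconf
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" $sqlconf
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" $sqlconf
	# clients.conf now holds the RADIUS shared secret and sql.conf the DB
	# password. radiusd reads them as 'radius' (set above); nothing in this
	# installer gives another account access to them, so do not leave them at
	# whatever mode the package or a previous run used.
	chown radius:radius $clients $sqlconf
	chmod 640 $clients $sqlconf
# dialup.conf
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
	cp -f $DIR_CONF/dialup.conf /etc/raddb/sql/mysql/dialup.conf
} # End param_radius ()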
766
 
767
##########################################################################
768
##			Fonction param_web_radius			##
769
## - Import, modification et paramètrage de l'interface "dialupadmin"	##
770
## - Création du lien vers la page de changement de mot de passe        ##
771
##########################################################################
772
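param_web_radius ()
{
	# Import freeradius-web (dialupadmin) into the ACC 'manager' area, overlay
	# the ALCASAR-modified pages, configure it against the radius DB and add
	# the Apache stanza for the self-service password page.
	# Uses globals: DIR_ACC, DIR_INSTALL, DIR_CONF, DOMAIN, DB_USER, radiuspwd,
	# ORGANISME, PRIVATE_IP, DIR_WEB, PRIVATE_NETWORK_MASK, HOSTNAME, SED.
	local admin=/etc/freeradius-web/admin.conf
	local frw=/etc/freeradius-web
# copy the stock interface into the ALCASAR tree, minus its landing pages
	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 
	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
# overlay the modified files
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
	chown -R apache:apache $DIR_ACC/manager/
# admin.conf
	[ -e $admin.default ] || cp $admin $admin.default
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" $admin
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" $admin
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" $admin
	$SED "s?^sql_debug:.*?sql_debug: false?g" $admin
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" $admin
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" $admin
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" $admin
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" $admin
	$SED "s?^general_charset.*?general_charset: utf8?g" $admin
	[ -e $frw/config.php.default ] || cp $frw/config.php $frw/config.php.default
	cp -f $DIR_CONF/freeradiusweb-config.php $frw/config.php
	# nas1_community is only consulted by the SNMP 'finger', which is
	# commented out above (general_finger_type).
	cat <<EOF > $frw/naslist.conf
nas1_name: alcasar-$ORGANISME
nas1_model: Portail captif
nas1_ip: $PRIVATE_IP
nas1_port_num: 0
nas1_community: public
EOF
# attributes shown when creating a user or a group
	[ -e $frw/user_edit.attrs.default ] || mv $frw/user_edit.attrs $frw/user_edit.attrs.default
	cp -f $DIR_CONF/user_edit.attrs $frw/user_edit.attrs
# chillispot attribute mapping
	[ -e $frw/sql.attrmap.default ] || mv $frw/sql.attrmap $frw/sql.attrmap.default
	cp -f $DIR_CONF/sql.attrmap $frw/sql.attrmap
# attributes shown on the statistics pages (hide NAS_IP and NAS_port)
	# bug fix: this backup used to be written to user_edit.attrs.default,
	# clobbering the backup taken above while sql.attrs.default never existed
	[ -e $frw/sql.attrs.default ] || cp $frw/sql.attrs $frw/sql.attrs.default
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" $frw/sql.attrs
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" $frw/sql.attrs
	chown -R apache:apache $frw
	# admin.conf carries the radius DB password: owner/group apache only
	chmod 640 $admin
# alias for the "user password change" page (no auth directive: presumably
# self-service for any LAN client, like the captive portal page itself)
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
<Directory $DIR_WEB/pass>
	SSLRequireSSL
	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
	ErrorDocument 404 https://$HOSTNAME
</Directory>
EOF
} # End of param_web_radius ()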
825
 
799 richard 826
##################################################################################
827
##			Fonction param_chilli					##
828
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
829
## - Paramètrage de la page d'authentification (intercept.php)			##
830
##################################################################################
1 root 831
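param_chilli ()
{
	# Install the coova-chilli init script and /etc/chilli.conf, create the
	# include files (trusted URLs/domains, static leases), push the UAM shared
	# secret into intercept.php and (re)create the 'chilli' system user.
	# Uses globals: INTIF, PRIVATE_NETWORK_MASK, DIR_DEST_ETC, PRIVATE_IP,
	# HOSTNAME, secretradius, secretuam, DIR_WEB, SED.
# init file creation
	[ -e /etc/init.d/chilli.default ] || cp /etc/init.d/chilli /etc/init.d/chilli.default
	# Unquoted heredoc: $INTIF is expanded now, at install time; everything
	# the init script must evaluate at run time is written as \$... .
	# Fixes: RETVAL=\$? and rm -f \$pidfile used to be expanded at install
	# time (so chilli's exit status was never captured and the pid file was
	# never removed on stop), and the interface was hard-coded to eth1 while
	# chilli.conf below uses $INTIF.
	cat <<EOF > /etc/init.d/chilli
#!/bin/sh
#
# chilli CoovaChilli init
#
# chkconfig: 2345 65 35
# description: CoovaChilli
### BEGIN INIT INFO
# Provides:       chilli
# Required-Start: network 
# Should-Start: 
# Required-Stop:  network
# Should-Stop: 
# Default-Start:  2 3 5
# Default-Stop:
# Description:    CoovaChilli access controller
### END INIT INFO

[ -f /usr/sbin/chilli ] || exit 0
. /etc/init.d/functions
CONFIG=/etc/chilli.conf
pidfile=/var/run/chilli.pid
[ -f \$CONFIG ] || {
    echo "\$CONFIG Not found"
    exit 0
}
RETVAL=0
prog="chilli"
case \$1 in
    start)
	if [ -f \$pidfile ] ; then 
		gprintf "chilli is already running"
	else
		gprintf "Starting \$prog: "
		rm -f /var/run/chilli* # cleaning
		/sbin/modprobe tun >/dev/null 2>&1
		echo 1 > /proc/sys/net/ipv4/ip_forward
		[ -e /dev/net/tun ] || {
			(cd /dev; 
			mkdir net; 
			cd net; 
			mknod tun c 10 200)
		}
		ifconfig $INTIF 0.0.0.0
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		RETVAL=\$?
	fi
	;;

    reload)
	killall -HUP chilli
	;;

    restart)
	\$0 stop
	sleep 2
	\$0 start
	;;

    status)
	status chilli
	RETVAL=0
	;;

    stop)
	if [ -f \$pidfile ] ; then  
		gprintf "Shutting down \$prog: "
		killproc /usr/sbin/chilli
		RETVAL=\$?
		[ \$RETVAL = 0 ] && rm -f \$pidfile
	else	
		gprintf "chilli is not running"
	fi
	;;

    *)
	echo "Usage: \$0 {start|stop|restart|reload|status}"
	exit 1
esac
echo
EOF

# conf file creation
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
	# macauth/macpasswd: coova sends the fixed word 'password' as the
	# password of every MAC-authenticated device; it is not a user credential,
	# but any MAC account created in the radius DB has to carry the same value
	# (presumably handled by the ACC -- confirm there before changing it).
	# NOTE(review): this file holds radiussecret and uamsecret; 'cat >'
	# truncates in place, so it keeps the packaged file's mode -- confirm it is
	# not world-readable.
	cat <<EOF > /etc/chilli.conf
# coova config for ALCASAR
cmdsocket	/var/run/chilli.sock
unixipc		chilli.eth1.ipc
pidfile		/var/run/chilli.eth1.pid
net		$PRIVATE_NETWORK_MASK
dhcpif		$INTIF
ethers		$DIR_DEST_ETC/alcasar-ethers
#statip
domain		localdomain
dns1		$PRIVATE_IP
dns2		$PRIVATE_IP
uamlisten	$PRIVATE_IP
uamport		3990
macauth
macpasswd	password
locationname	$HOSTNAME
radiusserver1	127.0.0.1
radiusserver2	127.0.0.1
radiussecret	$secretradius
radiusauthport	1812
radiusacctport	1813
uamserver	https://$HOSTNAME/intercept.php
radiusnasid	$HOSTNAME
uamsecret	$secretuam
uamallowed	alcasar
coaport		3799
include		$DIR_DEST_ETC/alcasar-uamallowed
include		$DIR_DEST_ETC/alcasar-uamdomain
EOF
# static IP lease file
	touch $DIR_DEST_ETC/alcasar-ethers
# files for trusted domains and urls
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
	# group apache gets rw: the ACC maintains these include files
	chown root:apache $DIR_DEST_ETC/alcasar-*
	chmod 660 $DIR_DEST_ETC/alcasar-*
# interception page: shared secret with coova-chilli
	# NOTE(review): $secretuam is spliced into a sed replacement; a generated
	# secret containing '?', '&' or '\' would corrupt intercept.php.
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
# 'chilli' system user (runs the conup/off and up/down scripts)
	# anchored on the login field: a bare 'grep chilli' also matched any
	# account merely containing the string, and then the count was not 1
	if grep -q '^chilli:' /etc/passwd
	then
		userdel -r chilli 2>/dev/null
	fi
	groupadd -f chilli
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
}  # End of param_chilli ()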
967
 
968
##########################################################
969
##			Fonction param_squid		##
970
## - Paramétrage du proxy 'squid' en mode 'cache'	##
971
## - Initialisation de la base de données  		##
972
##########################################################
973
param_squid ()
{
	# Configure squid as a local cache proxy chained between DansGuardian
	# (in front) and HAVP (behind, port 8090): transparent listener on
	# loopback only, awstats-compatible logging, no Via / X-Forwarded-For
	# leakage towards the Internet. Uses globals: SED.
	local conf=/etc/squid/squid.conf
	local pattern
	[ -e $conf.default  ] || cp $conf $conf.default
# drop the 'localnet', 'icp', 'htcp' and 'always_direct' defaults
	for pattern in "/^acl localnet/d" \
		"/^icp_access allow localnet/d" \
		"/^icp_port 3130/d" \
		"/^http_access allow localnet/d" \
		"/^htcp_access allow localnet/d" \
		"/^always_direct allow localnet/d"
	do
		$SED "$pattern" $conf
	done
# local transparent proxy, reachable only from DansGuardian on loopback
	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" $conf
# local cache
	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" $conf
# appended settings; quoted delimiter, so every line goes in literally:
#  - standard log location/format (kept awstats-compatible with emulate_httpd_log)
#  - connection/timeout tuning and cache sizing
#  - 'via off' / 'forwarded_for delete': do not reveal the proxy or client IP
#  - hand every request to HAVP (cache_peer on 8090), never go direct
	cat << 'EOF' >> $conf
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log
emulate_httpd_log on
half_closed_clients off
server_persistent_connections off
client_persistent_connections on
client_lifetime 1440 minutes
request_timeout 5 minutes
persistent_request_timeout 2 minutes
cache_mem 256 MB
maximum_object_size_in_memory 4096 KB
maximum_object_size     4096 KB
via off
forwarded_for delete
cache_peer 127.0.0.1 parent 8090 0 no-query default
never_direct allow all
EOF
# avoid error messages on network interface state changes
	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
# squid cache init
	/usr/sbin/squid -z
}  # End of param_squid ()
1015
 
1016
##################################################################
1017
##		Fonction param_dansguardian			##
1018
## - Paramétrage du gestionnaire de contenu Dansguardian	##
1019
##################################################################
1020
param_dansguardian ()
{
	# Configure DansGuardian as the LAN-facing content filter chained to the
	# squid cache: filtering itself is off by default (reportinglevel -1, no
	# phrase / regex-URL / download checks), it listens on the private IP
	# only and logs denies only. Uses globals: DIR_DG, DIR_CONF, PRIVATE_IP, SED.
	local dg=$DIR_DG/dansguardian.conf
	local dgf1=$DIR_DG/dansguardianf1.conf
	local lists=$DIR_DG/lists
	local name
	mkdir /var/dansguardian
	chown dansguardian /var/dansguardian
	[ -e $dg.default ] || cp $dg $dg.default
# filtering disabled by default
	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $dg
# block page in French
	$SED "s?^language =.*?language = french?g" $dg
# listen on the LAN side only
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $dg
# chained to the squid cache
	$SED "s?^proxyport.*?proxyport = 3128?g" $dg
# block page templates
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
# log denies only (squid logs the rest)
	$SED "s?^loglevel =.*?loglevel = 1?g" $dg
# launch 10 daemons (20 on the biggest servers)
	$SED "s?^minchildren =.*?minchildren = 10?g" $dg
# html content checks off by default: comment out every active phrase and regex-URL entry
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $dg
	for name in bannedphraselist bannedregexpurllist
	do
		cp $lists/$name $lists/$name.default
		$SED "s?^[^#]?#&?g" $lists/$name
	done
# download checks off by default
	[ -e $dgf1.default ] || cp $dgf1 $dgf1.default
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $dgf1
	for name in bannedextensionlist bannedmimetypelist
	do
		[ -e $lists/$name.default ] || mv $lists/$name $lists/$name.default
		touch $lists/$name
	done
# 'Safesearch' regex update
	$SED "s?images?search?g" $lists/urlregexplist
# empty list of LAN IPs exempted from web filtering
	[ -e $lists/exceptioniplist.default ] || mv $lists/exceptioniplist $lists/exceptioniplist.default
	touch $lists/exceptioniplist
# keep a copy of the URL and domain filter lists
	for name in bannedsitelist bannedurllist
	do
		[ -e $lists/$name.default ] || mv $lists/$name $lists/$name.default
	done
} # End of param_dansguardian ()
1063
 
71 richard 1064
##################################################################
1065
##			Fonction antivirus			##
479 richard 1066
## - configuration havp + libclamav				##
71 richard 1067
##################################################################
1068
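antivirus ()		
{
	# Configure HAVP (loopback-only on port 8090, scanning with libclamav),
	# its system user and work directories, the block pages and the
	# freshclam signature updates. Uses globals: DIR_CONF, SED.
# 'havp' system user, recreated from scratch
	# anchored on the login field: a bare 'grep havp' also matched any
	# account merely containing the string, and then the count was not 1
	if grep -q '^havp:' /etc/passwd
	then
		userdel -r havp 2>/dev/null
	fi
	groupadd -f havp
	useradd -r -g havp -s /bin/false -c "system user for havp" havp
	# /var/run/havp was chowned without ever being created
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
# HAVP configuration
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# squid's cache_peer sends traffic here
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# loopback only: never reachable from the LAN
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# scan with libclamav
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons started simultaneously
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# do not scan image files
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # skip some multimedia types
# init script replacement (the packaged one is kept as .default)
	# The former 'sed -i ... chown -R havp:havp /var/tmp/havp' edit of
	# /etc/init.d/havp is gone: it was applied to a file the cp -f below
	# overwrites anyway, and it polluted the .default backup.
	# NOTE(review): confirm $DIR_CONF/havp-init does that chown itself.
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
# block page templates
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
# signature database refreshed every 2 hours (12 checks a day)
	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
# initial signature download (network access required)
	rm -f /var/lib/clamav/*.cld # in case of old database scheme
	[ -e /var/lib/clamav/main.cvd ] || /usr/bin/freshclam
}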
1104
 
1 root 1105
##################################################################################
476 richard 1106
##			param_ulogd function					##
1107
## - Ulog config for multi-log files 						##
1108
##################################################################################
1109
param_ulogd ()
{
	# One ulogd instance per log class (own config file, own netlink group)
	# so traceability, ssh and external-access events land in separate files
	# under /var/log/firewall, readable by root and group apache only.
	# Uses globals: SED, DIR_CONF.
	local logdir=/var/log/firewall
	local kind conf
	[ -d $logdir ] || mkdir -p $logdir
	nl=1
	for kind in tracability ssh ext-access
	do
		conf=/etc/ulogd-$kind.conf
		[ -e $logdir/$kind.log ] || touch $logdir/$kind.log
		cp -f /etc/ulogd.conf $conf
		$SED "s?^nlgroup=.*?nlgroup=$nl?g" $conf
		$SED '/OPRINT/,$d' $conf			# everything from the OPRINT stanza on is replaced by the block below
		cat << EOF >> $conf
[LOGEMU]
file="$logdir/$kind.log"
sync=1
EOF
		nl=$((nl + 1))
	done
	chown -R root:apache $logdir
	chmod 750 $logdir
	chmod 640 $logdir/*
	[ -e /etc/init.d/ulogd.default ] || cp /etc/init.d/ulogd /etc/init.d/ulogd.default
	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
}  # End of param_ulogd ()
1133
 
1134
##################################################################################
1 root 1135
##				Fonction param_awstats				##
1136
## - configuration de l'interface des logs de consultation WEB (AWSTAT)		##
1137
##################################################################################
1138
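param_awstats()
{
	# Install the awstats web UI under the ACC and point it at the squid
	# access log; only the summary and time-based reports are kept. The
	# Apache stanza restricts the CGI to the LAN, over SSL, behind the
	# 'admin' digest realm. Uses globals: DIR_ACC, SED, HOSTNAME,
	# PRIVATE_IP, DIR_DEST_ETC, PRIVATE_NETWORK_MASK.
	local conf=/etc/awstats/awstats.conf
	local setting
	cp -rf /usr/share/awstats/www/ $DIR_ACC/awstats/
	chown -R apache:apache $DIR_ACC/awstats
	# keep the pristine copy like every other *.default in this installer
	# (it used to be overwritten on each run)
	[ -e $conf.default ] || cp $conf $conf.default
	# Each entry is KEY=VALUE; the sed replaces the whole '^KEY=...' line.
	# UseFramesWhenCGI and ShowSummary were each issued twice; once is enough.
	for setting in \
		'LogFile="/var/log/squid/access.log"' \
		'LogFormat=4' \
		"SiteDomain=\"$HOSTNAME\"" \
		"HostAliases=\"$PRIVATE_IP\"" \
		'DNSLookup=0' \
		'DirData="/var/lib/awstats"' \
		'DirIcons="/acc/awstats/icon"' \
		'StyleSheet="/css/style.css"' \
		'BuildReportFormat=xhtml' \
		'UseFramesWhenCGI=0' \
		'ShowSummary=VPHB' \
		'ShowMonthStats=VPHB' \
		'ShowDaysOfMonthStats=PHB' \
		'ShowDaysOfWeekStats=PHB' \
		'ShowHoursStats=PHB' \
		'ShowDomainsStats=0' \
		'ShowHostsStats=0' \
		'ShowAuthenticatedUsers=0' \
		'ShowRobotsStats=0' \
		'ShowFileTypesStats=0' \
		'ShowFileSizesStats=0' \
		'ShowOSStats=0' \
		'ShowScreenSizeStats=0'
	do
		$SED "s?^${setting%%=*}=.*?$setting?g" $conf
	done

	# ExecCGI is enabled here, so the directory must stay behind
	# 'require valid-user' on the admin digest file.
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
<Directory $DIR_ACC/awstats>
	SSLRequireSSL
	Options ExecCGI
	AddHandler cgi-script .pl
	DirectoryIndex awstats.pl
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
	ErrorDocument 404 https://$HOSTNAME/
</Directory>
SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
EOF
} # End of param_awstats ()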
1189
 
1190
##########################################################
235 richard 1191
##		Fonction param_dnsmasq			##
1 root 1192
##########################################################
219 jeremy 1193
param_dnsmasq ()
{
	# Configure two dnsmasq instances:
	#  - udp/53 "forward" resolver on $PRIVATE_IP and 127.0.0.1, also a DHCP
	#    server but only when bypass mode is on (DHCP is disabled on $INTIF)
	#  - udp/54 "blackhole" resolver on $PRIVATE_IP that loads the domain
	#    blacklist from $DIR_DEST_ETC/alcasar-dnsfilter-enabled
	# Both bind to the listed addresses only (bind-interfaces), so neither
	# answers on the external interface. The init script is patched to run
	# and stop the second instance and to start after chilli.
	# Uses globals: SED, DIR_DEST_ETC, PRIVATE_IP, INTIF, DOMAIN, DNS1, DNS2,
	# PRIVATE_FIRST_IP, PRIVATE_LAST_IP, PRIVATE_NETMASK.
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # file holding the DHCP leases
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
# 1st dnsmasq listens on udp 53 ("dnsmasq - forward"). It acts as DHCP server only when bypass is on.
	cat << EOF > /etc/dnsmasq.conf 
# Configuration file for "dnsmasq in forward mode"
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# zone de definition de noms DNS locaux
listen-address=$PRIVATE_IP
listen-address=127.0.0.1
no-dhcp-interface=$INTIF
bind-interfaces
cache-size=256
domain=$DOMAIN
domain-needed
expand-hosts
bogus-priv
filterwin2k
server=$DNS1
server=$DNS2
# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
dhcp-option=option:router,$PRIVATE_IP
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5

# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
EOF
# 2nd dnsmasq listens on udp 54 ("dnsmasq with blackhole"): same forwarders, plus the blacklist conf-dir
	cat << EOF > /etc/dnsmasq-blackhole.conf 
	# Configuration file for "dnsmasq with blackhole"
# Inclusion de la blacklist <domains> de Toulouse dans la configuration
conf-dir=$DIR_DEST_ETC/alcasar-dnsfilter-enabled
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# zone de definition de noms DNS locaux
listen-address=$PRIVATE_IP
port=54
no-dhcp-interface=$INTIF
bind-interfaces
cache-size=256
domain=$DOMAIN
domain-needed
expand-hosts
bogus-priv
filterwin2k
server=$DNS1
server=$DNS2
EOF
 
# Init file modification
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
# Start and stop a 2nd process for the "DNS blackhole"
# NOTE(review): these append after *every* line matching 'daemon' / 'killproc $DAEMON_NAME'
# in the packaged init script -- assumes each pattern matches exactly once; confirm on upgrade.
$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq
$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq
# Start after chilli (65), which creates tun0
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
# Client DNS query logging: prepared but left commented out (opt-in)
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
$SED "s?^OPTIONS=.*?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g"  /etc/sysconfig/dnsmasq
} # End dnsmasq
1253
 
1254
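##########################################################
##		Fonction BL (BlackList)			##
##########################################################
# Install the default blacklist (the Toulouse list shipped inside the ALCASAR archive) for
# DansGuardian and create the directory layout of the DNS blackhole:
#  - unpack $DIR_CONF/blacklists.tar.gz into $DIR_DG/lists/blacklists
#  - add the "ossi" (local secondary list) and "ip" (virtual "pure IP" category) lists
#  - reset the exception (whitelist) files and write the base bannedurllist/bannedsitelist
#  - create $DIR_DEST_ETC/alcasar-dnsfilter-{available,enabled} (root:apache, 770)
#  - on a fresh install, run alcasar-bl.sh --adapt to convert the list to ALCASAR's layout
# Globals read : DIR_DG DIR_CONF DIR_DEST_ETC DIR_DEST_SBIN mode
# Side effects : the whole $DIR_DG tree becomes dansguardian:apache and group-writable,
#                i.e. the apache user (ACC web interface) can edit every filter list.
BL ()
{
# Copy the default blacklist shipped with the ALCASAR archive. ${DIR_DG:?} aborts instead
# of running "rm -rf /lists/blacklists" should the variable ever be empty.
	rm -rf "${DIR_DG:?}/lists/blacklists"
	if ! tar zxf "$DIR_CONF/blacklists.tar.gz" --directory="$DIR_DG/lists/" > /dev/null 2>&1
	then
		echo "WARNING: cannot extract $DIR_CONF/blacklists.tar.gz into $DIR_DG/lists/" >&2
	fi
# Create the secondary list directory ("ossi") and the "pureip" virtual category ("ip")
	mkdir -p "$DIR_DG/lists/blacklists/ossi" "$DIR_DG/lists/blacklists/ip"
	touch "$DIR_DG/lists/blacklists/ossi/domains" "$DIR_DG/lists/blacklists/ip/domains"
	touch "$DIR_DG/lists/blacklists/ossi/urls" "$DIR_DG/lists/blacklists/ip/urls"
# Start from empty lists of rehabilitated (whitelisted) sites and URLs, keeping the
# distribution originals as *.default
	[ -e "$DIR_DG/lists/exceptionsitelist.default" ] || mv "$DIR_DG/lists/exceptionsitelist" "$DIR_DG/lists/exceptionsitelist.default"
	[ -e "$DIR_DG/lists/exceptionurllist.default" ] || mv "$DIR_DG/lists/exceptionurllist" "$DIR_DG/lists/exceptionurllist.default"
	touch "$DIR_DG/lists/exceptionsitelist"
	touch "$DIR_DG/lists/exceptionurllist"
# Base DansGuardian domain and URL filtering configuration
	cat <<EOF > "$DIR_DG/lists/bannedurllist"
# Dansguardian filter config for ALCASAR
EOF
	cat <<EOF > "$DIR_DG/lists/bannedsitelist"
# Dansguardian domain filter config for ALCASAR
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
#**
# block all SSL and CONNECT tunnels
**s
# block all SSL and CONNECT tunnels specified only as an IP
*ips
# block all sites specified only by an IP
*ip
EOF
# The ACC (running as apache) manages these lists, hence group write on the whole tree.
	chown -R dansguardian:apache "$DIR_DG"
	chmod -R g+rw "$DIR_DG"
# DNS-blackhole layout. The original ran "chown -R 770 ..." here: chown with a numeric
# argument sets the OWNER to uid 770, it does not set the mode, so the intended 770
# permissions were never applied by this function (post_install later fixes them up).
	mkdir -p "$DIR_DEST_ETC"/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
	chmod -R 770 "$DIR_DEST_ETC"/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
	chown -R root:apache "$DIR_DEST_ETC"/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
# Convert the Toulouse list to ALCASAR's layout (fresh install only; an update keeps the
# operator's current lists)
	if [ "$mode" != "update" ]; then
		"$DIR_DEST_SBIN/alcasar-bl.sh" --adapt
	fi
}
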
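##########################################################
##		Fonction cron				##
## - Mise en place des différents fichiers de cron	##
##########################################################
# Install ALCASAR's scheduled jobs:
#  - rewrite /etc/crontab so run-parts fires around midnight instead of 04:00
#  - append the ALCASAR anacron jobs and write the cron.d fragments (log cleaning and
#    export, MySQL dump, awstats, import clean-up, daily distribution update,
#    freeradius-web accounting aggregation, the two watchdogs)
#  - wipe every per-user crontab (/var/spool/cron/*)
# Globals read : SED DIR_DEST_BIN DIR_DEST_SBIN DIR_ACC
# Security notes: every job runs as root, including awstats.pl (a web-facing Perl
# application) and an unattended "urpmi --auto-update --auto" at 03:30, i.e. distribution
# updates are applied without operator review.
cron ()
{
# Rewrite 'crontab' so that the run-parts jobs run at midnight instead of 04:00
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
	cat <<EOF > /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
 
# run-parts
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
EOF
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
# /etc/crontab above is rewritten with '>', but anacrontab is APPENDED to: without this
# guard every re-run of the installer (update mode) duplicated the four jobs.
# NOTE(review): anacron executes the 4th field as a shell command, yet the targets are
# cron.d tables rather than executables -- confirm this is intended.
	if ! grep -q "cron.MysqlDump" /etc/anacrontab
	then
		cat <<EOF >> /etc/anacrontab
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
7       10      cron.logExport          nice /etc/cron.d/alcasar-export_log
7       15      cron.logClean           nice /etc/cron.d/alcasar-clean_log
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
EOF
	fi
	cat <<EOF > /etc/cron.d/alcasar-clean_log
# suppression des fichiers de logs de plus d'un an (tous les lundi à 4h30)
30 4 * * 1 root $DIR_DEST_BIN/alcasar-log-clean.sh
EOF
	cat <<EOF > /etc/cron.d/alcasar-mysql
# export de la base des usagers (tous les lundi à 4h45)
45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
EOF
	cat <<EOF > /etc/cron.d/alcasar-export_log
# export des log squid, firewall et apache (tous les lundi à 5h00)
00 5 * * 1 root $DIR_DEST_BIN/alcasar-log-export.sh
EOF
	cat << EOF > /etc/cron.d/awstats
# mise à jour des stats de consultation WEB toutes les 30'
*/30 * * * * root $DIR_ACC/awstats/awstats.pl -config=localhost -update >/dev/null 2>&1
EOF
	cat << EOF > /etc/cron.d/alcasar-clean_import
# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
30 * * * *  root $DIR_DEST_BIN/alcasar-import-clean.sh
EOF
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
# mise à jour automatique de la distribution tous les jours 3h30
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
EOF
# Accounting statistics. Scripts come from "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
# The crontab installed by the "freeradius-web" RPM is overwritten (bug reported to qa.mandriva.com: 46739).
# 'tot_stats' (daily at 01:01)               : aggregates each user's daily connections (fills the 'totacct' table)
# 'monthly_tot_stat' (daily at 01:05)        : aggregates each user's monthly connections (fills the 'mtotacct' table)
# 'truncate_raddact' (1st of month at 01:10) : deletes logged entries older than '$back_days' days (set below)
# 'clean_radacct' (1st of month at 01:15)    : closes sessions open for more than '$back_days' days (set below)
	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
	rm -f /etc/cron.daily/freeradius-web
	rm -f /etc/cron.monthly/freeradius-web
	cat << EOF > /etc/cron.d/freeradius-web
1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
EOF
	cat << EOF > /etc/cron.d/alcasar-watchdog
# activation du "chien de garde" (watchdog) toutes les 3'
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
EOF
# Service watchdog every 18'
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
EOF
# Remove every per-user crontab (no user-scheduled jobs on the portal)
	rm -f /var/spool/cron/*
} # End cron
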
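##################################################################
##			Fonction post_install			##
## - Modification des bannières (locales et ssh) et des prompts ##
## - Installation de la structure de chiffrement pour root	##
## - Mise en place du sudoers et de la sécurité sur les fichiers##
## - Mise en place du la rotation des logs			##
## - Configuration dans le cas d'une mise à jour		##
##################################################################
# persist_sysctl KEY VALUE
# Apply a kernel parameter immediately and make it survive a reboot via /etc/sysctl.conf.
# Only an active (uncommented) "KEY = ..." line is rewritten, otherwise the setting is
# appended. The grep|wc / sed pairs this replaces matched a bare substring: a commented-out
# line, or an IPv6 line sharing the suffix, counted as "already present" and the IPv4 value
# was never persisted, while the sed rewrote every line containing that suffix.
# Globals read : SED
persist_sysctl ()
{
	local key="$1" value="$2"
	sysctl -w "${key}=${value}"
	if grep -q "^[[:space:]]*${key}[[:space:]]*=" /etc/sysctl.conf
	then
		$SED "s?^[[:space:]]*${key}[[:space:]]*=.*?${key} = ${value}?" /etc/sysctl.conf
	else
		echo "${key} = ${value}" >> /etc/sysctl.conf
	fi
}

# Final system hardening and hand-over, run last by the installer:
#  - brand the local/SSH/postfix banners and colour the prompts
#  - sshd: listen on the LAN and WAN addresses but stay disabled (SSH=off) until enabled
#  - write the default feature flags into $CONF_FILE
#  - install sudoers (apache/sysadmin delegation) and the one-year logrotate policy
#  - register the ALCASAR services, set msec to the "fileserver" level, apply the ANSSI
#    kernel hardening (sysctl), file permissions (msec perm.local), inittab/grub tweaks
#  - remove unneeded services and users, reload a saved configuration on update
#  - print the end-of-install banner, install the firewall rules and reboot
# Globals read : SED DIR_DEST_BIN DIR_CONF VERSION EXTIF INTIF PRIVATE_IP PUBLIC_IP
#                CONF_FILE ORGANISME PRIVATE_NETWORK PRIVATE_NETMASK mode DATE
#                DIR_DEST_ETC DIR_INSTALL Lang
# Side effects : system-wide; ends with a reboot.
post_install()
{
# Tailor the watchdog script to the detected interfaces
	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" "$DIR_DEST_BIN/alcasar-watchdog.sh"
	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" "$DIR_DEST_BIN/alcasar-watchdog.sh"
# Local banner
	[ -e /etc/mandriva-release.default ]  || cp /etc/mandriva-release /etc/mandriva-release.default
	cp -f "$DIR_CONF/banner" /etc/mandriva-release
	echo " V$VERSION" >> /etc/mandriva-release
# SSH banner
	cp /etc/mandriva-release /etc/ssh/alcasar-banner-ssh
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
# Postfix banner anonymisation. "$myhostname" is a POSTFIX parameter and must reach main.cf
# literally: left unescaped inside the double quotes, bash expanded it (to an empty string
# unless it happens to be set elsewhere in this script) and the banner became " ESMTP".
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
# sshd listens on the LAN and WAN sides
	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
	# Default values written to the conf file (sshd, QOS and protocols/dns filtering are off)(web antivirus is on)
	/sbin/chkconfig --del sshd
	echo "SSH=off" >> "$CONF_FILE"
	# 0.0.0.0/0.0.0.0 means the administration access (presumably what this flag gates) is
	# reachable from ANY source address once enabled; operators should narrow it to their
	# management network.
	echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> "$CONF_FILE"
	echo "QOS=off" >> "$CONF_FILE"
	echo "LDAP=off" >> "$CONF_FILE"
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> "$CONF_FILE"
	echo "PROTOCOLS_FILTERING=off" >> "$CONF_FILE"
	echo "DNS_FILTERING=off" >> "$CONF_FILE"
	echo "WEB_ANTIVIRUS=on" >> "$CONF_FILE"
# Coloured prompts
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
	cp -f "$DIR_CONF/bashrc" /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
# Privilege delegation for the apache and sysadmin users (sudoers must stay 0440 root:root)
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
	cp -f "$DIR_CONF/sudoers" /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
# One-year log rotation (mysql, httpd, dansguardian, squid, radiusd, ulogd)
	cp -f "$DIR_CONF"/logrotate.d/* /etc/logrotate.d/
	chmod 644 /etc/logrotate.d/*
# Fix the log compression setting left by previous versions
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
# Compress the rotated logs previous versions left uncompressed (pattern quoted so the
# shell cannot expand it against the current directory before find sees it)
	for dir in firewall squid dansguardian httpd
	do
		find "/var/log/$dir" -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
	done
# Export the 'late' logs into /var/Save/logs
	/usr/local/bin/alcasar-log-export.sh
# Services started at boot
	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
	do
		/sbin/chkconfig --add "$i"
	done
# Avoid inter-service dependency warnings
	$SED "s?^# Required-Start.*?# Required-Start: \$local_fs \$network?g" /etc/init.d/mysqld
	$SED "s?^# Required-Stop.*?# Required-Stop: \$local_fs \$network?g" /etc/init.d/mysqld
	$SED "s?^# Should-Start.*?# Should-Start: radiusd ldap?g" /etc/init.d/httpd
	$SED "s?^# Should-Stop.*?# Should-Stop: radiusd ldap?g" /etc/init.d/httpd
# msec security level: "fileserver"
	$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
# Drop the promiscuous-mode check (many alerts on eth1 caused by tun0)
	$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver
# Apply French Security Agency (ANSSI) rules (sysctl + msec when possible)
# Ignore ICMP broadcasts (smurf attack)
	$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver
	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# Ignore bogus ICMP error responses
	$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver
	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# Neither accept nor send ICMP redirects. For send_redirects the kernel ORs the "all" and
# per-interface flags, so zeroing "all" alone (what the original did) leaves redirects
# enabled on any interface whose own flag is still 1; interfaces inherit "default" when
# they are created (tun0 included). Hence "default" is persisted as well and the flags of
# the interfaces that already exist are zeroed right now.
	persist_sysctl net.ipv4.conf.all.accept_redirects 0
	persist_sysctl net.ipv4.conf.default.accept_redirects 0
	persist_sysctl net.ipv4.conf.all.send_redirects 0
	persist_sysctl net.ipv4.conf.default.send_redirects 0
	for if_ctl in /proc/sys/net/ipv4/conf/*/send_redirects
	do
		[ -w "$if_ctl" ] && echo 0 > "$if_ctl"
	done
# SYN cookies (SYN flood)
	persist_sysctl net.ipv4.tcp_syncookies 1
# Kernel-level anti-spoofing (reverse-path filtering). Not written to sysctl.conf here;
# the msec ENABLE_IP_SPOOFING_PROTECTION flag is presumably what re-applies it at boot -- confirm.
	$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver
	sysctl -w net.ipv4.conf.all.rp_filter=1
# Ignore source routing
	persist_sysctl net.ipv4.conf.all.accept_source_route 0
# Established-connection tracking timeout: 1h (3600s) instead of 5 weeks
	persist_sysctl net.netfilter.nf_conntrack_tcp_timeout_established 3600
# No log_martians (ALCASAR usually sits between two privately addressed networks)
	sysctl -w net.ipv4.conf.all.log_martians=0
	$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver

# Disable <CTRL>+<ALT>+<DEL> and the Magic SysRq keys
	$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
# File permissions enforced by msec (changes relative to the radius update)
# NOTE(review): FreeRADIUS ships /etc/raddb/dictionary; "dictionnary" below looks like a
# typo, in which case msec silently skips that line -- confirm against the installed tree.
# NOTE(review): "/etc/pki/* root.apache 750" grants the apache group read access to every
# top-level entry under /etc/pki; confirm the private keys there keep a stricter mode.
	cat <<EOF > /etc/security/msec/perm.local
/var/log/firewall/			root.apache	750
/var/log/firewall/*			root.apache	640
/etc/security/msec/perm.local		root.root	640
/etc/security/msec/level.local		root.root	640
/etc/freeradius-web			root.apache	750
/etc/freeradius-web/admin.conf		root.apache	640
/etc/freeradius-web/config.php		root.apache	640
/etc/raddb/dictionnary			root.radius	640
/etc/raddb/ldap.attrmap			root.radius	640
/etc/raddb/hints			root.radius	640
/etc/raddb/huntgroups			root.radius	640
/etc/raddb/attrs.access_reject		root.radius	640
/etc/raddb/attrs.accounting_response	root.radius	640
/etc/raddb/acct_users			root.radius	640
/etc/raddb/preproxy_users		root.radius	640
/etc/raddb/modules/ldap			radius.apache	660
/etc/raddb/sites-available/alcasar	radius.apache	660
/etc/pki/*				root.apache	750
EOF
	/usr/sbin/msec
# /etc/inittab: keep only 3 virtual terminals
	[ -e /etc/inittab.default ] || cp /etc/inittab /etc/inittab.default
	$SED "s?^4.*?#&?g" /etc/inittab
	$SED "s?^5.*?#&?g" /etc/inittab
	$SED "s?^6.*?#&?g" /etc/inittab
# grub: 3 s timeout and a fixed screen resolution. "vga=791" is appended once only; the
# unguarded 's?^kernel.*?& vga=791?' added another copy on every re-run of the installer.
	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
	grep -q "vga=791" /boot/grub/menu.lst || $SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst
# Remove useless services and users
	for svc in alsa sound dm atd bootlogd stop-bootlogd
	do
		/sbin/chkconfig --del "$svc"
	done
# Exact account lookup: the original "grep $rm_users /etc/passwd" matched substrings of the
# whole passwd line ("avahi" also hit "avahi-autoipd"), making the removal order-dependent.
	for rm_users in avahi-autoipd avahi icapd
	do
		if getent passwd "$rm_users" > /dev/null 2>&1
		then
			/usr/sbin/userdel -f "$rm_users"
		fi
	done
# Load and update the previous conf file
	if [ "$mode" = "update" ]
	then
		"$DIR_DEST_BIN/alcasar-conf.sh" --load
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" "$CONF_FILE"
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" "$CONF_FILE"
	fi
	rm -f /tmp/alcasar-conf*
# ALCASAR's configuration tree: root:apache, 660, plus x on the directories the ACC writes
# to. ${DIR_DEST_ETC:?} aborts rather than letting an empty variable turn these recursive
# commands into "chmod -R 660 /*".
	chown -R root:apache "${DIR_DEST_ETC:?}"/*
	chmod -R 660 "${DIR_DEST_ETC:?}"/*
	chmod ug+x "$DIR_DEST_ETC/digest" "$DIR_DEST_ETC"/alcasar-dnsfilter*
	cd "$DIR_INSTALL"
	echo ""
	echo "#############################################################################"
	if [ "$Lang" = "fr" ]
		then
		echo "#                        Fin d'installation d'ALCASAR                       #"
		echo "#                                                                           #"
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
		echo "#                                                                           #"
		echo "#############################################################################"
		echo
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
		echo
		echo "- Lisez attentivement la documentation d'exploitation"
		echo
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		echo
		echo "                   Appuyez sur 'Entrée' pour continuer"
	else
		echo "#                        End of ALCASAR install process                     #"
		echo "#                                                                           #"
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
		echo "#                                                                           #"
		echo "#############################################################################"
		echo
		echo "- The system will be rebooted in order to operate ALCASAR"
		echo
		echo "- Read the exploitation documentation"
		echo
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		echo
		echo "                   Hit 'Enter' to continue"
	fi
	sleep 2
	if [ "$mode" != "update" ]
	then
		read -r a
	fi
	clear
# Apply and save the firewall rules
	sh "$DIR_DEST_BIN/alcasar-iptables.sh"
	sleep 2
	reboot
} # End post_install ()
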
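#################################
#  Boucle principale du script  #
#################################
# Main entry point. Usage: alcasar.sh {-i|--install} | {-u|--uninstall}
# Must be run from the root of the unpacked ALCASAR archive (relative paths such as
# conf/etc/alcasar.conf are used below).
#
# The update archive /tmp/alcasar-conf.tar.gz sits at a fixed, predictable path in a
# world-writable directory and is consumed as root (tar -xf here, alcasar-conf.sh --load in
# post_install). It is therefore trusted only when it is a regular file owned by root and
# not a symlink: anything else could have been planted by an unprivileged local user before
# the administrator ran this script. The check narrows but does not close the window
# between it and the later use of the file.
CONF_ARCHIVE="/tmp/alcasar-conf.tar.gz"
conf_archive_is_trusted ()
{
	[ -f "$CONF_ARCHIVE" ] && [ ! -L "$CONF_ARCHIVE" ] && [ -O "$CONF_ARCHIVE" ]
}
# Remove an archive that exists but fails the ownership/symlink test, telling the operator why.
discard_untrusted_conf_archive ()
{
	if [ -e "$CONF_ARCHIVE" ] || [ -L "$CONF_ARCHIVE" ]
	then
		if ! conf_archive_is_trusted
		then
			if [ "$Lang" = "fr" ]
				then echo "$CONF_ARCHIVE n'appartient pas à root (ou est un lien symbolique) : il est ignoré et supprimé";
				else echo "$CONF_ARCHIVE is not owned by root (or is a symlink): ignored and removed";
			fi
			rm -f /tmp/alcasar-conf*
		fi
	fi
}
dir_exec=$(dirname "$0")
if [ "$dir_exec" != "." ]
then
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
	echo "Launch this program from the ALCASAR archive directory"
	exit 1
fi
VERSION=$(cat "$DIR_INSTALL/VERSION")
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
nb_args=$#
args=$1
if [ "$nb_args" -eq 0 ]
then
	nb_args=1
	args="-h"
fi
case "$args" in
	-\? | -h* | --h*)
		echo "$usage"
		exit 0
		;;
	-i | --install)
		header_install
		testing
		discard_untrusted_conf_archive
# Test if ALCASAR is already installed
		if [ -e "$DIR_WEB/VERSION" ]
		then
			actual_version=$(cat "$DIR_WEB/VERSION")
			if [ "$Lang" = "fr" ]
				then echo -n "La version "; echo -n "$actual_version" ; echo " d'ALCASAR est déjà installée";
				else echo -n "ALCASAR Version "; echo -n "$actual_version" ; echo " is already installed";
			fi
			response=0
			PTN='^[oOnNyY]$'
			until [[ "$response" =~ $PTN ]]
			do
				if [ "$Lang" = "fr" ]
					then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
					else echo -n "Do you want to update (Y/n)?";
				fi
				read -r response
			done
			if [ "$response" = "n" ] || [ "$response" = "N" ]
			then
				rm -f /tmp/alcasar-conf*
			else
				RUNNING_VERSION=$(cut -d" " -f1 "$DIR_WEB/VERSION")
				MAJ_RUNNING_VERSION=$(echo "$RUNNING_VERSION"|cut -d"." -f1)
				MIN_RUNNING_VERSION=$(echo "$RUNNING_VERSION"|cut -d"." -f2|cut -c1)
				UPD_RUNNING_VERSION=$(echo "$RUNNING_VERSION"|cut -d"." -f3)
# Create a backup of the running version's important files
				chmod u+x "$DIR_SCRIPTS/alcasar-conf.sh"
				"$DIR_SCRIPTS/alcasar-conf.sh" --create
				mode="update"
			fi
		fi
# RPMs install. A failed package installation now exits non-zero (the original exited 0,
# so a calling wrapper could not tell success from failure).
		if ! "$DIR_SCRIPTS/alcasar-urpmi.sh"
		then
			exit 1
		fi
		if [ -e "$DIR_WEB/VERSION" ]
		then
# Uninstall the running version
			"$DIR_SCRIPTS/sbin/alcasar-uninstall.sh"
		fi
# Test if manual update (an archive left in place by the operator rather than created above)
		if conf_archive_is_trusted && [ "$mode" != "update" ]
		then
			header_install
			if [ "$Lang" = "fr" ]
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
				else echo "The configuration file of an old version has been found";
			fi
			response=0
			PTN='^[oOnNyY]$'
			until [[ "$response" =~ $PTN ]]
			do
				if [ "$Lang" = "fr" ]
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
					else echo -n "Do you want to use it (Y/n)?";
				fi
				read -r response
				if [ "$response" = "n" ] || [ "$response" = "N" ]
				then rm -f /tmp/alcasar-conf*
				fi
			done
		fi
# Test if update
		if conf_archive_is_trusted
		then
			if [ "$Lang" = "fr" ]
				then echo "#### Installation avec mise à jour ####";
				else echo "#### Installation with update     ####";
			fi
# Extract the central configuration file
			tar -xf "$CONF_ARCHIVE" conf/etc/alcasar.conf
			ORGANISME=$(grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2)
			mode="update"
		else
			mode="install"
		fi
		for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install
		do
			$func
# echo "*** 'debug' : end of function $func ***"; read a
		done
		;;
	-u | --uninstall)
		if [ ! -e "$DIR_DEST_SBIN/alcasar-uninstall.sh" ]
		then
			if [ "$Lang" = "fr" ]
				then echo "ALCASAR n'est pas installé!";
				else echo "ALCASAR isn't installed!";
			fi
			exit 0
		fi
		discard_untrusted_conf_archive
		response=0
# The English prompt offers (Y/n), so y/Y must be accepted: the original pattern '^[oOnN]$'
# looped forever on an English answer.
		PTN='^[oOnNyY]$'
		until [[ "$response" =~ $PTN ]]
		do
			if [ "$Lang" = "fr" ]
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
			fi
			read -r response
		done
# The original tested "$reponse" (typo) for o/O, so a French "yes" never created the
# archive, and called "$DIR_SCRIPT/alcasar-conf.sh" (typo for DIR_SCRIPTS, see the
# install branch), which resolved to a non-existent path.
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
		then
			"$DIR_SCRIPTS/alcasar-conf.sh" --create
		else
			rm -f /tmp/alcasar-conf*
		fi
# Uninstall the running version
		"$DIR_SCRIPTS/sbin/alcasar-uninstall.sh"
		;;
	*)
		echo "Argument inconnu :$1";
		echo "Unknown argument :$1";
		echo "$usage"
		exit 1
		;;
esac
# end of script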