#!/bin/bash
#  $Id: alcasar.sh 1361 2014-05-25 22:08:44Z richard $ 

# alcasar.sh

# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
# Ce programme est un logiciel libre ; This software is free and open source
# telle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
# Voir la Licence Publique Générale GNU pour plus de détails. 

#  team@alcasar.net

# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)

# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source software:
#
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump

# Options :
#       -i or --install
#       -u or --uninstall

# Functions :
#	testing			: disk-space and connectivity tests before install
#	init			: Installation of RPM and scripts
#	network			: Network parameters
#	ACC			: ALCASAR Control Center installation
#	CA			: Certification Authority initialization
#	init_db			: Initialization of the radius database managed with MariaDB
#	param_radius		: FreeRadius initialisation
#	param_web_radius	: copy and modify the original "freeradius web" in ACC
#	param_chilli		: coovachilli initialisation (+authentication page)
#	param_dansguardian	: DansGuardian filtering HTTP proxy configuration
#	antivirus		: HAVP + libclamav configuration
#	param_nfsen		: Configuration of the nfsen grapher for apache
#	dnsmasq			: Name server configuration
#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
#	cron			: Logs export + watchdog + connection statistics
#	fail2ban		: Fail2ban installation and configuration
#	post_install		: Security, log rotation, etc.
#	gammu_smsd		: Autoregister addon (gammu-smsd)
 
DATE=$(date '+%d %B %Y - %Hh%M')	# human-readable install date (written into CONF_FILE)
DATE_SHORT=$(date '+%d/%m/%Y')		# dd/mm/yyyy, substituted into the ACC menu
Lang=$(echo "$LANG" | cut -c 1-2)	# two-letter language code that selects the fr/en messages
# ******* Files parameters *********
DIR_INSTALL=$(pwd)				# current directory (the unpacked archive the script is run from)
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
DIR_SAVE="/var/Save"				# backup directory (system_backup, user_db_backup, logs)
DIR_WEB="/var/www/html"				# directory of APACHE
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
DIR_DEST_SBIN="/usr/local/sbin"			# directory of ALCASAR admin scripts
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
# ******* DBMS parameters ********
DB_RADIUS="radius"				# database name used by the FreeRadius server
DB_USER="radius"				# user name allowed to query the users database
DB_GAMMU="gammu"				# database name used by Gammu-smsd
# ******* Network parameters *******
HOSTNAME="alcasar"				# short host name (the FQDN is $HOSTNAME.$DOMAIN)
DOMAIN="localdomain"				# default local domain
# EXTIF is connected to the ISP broadband modem/router: the interface of the default route.
# NOTE(review): with more than one default route this yields several words; testing() only
# checks for exactly one default route *after* EXTIF has been derived here.
EXTIF=$(/sbin/ip route | grep default | cut -d" " -f5)
# INTIF is connected to the consultation network: the first non-loopback interface that is not EXTIF
INTIF=$(/sbin/ip link | grep '^[[:digit:]]:' | grep -v "lo\|$EXTIF" | cut -d" " -f2 | tr -d ":")
MTU="1500"
ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'	# copied verbatim (quotes included) into ifcfg-$INTIF
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
# ****** Paths *******
SED="/bin/sed -i"				# always used unquoted, as "$SED expression file"
# ****************** End of global parameters *********************
 
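license ()
{
	# Page through the GPL text (French when Lang is "fr", English otherwise),
	# then wait for the user to press Enter.
	# Globals read: Lang, DIR_INSTALL
	local gpl_file="$DIR_INSTALL/gpl-3.0.txt"
	# quoted test: an empty Lang used to make "[" complain instead of falling back to English
	if [ "$Lang" = "fr" ]
	then
		gpl_file="$DIR_INSTALL/gpl-3.0.fr.txt"
	fi
	more "$gpl_file"
	echo "Taper sur Entrée pour continuer !"
	echo "Enter to continue."
	# -r keeps backslashes literal; the answer itself is never used
	read -r _
}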
 
header_install ()
{
	# Clear the screen and print the installer banner.
	# Globals read: VERSION (set elsewhere in the script)
	local rule="-----------------------------------------------------------------------------"
	clear
	printf '%s\n' "$rule"
	printf '%s\n' "                     ALCASAR V$VERSION Installation"
	printf '%s\n' "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
	printf '%s\n' "$rule"
} # End of header_install ()
 
 
##################################################################
##			Function "testing"			##
## - Test of free space on /var  (>10G)				##
## - Test of the EXTIF configuration and of the link states	##
## - Test of Internet access					##
##################################################################
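testing ()
{
	# Pre-installation checks, in this order:
	#   1. at least 10 GB free on /var
	#   2. EXTIF is known and its ifcfg file carries an IPADDR and a GATEWAY
	#   3. the Ethernet link is up on EXTIF and on INTIF
	#   4. exactly one default route exists and the gateway answers ARP
	#   5. an HTTP fetch of www.google.fr succeeds
	# Globals read   : Lang, EXTIF, INTIF
	# Globals written: PUBLIC_IP, PUBLIC_GATEWAY, IP_GW (reused by network())
	# Every failed check prints a bilingual message and exits with status 1
	# (the previous revision exited 0, which hid the failure from any wrapper).
	local free_space
	free_space=$(df -BG --output=avail /var | tail -1 | tr -d '[:space:]G')
	if [ "${free_space:-0}" -lt 10 ]
	then
		if [ "$Lang" = "fr" ]
			then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
			else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		fi
		exit 1
	fi
	if [ "$Lang" = "fr" ]
		then echo -n "Tests des paramètres réseau : "
		else echo -n "Network parameters tests : "
	fi
# The gateway interface (EXTIF is derived from the default route at the top of the script)
	if [ -z "$EXTIF" ]
	then
		if [ "$Lang" = "fr" ]
		then
			echo "L'adresse du routeur n'est pas configuré"
		else
			echo "The gateway address isn't set"
		fi
		exit 1
	fi
# The EXTIF config file must carry a static address and a gateway
	local ifcfg="/etc/sysconfig/network-scripts/ifcfg-$EXTIF"
	PUBLIC_IP=$(grep IPADDR "$ifcfg" | cut -d"=" -f2)
	PUBLIC_GATEWAY=$(grep GATEWAY "$ifcfg" | cut -d"=" -f2)
	# "wc -c" counts the trailing newline, so anything shorter than "a.b.c.d" fails
	if [ "$(echo "$PUBLIC_IP" | wc -c)" -lt 7 ] || [ "$(echo "$PUBLIC_GATEWAY" | wc -c)" -lt 7 ]
	then
		if [ "$Lang" = "fr" ]
		then
			echo "Échec"
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
			echo "Renseignez les champs suivants dans le fichier '$ifcfg' :"
			echo "Appliquez les changements : 'service network restart'"
		else
			echo "Failed"
			echo "The Internet connected network card ($EXTIF) isn't well configured."
			echo "The folowing parametres must be set in the file '$ifcfg' :"
			echo "Apply the new configuration 'service network restart'"
		fi
		echo "DEVICE=$EXTIF"
		echo "IPADDR="
		echo "NETMASK="
		echo "GATEWAY="
		echo "DNS1="
		echo "DNS2="
		echo "ONBOOT=yes"
		exit 1
	fi
	echo -n "."
# Ethernet link state of both interfaces (word-splitting of EXTIF/INTIF is intended)
	local iface link_ethtool link_mii
	for iface in $EXTIF $INTIF
	do
		/sbin/ip link set "$iface" up
		sleep 3
		link_ethtool=$(/usr/sbin/ethtool "$iface" | grep 'Link detected' | awk '{print $NF}')
		link_mii=$(/sbin/mii-tool "$iface" | grep link | awk '{print $NF}')
		# give up only when neither tool reports the link as up; with the unquoted
		# test of the previous revision a missing ethtool made "[" error out and
		# the check silently passed
		if [ "$link_ethtool" != "yes" ] && [ "$link_mii" != "ok" ]
		then
			if [ "$Lang" = "fr" ]
			then
				echo "Échec"
				echo "Le lien réseau de la carte $iface n'est pas actif."
				echo "Réglez ce problème puis relancez ce script."
			else
				echo "Failed"
				echo "The link state of $iface interface id down."
				echo "Resolv this problem, then restart this script."
			fi
			exit 1
		fi
		echo -n "."
	done
# Exactly one default route (the ISP box) must exist
	if [ "$(ip route list | grep -c '^default')" -ne 1 ]
	then
		if [ "$Lang" = "fr" ]
		then
			echo "Échec"
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
			echo "Réglez ce problème puis relancez ce script."
		else
			echo "Failed"
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
			echo "Resolv this problem, then restart this script."
		fi
		exit 1
	fi
	echo -n "."
# The default gateway must answer ARP on EXTIF
	IP_GW=$(ip route list | grep '^default' | cut -d" " -f3)
	local arp_reply
	# arping prints "Received N response(s)"; an empty value (arping missing) counts as no reply
	arp_reply=$(/usr/sbin/arping -b -I"$EXTIF" -c1 -w2 "$IP_GW" | grep response | cut -d" " -f2)
	if [ "${arp_reply:-0}" -eq 0 ]
	then
		if [ "$Lang" = "fr" ]
		then
			echo "Échec"
			echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
			echo "Réglez ce problème puis relancez ce script."
		else
			echo "Failed"
			echo "The Internet gateway doesn't answered"
			echo "Resolv this problem, then restart this script."
		fi
		exit 1
	fi
	echo -n "."
# Internet connectivity: fetch one page through the default route.
# mktemp replaces the fixed /tmp/con_ok.html the previous revision rm'ed and
# rewrote as root (symlink race); -m bounds the wait on a dead uplink.
	local probe
	probe=$(mktemp /tmp/con_ok.XXXXXX) || exit 1
	if ! /usr/bin/curl -s -m 30 -o "$probe" www.google.fr || [ ! -s "$probe" ]
	then
		rm -f "$probe"
		if [ "$Lang" = "fr" ]
		then
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
			echo "Vérifiez la validité des adresses IP des DNS."
		else
			echo "The Internet connection try failed (google.fr)."
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
			echo "Verify the DNS IP addresses"
		fi
		exit 1
	fi
	rm -f "$probe"
	echo ". : ok"
} # end of testing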
 
##################################################################
##			Function "init"				##
## - Creation of the passwords file ("/root/ALCASAR-passwords.txt")	##
## - Installation and adaptation of the portal scripts		##
##################################################################
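init ()
{
	# Ask for the organisation name (install mode only), generate the random
	# passwords and shared secrets, copy the ALCASAR scripts into place and
	# write the central configuration file.
	# Globals read   : mode, Lang, PASSWD_FILE, DIR_SCRIPTS, DIR_CONF, DIR_DEST_BIN,
	#                  DIR_DEST_SBIN, DIR_DEST_ETC, DB_RADIUS, DB_USER, CONF_FILE,
	#                  DATE, VERSION, DOMAIN, SED
	# Globals written: ORGANISME, grubpwd, mysqlpwd, radiuspwd, secretuam,
	#                  secretradius (all reused by later functions)
	if [ "$mode" != "update" ]
	then
# Ask for the organisation name: letters, digits and '-' only, because it ends
# up in /etc/hosts and in the central conf file
		header_install
		ORGANISME=""
		until [[ "$ORGANISME" =~ ^[a-zA-Z0-9-]+$ ]]
		do
			if [ "$Lang" = "fr" ]
				then echo -n "Entrez le nom de votre organisme : "
				else echo -n "Enter the name of your organism : "
			fi
			read -r ORGANISME
		done
	fi
# Random passwords and shared secrets
	rm -f "$PASSWD_FILE"
	# create the file root-only *before* any secret is written into it; the
	# previous revision chmod'ed it only after the last write
	( umask 077 && : > "$PASSWD_FILE" )
	grubpwd=$(alcasar_random_secret)
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " >> "$PASSWD_FILE"
	echo "$grubpwd" >> "$PASSWD_FILE"
	# GRUB legacy "password --md5" wants an MD5-crypt hash; the password is fed on
	# stdin so it does not show up in the process list
	md5_grubpwd=$(echo "$grubpwd" | /usr/bin/openssl passwd -1 -stdin)
	$SED "/^password.*/d" /boot/grub/menu.lst
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
	mysqlpwd=$(alcasar_random_secret)
	echo -n "Name and password of Mysql/mariadb administrator : " >> "$PASSWD_FILE"
	echo "root / $mysqlpwd" >> "$PASSWD_FILE"
	radiuspwd=$(alcasar_random_secret)
	echo -n "Name and password of Mysql/mariadb user : " >> "$PASSWD_FILE"
	echo "$DB_USER / $radiuspwd" >> "$PASSWD_FILE"
	secretuam=$(alcasar_random_secret)
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> "$PASSWD_FILE"
	echo "$secretuam" >> "$PASSWD_FILE"
	secretradius=$(alcasar_random_secret)
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> "$PASSWD_FILE"
	echo "$secretradius" >> "$PASSWD_FILE"
	chmod 640 "$PASSWD_FILE"
# Scripts and conf files copy
#  - in /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
	cp -f "$DIR_SCRIPTS"/alcasar* "$DIR_DEST_BIN"/. ; chown root:root "$DIR_DEST_BIN"/alcasar* ; chmod 740 "$DIR_DEST_BIN"/alcasar*
#  - in /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
	cp -f "$DIR_SCRIPTS"/sbin/alcasar* "$DIR_DEST_SBIN"/. ; chown root:root "$DIR_DEST_SBIN"/alcasar* ; chmod 740 "$DIR_DEST_SBIN"/alcasar*
#  - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
#    NOTE(review): root:apache with mode 660 lets the web server rewrite every one of
#    these files, alcasar-iptables-local.sh included — confirm that is intended for all of them
	cp -f "$DIR_CONF"/etc/alcasar* "$DIR_DEST_ETC"/. ; chown root:apache "$DIR_DEST_ETC"/alcasar* ; chmod 660 "$DIR_DEST_ETC"/alcasar*
	# the secrets are alphanumeric, so they are safe inside these sed expressions
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" "$DIR_DEST_SBIN/alcasar-logout.sh"
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" "$DIR_DEST_SBIN/alcasar-mysql.sh"
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" "$DIR_DEST_SBIN/alcasar-mysql.sh" "$DIR_DEST_BIN/alcasar-conf.sh"
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" "$DIR_DEST_SBIN/alcasar-mysql.sh" "$DIR_DEST_BIN/alcasar-conf.sh"
# generate central conf file
	cat <<EOF > "$CONF_FILE"
##########################################
##                                      ##
##          ALCASAR Parameters          ##
##                                      ##
##########################################

INSTALL_DATE=$DATE
VERSION=$VERSION
ORGANISM=$ORGANISME
DOMAIN=$DOMAIN
EOF
	chmod o-rwx "$CONF_FILE"
} # End of init ()

# Print a random secret made of N alphanumeric characters read from /dev/urandom.
# N defaults to 8 (about 47 bits) as in the previous revision: the GRUB password is
# typed by hand and the length limits of the other consumers are not known here.
# NOTE(review): consider a longer default for the machine-only secrets.
# Arguments: $1 - number of characters (optional, default 8)
# Outputs  : the secret on stdout, without a trailing newline
alcasar_random_secret ()
{
	tr -dc '[:alnum:]' < /dev/urandom | head -c"${1:-8}"
}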
 
##################################################################
##			Function "network"			##
## - Definition of the consultation network addressing plan	##
## - DNS naming of the system					##
## - Configuration of the INTIF interface (consultation network)##
## - Modification of the /etc/hosts file			##
## - Configuration of the time server (NTP)			##
## - Filling of the hosts.allow and hosts.deny files		##
##################################################################
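network ()
{
	# Consultation-LAN addressing plan, host naming, ifcfg files for EXTIF and
	# INTIF, /etc/hosts, NTP, TCP wrappers and the netfilter script variables.
	# Globals read   : mode, Lang, HOSTNAME, DOMAIN, EXTIF, INTIF, MTU, ETHTOOL_OPTS,
	#                  DEFAULT_PRIVATE_IP_MASK, PUBLIC_IP and PUBLIC_GATEWAY (set by
	#                  testing()), ORGANISME (set by init()), CONF_FILE, DIR_DEST_BIN,
	#                  DIR_DEST_ETC, SED
	# Globals written: PRIVATE_*, PUBLIC_*, DNS1, DNS2, classe* (reused later on)
	# Fix: the hosts.deny backup guard tested "/etc/host.deny.default" (no 's') but
	# wrote "/etc/hosts.deny.default", so the pristine copy was overwritten on every
	# run; both names now agree.
	header_install
	if [ "$mode" != "update" ]
		then
		if [ "$Lang" = "fr" ]
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		fi
		response=0
		PTN='^[oOyYnN]$'
		until [[ $(expr "$response" : "$PTN") -gt 0 ]]
		do
			if [ "$Lang" = "fr" ]
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
			fi
			read -r response
		done
		if [ "$response" = "n" ] || [ "$response" = "N" ]
		then
			PRIVATE_IP_MASK="0"
			# dotted quad (each octet 0-255) followed by "/" and a 1- or 2-digit prefix
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
			until [[ $(expr "$PRIVATE_IP_MASK" : "$PTN") -gt 0 ]]
			do
				if [ "$Lang" = "fr" ]
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
				fi
				read -r PRIVATE_IP_MASK
			done
		else
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		fi
	else
		# update mode: reuse the address of the previous install (path relative to DIR_INSTALL)
		PRIVATE_IP_MASK=$(grep PRIVATE_IP conf/etc/alcasar.conf | cut -d"=" -f2)
		rm -rf conf/etc/alcasar.conf
	fi
# Define LAN side global parameters
	hostname "$HOSTNAME.$DOMAIN"
	echo "$HOSTNAME.$DOMAIN" > /etc/hostname
	PRIVATE_NETWORK=$(/bin/ipcalc -n "$PRIVATE_IP_MASK" | cut -d"=" -f2)				# private network address (ie.: 192.168.182.0)
	PRIVATE_NETMASK=$(/bin/ipcalc -m "$PRIVATE_IP_MASK" | cut -d"=" -f2)				# private network mask (ie.: 255.255.255.0)
	PRIVATE_IP=$(echo "$PRIVATE_IP_MASK" | cut -d"/" -f1)						# ALCASAR private ip address (consultation LAN side)
	PRIVATE_PREFIX=$(/bin/ipcalc -p "$PRIVATE_IP_MASK" | cut -d"=" -f2)				# network prefix (ie. 24)
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
	classe=$((PRIVATE_PREFIX/8)); classe_sup=$((classe + 1)); classe_sup_sup=$((classe + 2))	# whole octets in the prefix (ie.: 2=class B, 3=class C)
	PRIVATE_NETWORK_SHORT=$(echo "$PRIVATE_NETWORK" | cut -d"." -f1-"$classe").			# hosts.allow / hosts.deny form (ie.: 192.168.182.)
	PRIVATE_BROADCAST=$(/bin/ipcalc -b "$PRIVATE_NETWORK_MASK" | cut -d"=" -f2)			# private network broadcast (ie.: 192.168.182.255)
	private_network_ending=$(echo "$PRIVATE_NETWORK" | cut -d"." -f"$classe_sup")			# last octet of LAN address
	private_broadcast_ending=$(echo "$PRIVATE_BROADCAST" | cut -d"." -f"$classe_sup")		# last octet of LAN broadcast
	# NOTE(review): the three addresses below always keep the first three octets, so they
	# are only right for a /24-style plan (the default); "classe" is not used here — confirm
	PRIVATE_FIRST_IP=$(echo "$PRIVATE_NETWORK" | cut -d"." -f1-3)"."$((private_network_ending + 1))		# First network address (ex.: 192.168.182.1)
	PRIVATE_SECOND_IP=$(echo "$PRIVATE_NETWORK" | cut -d"." -f1-3)"."$((private_network_ending + 2))	# second network address (ex.: 192.168.182.2)
	PRIVATE_LAST_IP=$(echo "$PRIVATE_BROADCAST" | cut -d"." -f1-3)"."$((private_broadcast_ending - 1))	# last network address (ex.: 192.168.182.254)
	PRIVATE_MAC=$(/sbin/ip link show "$INTIF" | grep ether | cut -d" " -f6)				# MAC address of INTIF
# Define Internet parameters
	# keep a pristine copy of the EXTIF config; DNS servers and netmask are read from it
	[ -e "/etc/sysconfig/network-scripts/default-ifcfg-$EXTIF" ] || cp "/etc/sysconfig/network-scripts/ifcfg-$EXTIF" "/etc/sysconfig/network-scripts/default-ifcfg-$EXTIF"
	DNS1=$(grep DNS1 "/etc/sysconfig/network-scripts/default-ifcfg-$EXTIF" | cut -d"=" -f2) 	# 1st DNS @ip
	DNS2=$(grep DNS2 "/etc/sysconfig/network-scripts/default-ifcfg-$EXTIF" | cut -d"=" -f2) 	# 2nd DNS @ip
	DNS1=${DNS1:=208.67.220.220}	# fall back to OpenDNS when the ifcfg file has no DNS entry
	DNS2=${DNS2:=208.67.222.222}
	PUBLIC_NETMASK=$(grep NETMASK "/etc/sysconfig/network-scripts/default-ifcfg-$EXTIF" | cut -d"=" -f2)
	DEFAULT_PUBLIC_NETMASK=$(ipcalc -m "$PUBLIC_IP" | cut -d"=" -f2)	# mask ipcalc derives from the address alone, used when ifcfg has no NETMASK
	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
	PUBLIC_PREFIX=$(/bin/ipcalc -p "$PUBLIC_IP" "$PUBLIC_NETMASK" | cut -d"=" -f2)
	PUBLIC_NETWORK=$(/bin/ipcalc -n "$PUBLIC_IP/$PUBLIC_PREFIX" | cut -d"=" -f2)
	{
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX"
		echo "PUBLIC_MTU=$MTU"
		echo "GW=$PUBLIC_GATEWAY"
		echo "DNS1=$DNS1"
		echo "DNS2=$DNS2"
		echo "PRIVATE_IP=$PRIVATE_IP_MASK"
		echo "DHCP=full"
		echo "EXT_DHCP_IP=none"
		echo "RELAY_DHCP_IP=none"
		echo "RELAY_DHCP_PORT=none"
	} >> "$CONF_FILE"
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
# config network
	cat <<EOF > /etc/sysconfig/network
NETWORKING=yes
HOSTNAME="$HOSTNAME.$DOMAIN"
FORWARD_IPV4=true
EOF
# config /etc/hosts
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
	cat <<EOF > /etc/hosts
127.0.0.1	localhost
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
EOF
# Config EXTIF (Internet): the box resolves through its own dnsmasq (DNS1=127.0.0.1)
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=static
IPADDR=$PUBLIC_IP
NETMASK=$PUBLIC_NETMASK
GATEWAY=$PUBLIC_GATEWAY
DNS1=127.0.0.1
ONBOOT=yes
METRIC=10
NOZEROCONF=yes
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
MTU=$MTU
EOF
# Config INTIF (consultation LAN) in normal mode: no address, coova-chilli owns it
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
DEVICE=$INTIF
BOOTPROTO=static
ONBOOT=yes
NOZEROCONF=yes
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
ETHTOOL_OPTS=$ETHTOOL_OPTS
EOF
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
DEVICE=$INTIF
BOOTPROTO=static
IPADDR=$PRIVATE_IP
NETMASK=$PRIVATE_NETMASK
ONBOOT=yes
METRIC=10
NOZEROCONF=yes
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
EOF
# Initial clock step at boot
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
	cat <<EOF > /etc/ntp/step-tickers
0.fr.pool.ntp.org	# adapt to your country
1.fr.pool.ntp.org
2.fr.pool.ntp.org
EOF
# Time server configuration (serves the consultation LAN)
	# NOTE(review): there is no "restrict default ..." line, so ntpd answers any client
	# that reaches it (EXTIF included) unless netfilter blocks udp/123 — confirm it does
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
	cat <<EOF > /etc/ntp.conf
server 0.fr.pool.ntp.org	# adapt to your country
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 127.127.1.0   		# local clock si NTP internet indisponible ...
fudge 127.127.1.0 stratum 10
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
restrict 127.0.0.1
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log
EOF

	chown -R ntp:ntp /var/lib/ntp
# hosts.allow and hosts.deny (TCP wrappers)
	# NOTE(review): "sshd: ALL" means TCP wrappers never restrict ssh; any restriction
	# has to come from the netfilter rules (alcasar-iptables.sh)
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
	cat <<EOF > /etc/hosts.allow
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
sshd: ALL
ntpd: $PRIVATE_NETWORK_SHORT
EOF
	# every other wrapped service is refused and a mail is sent to "security"
	[ -e /etc/hosts.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
	cat <<EOF > /etc/hosts.deny
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
EOF
# Firewall config
	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" "$DIR_DEST_BIN/alcasar-iptables.sh" "$DIR_DEST_BIN/alcasar-iptables-bypass.sh"
	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" "$DIR_DEST_BIN/alcasar-iptables.sh" "$DIR_DEST_BIN/alcasar-iptables-bypass.sh"
	chmod o+r "$DIR_DEST_BIN/alcasar-iptables.sh" # readable by apache (PHP page of the network filter)
# create the filter exception file and ip_bloqued file
	touch "$DIR_DEST_ETC/alcasar-filter-exceptions"
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > "$DIR_DEST_ETC/alcasar-ip-blocked"
# load conntrack ftp module (guarded so a re-run does not append duplicates)
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
	grep -q '^ip_conntrack_ftp$' /etc/modprobe.preload || echo "ip_conntrack_ftp" >> /etc/modprobe.preload
# load ipt_NETFLOW module
	grep -q '^ipt_NETFLOW$' /etc/modprobe.preload || echo "ipt_NETFLOW" >> /etc/modprobe.preload
#
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
} # End of network ()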
 
##################################################################
##			Function "ACC"				##
## - installation of the management centre (ALCASAR Control Center)	##
## - configuration of the web server (Apache)			##
## - definition of the first management account			##
## - access hardening						##
##################################################################
ACC ()
1 root 515
{
516
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
517
	mkdir $DIR_WEB
518
# Copie et configuration des fichiers du centre de gestion
316 richard 519
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972 richard 520
	echo "$VERSION" > $DIR_WEB/VERSION
316 richard 521
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
522
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
523
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
524
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
525
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5 franck 526
	chown -R apache:apache $DIR_WEB/*
1342 richard 527
	for i in system_backup base logs/firewall logs/httpd logs/security;
1 root 528
	do
529
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
530
	done
5 franck 531
	chown -R root:apache $DIR_SAVE
71 richard 532
# Configuration et sécurisation php
533
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
534 richard 534
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
535
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411 richard 536
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
537
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71 richard 538
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
539
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
540
# Configuration et sécurisation Apache
790 richard 541
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1 root 542
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243 richard 543
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303 richard 544
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1 root 545
	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
546
	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
547
	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790 richard 548
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
549
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
550
	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
551
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
552
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
553
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990 franck 554
	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1359 richard 555
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
556
	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
557
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
558
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
559
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
560
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1 root 561
</body>
562
</html>
563
EOF
564
# Définition du premier compte lié au profil 'admin'
509 richard 565
	header_install
510 richard 566
	if [ "$mode" = "install" ]
567
	then
613 richard 568
		admin_portal=!
569
		PTN='^[a-zA-Z0-9-]*$'
570
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
571
                	do
572
			header_install
573
			if [ $Lang == "fr" ]
574
			then 
575
				echo ""
576
				echo "Définissez un premier compte d'administration du portail :"
577
				echo
578
				echo -n "Nom : "
579
			else
580
				echo ""
581
				echo "Define the first account allow to administrate the portal :"
582
				echo
583
				echo -n "Account : "
584
			fi
585
			read admin_portal
586
			if [ "$admin_portal" == "" ]
587
				then
588
				admin_portal=!
589
			fi
590
			done
1268 richard 591
# Creation of keys file for the admin account ("admin")
510 richard 592
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
593
		mkdir -p $DIR_DEST_ETC/digest
594
		chmod 755 $DIR_DEST_ETC/digest
595
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
596
			do
1350 richard 597
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510 richard 598
			done
599
		$DIR_DEST_SBIN/alcasar-profil.sh --list
600
	fi
434 richard 601
# synchronisation horaire
602
	ntpd -q -g &
1 root 603
# Sécurisation du centre
988 franck 604
	rm -f /etc/httpd/conf/webapps.d/alcasar*
1 root 605
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316 richard 606
<Directory $DIR_ACC>
1 root 607
	SSLRequireSSL
608
	AllowOverride None
609
	Order deny,allow
610
	Deny from all
611
	Allow from 127.0.0.1
612
	Allow from $PRIVATE_NETWORK_MASK
990 franck 613
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
	require valid-user
	AuthType digest
	AuthName $HOSTNAME.$DOMAIN
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_DEST_ETC/digest/key_all
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
<Directory $DIR_ACC/admin>
	SSLRequireSSL
	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
	require valid-user
	AuthType digest
	AuthName $HOSTNAME.$DOMAIN
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
<Directory $DIR_ACC/manager>
	SSLRequireSSL
	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
	require valid-user
	AuthType digest
	AuthName $HOSTNAME.$DOMAIN
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
<Directory $DIR_ACC/backup>
	SSLRequireSSL
	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
	require valid-user
	AuthType digest
	AuthName $HOSTNAME.$DOMAIN
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
Alias /save/ "$DIR_SAVE/"
<Directory $DIR_SAVE>
	SSLRequireSSL
	Options Indexes
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
	require valid-user
	AuthType digest
	AuthName $HOSTNAME.$DOMAIN
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
</Directory>
EOF
} # End of ACC()
 
##########################################################################################
##				Fonction "CA"						##
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
##########################################################################################
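CA ()
{
# Create the ALCASAR certification authority and the apache server certificate
# (both done by alcasar-CA.sh), then point the default SSL vhost at them.
# Inputs (globals): $SED, $INTIF, $DIR_DEST_BIN
# Returns: 1 if no default SSL vhost file can be found, 0 otherwise
	local vhost_ssl
# the CA helper reads the interface config file; make it use the real internal interface
	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
	$DIR_DEST_BIN/alcasar-CA.sh
# NOTE(review): this makes everything under /etc/pki group-readable by apache,
# including whatever private keys alcasar-CA.sh wrote there (the CA key does not
# need to be readable by the web server) -- check the key files get a tighter mode.
	chown -R root:apache /etc/pki
	chmod -R 750 /etc/pki
# Locate the default SSL vhost. The glob is quoted so the shell cannot expand it
# against the current directory before 'find' sees it; the first match is used.
	vhost_ssl=$(find /etc/httpd/conf -type f -name '*default_ssl_vhost.conf' | head -n 1)
	if [ -z "$vhost_ssl" ]
	then
# without this guard the sed calls below would run with no file name and read stdin
		echo "CA(): no *default_ssl_vhost.conf found under /etc/httpd/conf, SSL vhost left unchanged" >&2
		return 1
	fi
	[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp "$vhost_ssl" /etc/httpd/conf/vhosts-ssl.default
	$SED "s?localhost.crt?alcasar.crt?g" "$vhost_ssl"
	$SED "s?localhost.key?alcasar.key?g" "$vhost_ssl"
	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" "$vhost_ssl"
	return 0
} # End CA ()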
 
##########################################################################################
##			Fonction "init_db"						##
## - Initialisation de la base Mysql							##
## - Affectation du mot de passe de l'administrateur (root)				##
## - Suppression des bases et des utilisateurs superflus				##
## - Création de la base 'radius'							##
## - Installation du schéma de cette base						##
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
##########################################################################################
init_db ()
{
# Initialise MariaDB for ALCASAR: wipe any previous data directory, bind the
# server to loopback, set the root password, drop the stock 'test'/'tmp'
# databases and the anonymous / remote root accounts, create the radius database
# and user, load the empty schema and hook alcasar-mysql.sh into the systemd unit.
# Inputs (globals): $SED, $mysqlpwd, $radiuspwd, $DB_RADIUS, $DB_USER, $DIR_CONF
	rm -rf /var/lib/mysql # to be sure that there is no former installation
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
# only local clients (freeradius, freeradius-web, the ACC) talk to the server
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
	systemctl start mysqld.service
# fixed delay instead of a readiness check: on a slow host the mysqladmin call
# below can still run before the server accepts connections
	sleep 4
# NOTE(review): here and in $MYSQL the password is passed on the command line,
# so it is visible in the process list while each command runs
	mysqladmin -u root password $mysqlpwd
# $MYSQL deliberately ends with '--exec': each '$MYSQL="<sql>"' below is
# word-split by the shell and the '=<sql>' part glues onto that last word,
# which yields '--exec=<sql>'
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
# Secure the server
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
# Create 'radius' database
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
# Add an empty radius database structure
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
# modify the start script in order to close accounting connexion when the system is comming down or up
# NOTE(review): systemd does not run Exec*= lines through a shell, so the
# '[ -e ... ] && ...' form is unlikely to work as written (it would need
# '/bin/sh -c "..."') -- confirm on the target systemd. Also, once the first sed
# has inserted a second 'ExecStartPost=' line, the second sed matches both of
# them and inserts 'ExecStop=' twice (assuming /lib and /usr/lib are the same tree).
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
	systemctl daemon-reload
} # End init_db ()
 
##########################################################################
##			Fonction "param_radius"				##
## - Paramètrage des fichiers de configuration FreeRadius		##
## - Affectation du secret partagé entre coova-chilli et freeradius	##
## - Modification de fichier de conf pour l'accès à Mysql		##
##########################################################################
param_radius ()
{
# Configure FreeRADIUS: run as the 'radius' user, no proxying, no EAP, listen on
# loopback only, SQL module against the ALCASAR database, ALCASAR virtual server.
# Some files get group 'apache' read/write so the ACC (PHP) can edit them.
# Inputs (globals): $SED, $DIR_CONF, $DB_USER, $DB_RADIUS, $radiuspwd, $secretradius
	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
	chown -R radius:radius /etc/raddb
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
# Set radius.conf parameters
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
# remove the proxy function
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
# remove EAP module
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
# listen on loopback (should be modified later if EAP enabled)
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
# enable the  SQL module (and SQL counter)
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
# remove the stock virtual servers and copy our conf file
	rm -f /etc/raddb/sites-enabled/*
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
# NOTE(review): the web server can rewrite the ldap module and the ALCASAR
# virtual server, so a compromise of the ACC reaches the authentication path
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # rw rights for apache (ldap module)
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
# Not used by ALCASAR, but a radius package update recreates these links ... so they are forced to exist as empty files
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
# clients.conf configuration (127.0.0.1 is enough; a second client was kept in
# mind for future EAP support, but only the loopback client is written below).
# The file is overwritten in place, so it keeps the radius:radius ownership set above.
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
	cat << EOF > /etc/raddb/clients.conf
client 127.0.0.1 {
	secret = $secretradius
	shortname = localhost
}
EOF
# sql.conf modification. NOTE(review): this file now holds the database
# password; only its owner was changed by the chown -R above, its mode is
# whatever the package shipped -- check it is not world-readable.
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
# counter.conf modification (change the Max-All-Session-Time counter)
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
# the two cp above ran as root: give the files back to radius
	chown -R radius:radius /etc/raddb/sql/mysql/*
# make certain that mysql is up before radius start
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
	systemctl daemon-reload
} # End param_radius ()
 
##########################################################################
##			Function "param_web_radius"			##
## - Import, modification et paramètrage de l'interface "dialupadmin"	##
## - Création du lien vers la page de changement de mot de passe        ##
##########################################################################
param_web_radius ()
{
# Install the user-management interface ("dialupadmin" from freeradius-web)
# under $DIR_ACC/manager, point it at the ALCASAR database and register the
# user password-change page in the apache config written by ACC().
# Inputs (globals): $SED, $DIR_ACC, $DIR_INSTALL, $DIR_CONF, $DIR_WEB, $DOMAIN,
#   $DB_USER, $radiuspwd, $ORGANISME, $PRIVATE_IP, $PRIVATE_NETWORK_MASK,
#   $HOSTNAME
# copy of the original interface into the ALCASAR tree
	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 
	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
# copy of the modified files (overlaid on top of the stock ones)
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
	chown -R apache:apache $DIR_ACC/manager/
# Configuration files modification
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
# NOTE(review): admin.conf now holds the database password; the chown -R below
# changes the owner only, so its mode stays whatever the package shipped
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
	[ -e /etc/freeradius-web/config.php.default ] || cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
# single NAS entry: the portal itself (the SNMP community is the stock 'public';
# finger/SNMP lookups are disabled above)
	cat <<EOF > /etc/freeradius-web/naslist.conf
nas1_name: alcasar-$ORGANISME
nas1_model: Portail captif
nas1_ip: $PRIVATE_IP
nas1_port_num: 0
nas1_community: public
EOF
# Attributes shown when creating a user or a group
	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
# Mapping of the chillispot attributes
	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
# Attributes shown on the statistics pages (NAS_IP and NAS_port removed)
	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
	chown -R apache:apache /etc/freeradius-web
# Alias to the "user password change" page. Appended to the file created by
# ACC(), so this function must run after it. Unlike the ACC directories this
# one has no digest auth: it is the page end users reach with their own account,
# still HTTPS only and restricted to the LAN side.
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
<Directory $DIR_WEB/pass>
	SSLRequireSSL
	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
</Directory>
EOF
} # End of param_web_radius ()
 
##################################################################################
##			Fonction "param_chilli"					##
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
## - Paramètrage de la page d'authentification (intercept.php)			##
##################################################################################
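param_chilli ()
{
# Write the SysV init script for coova-chilli, its /etc/chilli.conf and the
# helper files it includes, push the UAM secret into intercept.php and create
# the 'chilli' system account.
# Inputs (globals): $INTIF, $PRIVATE_NETWORK_MASK, $PRIVATE_IP, $PRIVATE_MAC,
#   $PRIVATE_SECOND_IP, $DOMAIN, $HOSTNAME, $DIR_DEST_ETC, $DIR_DEST_BIN,
#   $DIR_WEB, $secretradius, $secretuam, $SED
# init file creation. The here-document is unquoted on purpose: $INTIF is
# expanded now so the init script hard-codes the internal interface, and every
# variable that must be evaluated when the init script runs is escaped (\$).
# (RETVAL=\$? and rm -f \$pidfile used to be unescaped and were therefore
# expanded at install time: the stop action never removed the pid file.)
	[ -e /etc/init.d/chilli.default ] || cp /etc/init.d/chilli /etc/init.d/chilli.default
	cat <<EOF > /etc/init.d/chilli
#!/bin/sh
#
# chilli CoovaChilli init
#
# chkconfig: 2345 65 35
# description: CoovaChilli
### BEGIN INIT INFO
# Provides:       chilli
# Required-Start: network 
# Should-Start: 
# Required-Stop:  network
# Should-Stop: 
# Default-Start:  2 3 5
# Default-Stop:
# Description:    CoovaChilli access controller
### END INIT INFO
 
[ -f /usr/sbin/chilli ] || exit 0
. /etc/init.d/functions
CONFIG=/etc/chilli.conf
pidfile=/var/run/chilli.pid
[ -f \$CONFIG ] || {
    echo "\$CONFIG Not found"
    exit 0
}
RETVAL=0
prog="chilli"
case \$1 in
    start)
	if [ -f \$pidfile ] ; then 
		gprintf "chilli is already running"
	else
        	gprintf "Starting \$prog: "
		rm -f /var/run/chilli* # cleaning
        	/sbin/modprobe tun >/dev/null 2>&1
        	echo 1 > /proc/sys/net/ipv4/ip_forward
		[ -e /dev/net/tun ] || {
	    	(cd /dev; 
			mkdir net; 
			cd net; 
			mknod tun c 10 200)
		}
		ifconfig $INTIF 0.0.0.0
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
        	RETVAL=\$?
	fi
	;;
 
    reload)
	killall -HUP chilli
	;;
 
    restart)
	\$0 stop
        sleep 2
	\$0 start
	;;
 
    status)
        status chilli
        RETVAL=0
        ;;
 
    stop)
	if [ -f \$pidfile ] ; then  
        	gprintf "Shutting down \$prog: "
		killproc /usr/sbin/chilli
		RETVAL=\$?
		[ \$RETVAL = 0 ] && rm -f \$pidfile
	else	
        	gprintf "chilli is not running"
	fi
	;;
 
    *)
        echo "Usage: \$0 {start|stop|restart|reload|status}"
        exit 1
esac
echo
EOF
 
# conf file creation. The file is overwritten in place, so it keeps the mode the
# package gave it.
# NOTE(review): it carries the RADIUS and UAM shared secrets, so it should not be
# world-readable -- check the mode after install.
# NOTE(review): 'pidfile' here (/var/run/chilli.$INTIF.pid) differs from the
# --pidfile the init script passes (/var/run/chilli.pid); the command line is
# presumably what wins -- confirm.
# NOTE(review): 'macauth' with 'macpasswd password' means every client MAC is
# tried against RADIUS with that fixed password; any account created with it is
# logged in by MAC address alone -- confirm against the coova-chilli docs.
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
	cat <<EOF > /etc/chilli.conf
# coova config for ALCASAR
cmdsocket	/var/run/chilli.sock
unixipc		chilli.$INTIF.ipc
pidfile		/var/run/chilli.$INTIF.pid
net		$PRIVATE_NETWORK_MASK
dhcpif		$INTIF
ethers		$DIR_DEST_ETC/alcasar-ethers
#nodynip
#statip
dynip		$PRIVATE_NETWORK_MASK
domain		$DOMAIN
dns1		$PRIVATE_IP
dns2		$PRIVATE_IP
uamlisten	$PRIVATE_IP
uamport		3990
macauth
macpasswd	password
locationname	$HOSTNAME.$DOMAIN
radiusserver1	127.0.0.1
radiusserver2	127.0.0.1
radiussecret	$secretradius
radiusauthport	1812
radiusacctport	1813
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
radiusnasid	$HOSTNAME.$DOMAIN
uamsecret	$secretuam
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
coaport		3799
#conup		$DIR_DEST_BIN/alcasar-conup.sh
#condown	$DIR_DEST_BIN/alcasar-condown.sh
include		$DIR_DEST_ETC/alcasar-uamallowed
include		$DIR_DEST_ETC/alcasar-uamdomain
#dhcpgateway
#dhcprelayagent
#dhcpgatewayport
EOF
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
# create files for trusted domains and urls (the ACC edits them, hence group apache rw)
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
	chown root:apache $DIR_DEST_ETC/alcasar-*
	chmod 660 $DIR_DEST_ETC/alcasar-*
# Intercept page configuration (secret shared with coova-chilli).
# NOTE(review): the UAM secret is written into a file under the web root; this
# is only safe as long as apache executes intercept.php and never serves its source.
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
# user 'chilli' creation (in order to run conup/off and up/down scripts).
# Match the whole login name: a bare 'grep chilli' also counted any account whose
# name or GECOS merely contains the string.
	chilli_exist=$(grep -c '^chilli:' /etc/passwd)
	if [ "$chilli_exist" = "1" ]
	then
	      userdel -r chilli 2>/dev/null
	fi
	groupadd -f chilli
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
}  # End of param_chilli ()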
 
##################################################################
##		Fonction "param_dansguardian"			##
## - Paramètrage du gestionnaire de contenu Dansguardian	##
##################################################################
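param_dansguardian ()
{
# Configure the DansGuardian content filter: off by default (reportinglevel -1),
# listening on the LAN address only, forwarding to HAVP, with the deny lists
# emptied or commented out so nothing is blocked until the administrator turns
# filtering on from the ACC. Each modified stock file gets a .default copy
# taken on first install only.
# Inputs (globals): $SED, $DIR_DG, $DIR_CONF, $PRIVATE_IP
	mkdir -p /var/dansguardian	# -p: silent when the directory already exists (re-install)
	chown dansguardian /var/dansguardian
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
# By default the filter is off
	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
# French deny HTML page
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
# Listen only on LAN side
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
# DG send its flow to HAVP
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
# replace the default deny HTML page
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
# Don't log. NOTE(review): with loglevel 0 DansGuardian keeps no access log of
# its own, so filtered requests are not traceable from this daemon.
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
# Run 10 daemons (20 in largest server)
	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
# HTML content (phrase) checking is disabled by default. The pristine phrase
# list is saved before being commented out, and only on first install: an
# unconditional cp used to overwrite the .default copy with the already
# commented version on every re-run.
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
	[ -e $DIR_DG/lists/bannedphraselist.default ] || cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # comment out every line that is not already a comment
# URL regexp checking is disabled by default (same first-install backup rule)
	[ -e $DIR_DG/lists/bannedregexpurllist.default ] || cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # comment out every line that is not already a comment
# file download control is disabled by default
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
	touch $DIR_DG/lists/bannedextensionlist
	touch $DIR_DG/lists/bannedmimetypelist
# 'Safesearch' regex actualisation (rewrites every 'images' occurrence in the list)
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
# empty LAN IP list that won't be WEB filtered
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
	touch $DIR_DG/lists/exceptioniplist
# Keep a copy of URL & domain filter configuration files
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
} # End of param_dansguardian ()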
 
##################################################################
##			Fonction "antivirus"			##
## - configuration of havp, libclamav and freshclam		##
##################################################################
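antivirus ()
{
# Configure HAVP (HTTP anti-virus proxy using libclamav) on loopback:8090, its
# system user, the block page templates, and freshclam signature updates.
# Inputs (globals): $SED, $DIR_CONF
# create 'havp' user. Match the whole login name so an unrelated account that
# merely contains 'havp' is not counted.
	havp_exist=$(grep -c '^havp:' /etc/passwd)
	if [ "$havp_exist" = "1" ]
	then
	      userdel -r havp 2>/dev/null
	      groupdel havp 2>/dev/null
	fi
	groupadd -f havp
	useradd -r -g havp -s /bin/false -c "system user for havp" havp
# /var/run/havp is created as well: it was only chown'ed before, which failed when
# the package had not created it
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on 8090 (from DansGuardian)
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
# skip checking of youtube flow (too heavy load / risk too low). Appended only
# once, so a re-install no longer stacks duplicate whitelist entries.
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
	if ! grep -qF "*.youtube.com/*" /etc/havp/whitelist
	then
		echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		echo "*.youtube.com/*" >> /etc/havp/whitelist
	fi
# replacement of init script
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
# replace of the intercept page (template)
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
# update virus database every 4 hours (24h/6)
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
# preferred mirrors, inserted before the stock DatabaseMirror line(s).
# NOTE(review): these two insertions are not idempotent -- a re-run adds them again.
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
# NOTE(review): unanchored pattern: a commented '#MaxAttempts' line stays commented
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
# Copy of the main virus database bundled with ALCASAR, then refresh it online
# (freshclam needs outbound access to the mirrors at install time)
	rm -f /var/lib/clamav/*.cld # in case of old database scheme
	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
	/usr/bin/freshclam
}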
 
##################################################################################
##			function "param_ulogd"					##
## - Ulog config for multi-log files 						##
##################################################################################
param_ulogd ()
{
# One ulogd unit and one configuration per log stream; netlink groups 1, 2 and 3
# are handed out in the order of the list below. The stock unit is cloned twice
# and then renamed for the 'traceability' stream. Log files end up root:apache
# 640 under /var/log/firewall so the ACC can read them but not write them.
# Inputs (globals): $SED
	local unit_dir=/lib/systemd/system
	local log_dir=/var/log/firewall
	local group_id=1
	local stream conf logfile
	cp -f $unit_dir/ulogd.service $unit_dir/ulogd-ssh.service
	cp -f $unit_dir/ulogd.service $unit_dir/ulogd-ext-access.service
	mv $unit_dir/ulogd.service $unit_dir/ulogd-traceability.service
	[ -d $log_dir ] || mkdir -p $log_dir
	for stream in traceability ssh ext-access
	do
		conf=/etc/ulogd-$stream.conf
		logfile=$log_dir/$stream.log
		[ -e $logfile ] || touch $logfile
		cp -f /etc/ulogd.conf $conf
		$SED "s?^nlgroup=.*?nlgroup=$group_id?g" $conf
# drop everything from the OPRINT section to the end, then append our LOGEMU output
		$SED '/OPRINT/,$d' $conf
		cat << EOF >> $conf
[LOGEMU]
file="$logfile"
sync=1
EOF
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -C $conf?g" $unit_dir/ulogd-$stream.service
		group_id=$((group_id + 1))
	done
	chown -R root:apache $log_dir
	chmod 750 $log_dir
	chmod 640 $log_dir/*
}  # End of param_ulogd ()
 
 
##########################################################
##              Function "param_nfsen"			##
##########################################################
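param_nfsen()
{
# Build and install NfSen (NetFlow front end) from the bundled tarball, add the
# PortTracker plugin, and publish the web UI under /nfsen with the same access
# policy as the other ACC directories.
# Inputs (globals): $DIR_CONF, $SED, $DIR_DEST_ETC, $PRIVATE_NETWORK_MASK,
#   $HOSTNAME, $DOMAIN
# Returns: 1 if the scratch directory cannot be created or the unpacked tree is
#   missing, 0 otherwise
# The tarball path is relative to the current directory (the other nfsen files
# come from $DIR_CONF): keep calling this function from the install tree.
	local nfsen_tmp nfsen_src
# Unpack into a private directory instead of the predictable /tmp/nfsen-1.3.6p1:
# root runs install.pl from that tree, so a directory pre-planted in /tmp by a
# local user would otherwise be executed as root.
	nfsen_tmp=$(mktemp -d) || return 1
	nfsen_src=$nfsen_tmp/nfsen-1.3.6p1
	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C "$nfsen_tmp"
# group and user creation
	if grep "^www-data:" /etc/group > /dev/null; then
		echo "Group already exists !"
	else
		groupadd www-data
		echo "Group 'www-data' created !"
	fi
	if grep "^nfsen:" /etc/passwd > /dev/null; then
		echo "User already exists !"
	else
# NOTE(review): this creates a regular account (home directory, default shell);
# confirm install.pl needs that before switching to '-r -s /bin/false'
		useradd -m nfsen
		echo "User 'nfsen' created !"
	fi
	usermod -G www-data nfsen
# nfsen plugin: PortTracker
	mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
	chown -R nfsen:www-data /var/www/nfsen
	chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
	cp -f $DIR_CONF/nfsen/PortTracker.pm "$nfsen_src/contrib/PortTracker/"
# modified nfsen configuration file
	cp $DIR_CONF/nfsen/nfsen.conf "$nfsen_src/etc/"
# nfsen systemd unit
	cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
# install nfsen with its Perl script (run twice on purpose: the first pass fails
# with a Perl "Semaphore not found" error, the second one succeeds)
	DirTmp=$(pwd)
	if ! cd "$nfsen_src"
	then
		echo "param_nfsen: $nfsen_src not found, nfsen not installed" >&2
		rm -rf "$nfsen_tmp"
		return 1
	fi
	/usr/bin/perl5 install.pl etc/nfsen.conf
	/usr/bin/perl5 install.pl etc/nfsen.conf
# rrdtool database for PortTracker
	cp "$nfsen_src/contrib/PortTracker/PortTracker.pm" /usr/share/nfsen/plugins/
	cp "$nfsen_src/contrib/PortTracker/PortTracker.php" /var/www/nfsen/plugins/
	sudo -u apache nftrack -I -d /var/log/netflow/porttracker
	chown -R apache:www-data /var/log/netflow/porttracker/
	chmod -R 775 /var/log/netflow/porttracker
# apache configuration. The web UI is an administration tool, so it gets the
# same policy as the ACC directories (HTTPS only, LAN side only, digest
# authentication against the common key file) instead of 'allow from all'
# with no authentication.
	rm -f /etc/httpd/conf/conf.d/nfsen.conf
	cat <<EOF > /etc/httpd/conf/conf.d/nfsen.conf
Alias /nfsen /var/www/nfsen
<Directory /var/www/nfsen/>
	SSLRequireSSL
	DirectoryIndex nfsen.php
	Options -Indexes
	AllowOverride all
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
	require valid-user
	AuthType digest
	AuthName $HOSTNAME.$DOMAIN
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_DEST_ETC/digest/key_all
	AddType application/x-httpd-php .php
	php_flag magic_quotes_gpc on
	php_flag track_vars on
</Directory>
EOF
# make the collector (nfcapd) listen on loopback only
	$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
# expiry of the captures of the "live" profile
	nfsen -m live -e 62d 2>/dev/null
# remove the nfsen sources
	cd $DirTmp
	rm -rf "$nfsen_tmp"
	return 0
} # End of param_nfsen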

##########################################################
##		Function "param_dnsmasq"		##
##########################################################
#######################################
# Configure the three dnsmasq instances used by ALCASAR:
#   udp/53 "forward" (also the DHCP server, used only in bypass mode),
#   udp/54 "blacklist" (conf-dir of blocked domains),
#   udp/55 "whitelist" (every name not whitelisted resolves to $PRIVATE_IP).
# Also prepares /etc/sysconfig/dnsmasq and creates the two extra systemd units.
# Globals (read): SED DIR_DEST_ETC DIR_DEST_SHARE PRIVATE_IP INTIF DOMAIN DNS1 DNS2
#                 PRIVATE_FIRST_IP PRIVATE_LAST_IP PRIVATE_NETMASK
# Outputs: writes /etc/dnsmasq*.conf, /etc/sysconfig/dnsmasq and
#          /lib/systemd/system/dnsmasq-{blacklist,whitelist}.service
#######################################
param_dnsmasq ()
{
	local flavour
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
	# keep a pristine copy of the distribution file on the first run only
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
	# Option : on pré-active les logs DNS des clients
	# NOTE(review): this substitutes every occurrence of "log-facility", not a whole line — check the result against the shipped /etc/sysconfig/dnsmasq
	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g"  /etc/sysconfig/dnsmasq
	# Option : exemple de paramètre supplémentaire pour le cache memoire
	printf '%s\n' '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
	# Option : exemple de configuration avec un A.D.
	printf '%s\n' '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
	cat > /etc/dnsmasq.conf << EOF
# Configuration file for "dnsmasq in forward mode"
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# zone de definition de noms DNS locaux
listen-address=$PRIVATE_IP
listen-address=127.0.0.1
no-dhcp-interface=$INTIF
bind-interfaces
cache-size=256
domain=$DOMAIN
domain-needed
expand-hosts
bogus-priv
filterwin2k
server=$DNS1
server=$DNS2
# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
dhcp-option=option:router,$PRIVATE_IP
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5

# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
EOF
	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
	# (the leading tab on the first comment line is reproduced as in the original file)
	cat > /etc/dnsmasq-blacklist.conf << EOF
	# Configuration file for "dnsmasq with blacklist"
# Inclusion de la blacklist <domains> de Toulouse dans la configuration
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# zone de definition de noms DNS locaux
listen-address=$PRIVATE_IP
port=54
no-dhcp-interface=$INTIF
bind-interfaces
cache-size=256
domain=$DOMAIN
domain-needed
expand-hosts
bogus-priv
filterwin2k
server=$DNS1
server=$DNS2
EOF
	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
	# "address=/#/$PRIVATE_IP" is a catch-all: any name not provided by the whitelist conf-dir is answered with the portal address
	cat > /etc/dnsmasq-whitelist.conf << EOF
	# Configuration file for "dnsmasq with whitelist"
# Inclusion de la whitelist <domains> de Toulouse dans la configuration
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# zone de definition de noms DNS locaux
listen-address=$PRIVATE_IP
port=55
no-dhcp-interface=$INTIF
bind-interfaces
cache-size=256
domain=$DOMAIN
domain-needed
expand-hosts
bogus-priv
filterwin2k
address=/#/$PRIVATE_IP
EOF
	# Create dnsmasq-blacklist and dnsmasq-whitelist unit: clone the stock unit, then
	# point ExecStart at the matching configuration file
	for flavour in blacklist whitelist
	do
		cp -f /lib/systemd/system/dnsmasq.service "/lib/systemd/system/dnsmasq-${flavour}.service"
		$SED "s?^ExecStart=.*?ExecStart=/usr/bin/dnsmasq -C /etc/dnsmasq-${flavour}.conf?g" "/lib/systemd/system/dnsmasq-${flavour}.service"
	done
	# TODO Start after chilli which create tun0
	#	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
} # End dnsmasq

##########################################################
##		Fonction "BL"				##
##########################################################
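#######################################
# Install the Toulouse blacklist shipped in the ALCASAR archive into the
# Dansguardian tree and write the base domain/URL filtering lists.
# Globals (read): DIR_DG DIR_CONF DIR_DEST_SBIN SED mode
# Outputs: files under $DIR_DG/lists/; calls alcasar-bl.sh --adapt unless
#          mode is "update"
#######################################
BL ()
{
# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
	# "${DIR_DG:?}" aborts instead of running "rm -rf /lists/blacklists" when DIR_DG is unset or empty
	rm -rf -- "${DIR_DG:?}/lists/blacklists"
	# extraction output is discarded (the archive is noisy); a failure is still reported, not hidden
	if ! tar zxf "$DIR_CONF/blacklists.tar.gz" --directory="$DIR_DG/lists/" > /dev/null 2>&1
	then
		printf 'BL: extraction of %s failed\n' "$DIR_CONF/blacklists.tar.gz" >&2
	fi
# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
	mkdir -p "$DIR_DG/lists/blacklists/ossi"
	touch "$DIR_DG/lists/blacklists/ossi/domains" "$DIR_DG/lists/blacklists/ossi/domains_wl"
	touch "$DIR_DG/lists/blacklists/ossi/urls" "$DIR_DG/lists/blacklists/ossi/urls_wl"
# On crée les fichiers vides de sites ou d'URL réhabilités
	[ -e "$DIR_DG/lists/exceptionsitelist.default" ] || mv "$DIR_DG/lists/exceptionsitelist" "$DIR_DG/lists/exceptionsitelist.default"
	[ -e "$DIR_DG/lists/exceptionurllist.default" ] || mv "$DIR_DG/lists/exceptionurllist" "$DIR_DG/lists/exceptionurllist.default"
	touch "$DIR_DG/lists/exceptionsitelist"
	touch "$DIR_DG/lists/exceptionurllist"
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
	cat <<EOF > "$DIR_DG/lists/bannedurllist"
# Dansguardian filter config for ALCASAR
EOF
	cat <<EOF > "$DIR_DG/lists/bannedsitelist"
# Dansguardian domain filter config for ALCASAR
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
#**
# block all SSL and CONNECT tunnels
**s
# block all SSL and CONNECT tunnels specified only as an IP
*ips
# block all sites specified only by an IP
*ip
EOF
# Add Bing and Youtube to the safesearch url regext list (parental control)
	# appended only once: this file is not recreated above, so a re-run (update) would stack duplicate entries
	if ! grep -q 'adlt=strict' "$DIR_DG/lists/urlregexplist" 2>/dev/null
	then
		cat <<EOF >> "$DIR_DG/lists/urlregexplist"
# Bing - add 'adlt=strict'
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
# Youtube - add 'edufilter=your_ID' 
#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&edufilter=ABCD1234567890abcdef"
EOF
	fi
# change the the google safesearch ("safe=strict" instead of "safe=vss")
	$SED "s?safe=vss?safe=strict?g" "$DIR_DG/lists/urlregexplist"
	chown -R dansguardian:apache "$DIR_DG"
	chmod -R g+rw "$DIR_DG"
# On adapte la BL de Toulouse à notre structure
	if [ "$mode" != "update" ]; then
		"$DIR_DEST_SBIN/alcasar-bl.sh" --adapt
	fi
}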

##########################################################
##		Fonction "cron"				##
## - Mise en place des différents fichiers de cron	##
##########################################################
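#######################################
# Install the ALCASAR cron/anacron jobs: rewrite /etc/crontab so run-parts
# fires at midnight, add the anacron entries, drop one file per job in
# /etc/cron.d, override the freeradius-web crontab and purge user crontabs.
# Globals (read): SED DIR_DEST_SBIN DIR_DEST_BIN
# Outputs: /etc/crontab, /etc/anacrontab, /etc/cron.d/*, /usr/bin/{truncate,clean}_radacct
#######################################
cron ()
{
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
	cat <<EOF > /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
EOF
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
	# anacrontab is appended to, not rewritten: guard so an update run does not stack the same entries again
	# NOTE(review): these entries execute files from /etc/cron.d as scripts, and alcasar-export_log / alcasar-clean_log are not created here — confirm they are still wanted
	if ! grep -q 'cron.MysqlDump' /etc/anacrontab
	then
		cat <<EOF >> /etc/anacrontab
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
7       10      cron.logExport          nice /etc/cron.d/alcasar-export_log
7       15      cron.logClean           nice /etc/cron.d/alcasar-clean_log
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
EOF
	fi

	# redirections below were "2>&1 >/dev/null" (stderr kept, stdout dropped); every other job
	# silences both, so the order is fixed to "> /dev/null 2>&1"
	cat <<EOF > /etc/cron.d/alcasar-mysql
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user > /dev/null 2>&1
EOF
	cat <<EOF > /etc/cron.d/alcasar-archive
# Archive des logs et de la base de données (tous les lundi à 5h35)
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
EOF
	cat << EOF > /etc/cron.d/alcasar-clean_import
# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
30 * * * *  root $DIR_DEST_BIN/alcasar-import-clean.sh
EOF
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
# mise à jour automatique de la distribution tous les jours 3h30
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
EOF
	#cat << EOF > /etc/cron.d/alcasar-netflow
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
#15 0 * * 1  root $DIR_DEST_BIN/alcasar-netflow.sh
#EOF

# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct') 
# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
	# "\$back_days" keeps the literal "$back_days" for sed (the perl variable in the target scripts)
	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
	rm -f /etc/cron.daily/freeradius-web
	rm -f /etc/cron.monthly/freeradius-web
	cat << EOF > /etc/cron.d/freeradius-web
1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
EOF
	cat << EOF > /etc/cron.d/alcasar-watchdog
# activation du "chien de garde" (watchdog) toutes les 3'
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
EOF
# activation du "chien de garde des services" (watchdog) toutes les 18'
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
EOF
# suppression des crons usagers
	rm -f /var/spool/cron/*
} # End cron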

##################################################################
## 			Fonction "Fail2Ban"			##
##- Modification de la configuration de fail2ban		##
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
##################################################################
#######################################
# Run the fail2ban configuration script and make sure the two log files it
# watches exist and are world-readable (the havp log is handled by havp's own
# init script).
# Globals (read): DIR_CONF
#######################################
fail2ban()
{
	local logfile
	"$DIR_CONF/fail2ban.sh"
	#Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
	for logfile in /var/log/fail2ban.log /var/Save/logs/security/watchdog.log
	do
		[ -e "$logfile" ] || touch "$logfile"
		chmod 644 "$logfile"
	done
} #Fin de fail2ban_install()

##################################################################
##			Fonction "post_install"			##
## - Modification des bannières (locales et ssh) et des prompts ##
## - Installation de la structure de chiffrement pour root	##
## - Mise en place du sudoers et de la sécurité sur les fichiers##
## - Mise en place de la rotation des logs			##
## - Configuration dans le cas d'une mise à jour		##
##################################################################
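#######################################
# Apply one kernel parameter now (sysctl -w) and persist it in
# /etc/sysctl.conf so the hardening survives a reboot.
# The presence check ignores commented-out lines: a "#key = x" left by the
# distribution must not be mistaken for an active setting (it would be
# "rewritten" and stay commented).
# Arguments: $1 - full sysctl key, e.g. net.ipv4.tcp_syncookies
#            $2 - value to apply
# Globals:   SED (read)
#######################################
_alcasar_persist_sysctl ()
{
	local key=$1 value=$2
	local short=${key##*.}	# last component: the token the file is searched/edited on
	sysctl -w "${key}=${value}"
	if grep -v '^[[:space:]]*#' /etc/sysctl.conf | grep -q -- "$short"
	then
		# rewrite every active line carrying this key (conf.all, conf.default, ...)
		$SED "/^[[:space:]]*#/!s?${short}.*?${short} = ${value}?g" /etc/sysctl.conf
	else
		echo "${key} = ${value}" >> /etc/sysctl.conf
	fi
}

#######################################
# Final installation step: banners, sshd/postfix tweaks, default entries of
# the ALCASAR conf file, sudoers, logrotate, boot-time services, kernel
# hardening (ANSSI), GRUB, removal of unused services/users, update handling,
# firewall rules, then reboot.
# Globals (read): SED DIR_CONF DIR_DEST_BIN DIR_DEST_SBIN DIR_DEST_ETC DIR_INSTALL
#                 CONF_FILE EXTIF INTIF VERSION PRIVATE_IP PUBLIC_IP ORGANISME
#                 PRIVATE_NETWORK PRIVATE_NETMASK Lang mode DATE HOSTNAME DOMAIN
#                 MAJ_PREVIOUS_VERSION MIN_PREVIOUS_VERSION
# Globals (written): PARENT_SCRIPT (exported, update mode only)
# Outputs: many system files; ends with "reboot"
#######################################
post_install()
{
	local dir i old_svc svc rm_users admin_portal a
# adaptation du script "chien de garde" (watchdog)
	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" "$DIR_DEST_BIN/alcasar-watchdog.sh"
	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" "$DIR_DEST_BIN/alcasar-watchdog.sh"
# création de la bannière locale
	[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default
	cp -f "$DIR_CONF/banner" /etc/mageia-release
	echo " V$VERSION" >> /etc/mageia-release
# création de la bannière SSH
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
# postfix banner anonymisation
	# \$myhostname is postfix's own macro: escaped so the shell does not expand a
	# (normally unset) shell variable and write "smtpd_banner =  ESMTP"
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
# sshd écoute côté LAN et WAN
	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
	# add the WAN address once only: sshd_config is edited in place, so a re-run (update) would
	# otherwise append a second "ListenAddress $PUBLIC_IP" after every existing one
	grep -q "^ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config || $SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
	# WEB_ANTIVIRUS, PROTOCOLS_FILTERING and DNS_FILTERING: TODO to remove
	cat <<EOF >> "$CONF_FILE"
SSH=off
SSH_ADMIN_FROM=0.0.0.0/0.0.0.0
QOS=off
LDAP=off
LDAP_IP=0.0.0.0/0.0.0.0
WEB_ANTIVIRUS=on
PROTOCOLS_FILTERING=off
DNS_FILTERING=off
YOUTUBE_ID=ABCD1234567890abcdef
MULTIWAN=off
FAILOVER=30
## WANx=active,@IPx/mask,GWx,Weight,MTUx
#WAN1="1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500"
#WAN2="1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500"
EOF
# Coloration des prompts
	[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default
	cp -f "$DIR_CONF/bashrc" /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
# Droits d'exécution pour utilisateur apache et sysadmin
	[ -e /etc/sudoers.default ] || cp /etc/sudoers /etc/sudoers.default
	cp -f "$DIR_CONF/sudoers" /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
	# sudoers was edited with sed, not visudo: a syntax error here would lock every sudo user out, so validate it
	visudo -c > /dev/null || printf 'post_install: /etc/sudoers does not pass "visudo -c", check it before rebooting\n' >&2
# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
	cp -f "$DIR_CONF"/logrotate.d/* /etc/logrotate.d/
	chmod 644 /etc/logrotate.d/*
# rectification sur versions précédentes de la compression des logs
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
# actualisation des fichiers logs compressés
	for dir in firewall dansguardian httpd
	do
		# the -name pattern must reach find unexpanded; unquoted, the shell globbed it against the cwd
		find "/var/log/$dir" -type f -name '*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' -exec gzip {} \;
	done
# create the alcasar-load_balancing unit
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.

# This unit lauches alcasar-load-balancing.sh script.
[Unit]
Description=alcasar-load_balancing.sh execution
After=network.target iptables.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
TimeoutSec=0
SysVStartPriority=99

[Install]
WantedBy=multi-user.target
EOF
# processes launched at boot time (SYSV)
	for i in chilli havp
	do
		/sbin/chkconfig --add "$i"
	done
# processes launched at boot time (Systemctl)
	for i in alcasar-load_balancing nfsen mysqld httpd ntpd iptables ulogd dnsmasq radiusd dansguardian freshclam
	do
		systemctl -q enable "$i"
	done
# Apply French Security Agency (ANSSI) rules
# ignorer les broadcast ICMP. (attaque smurf)
	# NOTE(review): the three plain "sysctl -w" below are runtime-only (not persisted), as in the original
	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# ignorer les erreurs ICMP bogus
	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# désactiver l'envoi et la réponse aux ICMP redirects
	# accept_redirects was the only key written to /etc/sysctl.d/alcasar.conf while the presence
	# check read /etc/sysctl.conf, so it was appended again on every run; all keys now use /etc/sysctl.conf
	_alcasar_persist_sysctl net.ipv4.conf.all.accept_redirects 0
	_alcasar_persist_sysctl net.ipv4.conf.all.send_redirects 0
# activer les SYN Cookies (attaque syn flood)
	_alcasar_persist_sysctl net.ipv4.tcp_syncookies 1
# activer l'antispoofing niveau Noyau
	sysctl -w net.ipv4.conf.all.rp_filter=1
# ignorer le source routing
	_alcasar_persist_sysctl net.ipv4.conf.all.accept_source_route 0
# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
	_alcasar_persist_sysctl net.netfilter.nf_conntrack_tcp_timeout_established 3600
# disable log_martians (ALCASAR is often installed between two private network addresses) 
	sysctl -w net.ipv4.conf.all.log_martians=0
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
# ???	$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
# switch to multi-users runlevel (instead of x11)
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
#	GRUB modifications
# limit wait time to 3s
# create an alcasar entry instead of linux-nonfb
# change display to 1024*768 (vga791)
	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
	$SED "/^gfxmenu/d" /boot/grub/menu.lst
# Remove unused services and users
	for old_svc in alsa sound dm
	do
		/sbin/chkconfig --del "$old_svc"
	done
	for svc in snmpd.service sshd.service
	do
		/bin/systemctl disable "$svc"
	done
	for rm_users in avahi-autoipd avahi icapd
	do
		# exact match on the login name: a substring grep of /etc/passwd also matched
		# "avahi-autoipd" when looking for "avahi", making the comparison fail
		if cut -d: -f1 /etc/passwd | grep -qx -- "$rm_users"
		then
			/usr/sbin/userdel -f "$rm_users"
		fi
	done
# Load and apply the previous conf file
	if [ "$mode" = "update" ]
	then
		"$DIR_DEST_BIN/alcasar-archive.sh" --now # exports current logs in /var/Save/logs
		"$DIR_DEST_BIN/alcasar-conf.sh" --load
		PARENT_SCRIPT=$(basename "$0")
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
		"$DIR_DEST_BIN/alcasar-conf.sh" --apply
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" "$CONF_FILE"
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" "$CONF_FILE"
		# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		if [ "$MAJ_PREVIOUS_VERSION" -lt 2 ] || { [ "$MAJ_PREVIOUS_VERSION" -eq 2 ] && [ "$MIN_PREVIOUS_VERSION" -lt 8 ]; }
		then
			header_install
			if [ "$Lang" = "fr" ]
			then
				echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
				echo
				echo -n "Nom : "
			else
				echo "This update need to redefine the first admin account"
				echo
				echo -n "Account : "
			fi
			read -r admin_portal
			[ -d "$DIR_DEST_ETC/digest" ] && rm -rf "$DIR_DEST_ETC/digest"
			mkdir -p "$DIR_DEST_ETC/digest"
			chmod 755 "$DIR_DEST_ETC/digest"
			# retry until the digest file is non-empty (htdigest prompts for the password itself)
			until [ -s "$DIR_DEST_ETC/digest/key_admin" ]
			do
				/usr/bin/htdigest -c "$DIR_DEST_ETC/digest/key_admin" "$HOSTNAME.$DOMAIN" "$admin_portal"
			done
			"$DIR_DEST_SBIN/alcasar-profil.sh" --list
		fi
	fi
	rm -f /tmp/alcasar-conf*
	chown -R root:apache "$DIR_DEST_ETC"/*
	chmod -R 660 "$DIR_DEST_ETC"/*
	chmod ug+x "$DIR_DEST_ETC/digest"
# Apply and save the firewall rules
	sh "$DIR_DEST_BIN/alcasar-iptables.sh"
	sleep 2
	cd "$DIR_INSTALL"
	echo ""
	echo "#############################################################################"
	if [ "$Lang" = "fr" ]
	then
		echo "#                        Fin d'installation d'ALCASAR                       #"
		echo "#                                                                           #"
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
		echo "#                                                                           #"
		echo "#############################################################################"
		echo
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
		echo
		echo "- Lisez attentivement la documentation d'exploitation"
		echo
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		echo
		echo "                   Appuyez sur 'Entrée' pour continuer"
	else
		echo "#                        End of ALCASAR install process                     #"
		echo "#                                                                           #"
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
		echo "#                                                                           #"
		echo "#############################################################################"
		echo
		echo "- The system will be rebooted in order to operate ALCASAR"
		echo
		echo "- Read the exploitation documentation"
		echo
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		echo
		echo "                   Hit 'Enter' to continue"
	fi
	sleep 2
	# wait for the operator only on a fresh install; an update runs through
	if [ "$mode" != "update" ]
	then
		read -r a
	fi
	clear
	reboot
} # End post_install ()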


##################################################################
## 			Fonction "gammu_smsd"			##
## - Creation de la base de donnée Gammu			##
## - Creation du fichier de config: gammu_smsd_conf		##
##								##
##################################################################
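#######################################
# Create the gammu SMS database, write /etc/gammu_smsd_conf and wire the
# database credentials into alcasar-sms.sh.
# Globals (read): mysqlpwd DB_GAMMU DB_USER radiuspwd DIR_CONF DIR_DEST_BIN SED
# Globals (written): MYSQL (kept as in the original; other parts of the
#                    script may rely on it)
# Outputs: /etc/gammu_smsd_conf (mode 640, it holds the DB password),
#          /var/log/gammu-smsd/
#######################################
gammu_smsd()
{
# Create 'gammu' databse
	# NOTE(review): the root password is passed on the command line and is therefore
	# visible in "ps" for the duration of the call
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
	/usr/bin/mysql -uroot -p"$mysqlpwd" --execute="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
# Add a gammu database structure
	mysql -u"$DB_USER" -p"$radiuspwd" "$DB_GAMMU" < "$DIR_CONF/gammu-smsd-db-vierge.sql"

# Creation du fichier de config gammu_smsd_conf
	# "PIN = 1234" is a placeholder that has to match the SIM card in use
	cat << EOF > /etc/gammu_smsd_conf
[gammu]
port = /dev/ttyUSB0
connection = at115200

;########################################################

[smsd]

PIN = 1234

logfile = /var/log/gammu-smsd/gammu-smsd.log
logformat = textall
debuglevel = 0

service = sql
driver = native_mysql
user = $DB_USER
password = $radiuspwd
pc = localhost
database = $DB_GAMMU

RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms

StatusFrequency = 30
LoopSleep = 2

;ResetFrequency = 300
;HardResetFrequency = 120

CheckSecurity = 1 
CheckSignal = 1
CheckBattery = 0
EOF

	# was 755: the file contains the database password and must not be world-readable
	# (nor executable). 640 keeps it readable by root; if gammu-smsd is run as an
	# unprivileged user, give that user's group read access instead of widening the mode.
	chmod 640 /etc/gammu_smsd_conf

#Creation dossier de log Gammu-smsd
	mkdir -p /var/log/gammu-smsd
	chmod 755 /var/log/gammu-smsd

#Edition du script sql gammu <-> radius
	# line-number based edits (10c / 11c): they silently corrupt alcasar-sms.sh if its header moves
	$SED "10c u_db=\"$DB_USER\"" "$DIR_DEST_BIN/alcasar-sms.sh"
	$SED "11c p_db=\"$radiuspwd\"" "$DIR_DEST_BIN/alcasar-sms.sh"

} # END gammu_smsd()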
 
 
 
 
#################################
#  	Main Install loop  	#
#################################
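# The installer must run from the unpacked archive directory: the functions
# above reference scripts and configuration files relative to it.
dir_exec=$(dirname "$0")
if [ "$dir_exec" != "." ]
then
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
	echo "Launch this program from the ALCASAR archive directory"
	exit 1	# wrong working directory is an error (was exit 0)
fi
VERSION=$(cat "$DIR_INSTALL/VERSION")
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
nb_args=$#
args=$1
# No argument: behave as if -h had been given.
if [ "$nb_args" -eq 0 ]
then
	nb_args=1
	args="-h"
fi
chmod -R u+x "$DIR_SCRIPTS"/*
case "$args" in
	-\? | -h* | --h*)
		echo "$usage"
		exit 0
		;;
	-i | --install)
		license
		header_install
		testing
		# Test if ALCASAR is already installed ($CONF_FILE only exists on a
		# running installation).  The admin may update -- a backup of the
		# current configuration is created first -- or start from scratch.
		if [ -e "$CONF_FILE" ]
		then
			current_version=$(grep VERSION "$CONF_FILE" | cut -d"=" -f2)
			if [ "$Lang" == "fr" ]
				then echo "La version $current_version d'ALCASAR est déjà installée";
				else echo "ALCASAR Version $current_version is already installed";
			fi
			# Loop until a single o/O/n/N/y/Y is typed (an empty answer repeats).
			response=0
			PTN='^[oOnNyY]$'
			until [[ "$response" =~ $PTN ]]
			do
				if [ "$Lang" == "fr" ]
					then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
					else echo -n "Do you want to update (Y/n)?";
				fi
				read -r response
			done
			if [ "$response" = "n" ] || [ "$response" = "N" ]
			then
				rm -f /tmp/alcasar-conf*
			else
				# Create a backup of the running version's important files
				"$DIR_SCRIPTS"/alcasar-conf.sh --create
				mode="update"
			fi
		fi
		# RPMs install -- abort (non-zero, was exit 0) if it fails, nothing
		# below can work without the packages.
		if ! "$DIR_SCRIPTS"/alcasar-urpmi.sh
		then
			exit 1
		fi
		if [ -e "$CONF_FILE" ]
		then
			# Uninstall the running version
			"$DIR_SCRIPTS"/sbin/alcasar-uninstall.sh
		fi
		# Test if manual update: a configuration archive dropped in /tmp by the
		# admin (not created by the update branch above).
		# NOTE(review): /tmp/alcasar-conf* is a predictable name in a shared
		# directory and whatever is found there is trusted as the previous
		# configuration; the glob also only works while exactly one file matches.
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" != "update" ]
		then
			header_install
			if [ "$Lang" == "fr" ]
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
				else echo "The configuration file of an old version has been found";
			fi
			response=0
			PTN='^[oOnNyY]$'
			until [[ "$response" =~ $PTN ]]
			do
				if [ "$Lang" == "fr" ]
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
					else echo -n "Do you want to use it (Y/n)?";
				fi
				read -r response
				if [ "$response" = "n" ] || [ "$response" = "N" ]
				then rm -f /tmp/alcasar-conf*
				fi
			done
		fi
		# Test if update: any remaining archive means the previous
		# configuration is to be re-imported.
		if [ -e /tmp/alcasar-conf* ]
		then
			if [ "$Lang" == "fr" ]
				then echo "#### Installation avec mise à jour ####";
				else echo "#### Installation with update     ####";
			fi
			# Extract only the central configuration file (into ./conf/etc/)
			# and split its VERSION into major / minor (first char) / update.
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
			ORGANISME=$(grep ORGANISM conf/etc/alcasar.conf | cut -d"=" -f2)
			PREVIOUS_VERSION=$(grep VERSION conf/etc/alcasar.conf | cut -d"=" -f2)
			MAJ_PREVIOUS_VERSION=$(echo "$PREVIOUS_VERSION" | cut -d"." -f1)
			MIN_PREVIOUS_VERSION=$(echo "$PREVIOUS_VERSION" | cut -d"." -f2 | cut -c1)
			UPD_PREVIOUS_VERSION=$(echo "$PREVIOUS_VERSION" | cut -d"." -f3)
			mode="update"
		else
			mode="install"
		fi
		# Run the installation steps in order.
		# NOTE(review): gammu_smsd() (defined above) is not in this list --
		# confirm whether it is meant to be called during install.
		for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
		do
			$func
			# TODO: debug pause (waits for Enter after every step); remove before release
			echo "*** 'debug' : end of function $func ***"; read -r a
		done
		;;
	-u | --uninstall)
		if [ ! -e "$DIR_DEST_SBIN"/alcasar-uninstall.sh ]
		then
			if [ "$Lang" == "fr" ]
				then echo "ALCASAR n'est pas installé!";
				else echo "ALCASAR isn't installed!";
			fi
			exit 0
		fi
		# Accept y/Y too: the English prompt offers them and the test below
		# checks for them (the old pattern '^[oOnN]$' rejected them forever).
		response=0
		PTN='^[oOnNyY]$'
		until [[ "$response" =~ $PTN ]]
		do
			if [ "$Lang" == "fr" ]
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (O/n)? ";
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
			fi
			read -r response
		done
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
		then
			"$DIR_SCRIPTS"/alcasar-conf.sh --create
		else
			rm -f /tmp/alcasar-conf*
		fi
		# Uninstall the running version
		"$DIR_SCRIPTS"/sbin/alcasar-uninstall.sh
		;;
	*)
		echo "Argument inconnu :$1";
		echo "Unknown argument :$1";
		echo "$usage"
		exit 1
		;;
esac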
# end of script