901,6 → 901,11 |
# automatisation de la mise à jour de la base antivirale (toutes les 2 heures) |
$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf |
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf |
# on supprime le fichier 'main.cld' si 'main.cvd' existe (cas d'une mise à jour) |
if ([ -e /var/lib/clamav/main.cld ] && [ -e /var/lib/clamav/main.cvd ]) |
then |
rm -f /var/lib/clamav/main.cld |
fi |
} |
|
################################################################################## |
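Review bot: The added `if ([ -e /var/lib/clamav/main.cld ] && [ -e /var/lib/clamav/main.cvd ])` wraps the test in a subshell for no reason; the shell forks to evaluate two file tests whose result it then reads back as an exit status. Writing it as `if [ -e /var/lib/clamav/main.cld ] && [ -e /var/lib/clamav/main.cvd ]; then` keeps the same logic without the fork, and the deletion is better spelled `rm -f -- /var/lib/clamav/main.cld` so the path can never be parsed as an option. A short comment in English next to the French one, e.g. `# drop the stale incremental DB (main.cld) once a full main.cvd has been fetched`, would help readers who do not speak French. The `Checks`/`NotifyClamd` substitutions above are anchored on `^`, so if the distribution ships those directives commented out (`#Checks ...`) they are left untouched and the "every 2 hours" comment would not reflect the running configuration — worth a check on the target box. The enclosing function starts outside this hunk.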
1225,8 → 1230,53 |
$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf |
# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 ) |
$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver |
# On supprime les log_martians |
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver |
|
# On applique les préconisations ANSSI (sysctl + msec quand c'est possible) |
# Apply French Security Agency rules (sysctl + msec when possible) |
# ignorer les broadcast ICMP. (attaque smurf) |
$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver |
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 |
# ignorer les erreurs ICMP bogus |
$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver |
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 |
# désactiver l’envoi et la réponse aux ICMP redirects |
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l` |
if [ "$accept_redirect" == "0" ] |
then |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf |
fi |
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l` |
if [ "$send_redirect" == "0" ] |
then |
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf |
fi |
$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf |
$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf |
sysctl -w net.ipv4.conf.all.accept_redirects=0 |
sysctl -w net.ipv4.conf.all.send_redirects=0 |
# activer les SYN Cookies (attaque syn flood) |
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l` |
if [ "$tcp_syncookies" == "0" ] |
then |
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf |
fi |
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf |
sysctl -w net.ipv4.tcp_syncookies=1 |
# activer l’antispoofing niveau Noyau |
$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver |
sysctl -w net.ipv4.conf.all.rp_filter=1 |
# ignorer le source routing |
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l` |
if [ "$accept_source_route" == "0" ] |
then |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf |
fi |
$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf |
sysctl -w net.ipv4.conf.all.accept_source_route=0 |
# On supprime les log_martians (ALCASAR est souvent entre deux réseaux dont les plans d'adressage sont de type 'privée') |
sysctl -w net.ipv4.conf.all.log_martians=0 |
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver |
|
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys |
$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver |
# On mets en place la sécurité sur les fichiers |
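Review bot: The grep-count/append/sed pattern used for accept_redirects, send_redirects, tcp_syncookies and accept_source_route (the `accept_redirect=...` line through the `s?accept_source_route.*?...` line) is not anchored on the key, so a commented-out entry such as `#net.ipv4.conf.all.accept_redirects = 1` counts as present, the append is skipped, and the substitution rewrites the value inside the comment — the hardening is then applied by `sysctl -w` but never persisted to /etc/sysctl.conf and is lost at reboot. The same unanchored pattern also rewrites any other line containing the substring, including `conf.default.*` and `net.ipv6.*` keys. A small helper anchored on `^<key>` removes the ambiguity and replaces the four near-identical blocks; sketch below. Two smaller points: only the `net.ipv4.conf.all.*` keys are written, not their `net.ipv4.conf.default.*` counterparts, which may matter for interfaces created after boot (tun0 is mentioned earlier) depending on how the kernel combines `all` and per-interface values for each key; and the `ENABLE_LOG_STRANGE_PACKETS` substitution appears twice in the hunk (once near the top, once after `log_martians=0`) — if both survive on the new side, one is redundant.
```shell
# Persist one kernel parameter in /etc/sysctl.conf (anchored on the key so a
# commented-out entry is not mistaken for an active one), then apply it now.
set_sysctl() {
  local key=$1 val=$2
  if grep -q "^${key}[[:space:]]*=" /etc/sysctl.conf; then
    $SED "s?^${key}[[:space:]]*=.*?${key} = ${val}?" /etc/sysctl.conf
  else
    echo "${key} = ${val}" >> /etc/sysctl.conf
  fi
  sysctl -w "${key}=${val}"
}
# … unchanged: msec level.fileserver substitutions …
set_sysctl net.ipv4.conf.all.accept_redirects 0
set_sysctl net.ipv4.conf.all.send_redirects 0
set_sysctl net.ipv4.tcp_syncookies 1
set_sysctl net.ipv4.conf.all.accept_source_route 0
```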