1863,22 → 1863,19 |
|
} # END gammu_smsd() |
|
################################################################## |
## Fonction "post_install" ## |
## - Modification des bannières (locales et ssh) et des prompts ## |
## - Installation de la structure de chiffrement pour root ## |
## - Mise en place du sudoers et de la sécurité sur les fichiers## |
## - Mise en place du la rotation des logs ## |
## - Configuration dans le cas d'une mise à jour ## |
################################################################## |
########################################################## |
## Fonction "post_install" ## |
## - Modifying banners (locals et ssh) & prompts ## |
## - SSH config ## |
## - sudoers config & files security ## |
## - log rotate & ANSSI security parameters ## |
## - Apply former conf in case of an update ## |
########################################################## |
post_install() |
{ |
# création de la bannière locale |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default |
cp -f $DIR_CONF/banner /etc/mageia-release |
echo " V$VERSION" >> /etc/mageia-release |
# création de la bannière SSH |
cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh |
# change the SSH banner |
cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh |
echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh |
chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh |
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
1886,11 → 1883,11 |
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
# sshd écoute côté LAN et WAN |
# sshd liste on EXTIF & INTIF |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config |
# sshd autorise les connections root par certificat |
# sshd authorized certificate for root login |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config |
# Put the default values in conf file |
# ALCASAR conf file |
echo "SSH=on" >> $CONF_FILE |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE |
echo "LDAP=off" >> $CONF_FILE |
1900,11 → 1897,11 |
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE |
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE |
echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE |
# Coloration des prompts |
# Prompt customisation (colors) |
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default |
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc |
$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc |
# Droits d'exécution pour utilisateur apache et sysadmin |
# sudoers configuration for "apache" & "sysadmin" |
[ -e /etc/sudoers.default ] || cp /etc/sudoers /etc/sudoers.default |
cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers |
$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers |
1911,7 → 1908,7 |
# Modify some logrotate files (gammu, ulogd) |
cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/ |
chmod 644 /etc/logrotate.d/* |
# rectification sur versions précédentes de la compression des logs |
# Log compression |
$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf |
# actualisation des fichiers logs compressés |
for dir in firewall dansguardian httpd |
1987,9 → 1984,7 |
# switch to multi-users runlevel (instead of x11) |
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target |
# GRUB modifications (only one time) |
# limit wait time to 3s |
# create an alcasar entry instead of linux-nonfb |
# change display to 1024*768 (vga791) only if not on VM |
# Limit wait time to 3s - Create an alcasar entry instead of linux-nonfb - Change the default banner |
grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l` |
if [ $grub_already_modified == 0 ] |
then |
1996,11 → 1991,16 |
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst |
$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst |
$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst |
# is an virtual machine (proxmox, vmware, ) ? |
# change display to 1024*768 (vga791) only if not on VM |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default |
vm_vga=`lsmod | egrep "virtio|vmwgfx" | wc -l` |
if [ $vm_vga == 0 ] |
if [ $vm_vga == 0 ] # is not a virtual machine (proxmox, vmware) |
then |
$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst |
cp -f $DIR_CONF/banner /etc/mageia-release |
echo " V$VERSION" >> /etc/mageia-release |
else |
echo "ALCASAR V$VERSION" > /etc/mageia-release |
fi |
$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst |
$SED "/^gfxmenu/d" /boot/grub/menu.lst |
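Review bot: The new comment `# sshd authorized certificate for root login` in the second hunk (1886 → 1883) does not match what the line below it configures: `PermitRootLogin without-password` disables password and keyboard-interactive authentication for root but still accepts other methods, typically a public key, and `without-password` is the deprecated alias of `prohibit-password` in current OpenSSH. I would word the comment as `# root login over SSH: key-based only, no password` and, if the packaged OpenSSH supports it, set the value to `prohibit-password`. The `$SED` pattern is anchored on `^PermitRootLogin`, so if the shipped sshd_config only has the directive commented out, nothing is replaced and the built-in default applies; a check such as `grep -q '^PermitRootLogin without-password' /etc/ssh/sshd_config` after the substitution would catch that, which matters because the same hunk keeps `ListenAddress 0.0.0.0` and `SSH_ADMIN_FROM=0.0.0.0/0.0.0.0`. Separately, in the last hunk (1996 → 1991) the `/etc/mageia-release` banner is now written only inside the `grub_already_modified == 0` branch, so a run on a system whose menu.lst already contains ALCASAR would presumably keep the old `V$VERSION` string; post_install's body continues outside the visible hunks.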