/alcasar.sh |
818,7 → 818,6 |
uamserver https://$HOSTNAME/intercept.php |
radiusnasid $HOSTNAME |
papalwaysok |
#dnsparanoia |
uamsecret $secretuam |
coaport 3799 |
include /usr/local/etc/alcasar-uamallowed |
924,10 → 923,10 |
havp_exist=`grep havp /etc/passwd|wc -l` |
if [ "$havp_exist" == "1" ] |
then |
userdel -r havp |
userdel -r havp 2>/dev/null |
fi |
groupadd -f havp |
useradd -g havp havp |
useradd -M -g havp havp |
# création de la zone de travail temporaire (50Mo) en mémoire |
mkdir -p /var/tmp/havp /var/log/havp |
chown -R havp /var/tmp/havp /var/log/havp /var/run/havp |
981,32 → 980,23 |
{ |
# Three instances of ulogd (three different logfiles) |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall |
[ -e /var/log/firewall/tracability.log ] || touch /var/log/firewall/tracability.log |
[ -e /var/log/firewall/ssh.log ] || touch /var/log/firewall/ssh.log |
[ -e /var/log/firewall/ext-access.log ] || touch /var/log/firewall/ext-access.log |
nl=1 |
for log_type in tracability ssh ext-access |
do |
[ -e /var/log/firewall/$log_type.log ] || touch /var/log/firewall/$log_type.log |
cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf |
$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf |
$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf |
cat << EOF >> /etc/ulogd-$log_type.conf |
[LOGEMU] |
file="/var/log/firewall/$log_type.log" |
sync=1 |
EOF |
nl=`expr $nl + 1` |
done |
chown -R root:apache /var/log/firewall |
chmod 750 /var/log/firewall |
chmod 640 /var/log/firewall/* |
cat <<EOF > /etc/ulogd-tracability.conf |
# ulogd configuration for ALCASAR |
[global] |
nlgroup=1 |
logfile="/var/log/ulogd.log" |
loglevel=5 |
rmem=131071 |
bufsize=150000 |
plugin="/usr/lib/ulogd/ulogd_BASE.so" |
plugin="/usr/lib/ulogd/ulogd_LOGEMU.so" |
[LOGEMU] |
file="/var/log/firewall/tracability.log" |
sync=1 |
EOF |
cp -f /etc/ulogd-tracability.conf /etc/ulogd-ssh.conf |
$SED "s?^nlgroup=.*?nlgroup=2?g" /etc/ulogd-ssh.conf |
$SED "s?^file=\"/var/log/firewall/.*?file=\"/var/log/firewall/ssh.log\"?g" /etc/ulogd-ssh.conf |
cp -f /etc/ulogd-tracability.conf /etc/ulogd-ext-access.conf |
$SED "s?^nlgroup=.*?nlgroup=3?g" /etc/ulogd-ext-access.conf |
$SED "s?^file=\"/var/log/firewall/.*?file=\"/var/log/firewall/ext-access.log\"?g" /etc/ulogd-ext-access.conf |
[ -e /etc/init.d/ulogd.default ] || cp /etc/init.d/ulogd /etc/init.d/ulogd.default |
cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd |
} # End of param_ulogd () |
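Review bot: `$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf` assumes the base /etc/ulogd.conf still carries an `OPRINT` line; if it does not, the deletion is a no-op and the appended `[LOGEMU]` block sits next to whatever output plugin the base file already declares, so the three instances may not log where `file="/var/log/firewall/$log_type.log"` says. A guard before the loop, `grep -q OPRINT /etc/ulogd.conf || { echo "ulogd.conf: OPRINT marker not found" >&2; exit 1; }`, makes the dependency explicit. The counter update via `expr` on the `nl=` line can be the builtin `nl=$((nl + 1))`. In the havp hunk above, `havp_exist=` is computed with `grep havp /etc/passwd|wc -l`, a substring count over every passwd field, so a second matching line (for example another account's home path) skips the `userdel` and the following `useradd -M -g havp havp` fails on the existing account; `if id havp >/dev/null 2>&1` tests the account directly. param_ulogd () opens outside the hunk.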
/scripts/alcasar-iptables.sh |
5,7 → 5,7 |
# there are three channels for log : 1 (default) for tracability, 2 for secure admin (ssh), 3 for exterior access attempts, |
IPTABLES="/sbin/iptables" |
FILTERING="yes" |
FILTERING="no" |
EXTIF="eth0" |
INTIF="eth1" |
TUNIF="tun0" |
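Review bot: `FILTERING="no"` flips the shipped default to protocol filtering disabled without any comment, and because alcasar-conf.sh rewrites this line from the saved configuration on update, a reader cannot tell whether the value is a deliberate default or a leftover. A short comment on the line, `FILTERING="no" # protocol filtering off by default; overwritten from the saved conf by alcasar-conf.sh on update`, would make that explicit.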
/scripts/alcasar-conf.sh |
5,6 → 5,7 |
# Ce script permet de créer ou de charger l'archive des fichiers de configuration (/tmp/alcasar-conf.tar.gz) |
DIR_UPDATE="/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour |
DIR_WEB="/var/www/html" # répertoire du centre de gestion |
DIR_BIN="/usr/local/bin" # répertoire des scripts d'admin |
DIR_SBIN="/usr/local/sbin" # répertoire des scripts d'admin |
DIR_ETC="/usr/local/etc" # répertoire des fichiers de conf |
DB_USER="radius" |
62,10 → 63,11 |
then |
cp -rf $DIR_WEB/acc/digest $DIR_UPDATE/etc/ # version = 2.0 |
fi |
# sauvegarde du fichier alcasar-iptables-local.sh ( cas de migration vers 2.0 depuis <2.x) |
# sauvegarde du fichier alcasar-iptables.sh (et alcasar-iptables-local.sh si migration depuis V<2.x) |
cp -f $DIR_BIN/alcasar-iptables.sh $DIR_UPDATE |
if [ -e /usr/local/bin/alcasar-iptables-local.sh ] |
then |
cp -f /usr/local/bin/alcasar-iptables-local.sh $DIR_UPDATE/etc/old-version_alcasar-iptables-local.sh # versions < 2.x |
cp -f /usr/local/bin/alcasar-iptables-local.sh $DIR_UPDATE/etc/old-version_alcasar-iptables-local.sh |
fi |
# création de l'archive |
cd /tmp |
100,7 → 102,7 |
cp -rf $DIR_UPDATE/ossi /etc/dansguardian/lists/blacklists/ |
chown -R dansguardian:apache /etc/dansguardian/lists |
chmod -R g+rw /etc/dansguardian/lists |
# on active/desactive la BL |
# On active/désactive la BL |
active_bl=`cat $DIR_UPDATE/dansguardian.conf|grep ^reportinglevel|cut -d" " -f3` |
$SED "s/^reportinglevel =.*/reportinglevel = $active_bl/g" /etc/dansguardian/dansguardian.conf |
PARENT_SCRIPT=$0 |
113,6 → 115,10 |
cp -rf $DIR_UPDATE/etc/* $DIR_ETC/ |
# Prise en compte des comptes de gestion (admin + manager + backup) |
$DIR_SBIN/alcasar-profil.sh --list |
# On active/désactive le filtrage de protocoles |
active_filter=`cat $DIR_UPDATE/alcasar-iptables.sh|grep ^FILTERING|cut -d"=" -f2` |
$SED "s/^FILTERING=.*/FILTERING=$active_filter/g" $DIR_BIN/alcasar-iptables.sh |
$DIR_BIN/alcasar-iptables.sh |
# Effacement du répertoire d'update |
rm -rf $DIR_UPDATE |
;; |
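Review bot: `active_filter=` is read with `cat $DIR_UPDATE/alcasar-iptables.sh|grep ^FILTERING|cut -d"=" -f2`, which is empty when the archive comes from a version that had no FILTERING variable (the migration case the new comment `# sauvegarde du fichier alcasar-iptables.sh (et alcasar-iptables-local.sh si migration depuis V<2.x)` covers) or when the file is missing from the archive, and the following `$SED` then writes a bare `FILTERING=` into the live script right before `$DIR_BIN/alcasar-iptables.sh` executes it. Only apply the restored value when one was found: `if [ -n "$active_filter" ]; then` / `$SED "s/^FILTERING=.*/FILTERING=$active_filter/g" $DIR_BIN/alcasar-iptables.sh` / `fi`, so the installed default survives otherwise. The existing `active_bl=` line a hunk above has the same gap for `reportinglevel`. The case arm closed by `;;` opens outside the hunk.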
/scripts/sbin/alcasar-uninstall.sh |
171,7 → 171,6 |
echo -en "\n- network(7) : " |
hostname localhost |
/sbin/ifdown eth0 |
/sbin/ifdown eth1 |
[ -e /etc/sysconfig/network-scripts/default-ifcfg-eth0 ] && mv /etc/sysconfig/network-scripts/default-ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0 && echo -n "1, " |
[ -e /etc/sysconfig/network.default ] && mv /etc/sysconfig/network.default /etc/sysconfig/network && echo -n "2, " |
[ -e /etc/hosts.default ] && mv /etc/hosts.default /etc/hosts && echo -n "3, " |
/scripts/alcasar-log-export.sh |
24,11 → 24,11 |
if [ $CHIFFREMENT -eq "1" ] |
then |
# chiffrement des logs dans /var/Save/logs/(squid|firewall|httpd) |
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'firewall*.gz' -o -name 'admin*.gz' \) -exec gpg --output $TO_SAVE/$i/{}.gpg --encrypt --recipient $GPG_USER {} \; |
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'tracability*.gz' -o -name 'admin*.gz' \) -exec gpg --output $TO_SAVE/$i/{}.gpg --encrypt --recipient $GPG_USER {} \; |
else |
# copie simple des logs dans /var/Save/logs/(squid|firewall|httpd) |
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'firewall*.gz' -o -name 'admin*.gz' \) -exec cp {} $TO_SAVE/$i/. \; |
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'tracability*.gz' -o -name 'admin*.gz' \) -exec cp {} $TO_SAVE/$i/. \; |
fi |
done |
chown -R apache.apache $TO_SAVE |
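Review bot: Changing the pattern from `firewall*.gz` to `tracability*.gz` on both `find` lines means only the tracability rotations are exported or encrypted, while the ssh and ext-access logs that ulogd now writes alongside it in /var/log/firewall are no longer picked up, which silently shortens the retention of the admin-access and external-access trail. If that is not intended, extend the name list on both lines: `-name 'tracability*.gz' -o -name 'ssh*.gz' -o -name 'ext-access*.gz'`. The surrounding `for` loop closed by `done` starts outside the hunk.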