49,9 → 49,8 |
DIR_DEST_BIN="/usr/local/bin" # répertoire des scripts |
DIR_DEST_SBIN="/usr/local/sbin" # répertoire des scripts d'admin |
DIR_DEST_ETC="/usr/local/etc" # répertoire des fichiers de conf |
FIC_CONF="$DIR_DEST_ETC/alcasar.conf" # fichier de conf d'alcasar |
FIC_PARAM="/root/ALCASAR-parameters.txt" # fichier texte résumant les paramètres d'installation |
FIC_PASSWD="/root/ALCASAR-passwords.txt" # fichier texte contenant les mots de passe et secrets partagés |
CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # fichier de conf d'alcasar |
PASSWD_FILE="/root/ALCASAR-passwords.txt" # fichier texte contenant les mots de passe et secrets partagés |
# ******* DBMS parameters - paramètres SGBD ******** |
DB_RADIUS="radius" # nom de la base de données utilisée par le serveur FreeRadius |
DB_USER="radius" # nom de l'utilisateur de la base de données |
210,26 → 209,26 |
done |
fi |
# On crée aléatoirement les mots de passe et les secrets partagés |
rm -f $FIC_PASSWD |
rm -f $PASSWD_FILE |
grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # mot de passe de protection du menu Grub |
echo -n "Password to protect the boot menu (GRUB) : " > $FIC_PASSWD |
echo "$grubpwd" >> $FIC_PASSWD |
echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE |
echo "$grubpwd" >> $PASSWD_FILE |
md5_grubpwd=`/usr/bin/md5pass $grubpwd` |
$SED "/^password.*/d" /boot/grub/menu.lst |
$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # mot de passe de l'administrateur Mysqld |
echo -n "Name and password of MYSQL administrator : " >> $FIC_PASSWD |
echo "root / $mysqlpwd" >> $FIC_PASSWD |
echo -n "Name and password of MYSQL administrator : " >> $PASSWD_FILE |
echo "root / $mysqlpwd" >> $PASSWD_FILE |
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius) |
echo -n "Name and password of MYSQL user : " >> $FIC_PASSWD |
echo "$DB_USER / $radiuspwd" >> $FIC_PASSWD |
echo -n "Name and password of MYSQL user : " >> $PASSWD_FILE |
echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE |
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # secret partagé entre intercept.php et coova-chilli |
echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $FIC_PASSWD |
echo "$secretuam" >> $FIC_PASSWD |
echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE |
echo "$secretuam" >> $PASSWD_FILE |
secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` # secret partagé entre coova-chilli et FreeRadius |
echo -n "Shared secret between coova-chilli and FreeRadius : " >> $FIC_PASSWD |
echo "$secretradius" >> $FIC_PASSWD |
chmod 640 $FIC_PASSWD |
echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE |
echo "$secretradius" >> $PASSWD_FILE |
chmod 640 $PASSWD_FILE |
# On installe les scripts et fichiers de configuration d'ALCASAR |
# - dans /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log-clean.sh,log-export.sh,mondo.sh,watchdog.sh} |
cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar* |
241,8 → 240,8 |
$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh |
$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh |
$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh |
# generate FIC_PARAM and FIC_CONF |
cat <<EOF > $FIC_PARAM |
# generate central conf file |
cat <<EOF > $CONF_FILE |
########################################## |
## ## |
## ALCASAR Parameters ## |
249,22 → 248,11 |
## ## |
########################################## |
|
- Install date : $DATE |
- Version : $VERSION |
- Organism : $ORGANISME |
EOF |
cat <<EOF > $FIC_CONF |
########################################## |
## ## |
## ALCASAR Parameters ## |
## ## |
########################################## |
|
INSTALL_DATE=$DATE |
VERSION=$VERSION |
ORGANISM=$ORGANISME |
EOF |
chmod o-rwx $FIC_PARAM $FIC_CONF |
chmod o-rwx $CONF_FILE |
} # End of init () |
|
################################################################## |
311,7 → 299,6 |
fi |
# Définition de la config réseau côté "LAN de consultation" |
hostname $HOSTNAME |
echo "- Hostname : $HOSTNAME" >> $FIC_PARAM |
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0) |
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0) |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # @ip du portail (côté réseau de consultation) |
342,19 → 329,14 |
PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` |
PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24) |
PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` |
echo -e "- WAN IP address ($EXTIF) :\t$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_PARAM |
echo -e "- Gateway IP address :\t\t$PUBLIC_GATEWAY" >> $FIC_PARAM |
echo -e "- DNS servers :\t\t\t$DNS1 and $DNS2" >> $FIC_PARAM |
echo -e "- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK" >> $FIC_PARAM |
echo -e "- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP" >> $FIC_PARAM |
echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_CONF |
echo "GW=$PUBLIC_GATEWAY" >> $FIC_CONF |
echo "DNS1=$DNS1" >> $FIC_CONF |
echo "DNS2=$DNS2" >> $FIC_CONF |
echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $FIC_CONF |
echo "DHCP=on" >> $FIC_CONF |
echo "DHCP_FIRST=$PRIVATE_DYN_FIRST_IP" >> $FIC_CONF |
echo "DHCP_LAST=$PRIVATE_DYN_LAST_IP" >> $FIC_CONF |
echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE |
echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE |
echo "DNS1=$DNS1" >> $CONF_FILE |
echo "DNS2=$DNS2" >> $CONF_FILE |
echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE |
echo "DHCP=on" >> $CONF_FILE |
echo "DHCP_FIRST=$PRIVATE_DYN_FIRST_IP" >> $CONF_FILE |
echo "DHCP_LAST=$PRIVATE_DYN_LAST_IP" >> $CONF_FILE |
[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default |
# Configuration réseau |
cat <<EOF > /etc/sysconfig/network |
462,7 → 444,6 |
$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php |
$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php |
$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php |
$SED "s?^\$private_ip =.*?\$private_ip = \"$PRIVATE_IP\";?g" $DIR_WEB/index.php |
$SED "s?\$hostname =.*?\$hostname = \"$HOSTNAME\";?g" $DIR_WEB/index.php |
chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php |
chown -R apache:apache $DIR_WEB/* |
494,7 → 475,6 |
</body> |
</html> |
EOF |
echo "- ALCASAR Control Center URL : http://$HOSTNAME" >> $FIC_PARAM |
# Définition du premier compte lié au profil 'admin' |
header_install |
if [ "$mode" = "install" ] |
522,7 → 502,6 |
admin_portal=! |
fi |
done |
echo "- Name of the first account of the admin profile : $admin_portal" >> $FIC_PARAM |
# Création du fichier de clés de ce compte dans le profil "admin" |
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest |
mkdir -p $DIR_DEST_ETC/digest |
546,7 → 525,6 |
echo -n "Account : " |
fi |
read admin_portal |
echo "- Name of the first account of the admin profile : $admin_portal" >> $FIC_PARAM |
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest |
mkdir -p $DIR_DEST_ETC/digest |
chmod 755 $DIR_DEST_ETC/digest |
794,7 → 772,6 |
ErrorDocument 404 https://$HOSTNAME |
</Directory> |
EOF |
echo "- User change password URL : https://$HOSTNAME/pass/" >> $FIC_PARAM |
} # End of param_web_radius () |
|
########################################################################################## |
857,7 → 834,6 |
touch $DIR_DEST_ETC/alcasar-macallowed $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain |
chown root:apache $DIR_DEST_ETC/alcasar-* |
chmod 660 $DIR_DEST_ETC/alcasar-* |
echo "- User disconnect URL : http://alcasar:3990/logoff" >> $FIC_PARAM |
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli et nom d'organisme) |
$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php |
$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php |
1277,12 → 1253,12 |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config |
# Put the default value in conf file (sshd, QOS, protocols filter and dns filter are off)(web antivirus is on) |
/sbin/chkconfig --del sshd |
echo "SSH=off" >> $FIC_CONF |
echo "QOS=off" >> $FIC_CONF |
echo "LDAP=off" >> $FIC_CONF |
echo "PROTOCOLS_FILTERING=off" >> $FIC_CONF |
echo "DNS_FILTERING=off" >> $FIC_CONF |
echo "WEB_ANTIVIRUS=on" >> $FIC_CONF |
echo "SSH=off" >> $CONF_FILE |
echo "QOS=off" >> $CONF_FILE |
echo "LDAP=off" >> $CONF_FILE |
echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE |
echo "DNS_FILTERING=off" >> $CONF_FILE |
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE |
# Coloration des prompts |
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default |
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc |
1401,10 → 1377,13 |
/usr/sbin/userdel -f $rm_users |
fi |
done |
# Load the previous conf file |
# Load and update the previous conf file |
if [ "$mode" = "update" ] |
then |
$DIR_DEST_BIN/alcasar-conf.sh --load |
$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE |
$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE |
$SED "s?^ORGANISM=.*?ORGANISM=$ORGANISM?g" $CONF_FILE |
fi |
rm -f /tmp/alcasar-conf* |
chown -R root:apache $DIR_DEST_ETC/* |
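Review bot: The new update-mode line `$SED "s?^ORGANISM=.*?ORGANISM=$ORGANISM?g" $CONF_FILE` expands `$ORGANISM`, while every other place in this diff carries the organism name in `$ORGANISME` (the heredoc that creates the conf file writes `ORGANISM=$ORGANISME`), so unless `$ORGANISM` is assigned somewhere outside the visible hunks an update will most likely rewrite the key as an empty `ORGANISM=`. The one-line fix is `$SED "s?^ORGANISM=.*?ORGANISM=$ORGANISME?g" $CONF_FILE`, provided `$ORGANISME` is still set at this point of the script. Separately, the value is interpolated unescaped into a sed expression that uses `?` as its delimiter, so an organism name containing `?`, `&` or `\` would corrupt the substitution or inject into it; escaping the value or validating it where it is read would close that. The enclosing function body begins before this hunk.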