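--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
-# $Id: alcasar.sh 538 2011-04-08 20:41:28Z richard $
+# $Id: alcasar.sh 568 2011-04-10 21:11:27Z richard $
 
 # alcasar.sh
 # by Franck BOUIJOUX, Pascal LEVANT and Richard REY
 # This script is distributed under the Gnu General Public License (GPL)
 
@@ -899,10 +899,15 @@
 cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
 cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
 # automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
 $SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
 $SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
+# on supprime le fichier 'main.cld' si 'main.cvd' existe (cas d'une mise à jour)
+if ([ -e /var/lib/clamav/main.cld ] && [ -e /var/lib/clamav/main.cvd ])
+then
+rm -f /var/lib/clamav/main.cld
+fi
 }
 
 ##################################################################################
 ## Fonction firewall ##
 ## - adaptation des scripts du parefeu ##
@@ -1223,12 +1228,57 @@
 $SED "s?^# Required-Stop.*?# Required-Stop: \$local_fs \$network?g" /etc/init.d/mysqld
 # On affecte le niveau de sécurité du système : type "fileserver"
 $SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
 # On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 )
 $SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver
+
+# On applique les préconisations ANSSI (sysctl + msec quand c'est possible)
+# Apply French Security Agency rules (sysctl + msec when possible)
+# ignorer les broadcast ICMP. (attaque smurf)
+$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver
+sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
+# ignorer les erreurs ICMP bogus
+$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver
+sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+# désactiver l’envoi et la réponse aux ICMP redirects
+accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
+if [ "$accept_redirect" == "0" ]
+then
+echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
+fi
+send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l`
+if [ "$send_redirect" == "0" ]
+then
+echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
+fi
+$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
+$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
+sysctl -w net.ipv4.conf.all.accept_redirects=0
+sysctl -w net.ipv4.conf.all.send_redirects=0
+# activer les SYN Cookies (attaque syn flood)
+tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l`
+if [ "$tcp_syncookies" == "0" ]
+then
+echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
+fi
+$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
+sysctl -w net.ipv4.tcp_syncookies=1
+# activer l’antispoofing niveau Noyau
+$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver
+sysctl -w net.ipv4.conf.all.rp_filter=1
-# On supprime les log_martians
+# ignorer le source routing
+accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
+if [ "$accept_source_route" == "0" ]
+then
+echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
+fi
+$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
+sysctl -w net.ipv4.conf.all.accept_source_route=0
+# On supprime les log_martians (ALCASAR est souvent entre deux réseaux dont les plans d'adressage sont de type 'privée')
+sysctl -w net.ipv4.conf.all.log_martians=0
 $SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver
+
 # On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
 $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
 # On mets en place la sécurité sur les fichiers
 # des modif par rapport à radius update
 cat <<EOF > /etc/security/msec/perm.local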
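Review bot: The persistence checks for the redirect, SYN-cookie and source-route settings (new lines 1243–1275) use unanchored matches, so a setting can look configured in /etc/sysctl.conf without being active after a reboot. `grep accept_redirect /etc/sysctl.conf|wc -l` also counts a commented-out line or a `net.ipv6` / `conf.default` key, in which case nothing is appended, and the following `$SED "s?accept_redirects.*?accept_redirects = 0?g"` rewrites only from the match onward, so a leading `#` survives while every other key containing that name is overwritten. I would test with `grep -Eq '^[[:space:]]*net\.ipv4\.conf\.all\.accept_redirects[[:space:]]*=' /etc/sysctl.conf` and anchor the substitution as `s?^[#[:space:]]*net\.ipv4\.conf\.all\.accept_redirects.*?net.ipv4.conf.all.accept_redirects = 0?`, and do the same for the other three keys. Separately, the kernel ORs `send_redirects` between `conf.all` and the per-interface value, so `net.ipv4.conf.all.send_redirects=0` alone may leave redirects enabled on individual interfaces; setting `net.ipv4.conf.default.send_redirects` (and the existing interfaces) as well is worth considering.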