Subversion Repositories ALCASAR

Rev

Rev 1003 | Rev 1007 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1003 Rev 1005
Line 1... Line 1...
1 
#!/bin/bash
 1 
#!/bin/bash
2 
#  $Id: alcasar.sh 1003 2013-01-03 18:53:02Z richard $
2 
#  $Id: alcasar.sh 1005 2013-01-04 15:11:35Z richard $
3 
 
 3 
 
4 
# alcasar.sh
 4 
# alcasar.sh
5 
 
 5 
 
6 
# ALCASAR - Portail captif d'accès à l'Internet -  Copyright (C) [2005] [ALcasar team - Rexy - 3abtux - ...]
6 
# ALCASAR - Portail captif d'accès à l'Internet -  Copyright (C) [2005] [ALcasar team - Rexy - 3abtux - ...]
7 
# Ce programme est un logiciel libre ; vous pouvez le redistribuer et/ou le modifier au titre des clauses de la Licence Publique Générale GNU,
7 
# Ce programme est un logiciel libre ; vous pouvez le redistribuer et/ou le modifier au titre des clauses de la Licence Publique Générale GNU,
Line 97... Line 97...
97 
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
 97 
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
98 
	echo "-----------------------------------------------------------------------------"
 98 
	echo "-----------------------------------------------------------------------------"
99 
} # End of header_install ()
 99 
} # End of header_install ()
100 
 
 100 
 
101 
##################################################################
 101 
##################################################################
102 
##			Fonction TESTING			##
 102 
##			Function TESTING			##
103 
## - Test de la connectivité Internet				##
 103 
## - Test of Internet access					##
104 
##################################################################
 104 
##################################################################
105 
testing ()
 105 
testing ()
106 
{
 106 
{
107 
	if [ $Lang == "fr" ]
 107 
	if [ $Lang == "fr" ]
108 
		then echo -n "Tests des paramètres réseau : "
 108 
		then echo -n "Tests des paramètres réseau : "
Line 1124... Line 1124...
1124 
	fi
 1124 
	fi
1125 
	groupadd -f havp
 1125 
	groupadd -f havp
1126 
	useradd -r -g havp -s /bin/false -c "system user for havp" havp
 1126 
	useradd -r -g havp -s /bin/false -c "system user for havp" havp
1127 
	mkdir -p /var/tmp/havp /var/log/havp
 1127 
	mkdir -p /var/tmp/havp /var/log/havp
1128 
	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
 1128 
	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
1129 
	$SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
 - 
 
1130 
# configuration d'HAVP
 1129 
# configuration d'HAVP
1131 
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
 1130 
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1132 
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
 1131 
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1133 
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on 8090
1132 
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on 8090
1134 
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
 1133 
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
Line 1138... Line 1137...
1138 
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
 1137 
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1139 
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
 1138 
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1140 
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
 1139 
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1141 
# remplacement du fichier d'initialisation
 1140 
# remplacement du fichier d'initialisation
1142 
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
 1141 
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
- 
 
 1142 
# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
1143 
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
 1143 
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1144 
# on remplace la page d'interception (template)
 1144 
# on remplace la page d'interception (template)
1145 
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
 1145 
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1146 
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
 1146 
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1147 
# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
 1147 
# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
1148 
	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
 1148 
	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
1149 
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
 1149 
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1150 
# Virus database update
 1150 
# Virus database update
1151 
	rm -f /var/lib/clamav/*.cld # in case of old database scheme
 1151 
	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1152 
	[ -e /var/lib/clamav/main.cvd ] || /usr/bin/freshclam
 1152 
	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
- 
 
 1153 
	/usr/bin/freshclam
1153 
}
 1154 
}
1154 
 
 1155 
 
1155 
##################################################################################
 1156 
##################################################################################
1156 
##			param_ulogd function					##
 1157 
##			param_ulogd function					##
1157 
## - Ulog config for multi-log files 						##
 1158 
## - Ulog config for multi-log files 						##
Line 1505... Line 1506...
1505 
# processus lancés par défaut au démarrage
 1506 
# processus lancés par défaut au démarrage
1506 
	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
 1507 
	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
1507 
	do
 1508 
	do
1508 
		/sbin/chkconfig --add $i
 1509 
		/sbin/chkconfig --add $i
1509 
	done
 1510 
	done
- 
 
 1511 
 
1510 
# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse)
 1512 
	# On rajoute une tempo pour relancer radius après le redémarrage de mysqld (bug en cours d'analyse)
1511 
	cat << EOF > /etc/rc.local
 1513 
#	cat << EOF > /etc/rc.local
1512 
#!/bin/sh
 1514 
#!/bin/sh
1513 
#
 1515 
#
1514 
### BEGIN INIT INFO
 1516 
### BEGIN INIT INFO
1515 
# Provides: rc.local
 1517 
# Provides: rc.local
1516 
# X-Mandriva-Compat-Mode
 1518 
# X-Mandriva-Compat-Mode
Line 1518... Line 1520...
1518 
# Short-Description: Local initialization script
 1520 
# Short-Description: Local initialization script
1519 
# Description: This script will be executed *after* all the other init scripts.
 1521 
# Description: This script will be executed *after* all the other init scripts.
1520 
#              You can put your own initialization stuff in here if you don't
 1522 
#              You can put your own initialization stuff in here if you don't
1521 
#              want to do the full Sys V style init stuff.
 1523 
#              want to do the full Sys V style init stuff.
1522 
### END INIT INFO
 1524 
### END INIT INFO
- 
 
 1525 
#
- 
 
 1526 
#/etc/init.d/mysqld restart
- 
 
 1527 
#sleep 1
- 
 
 1528 
#/etc/init.d/radiusd restart
- 
 
 1529 
#
- 
 
 1530 
#touch /var/lock/subsys/local
- 
 
 1531 
#EOF
1523 
 
 1532 
 
1524 
/etc/init.d/mysqld restart
 - 
 
1525 
sleep 1
 - 
 
1526 
/etc/init.d/radiusd restart
 - 
 
1527 
 
 - 
 
1528 
touch /var/lock/subsys/local
 - 
 
1529 
EOF
 - 
 
1530 
# pour éviter les alertes de dépendance entre service.
 - 
 
1531 
	$SED "s?^# Required-Start.*?# Required-Start: \$local_fs \$network?g" /etc/init.d/mysqld
 - 
 
1532 
	$SED "s?^# Required-Stop.*?# Required-Stop: \$local_fs \$network?g" /etc/init.d/mysqld
 - 
 
1533 
	$SED "s?^# Should-Start.*?# Should-Start: radiusd ldap?g" /etc/init.d/httpd
 - 
 
1534 
	$SED "s?^# Should-Stop.*?# Should-Stop: radiusd ldap?g" /etc/init.d/httpd
 - 
 
1535 
# On affecte le niveau de sécurité du système : type "fileserver"
 - 
 
1536 
	$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
 - 
 
1537 
# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 )
 - 
 
1538 
	$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver
 - 
 
1539 
# On applique les préconisations ANSSI (sysctl + msec quand c'est possible)
 1533 
# On applique les préconisations ANSSI
1540 
# Apply French Security Agency rules (sysctl + msec when possible)
 1534 
# Apply French Security Agency rules
1541 
# ignorer les broadcast ICMP. (attaque smurf)
1535 
# ignorer les broadcast ICMP. (attaque smurf)
1542 
$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver
 - 
 
1543 
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
 1536 
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
1544 
# ignorer les erreurs ICMP bogus
 1537 
# ignorer les erreurs ICMP bogus
1545 
$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver
 - 
 
1546 
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
 1538 
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
1547 
# désactiver l'envoi et la réponse aux ICMP redirects
 1539 
# désactiver l'envoi et la réponse aux ICMP redirects
1548 
sysctl -w net.ipv4.conf.all.accept_redirects=0
 1540 
sysctl -w net.ipv4.conf.all.accept_redirects=0
1549 
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
 1541 
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
1550 
	if [ "$accept_redirect" == "0" ]
 1542 
	if [ "$accept_redirect" == "0" ]
Line 1569... Line 1561...
1569 
		echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
 1561 
		echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
1570 
	else
 1562 
	else
1571 
		$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
 1563 
		$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
1572 
	fi
 1564 
	fi
1573 
# activer l'antispoofing niveau Noyau
 1565 
# activer l'antispoofing niveau Noyau
1574 
$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver
 - 
 
1575 
sysctl -w net.ipv4.conf.all.rp_filter=1
 1566 
sysctl -w net.ipv4.conf.all.rp_filter=1
1576 
# ignorer le source routing
 1567 
# ignorer le source routing
1577 
sysctl -w net.ipv4.conf.all.accept_source_route=0
 1568 
sysctl -w net.ipv4.conf.all.accept_source_route=0
1578 
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
 1569 
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
1579 
	if [ "$accept_source_route" == "0" ]
 1570 
	if [ "$accept_source_route" == "0" ]
Line 1591... Line 1582...
1591 
	else
 1582 
	else
1592 
		$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
 1583 
		$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
1593 
	fi
 1584 
	fi
1594 
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée)
1585 
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée)
1595 
sysctl -w net.ipv4.conf.all.log_martians=0
 1586 
sysctl -w net.ipv4.conf.all.log_martians=0
1596 
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver
 - 
 
1597 
 
 - 
 
1598 
 
 - 
 
1599 
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
 1587 
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1600 
	$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
 1588 
# ???	$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
1601 
# On mets en place la sécurité sur les fichiers
 - 
 
1602 
# des modif par rapport à radius update
 - 
 
1603 
	cat <<EOF > /etc/security/msec/perm.local
 - 
 
1604 
/var/log/firewall/			root.apache	750
 - 
 
1605 
/var/log/firewall/*			root.apache	640
 - 
 
1606 
/etc/security/msec/perm.local		root.root	640
 - 
 
1607 
/etc/security/msec/level.local		root.root	640
 - 
 
1608 
/etc/freeradius-web			root.apache	750
 - 
 
1609 
/etc/freeradius-web/admin.conf		root.apache	640
 - 
 
1610 
/etc/freeradius-web/config.php		root.apache	640
 - 
 
1611 
/etc/raddb/dictionnary			root.radius	640
 - 
 
1612 
/etc/raddb/ldap.attrmap			root.radius	640
 - 
 
1613 
/etc/raddb/hints			root.radius	640
 - 
 
1614 
/etc/raddb/huntgroups			root.radius	640
 - 
 
1615 
/etc/raddb/attrs.access_reject		root.radius	640
 - 
 
1616 
/etc/raddb/attrs.accounting_response	root.radius	640
 - 
 
1617 
/etc/raddb/acct_users			root.radius	640
 - 
 
1618 
/etc/raddb/preproxy_users		root.radius	640
 - 
 
1619 
/etc/raddb/modules/ldap			radius.apache	660
 - 
 
1620 
/etc/raddb/sites-available/alcasar	radius.apache	660
 - 
 
1621 
/etc/pki/*				root.apache	750
 - 
 
1622 
EOF
 - 
 
1623 
	/usr/sbin/msec
 - 
 
1624 
# modification /etc/inittab
 1589 
# modification /etc/inittab
1625 
	[ -e /etc/inittab.default ] || cp /etc/inittab /etc/inittab.default
 1590 
	[ -e /etc/inittab.default ] || cp /etc/inittab /etc/inittab.default
1626 
# We keep only 3 TTYs
 1591 
# We keep only 3 TTYs
1627 
	$SED "s?^4.*?#&?g" /etc/inittab
 1592 
	$SED "s?^4.*?#&?g" /etc/inittab
1628 
	$SED "s?^5.*?#&?g" /etc/inittab
 1593 
	$SED "s?^5.*?#&?g" /etc/inittab
1629 
	$SED "s?^6.*?#&?g" /etc/inittab
 1594 
	$SED "s?^6.*?#&?g" /etc/inittab
1630 
# switch to multi-users runlevel (instead of x11)
 1595 
# switch to multi-users runlevel (instead of x11)
1631 
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
 1596 
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1632 
$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
 1597 
$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
- 
 
 1598 
#	GRUB modifications
- 
 
 1599 
# limit wait time to 3s
1633 
# On limite le temps d'attente de grub (3s) et on change la résolution d'écran
 1600 
# create an alcasar entry instead of linux-nonfb
- 
 
 1601 
# change display to 1024*768 (vga791)
1634 
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
 1602 
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
- 
 
 1603 
$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1635 
$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst
 1604 
$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1636 
$SED "s? vga=791??2g" /boot/grub/menu.lst
 1605 
$SED "/^kernel/s/vga=.*/vga=791/" /boot/grub/menu.lst
- 
 
 1606 
 
1637 
# Remove unused services and users
 1607 
# Remove unused services and users
1638 
for svc in alsa sound dm atd bootlogd stop-bootlogd
 1608 
for svc in alsa sound dm
1639 
do
 1609 
do
1640 
	/sbin/chkconfig --del $svc
 1610 
	/sbin/chkconfig --del $svc
1641 
done
 1611 
done
1642 
for rm_users in avahi-autoipd avahi icapd
 1612 
for rm_users in avahi-autoipd avahi icapd
1643 
do
 1613 
do
Line 1704... Line 1674...
1704 
	sleep 2
 1674 
	sleep 2
1705 
	reboot
 1675 
	reboot
1706 
} # End post_install ()
 1676 
} # End post_install ()
1707 
 
 1677 
 
1708 
#################################
 1678 
#################################
1709 
#  Boucle principale du script  #
 1679 
#  	Main Install loop  	#
1710 
#################################
 1680 
#################################
1711 
dir_exec=`dirname "$0"`
 1681 
dir_exec=`dirname "$0"`
1712 
if [ $dir_exec != "." ]
 1682 
if [ $dir_exec != "." ]
1713 
then
 1683 
then
1714 
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
 1684 
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"