Line 1... |
Line 1... |
1 |
|
1 |
|
2 |
#!/bin/bash
|
2 |
#!/bin/bash
|
3 |
# $Id: alcasar.sh 1363 2014-05-26 22:07:44Z richard $
|
3 |
# $Id: alcasar.sh 1365 2014-05-28 14:38:29Z richard $
|
4 |
|
4 |
|
5 |
# alcasar.sh
|
5 |
# alcasar.sh
|
6 |
|
6 |
|
7 |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
|
7 |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
|
8 |
# Ce programme est un logiciel libre ; This software is free and open source
|
8 |
# Ce programme est un logiciel libre ; This software is free and open source
|
Line 134... |
Line 134... |
134 |
# Create a backup of running version importants files
|
134 |
# Create a backup of running version importants files
|
135 |
$DIR_SCRIPTS/alcasar-conf.sh --create
|
135 |
$DIR_SCRIPTS/alcasar-conf.sh --create
|
136 |
mode="update"
|
136 |
mode="update"
|
137 |
fi
|
137 |
fi
|
138 |
else
|
138 |
else
|
- |
|
139 |
if [ ! -d /var/log/netflow/porttracker ]
|
- |
|
140 |
then
|
139 |
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
|
141 |
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
|
140 |
if [ $free_space -lt 10 ]
|
142 |
if [ $free_space -lt 10 ]
|
141 |
then
|
143 |
then
|
142 |
if [ $Lang == "fr" ]
|
144 |
if [ $Lang == "fr" ]
|
143 |
then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
|
145 |
then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
|
144 |
else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
|
146 |
else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
|
- |
|
147 |
fi
|
- |
|
148 |
exit 0
|
145 |
fi
|
149 |
fi
|
146 |
exit 0
|
- |
|
147 |
fi
|
150 |
fi
|
148 |
fi
|
151 |
fi
|
149 |
if [ $Lang == "fr" ]
|
152 |
if [ $Lang == "fr" ]
|
150 |
then echo -n "Tests des paramètres réseau : "
|
153 |
then echo -n "Tests des paramètres réseau : "
|
151 |
else echo -n "Network parameters tests : "
|
154 |
else echo -n "Network parameters tests : "
|
152 |
fi
|
155 |
fi
|
Line 1123... |
Line 1126... |
1123 |
## - Ulog config for multi-log files ##
|
1126 |
## - Ulog config for multi-log files ##
|
1124 |
##################################################################################
|
1127 |
##################################################################################
|
1125 |
param_ulogd ()
|
1128 |
param_ulogd ()
|
1126 |
{
|
1129 |
{
|
1127 |
# Three instances of ulogd (three different logfiles)
|
1130 |
# Three instances of ulogd (three different logfiles)
|
1128 |
cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-ssh.service
|
- |
|
1129 |
cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-ext-access.service
|
- |
|
1130 |
mv /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-traceability.service
|
- |
|
1131 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
1131 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
1132 |
nl=1
|
1132 |
nl=1
|
1133 |
for log_type in traceability ssh ext-access
|
1133 |
for log_type in traceability ssh ext-access
|
1134 |
do
|
1134 |
do
|
- |
|
1135 |
[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
|
1135 |
[ -e /var/log/firewall/$log_type.log ] || touch /var/log/firewall/$log_type.log
|
1136 |
/var/log/firewall/$log_type.log ] || touch /var/log/firewall/$log_type.log
|
1136 |
cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
|
1137 |
cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
|
1137 |
$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
|
1138 |
$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
|
1138 |
$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
|
1139 |
$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
|
1139 |
cat << EOF >> /etc/ulogd-$log_type.conf
|
1140 |
cat << EOF >> /etc/ulogd-$log_type.conf
|
1140 |
[LOGEMU]
|
1141 |
[LOGEMU]
|
Line 1153... |
Line 1154... |
1153 |
##########################################################
|
1154 |
##########################################################
|
1154 |
## Function "param_nfsen" ##
|
1155 |
## Function "param_nfsen" ##
|
1155 |
##########################################################
|
1156 |
##########################################################
|
1156 |
param_nfsen()
|
1157 |
param_nfsen()
|
1157 |
{
|
1158 |
{
|
1158 |
#Decompression tarball
|
- |
|
1159 |
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
|
1159 |
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
|
1160 |
#Création groupe et utilisteur
|
1160 |
# Create a specific user and group
|
1161 |
if grep "^www-data:" /etc/group > /dev/null; then
|
1161 |
[ `grep "^www-data:" /etc/group | wc -l` == 1 ] || groupadd www-data
|
1162 |
echo "Group already exists !"
|
- |
|
1163 |
else
|
- |
|
1164 |
groupadd www-data
|
- |
|
1165 |
echo "Group 'www-data' created !"
|
- |
|
1166 |
fi
|
- |
|
1167 |
if grep "^nfsen:" /etc/passwd > /dev/null; then
|
1162 |
[ `grep "^nfsen:" /etc/passwd | wc -l` == 1 ] || useradd -m nfsen
|
1168 |
echo "User already exists !"
|
- |
|
1169 |
else
|
- |
|
1170 |
useradd -m nfsen
|
- |
|
1171 |
echo "User 'nfsen' created !"
|
- |
|
1172 |
fi
|
- |
|
1173 |
usermod -G www-data nfsen
|
1163 |
usermod -G www-data nfsen
|
1174 |
#Ajout du plugin nfsen : PortTracker
|
1164 |
# Add PortTracker plugin
|
1175 |
mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
|
1165 |
mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
|
1176 |
chown -R nfsen:www-data /var/www/nfsen
|
1166 |
chown -R nfsen:www-data /var/www/nfsen
|
1177 |
chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
|
1167 |
chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
|
1178 |
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
|
1168 |
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
|
1179 |
#Copie du fichier de conf modifié de nfsen
|
1169 |
# use of our conf file and init unit
|
1180 |
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
|
1170 |
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
|
1181 |
#Copie du script d'initialisation de nfsen
|
- |
|
1182 |
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
|
1171 |
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
|
1183 |
#Installation de nfsen via le scrip Perl
|
1172 |
# Installation of nfsen
|
1184 |
DirTmp=$(pwd)
|
1173 |
DirTmp=$(pwd)
|
1185 |
cd /tmp/nfsen-1.3.6p1/
|
1174 |
cd /tmp/nfsen-1.3.6p1/
|
1186 |
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
|
1175 |
/usr/bin/perl5 install.pl etc/nfsen.conf
|
1187 |
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
|
1176 |
/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
|
1188 |
#Création de la DB pour rrdtool
|
1177 |
# Create RRD DB for porttracker (only in it still doesn't exist)
|
1189 |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
|
1178 |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
|
1190 |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
|
1179 |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
|
1191 |
sudo -u apache nftrack -I -d /var/log/netflow/porttracker
|
1180 |
[ d /var/log/netflow/porttracker ] || sudo -u apache nftrack -I -d /var/log/netflow/porttracker
|
1192 |
chown -R apache:www-data /var/log/netflow/porttracker/
|
1181 |
chown -R apache:www-data /var/log/netflow/porttracker/
|
1193 |
chmod -R 775 /var/log/netflow/porttracker
|
1182 |
chmod -R 775 /var/log/netflow/porttracker
|
1194 |
#Configuration du fichier de conf d'apache
|
1183 |
# Apache conf file
|
1195 |
if [ -f /etc/httpd/conf/conf.d/nfsen.conf ];then
|
- |
|
1196 |
rm -f /etc/httpd/conf/conf.d/nfsen.conf
|
1184 |
rm -f /etc/httpd/conf/conf.d/nfsen.conf
|
1197 |
fi
|
- |
|
1198 |
cat <<EOF >> /etc/httpd/conf/conf.d/nfsen.conf
|
1185 |
cat <<EOF >> /etc/httpd/conf/conf.d/nfsen.conf
|
1199 |
Alias /nfsen /var/www/nfsen
|
1186 |
Alias /nfsen /var/www/nfsen
|
1200 |
<Directory /var/www/nfsen/>
|
1187 |
<Directory /var/www/nfsen/>
|
1201 |
DirectoryIndex nfsen.php
|
1188 |
DirectoryIndex nfsen.php
|
1202 |
Options -Indexes
|
1189 |
Options -Indexes
|
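Review bot: New line 1180 reads `[ d /var/log/netflow/porttracker ]` — the `-d` has lost its dash, so `test` reports a unary-operator error and returns non-zero every time, which makes `nftrack -I` run unconditionally and defeats the "only if it still doesn't exist" guard described in the comment above it. Even with the dash restored the guard cannot work as intended, because `mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins` at new line 1165 has already created the directory on a fresh install, so the condition should look for existing DB content rather than the directory, e.g. `[ -n "$(ls -A /var/log/netflow/porttracker)" ] || sudo -u apache nftrack -I -d /var/log/netflow/porttracker`. Which files nftrack writes is not visible here, so an emptiness test is the safest stand-in. In the same function, new lines 1161 and 1162 can be written as `grep -q "^www-data:" /etc/group || groupadd www-data` (and likewise `grep -q "^nfsen:" /etc/passwd || useradd -m nfsen`) instead of comparing a backtick-substituted `wc -l` count with `==`, which drops the unquoted substitution and the bash-only operator inside `[ ]`.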
Line 1206... |
Line 1193... |
1206 |
AddType application/x-httpd-php .php
|
1193 |
AddType application/x-httpd-php .php
|
1207 |
php_flag magic_quotes_gpc on
|
1194 |
php_flag magic_quotes_gpc on
|
1208 |
php_flag track_vars on
|
1195 |
php_flag track_vars on
|
1209 |
</Directory>
|
1196 |
</Directory>
|
1210 |
EOF
|
1197 |
EOF
|
1211 |
#Ajout du paramètre : IP d'écoute pour le collecteur (nfcapd)
|
1198 |
# Add the listen port to collect netflow packet (nfcapd)
|
1212 |
$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
|
1199 |
$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
|
1213 |
#Configuration du délais d'expiration des captures du profile "live"
|
1200 |
# expire delay for the profile "live"
|
1214 |
nfsen -m live -e 62d 2>/dev/null
|
1201 |
nfsen -m live -e 62d 2>/dev/null
|
1215 |
#Suppression des sources de nfsen
|
1202 |
# clear the installation
|
1216 |
cd $DirTmp
|
1203 |
cd $DirTmp
|
1217 |
rm -rf /tmp/nfsen-1.3.6p1/
|
1204 |
rm -rf /tmp/nfsen-1.3.6p1/
|
1218 |
} # End of param_nfsen
|
1205 |
} # End of param_nfsen
|
1219 |
|
1206 |
|
1220 |
##########################################################
|
1207 |
##########################################################
|
Line 1294... |
Line 1281... |
1294 |
address=/#/$PRIVATE_IP
|
1281 |
address=/#/$PRIVATE_IP
|
1295 |
EOF
|
1282 |
EOF
|
1296 |
# Create dnsmasq-blacklist and dnsmasq-whitelist unit
|
1283 |
# Create dnsmasq-blacklist and dnsmasq-whitelist unit
|
1297 |
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service
|
1284 |
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service
|
1298 |
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service
|
1285 |
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service
|
1299 |
$SED "s?^ExecStart=.*?ExecStart=/usr/bin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service
|
1286 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service
|
1300 |
$SED "s?^ExecStart=.*?ExecStart=/usr/bin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1287 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1301 |
# TODO Start after chilli which create tun0
|
1288 |
# TODO Start after chilli which create tun0
|
1302 |
# $SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
|
1289 |
# $SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
|
1303 |
} # End dnsmasq
|
1290 |
} # End dnsmasq
|
1304 |
|
1291 |
|
1305 |
##########################################################
|
1292 |
##########################################################
|
Line 1536... |
Line 1523... |
1536 |
for i in chilli havp
|
1523 |
for i in chilli havp
|
1537 |
do
|
1524 |
do
|
1538 |
/sbin/chkconfig --add $i
|
1525 |
/sbin/chkconfig --add $i
|
1539 |
done
|
1526 |
done
|
1540 |
# processes launched at boot time (Systemctl)
|
1527 |
# processes launched at boot time (Systemctl)
|
1541 |
for i in alcasar-load_balancing nfsen mysqld httpd ntpd iptables ulogd dnsmasq radiusd dansguardian freshclam
|
1528 |
for i in alcasar-load_balancing nfsen mysqld httpd ntpd iptables ulogd dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access
|
1542 |
|
- |
|
1543 |
do
|
1529 |
do
|
1544 |
systemctl -q enable $i
|
1530 |
systemctl -q enable $i
|
1545 |
done
|
1531 |
done
|
1546 |
# Apply French Security Agency (ANSSI) rules
|
1532 |
# Apply French Security Agency (ANSSI) rules
|
1547 |
# ignore ICMP broadcast (smurf attack)
|
1533 |
# ignore ICMP broadcast (smurf attack)
|
Line 1574... |
Line 1560... |
1574 |
$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
|
1560 |
$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
|
1575 |
$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
|
1561 |
$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
|
1576 |
$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
|
1562 |
$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
|
1577 |
$SED "/^gfxmenu/d" /boot/grub/menu.lst
|
1563 |
$SED "/^gfxmenu/d" /boot/grub/menu.lst
|
1578 |
# Remove unused services and users
|
1564 |
# Remove unused services and users
|
1579 |
for svc in sshd.service
|
1565 |
for svc in sshd.service alsa-state
|
1580 |
do
|
1566 |
do
|
1581 |
/bin/systemctl -q disable $svc
|
1567 |
/bin/systemctl -q disable $svc
|
1582 |
done
|
1568 |
done
|
1583 |
for rm_users in sysqdin
|
1569 |
for rm_users in sysqdin
|
1584 |
do
|
1570 |
do
|