Subversion Repositories ALCASAR

#!/bin/bash

#!/bin/bash

# alcasar.sh

# alcasar.sh

# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 

# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 

# Ce programme est un logiciel libre ; This software is free and open source

# Ce programme est un logiciel libre ; This software is free and open source

#	init			: Installation of RPM and scripts

#	init			: Installation of RPM and scripts

#	network			: Network parameters

#	network			: Network parameters

#	ACC			: ALCASAR Control Center installation

#	ACC			: ALCASAR Control Center installation

#	CA			: Certification Authority initialization

#	CA			: Certification Authority initialization

#	init_db			: Initilization of radius database managed with MariaDB

#	init_db			: Initilization of radius database managed with MariaDB

#	antivirus		: HAVP + libclamav configuration

#	antivirus		: HAVP + libclamav configuration

#	dnsmasq			: Name server configuration

#	dnsmasq			: Name server configuration

#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)

#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)

#	cron			: Logs export + watchdog + connexion statistics

#	cron			: Logs export + watchdog + connexion statistics

#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)

#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)

DATE=`date '+%d %B %Y - %Hh%M'`

DATE=`date '+%d %B %Y - %Hh%M'`

DATE_SHORT=`date '+%d/%m/%Y'`

DATE_SHORT=`date '+%d/%m/%Y'`

Lang=`echo $LANG|cut -c 1-2`

Lang=`echo $LANG|cut -c 1-2`

mode="install"

mode="install"

	clear

	clear

	echo "-----------------------------------------------------------------------------"

	echo "-----------------------------------------------------------------------------"

	echo "                     ALCASAR V$VERSION Installation"

	echo "                     ALCASAR V$VERSION Installation"

	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"

	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"

	echo "-----------------------------------------------------------------------------"

	echo "-----------------------------------------------------------------------------"

##################################################################

##################################################################

##			Function "testing"			##

##			Function "testing"			##

## - Test of Mageia version					##

## - Test of Mageia version					##

## - Test of free space on /var  (>10G)				##

## - Test of free space on /var  (>10G)				##

		fi

		fi

		exit 0

		exit 0

	fi

	fi

	rm -rf /tmp/con_ok.html

	rm -rf /tmp/con_ok.html

	echo ". : ok"

	echo ". : ok"

##################################################################

##################################################################

##			Function "init"				##

##			Function "init"				##

## - Création du fichier "/root/ALCASAR_parametres.txt"		##

## - Création du fichier "/root/ALCASAR_parametres.txt"		##

## - Installation et modification des scripts du portail	##

## - Installation et modification des scripts du portail	##

	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/

	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/

</Directory>

</Directory>

EOF

EOF

# Launch after coova

# Launch after coova

$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service

$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service

##########################################################################################

##########################################################################################

##				Fonction "CA"						##

##				Fonction "CA"						##

## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##

## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##

##########################################################################################

##########################################################################################

	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL

	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL

	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL

	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL

	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL

	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL

	chown -R root:apache /etc/pki

	chown -R root:apache /etc/pki

	chmod -R 750 /etc/pki

	chmod -R 750 /etc/pki

##########################################################################################

##########################################################################################

##			Fonction "init_db"						##

##			Fonction "init_db"						##

## - Initialisation de la base Mysql							##

## - Initialisation de la base Mysql							##

## - Affectation du mot de passe de l'administrateur (root)				##

## - Affectation du mot de passe de l'administrateur (root)				##

# modify the start script in order to close accounting connexion when the system is comming down or up

# modify the start script in order to close accounting connexion when the system is comming down or up

	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default

	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default

	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service

	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service

	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service

	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service

	systemctl daemon-reload

	systemctl daemon-reload

##########################################################################

##########################################################################

## - Paramètrage des fichiers de configuration FreeRadius		##

## - Paramètrage des fichiers de configuration FreeRadius		##

## - Affectation du secret partagé entre coova-chilli et freeradius	##

## - Affectation du secret partagé entre coova-chilli et freeradius	##

## - Modification de fichier de conf pour l'accès à Mysql		##

## - Modification de fichier de conf pour l'accès à Mysql		##

##########################################################################

##########################################################################

{

{

	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/

	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/

	chown -R radius:radius /etc/raddb

	chown -R radius:radius /etc/raddb

	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default

	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default

# Set radius.conf parameters

# Set radius.conf parameters

	chown -R radius:radius /etc/raddb/sql/mysql/*

	chown -R radius:radius /etc/raddb/sql/mysql/*

# make certain that mysql is up before radius start

# make certain that mysql is up before radius start

	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default

	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default

	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service

	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service

	systemctl daemon-reload

	systemctl daemon-reload

##########################################################################

##########################################################################

## - Import, modification et paramètrage de l'interface "dialupadmin"	##

## - Import, modification et paramètrage de l'interface "dialupadmin"	##

## - Création du lien vers la page de changement de mot de passe        ##

## - Création du lien vers la page de changement de mot de passe        ##

##########################################################################

##########################################################################

{

{

# copie de l'interface d'origine dans la structure Alcasar

# copie de l'interface d'origine dans la structure Alcasar

	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/

	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/

	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 

	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 

	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html

	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html

	Allow from 127.0.0.1

	Allow from 127.0.0.1

	Allow from $PRIVATE_NETWORK_MASK

	Allow from $PRIVATE_NETWORK_MASK

	ErrorDocument 404 https://$HOSTNAME.$DOMAIN

	ErrorDocument 404 https://$HOSTNAME.$DOMAIN

</Directory>

</Directory>

EOF

EOF

##################################################################################

##################################################################################

## - Création du fichier d'initialisation et de configuration de coova-chilli	##

## - Création du fichier d'initialisation et de configuration de coova-chilli	##

## - Paramètrage de la page d'authentification (intercept.php)			##

## - Paramètrage de la page d'authentification (intercept.php)			##

##################################################################################

##################################################################################

{

{

# chilli unit for systemd

# chilli unit for systemd

cat << EOF > /lib/systemd/system/chilli.service

cat << EOF > /lib/systemd/system/chilli.service

#  This file is part of systemd.

#  This file is part of systemd.

#

#

	then

	then

	      userdel -r chilli 2>/dev/null

	      userdel -r chilli 2>/dev/null

	fi

	fi

	groupadd -f chilli

	groupadd -f chilli

	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli

	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli

##################################################################

##################################################################

## - Paramètrage du gestionnaire de contenu Dansguardian	##

## - Paramètrage du gestionnaire de contenu Dansguardian	##

##################################################################

##################################################################

{

{

	mkdir /var/dansguardian

	mkdir /var/dansguardian

	chown dansguardian /var/dansguardian

	chown dansguardian /var/dansguardian

	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service

	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service

	$SED "s?^After=.*?After=network.target chilli.target?g" /lib/systemd/system/dansguardian.service

	$SED "s?^After=.*?After=network.target chilli.target?g" /lib/systemd/system/dansguardian.service

	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default

	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default

	touch $DIR_DG/lists/exceptioniplist

	touch $DIR_DG/lists/exceptioniplist

# Keep a copy of URL & domain filter configuration files

# Keep a copy of URL & domain filter configuration files

	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default

	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default

	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default

	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default

##################################################################

##################################################################

##			Fonction "antivirus"			##

##			Fonction "antivirus"			##

## - configuration of havp, libclamav and freshclam		##

## - configuration of havp, libclamav and freshclam		##

##################################################################

##################################################################

	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf

	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf

	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf

	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf

	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf

	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf

# update now

# update now

	/usr/bin/freshclam --no-warnings

	/usr/bin/freshclam --no-warnings

##################################################################################

##################################################################################

## - Ulog config for multi-log files 						##

## - Ulog config for multi-log files 						##

##################################################################################

##################################################################################

{

{

# Three instances of ulogd (three different logfiles)

# Three instances of ulogd (three different logfiles)

	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall

	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall

	nl=1

	nl=1

	for log_type in traceability ssh ext-access

	for log_type in traceability ssh ext-access

		nl=`expr $nl + 1`

		nl=`expr $nl + 1`

	done

	done

	chown -R root:apache /var/log/firewall

	chown -R root:apache /var/log/firewall

	chmod 750 /var/log/firewall

	chmod 750 /var/log/firewall

	chmod 640 /var/log/firewall/*

	chmod 640 /var/log/firewall/*

##########################################################

##########################################################

##########################################################

##########################################################

{

{

	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/

	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/

# Create a specific user and group

# Create a specific user and group

	[ `grep "^www-data:" /etc/group | wc -l` == 1 ] || groupadd www-data

	[ `grep "^www-data:" /etc/group | wc -l` == 1 ] || groupadd www-data

	[ `grep "^nfsen:" /etc/passwd | wc -l` == 1 ] || useradd -r -g nfsen -s /bin/false -c "system user for the grapher nfsen" nfsen

	[ `grep "^nfsen:" /etc/passwd | wc -l` == 1 ] || useradd -r -g nfsen -s /bin/false -c "system user for the grapher nfsen" nfsen

# expire delay for the profile "live"

# expire delay for the profile "live"

	nfsen -m live -e 62d 2>/dev/null

	nfsen -m live -e 62d 2>/dev/null

# clear the installation

# clear the installation

	cd $DirTmp

	cd $DirTmp

	rm -rf /tmp/nfsen-1.3.6p1/

	rm -rf /tmp/nfsen-1.3.6p1/

##########################################################

##########################################################

##########################################################

##########################################################

{

{

	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq

	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq

	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default

	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default

	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance

	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance

	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default

	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default

# Create dnsmasq-blacklist and dnsmasq-whitelist unit

# Create dnsmasq-blacklist and dnsmasq-whitelist unit

	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service

	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service

	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service

	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service

	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service

	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service

	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service

	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service

	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blacklist.pid?g" /lib/systemd/system/dnsmasq-blacklist.service

	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blacklist.pid?g" /lib/systemd/system/dnsmasq-blacklist.service

	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service

	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service

} # End dnsmasq

} # End dnsmasq

##########################################################

##########################################################

##		Fonction "BL"				##

##		Fonction "BL"				##

##########################################################

##########################################################

BL ()

BL ()

	for i in havp 

	for i in havp 

	do

	do

		/sbin/chkconfig --add $i

		/sbin/chkconfig --add $i

	done

	done

# processes launched at boot time (Systemctl)

# processes launched at boot time (Systemctl)

	do

	do

	done

	done

# Apply French Security Agency (ANSSI) rules

# Apply French Security Agency (ANSSI) rules

# ignore ICMP broadcast (smurf attack)

# ignore ICMP broadcast (smurf attack)

	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf

	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf

# ignore ICMP errors bogus

# ignore ICMP errors bogus

			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`

			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`

			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`

			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`

			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`

			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`

			mode="update"

			mode="update"

		fi

		fi

		do

		do

			$func

			$func

# echo "*** 'debug' : end of function $func ***"; read a

# echo "*** 'debug' : end of function $func ***"; read a

		done

		done

		;;

		;;