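--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 2192 2017-05-01 19:52:53Z richard $ 
+#  $Id: alcasar.sh 2195 2017-05-02 14:51:01Z richard $ 
 
 # alcasar.sh
 
 # ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
 # Ce programme est un logiciel libre ; This software is free and open source
@@ -1861,59 +1861,56 @@
 KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
 EOF
 
 } # END gammu_smsd()
 
-##################################################################
-##			Fonction "post_install"			##
-## - Modification des bannières (locales et ssh) et des prompts ##
-## - Installation de la structure de chiffrement pour root	##
-## - Mise en place du sudoers et de la sécurité sur les fichiers##
-## - Mise en place du la rotation des logs			##
-## - Configuration dans le cas d'une mise à jour		##
-##################################################################
+##########################################################
+##		Fonction "post_install"			##
+## - Modifying banners (locals et ssh) & prompts	##
+## - SSH config						##
+## - sudoers config & files security			##
+## - log rotate & ANSSI security parameters		##
+## - Apply former conf in case of an update		##
+##########################################################
 post_install()
 {
-# création de la bannière locale
-	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
-	cp -f $DIR_CONF/banner /etc/mageia-release
-	echo " V$VERSION" >> /etc/mageia-release
-# création de la bannière SSH
-	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
+# change the SSH banner
+	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
+	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
 	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
 	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
 	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
 	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
 # postfix banner anonymisation
 	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
 	chown -R postfix:postfix /var/lib/postfix
-# sshd écoute côté LAN et WAN
+# sshd liste on EXTIF & INTIF
 	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
-# sshd autorise les connections root par certificat
+# sshd authorized certificate for root login
 	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
-	# Put the default values in conf file
+# ALCASAR conf file
 	echo "SSH=on" >> $CONF_FILE
 	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
 	echo "LDAP=off" >> $CONF_FILE
 	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
 	echo "MULTIWAN=off" >> $CONF_FILE
 	echo "FAILOVER=30" >> $CONF_FILE
 	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
 	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
 	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
-# Coloration des prompts
+# Prompt customisation (colors)
 	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
 	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
 	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
-# Droits d'exécution pour utilisateur apache et sysadmin
+# sudoers configuration for "apache" & "sysadmin"
 	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
 	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
 	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
 # Modify some logrotate files (gammu, ulogd)
 	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
 	chmod 644 /etc/logrotate.d/*
-# rectification sur versions précédentes de la compression des logs
+# Log compression
 	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
 # actualisation des fichiers logs compressés
 	for dir in firewall dansguardian httpd
 	do
 	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
@@ -1985,24 +1982,27 @@
 # remove Magic SysReq Keys
 	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
 # switch to multi-users runlevel (instead of x11)
 	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
 #	GRUB modifications (only one time)
-# limit wait time to 3s
-# create an alcasar entry instead of linux-nonfb
-# change display to 1024*768 (vga791) only if not on VM
+# Limit wait time to 3s - Create an alcasar entry instead of linux-nonfb - Change the default banner
 	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
 	if [ $grub_already_modified == 0 ]
 		then
 		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
 		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
 		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
-# is an virtual machine (proxmox, vmware, ) ?
+# change display to 1024*768 (vga791) only if not on VM
+		[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
 		vm_vga=`lsmod | egrep "virtio|vmwgfx" | wc -l`
-		if [ $vm_vga == 0 ]
+		if [ $vm_vga == 0 ] # is not a virtual machine (proxmox, vmware)
 		then
 			$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
+			cp -f $DIR_CONF/banner /etc/mageia-release
+			echo " V$VERSION" >> /etc/mageia-release
+		else
+			echo "ALCASAR V$VERSION" > /etc/mageia-release
 		fi
 		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
 		$SED "/^gfxmenu/d" /boot/grub/menu.lst
 	fi
 # Load and apply the previous conf file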
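Review bot: The new SSH banner lines in the second hunk (`cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh` then `echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh`) put the exact ALCASAR version into a banner that sshd presents before authentication, while the neighbouring `smtpd_banner` rewrite in the same function strips version details from the SMTP greeting. If the version is not needed there, dropping the `echo " V$VERSION" >> …` line keeps the SSH side consistent with that anonymisation; if it is wanted, a comment such as `# NOTE: version deliberately shown in the pre-auth SSH banner` would record the choice. In the third hunk the rewritten test `if [ $vm_vga == 0 ]` leaves `$vm_vga` unquoted and compares as a string; `if [ "$vm_vga" -eq 0 ]` is the safer form for a `wc -l` count. post_install() begins in the second hunk and its body continues past both hunks.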