Subversion Repositories ALCASAR


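--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 2886 2020-11-23 22:50:01Z rexy $
+#  $Id: alcasar.sh 2887 2020-11-26 22:08:42Z rexy $
  
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
@@ -795,19 +795,20 @@
 # create the log & backup structure :
 # - base = users database
 # - archive = tarball of "base + http firewall + netflow"
 # - security = watchdog log
 # - conf_file = archive conf file (usefull in updating process)
-	for i in base archive security activity_report conf_file;
+	for i in base archive security activity_report iot_captures;
 	do
 		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
 	done
 	chown -R root:apache $DIR_SAVE
 # Configuring & securing php
+	[ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
+	timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
+	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
 	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
-	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
-	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
 	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
 	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
 	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
 	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
 	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
@@ -872,13 +873,13 @@
 	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
 	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
 # Run lighttpd after coova (in order waiting tun0 to be up)
 	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
 	# Log file for ACC access imputability
-	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
+	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
-	chown root:apache /var/Save/security/acc_access.log
+	chown root:apache $DIR_SAVE/security/acc_access.log
-	chmod 664 /var/Save/security/acc_access.log
+	chmod 664 $DIR_SAVE/security/acc_access.log
 } # End of ACC()
  
 #############################################################
 ##               Function "time_server"                    ##
 ## - Configuring NTP server                                ##
@@ -1929,13 +1930,13 @@
 ignoreregex =
 EOF
  
 # allow reading of 2 log files (fail2ban & watchdog).
 	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
-	[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
+	[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
 	chmod 644 /var/log/fail2ban.log
-	chmod 644 /var/Save/security/watchdog.log
+	chmod 644 $DIR_SAVE/security/watchdog.log
 	/usr/bin/touch /var/log/auth.log
 # fail2ban unit
 [ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
 $SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
 $SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
@@ -2277,11 +2278,11 @@
 	fi
 	/usr/bin/update-grub2
 # Load and apply the previous conf file
 	if [ "$mode" = "update" ]
 	then
-		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
+		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in $DIR_SAVE/archive
 		$DIR_DEST_BIN/alcasar-conf.sh --load
 		PARENT_SCRIPT=`basename $0`
 		export PARENT_SCRIPT # to avoid stop&start process during the installation process
 		$DIR_DEST_BIN/alcasar-conf.sh --apply
 		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf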
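Review bot: The backup guard added at new line 806 tests the wrong path, so `/etc/php.d/05_date.ini` is never saved as `.default` before `$SED` rewrites it (assuming `$SED` edits in place): the `cp` runs only when the live file is missing, which is exactly when it fails. It should mirror the `/etc/php.ini.default` guard two lines below, `[ -e /etc/php.d/05_date.ini.default ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default`, so the distribution's original stays available for comparison and rollback. On new line 807, `timezone` is presumably empty when `timedatectl` fails, and the substitution would then write `date.timezone = ` with no value; a `[ -n "$timezone" ]` test before the `$SED` call would avoid that. The comment at line 799 still documents `conf_file` although the loop now creates `iot_captures` instead, so it should be updated to describe the new directory. The enclosing function (closed by `} # End of ACC()` in a later hunk) starts outside these hunks.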