Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 2886 2020-11-23 22:50:01Z rexy $
|
2 |
# $Id: alcasar.sh 2887 2020-11-26 22:08:42Z rexy $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
# team@alcasar.net
|
7 |
# team@alcasar.net
|
Line 795... |
Line 795... |
795 |
# create the log & backup structure :
|
795 |
# create the log & backup structure :
|
796 |
# - base = users database
|
796 |
# - base = users database
|
797 |
# - archive = tarball of "base + http firewall + netflow"
|
797 |
# - archive = tarball of "base + http firewall + netflow"
|
798 |
# - security = watchdog log
|
798 |
# - security = watchdog log
|
799 |
# - conf_file = archive conf file (usefull in updating process)
|
799 |
# - conf_file = archive conf file (usefull in updating process)
|
800 |
for i in base archive security activity_report conf_file;
|
800 |
for i in base archive security activity_report iot_captures;
|
801 |
do
|
801 |
do
|
802 |
[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
|
802 |
[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
|
803 |
done
|
803 |
done
|
804 |
chown -R root:apache $DIR_SAVE
|
804 |
chown -R root:apache $DIR_SAVE
|
805 |
# Configuring & securing php
|
805 |
# Configuring & securing php
|
- |
|
806 |
[ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
|
- |
|
807 |
timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
|
- |
|
808 |
$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
|
806 |
[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
|
809 |
[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
|
807 |
timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
|
- |
|
808 |
$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
|
- |
|
809 |
$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
|
810 |
$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
|
810 |
$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
|
811 |
$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
|
811 |
$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
|
812 |
$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
|
812 |
$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
|
813 |
$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
|
813 |
$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
|
814 |
$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
|
Line 872... |
Line 873... |
872 |
[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
|
873 |
[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
|
873 |
ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
|
874 |
ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
|
874 |
# Run lighttpd after coova (in order waiting tun0 to be up)
|
875 |
# Run lighttpd after coova (in order waiting tun0 to be up)
|
875 |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
|
876 |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
|
876 |
# Log file for ACC access imputability
|
877 |
# Log file for ACC access imputability
|
877 |
[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
|
878 |
[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
|
878 |
chown root:apache /var/Save/security/acc_access.log
|
879 |
chown root:apache $DIR_SAVE/security/acc_access.log
|
879 |
chmod 664 /var/Save/security/acc_access.log
|
880 |
chmod 664 $DIR_SAVE/security/acc_access.log
|
880 |
} # End of ACC()
|
881 |
} # End of ACC()
|
881 |
|
882 |
|
882 |
#############################################################
|
883 |
#############################################################
|
883 |
## Function "time_server" ##
|
884 |
## Function "time_server" ##
|
884 |
## - Configuring NTP server ##
|
885 |
## - Configuring NTP server ##
|
Line 1929... |
Line 1930... |
1929 |
ignoreregex =
|
1930 |
ignoreregex =
|
1930 |
EOF
|
1931 |
EOF
|
1931 |
|
1932 |
|
1932 |
# allow reading of 2 log files (fail2ban & watchdog).
|
1933 |
# allow reading of 2 log files (fail2ban & watchdog).
|
1933 |
[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
|
1934 |
[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
|
1934 |
[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
|
1935 |
[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
|
1935 |
chmod 644 /var/log/fail2ban.log
|
1936 |
chmod 644 /var/log/fail2ban.log
|
1936 |
chmod 644 /var/Save/security/watchdog.log
|
1937 |
chmod 644 $DIR_SAVE/security/watchdog.log
|
1937 |
/usr/bin/touch /var/log/auth.log
|
1938 |
/usr/bin/touch /var/log/auth.log
|
1938 |
# fail2ban unit
|
1939 |
# fail2ban unit
|
1939 |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
|
1940 |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
|
1940 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
|
1941 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
|
1941 |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
|
1942 |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
|
Line 2277... |
Line 2278... |
2277 |
fi
|
2278 |
fi
|
2278 |
/usr/bin/update-grub2
|
2279 |
/usr/bin/update-grub2
|
2279 |
# Load and apply the previous conf file
|
2280 |
# Load and apply the previous conf file
|
2280 |
if [ "$mode" = "update" ]
|
2281 |
if [ "$mode" = "update" ]
|
2281 |
then
|
2282 |
then
|
2282 |
$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
|
2283 |
$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in $DIR_SAVE/archive
|
2283 |
$DIR_DEST_BIN/alcasar-conf.sh --load
|
2284 |
$DIR_DEST_BIN/alcasar-conf.sh --load
|
2284 |
PARENT_SCRIPT=`basename $0`
|
2285 |
PARENT_SCRIPT=`basename $0`
|
2285 |
export PARENT_SCRIPT # to avoid stop&start process during the installation process
|
2286 |
export PARENT_SCRIPT # to avoid stop&start process during the installation process
|
2286 |
$DIR_DEST_BIN/alcasar-conf.sh --apply
|
2287 |
$DIR_DEST_BIN/alcasar-conf.sh --apply
|
2287 |
$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
|
2288 |
$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
|
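Review bot: The backup guard added at new line 806 tests the wrong path — `[ -e /etc/php.d/05_date.ini ]` checks the live file rather than the `.default` copy, so the backup is never taken when the file exists and `cp` fails when it does not; the sibling guard on the php.ini line right below has the intended shape, so this should read `[ -e /etc/php.d/05_date.ini.default ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default`. The `timezone` value read from `timedatectl` on new line 807 is substituted unchecked into the sed expression on 808, so if the command fails or prints nothing the config ends up with an empty `date.timezone =`; guarding with `[ -n "$timezone" ] && $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini` (or falling back to a fixed zone) avoids writing a broken setting. In the 795 hunk `conf_file` was dropped from the directory list in favour of `iot_captures`, but the comment block just above still lists `- conf_file = archive conf file` and says nothing about the new directory, so it should be updated (e.g. `# - iot_captures = ...` with its purpose), and it is worth confirming that the update path via `alcasar-conf.sh --load` further down no longer expects `$DIR_SAVE/conf_file` to exist. The enclosing functions of the 795 and 1929 hunks start outside the visible lines.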