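--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 2933 2021-03-27 10:17:40Z rexy $
+#  $Id: alcasar.sh 2937 2021-04-05 22:17:52Z rexy $
 
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
@@ -733,12 +733,12 @@
 	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
 	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
 # load ipt_NETFLOW module
 	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
 # modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
-	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
-	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
+	cp /lib/systemd/system/iptables.service /etc/systemd/system/iptables.service
+	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /etc/systemd/system/iptables.service
 	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
 	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
 #
 # the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
 } # End of network()
@@ -801,11 +801,11 @@
 	do
 		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
 	done
 	chown -R root:apache $DIR_SAVE
 # Configuring & securing php
-	[ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
+	[ -e /etc/php.d/05_date.ini.default ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
 	timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
 	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
 	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
 	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
 	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
@@ -871,11 +871,12 @@
 	fi
 # Creation of ACC certs links
 	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
 	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
 # Run lighttpd after coova (in order waiting tun0 to be up)
-	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
+	cp /lib/systemd/system/lighttpd.service /etc/systemd/system/lighttpd.service
+	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/lighttpd.service
 	# Log file for ACC access imputability
 	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
 	chown root:apache $DIR_SAVE/security/acc_access.log
 	chmod 664 $DIR_SAVE/security/acc_access.log
 # Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
@@ -957,11 +958,11 @@
 # Create 'radius' database
 	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
 # Add an empty radius database structure
 	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
 # modify the start script in order to close accounting connexion when the system is comming down or up
-	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
-	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
-	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
+	cp /lib/systemd/system/mysqld.service /etc/systemd/system/mysqld.service
+	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
+	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
 	/usr/bin/systemctl unset-environment MYSQLD_OPTS
 	/usr/bin/systemctl daemon-reload
 } # End of init_db()
 
 ###################################################################
@@ -1042,12 +1043,12 @@
 # sqlcounter modifications
 	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
 	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
 	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
 # make certain that mysql is up before freeradius start
-	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
-	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
+	cp /lib/systemd/system/radiusd.service /etc/systemd/system/radiusd.service
+	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /etc/systemd/system/radiusd.service
 	/usr/bin/systemctl daemon-reload
 # Allow apache to change some conf files (ie : ldap on/off)
 	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
 	chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
 } # End of freeradius()
@@ -1058,11 +1059,11 @@
 ## - Adapt the authentication web page (intercept.php)                     ##
 #############################################################################
 chilli()
 {
 # chilli unit for systemd
-	cat << EOF > /lib/systemd/system/chilli.service
+	cat << EOF > /etc/systemd/system/chilli.service
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU General Public License as published by
 #  the Free Software Foundation; either version 2 of the License, or
@@ -1258,15 +1259,15 @@
 ## - Set the parameters of this HTML proxy (as controler)     ##
 ################################################################
 e2guardian()
 {
 # Adapt systemd unit
-[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
-	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
-	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
-	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
+	cp /lib/systemd/system/e2guardian.service /etc/systemd/system/e2guardian.service
+	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /etc/systemd/system/e2guardian.service
+	$SED "s?^After=.*?After=network.target chilli.service?g" /etc/systemd/system/e2guardian.service
 # Adapt the main conf file
+	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
 # French deny HTML page
 	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
 # 2 filtergroups (8080 & 8090)
 	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
 # Listen on 8080 (HTTP for BL users) only on LAN side
@@ -1368,19 +1369,19 @@
 ##                     Function "antivirus"                     ##
 ## - Set the parameters of clamav and freshclam                 ##
 ##################################################################
 antivirus()
 {
-# Clamd adaptation to e2guardian
-[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
-	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
-	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
-[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
-	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
-	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
-	
+# Clamd unit adaptation to e2guardian
+	cp /lib/systemd/system/clamav-daemon.service /etc/systemd/system/clamav-daemon.service
+	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /etc/systemd/system/clamav-daemon.service
+	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /etc/systemd/system/clamav-daemon.service
+	cp /lib/systemd/system/clamav-daemon.socket /etc/systemd/system/clamav-daemon.socket
+	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
+	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
+# Clamd conf adaptation to e2guardian
 [ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
 	$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
 	$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
 	$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
 	$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
@@ -1408,20 +1409,20 @@
 # Three instances of ulogd (three different logfiles)
 	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
 	nl=1
 	for log_type in traceability ssh ext-access
 	do
-		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
+		cp -f /lib/systemd/system/ulogd.service /etc/systemd/system/ulogd-$log_type.service
 		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
 		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
 		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
 		cat << EOF >> /etc/ulogd-$log_type.conf
 [emu1]
 file="/var/log/firewall/$log_type.log"
 sync=1
 EOF
-		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
+		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /etc/systemd/system/ulogd-$log_type.service
 		nl=`expr $nl + 1`
 	done
 	chown -R root:apache /var/log/firewall
 	chmod 750 /var/log/firewall
 	chmod 640 /var/log/firewall/*
@@ -1435,11 +1436,11 @@
 nfsen()
 {
 	groupadd -f nfcapd
 	id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
 # nfcapd unit for systemd
-	cat << EOF > /lib/systemd/system/nfcapd.service
+	cat << EOF > /etc/systemd/system/nfcapd.service
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU General Public License as published by
 #  the Free Software Foundation; either version 2 of the License, or
@@ -1477,13 +1478,13 @@
 	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
 	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
 	$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf
 	# vnstat-dashboard
 	$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
-	[ -e /lib/systemd/system/vnstat.service.default ] || cp /lib/systemd/system/vnstat.service /lib/systemd/system/vnstat.service.default
-	$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /lib/systemd/system/vnstat.service
+	cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
+	$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
 } # End of vnstat()
 
 ###################################################################
 ##                     Function "dnsmasq"                        ##
 ## - creation of the conf files of dnsmasq (whitelist for ipset )##
@@ -1507,15 +1508,15 @@
 filterwin2k
 ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
 server=$DNS1
 server=$DNS2
 EOF
-	# Create dnsmasq-whitelist unit
-	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
-	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
-	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
-	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
+	# Don't run dnsmasq service. Create dnsmasq-whitelist unit
+	systemctl disable dnsmasq.service
+	cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
+	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
+	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
 } # End of dnsmasq()
 
 #########################################################
 ##              Function "unbound"                     ##
 ## - create the conf files for 4 unbound services      ##
@@ -1680,23 +1681,20 @@
 	include: /etc/unbound/conf.d/common/local-forward/*
 	include: /etc/unbound/conf.d/common/local-dns/*
 	include: /etc/unbound/conf.d/blackhole/*
 EOF
 
-	if [ ! -e /lib/systemd/system/unbound.service.default ]
-	then
-		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
-	fi
-	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
-	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
+	cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
+	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
+	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
 	for list in blacklist blackhole whitelist
 	do
-		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
-		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
-		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
+		cp -f /lib/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service
+		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service
+		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service
 	done
-	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
+	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
 } # End of unbound()
 
 ##################################################
 ##              Function "dhcpd"                ##
 ##################################################
@@ -1939,14 +1937,14 @@
 	[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
 	chmod 644 /var/log/fail2ban.log
 	chmod 644 $DIR_SAVE/security/watchdog.log
 	/usr/bin/touch /var/log/auth.log
 # fail2ban unit
-[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
-$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
-$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
-$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
+cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
+$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
+$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
+$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
 } # End of fail2ban()
 
 #########################################################
 ##                   Fonction "gammu_smsd"             ##
 ## - Creating of SMS management database               ##
@@ -2003,11 +2001,11 @@
 CheckBattery = 0
 EOF
 	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
 
 # Create the systemd unit
-	cat << EOF > /lib/systemd/system/gammu-smsd.service
+	cat << EOF > /etc/systemd/system/gammu-smsd.service
 [Unit]
 Description=SMS daemon for Gammu
 Documentation=man:gammu-smsd(1)
 After=network.target mysql.service
 
@@ -2191,11 +2189,11 @@
 	for dir in firewall e2guardian lighttpd
 	do
 		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
 	done
 # create the alcasar-load_balancing unit
-	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
+	cat << EOF > /etc/systemd/system/alcasar-load_balancing.service
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU General Public License as published by
 #  the Free Software Foundation; either version 2 of the License, or
@@ -2373,11 +2371,11 @@
 	-\? | -h* | --h*)
 		echo "$usage"
 		exit 0
 		;;
 	-i | --install)
-		for func in license testing_system
+		for func in license testing_system testing_network
 		do
 			header_install
 			$func
 			if [ $DEBUG_ALCASAR == "on" ]
 			then
@@ -2449,11 +2447,11 @@
 				then echo "#### Installation avec mise à jour ####";
 				else echo "#### Installation with update     ####";
 			fi
 			mode="update"
 		fi
-		for func in testing_network init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
+		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
 		do
 			$func
 			if [ $DEBUG_ALCASAR == "on" ]
 			then
 				echo "*** 'debug' : end of function '$func' ***"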
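Review bot: In the unbound hunk, the `for list` loop at new line 1691 now copies the pristine package unit `/lib/systemd/system/unbound.service`, whereas the old loop copied that same file only after the ExecStart/After sed edits had been applied to it, so `unbound-blacklist.service` and `unbound-blackhole.service` no longer inherit `After=syslog.target network-online.target chilli.service` (only unbound-whitelist gets an explicit After= at new line 1695). Presumably the stock unit does not order after chilli.service, so those two resolvers may be started before the interface coova brings up exists — the very ordering problem the lighttpd, e2guardian and main-unbound After= overrides in this commit are there to avoid. Copying the already-edited override keeps the old behaviour: `cp -f /etc/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service`. The enclosing unbound() function starts before this hunk, inside a here-document.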