Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 2933 → Rev 2937

/alcasar.sh
735,8 → 735,8
# load ipt_NETFLOW module
echo "ipt_NETFLOW" >> /etc/modprobe.preload
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
cp /lib/systemd/system/iptables.service /etc/systemd/system/iptables.service
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /etc/systemd/system/iptables.service
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
#
803,7 → 803,7
done
chown -R root:apache $DIR_SAVE
# Configuring & securing php
[ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
[ -e /etc/php.d/05_date.ini.default ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
873,7 → 873,8
[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
# Run lighttpd after coova (in order waiting tun0 to be up)
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
cp /lib/systemd/system/lighttpd.service /etc/systemd/system/lighttpd.service
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/lighttpd.service
# Log file for ACC access imputability
[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
chown root:apache $DIR_SAVE/security/acc_access.log
959,9 → 960,9
# Add an empty radius database structure
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
# modify the start script in order to close accounting connexion when the system is comming down or up
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
cp /lib/systemd/system/mysqld.service /etc/systemd/system/mysqld.service
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
/usr/bin/systemctl unset-environment MYSQLD_OPTS
/usr/bin/systemctl daemon-reload
} # End of init_db()
1044,8 → 1045,8
cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
chown -R radius:radius /etc/raddb/mods-available/sqlcounter
# make certain that mysql is up before freeradius start
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
cp /lib/systemd/system/radiusd.service /etc/systemd/system/radiusd.service
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /etc/systemd/system/radiusd.service
/usr/bin/systemctl daemon-reload
# Allow apache to change some conf files (ie : ldap on/off)
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1060,7 → 1061,7
chilli()
{
# chilli unit for systemd
cat << EOF > /lib/systemd/system/chilli.service
cat << EOF > /etc/systemd/system/chilli.service
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
1260,11 → 1261,11
e2guardian()
{
# Adapt systemd unit
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
cp /lib/systemd/system/e2guardian.service /etc/systemd/system/e2guardian.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /etc/systemd/system/e2guardian.service
$SED "s?^After=.*?After=network.target chilli.service?g" /etc/systemd/system/e2guardian.service
# Adapt the main conf file
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
# Adapt the main conf file
# French deny HTML page
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
# 2 filtergroups (8080 & 8090)
1370,14 → 1371,14
##################################################################
antivirus()
{
# Clamd adaptation to e2guardian
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
# Clamd unit adaptation to e2guardian
cp /lib/systemd/system/clamav-daemon.service /etc/systemd/system/clamav-daemon.service
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /etc/systemd/system/clamav-daemon.service
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /etc/systemd/system/clamav-daemon.service
cp /lib/systemd/system/clamav-daemon.socket /etc/systemd/system/clamav-daemon.socket
$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
# Clamd conf adaptation to e2guardian
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
1410,7 → 1411,7
nl=1
for log_type in traceability ssh ext-access
do
[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
cp -f /lib/systemd/system/ulogd.service /etc/systemd/system/ulogd-$log_type.service
[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1419,7 → 1420,7
file="/var/log/firewall/$log_type.log"
sync=1
EOF
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /etc/systemd/system/ulogd-$log_type.service
nl=`expr $nl + 1`
done
chown -R root:apache /var/log/firewall
1437,7 → 1438,7
groupadd -f nfcapd
id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
# nfcapd unit for systemd
cat << EOF > /lib/systemd/system/nfcapd.service
cat << EOF > /etc/systemd/system/nfcapd.service
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
1479,8 → 1480,8
$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf
# vnstat-dashboard
$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
[ -e /lib/systemd/system/vnstat.service.default ] || cp /lib/systemd/system/vnstat.service /lib/systemd/system/vnstat.service.default
$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /lib/systemd/system/vnstat.service
cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
} # End of vnstat()
 
###################################################################
1509,11 → 1510,11
server=$DNS1
server=$DNS2
EOF
# Create dnsmasq-whitelist unit
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
# Don't run dnsmasq service. Create dnsmasq-whitelist unit
systemctl disable dnsmasq.service
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
} # End of dnsmasq()
 
#########################################################
1682,19 → 1683,16
include: /etc/unbound/conf.d/blackhole/*
EOF
 
if [ ! -e /lib/systemd/system/unbound.service.default ]
then
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
fi
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
for list in blacklist blackhole whitelist
do
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
cp -f /lib/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service
done
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
} # End of unbound()
 
##################################################
1941,10 → 1939,10
chmod 644 $DIR_SAVE/security/watchdog.log
/usr/bin/touch /var/log/auth.log
# fail2ban unit
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
} # End of fail2ban()
 
#########################################################
2005,7 → 2003,7
chmod 755 /etc/gammu_smsd_conf /etc/gammurc
 
# Create the systemd unit
cat << EOF > /lib/systemd/system/gammu-smsd.service
cat << EOF > /etc/systemd/system/gammu-smsd.service
[Unit]
Description=SMS daemon for Gammu
Documentation=man:gammu-smsd(1)
2193,7 → 2191,7
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
done
# create the alcasar-load_balancing unit
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
cat << EOF > /etc/systemd/system/alcasar-load_balancing.service
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
2375,7 → 2373,7
exit 0
;;
-i | --install)
for func in license testing_system
for func in license testing_system testing_network
do
header_install
$func
2451,7 → 2449,7
fi
mode="update"
fi
for func in testing_network init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
do
$func
if [ $DEBUG_ALCASAR == "on" ]