Subversion Repositories ALCASAR

Compare Revisions

No changes between revisions

Ignore whitespace Rev 39 → Rev 40

/scripts/etc/alcasar-filter-exceptions
0,0 → 1,0
/scripts/etc/alcasar-services
0,0 → 1,5
#icmp -
#ssh 22
#smtp 25
#pop 110
#https 443
/scripts/sbin/alcasar-bl.sh
0,0 → 1,77
#/bin/sh
# Gestion des Blacklists/Whitelists
 
DIR_tmp="/root/blacklists"
DIR_DANSGUARDIAN="/etc/dansguardian/lists/"
BL_SERVER="cri.univ-tlse1.fr"
SED="/bin/sed -i"
 
function transfert () {
mkdir -p $DIR_tmp
cd $DIR_tmp
wget http://$BL_SERVER/blacklists/download/blacklists.tar.gz
}
 
function install () {
[ -d $DIR_DANSGUARDIAN ] || mkdir -p $DIR_DANSGUARDIAN
[ -d $DIR_DANSGUARDIAN/blacklists/ossi ] && mv -f $DIR_DANSGUARDIAN/blacklists/ossi $DIR_tmp
tar zxvf $DIR_tmp/blacklists.tar.gz --directory=$DIR_DANSGUARDIAN
[ -d $DIR_tmp/ossi ] && mv -f $DIR_tmp/ossi $DIR_DANSGUARDIAN/blacklists/
cd /root
rm -rf $DIR_tmp
}
 
usage="Usage: alcasar-bl.sh -on | -off | -download| -reload"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-on)
# activation du filtrage
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" /etc/dansguardian/dansguardian.conf
service dansguardian reload
;;
-off)
# désactivation du filtrage
$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf
service dansguardian reload
;;
-download)
# Mise a jour de la blacklist 'Toulouse' et compilation de la base
rm -rf /tmp/con_ok.html
`/usr/bin/curl $BL_SERVER -# -o /tmp/con_ok.html`
if [ ! -e /tmp/con_ok.html ]
then
echo "Erreur : le serveur de blacklist ($BL_SERVER) n'est pas joignable"
else
transfert
install
chown -R dansguardian:apache $DIR_DANSGUARDIAN
chmod -R g+w $DIR_DANSGUARDIAN
service dansguardian reload
DATE=`date '+%d %B %Y - %Hh%M'`
echo "Univ-tlse du $DATE " > /var/www/html/VERSION-BL
rm -rf /tmp/con_ok.html
fi
;;
-reload)
# regénération de la base OSSI/RSSI
chown -R dansguardian:apache $DIR_DANSGUARDIAN/blacklists/ossi
chmod -R g+w $DIR_DANSGUARDIAN/blacklists/ossi
service dansguardian reload
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
 
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/sbin/alcasar-nf.sh
0,0 → 1,47
#/bin/sh
# active ou desactive le filtrage réseau
# by rexy
 
SED="/bin/sed -i"
FIC_SERVICES="/usr/local/etc/alcasar-services"
FIC_EXCEPTIONS="/usr/local/etc/alcasar-filter-exceptions"
 
usage="Usage: alcasar-nf.sh -on | -off "
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-on)
# activation du filtrage réseau
$SED "s?^FILTERING.*?FILTERING=\"yes\"?g" /usr/local/bin/alcasar-iptables.sh
# tri du fichier de services
sort -k2n $FIC_SERVICES > /tmp/alcasar-services-sort
mv -f /tmp/alcasar-services-sort $FIC_SERVICES
chown root:apache $FIC_SERVICES
chmod 660 $FIC_SERVICES
# vérification de présence du fichier d'exception
[ -e $FIC_EXCEPTIONS ] || touch $FIC_EXCEPTIONS
chown root:apache $FIC_EXCEPTIONS
chmod 664 $FIC_EXCEPTIONS
/usr/local/bin/alcasar-iptables.sh
;;
-off)
# désactivation du filtrage réseau
$SED "s?^FILTERING.*?FILTERING=\"no\"?g" /usr/local/bin/alcasar-iptables.sh
/usr/local/bin/alcasar-iptables.sh
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
 
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/sbin/alcasar-profil.sh
0,0 → 1,120
#/bin/sh
# Gestion des comptes liés aux profils
ADM_PROFIL="admin"
PROFILS="backup manager"
ALL_PROFILS=`echo $ADM_PROFIL $PROFILS`
DIR_KEY="/var/www/html/digest"
SED="/bin/sed -i"
HOSTNAME=`uname -n`
# liste les comptes de chaque profile
function list () {
for i in $ALL_PROFILS
do
echo "Comptes liés au profil '$i' :"
cat $DIR_KEY/key_only_$i | cut -d':' -f1|sort
done
}
# ajoute les comptes du profil "admin" aux autres profils
function concat () {
for i in $PROFILS
do
cp -f $DIR_KEY/key_only_$ADM_PROFIL $DIR_KEY/key_$i
cat $DIR_KEY/key_only_$i >> $DIR_KEY/key_$i
done
cp -f $DIR_KEY/key_only_$ADM_PROFIL $DIR_KEY/key_$ADM_PROFIL
chown -R root:apache $DIR_KEY
chmod 640 $DIR_KEY/key_*
}
 
usage="Usage: alcasar-profil.sh -list -add | -del | -pass"
nb_args=$#
args=$1
 
# on met en place la structure minimale
if [ ! -e $DIR_KEY/key_$ADM_PROFIL ]
then
touch $DIR_KEY/key_$ADM_PROFIL
fi
cp -f $DIR_KEY/key_$ADM_PROFIL $DIR_KEY/key_only_$ADM_PROFIL
for i in $PROFILS
do
if [ ! -e $DIR_KEY/key_only_$i ]
then
touch $DIR_KEY/key_only_$i
fi
done
concat
if [ $nb_args -eq 0 ]
then
echo $usage
exit 0
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-add)
# ajout d'un compte
list
echo -n "Choisissez un profil ($ALL_PROFILS) : "
read profil
echo -n "Entrez le nom du compte à créer (profil '$profil') : "
read account
# on teste s'il n'existe pas déjà
for i in $ALL_PROFILS
do
tmp_account=`cat $DIR_KEY/key_only_$i | cut -d':' -f1`
for j in $tmp_account
do
if [ "$j" = "$account" ]
then echo "Ce compte existe déjà"
exit 0
fi
done
done
/usr/sbin/htdigest $DIR_KEY/key_only_$profil $HOSTNAME $account
concat
list
;;
-del)
# suppression d'un compte
list
echo -n "entrez le nom du compte à supprimer : "
read account
for i in $ALL_PROFILS
do
$SED "/^$account:/d" $DIR_KEY/key_only_$i
done
concat
list
;;
-pass)
# changement du mot de passe d'un compte
list
echo "Changement de mot de passe"
echo -n "Entrez le nom du compte : "
read account
for i in $ALL_PROFILS
do
tmp_account=`cat $DIR_KEY/key_only_$i | cut -d':' -f1`
for j in $tmp_account
do
if [ "$j" = "$account" ]
then
/usr/sbin/htdigest $DIR_KEY/key_only_$i $HOSTNAME $account
fi
done
done
concat
;;
-list)
# liste des comptes par profile
list
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/sbin/alcasar-uninstall.sh
0,0 → 1,143
#!/bin/sh
# alcasar-uninstall.sh
# by 3abtux, angel95 and rexy
# This script is distributed under the Gnu General Public License (GPL)
clear
echo "-----------------------------------------------------------------------------"
echo "** Désinstallation d'ALCASAR **"
echo "-----------------------------------------------------------------------------"
echo
#services_stop
for i in ntpd iptables ulogd dansguardian squid chilli httpd radiusd named
do
/sbin/chkconfig --del $i
/etc/init.d/$i stop
done
echo "Réinitialisation des fonctions : "
#init
echo -en "\n-1 init(1) : "
#les script /usr/local/bin alcasar* sont supprimés à la fin car encore utiles ici
rm -f /root/ALCASAR* && echo -n "1,"
sleep 1
# network
echo -en "\n-2 network(9) : "
hostname localhost
[ -e /etc/sysconfig/network-scripts/default-ifcfg-eth1 ] && mv /etc/sysconfig/network-scripts/default-ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth1 && echo -n "1, "
[ -e /etc/sysconfig/network.default ] && mv /etc/sysconfig/network.default /etc/sysconfig/network && echo -n "2, "
[ -e /etc/hosts.default ] && mv /etc/hosts.default /etc/hosts && echo -n "3, "
[ -e /etc/sysconfig/network-scripts/ifcfg-eth1 ] && rm -f /etc/sysconfig/network-scripts/ifcfg-eth1 && echo -n "4, "
[ -e /etc/ntp.conf.default ] && mv /etc/ntp.conf.default /etc/ntp.conf && echo -n "5, "
[ -e /etc/dhcpd.conf.default ] && mv /etc/dhcpd.conf.default /etc/dhcpd.conf && echo -n "6, "
[ -e /etc/sysconfig/dhcpd.default ] && mv /etc/sysconfig/dhcpd.default /etc/sysconfig/dhcpd && echo -n "7, "
[ -e /etc/hosts.allow.default ] && mv /etc/hosts.allow.default /etc/hosts.allow && echo -n "8, "
[ -e /etc/hosts.deny.default ] && mv /etc/hosts.deny.default /etc/hosts.deny && echo -n "9"
sleep 1
# gestion
echo -en "\n-3 gestion(4) : "
[ -d /var/www/html ] && rm -rf /var/www/html && echo -n "1, "
[ -e /etc/httpd/conf/httpd.conf.default ] && mv /etc/httpd/conf/httpd.conf.default /etc/httpd/conf/httpd.conf && echo -n "2, "
[ -e /etc/httpd/conf/webapps.d/alcasar.conf ] && rm -f /etc/httpd/conf/webapps.d/alcasar.conf && echo -n "3, "
[ -e /var/www/error/include/bottom.html.default ] && mv /var/www/error/include/bottom.html.default /var/www/error/include/bottom.html && echo -n "4 "
sleep 1
# CA
echo -en "\n-4 AC(4) : "
[ -e /etc/pki/CA/alcasar-ca.crt ] && rm -f /etc/pki/CA/alcasar-ca.crt && echo -n "1, "
[ -e /etc/pki/CA/private/alcasar-ca.key ] && rm -f /etc/pki/CA/private/alcasar-ca.key && echo -n "2, "
[ -e /etc/pki/tls/certs/alcasar.crt ] && rm -f /etc/pki/tls/certs/alcasar.crt && echo -n "3, "
[ -e /etc/pki/tls/private/alcasar.key ] && rm -f /etc/pki/tls/private/alcasar.key && echo -n "4"
sleep 1
#init_db
echo -en "\n-5 init_db(2) : 1, "
[ -e /etc/my.cnf.default ] && mv -f /etc/my.cnf.default /etc/my.cnf && echo -n "2 "
/sbin/chkconfig --del mysqld
/etc/init.d/mysqld stop
/usr/bin/killall mysqld 2>/dev/null
rm -rf /var/lib/mysql*
sleep 1
#param_radius
echo -en "\n-6 param_radius(7) : "
[ -e /etc/raddb/radiusd-db-vierge.sql ] && rm -f /etc/raddb/radiusd-db-vierge.sql && echo -n "1, "
[ -e /etc/raddb/radiusd.conf.default ] && mv /etc/raddb/radiusd.conf.default /etc/raddb/radiusd.conf && echo -n "2, "
[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar && echo -n "3, "
[ -e /etc/raddb/sites-available/alcasar ] && rm /etc/raddb/sites-available/alcasar && echo -n "4, "
[ -e /etc/raddb/clients.conf.default ] && mv /etc/raddb/clients.conf.default /etc/raddb/clients.conf && echo -n "5, "
[ -e /etc/raddb/sql.conf.default ] && mv /etc/raddb/sql.conf.default /etc/raddb/sql.conf && echo -n "6, "
[ -e /etc/raddb/sql/mysql/dialup.conf.default ] && mv /etc/raddb/sql/mysql/dialup.conf.default /etc/raddb/sql/mysql/dialup.conf && echo -n "7"
sleep 1
#param_web_radius
echo -en "\n-7 param_web_radius(3) : "
[ -e /etc/freeradius-web/admin.conf.default ] && mv /etc/freeradius-web/admin.conf.default /etc/freeradius-web/admin.conf && echo -n "1, "
[ -e /etc/freeradius-web/naslist.conf ] && rm /etc/freeradius-web/naslist.conf && echo -n "2, "
[ -e /etc/freeradius-web/user_edit.attrs.default ] && mv /etc/freeradius-web/user_edit.attrs.default /etc/freeradius-web/user_edit.attrs && echo -n "3"
sleep 1
#param_chilli
echo -en "\n-8 param_chilli(5) : "
[ -e /etc/chilli/functions.default ] && mv /etc/chilli/functions.default /etc/chilli/functions && echo -n "1, "
[ -e /etc/init.d/chilli.default ] && mv /etc/init.d/chilli.default /etc/init.d/chilli && echo -n "2, "
[ -e /etc/chilli/config ] && rm /etc/chilli/config && echo -n "3, "
[ -e /etc/chilli/alcasar-uamallowed ] && rm /etc/chilli/alcasar-uamallowed && echo -n "4, "
[ -e /etc/chilli/alcasar-uamdomain ] && rm /etc/chilli/alcasar-uamdomain && echo -n "5"
sleep 1
#param_squid
echo -en "\n-9 param_squid(2) : "
[ -e /etc/squid/squid.conf.default ] && mv /etc/squid/squid.conf.default /etc/squid/squid.conf && echo -n "1, "
[ -d /var/spool/squid ] && rm -rf /var/spool/squid/* && echo -n "2"
#param_dansguardian
echo -en "\n-10 param_dansguardian(10) : "
[ -e /etc/init.d/dansguardian.default ] && mv /etc/init.d/dansguardian.default /etc/init.d/dansguardian && echo -n "1, "
[ -d /var/dansguardian ] && rm -rf /var/dansguardian && echo -n "2, "
[ -e /etc/dansguardian/dansguardian.conf.default ] && mv /etc/dansguardian/dansguardian.conf.default /etc/dansguardian/dansguardian.conf && echo -n "3, "
[ -e /etc/dansguardian/lists/bannedphraselist.default ] && mv /etc/dansguardian/lists/bannedphraselist.default /etc/dansguardian/lists/bannedphraselist && echo -n "4, "
[ -e /etc/dansguardian/dansguardianf1.conf.default ] && mv /etc/dansguardian/dansguardianf1.conf.default /etc/dansguardian/dansguardianf1.conf && echo -n "5, "
[ -e /etc/dansguardian/lists/bannedextensionlist.default ] && mv /etc/dansguardian/lists/bannedextensionlist.default /etc/dansguardian/lists/bannedextensionlist && echo -n "6, "
[ -e /etc/dansguardian/lists/bannedmimetypelist.default ] && mv /etc/dansguardian/lists/bannedmimetypelist.default /etc/dansguardian/lists/bannedmimetypelist && echo -n "7, "
[ -e /etc/dansguardian/lists/exceptioniplist.default ] && mv /etc/dansguardian/lists/exceptioniplist.default /etc/dansguardian/lists/exceptioniplist && echo -n "8, "
[ -e /etc/dansguardian/lists/bannedsitelist.default ] && mv /etc/dansguardian/lists/bannedsitelist.default /etc/dansguardian/lists/bannedsitelist && echo -n "9, "
[ -d /etc/dansguardian/lists/blacklists.default ] && mv -f /etc/dansguardian/lists/blacklists.default /etc/dansguardian/lists/blacklists && echo -n "10"
sleep 1
#firewall
echo -en "\n-11 firewall(1) : "
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "1"
sleep 1
#awstats
echo -en "\n-12 awstats(1) : "
[ -e /etc/awstats/awstats.conf.default ] && mv /etc/awstats/awstats.conf.default /etc/awstats/awstats.conf && echo -n "1"
sleep 1
#Bind
echo -en "\n-13 bind(4) : "
[ -e /var/lib/named/etc/named.conf.default ] && mv /var/lib/named/etc/named.conf.default /var/lib/named/etc/named.conf && echo -n "1, "
[ -e /var/lib/named/etc/trusted_networks_acl.conf.default ] && mv /var/lib/named/etc/trusted_networks_acl.conf.default /var/lib/named/etc/trusted_networks_acl.conf && echo -n "2, "
[ -e /var/lib/named/var/named/master/localdomain.zone.default ] && mv /var/lib/named/var/named/master/localdomain.zone.default /var/lib/named/var/named/master/localdomain.zone && echo -n "3, "
[ -e /var/lib/named/var/named/reverse/localdomain.rev ] && rm /var/lib/named/var/named/reverse/localdomain.rev && echo -n "4"
sleep 1
#cron
echo -en "\n-13 cron(9) : "
[ -e /etc/crontab.default ] && mv /etc/crontab.default /etc/crontab && echo -n "1, "
[ -e /etc/anacrontab.default ] && mv /etc/anacrontab.default /etc/anacrontab && echo -n "2, "
[ -e /etc/cron.d/mysql ] && rm -f /etc/cron.d/mysql && echo -n "3, "
[ -e /etc/cron.d/export_log ] && rm -f /etc/cron.d/export_log && echo -n "4, "
[ -e /etc/cron.d/clean_log ] && rm -f /etc/cron.d/clean_log && echo -n "5, "
[ -e /etc/cron.d/awstats ] && rm -f /etc/cron.d/awstats && echo -n "6, "
[ -e /etc/cron.d/freeradius-web ] && rm -f /etc/cron.d/freeradius-web && echo -n "7, "
[ -e /etc/cron.d/coova ] && rm -f /etc/cron.d/coova && echo -n "8, "
[ -e /etc/cron.d/watchdog ] && rm -f /etc/cron.d/watchdog && echo -n "9"
sleep 1
#plugin_ldap
[ -e /etc/raddb/ldap.attrmap.default ] && mv /etc/raddb/ldap.attrmap.default /etc/raddb/ldap.attrmap
[ -e /etc/raddb/ldap.default ] && mv /etc/raddb/ldap.default /etc/raddb/modules/ldap
sleep 1
#post_install
echo -en "\n-14 post_install(11) : "
[ -e /etc/mandriva-release.default ] && mv /etc/mandriva-release.default /etc/mandriva-release && echo -n "1, "
[ -e /etc/ssh/alcasar-banner-ssh ] && rm -f /etc/ssh/alcasar-banner-ssh && echo -n "2, "
[ -e /etc/ssh/sshd_config.default ] && mv /etc/ssh/sshd_config.default /etc/ssh/sshd_config && echo -n "3, "
[ -e /etc/bashrc.default ] && mv /etc/bashrc.default /etc/bashrc && echo -n "4, "
[ -e /etc/sudoers.default ] && mv /etc/sudoers.default /etc/sudoers && echo -n "5, "
[ -e /etc/logrotate.d/mysqld ] && rm -f /etc/logrotate.d/mysqld && echo -n "6, "
[ -e /etc/logrotate.d/httpd ] && rm -f /etc/logrotate.d/httpd && echo -n "7, "
[ -e /etc/logrotate.d/squid ] && rm -f /etc/logrotate.d/squid && echo -n "8, "
[ -e /etc/logrotate.d/radiusd ] && rm -f /etc/logrotate.d/radiusd && echo -n "9, "
[ -e /etc/logrotate.d/ulogd ] && rm -f /etc/logrotate.d/ulogd && echo -n "10, "
[ -e /usr/local/sbin/alcasar-uninstall.sh ] && rm -f /usr/local/sbin/alcasar* && rm -f /usr/local/bin/alcasar* && echo -n "11"
sleep 1
echo
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/sbin/alcasar-mysql.sh
0,0 → 1,53
#! /bin/bash
## Script de sauvegarde de la base MySQL 'radius' (by rexy)
 
LANG="fr_FR@euro" # choix de la langue
rep_tr="/var/Save/base" # répertoire d'accueil des sauvegardes
ext="sql" # extention des fichiers de sauvegarde
DB_RADIUS="db_radius" # nom de la base
DB_USER="db_user" # nom d'utilisateur mysql (base des usagers)
radiuspwd="radius_pwd" # mot de passe d'accès
new="$(date +%F-%Hh%M)" # date et heure des fichiers
fichier="$DB_RADIUS-$new.$ext" # nom du fichier de sauvegarde
 
usage="Usage: alcasar-mysql.sh -dump | -import | -raz"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-dump)
[ -d $rep_tr ] || mkdir -p $rep_tr
if [ -e $fichier ];
then rm -f $fichier
fi
echo "Export de la base 'db_radius' dans le fichier : $fichier"
mysqldump -u $DB_USER -p$radiuspwd --opt -BcQC $DB_RADIUS > $rep_tr/$fichier
echo "Fin de Sauvegarde mysql $( date "+%Hh %Mmn" )"
;;
-import)
if [ $nb_args -ne 2 ]
then
echo "Entrez le nom d'un fichier SQL (.sql)"
exit 0
else
mysql -u $DB_USER -p$radiuspwd < $2
fi
;;
-raz)
mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < /etc/raddb/radiusd-db-vierge.sql
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/sbin/alcasar-logout.sh
0,0 → 1,23
#/bin/sh
# deconnexion d'un usager
 
radiussecret=""
 
usage="Usage: alcasar-logout.sh nom_d'usager"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
*)
echo "User-Name = $args" | /usr/bin/radclient 127.0.0.1:3799 40 $radiussecret
;;
esac
 
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/sbin/alcasar-bypass.sh
0,0 → 1,45
#!/bin/sh
# Script portail-bypass
# Permet d'activer ou de désactiver le contournement de l'authentification et du filtrage WEB
usage="Usage: alcasar-bypass.sh -on | -off"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-on)
# activation du contournement
for i in chilli squid dansguardian httpd mysqld radiusd
do
if (pgrep $i) > /dev/null ; then /etc/init.d/$i stop ; fi
done
echo "Configure eth1 ..."
ifup eth1
sh /usr/local/bin/alcasar-iptables-bypass.sh
if ! (pgrep dhcpd) > /dev/null ; then /etc/init.d/dhcpd start ; fi
echo "Le contournement du module d'authentification et de filtrage WEB est activé"
echo "les journaux du parefeu continuent néanmoins d'être enregistrés"
;;
-off)
# désactivation du contournement
if (pgrep dhcpd) > /dev/null ; then /etc/init.d/dhcpd stop ; fi
for i in chilli squid dansguardian httpd mysqld radiusd
do
if ! (pgrep $i) > /dev/null ; then /etc/init.d/$i start ; fi
done
sh /usr/local/bin/alcasar-iptables.sh
echo "L'authentification et le filtrage WEB sont de nouveau activés"
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/alcasar-conf.sh
0,0 → 1,99
#/bin/sh
# by rexy
# Ce script permet de créer ou de charger l'archive des fichiers de configuration (/tmp/alcasar-conf.tar.gz)
DIR_UPDATE="/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour
DIR_WEB="/var/www/html" # répertoire du centre de gestion
DIR_DEST_SBIN="/usr/local/sbin" # répertoire des scripts d'admin
DIR_DEST_ETC="/usr/local/etc" # répertoire des fichiers de conf
DB_USER="db_user" # nom d'utilisateur mysql (base usagers)
radiuspwd="radius_pwd" # mot de passe d'accès
 
usage="Usage: alcasar-conf.sh -create | -load"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-create)
DIR_UPDATE="/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour
[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE
mkdir $DIR_UPDATE
# Sauvegarde des certificats (serveur et CA)
cert_date=`/usr/bin/openssl x509 -noout -in /etc/pki/tls/certs/alcasar.crt -dates|grep After|cut -d"=" -f2`
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE
cp -f /etc/pki/tls/private/alcasar.key $DIR_UPDATE
cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE
cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE
# Sauvegarde de la base des usagers
/usr/local/sbin/alcasar-mysql.sh -dump
cp /var/Save/base/`ls /var/Save/base|tail -1` $DIR_UPDATE
# Sauvegarde des comptes de gestion
cp -rf $DIR_WEB/digest $DIR_UPDATE
# Sauvegarde du nom d'organisme
echo `hostname` > $DIR_UPDATE/hostname
# Sauvegarde du logo
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE
# Sauvegarde des fichiers d'exceptions (urls, domains et mac)
cp -f /etc/chilli/alcasar-* $DIR_UPDATE
# Sauvegarde des listes de filtrage
echo "sauvegarde de l'ancienne blacklist ..."
cp -rf /etc/dansguardian/lists/ $DIR_UPDATE
# sauvegarde des fichiers de filtrage réseau
mkdir $DIR_UPDATE/etc/
cp -rf $DIR_DEST_ETC/* $DIR_UPDATE/etc/
# création de l'archive
cd /tmp
tar -cf alcasar-conf.tar conf/
gzip -f alcasar-conf.tar
rm -rf $DIR_UPDATE
;;
-load)
cd /tmp
tar -xf /tmp/alcasar-conf.tar.gz
# Récupération du nom d'organisme
ORGANISME=`cat $DIR_UPDATE/hostname|cut -b 9-`
hostname `cat $DIR_UPDATE/hostname`
# Récupération du logo
cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/
chown apache:apache $DIR_WEB/images/organisme.png $DIR_WEB/intercept.php
# Récupération des certificats (CA et serveur)
cp -f $DIR_UPDATE/alcasar-ca.crt /etc/pki/CA/
cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/
cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/
cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/
chown -R root:apache /etc/pki
chmod -R 750 /etc/pki
# Import de la dernière base usagers
mysql -u$DB_USER -p$radiuspwd < `ls $DIR_UPDATE/radius*`
# Récupération des uamallowed
cp -f $DIR_UPDATE/alcasar-uam* /etc/chilli/.
chown root:apache /etc/chilli/alcasar-uam*
chmod 660 /etc/chilli/alcasar-uam*
# Récupération des listes de filtrage (BL principale et secondaire, @IP non filtrés, etc.)
rm -rf /etc/dansguardian/lists
cp -rf $DIR_UPDATE/lists /etc/dansguardian/
chown -R dansguardian:apache /etc/dansguardian/lists
chmod -R g+rw /etc/dansguardian/lists
# Récupération des comptes de gestion (admin + manager + backup)
cp -rf $DIR_UPDATE/digest $DIR_WEB/
$DIR_DEST_SBIN/alcasar-profil.sh -list
# Récupération des règles de filtrage réseau
cp -f $DIR_UPDATE/etc/* $DIR_DEST_ETC/
chown root:apache $DIR_DEST_ETC/*
chmod 660 $DIR_DEST_ETC/*
rm -rf $DIR_UPDATE
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
 
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
/scripts/alcasar-iptables-filter.sh
0,0 → 1,62
#!/bin/sh
# by rexy (version 1.9 du 12/2009)
 
# a voir la relation avec nf_nat_ftp
# modprobe ip_conntrack_irc
# modprobe ip_conntrack_ftp
 
################## FILTRAGE PARTICULIER ##################
# Administration à distance par exemple :
## Autoriser SSH depuis l'extérieur sur le port 12222 ####
## Ne pas oublier la règle de PAT sur le modem/routeur (box ADSL) ! ainsi que l'adresse IP de votre machine distante dans /etc/hosts.allow
# $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 12222 -m state --state NEW -j ULOG --ulog-prefix "RULE Admin2 -- ACCEPT
# $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 12222 -j REDIRECT --to-port 22
# $IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -j ACCEPT
##########################################################
 
################# FILTRAGE APPLICATIF ####################
## Positionnez la variable "FILTERING" du fichier "alcasar-iptables.sh" à "yes" pour activer le filtrage
## Modifiez le fichier /usr/local/etc/alcasar-services pour l'adapter à vos besoins
if [ $FILTERING = "yes" ]
then
# si le fichier d'exception est renseigné on le traite
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
if [ $nb_exceptions != "0" ]
then
while read ip_exception
do
echo $ip_exception
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW,ESTABLISHED -j ACCEPT
done < /usr/local/etc/alcasar-filter-exceptions
fi
# On autorise les protoles non commentés
while read svc_line
do
svc_on=`echo $svc_line|cut -b1`
if [ $svc_on != "#" ]
then
svc_name=`echo $svc_line|cut -d" " -f1`
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
then
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT
# else if [ $svc_name = "ftp-passif" ]
# then
# /sbin/modprobe nf_nat_ftp
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ULOG --ulog-prefix "RULE F_ftp-passifE -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state RELATED -j ULOG --ulog-prefix "RULE F_ftp-passifR -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# fi
else
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW,ESTABLISHED -j ACCEPT
fi
fi
done < /usr/local/etc/alcasar-services
#tout le reste est bloqué
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
fi
 
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/alcasar-urpmi.sh
0,0 → 1,43
#!/bin/sh
# script d'ajout des medias logiciels
# 3abtux & rexy
# changelog :
# + prise en compte dynamique de la version de la distribution
# + prise en compte de la nouvelle struture RPM
# + test avant sortie
 
fic=`cat /etc/product.id`
old="$IFS"
IFS=","
set $fic
for i in $*
do
if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
then
ARCH=`echo $i|cut -d"=" -f2`
fi
if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
then
VERSION=`echo $i|cut -d"=" -f2`
fi
done
IFS="$old"
 
# For International install
# MIRRORLIST="http://api.mandriva.com/mirrors/basic.$VERSION.$ARCH.list"
 
# For french ALCASARistes
MIRRORLIST="http://ftp.free.fr/pub/Distributions_Linux/MandrivaLinux/official/$VERSION/$ARCH"
 
urpmi.removemedia -a
urpmi.addmedia --probe-synthesis --mirrorlist $MIRRORLIST main /media/main/release
urpmi.addmedia --probe-synthesis --mirrorlist $MIRRORLIST main_updates /media/main/updates
urpmi.addmedia --probe-synthesis --mirrorlist $MIRRORLIST contrib /media/contrib/release
urpmi.addmedia --probe-synthesis --mirrorlist $MIRRORLIST contrib_updates /media/contrib/updates
nb_repository=`cat /etc/urpmi/urpmi.cfg|grep mirrorlist|wc -l`
if [ "$nb_repository" != "4" ]
then
exit 1
else exit 0
fi
 
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/alcasar-watchdog.sh
0,0 → 1,51
#/bin/sh
# by rexy
# Ce script permet de déconnecter les usagers dont
# - les équipementis réseau ne répondent plus
# - les adresses MAC sont usurpées
# The aim of this script is to disconnect users whose
# - PCs are quiet
# - MAC address are in used by other systems (usurped)
 
INTIF="eth1"
PRIVATE_IP="192.168.182.1"
tmp_file="/tmp/watchdog.txt"
IFS=$'\n'
# lecture du fichier contenant les adresses IP des stations muettes
if [ -e $tmp_file ]; then
cat $tmp_file | while read noresponse
do
noresponse_ip=`echo $noresponse | cut -d" " -f1`
noresponse_mac=`echo $noresponse | cut -d" " -f2`
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 $noresponse_ip|grep response|cut -d" " -f2`
if [[ $(expr $arp_reply) -eq 0 ]]
then
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) reste muette. On déconnecte."
/usr/sbin/chilli_query logout $noresponse_mac
fi
done
rm $tmp_file
fi
# on traite chaque équipements connus de chilli
for system in `/usr/sbin/chilli_query list`
do
active_ip=`echo $system |cut -d" " -f2`
active_session=`echo $system |cut -d" " -f5`
active_mac=`echo $system | cut -d" " -f1`
# on ne traite que les équipements exploitées par un usager authentifié
if [[ $(expr $active_session) -eq 1 ]]
then
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 $active_ip|grep response|cut -d" " -f2`
# on stocke les adresses IP des stations muettes
if [[ $(expr $arp_reply) -eq 0 ]]
then
echo "$active_ip $active_mac" >> $tmp_file
fi
# on deconnecte l'usager d'une stations usurpée (@MAC)
if [[ $(expr $arp_reply) -gt 2 ]]
then
logger "alcasar-watchdog : $active_ip est usurpée ($active_mac). On déconnecte."
/usr/sbin/chilli_query logout $active_mac
fi
fi
done
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/alcasar-iptables.sh
0,0 → 1,118
#!/bin/sh
# script de mise en place des regles du parefeu d'Alcasar (mode normal)
# Rexy - 3abtux - CPN
# version 1.8 (12/2009)
# changelog :
# + prise en compte des règles de "filtrage réseau" (alcasar-iptables-filter.sh)
# + suppression log vers syslog
# + suppression des broadcast sur EXTIF et INTIF
# + suppression du filtrage par la table "NAT" -> utilisation de la table "MANGLE"
 
IPTABLES="/sbin/iptables"
FILTERING="no"
EXTIF="eth0"
INTIF="eth1"
TUNIF="tun0"
PRIVATE_NETWORK_MASK="192.168.182.0/24"
PRIVATE_IP="192.168.182.1"
 
# On vide (flush) toutes les règles existantes
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
 
# On indique les politiques par défaut
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
# On efface toutes les chaines qui ne sont pas par défaut dans les tables filter et nat
$IPTABLES -X
$IPTABLES -t nat -X
 
# On autorise tout sur loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
 
# on autorise les requêtes dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
 
# On ferme INTIF (tout passe par TUNIF)
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
$IPTABLES -A INPUT -i $INTIF -j REJECT
 
# Règles d'antispoofing
$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "
$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j DROP
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP
 
# On drop le broadcast et le multicast sur les interfaces (sans Log)
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On autorise le ping dans les deux sens (icmp N°0 & 8) en provenance du LAN
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
 
# On ajoute ici les règles de filtrage réseau
if [ -f /usr/local/bin/alcasar-iptables-filter.sh ]; then
. /usr/local/bin/alcasar-iptables-filter.sh
fi
# On autorise le transfert de flux dans les deux sens (avec log sur les demandes de connexion sortantes)
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert1 -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $TUNIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
# On autorise les flux entrant dns, ntp, https, ssh et le port 3990 (connexion/deconnexion des usagers). Retour autorisé par politique accept en OUTPUT
$IPTABLES -A INPUT -i $TUNIF -p udp --dport domain -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -p udp --dport ntp -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport https -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 3990 -j ACCEPT
 
# On autorise le retour des connexions sortantes (politique ouput accept)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On redirige les requêtes DNS sortantes sur BIND local
# log DNS query present dans log du service BIND query.log --> pas de log dans firewall.log
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp ! -d $PRIVATE_IP -m udp --dport domain -j ULOG --ulog-prefix "RULE direct-DNS -- REDIRECT "
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp ! -d $PRIVATE_IP --dport domain -j REDIRECT --to-port domain
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP -m tcp --dport domain -j ULOG --ulog-prefix "RULE direct-DNS -- REDIRECT "
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport domain -j REDIRECT --to-port domain
 
# On interdit les connexions directes sur le port de DansGuardian (8080)
# les paquets concernés sont marqués par une règle de PREROUTING (cf. ci-après)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j DROP
# On autorise les connexions sur DansGuardian
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
 
# On log les requêtes HTTP sortantes (demande de connexion seulement)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert2 -- ACCEPT "
# On redirige les requête http sortantes vers DansGuardian (mode "proxy transparent")
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -j REDIRECT --to-port 8080
# On traite les tentatives de contournement par accès direct à DansGuardian (marquage des paquets)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j MARK --set-mark 1
 
# On interdit et on log le reste sur les 2 interfaces d'accès
$IPTABLES -A INPUT -i $TUNIF -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $EXTIF -j ULOG --ulog-prefix "RULE rej-ext -- REJECT "
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 
# On active le masquage d'adresse par translation (NAT)
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
# On sauvegarde les règles
/etc/init.d/iptables save
 
# On ne log pas les Log_martians (pour la mdv 2009 seulement)
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
 
# Fin du script des règles du parefeu
 
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/alcasar-CA.sh
0,0 → 1,246
#!/bin/sh
#
# alcasar-CA.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
#
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
# and Michel Arboi <arboi@alussinan.org>
#
 
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
DIR_PKI=/etc/pki
DIR_CERT=$DIR_PKI/tls
DIR_WEB=/var/www/html
CACERT=$DIR_PKI/CA/alcasar-ca.crt
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
SRVCERT=$DIR_CERT/certs/alcasar.crt
SRVKEY=$DIR_CERT/private/alcasar.key
SRVREQ=$DIR_CERT/alcasar.req
FIC_PARAM="/root/ALCASAR-parameters.txt"
 
CACERT_LIFETIME="1460"
SRVCERT_LIFETIME="1460"
COUNTRY="FR"
PROVINCE="none"
LOCATION="Paris"
ORGANIZATION="ALCASAR-Team"
 
mkdir $DIR_TMP || exit 1
# dynamic conf file for openssl
cat <<EOF >$DIR_TMP/ssl.conf
RANDFILE = $HOME/.rnd
#
[ ca ]
default_ca = AlcasarCA
 
[ AlcasarCA ]
dir = $DIR_TMP # Where everything is kept
certs = \$dir # Where the issued certs are kept
crl_dir = \$dir # Where the issued crl are kept
database = \$dir/index.txt # database index file.
new_certs_dir = \$dir # default place for new certs.
 
certificate = $CACERT # The CA certificate
serial = \$dir/serial # The current serial number
crl = \$dir/crl.pem # The current CRL
private_key = $CAKEY # The private key
 
x509_extensions = usr_cert # The extentions to add to the cert
crl_extensions = crl_ext
 
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
 
policy = policy_anything
 
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
 
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
# attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
 
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
countryName_min = 2
countryName_max = 2
 
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
 
localityName = Locality Name (eg, city)
localityName_default = Lyon
 
0.organizationName = Organization Name (eg, company)
0.organizationName_default = your organization name
 
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
 
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
 
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 255
 
emailAddress = Email Address
emailAddress_max = 255
 
# SET-ex3 = SET extension number 3
 
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType = nsCertType
# For normal client use this is typical
# nsCertType = client, email
nsCertType = server
 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=email:copy
 
# Copy subject details
issuerAltName=issuer:copy
 
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
 
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
EOF
 
hostname=`hostname`
if [ -z "$hostname" ];
then
echo "Impossible de déterminer le nom d'hôte !!!"
exit 1
fi
 
# The value for organizationalUnitName must be 64 chars or less;
# thus, hostname must be 36 chars or less. If it's too big,
# try removing domain (merci REXY ;-) ).
hostname_len=`echo $hostname| wc -c`
 
if [ $hostname_len -gt 36 ];
then
hostname=`echo $hostname | cut -d '.' -f 1`
fi
 
if [ ! -f /etc/sysconfig/network-scripts/ifcfg-eth1 ]
then
echo "Impossible de déterminer l'@-IP"
exit 1
fi
IPADDR=`cat /etc/sysconfig/network-scripts/ifcfg-eth1 |grep IPADDR|cut -d"=" -f2`
CAMAIL=ca@$hostname
SRVMAIL=apache@$hostname
 
echo 01 > $DIR_TMP/serial
touch $DIR_TMP/index.txt
 
# CA key
rm -f $CAKEY
echo "*********CAKEY*********" > $DIR_TMP/openssl-log
openssl genrsa -out $CAKEY 1024 2>> $DIR_TMP/openssl-log
 
# CA certificate
rm -f $CACERT
echo "*********CACERT*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Certification Authority for $hostname
ALCASAR-local-CA
$CAMAIL" |
openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
 
# Server key
rm -f $SRVKEY
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log
 
# Server certificate "request"
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
echo "$COUNTRY
$PROVINCE
$LOCATION
$ORGANIZATION
Server certificate for $hostname
$IPADDR
$SRVMAIL" |
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
 
# Sign the server certificate "request" to create server certificate
rm -f $SRVCERT
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
rm -f $SRVREQ
chmod a+r $CACERT $SRVCERT
 
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
then
echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM
echo " Certificat = $CACERT" >> $FIC_PARAM
echo " Clée privée = $CAKEY" >> $FIC_PARAM
echo "- Certificat du serveur : " >> $FIC_PARAM
echo " Certificat = $SRVCERT" >> $FIC_PARAM
echo " Clée privée = $SRVKEY" >> $FIC_PARAM
[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
rm -f $DIR_WEB/certs/*
ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.pem
ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.pem
rm -rf $DIR_TMP
exit 0
else
echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM
exit 1
fi
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/alcasar-iptables-bypass.sh
0,0 → 1,80
#!/bin/sh
# script d'initialisation des regles du parefeu en mode ByPass
# Rexy - 3abtux
# version 1.8 - 12/2009
# changelog :
# + prise en compte optionnelle d'un fichier iptables 'personnel' permettant de bloquer certains flux/services
# + suppression log vers syslog
# + suppression du broadcast et du multicast sur les interfaces
 
IPTABLES="/sbin/iptables"
 
EXTIF="eth0"
INTIF="eth1"
PRIVATE_NETWORK_MASK="192.168.182.0/24"
 
# On vide (flush) toutes les règles existantes
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
 
# On indique les politiques par défaut
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
# On efface toutes les chaînes qui ne sont pas par défaut dans les tables filter et nat
$IPTABLES -X
$IPTABLES -t nat -X
 
# On autorise tout sur loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
 
# on autorise les requêtes dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
 
# Règles d'antispoofing
$IPTABLES -A INPUT -i $INTIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "
$IPTABLES -A INPUT -i $INTIF ! -s $PRIVATE_NETWORK_MASK -j DROP
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP
 
# On drop le broadcast et le multicasat sur les interfaces (sans Log)
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On autorise le ping dans les deux sens (icmp N°0 & 8) en provenance du LAN
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
 
# On autorise le tranfert des requête DNS (sans LOG)
$IPTABLES -A FORWARD -i $INTIF -p udp --dport domain -j ACCEPT
 
# On autorise le flux dans les deux sens (avec Log sur les demandes de connexion).
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT "
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On autorise les flux entrant ntp et ssh via INTIF
$IPTABLES -A INPUT -i $INTIF -p udp --dport ntp -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p tcp --dport ssh -j ACCEPT
 
# On autorise les flux entrant des connexions déjà établies (ping à partir du portail par exemple)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On interdit et on log le reste sur les 2 interfaces d'accès
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $EXTIF -j ULOG --ulog-prefix "RULE rej-ext -- REJECT "
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 
# On active le masquage d'adresse par translation (NAT)
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
/etc/init.d/iptables save
# Fin du script des regles du parefeu
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/alcasar-mondo.sh
0,0 → 1,28
#!/bin/sh
# by 3abtux (with debug helps by Michel GAUDET)
DIR_TMP="/var/log/mondo"
DIR_ISO="/var/Save/ISO"
date=`date +%F-%Hh%M`
HOSTNAME=`hostname -s`
ROOT="root"
ISOFile=$HOSTNAME-$date
EXCLUDE="$DIR_ISO $DIR_TMP /tmp /mnt /media"
 
echo "Les répertoires exclus de l'image ISO sont : $EXCLUDE "
echo "##################################################"
echo "# Création de l'archive ISO système d'Alcasar ! #"
echo "##################################################"
echo ""
echo "--------------------------------------------------------"
echo "Les ISOs seront disponibles dans le répertoire suivant :"
echo "==--> $DIR_ISO"
/bin/touch $DIR_ISO/creation-of-the-current-archive
mkdir $DIR_TMP
/bin/nice -n 19 /usr/sbin/mondoarchive -p $ISOFile -Oi -s 4300m -d $DIR_ISO -T $DIR_TMP -S $DIR_TMP -E "$EXCLUDE"
cd $DIR_ISO
for i in `ls *.iso` ;do
/usr/bin/md5sum $i > $i.md5
done
rm -rf $DIR_TMP/mondo.scratch.* $DIR_TMP/tmp.mondo.* $DIR_TMP/.*.dat
rm -f $DIR_ISO/creation-of-the-current-archive
exit 0
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/alcasar-log-export.sh
0,0 → 1,36
#!/bin/sh
#
# alcasar-log-export.sh
# by Franck BOUIJOUX
# This script is distributed under the Gnu General Public License (GPL)
 
# Script permettant d'exporter des logs des répertoires /var/log/(squid-firewall-httpd ) à des fins d'archivages.
# Une fonction EXPERIMENTALE de chiffrement et de signature des logs a été implémentée dans ce script. Son activation par la mise à '1' de la variable 'CHIFFREMENT' et/ou 'SIGNATURE' permet de chiffrer-signer ou signer les logs contenus dans /var/Save/logs/.
# Il est nécessaire de détenir la passphrase de la clé privée de l'utilisateur 'admin-chillispot' pour rendre ces logs lisibles (la passphrase est actuellement détenue par l'équipe projet.
 
# changelog :
# - 20080114 - implémentation de la signature des archives logs
 
date=`date +%F`
TO_SAVE="/var/Save/logs" # répertoire accessible par webs
REP_SAVE="/var/log" # répertoire local des logs
REP_SERVICE="squid httpd firewall" # liste des répertoires contenant des logs à exporter
CHIFFREMENT="0" # chiffrement des logs ( 0=non / 1=oui )
GPG_USER="" # utilisateur autorisé à déchiffrer les logs. Son biclé est inclus dans le portefeuille gnupg de root (/root/.gnupg)
 
for i in $REP_SERVICE ; do
[ -d $TO_SAVE/$i ] || mkdir -p $TO_SAVE/$i # utile une seule fois mais crée le répertoire si nécessaire
cd $REP_SAVE/$i
if [ $CHIFFREMENT -eq "1" ]
then
# chiffrement des logs dans /var/Save/logs/(squid|firewall|httpd)
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'firewall*.gz' -o -name 'admin*.gz' \) -exec gpg --output $TO_SAVE/$i/{}.gpg --encrypt --recipient $GPG_USER {} \;
else
# copie simple des logs dans /var/Save/logs/(squid|firewall|httpd)
 
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'firewall*.gz' -o -name 'admin*.gz' \) -exec cp {} $TO_SAVE/$i/. \;
fi
done
chown -R apache.apache $TO_SAVE
exit 0
 
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
/scripts/alcasar-log-clean.sh
0,0 → 1,14
#!/bin/sh
# script de nettoyage des archives supérieures à 1 an ( 365 jours)
 
DATE=`date +%F`
REP="/var/log/squid/ /var/log/httpd/ /var/log/firewall/ /var/Save/base/ /var/Save/logs/firewall/ /var/Save/logs/squid/ /var/Save/logs/httpd/"
delay=365
 
for i in $REP
do
find $i -mtime +$delay -name '*.gz' -exec rm -f {} \;
find $i -mtime +$delay -name '*.sql' -exec rm -f {} \;
done
 
exit 0
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable