WebSVN – ALCASAR – Diff – /alcasar.sh

 #!/bin/bash
-#  $Id: alcasar.sh 2195 2017-05-02 14:51:01Z richard $
+#  $Id: alcasar.sh 2202 2017-05-06 13:35:14Z richard $
 # alcasar.sh
 # ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
 # Ce programme est un logiciel libre ; This software is free and open source
 #	vnstat			: little network stat daemon
 #	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
 #	cron			: Logs export + watchdog + connexion statistics
 #	fail2ban		: Fail2ban IDS installation and configuration
 #	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
+#	msec			: Mandriva security package configuration
 #	post_install		: Security, log rotation, etc.
 DATE=`date '+%d %B %Y - %Hh%M'`
 DATE_SHORT=`date '+%d/%m/%Y'`
 Lang=`echo $LANG|cut -c 1-2`
 KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
 EOF
 } # END gammu_smsd()
+##################################################################
+##			Fonction "msec"				##
+## - Application du niveau de sécurité fileserver 		##
+## - Désactiver l'autorisation de redémarrage			##
+## - forcer les permissions sur les configurations		##
+## - forcer les permissions sur les log				##
+##################################################################
+msec()
+{
+# Apply fileserver security level
+$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
+# Disable Magic SysReq Keys
+$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
+# Configure permissions monitoring and enforcement
+cat <<EOF > /etc/security/msec/perm.local
+/var/log/firefwall/                     root.apache     750
+/var/log/firewall/*                     root.apache     640
+/etc/security/msec/perm.local           root.root       640
+/etc/security/msec/level.local          root.root       640
+/etc/freeradius-web                     root.apache     750
+/etc/freeradius-web/admin.conf          root.apache     640
+/etc/raddb/dictionnary                  root.apache     640
+/etc/raddb/ldap.attrmap                 root.radius     640
+/etc/raddb/hints                        root.radius     640
+/etc/raddb/huntgroups                   root.radius     640
+/etc/raddb/attrs.access_reject          root.radius     640
+/etc/raddb/attrs.accounting_response    root.radius     640
+/etc/raddb/acct_users                   root.raidus     640
+/etc/raddb/preproxy_users               root.radius     640
+/etc/raddb/modules/ldap                 radius.apache   660
+/etc/raddb/sites-available/alcasar      radius.apache   660
+/etc/pki/*                              root.apache     750
+/var/log/netflow/porttracker            apache.apache   770
+/var/log/netflow/porttracker/*          apache.apache   770
+EOF
+/usr/sbin/msec
+} # END msec()
-##########################################################
+##################################################################
 ##		Fonction "post_install"			##
 ## - Modifying banners (locals et ssh) & prompts	##
 ## - SSH config						##
 ## - sudoers config & files security			##
 ## - log rotate & ANSSI security parameters		##
 			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
 			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
 			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
 			mode="update"
 		fi
-		for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
+		for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec post_install
 		do
 			$func
 # echo "*** 'debug' : end of function $func ***"; read a
 		done
 		;;

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2981 – Rev 2195 → 2202