WebSVN – ALCASAR – Diff – /alcasar.sh



#!/bin/bash
#  $Id: alcasar.sh 2864 2020-10-18 09:06:17Z rexy $
 
# alcasar.sh
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
# This script is distributed under the Gnu General Public License (GPL)
#  team@alcasar.net

EOF
 
# Configuration file of ALCASAR main domains for $INTIF
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
server:
 
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
	local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"
EOF
 
# Configuration file for lo of forward unbound

server:
	interface: 127.0.0.1@53
	access-control-view: 127.0.0.1/8 lo
view:
	name: "lo"
	local-data: "$HOSTNAME A 127.0.0.1"
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
	local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
	view-first: yes
EOF
 
# Configuration file for $INTIF of forward unbound
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf

	include: /etc/unbound/conf.d/common/local-dns/*
	include: /etc/unbound/conf.d/whitelist/*
	include: /usr/local/share/unbound-wl-enabled/*
forward-zone:
	name: "."
	forward-addr: 127.0.0.1@53
EOF
 
# Configuration file for $INTIF of blackhole unbound
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
server:

	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
view:
	name: "$INTIF"
	local-zone: "." redirect
	local-data: ". A $PRIVATE_IP"
 
 
 
EOF
 
# Configuration file for blackhole unbound
	cat << EOF > /etc/unbound/unbound-blackhole.conf
server:

	for i in ulogd gpm dhcpd
	do
		/usr/bin/systemctl -q disable $i.service
	done
 
# Apply some security rules (some are from French cybersecurity Agency - ANSSI)
# ignore ICMP broadcast (smurf attack)
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
# ignore ICMP errors bogus
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
# remove ICMP redirects responces

	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
# switch to multi-users runlevel (instead of x11)
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
# disable Core dump file
	[ -e /etc/security/limits.conf.default ]  || cp /etc/security/limits.conf /etc/security/limits.conf.default
	$SED "/^# End of file.*/i*\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf
 
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default

Rev 2863	Rev 2864
Line 1...	Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar.sh 2863 2020-10-05 15:51:53Z rexy $`	2	`# $Id: alcasar.sh 2864 2020-10-18 09:06:17Z rexy $`
3		3
4	`# alcasar.sh`	4	`# alcasar.sh`
5	`# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)`	5	`# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`# team@alcasar.net`	7	`# team@alcasar.net`
Line 1538...	Line 1538...
1538	`EOF`	1538	`EOF`
1539		1539
1540	`# Configuration file of ALCASAR main domains for $INTIF`	1540	`# Configuration file of ALCASAR main domains for $INTIF`
1541	`cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf`	1541	`cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf`
1542	`server:`	1542	`server:`
1543	`local-zone: "$DOMAIN" static`	-
1544	`local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"`	1543	`local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"`
1545	`local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"`	1544	`local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"`
1546	`EOF`	1545	`EOF`
1547		1546
1548	`# Configuration file for lo of forward unbound`	1547	`# Configuration file for lo of forward unbound`
Line 1550...	Line 1549...
1550	`server:`	1549	`server:`
1551	`interface: 127.0.0.1@53`	1550	`interface: 127.0.0.1@53`
1552	`access-control-view: 127.0.0.1/8 lo`	1551	`access-control-view: 127.0.0.1/8 lo`
1553	`view:`	1552	`view:`
1554	`name: "lo"`	1553	`name: "lo"`
1555	`local-zone: "$DOMAIN" static`	1554	`local-data: "$HOSTNAME A 127.0.0.1"`
1556	`local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"`	1555	`local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"`
-		1556	`local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"`
1557	`view-first: yes`	1557	`view-first: yes`
1558	`EOF`	1558	`EOF`
1559		1559
1560	`# Configuration file for $INTIF of forward unbound`	1560	`# Configuration file for $INTIF of forward unbound`
1561	`cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf`	1561	`cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf`
Line 1633...	Line 1633...
1633	`include: /etc/unbound/conf.d/common/local-dns/*`	1633	`include: /etc/unbound/conf.d/common/local-dns/*`
1634	`include: /etc/unbound/conf.d/whitelist/*`	1634	`include: /etc/unbound/conf.d/whitelist/*`
1635	`include: /usr/local/share/unbound-wl-enabled/*`	1635	`include: /usr/local/share/unbound-wl-enabled/*`
1636	`forward-zone:`	1636	`forward-zone:`
1637	`name: "."`	1637	`name: "."`
1638	`forward-addr: 127.0.0.1@55`	1638	`forward-addr: 127.0.0.1@53`
1639	`EOF`	1639	`EOF`
1640		1640
1641	`# Configuration file for $INTIF of blackhole unbound`	1641	`# Configuration file for $INTIF of blackhole unbound`
1642	`cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf`	1642	`cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf`
1643	`server:`	1643	`server:`
Line 1645...	Line 1645...
1645	`access-control-view: $PRIVATE_NETWORK_MASK $INTIF`	1645	`access-control-view: $PRIVATE_NETWORK_MASK $INTIF`
1646	`view:`	1646	`view:`
1647	`name: "$INTIF"`	1647	`name: "$INTIF"`
1648	`local-zone: "." redirect`	1648	`local-zone: "." redirect`
1649	`local-data: ". A $PRIVATE_IP"`	1649	`local-data: ". A $PRIVATE_IP"`
1650	`local-zone: "$DOMAIN" static`	-
1651	`local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"`	-
1652	`local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"`	-
1653	`EOF`	1650	`EOF`
1654		1651
1655	`# Configuration file for blackhole unbound`	1652	`# Configuration file for blackhole unbound`
1656	`cat << EOF > /etc/unbound/unbound-blackhole.conf`	1653	`cat << EOF > /etc/unbound/unbound-blackhole.conf`
1657	`server:`	1654	`server:`
Line 2134...	Line 2131...
2134	`for i in ulogd gpm dhcpd`	2131	`for i in ulogd gpm dhcpd`
2135	`do`	2132	`do`
2136	`/usr/bin/systemctl -q disable $i.service`	2133	`/usr/bin/systemctl -q disable $i.service`
2137	`done`	2134	`done`
2138		2135
2139	`# Apply French Security Agency (ANSSI) rules`	2136	`# Apply some security rules (some are from French cybersecurity Agency - ANSSI)`
2140	`# ignore ICMP broadcast (smurf attack)`	2137	`# ignore ICMP broadcast (smurf attack)`
2141	`echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf`	2138	`echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf`
2142	`# ignore ICMP errors bogus`	2139	`# ignore ICMP errors bogus`
2143	`echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf`	2140	`echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf`
2144	`# remove ICMP redirects responces`	2141	`# remove ICMP redirects responces`
Line 2163...	Line 2160...
2163	`echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf`	2160	`echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf`
2164	`echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf`	2161	`echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf`
2165	`echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf`	2162	`echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf`
2166	`# switch to multi-users runlevel (instead of x11)`	2163	`# switch to multi-users runlevel (instead of x11)`
2167	`ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target`	2164	`ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target`
-		2165	`# disable Core dump file`
-		2166	`[ -e /etc/security/limits.conf.default ] \|\| cp /etc/security/limits.conf /etc/security/limits.conf.default`
-		2167	`$SED "/^# End of file./i\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf`
-		2168
2168	`# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner`	2169	`# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner`
2169	`[ -e /etc/default/grub.default ] \|\| cp /etc/default/grub /etc/default/grub.default`	2170	`[ -e /etc/default/grub.default ] \|\| cp /etc/default/grub /etc/default/grub.default`
2170	`$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub`	2171	`$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub`
2171	`$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub`	2172	`$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub`
2172	`[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default`	2173	`[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default`

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 2863 → 2864