
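--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 2863 2020-10-05 15:51:53Z rexy $
+#  $Id: alcasar.sh 2864 2020-10-18 09:06:17Z rexy $
 
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
@@ -1538,11 +1538,10 @@
 EOF
 
 # Configuration file of ALCASAR main domains for $INTIF
         cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
 server:
-        local-zone: "$DOMAIN" static
         local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
         local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"
 EOF
 
 # Configuration file for lo of forward unbound
@@ -1550,12 +1549,13 @@
 server:
         interface: 127.0.0.1@53
         access-control-view: 127.0.0.1/8 lo
 view:
         name: "lo"
-        local-zone: "$DOMAIN" static
+        local-data: "$HOSTNAME A 127.0.0.1"
         local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
+        local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
         view-first: yes
 EOF
 
 # Configuration file for $INTIF of forward unbound
         cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
@@ -1633,11 +1633,11 @@
         include: /etc/unbound/conf.d/common/local-dns/*
         include: /etc/unbound/conf.d/whitelist/*
         include: /usr/local/share/unbound-wl-enabled/*
 forward-zone:
         name: "."
-        forward-addr: 127.0.0.1@55
+        forward-addr: 127.0.0.1@53
 EOF
 
 # Configuration file for $INTIF of blackhole unbound
         cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
 server:
@@ -1645,13 +1645,10 @@
         access-control-view: $PRIVATE_NETWORK_MASK $INTIF
 view:
         name: "$INTIF"
         local-zone: "." redirect
         local-data: ". A $PRIVATE_IP"
-        local-zone: "$DOMAIN" static
-        local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
-        local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"
 EOF
 
 # Configuration file for blackhole unbound
         cat << EOF > /etc/unbound/unbound-blackhole.conf
 server:
@@ -2134,11 +2131,11 @@
         for i in ulogd gpm dhcpd
         do
                 /usr/bin/systemctl -q disable $i.service
         done
 
-# Apply French Security Agency (ANSSI) rules
+# Apply some security rules (some are from French cybersecurity Agency - ANSSI)
 # ignore ICMP broadcast (smurf attack)
         echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
 # ignore ICMP errors bogus
         echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
 # remove ICMP redirects responces
@@ -2163,10 +2160,14 @@
         echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
         echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
         echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
 # switch to multi-users runlevel (instead of x11)
         ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+# disable Core dump file
+        [ -e /etc/security/limits.conf.default ]  || cp /etc/security/limits.conf /etc/security/limits.conf.default
+        $SED "/^# End of file.*/i*\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf
+ 
 # GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
         [ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
         $SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
         $SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
         [ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default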
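Review bot: The "disable Core dump file" lines added after the `ln -sf ... default.target` line only reach PAM login sessions: `/etc/security/limits.conf` is applied by pam_limits, and daemons started by systemd (such as the unbound instances configured earlier in this script) take their resource limits from systemd and never read that file, so the comment promises more than the change delivers. To cover services as well, set `DefaultLimitCORE=0` in /etc/systemd/system.conf with the same `.default` backup pattern, and append `fs.suid_dumpable = 0` to /etc/sysctl.d/alcasar.conf next to the other sysctl lines in this hunk. The sed `i` command also inserts before every `# End of file` match on each invocation, so if the script is ever re-run against the same limits.conf the two core lines are duplicated; prefixing the call with `grep -q '^\*.*hard.*core' /etc/security/limits.conf ||` keeps it idempotent. The surrounding statement run continues outside this hunk.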