WebSVN – ALCASAR – Diff – /alcasar.sh

 #!/bin/bash
-#  $Id: alcasar.sh 2933 2021-03-27 10:17:40Z rexy $
+#  $Id: alcasar.sh 2937 2021-04-05 22:17:52Z rexy $
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
 	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
 	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
 # load ipt_NETFLOW module
 	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
 # modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
-	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
+	cp /lib/systemd/system/iptables.service /etc/systemd/system/iptables.service
-	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
+	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /etc/systemd/system/iptables.service
 	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
 	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
+#
 # the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
 } # End of network()
 	do
 		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
 	done
 	chown -R root:apache $DIR_SAVE
 # Configuring & securing php
-	[ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
+	[ -e /etc/php.d/05_date.ini.default ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
 	timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
 	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
 	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
 	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
 	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
 	fi
 # Creation of ACC certs links
 	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
 	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
 # Run lighttpd after coova (in order waiting tun0 to be up)
+	cp /lib/systemd/system/lighttpd.service /etc/systemd/system/lighttpd.service
-	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
+	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/lighttpd.service
 	# Log file for ACC access imputability
 	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
 	chown root:apache $DIR_SAVE/security/acc_access.log
 	chmod 664 $DIR_SAVE/security/acc_access.log
 # Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
 # Create 'radius' database
 	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
 # Add an empty radius database structure
 	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
 # modify the start script in order to close accounting connexion when the system is comming down or up
-	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
+	cp /lib/systemd/system/mysqld.service /etc/systemd/system/mysqld.service
-	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
+	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
-	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
+	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
 	/usr/bin/systemctl unset-environment MYSQLD_OPTS
 	/usr/bin/systemctl daemon-reload
 } # End of init_db()
 ###################################################################
 # sqlcounter modifications
 	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
 	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
 	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
 # make certain that mysql is up before freeradius start
-	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
+	cp /lib/systemd/system/radiusd.service /etc/systemd/system/radiusd.service
-	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
+	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /etc/systemd/system/radiusd.service
 	/usr/bin/systemctl daemon-reload
 # Allow apache to change some conf files (ie : ldap on/off)
 	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
 	chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
 } # End of freeradius()
 ## - Adapt the authentication web page (intercept.php)                     ##
 #############################################################################
 chilli()
+{
 # chilli unit for systemd
-	cat << EOF > /lib/systemd/system/chilli.service
+	cat << EOF > /etc/systemd/system/chilli.service
 #  This file is part of systemd.
+#
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU General Public License as published by
 #  the Free Software Foundation; either version 2 of the License, or
 ## - Set the parameters of this HTML proxy (as controler)     ##
 ################################################################
 e2guardian()
+{
 # Adapt systemd unit
-[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
+	cp /lib/systemd/system/e2guardian.service /etc/systemd/system/e2guardian.service
-	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
+	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /etc/systemd/system/e2guardian.service
-	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
+	$SED "s?^After=.*?After=network.target chilli.service?g" /etc/systemd/system/e2guardian.service
-	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
 # Adapt the main conf file
+	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
 # French deny HTML page
 	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
 # 2 filtergroups (8080 & 8090)
 	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
 # Listen on 8080 (HTTP for BL users) only on LAN side
 ##                     Function "antivirus"                     ##
 ## - Set the parameters of clamav and freshclam                 ##
 ##################################################################
 antivirus()
+{
-# Clamd adaptation to e2guardian
+# Clamd unit adaptation to e2guardian
-[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
+	cp /lib/systemd/system/clamav-daemon.service /etc/systemd/system/clamav-daemon.service
-	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
+	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /etc/systemd/system/clamav-daemon.service
-	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
+	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /etc/systemd/system/clamav-daemon.service
-[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
+	cp /lib/systemd/system/clamav-daemon.socket /etc/systemd/system/clamav-daemon.socket
-	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
+	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
-	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
+	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
+# Clamd conf adaptation to e2guardian
 [ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
 	$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
 	$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
 	$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
 	$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
 # Three instances of ulogd (three different logfiles)
 	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
 	nl=1
 	for log_type in traceability ssh ext-access
 	do
-		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
+		cp -f /lib/systemd/system/ulogd.service /etc/systemd/system/ulogd-$log_type.service
 		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
 		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
 		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
 		cat << EOF >> /etc/ulogd-$log_type.conf
 [emu1]
 file="/var/log/firewall/$log_type.log"
 sync=1
 EOF
-		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
+		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /etc/systemd/system/ulogd-$log_type.service
 		nl=`expr $nl + 1`
 	done
 	chown -R root:apache /var/log/firewall
 	chmod 750 /var/log/firewall
 	chmod 640 /var/log/firewall/*
 nfsen()
+{
 	groupadd -f nfcapd
 	id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
 # nfcapd unit for systemd
-	cat << EOF > /lib/systemd/system/nfcapd.service
+	cat << EOF > /etc/systemd/system/nfcapd.service
 #  This file is part of systemd.
+#
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU General Public License as published by
 #  the Free Software Foundation; either version 2 of the License, or
 	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
 	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
 	$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf
 	# vnstat-dashboard
 	$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
-	[ -e /lib/systemd/system/vnstat.service.default ] || cp /lib/systemd/system/vnstat.service /lib/systemd/system/vnstat.service.default
+	cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
-	$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /lib/systemd/system/vnstat.service
+	$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
 } # End of vnstat()
 ###################################################################
 ##                     Function "dnsmasq"                        ##
 ## - creation of the conf files of dnsmasq (whitelist for ipset )##
 filterwin2k
 ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
 server=$DNS1
 server=$DNS2
 EOF
-	# Create dnsmasq-whitelist unit
+	# Don't run dnsmasq service. Create dnsmasq-whitelist unit
-	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
+	systemctl disable dnsmasq.service
-	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
+	cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
-	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
+	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
-	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
+	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
 } # End of dnsmasq()
 #########################################################
 ##              Function "unbound"                     ##
 ## - create the conf files for 4 unbound services      ##
 	include: /etc/unbound/conf.d/common/local-forward/*
 	include: /etc/unbound/conf.d/common/local-dns/*
 	include: /etc/unbound/conf.d/blackhole/*
 EOF
-	if [ ! -e /lib/systemd/system/unbound.service.default ]
-	then
-		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
+	cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
-	fi
-	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
+	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
-	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
+	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
 	for list in blacklist blackhole whitelist
 	do
-		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
+		cp -f /lib/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service
-		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
+		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service
-		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
+		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service
 	done
-	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
+	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
 } # End of unbound()
 ##################################################
 ##              Function "dhcpd"                ##
 ##################################################
 	[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
 	chmod 644 /var/log/fail2ban.log
 	chmod 644 $DIR_SAVE/security/watchdog.log
 	/usr/bin/touch /var/log/auth.log
 # fail2ban unit
-[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
+cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
-$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
+$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
-$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
+$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
-$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
+$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
 } # End of fail2ban()
 #########################################################
 ##                   Fonction "gammu_smsd"             ##
 ## - Creating of SMS management database               ##
 CheckBattery = 0
 EOF
 	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
 # Create the systemd unit
-	cat << EOF > /lib/systemd/system/gammu-smsd.service
+	cat << EOF > /etc/systemd/system/gammu-smsd.service
 [Unit]
 Description=SMS daemon for Gammu
 Documentation=man:gammu-smsd(1)
 After=network.target mysql.service
 	for dir in firewall e2guardian lighttpd
 	do
 		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
 	done
 # create the alcasar-load_balancing unit
-	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
+	cat << EOF > /etc/systemd/system/alcasar-load_balancing.service
 #  This file is part of systemd.
+#
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU General Public License as published by
 #  the Free Software Foundation; either version 2 of the License, or
 	-\? | -h* | --h*)
 		echo "$usage"
 		exit 0
 		;;
 	-i | --install)
-		for func in license testing_system
+		for func in license testing_system testing_network
 		do
 			header_install
 			$func
 			if [ $DEBUG_ALCASAR == "on" ]
 			then
 				then echo "#### Installation avec mise à jour ####";
 				else echo "#### Installation with update     ####";
 			fi
 			mode="update"
 		fi
-		for func in testing_network init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
+		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
 		do
 			$func
 			if [ $DEBUG_ALCASAR == "on" ]
 			then
 				echo "*** 'debug' : end of function '$func' ***"

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 2933 → 2937