| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-archive.sh 1909 2016-05-24 08:38:21Z raphael.pion $
|
2 |
# $Id: alcasar-archive.sh 2454 2017-12-09 18:59:31Z tom.houdayer $
|
| 3 |
|
3 |
|
| 4 |
# alcasar-archive.sh
|
4 |
# alcasar-archive.sh
|
| 5 |
# by Franck BOUIJOUX and REXY
|
5 |
# by Franck BOUIJOUX and REXY
|
| 6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
| 7 |
|
7 |
|
| 8 |
# Script permettant
|
8 |
# Script permettant
|
| 9 |
# - d'exporter dans un seul fichier les logs de traçabilités et la base des usagers (à des fins d'archivages).
|
9 |
# - d'exporter dans un seul fichier les logs de traçabilités et la base des usagers (à des fins d'archivages).
|
| 10 |
# - Une fonction de chiffrement des logs a été implémentée dans ce script. Lisez la documentation d'exploitation pour l'activer.
|
10 |
# - Une fonction de chiffrement des logs a été implémentée dans ce script. Lisez la documentation d'exploitation pour l'activer.
|
| 11 |
# - nettoyage des archives supérieures à 1 an (365 jours)
|
11 |
# - nettoyage des archives supérieures à 1 an (365 jours)
|
| 12 |
|
12 |
|
| 13 |
# This script allows
|
13 |
# This script allows
|
| 14 |
# - export in one file the log files and user's base (in order to archive them).
|
14 |
# - export in one file the log files and user's base (in order to archive them).
|
| 15 |
# - a cypher fonction allows to protect these files. Read the exploitation documentation to enable it.
|
15 |
# - a cypher fonction allows to protect these files. Read the exploitation documentation to enable it.
|
| 16 |
# - delete backup files older than one year (365 days)
|
16 |
# - delete backup files older than one year (365 days)
|
| 17 |
|
17 |
|
| 18 |
DIR_SAVE="/var/Save" # répertoire accessible par webs
|
18 |
DIR_SAVE="/var/Save" # répertoire accessible par webs
|
| 19 |
DIR_LOG="/var/log" # répertoire local des log
|
19 |
DIR_LOG="/var/log" # répertoire local des log
|
| 20 |
|
20 |
|
| 21 |
#DIR_SERVICE="squid httpd firewall" # répertoires contenant des logs utiles à exporter
|
21 |
#DIR_SERVICE="squid httpd firewall" # répertoires contenant des logs utiles à exporter
|
| 22 |
DIR_BASE="$DIR_SAVE/base" # répertoire de sauvegarde de la base de données usagers
|
22 |
DIR_BASE="$DIR_SAVE/base" # répertoire de sauvegarde de la base de données usagers
|
| 23 |
DIR_ARCHIVE="$DIR_SAVE/archive" # répertoire de sauvegarde des archives de log
|
23 |
DIR_ARCHIVE="$DIR_SAVE/archive" # répertoire de sauvegarde des archives de log
|
| 24 |
NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment
|
24 |
NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment
|
| 25 |
DIR_TMP="/tmp/traceability-$NOW" # Répertoire temporaire d'export
|
25 |
DIR_TMP="/tmp/traceability-$NOW" # Répertoire temporaire d'export
|
| 26 |
FILE="traceability-$NOW.tar.gz" # Nom du fichier de l'archive
|
26 |
FILE="traceability-$NOW.tar.gz" # Nom du fichier de l'archive
|
| 27 |
EXPIRE_DAY=365 # Nbre de jour avant suppression des fichiers journaux
|
27 |
EXPIRE_DAY=365 # Nbre de jour avant suppression des fichiers journaux
|
| 28 |
CRYPT="0" # chiffrement des logs ( 0=non / 1=oui) --> Si oui alors la signature est automatiquement activée
|
28 |
CRYPT="0" # chiffrement des logs ( 0=non / 1=oui) --> Si oui alors la signature est automatiquement activée
|
| 29 |
# log files encryption ( 0=no / 1=yes) --> if yes, the signature is automaticly enabled
|
29 |
# log files encryption ( 0=no / 1=yes) --> if yes, the signature is automaticly enabled
|
| 30 |
SIGN="0" # Signature/empreinte des logs ( 0=non / 1=oui ) ATTENTION : nécessite la clé privée !!!
|
30 |
SIGN="0" # Signature/empreinte des logs ( 0=non / 1=oui ) ATTENTION : nécessite la clé privée !!!
|
| 31 |
# Signature of log files ( 0=no / 1=yes ) ATTENTION : need the private key !!!
|
31 |
# Signature of log files ( 0=no / 1=yes ) ATTENTION : need the private key !!!
|
| 32 |
GPG_USER="" # utilisateur autorisé à déchiffrer les logs. Sa clé publique doit être connu dans le portefeuille gnupg de root (/root/.gnupg)
|
32 |
GPG_USER="" # utilisateur autorisé à déchiffrer les logs. Sa clé publique doit être connu dans le portefeuille gnupg de root (/root/.gnupg)
|
| 33 |
# user allowed to decrypt the log files. Its public key must be known in the root keyring (/root/.gnupg)
|
33 |
# user allowed to decrypt the log files. Its public key must be known in the root keyring (/root/.gnupg)
|
| 34 |
|
34 |
|
| 35 |
usage="Usage: alcasar-archive.sh {--live or -l} | {--now or -n} | {--clean or -c}"
|
35 |
usage="Usage: alcasar-archive.sh {--live or -l} | {--now or -n} | {--clean or -c}"
|
| 36 |
|
36 |
|
| Line 42... |
Line 42... |
| 42 |
args="-h"
|
42 |
args="-h"
|
| 43 |
fi
|
43 |
fi
|
| 44 |
|
44 |
|
| 45 |
|
45 |
|
| 46 |
function cleanup() {
|
46 |
function cleanup() {
|
| 47 |
# Nettoyage des fichiers archives
|
47 |
# Nettoyage des fichiers archives
|
| 48 |
cd $DIR_SAVE
|
48 |
cd $DIR_SAVE
|
| 49 |
find . \( -mtime +$EXPIRE_DAY \) -a \( -name '*.gz' -o -name '*.sql' -o -name '' -o -name 'gpg' \) -exec rm -f {} \;
|
49 |
find . \( -mtime +$EXPIRE_DAY \) -a \( -name '*.gz' -o -name '*.sql' -o -name '' -o -name 'gpg' \) -exec rm -f {} \;
|
| 50 |
} # end function cleanup
|
50 |
} # end function cleanup
|
| 51 |
|
51 |
|
| 52 |
|
52 |
|
| 53 |
function crypt() {
|
53 |
function crypt() {
|
| 54 |
# Chiffrement des logs dans /var/Save/
|
54 |
# Chiffrement des logs dans /var/Save/
|
| 55 |
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*log-*.gz' \) -exec gpg --output $DIR_ARCHIVE/$file/{}.gpg --encrypt --recipient $GPG_USER {} \;
|
55 |
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*log-*.gz' \) -exec gpg --output $DIR_ARCHIVE/$file/{}.gpg --encrypt --recipient $GPG_USER {} \;
|
| 56 |
} # end function crypt
|
56 |
} # end function crypt
|
| 57 |
|
57 |
|
| 58 |
function archive() {
|
58 |
function archive() {
|
| 59 |
mkdir -p $DIR_ARCHIVE
|
59 |
mkdir -p $DIR_ARCHIVE
|
| 60 |
mkdir -p $DIR_TMP
|
60 |
mkdir -p $DIR_TMP
|
| 61 |
nb_files=`ls $DIR_LOG/firewall/traceability.log*.gz 2>/dev/null | wc -w`
|
61 |
nb_files=`ls $DIR_LOG/firewall/traceability.log*.gz 2>/dev/null | wc -w`
|
| 62 |
if [ $nb_files -ne 0 ]; then
|
62 |
if [ $nb_files -ne 0 ]; then
|
| 63 |
mv $(echo $(ls -rt $DIR_LOG/firewall/traceability.log*.gz | tail -n 1 -)) $DIR_TMP/traceability-HTTP-$NOW.gz
|
63 |
mv $(echo $(ls -rt $DIR_LOG/firewall/traceability.log*.gz | tail -n 1 -)) $DIR_TMP/traceability-HTTP-$NOW.gz
|
| 64 |
fi
|
64 |
fi
|
| 65 |
nb_files=`ls $DIR_BASE/alcasar-users-database-*.sql.gz 2>/dev/null | wc -w`
|
65 |
nb_files=`ls $DIR_BASE/alcasar-users-database-*.sql.gz 2>/dev/null | wc -w`
|
| 66 |
if [ $nb_files -ne 0 ]; then
|
66 |
if [ $nb_files -ne 0 ]; then
|
| 67 |
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) $DIR_TMP/
|
67 |
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) $DIR_TMP/
|
| 68 |
fi
|
68 |
fi
|
| 69 |
cd /var/log/nfsen/profiles-data/live/alcasar_netflow
|
69 |
cd /var/log/nfsen/profiles-data/live/alcasar_netflow
|
| 70 |
nb_files=`find . -mtime -7 -name 'nfcapd.[0-9]*' | wc -l`
|
70 |
nb_files=`find . -mtime -7 -name 'nfcapd.[0-9]*' | wc -l`
|
| 71 |
if [ $nb_files -ne 0 ]; then
|
71 |
if [ $nb_files -ne 0 ]; then
|
| 72 |
find . -mtime -7 -name 'nfcapd.[0-9]*' | xargs tar -cf $DIR_TMP/traceability-ALL-$NOW.tar;
|
72 |
find . -mtime -7 -name 'nfcapd.[0-9]*' | xargs tar -cf $DIR_TMP/traceability-ALL-$NOW.tar;
|
| 73 |
fi
|
73 |
fi
|
| 74 |
cd /tmp/
|
74 |
cd /tmp/
|
| 75 |
nb_files=`ls traceability-$NOW/* 2>/dev/null | wc -w`
|
75 |
nb_files=`ls traceability-$NOW/* 2>/dev/null | wc -w`
|
| 76 |
if [ $nb_files -ne 0 ]; then
|
76 |
if [ $nb_files -ne 0 ]; then
|
| 77 |
tar cvzf /tmp/$FILE traceability-$NOW/*
|
77 |
tar cvzf /tmp/$FILE traceability-$NOW/*
|
| 78 |
else echo "no file to archive"
|
78 |
else echo "no file to archive"
|
| 79 |
fi
|
79 |
fi
|
| 80 |
} # end archive
|
80 |
} # end archive
|
| 81 |
|
81 |
|
| 82 |
# Core script
|
82 |
# Core script
|
| 83 |
case $args in
|
83 |
case $args in
|
| 84 |
-\? | -h* | --h*)
|
84 |
-\? | -h* | --h*)
|
| 85 |
echo "$usage"
|
85 |
echo "$usage"
|
| 86 |
exit 0
|
86 |
exit 0
|
| 87 |
;;
|
87 |
;;
|
| Line 96... |
Line 96... |
| 96 |
# make an archive
|
96 |
# make an archive
|
| 97 |
archive
|
97 |
archive
|
| 98 |
# Saving of the database
|
98 |
# Saving of the database
|
| 99 |
/usr/local/bin/alcasar-mysql.sh --dump
|
99 |
/usr/local/bin/alcasar-mysql.sh --dump
|
| 100 |
# Encryption of the archive
|
100 |
# Encryption of the archive
|
| 101 |
if [ -e /tmp/$FILE ]; then
|
101 |
if [ -e /tmp/$FILE ]; then
|
| 102 |
if [ $CRYPT -eq "1" ]; then
|
102 |
if [ $CRYPT -eq "1" ]; then
|
| 103 |
{
|
103 |
{
|
| 104 |
# 1 ) chiffrement/signature =1 ==> gpg --encrypt avec test de la clé présente
|
104 |
# 1 ) chiffrement/signature =1 ==> gpg --encrypt avec test de la clé présente
|
| 105 |
gpg --output $DIR_ARCHIVE/$FILE-crypt.gpg --armor --encrypt --recipient $GPG_USER /tmp/$FILE
|
105 |
gpg --output $DIR_ARCHIVE/$FILE-crypt.gpg --armor --encrypt --recipient $GPG_USER /tmp/$FILE
|
| 106 |
}
|
106 |
}
|
| 107 |
elif [ $SIGN -eq "1" ]; then
|
107 |
elif [ $SIGN -eq "1" ]; then
|
| 108 |
{
|
108 |
{
|
| 109 |
# 2) signature = 1 Chiffrement = 0 --> gpg --encrypt idem test de la clé présente
|
109 |
# 2) signature = 1 Chiffrement = 0 --> gpg --encrypt idem test de la clé présente
|
| 110 |
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER /tmp/$FILE
|
110 |
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER /tmp/$FILE
|
| 111 |
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER --detach-sign /tmp/$FILE
|
111 |
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER --detach-sign /tmp/$FILE
|
| 112 |
}
|
112 |
}
|
| 113 |
else
|
113 |
else
|
| 114 |
{
|
114 |
{
|
| 115 |
# 3) chiffrement/signature = 0 --> cp simple avec suppression des droits d'écriture
|
115 |
# 3) chiffrement/signature = 0 --> cp simple avec suppression des droits d'écriture
|
| 116 |
cp /tmp/$FILE $DIR_ARCHIVE/.
|
116 |
cp /tmp/$FILE $DIR_ARCHIVE/.
|
| Line 120... |
Line 120... |
| 120 |
rm -rf /tmp/traceability-*
|
120 |
rm -rf /tmp/traceability-*
|
| 121 |
chown root:apache $DIR_ARCHIVE/*
|
121 |
chown root:apache $DIR_ARCHIVE/*
|
| 122 |
;;
|
122 |
;;
|
| 123 |
--live | -l)
|
123 |
--live | -l)
|
| 124 |
mkdir -p $DIR_ARCHIVE
|
124 |
mkdir -p $DIR_ARCHIVE
|
| 125 |
mkdir -p /tmp/live
|
125 |
mkdir -p /tmp/live
|
| 126 |
gap=7
|
126 |
gap=7
|
| 127 |
cd /var/log/nfsen/profiles-data/live/alcasar_netflow
|
127 |
cd /var/log/nfsen/profiles-data/live/alcasar_netflow
|
| 128 |
find . -mtime -$gap -name 'nfcapd.[0-9]*' | xargs tar -cf /tmp/live/traceability-ALL-$NOW.tar;
|
128 |
find . -mtime -$gap -name 'nfcapd.[0-9]*' | xargs tar -cf /tmp/live/traceability-ALL-$NOW.tar;
|
| 129 |
# Saving of the database
|
129 |
# Saving of the database
|
| 130 |
/usr/local/bin/alcasar-mysql.sh --dump
|
130 |
/usr/local/bin/alcasar-mysql.sh --dump
|
| 131 |
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) /tmp/live/
|
131 |
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) /tmp/live/
|
| 132 |
cp /var/log/firewall/traceability.log /tmp/live/traceability-HTTP-$NOW.log
|
132 |
cp /var/log/firewall/traceability.log /tmp/live/traceability-HTTP-$NOW.log
|
| 133 |
tar -czf $DIR_ARCHIVE/traceability-$NOW.tar.gz /tmp/live/*
|
133 |
tar -czf $DIR_ARCHIVE/traceability-$NOW.tar.gz /tmp/live/*
|