authorramon <ramongomez@us.es>2016-09-23 11:49:08 +0000
committerramon <ramongomez@us.es>2016-09-23 11:49:08 +0000
commit3e7d77bcb994ac729b36133becfd0db9e54c49cd (patch)
treebe83e559a332a4901deb0c7cb87f87e47648ffde /server/lib
parent8fc7ce11e115961476d6113db3ba7fd46a70b46d (diff)
#736: Revertir movimiento de fichero de revisión r5011 y modificar instalador y actualizador para copiar el contenido del directorio {{{server/lib}}} al servidor.
git-svn-id: https://opengnsys.es/svn/branches/version1.1@5014 a21b9725-9963-47de-94b9-378ad31fedc9
Diffstat (limited to 'server/lib')
-rwxr-xr-xserver/lib/security-config86
1 files changed, 86 insertions, 0 deletions
diff --git a/server/lib/security-config b/server/lib/security-config
new file mode 100755
index 00000000..eb8bf5cf
--- /dev/null
+++ b/server/lib/security-config
@@ -0,0 +1,86 @@
+#!/bin/bash
+#/**
+#@file security-config
+#@brief OpenGnsys Server security configuration.
+#@note Security configuration tipsx for UFW, FirewallD and SELinux.
+#@version 1.1.0 - Initial version.
+#@author Ramón M. Gómez, ETSII Univ. Sevilla
+#@date 2016-04-18
+#*/ ##
+
+
+# Variables.
+PROG=$(basename "$0")
+OPENGNSYS=/opt/opengnsys
+# Errors control.
+if [ "$USER" != "root" ]; then
+ echo "$PROG: Need to be root." >&2
+ exit 1
+fi
+
+# UFW configuration.
+if which ufw 2>/dev/null; then
+ # Adding active services.
+ ufw allow "Apache Secure"
+ ufw allow OpenSSH
+ ufw allow Samba
+ ufw allow mysql
+ ufw allow rsync
+ ufw allow tftp
+ ufw allow 67,68/udp # DHCP
+ ufw allow 2002,2008/tcp # OpenGnsys services
+ ufw allow 9000:9051/udp # Multicast
+ ufw allow 6881:6999/udp # BitTorrent
+ # Applying configuration.
+ ufw enable
+# FirewallD configuration.
+elif which firewall-cmd 2>/dev/null; then
+ # Defining OpenGnsys services.
+ python -c "
+import firewall.core.io.service as ios
+s=ios.Service()
+s.short = 'OpenGnsys Server'
+s.name = 'ogAdmServer'
+s.ports = [('2008', 'tcp')]
+ios.service_writer(s, '/etc/firewalld/services')
+s.short = 'OpenGnsys Repository'
+s.name = 'ogAdmRepo'
+s.ports = [('2002', 'tcp')]
+ios.service_writer(s, '/etc/firewalld/services')"
+ # Adding active services.
+ firewall-cmd --permanent --add-service=dhcp
+ firewall-cmd --permanent --add-service=https
+ firewall-cmd --permanent --add-service=mysql --zone internal
+ firewall-cmd --permanent --add-service=ogAdmRepo
+ firewall-cmd --permanent --add-service=ogAdmServer
+ # Ubuntu 14.04 does not define "rsyncd" service.
+ firewall-cmd --permanent --add-service=rsyncd || \
+ firewall-cmd --permanent --add-port=873/tcp
+ firewall-cmd --permanent --add-service=samba
+ firewall-cmd --permanent --add-service=ssh
+ firewall-cmd --permanent --add-service=tftp
+ # Adding Multicast ports.
+ firewall-cmd --permanent --add-port=9000-9051/udp
+ # Adding BitTorent ports.
+ firewall-cmd --permanent --add-port=6881-6999/udp
+ # Applying configuration.
+ firewall-cmd --reload
+else
+ echo "$PROG: Warning: Firewall won't be configured (neither ufw or firewalld are installed)."
+fi
+
+# SELinux configuration.
+if which setsebool 2>/dev/null; then
+ # Configuring Apache.
+ setsebool -P httpd_can_connect_ldap on
+ semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
+ # Configuring Samba.
+ setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
+ semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
+ semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
+ # Applying configuration.
+ restorecon -R $OPENGNSYS
+else
+ echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
+fi
+
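Review bot: The root check at the top of the hunk trusts the `USER` environment variable, which is unset in some non-interactive contexts (cron, some `su`/`sudo` configurations) and is freely settable by the caller; compare the effective uid instead, `if [ "$(id -u)" -ne 0 ]; then`. In the firewall section the ufw branch opens `mysql` on every interface while the firewalld branch confines it to `--zone internal`, so the two backends end up with different exposure — either narrow the ufw rule to the management network (for example `ufw allow from LAN_CIDR_PLACEHOLDER to any port 3306 proto tcp`, with the network passed in rather than hard-coded) or explain in a comment why ufw gets the wider rule; also `ufw enable` prompts for confirmation, so an unattended installer needs `ufw --force enable`. In the SELinux section `setsebool -P samba_export_all_ro=1 samba_export_all_rw=1` lets Samba read and write every file on the system, which makes the `samba_share_t` labelling of `client` and `images` on the following lines redundant and is broader than the installer needs; dropping the `samba_export_all_rw` boolean (and arguably `_ro`) keeps exports limited to the labelled paths. The `which setsebool` test also does not guarantee that `semanage` is installed (it ships in a separate package on some Enterprise Linux releases), so guard the `fcontext` calls with `command -v semanage >/dev/null 2>&1 || ...`, and `tipsx` in the header comment is a typo for `tips`.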