Good : full update

Hubert Cornet 2025-04-25 08:46:09 +02:00
parent f9723e6b9c
commit 193689ed13
64 changed files with 6 additions and 2674 deletions


@ -1,66 +0,0 @@
#!/bin/bash
# get load averages
IFS=" " read LOAD1 LOAD5 LOAD15 <<<$(awk '{ print $1,$2,$3 }' /proc/loadavg)
# get free memory
IFS=" " read USED AVAIL TOTAL <<<$(free -htm | awk '/Mem/ { print $3,$7,$2 }')
# get processes
PROCESS=$(ps -eo user=|sort|uniq -c | awk '{ print $2 " " $1 }')
PROCESS_ALL=$(echo "$PROCESS"| awk {'print $2'} | awk '{ SUM += $1} END { print SUM }')
PROCESS_ROOT=$(echo "$PROCESS" | awk '/root/ { print $2}')
PROCESS_USER=$(echo "$PROCESS" | awk '!/root/ { SUM += $2} END { print SUM }')
# get processors
PROCESSOR_NAME=$(awk -F": " '/model name/ { print $2 }' /proc/cpuinfo | head -1)
PROCESSOR_COUNT=$(grep -ioPc 'processor\t:' /proc/cpuinfo)
# colors
W="\e[0;39m"
G="\e[1;32m"
R="\e[1;31m"
dim="\e[2m"
undim="\e[0m"
echo -e "${W}System info:
$W Hostname$dim····$undim: $W${HOSTNAME}
$W Distro$dim······$undim: $W$(grep "PRETTY_NAME" /etc/*release | cut -d "=" -f 2- | sed 's/"//g')
$W Kernel$dim······$undim: $W$(uname -sr)
$W Uptime$dim······$undim: $W$(uptime -p)
$W Load$dim········$undim: $G$LOAD1$W (1m), $G$LOAD5$W (5m), $G$LOAD15$W (15m)
$W Processes$dim···$undim: $G$PROCESS_ROOT$W (root), $G$PROCESS_USER$W (user), $G$PROCESS_ALL$W (total)
$W CPU$dim·········$undim: $W$PROCESSOR_NAME ($G$PROCESSOR_COUNT$W vCPU)
$W Memory$dim······$undim: $G$USED$W used, $G$AVAIL$W avail, $G$TOTAL$W total"
# config
max_usage=90
bar_width=50
# disk usage: ignore zfs, squashfs & tmpfs
printf "\nDisk usage:\n"
while read line; do
# get disk usage
usage=$(echo "$line" | awk '{print $2}' | sed 's/%//')
used_width=$((($usage*$bar_width)/100))
# color is green if usage < max_usage, else red
if [ "${usage}" -ge "${max_usage}" ]; then
color=$R
else
color=$G
fi
# print green/red bar until used_width
bar="[${color}"
for ((i=0; i<$used_width; i++)); do
bar+="="
done
# print dimmmed bar until end
bar+="${W}${dim}"
for ((i=$used_width; i<$bar_width; i++)); do
bar+="·"
done
bar+="${undim}]"
# print usage line & bar
echo "${line}" | awk '{ printf("%-31s%+3s used out of %+4s\n", $1, $2, $3); }' | sed -e 's/^/ /'
echo -e "${bar}" | sed -e 's/^/ /'
done < <(df -H -x zfs -x squashfs -x tmpfs -x devtmpfs -x overlay -x nfs -x nfs4 -x cifs --output=target,pcent,size | tail -n+2)
printf "\n"


@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQA


@ -1,25 +0,0 @@
_______ _
|__ __| (_)
| | __ _ _ __ _ ___
| |/ _` | '_ \| / __|
| | (_| | |_) | \__ \
|_|\__,_| .__/|_|___/
_____ | |_ _ __ __ _
/ ____| |_(_) | | | \/ | | |
| (___ __ _ _ _ __ | |_ __ | \ / | __ _ ___| | ___ _ _
\___ \ / _` | | '_ \| __||__|| |\/| |/ _` |/ __| |/ _ \| | | |
____) | (_| | | | | | |_ | | | | (_| | (__| | (_) | |_| |
|_____/ \__,_|_|_| |_|\__| |_| |_|\__,_|\___|_|\___/ \__,_|
AVERTISSEMENT : L'accès à ce système est réservé aux utilisateurs
dûment autorisés.
Toute tentative d'accès, d'accès à ce système sans autorisation ou
de maintien frauduleux dans ce système fera l'objet de poursuites
conformément à la politique de Tapis-Saint-Maclou.
Tout utilisateur autorisé est informé et reconnaît que ses actions
peuvent être enregistrées, conservées et auditées conformément aux
chartes/politiques internes de aux chartes/politiques internes de
Tapis-Saint-Maclou.


@ -1,98 +0,0 @@
#!/bin/sh
# Pour la configuration du ssh
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 01-ssh"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Controle des persmissions"
echo "${NOCOLOR}"
check_permissions
echo "${YELLOW} * ${NOCOLOR} Controle des persmissions : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Controle des pre requis"
echo "${NOCOLOR}"
check_requirements
echo "${YELLOW} * ${NOCOLOR} Controle des pre requis : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Sauvegarde ancien fichiers"
echo "${NOCOLOR}"
backup_files
echo "${YELLOW} * ${NOCOLOR} Sauvegarde ancien fichiers : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Update du systeme"
echo "${NOCOLOR}"
update_system
echo "${YELLOW} * ${NOCOLOR} Update du systeme : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : authorized_keys"
echo "${NOCOLOR}"
cp 01-ssh/authorized_keys /root/.ssh/authorized_keys >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : authorized_keys : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie des fichiers : ssh"
echo "${NOCOLOR}"
cp 01-ssh/ssh_config /etc/ssh/ssh_config >> /dev/null
cp 01-ssh/sshd_config /etc/ssh/sshd_config >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie des fichiers : ssh : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : banner"
echo "${NOCOLOR}"
cp 01-ssh/banner /etc/banner >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : banner : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : 00-basic"
echo "${NOCOLOR}"
cp 01-ssh/00-basic /etc/update-motd.d/00-basic >> /dev/null
chmod +x /etc/update-motd.d/00-basic >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : 00-basic : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Création du lien synbolique"
echo "${NOCOLOR}"
mkdir -p /etc/ssh/authorized_keys/ >> /dev/null
cd /etc/ssh/authorized_keys/ >> /dev/null
ln -s /root/.ssh/authorized_keys root >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Création du lien synbolique : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Relance du service sshd"
echo "${NOCOLOR}"
systemctl restart sshd >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Relance du service sshd : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 01-ssh"
echo "${NOCOLOR}"


@ -1,53 +0,0 @@
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Include /etc/ssh/ssh_config.d/*.conf
Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes


@ -1,124 +0,0 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
MaxAuthTries 3
MaxSessions 5
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
Banner /etc/banner
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server


@ -1,3 +0,0 @@
Acquire::http::proxy "http://serv-proxy.fr.dgs.group:3128";
Acquire::https::proxy "http://serv-proxy.fr.dgs.group:3128";
Acquire::ftp::proxy "http://serv-proxy.fr.dgs.group:3128";


@ -1,36 +0,0 @@
#!/bin/sh
# Pour la configuration de l'APT d'utiliser le proxy
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 02-apt"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : 02proxy"
echo "${NOCOLOR}"
cp 02-apt/02proxy /etc/apt/apt.conf.d/02proxy >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : 02proxy : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Référence update"
echo "${NOCOLOR}"
apt update >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Référence update : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Mise à jour"
echo "${NOCOLOR}"
apt full-upgrade -y >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Mise à jour : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 02-apt"
echo "${NOCOLOR}"


@ -1,2 +0,0 @@
--distribution-id 896dc20f132a45369e53e479b245d244
--distribution-server https://distributions.traps.paloaltonetworks.com/


@ -1,44 +0,0 @@
#!/bin/sh
# Pour installer Cortex sur un serveur Debian
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 03-cortex"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Création du dossier"
echo "${NOCOLOR}"
mkdir -p /etc/panw >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Création du dossier : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : cortex.conf"
echo "${NOCOLOR}"
cp 03-cortex/etc/panw/cortex.conf /etc/panw/cortex.conf >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : cortex.conf : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation iptables"
echo "${NOCOLOR}"
apt install -y iptables >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Installation iptables : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation Cortex"
echo "${NOCOLOR}"
dpkg -i 03-cortex/cortex-8.7.0.131661.deb
echo "${YELLOW} * ${NOCOLOR} Installation Cortex : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 03-cortex"
echo "${NOCOLOR}"


@ -1,48 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDojCCAoqgAwIBAgIQM71UEU7HOKBCy4ZKr6IUQjANBgkqhkiG9w0BAQsFADBQ
MRUwEwYKCZImiZPyLGQBGRYFZ3JvdXAxEzARBgoJkiaJk/IsZAEZFgNkZ3MxEjAQ
BgoJkiaJk/IsZAEZFgJmcjEOMAwGA1UEAxMFZnItQ0EwHhcNMjIwMzE2MDkyMzEz
WhcNMzIwMzE2MDkzMzEyWjBQMRUwEwYKCZImiZPyLGQBGRYFZ3JvdXAxEzARBgoJ
kiaJk/IsZAEZFgNkZ3MxEjAQBgoJkiaJk/IsZAEZFgJmcjEOMAwGA1UEAxMFZnIt
Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMpNPLuf+6HONRTnTv
R3DYPnmu3mal/L3FQTedkSPq0Ht+ucY9dJMaIVLtbm6boC9+8miNW2nndEn0Ny2k
DKs5PAUUxNVb8FNRF0j8j4ltVbD6fPvtNhGUclyV10++4VLLKOll9WAcqopu9box
CvmlIgJUK4yet3A8SPHcYwyIoFPIzlCkKLCJRT4exD2t+oiMhBbHZKIBjp659Zxy
XQMj9yV2piUw3+70KiyCuFiSScp7kLqyQC6nFPGb+D1ixXJV5p5auOpS0l2henKG
jlzqpnblunoX5TTfrQoXykAUAwOls3/3kwo7oxKmjG7zbLj+O7nvk7AxXgwfbXT/
MW4xAgMBAAGjeDB2MAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
DgQWBBRas1Zc/+1piP2D1Rl9bSWFlamEEjASBgkrBgEEAYI3FQEEBQIDAgACMCMG
CSsGAQQBgjcVAgQWBBR2qW7vDPnF71yDtFU+OQ8B6zFSTDANBgkqhkiG9w0BAQsF
AAOCAQEAZCWITXnbPNOb7Vk39BYexrm0aufKsDj1L5H4P45P2V9RuSEsx+xi6sEu
mrgqnO7KqGG1T64xUbQ7Uv+SzZrP47Zsuov4hNGbEbSH7X+gXHPDMD/G6fOgubpj
boBEnnjOKXXKdskL1Zn6ntQfUA1JC67OxX9kdzgtzaJnkPCm9PuZ1swj3tm61xDv
1h9hQ+wVaZEPSrjSI6kPu/O25WaHeHkFbbwH/MWHi36Z3Mlm9qzQCrWeDUqLnMUM
aPdfxkaS+G92Rgb/RS6g1AJdPWwZTjVVJDf+qY3v6NNgjdRZKP6z2QID+8UhxcG0
7wdLPp2QNon+RCXITakOlyPx6LxbEQ==
-----END CERTIFICATE-----


@ -1,54 +0,0 @@
#!/bin/sh
# Pour install l'agent GLPI
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 04-glpi"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Déclaration du proxy"
echo "${NOCOLOR}"
export http_proxy='http://serv-proxy.fr.dgs.group:3128'
export https_proxy='http://serv-proxy.fr.dgs.group:3128'
export ftp_proxy='http://serv-proxy.fr.dgs.group:3128'
echo "${YELLOW} * ${NOCOLOR} Déclaration du proxy : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation Wget"
echo "${NOCOLOR}"
apt install -y wget >> /dev/null
echo "${YELLOW} * ${NOCOLOR}Installation Wget : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie du certificat"
echo "${NOCOLOR}"
cp 04-agent-glpi/root-ca.cer /etc/ssl/certs/root-ca.cer >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie du certificat : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Telechargement de l'installer"
echo "${NOCOLOR}"
wget https://github.com/glpi-project/glpi-agent/releases/download/1.11/glpi-agent-1.11-linux-installer.pl >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Telechargement de l'installer : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation"
echo "${NOCOLOR}"
perl glpi-agent-1.11-linux-installer.pl --reinstall -s "https://glpi.fr.dgs.group/marketplace/glpiinventory/" -t "ServeurProd" --ca-cert-file=/etc/ssl/certs/root-ca.cer --type=all -v >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Installation : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 04-glpi"
echo "${NOCOLOR}"


@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDqzCCApOgAwIBAgIIX4tkL0r71OIwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UE
BhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQLDAxNYW5hZ2VFbmdpbmUxGTAXBgNV
BAoMEFpvaG8gQ29ycG9yYXRpb24xFzAVBgNVBAMMDk1hbmFnZUVuZ2luZUNBMCAX
DTIzMTEyNzA5NDU1MloYDzIxMjMxMTI3MDk0NTUyWjBlMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExFTATBgNVBAsMDE1hbmFnZUVuZ2luZTEZMBcGA1UECgwQWm9o
byBDb3Jwb3JhdGlvbjEXMBUGA1UEAwwOTWFuYWdlRW5naW5lQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYtJmarYc7ha7LbrwE5BlOlGP1zzzZcOTn
oglnnAg898yx+AOc0sjIf55OFESU919nqqD1+tyZ6GmuFtNhDhrM7znLLMECMjbC
CvvJHcoXZ3iO/gSjhiXfQuKiU1vvRjfz/+9A+76PW+Y4gM0BGe+z68L/dHYaZ5ys
NwOwtDDR55eM1c0K0AUNkQuQd9wgP/T25N2e5HpY/2gLDUTzZuAdd3ytjpMvtDwV
5jFp2SXa37sguMlWf1nMvEmp+U+JteYRWMHjFkA3jnd46vTwcU7dxt2XE7hfkpKZ
9cyUVRawxrEpMqiAGRicjxC8TAjdmbQND78SI6QsnUGXsnnMA7h1AgMBAAGjXTBb
MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIVVLITsk2JL4QxDgF2Gp7Y+nSTlMB8G
A1UdIwQYMBaAFIVVLITsk2JL4QxDgF2Gp7Y+nSTlMAsGA1UdDwQEAwIBpjANBgkq
hkiG9w0BAQsFAAOCAQEAdowKymGU89QBpliVMvDcdtZJL1KceYbFB5C+lTiQI7H3
CQSD0w7MHOrZc4gc3GqhCeEpNxf2XQ09eDwY8iVixKv+JeQOyp+eyXd2QisXzI93
KOi5sej4DMQ7llszQyN508u0742ZqdfSk+Sc/QNRazsTHkYet/TxaYFDZrdCCRT5
12FB1ny8S0DbhjXRaSSylTwl7Lt3aQu7cXvvMuUyfZRjdvBEQlQhfd7viRgwf7Tg
lbjgSUZrW0U1gg/4O2FAQlet9N3hQwRHLCYNV+IFe6CbnN8HZC5awN9kMUaZv+Kt
QyCF8AJ4rD8SLiM4LpLYH5igWo7S5irxFpPSMGKDeg==
-----END CERTIFICATE-----


@ -1,25 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,78 +0,0 @@
# README
Administrators can use Endpoint Central to manage computers running Linux operating system. This document will explain you on the following:
- Supported Linux OS
- Installing Endpoint Central Agents
- Installing Endpoint Central Agent Remotely
- Uninstalling Endpoint Central Agents
# Supported Linux OS
--------------------
Endpoint Central currently supports the following Linux versions:
- Ubuntu 10.04 and later versions
- RedHat Enterprise Linux 6 and later versions
- CentOS 6 and later versions
- Fedora 19 and later versions
- Mandriva 2010 and later versions
- Debian 7 and later versions
- Linux Mint 13 and later versions
- OpenSuSE 11 and later
- SuSE Enterprise Linux 11 and later
# Installing Endpoint Central Agents
-----------------------------------
Linux agents can be installed manually in the computers that need to be managed. Agents should be downloaded on the Linux computer manually before initiating the installation process. Follow the steps mentioned below.
1. Go to the terminal as a root user. If you do not login as a root user, open the terminal and use sudo command to perform each operation mentioned below and enter password whenever prompted. This provides you the root privilege.
2. Move to the Directory where you have downloaded the Agent, and verify "UEMS_LinuxAgent.bin" and serverinfo.json" are there.
3. Execute the Command, "chmod +x UEMS_LinuxAgent.bin" as a root user. This prepares the executable for installation.
4. Run the Installer using "./UEMS_LinuxAgent.bin". Agent will be installed by default in "/usr/local/desktopcentralagent" directory.
5. If you wanted to change the installation location of the agent, use this command "./UEMS_LinuxAgent.bin -d <new_location>" .
You can see that the Endpoint Central agent is successfully installed on the Linux computer. You need to install the agents manually on the computers, which needs to be managed using Endpoint Central. Once the agent installation is completed, the computer will be scanned automatically and the following details will be updated to the Endpoint Central server:
~ System Details : All details about the comptuer, like Users, Groups and Services. This does not include details on the network shares mapped to the computer.
~ Hardware Details : All hardware details of the computer like, BIOS, Disk Drives, Physical Memory, Processors, Network Adapters etc. This does not include details on Printers and Ports.
~ Software Details : All details on the software that is installed on the managed computer, with the version of the application and installation date etc.
# Installing Endpoint Central Agent Remotely
-------------------------------------------
When you wanted to install Endpoint Central agent remotely on Linux computers, you can install them using SSH. Follow the steps mentioned below to install Endpoint Central agent using SSH:
- Copy the downloaded Endpoint Central agent to the remote computer on which the agent needs to be installed
1. Go to terminal as root user
2. Navigate to the location where the agent is being copied/downloaded
3. Type "scp DCLinuxAgent.zip username@hostname:<Path_To_Storage_Directory_If_Needed>" to copy the agent to the target computer, enter password if prompted
where username refers to the root user name of the target computer
hostname refers to the local host name of the target computer
If no path is specified, then the agent will be copied to "/home/username" in the target computer
- Install the agent by following the steps mentioned below:
1. Go to the terminal and Type "ssh rootusername@hostname" to login to the target computer
2. Login as a root user. If you do not login as rootuser, open the terminal and use sudo command to perform each operation mentioned below and enter password whenever prompted. This provides you the root privilege.
3. Navigate to the location, where the agent is downloaded/copied, if the downloaded agent is a remote office agent, then extract <Remote_Office_Name>.zip and navigate to Unzip the DCLinuxAgent.zip by using the command "unzip -e DCLinuxAgent.zip".
4. Verify if, "UEMS_LinuxAgent.bin" & "serverinfo.json" are located in the same path
5. Execute the Command, "chmod +x UEMS_LinuxAgent.bin" as a root user. This prepares the executable for installation.
6. Run the Installer using "./UEMS_LinuxAgent.bin". Ensure that the Property File "severinfo.json" exists in the Same Directory as "UEMS_LinuxAgent.bin". Agent will be installed by default in "/usr/local/desktopcentralagent" directory.
7. If you wanted to change the installation location of the agent, use this command "./UEMS_LinuxAgent.bin -d <new_location>" .
You have successfully installed the Endpoint Central agent on a remote computer using SSH.
# Uninstalling Endpoint Central Agents
-------------------------------------
If you do not want to manage a computer, you can follow the steps mentioned below to uninstall the Endpoint Central agent. Once Endpoint Central agent is uninstalled, all the details related to the computer will be removed from Endpoint Central server. If you wanted to manage this computer again, then you will have to re-install Endpoint Central agent in it. However the previous details related to the computer will not be available. To uninstall the agents from the computers, follow the steps mentioned below:
1. Go to the terminal as a root user. If you do not login as root user, open the terminal and use sudo command to perform each operation mentioned below and enter password whenever prompted. This provides you the root privilege.
2. Navigate to the location, where the agent is installed, (default Location : /usr/local/desktopcentralagent) execute this command to "chmod +x RemoveDCAgent.sh" to initiate the uninstaller. You need to have root privilege to uninstall the agent.
3. Execute this command "./RemoveDCAgent.sh" to uninstall the agent.
You can see that the Endpoint Central agent has been uninstalled successfully from the computer.


@ -1,36 +0,0 @@
#!/bin/sh
# Pour install l'agent ManageEngine
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 05-manageengine"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation composant"
echo "${NOCOLOR}"
apt install -y xz-utils >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Installation composant : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Mise en place des droits sur fichiers"
echo "${NOCOLOR}"
chmod +x 05-manageengine/UEMS_LinuxAgent.bin >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Mise en place des droits sur fichiers : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation"
echo "${NOCOLOR}"
./05-manageengine/UEMS_LinuxAgent.bin
echo "${YELLOW} * ${NOCOLOR} Installation : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 05-manageengine"
echo "${NOCOLOR}"


@ -1 +0,0 @@
{"branchid":"303","productcode":"DCEE","performpostinstall":"yes","value2":"013de50e0ca7020a3c1da5f834f859e5","value1":"cb9c1566f735d8a2c0b1a41b4cfa2278d3ad01ded23363b0c9bb2e1a8bb159b476da39fb1868f7cc91a82fb13f1477b3","serverflatname":"SWEPCEVEP01","unique_id_status_linux":"false","data_transfer_rate":"0","unique_id_param":"SERVICE_TAG","directdownloadenabled":"false","serverprotocol":"https","enableproxy":"no","linux_ad_domain":"linuxosgroup","linuxagentversion":"11.3.2416.28.L","usejson":"true","unique_id_status":"false","enable_captcha":"yes","uemsproductcode":"[DCEE]","customername":"DC_CUSTOMER","performassetscan":"yes","DID":"901","serveripaddress":"sgepc.saint-maclou.com","autodetect_proxy":"false","serversecipaddress":"10.78.56.39","serverrootcert":"-----BEGIN CERTIFICATE-----\r\nMIIDqzCCApOgAwIBAgIIX4tkL0r71OIwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UE\r\nBhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQLDAxNYW5hZ2VFbmdpbmUxGTAXBgNV\r\nBAoMEFpvaG8gQ29ycG9yYXRpb24xFzAVBgNVBAMMDk1hbmFnZUVuZ2luZUNBMCAX\r\nDTIzMTEyNzA5NDU1MloYDzIxMjMxMTI3MDk0NTUyWjBlMQswCQYDVQQGEwJVUzEL\r\nMAkGA1UECAwCQ0ExFTATBgNVBAsMDE1hbmFnZUVuZ2luZTEZMBcGA1UECgwQWm9o\r\nbyBDb3Jwb3JhdGlvbjEXMBUGA1UEAwwOTWFuYWdlRW5naW5lQ0EwggEiMA0GCSqG\r\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYtJmarYc7ha7LbrwE5BlOlGP1zzzZcOTn\r\noglnnAg898yx+AOc0sjIf55OFESU919nqqD1+tyZ6GmuFtNhDhrM7znLLMECMjbC\r\nCvvJHcoXZ3iO/gSjhiXfQuKiU1vvRjfz/+9A+76PW+Y4gM0BGe+z68L/dHYaZ5ys\r\nNwOwtDDR55eM1c0K0AUNkQuQd9wgP/T25N2e5HpY/2gLDUTzZuAdd3ytjpMvtDwV\r\n5jFp2SXa37sguMlWf1nMvEmp+U+JteYRWMHjFkA3jnd46vTwcU7dxt2XE7hfkpKZ\r\n9cyUVRawxrEpMqiAGRicjxC8TAjdmbQND78SI6QsnUGXsnnMA7h1AgMBAAGjXTBb\r\nMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIVVLITsk2JL4QxDgF2Gp7Y+nSTlMB8G\r\nA1UdIwQYMBaAFIVVLITsk2JL4QxDgF2Gp7Y+nSTlMAsGA1UdDwQEAwIBpjANBgkq\r\nhkiG9w0BAQsFAAOCAQEAdowKymGU89QBpliVMvDcdtZJL1KceYbFB5C+lTiQI7H3\r\nCQSD0w7MHOrZc4gc3GqhCeEpNxf2XQ09eDwY8iVixKv+JeQOyp+eyXd2QisXzI93\r\nKOi5sej4DMQ7llszQyN508u0742ZqdfSk+Sc/QNRazsTHkYet/TxaYFDZrdCCRT5\r\n12FB1ny8S0DbhjXRaSSylTwl7Lt3aQu7cXvvMuUyfZRjd
vBEQlQhfd7viRgwf7Tg\r\nlbjgSUZrW0U1gg/4O2FAQlet9N3hQwRHLCYNV+IFe6CbnN8HZC5awN9kMUaZv+Kt\r\nQyCF8AJ4rD8SLiM4LpLYH5igWo7S5irxFpPSMGKDeg==\r\n-----END CERTIFICATE-----\r\n","currentcertificatetype":"2","linux_domain":"linuxosgroup","agentpollinginterval":"30","rosummaryenabled":"true","serverport":"8383","remoteofficeid":"303","performpatchscan":"yes","mspname":"DC_MSP","servername":"SWEPCEVEP01.fr.dgs.group","customerid":"1","installtime":"1701078855","customerrootcert":"-----BEGIN CERTIFICATE-----\r\nMIIEJTCCAw2gAwIBAgIIFzT5z/ZF2ukwDQYJKoZIhvcNAQELBQAwgaExCzAJBgNV\r\nBAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UECwwMTWFuYWdlRW5naW5lMRkwFwYD\r\nVQQKDBBab2hvIENvcnBvcmF0aW9uMRcwFQYDVQQDDA5NYW5hZ2VFbmdpbmVDQTEd\r\nMBsGA1UEAwwUTWFuYWdlRW5naW5lQ0EtRFMtQ0ExGzAZBgNVBAsMEk1hbmFnZUVu\r\nZ2luZS1EUy1DQTAgFw0yMzExMjcwOTU0MTdaGA8yMTIzMTEyNzA5NTQxN1owgaEx\r\nCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UECwwMTWFuYWdlRW5naW5l\r\nMRkwFwYDVQQKDBBab2hvIENvcnBvcmF0aW9uMRcwFQYDVQQDDA5NYW5hZ2VFbmdp\r\nbmVDQTEdMBsGA1UEAwwUTWFuYWdlRW5naW5lQ0EtRFMtQ0ExGzAZBgNVBAsMEk1h\r\nbmFnZUVuZ2luZS1EUy1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\r\nAKbxxy6hEEt/q4eiVB8a+q6QQb8p3wCh9pIgGctZ9BKiVTmtBUZDKHjny4Aj9Qm1\r\nRy6+FwBRozlwHcSlMp71y9SSd1ZMaKhLDNWORGDCymzH+dXipUT4ArMXqW+uHyxc\r\nRe0jd+Zqdl9xakVz16DjDyFTEuAQl00MmCc10tr2GOUDdmfSCSWSm+fUNsI0SyG2\r\n/Jkef+qzENUYdjaL6ye+uYZD8chPxVdsKUskgfUhD93Wxf3+C3wXl9jr0W8W16mD\r\nSBQnMgRXjei3X+8joyYPDKISjg8gmJ3w+BzR+T4OZz8SeAEbNVKvx70UOXGN9PJD\r\n/S0wOKRinu8S6IF+YQei6qECAwEAAaNdMFswDAYDVR0TBAUwAwEB/zAdBgNVHQ4E\r\nFgQUNiYnU17lxyB30CeJ/FZL8/AoA5kwHwYDVR0jBBgwFoAUNiYnU17lxyB30CeJ\r\n/FZL8/AoA5kwCwYDVR0PBAQDAgGmMA0GCSqGSIb3DQEBCwUAA4IBAQB/MQesQM9K\r\nUjrosp/I3+nxhBoSWrsySLenklsDOeCGG1yHOOj73C0D1CuEIU8/4ATuZFhnv//j\r\no/DSw7/6gfNd1MFMXZJt9gtsTQiKSiCe6BIRvSYvUih9EcBXwJfAZGHdG3kgEPkN\r\nLNwWoI2AcsyUit15MTe6XXr1xIVVa89xYUoqyj1+ypmbdLzEtpFuJvVlqPivYcA3\r\nPQshDBESmsPmZOXsjJMadM4YGo9Huczhpo7URqYqLPsWxZC+gv9AKkyy/FSZ8D5b\r\nzJKHdiMLkEJLjsGqjjq/9VOZIrZdZ+F+nn5m5Y+HOgGCbRdhk+vuzte9Gp1dkwW9\r\
nRzeVkfMHgMNo\r\n-----END CERTIFICATE-----\r\n","sc_value":"1","remoteofficeauthkey":"013de50e0ca7020a3c1da5f834f859e5","enabledistributionserver":"no","serversecureport":"8383","remoteofficename":"Serveur-Tiers1"}


@ -1,36 +0,0 @@
#!/bin/sh
# Pour la configuration SNMP
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 06-snmp"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation composant"
echo "${NOCOLOR}"
apt install -y snmp snmpd >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Installation composant : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : snmpd.conf"
echo "${NOCOLOR}"
cp 06-snmp/snmpd.conf /etc/snmp/ >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : snmpd.conf : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Relance de service"
echo "${NOCOLOR}"
systemctl restart snmpd
echo "${YELLOW} * ${NOCOLOR} Relance de service : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 06-snmp"
echo "${NOCOLOR}"


@ -1,6 +0,0 @@
rocommunity eveagroup 10.78.56.100
rocommunity SUP-TSM-PRIV 10.78.56.16
rocommunity public 10.78.56.100
rocommunity SUP-TSM-PRIV 10.78.56.45
extend docker /etc/snmp/docker-stats.py


@ -1,3 +0,0 @@
Acquire::http::proxy "http://serv-proxy.fr.dgs.group:3128";
Acquire::https::proxy "http://serv-proxy.fr.dgs.group:3128";
Acquire::ftp::proxy "http://serv-proxy.fr.dgs.group:3128";


@ -1,36 +0,0 @@
#!/bin/sh
# Pour la configuration de l'APT d'utiliser le proxy
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 02-apt"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : 02proxy"
echo "${NOCOLOR}"
cp 02-apt/02proxy /etc/apt/apt.conf.d/02proxy >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : 02proxy : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Référence update"
echo "${NOCOLOR}"
apt update >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Référence update : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Mise à jour"
echo "${NOCOLOR}"
apt full-upgrade -y >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Mise à jour : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 02-apt"
echo "${NOCOLOR}"


@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQA


@ -1,66 +0,0 @@
#!/bin/bash
# get load averages
IFS=" " read LOAD1 LOAD5 LOAD15 <<<$(awk '{ print $1,$2,$3 }' /proc/loadavg)
# get free memory
IFS=" " read USED AVAIL TOTAL <<<$(free -htm | awk '/Mem/ { print $3,$7,$2 }')
# get processes
PROCESS=$(ps -eo user=|sort|uniq -c | awk '{ print $2 " " $1 }')
PROCESS_ALL=$(echo "$PROCESS"| awk {'print $2'} | awk '{ SUM += $1} END { print SUM }')
PROCESS_ROOT=$(echo "$PROCESS" | awk '/root/ { print $2}')
PROCESS_USER=$(echo "$PROCESS" | awk '!/root/ { SUM += $2} END { print SUM }')
# get processors
PROCESSOR_NAME=$(awk -F": " '/model name/ { print $2 }' /proc/cpuinfo | head -1)
PROCESSOR_COUNT=$(grep -ioPc 'processor\t:' /proc/cpuinfo)
# colors
W="\e[0;39m"
G="\e[1;32m"
R="\e[1;31m"
dim="\e[2m"
undim="\e[0m"
echo -e "${W}System info:
$W Hostname$dim····$undim: $W${HOSTNAME}
$W Distro$dim······$undim: $W$(grep "PRETTY_NAME" /etc/*release | cut -d "=" -f 2- | sed 's/"//g')
$W Kernel$dim······$undim: $W$(uname -sr)
$W Uptime$dim······$undim: $W$(uptime -p)
$W Load$dim········$undim: $G$LOAD1$W (1m), $G$LOAD5$W (5m), $G$LOAD15$W (15m)
$W Processes$dim···$undim: $G$PROCESS_ROOT$W (root), $G$PROCESS_USER$W (user), $G$PROCESS_ALL$W (total)
$W CPU$dim·········$undim: $W$PROCESSOR_NAME ($G$PROCESSOR_COUNT$W vCPU)
$W Memory$dim······$undim: $G$USED$W used, $G$AVAIL$W avail, $G$TOTAL$W total"
# config
max_usage=90
bar_width=50
# disk usage: ignore zfs, squashfs & tmpfs
printf "\nDisk usage:\n"
while read line; do
# get disk usage
usage=$(echo "$line" | awk '{print $2}' | sed 's/%//')
used_width=$((($usage*$bar_width)/100))
# color is green if usage < max_usage, else red
if [ "${usage}" -ge "${max_usage}" ]; then
color=$R
else
color=$G
fi
# print green/red bar until used_width
bar="[${color}"
for ((i=0; i<$used_width; i++)); do
bar+="="
done
# print dimmmed bar until end
bar+="${W}${dim}"
for ((i=$used_width; i<$bar_width; i++)); do
bar+="·"
done
bar+="${undim}]"
# print usage line & bar
echo "${line}" | awk '{ printf("%-31s%+3s used out of %+4s\n", $1, $2, $3); }' | sed -e 's/^/ /'
echo -e "${bar}" | sed -e 's/^/ /'
done < <(df -H -x zfs -x squashfs -x tmpfs -x devtmpfs -x overlay -x nfs -x nfs4 -x cifs --output=target,pcent,size | tail -n+2)
printf "\n"


@ -1,25 +0,0 @@
_______ _
|__ __| (_)
| | __ _ _ __ _ ___
| |/ _` | '_ \| / __|
| | (_| | |_) | \__ \
|_|\__,_| .__/|_|___/
_____ | |_ _ __ __ _
/ ____| |_(_) | | | \/ | | |
| (___ __ _ _ _ __ | |_ __ | \ / | __ _ ___| | ___ _ _
\___ \ / _` | | '_ \| __||__|| |\/| |/ _` |/ __| |/ _ \| | | |
____) | (_| | | | | | |_ | | | | (_| | (__| | (_) | |_| |
|_____/ \__,_|_|_| |_|\__| |_| |_|\__,_|\___|_|\___/ \__,_|
AVERTISSEMENT : L'accès à ce système est réservé aux utilisateurs
dûment autorisés.
Toute tentative d'accès, d'accès à ce système sans autorisation ou
de maintien frauduleux dans ce système fera l'objet de poursuites
conformément à la politique de Tapis-Saint-Maclou.
Tout utilisateur autorisé est informé et reconnaît que ses actions
peuvent être enregistrées, conservées et auditées conformément aux
chartes/politiques internes de aux chartes/politiques internes de
Tapis-Saint-Maclou.


@ -1,7 +0,0 @@
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600


@ -1,7 +0,0 @@
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600


@ -1,31 +0,0 @@
#!/bin/sh
# Pour la configuration Fail2Ban
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 10-Fail2Ban"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation composant"
echo "${NOCOLOR}"
apt install -y fail2ban >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Installation composant : ${GREEN} OK"
echo "${NOCOLOR}"
cp 10-Fail2ban/jail.local /etc/fail2ban/jail.local >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Relance de service"
echo "${NOCOLOR}"
systemctl enable fail2ban
systemctl start fail2ban
echo "${YELLOW} * ${NOCOLOR} Relance de service : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 10-Fail2Ban"
echo "${NOCOLOR}"


@ -1,2 +0,0 @@
--distribution-id 896dc20f132a45369e53e479b245d244
--distribution-server https://distributions.traps.paloaltonetworks.com/


@ -1,44 +0,0 @@
#!/bin/sh
# Pour installer Cortex sur un serveur Debian
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 03-cortex"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Création du dossier"
echo "${NOCOLOR}"
mkdir -p /etc/panw >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Création du dossier : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : cortex.conf"
echo "${NOCOLOR}"
cp 03-cortex/etc/panw/cortex.conf /etc/panw/cortex.conf >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : cortex.conf : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation iptables"
echo "${NOCOLOR}"
apt install -y iptables >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Installation iptables : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation Cortex"
echo "${NOCOLOR}"
dpkg -i 03-cortex/cortex-8.7.0.131661.deb
echo "${YELLOW} * ${NOCOLOR} Installation Cortex : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 03-cortex"
echo "${NOCOLOR}"


@ -1,36 +0,0 @@
#!/bin/sh
# Pour la configuration SNMP
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 06-snmp"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation composant"
echo "${NOCOLOR}"
apt install -y snmp snmpd >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Installation composant : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : snmpd.conf"
echo "${NOCOLOR}"
cp 06-snmp/snmpd.conf /etc/snmp/ >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Copie du fichier : snmpd.conf : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Relance de service"
echo "${NOCOLOR}"
systemctl restart snmpd
echo "${YELLOW} * ${NOCOLOR} Relance de service : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 06-snmp"
echo "${NOCOLOR}"


@ -1,6 +0,0 @@
rocommunity eveagroup 10.78.56.100
rocommunity SUP-TSM-PRIV 10.78.56.16
rocommunity public 10.78.56.100
rocommunity SUP-TSM-PRIV 10.78.56.45
extend docker /etc/snmp/docker-stats.py


@ -1,5 +0,0 @@
nameserver 10.78.56.8
nameserver 10.78.56.9
search fr.dgs.group
domain fr.dgs.group


@ -1,20 +0,0 @@
#!/bin/sh
# Pour la configuration DNS
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 07-DNS"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Configuration DNS"
echo "${NOCOLOR}"
cp 07-DNS/resolv.conf /etc/resolv.conf >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Configuration DNS : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 07-DNS"
echo "${NOCOLOR}"


@ -1,20 +0,0 @@
#!/bin/sh
# Pour la configuration NRPE
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 08-nrpe"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation composant"
echo "${NOCOLOR}"
apt install -y nagios-nrpe-server nagios-nrpe-plugin >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Installation composant : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 08-nrpe"
echo "${NOCOLOR}"


@ -1,31 +0,0 @@
#!/bin/sh
# Pour la configuration firewall
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 09-Firewall"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Installation composant"
echo "${NOCOLOR}"
apt install -y ufw >> /dev/null
echo "${YELLOW} * ${NOCOLOR} Installation composant : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} * ${NOCOLOR} Configuration"
echo "${NOCOLOR}"
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp # Votre port SSH
ufw enable
echo "${YELLOW} * ${NOCOLOR} Configuration : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 09-Firewall"
echo "${NOCOLOR}"


@ -1,22 +0,0 @@
#!/bin/sh
# Pour la configuration Remove Service
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 11-Remove Service"
echo "${NOCOLOR}"
systemctl list-unit-files --state=enabled
echo "${YELLOW} * ${NOCOLOR} Arret du service : "
echo "${NOCOLOR}"
# systemctl disable service_name
# systemctl stop service_name
echo "${YELLOW} * ${NOCOLOR} Arret du service : : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 11-Remove Service"
echo "${NOCOLOR}"


@ -1,3 +0,0 @@
* hard core 0
* soft nproc 1000
* hard nproc 2000


@ -1,18 +0,0 @@
#!/bin/sh
# Pour la configuration Hardening
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NOCOLOR='\033[0m'
echo "${YELLOW} ** ${NOCOLOR} Début du script : 12-Hardening"
echo "${NOCOLOR}"
cp 12-hardening/sysctl.conf /etc/sysctl.conf >> /dev/null
sysctl -p
cp 12-hardening/limits.conf /etc/security/limits.conf >> /dev/null
echo "${YELLOW} ** ${NOCOLOR} Fin du script : 12-Hardening"
echo "${NOCOLOR}"


@ -1,12 +0,0 @@
# Protection contre les attaques de type spoofing
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
# Désactivation du routage IP
net.ipv4.ip_forward=0
# Protection contre les attaques SYN flood
net.ipv4.tcp_syncookies=1
# Ignorer les pings
net.ipv4.icmp_echo_ignore_all=1


@ -15,9 +15,9 @@ Depuis un terminal, faire un copié/collé du code ci-dessous
```shell ```shell
cd ./Linux-Template/ cd ./Linux-Template/
chmod +x script.sh chmod +x * -R
./script.sh sudo ./main.sh
``` ```
## 01-ssh ## 01-ssh

562
dsq

@ -1,562 +0,0 @@
#!/bin/bash
# Global variables
VERSION="2.0"
VERBOSE=false
BACKUP_DIR="/root/security_backup_$(date +%Y%m%d_%H%M%S)"
LOG_FILE="/var/log/security_hardening.log"
SCRIPT_NAME=$(basename "$0")
# Function for logging
log() {
local message="$(date '+%Y-%m-%d %H:%M:%S'): $1"
echo "$message" | sudo tee -a "$LOG_FILE"
$VERBOSE && echo "$message"
}
# Function for error handling
handle_error() {
log "Error: $1"
exit 1
}
# Function to install packages
install_package() {
log "Installing $1..."
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y "$1" || handle_error "Failed to install $1"
}
# Function to backup files
backup_files() {
sudo mkdir -p "$BACKUP_DIR" || handle_error "Failed to create backup directory"
local files_to_backup=(
"/etc/default/grub"
"/etc/ssh/sshd_config"
"/etc/pam.d/common-password"
"/etc/login.defs"
"/etc/sysctl.conf"
)
for file in "${files_to_backup[@]}"; do
if [ -f "$file" ]; then
sudo cp "$file" "$BACKUP_DIR/" || log "Warning: Failed to backup $file"
else
log "Warning: $file not found, skipping backup"
fi
done
log "Backup created in $BACKUP_DIR"
}
# Function to restore from backup
restore_backup() {
if [ -d "$BACKUP_DIR" ]; then
for file in "$BACKUP_DIR"/*; do
sudo cp "$file" "$(dirname "$(readlink -f "$file")")" || log "Warning: Failed to restore $(basename "$file")"
done
log "Restored configurations from $BACKUP_DIR"
else
log "Backup directory not found. Cannot restore."
fi
}
# Function to check permissions
check_permissions() {
if [ "$EUID" -ne 0 ]; then
echo "This script must be run with sudo privileges."
echo "Please run it again using: sudo $0"
exit 1
fi
}
# Function to display help
display_help() {
echo "Usage: sudo ./$SCRIPT_NAME [OPTIONS]"
echo "Options:"
echo " -h, --help Display this help message"
echo " -v, --verbose Enable verbose output"
echo " --version Display script version"
echo " --dry-run Perform a dry run without making changes"
echo " --restore Restore system from the most recent backup"
exit 0
}
# Function to display version
display_version() {
echo "Enhanced Ubuntu Linux Security Hardening Script v$VERSION"
exit 0
}
# Function to check system requirements
check_requirements() {
if ! command -v lsb_release &> /dev/null; then
handle_error "lsb_release command not found. This script requires an Ubuntu-based system."
fi
local os_name=$(lsb_release -si)
local os_version=$(lsb_release -sr)
if [[ "$os_name" != "Ubuntu" && "$os_name" != "Debian" ]]; then
handle_error "This script is designed for Ubuntu or Debian-based systems. Detected OS: $os_name"
if [[ $(echo "$os_version < 18.04" | bc) -eq 1 ]]; then
handle_error "This script requires Ubuntu 18.04 or later. Detected version: $os_version"
elif [[ "$os_name" == "Debian" && $(echo "$os_version < 12.0" | bc) -eq 1 ]]; then
handle_error "This script requires Debian 12.0 or later. Detected version: $os_version"
fi
fi
log "System requirements check passed. OS: $os_name $os_version"
}
# Function to update system
update_system() {
log "Updating System..."
sudo apt-get update -y || handle_error "System update failed"
sudo DEBIAN_FRONTEND=noninteractive apt-get upgrade -y || handle_error "System upgrade failed"
}
# Function to setup firewall
setup_firewall() {
log "Installing and Configuring Firewall..."
install_package "ufw"
sudo ufw default deny incoming || handle_error "Failed to set UFW default incoming policy"
sudo ufw default allow outgoing || handle_error "Failed to set UFW default outgoing policy"
sudo ufw limit ssh comment 'Allow SSH with rate limiting' || handle_error "Failed to configure SSH in UFW"
sudo ufw allow 80/tcp comment 'Allow HTTP' || handle_error "Failed to allow HTTP in UFW"
sudo ufw allow 443/tcp comment 'Allow HTTPS' || handle_error "Failed to allow HTTPS in UFW"
local apply_ipv6_rules
read -p "Do you want to apply IPv6-specific firewall rules? (y/N): " apply_ipv6_rules
case $apply_ipv6_rules in
[Yy]* )
log "Applying IPv6-specific firewall rules..."
sudo ufw allow in on lo || handle_error "Failed to allow loopback traffic"
sudo ufw allow out on lo || handle_error "Failed to allow loopback traffic"
sudo ufw deny in from ::/0 || handle_error "Failed to deny all incoming IPv6 traffic"
sudo ufw allow out to ::/0 || handle_error "Failed to allow all outgoing IPv6 traffic"
log "IPv6 firewall rules applied"
;;
* )
log "Skipping IPv6-specific firewall rules"
;;
esac
sudo ufw logging on || handle_error "Failed to enable UFW logging"
sudo ufw --force enable || handle_error "Failed to enable UFW"
log "Firewall configured and enabled"
}
# Function to setup Fail2Ban
setup_fail2ban() {
log "Installing and Configuring Fail2Ban..."
install_package "fail2ban"
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local || handle_error "Failed to create Fail2Ban local config"
sudo sed -i 's/bantime = 10m/bantime = 1h/' /etc/fail2ban/jail.local || handle_error "Failed to set Fail2Ban bantime"
sudo sed -i 's/maxretry = 5/maxretry = 3/' /etc/fail2ban/jail.local || handle_error "Failed to set Fail2Ban maxretry"
sudo systemctl enable fail2ban || handle_error "Failed to enable Fail2Ban service"
sudo systemctl start fail2ban || handle_error "Failed to start Fail2Ban service"
log "Fail2Ban configured and started"
}
# Function to setup ClamAV
setup_clamav() {
log "Installing and Updating ClamAV..."
install_package "clamav"
install_package "clamav-daemon"
sudo systemctl stop clamav-freshclam || log "Warning: Failed to stop clamav-freshclam"
sudo freshclam || log "Warning: ClamAV database update failed"
sudo systemctl start clamav-freshclam || handle_error "Failed to start clamav-freshclam"
sudo systemctl enable clamav-freshclam || handle_error "Failed to enable clamav-freshclam"
log "ClamAV installed and updated"
}
# Function to disable root login
disable_root() {
log "Checking for non-root users with sudo privileges..."
# Get the list of users with sudo privileges
sudo_users=$(getent group sudo | cut -d: -f4 | tr ',' '\n' | grep -v "^root$")
# Check if there are any non-root users with sudo privileges
if [ -z "$sudo_users" ]; then
log "Warning: No non-root users with sudo privileges found. Skipping root login disable for safety."
echo "Please create a non-root user with sudo privileges before disabling root login."
return
fi
log "Non-root users with sudo privileges found. Proceeding to disable root login..."
# Disable root login
if sudo passwd -l root; then
log "Root login disabled successfully."
else
handle_error "Failed to lock root account"
fi
# Disable root SSH login as an additional precaution
if grep -q "^PermitRootLogin" /etc/ssh/sshd_config; then
sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config || handle_error "Failed to disable root SSH login in sshd_config"
else
echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config > /dev/null || handle_error "Failed to add PermitRootLogin no to sshd_config"
fi
# Restart SSH service to apply changes
sudo systemctl restart sshd || handle_error "Failed to restart SSH service"
log "Root login has been disabled and SSH root login has been explicitly prohibited."
}
# Function to remove unnecessary packages
remove_packages() {
log "Removing unnecessary packages..."
sudo DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y telnetd nis yp-tools rsh-client rsh-redone-client xinetd || log "Warning: Failed to remove some packages"
sudo apt-get autoremove -y || log "Warning: autoremove failed"
log "Unnecessary packages removed"
}
# Function to setup audit
setup_audit() {
log "Configuring audit rules..."
install_package "auditd"
local audit_rules=(
"-w /etc/passwd -p wa -k identity"
"-w /etc/group -p wa -k identity"
"-w /etc/shadow -p wa -k identity"
"-w /etc/sudoers -p wa -k sudoers"
"-w /var/log/auth.log -p wa -k auth_log"
"-w /sbin/insmod -p x -k modules"
"-w /sbin/rmmod -p x -k modules"
"-w /sbin/modprobe -p x -k modules"
"-w /var/log/faillog -p wa -k logins"
"-w /var/log/lastlog -p wa -k logins"
"-w /var/run/utmp -p wa -k session"
"-w /var/log/wtmp -p wa -k session"
"-w /var/log/btmp -p wa -k session"
"-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change"
"-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change"
"-a always,exit -F arch=b64 -S clock_settime -k time-change"
"-a always,exit -F arch=b32 -S clock_settime -k time-change"
"-w /etc/localtime -p wa -k time-change"
)
for rule in "${audit_rules[@]}"; do
echo "$rule" | sudo tee -a /etc/audit/rules.d/audit.rules > /dev/null || handle_error "Failed to add audit rule: $rule"
done
sudo systemctl enable auditd || handle_error "Failed to enable auditd service"
sudo systemctl start auditd || handle_error "Failed to start auditd service"
log "Audit rules configured and auditd started"
}
# Function to disable unused filesystems
disable_filesystems() {
log "Disabling Unused Filesystems..."
local filesystems=("cramfs" "freevxfs" "jffs2" "hfs" "hfsplus" "squashfs" "udf" "vfat")
for fs in "${filesystems[@]}"; do
echo "install $fs /bin/true" | sudo tee -a /etc/modprobe.d/CIS.conf > /dev/null || handle_error "Failed to disable filesystem: $fs"
done
log "Unused filesystems disabled"
}
# Function to secure boot settings
secure_boot() {
log "Securing Boot Settings..."
# Secure GRUB configuration file
if [ -f /boot/grub/grub.cfg ]; then
sudo chown root:root /boot/grub/grub.cfg || handle_error "Failed to change ownership of grub.cfg"
sudo chmod 600 /boot/grub/grub.cfg || handle_error "Failed to change permissions of grub.cfg"
log "GRUB configuration file secured"
else
log "Warning: /boot/grub/grub.cfg not found. Skipping GRUB file permissions."
fi
# Modify kernel parameters
if [ -f /etc/default/grub ]; then
# Backup original file
sudo cp /etc/default/grub /etc/default/grub.bak || handle_error "Failed to backup grub file"
# Add or modify kernel parameters
local kernel_params="audit=1 net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.send_redirects=0"
# Ask if user wants to disable SACK
local disable_sack
read -p "Do you want to disable TCP SACK? This is generally not recommended. (y/N): " disable_sack
case $disable_sack in
[Yy]* )
kernel_params+=" net.ipv4.tcp_sack=0"
log "TCP SACK will be disabled"
;;
* )
log "TCP SACK will remain enabled"
;;
esac
sudo sed -i "s/GRUB_CMDLINE_LINUX=\"\"/GRUB_CMDLINE_LINUX=\"$kernel_params\"/" /etc/default/grub || handle_error "Failed to modify kernel parameters"
# Update GRUB
if command -v update-grub &> /dev/null; then
sudo update-grub || handle_error "Failed to update GRUB"
elif command -v grub2-mkconfig &> /dev/null; then
sudo grub2-mkconfig -o /boot/grub2/grub.cfg || handle_error "Failed to update GRUB"
else
log "Warning: Neither update-grub nor grub2-mkconfig found. Please update GRUB manually."
fi
log "Kernel parameters updated"
else
log "Warning: /etc/default/grub not found. Skipping kernel parameter modifications."
fi
log "Boot settings secured"
}
# Function to configure IPv6
configure_ipv6() {
local disable_ipv6
read -p "Do you want to disable IPv6? (y/N): " disable_ipv6
case $disable_ipv6 in
[Yy]* )
log "Disabling IPv6..."
echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf || handle_error "Failed to disable IPv6 (all)"
echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf || handle_error "Failed to disable IPv6 (default)"
echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf || handle_error "Failed to disable IPv6 (lo)"
sudo sysctl -p || handle_error "Failed to apply sysctl changes"
log "IPv6 has been disabled"
;;
* )
log "IPv6 will remain enabled"
;;
esac
}
# Function to setup AppArmor
setup_apparmor() {
log "Setting up AppArmor..."
if ! command -v apparmor_status &> /dev/null; then
install_package "apparmor"
install_package "apparmor-utils"
else
log "AppArmor is already installed. Skipping installation."
fi
sudo systemctl enable apparmor || handle_error "Failed to enable AppArmor service"
sudo systemctl start apparmor || handle_error "Failed to start AppArmor service"
sudo aa-enforce /etc/apparmor.d/* || log "Warning: Failed to enforce some AppArmor profiles"
log "AppArmor setup complete. All profiles are in enforce mode."
log "Monitor /var/log/syslog and /var/log/auth.log for any AppArmor-related issues."
}
# Function to setup NTP
setup_ntp() {
log "Setting up time synchronization..."
# Check if systemd-timesyncd is available (modern Ubuntu systems)
if systemctl list-unit-files | grep -q systemd-timesyncd.service; then
log "Using systemd-timesyncd for time synchronization"
sudo systemctl enable systemd-timesyncd.service || handle_error "Failed to enable systemd-timesyncd service"
sudo systemctl start systemd-timesyncd.service || handle_error "Failed to start systemd-timesyncd service"
log "systemd-timesyncd setup complete"
else
# Fall back to traditional NTP if systemd-timesyncd is not available
log "Using traditional NTP for time synchronization"
install_package "ntp"
sudo systemctl enable ntp || handle_error "Failed to enable NTP service"
sudo systemctl start ntp || handle_error "Failed to start NTP service"
log "NTP setup complete"
fi
}
# Function to setup AIDE
setup_aide() {
log "Setting up AIDE..."
install_package "aide"
sudo aideinit || handle_error "Failed to initialize AIDE database"
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db || handle_error "Failed to move AIDE database"
log "AIDE setup complete"
}
# Function to configure sysctl
configure_sysctl() {
log "Configuring sysctl settings..."
local sysctl_config=(
"# IP Spoofing protection"
"net.ipv4.conf.all.rp_filter = 1"
"net.ipv4.conf.default.rp_filter = 1"
""
"# Ignore ICMP broadcast requests"
"net.ipv4.icmp_echo_ignore_broadcasts = 1"
""
"# Disable source packet routing"
"net.ipv4.conf.all.accept_source_route = 0"
"net.ipv6.conf.all.accept_source_route = 0"
""
"# Ignore send redirects"
"net.ipv4.conf.all.send_redirects = 0"
"net.ipv4.conf.default.send_redirects = 0"
""
"# Block SYN attacks"
"net.ipv4.tcp_syncookies = 1"
"net.ipv4.tcp_max_syn_backlog = 2048"
"net.ipv4.tcp_synack_retries = 2"
"net.ipv4.tcp_syn_retries = 5"
""
"# Log Martians"
"net.ipv4.conf.all.log_martians = 1"
"net.ipv4.icmp_ignore_bogus_error_responses = 1"
""
"# Ignore ICMP redirects"
"net.ipv4.conf.all.accept_redirects = 0"
"net.ipv6.conf.all.accept_redirects = 0"
""
"# Ignore Directed pings"
"net.ipv4.icmp_echo_ignore_all = 1"
""
"# Enable ASLR"
"kernel.randomize_va_space = 2"
""
"# Increase system file descriptor limit"
"fs.file-max = 65535"
""
"# Allow for more PIDs"
"kernel.pid_max = 65536"
""
"# Protect against kernel pointer leaks"
"kernel.kptr_restrict = 1"
""
"# Restrict dmesg access"
"kernel.dmesg_restrict = 1"
""
"# Restrict kernel profiling"
"kernel.perf_event_paranoid = 2"
)
printf "%s\n" "${sysctl_config[@]}" | sudo tee -a /etc/sysctl.conf || handle_error "Failed to update sysctl.conf"
sudo sysctl -p || handle_error "Failed to apply sysctl changes"
log "sysctl settings configured"
}
# Function for additional security measures
additional_security() {
log "Applying additional security measures..."
# Disable core dumps
echo "* hard core 0" | sudo tee -a /etc/security/limits.conf || handle_error "Failed to disable core dumps"
# Set proper permissions on sensitive files
sudo chmod 600 /etc/shadow || handle_error "Failed to set permissions on /etc/shadow"
sudo chmod 600 /etc/gshadow || handle_error "Failed to set permissions on /etc/gshadow"
# Enable process accounting
install_package "acct"
sudo /usr/sbin/accton on || handle_error "Failed to enable process accounting"
# Restrict SSH
sudo sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config || handle_error "Failed to disable root login via SSH"
sudo sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config || handle_error "Failed to disable password authentication for SSH"
sudo sed -i 's/^#Protocol.*/Protocol 2/' /etc/ssh/sshd_config || handle_error "Failed to set SSH protocol version"
sudo systemctl restart sshd || handle_error "Failed to restart SSH service"
# Configure strong password policy
sudo sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs || handle_error "Failed to set password max days"
sudo sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t7/' /etc/login.defs || handle_error "Failed to set password min days"
sudo sed -i 's/password.*pam_unix.so.*/password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=14 remember=5/' /etc/pam.d/common-password || handle_error "Failed to configure password policy"
log "Additional security measures applied"
}
# Function to setup automatic updates
setup_automatic_updates() {
log "Setting up automatic security updates..."
install_package "unattended-upgrades"
sudo dpkg-reconfigure -plow unattended-upgrades || handle_error "Failed to configure unattended-upgrades"
log "Automatic security updates configured"
}
# Main function
main() {
local dry_run=false
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help)
display_help
;;
-v|--verbose)
VERBOSE=true
shift
;;
--version)
display_version
;;
--dry-run)
dry_run=true
shift
;;
--restore)
restore_backup
exit 0
;;
*)
echo "Unknown option: $1"
display_help
;;
esac
done
check_permissions
check_requirements
backup_files
if $dry_run; then
log "Performing dry run. No changes will be made."
else
update_system
setup_firewall
setup_fail2ban
setup_clamav
# setup_snmp
# setup_nrpe
# setup_glpi
disable_root
remove_packages
setup_audit
disable_filesystems
secure_boot
configure_ipv6
setup_apparmor
setup_ntp
setup_aide
configure_sysctl
additional_security
setup_automatic_updates
fi
log "Enhanced Security Configuration executed! Script by captainzero93"
if ! $dry_run; then
# Ask user if they want to restart
read -p "Do you want to restart the system now to apply all changes? (y/N): " restart_now
case $restart_now in
[Yy]* )
log "Restarting system..."
sudo reboot
;;
* )
log "Please restart your system manually to apply all changes."
;;
esac
fi
}
# Run the main function
main "$@"


@ -65,6 +65,9 @@ nameserver 1.1.1.1
nameserver 8.8.4.4 nameserver 8.8.4.4
nameserver 1.0.0.1 nameserver 1.0.0.1
options edns0 timeout:2 rotate options edns0 timeout:2 rotate
# search
# domain
EOF EOF
log_message "SUCCESS" "Static resolv.conf created" log_message "SUCCESS" "Static resolv.conf created"
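Review bot: The `# search` and `# domain` lines added inside the heredoc are written into the generated resolv.conf as empty placeholders, so the file still has no search domain. The static resolv.conf deleted elsewhere in this commit carried `search fr.dgs.group` together with internal nameservers, while the visible context here lists only public resolvers; hosts that rely on short internal names would presumably stop resolving them, and internal lookups would go to external resolvers. If a search list is intended, emit a real `search <domain>` line from a configuration value rather than a bare comment, and keep only one of the two keywords, since resolv.conf treats `search` and `domain` as mutually exclusive. The heredoc starts outside the hunk, so the full nameserver list is not visible here.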


@ -120,7 +120,7 @@ configure_nrpe() {
# Install NRPE if not already installed # Install NRPE if not already installed
if ! is_package_installed "nagios-nrpe-server"; then if ! is_package_installed "nagios-nrpe-server"; then
log_message "INFO" "Installing NRPE and monitoring plugins" log_message "INFO" "Installing NRPE and monitoring plugins"
apt-get install -y nagios-nrpe-server nagios-plugins apt-get install -y nagios-nrpe-server nagios-plugins nagios-nrpe-plugin
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
log_message "ERROR" "Failed to install NRPE" log_message "ERROR" "Failed to install NRPE"
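Review bot: The added `nagios-nrpe-plugin` is only installed when `nagios-nrpe-server` is missing, because the install still sits behind `if ! is_package_installed "nagios-nrpe-server"`; a host that already has the server never receives the new package. Checking each package, or running the `apt-get install` unconditionally, would close that gap. It is also worth confirming the package is wanted on the monitored host at all: it ships the `check_nrpe` client that is normally run from the monitoring server, and `--no-install-recommends` would keep it from pulling in extra packages on a hardened template. As a style point, `if ! apt-get install -y ...; then` is more robust than testing `$?` on the following line. configure_nrpe continues outside the hunk.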


@ -1,858 +0,0 @@
#!/bin/bash
# Variables Global
VERSION="1.2"
VERBOSE=false
BACKUP_DIR="/root/security-backup-$(date +%Y%m%d_%H%M%S)"
LOG_FILE="/var/log/security-hardening.log"
SCRIPT_NAME=$(basename "$0")
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
BLUE='\[\033[0;34m\]'
PINK='\[\033[0;35m\]'
NOCOLOR='\033[0m'
# Fonction pour la présentatation du script
start() {
echo -e " " | tee -a "$LOG_FILE"
echo -e " ############################################################################## " | tee -a "$LOG_FILE"
echo -e " # " | tee -a "$LOG_FILE"
echo -e " # ██ ██ █████ ██████ ██████ ███████ ███ ██ ██ ███ ██ ██████ " | tee -a "$LOG_FILE"
echo -e " # ██ ██ ██ ██ ██ ██ ██ ██ ██ ████ ██ ██ ████ ██ ██ " | tee -a "$LOG_FILE"
echo -e " # ███████ ███████ ██████ ██ ██ █████ ██ ██ ██ ██ ██ ██ ██ ██ ███ " | tee -a "$LOG_FILE"
echo -e " # ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ " | tee -a "$LOG_FILE"
echo -e " # ██ ██ ██ ██ ██ ██ ██████ ███████ ██ ████ ██ ██ ████ ██████ " | tee -a "$LOG_FILE"
echo -e " # " | tee -a "$LOG_FILE"
echo -e " # Script de renforcement de la sécurité Linux v$VERSION" | tee -a "$LOG_FILE"
echo -e " # " | tee -a "$LOG_FILE"
echo -e " ############################################################################## " | tee -a "$LOG_FILE"
echo -e " " | tee -a "$LOG_FILE"
}
# Fonction pour l'enregistrement des logs
log() {
local message="${YELLOW} $(date '+%Y-%m-%d %H:%M:%S') ${NOCOLOR} : ${GREEN} $1 ${NOCOLOR}"
echo -e "$message" | tee -a "$LOG_FILE"
$VERBOSE && echo -e " ${BLUE} * $message"
}
# Fonction pour la gestion des warnings
handle_warning() {
log "${PINK} - Avertissement : $1 ${NOCOLOR}"
}
# Fonction pour la gestion des erreurs
handle_error() {
log "${RED} - Erreur : $1 ${NOCOLOR}"
exit 1
}
# Fonction d'installation des paquets
install_package() {
log "Installion $1 ..."
DEBIAN_FRONTEND=noninteractive apt install -y "$1" || handle_error "Échec de l'installation $1"
}
# Fonction de sauvegarde des fichiers
backup_files() {
log "Sauvegarde des fichiers ..."
mkdir -p "$BACKUP_DIR" || handle_error "Échec de la création du répertoire de sauvegarde"
local files_to_backup=(
"/etc/default/grub"
"/etc/ssh/sshd_config"
"/etc/ssh/ssh_config"
"/etc/snmp/snmpd.conf"
"/etc/pam.d/common-password"
"/etc/login.defs"
"/etc/sysctl.conf"
)
for file in "${files_to_backup[@]}"; do
if [ -f "$file" ]; then
cp "$file" "$BACKUP_DIR/" || log "Avertissement : Échec de la sauvegarde $file"
else
log "Avertissement: $file introuvable, sauvegarde ignorée"
fi
done
log " * Sauvegarde créée en $BACKUP_DIR"
}
# Fonction de restauration à partir d'une sauvegarde
restore_backup() {
if [ -d "$BACKUP_DIR" ]; then
for file in "$BACKUP_DIR"/*; do
cp "$file" "$(dirname "$(readlink -f "$file")")" || log "Avertissement : Échec de la restauration $(basename "$file")"
done
log "Configurations rétablies à partir de $BACKUP_DIR"
else
log "Répertoire de sauvegarde introuvable. Impossible de restaurer."
fi
}
# Fonction d'affichage de l'aide
display_help() {
echo "Usage: sudo ./$SCRIPT_NAME [OPTIONS]"
echo "Options:"
echo " -h, --help Display this help message"
echo " -v, --verbose Enable verbose output"
echo " --version Display script version"
echo " --dry-run Perform a dry run without making changes"
echo " --restore Restore system from the most recent backup"
exit 0
}
# Fonction d'affichage de la version
display_version() {
echo "Script de renforcement de la sécurité Linux v$VERSION"
exit 0
}
# Fonction de vérification des autorisations pour Ubuntu
check_permissions() {
if [ "$EUID" -ne 0 ]; then
echo -e "${RED} * Ce script doit être exécuté avec les privilèges sudo."
echo -e "${RED} * Veuillez l'exécuter à nouveau en utilisant : sudo $0"
exit 1
fi
}
# Fonction de controle de la présence d'un proxy web
check_proxy() {
log "Test présence proxy web ..."
if apt update > /dev/null 2>&1; then
log " * Aucune configuration proxy requise. La mise à jour des paquets a réussi."
else
log " * Erreur lors de la mise à jour des paquets. Vérification des besoins en proxy web ..."
# Tester la connectivité Internet
if ping -c 1 google.com > /dev/null 2>&1; then
log "La connectivité Internet est présente, mais apt ne fonctionne pas. Configuration du proxy requise."
cp 00-proxy/02proxy /etc/apt/apt.conf.d/02proxy || handle_error "Échec de la copie du fichier de configuration du proxy"
log " * Configuration du proxy appliquée."
handle_warning "Essayez de nouveau la mise à jour des paquets avec 'apt update'."
else
handle_error "Aucune connectivité Internet. Vérifiez votre connexion réseau."
fi
fi
}
# Fonction de vérification des exigences du système
check_requirements() {
log "Identification du système ..."
if ! command -v lsb_release &> /dev/null; then
handle_error "La commande lsb_release n'a pas été trouvée. Ce script nécessite un système basé sur Ubuntu et Debian."
fi
local os_name=$(lsb_release -si)
local os_version=$(lsb_release -sr)
if [[ "$os_name" != "Ubuntu" && "$os_name" != "Debian" ]]; then
handle_error "Ce script est conçu pour les systèmes basés sur Ubuntu ou Debian. OS detecté : $os_name"
if [[ $(echo "$os_version < 18.04" | bc) -eq 1 ]]; then
handle_error "Ce script nécessite Ubuntu 18.04 ou une version ultérieure. Version detecté : $os_version"
elif [[ "$os_name" == "Debian" && $(echo "$os_version < 12.0" | bc) -eq 1 ]]; then
handle_error "Ce script nécessite Debian 12.0 ou une version ultérieure. Version detecté : $os_version"
fi
fi
log " * La vérification de la configuration requise a été effectuée. OS: $os_name VERSION: $os_version"
}
# Fonction de mise à jour du système
update_system() {
log "Mise à jour du système ..."
# Mise à jour de la liste des paquets
apt update -y || handle_error "Échec de la mise à jour du système"
# Mise à niveau du système
DEBIAN_FRONTEND=noninteractive apt full-upgrade -y || handle_error "Échec de la mise à niveau du système"
}
# Fonction de mise en place de clé SSH
setup_ssh() {
log "Installation et configuration des clés SSH ..."
# Demande à l'utilisateur s'il souhaite appliquer les clé SSH
local apply_key_ssh
read -p "Voulez-vous appliquer les clé SSH ? (y/N): " apply_key_ssh
#
case $apply_key_ssh in
[Yy]* )
log "Application des clé ssh ..."
# Copie du fichier des clés SSH
cp 01-key/authorized_keys /root/.ssh/authorized_keys || handle_error "Échec de la copie de authorized_keys"
# Mise en place des droits
chmod 600 /root/.ssh/authorized_keys || handle_error "Échec de la mise en place des droits sur le fichier authorized_keys"
chmod 700 /root/.ssh || handle_error "Échec de la mise en place des droits sur le répertoire .ssh"
# Création du répertoire authorized_keys
mkdir -p /etc/ssh/authorized_keys/ || handle_error "Échec de la création du répertoire authorized_keys"
cd /etc/ssh/authorized_keys/ >> /dev/null
# Création du lien symbolique
ln -s /root/.ssh/authorized_keys root || handle_error "Échec de la création du lien symbolique"
#
local file="/etc/ssh/sshd_config"
local line=`grep -n "^.*AuthorizedKeysFile.*authorized_keys.*" $file | cut -d ":" -f 1`
#echo $line
# Vérification de la présence de la ligne AuthorizedKeysFile
if [ -z "$line" ]; then
echo "AuthorizedKeysFile .ssh/authorized_keys" | tee -a $file
else
sed -i ''$line'c\AuthorizedKeysFile .ssh/authorized_keys' $file > /dev/null || handle_error "Échec de "
fi
#
line=`grep -n "^.*AuthorizedKeysFile.*authorized_keys.*" $file | cut -d ":" -f 1` || handle_error "Échec de "
# Redémarrage du service sshd
systemctl restart sshd || handle_error "Échec du redémarrage du service SSH"
log " * Mise en place de clé SSH "
;;
* )
log " * Sauter la mise en place de clé SSH"
;;
esac
}
# Fonction de configuration du prompt de connexion
setup_prompt() {
log "Installation et configuration du prompt de connexion ..."
# Demande à l'utilisateur s'il souhaite appliquer le prompt de connexion
local apply_prompt
read -p "Voulez-vous appliquer le prompt de connexion ? (y/N): " apply_prompt
#
case $apply_prompt in
[Yy]* )
log "Application du prompt ..."
# Copie des fichiers de configuration
cp 02-prompt/banner /etc/banner || handle_error "Échec de la copie de banner"
cp 02-prompt/00-basic /etc/update-motd.d/00-basic || handle_error "Échec de la copie de 00-basic"
# Mise en place des droits
chmod +x /etc/update-motd.d/00-basic || handle_error "Échec de la mise en place des droits sur 00-basic"
# Redémarrage du service sshd
systemctl restart sshd >> /dev/null
log " * Mise en place du prompt de connexion"
;;
* )
log " * Sauter la mise en place du prompt de connexion"
;;
esac
}
# Fonction de configuration du pare-feu
setup_firewall() {
log "Installation et configuration du pare-feu ..."
# Demande à l'utilisateur s'il souhaite appliquer le prompt de connexion
local apply_firewall
read -p "Voulez-vous appliquer la configuration firewall ? (y/N): " apply_firewall
#
case $apply_firewall in
[Yy]* )
log "Application du prompt ..."
# Vérification de la présence de UFW
install_package "ufw"
# Vérification de la présence de iptables
ufw default deny incoming || handle_error "Échec de la définition de la politique de réception par défaut de l'UFW"
ufw default allow outgoing || handle_error "Échec de la définition de la politique de sortie par défaut de l'UFW"
ufw limit ssh comment 'Allow SSH with rate limiting' || handle_error "Échec de la configuration de SSH dans UFW"
ufw allow 80/tcp comment 'Allow HTTP' || handle_error "Échec de l'autorisation de HTTP dans l'UFW"
ufw allow 443/tcp comment 'Allow HTTPS' || handle_error "Échec de l'autorisation de HTTPS dans l'UFW"
ufw allow 22/tcp comment 'Allow HTTPS' || handle_error "Échec de l'autorisation de SSH dans l'UFW"
# Demande à l'utilisateur s'il souhaite appliquer des règles de pare-feu spécifiques à IPv6
local apply_ipv6_rules
read -p "Voulez-vous appliquer des règles de pare-feu spécifiques à IPv6 ? (y/N): " apply_ipv6_rules
# Application des règles de pare-feu spécifiques à IPv6
case $apply_ipv6_rules in
[Yy]* )
log "Application de règles de pare-feu spécifiques à IPv6 ..."
ufw allow in on lo || handle_error "Échec de l'autorisation du trafic de bouclage"
ufw allow out on lo || handle_error "Échec de l'autorisation du trafic de bouclage"
ufw deny in from ::/0 || handle_error "Échec du refus de l'ensemble du trafic IPv6 entrant"
ufw allow out to ::/0 || handle_error "Échec de l'autorisation de tout le trafic IPv6 sortant"
log "Règles de pare-feu IPv6 appliquées"
;;
* )
log "Sauter les règles de pare-feu spécifiques à IPv6"
;;
esac
# Activation de la journalisation UFW
ufw logging on || handle_error "Échec de l'activation de la journalisation UFW"
ufw --force enable || handle_error "Échec de l'activation de l'UFW"
log " * Pare-feu configuré et activé"
;;
* )
log " * Sauter la mise en place du pare-feu"
;;
esac
}
# Fonction de configuration de Fail2Ban
setup_fail2ban() {
log "Installation et configuration de Fail2Ban ..."
# Demande à l'utilisateur s'il souhaite installer Fail2Ban
local apply_fail2ban
read -p "Voulez-vous appliquer la configuration Fail2Ban ? (y/N): " apply_fail2ban
#
case $apply_fail2ban in
[Yy]* )
# Vérification de la présence de Fail2Ban
install_package "fail2ban"
# Copie de la configuration locale de Fail2Ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local || handle_error "Échec de la création de la configuration locale de Fail2Ban"
cp 03-Fail2ban/etc/fail2ban/jail.conf /etc/fail2ban/jail.d/ || handle_error "Échec de la ccopie des configurations Fail2Ban"
# Configuration de Fail2Ban
sed -i 's/bantime = 10m/bantime = 1h/' /etc/fail2ban/jail.local || handle_error "Échec de la mise en place de Fail2Ban bantime"
sed -i 's/maxretry = 5/maxretry = 3/' /etc/fail2ban/jail.local || handle_error "Échec de la définition de Fail2Ban maxretry"
#
systemctl enable fail2ban || handle_error "Échec de l'activation du service Fail2Ban"
systemctl start fail2ban || handle_error "Échec du démarrage du service Fail2Ban"
log "Fail2Ban configuré et démarré"
;;
* )
log " * Sauter de l'installation de fail2ban"
;;
esac
}
# Fonction de configuration de ClamAV
setup_clamav() {
log "Installation et mise à jour de ClamAV ..."
# Demande à l'utilisateur s'il souhaite installer ClamAV
local apply_clamav
read -p "Voulez-vous appliquer la configuration firewall ? (y/N): " apply_clamav
#
case $apply_clamav in
[Yy]* )
# Vérification de la présence de ClamAV
install_package "clamav"
install_package "clamav-daemon"
# Vérification de la présence de Freshclam
systemctl stop clamav-freshclam || log "Avertissement : Échec de l'arrêt de clamav-freshclam"
freshclam || log "Avertissement : La mise à jour de la base de données de ClamAV a échoué"
# Configuration de Freshclam
systemctl start clamav-freshclam || handle_error "Échec du démarrage de clamav-freshclam"
systemctl enable clamav-freshclam || handle_error "Échec de l'activation de clamav-freshclam"
log "ClamAV installé et mis à jour"
;;
* )
log " * Sauter de l'installation de ClamAV"
;;
esac
}
# Fonction de configuration de SNMP
setup_snmp() {
log "Installation et configuration de SNMP ..."
# Demande à l'utilisateur s'il souhaite installer SNMP
local apply_snmp
read -p "Voulez-vous appliquer la configuration SNMP ? (y/N): " apply_snmp
#
case $apply_snmp in
[Yy]* )
# Vérification de la présence de SNMP
install_package "snmpd"
install_package "snmp"
# Copie de la configuration SNMP
cp 05-snmp/snmpd.conf /etc/snmp/snmpd.conf >> /dev/null
systemctl reload daemon
systemctl enable snmpd || handle_error "Échec de l'activation du service SNMP"
systemctl start snmpd || handle_error "Échec du démarrage du service SNMP"
log "SNMP installé et configuré"
;;
* )
log " * Sauter de l'installation de SNMP"
;;
esac
}
# Fonction permettant de désactiver l'accès à la racine
disable_root() {
log "Vérification de la présence d'utilisateurs non root ayant des privilèges sudo ..."
# Obtenir la liste des utilisateurs ayant des privilèges sudo
sudo_users=$(getent group sudo | cut -d: -f4 | tr ',' '\n' | grep -v "^root$")
# Vérifier s'il y a des utilisateurs non root avec des privilèges sudo
if [ -z "$sudo_users" ]; then
log "Attention : Aucun utilisateur non-root avec des privilèges sudo n'a été trouvé. Sauter la désactivation de la connexion root pour plus de sécurité."
echo "Veuillez créer un utilisateur non root avec les privilèges sudo avant de désactiver la connexion root."
return
fi
log "Des utilisateurs non root avec des privilèges sudo ont été trouvés. Procédure de désactivation de l'accès à la racine ..."
# Désactiver l'accès à root
if passwd -l root; then
log "La connexion à root a été désactivée avec succès."
else
handle_error "Échec du verrouillage du compte root"
fi
# Désactiver la connexion SSH de root à titre de précaution supplémentaire
if grep -q "^PermitRootLogin" /etc/ssh/sshd_config; then
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config || handle_error "Échec de la désactivation de la connexion SSH de root dans sshd_config"
else
echo "PermitRootLogin no" | tee -a /etc/ssh/sshd_config > /dev/null || handle_error "Échec de l'ajout de PermitRootLogin no à sshd_config"
fi
# Redémarrer le service SSH pour appliquer les changements
systemctl reload daemon
systemctl restart sshd || handle_error "Échec du redémarrage du service SSH"
log "La connexion de root a été désactivée et la connexion à root par SSH a été explicitement interdite."
}
# Fonction de suppression des paquets inutiles
remove_packages() {
log "Suppression des paquets inutiles ..."
DEBIAN_FRONTEND=noninteractive apt remove --purge -y telnetd nis yp-tools rsh-client rsh-redone-client xinetd || log "Avertissement : Échec de la suppression de certains paquets"
apt autoremove -y || log "Avertissement : échec de l'autoremove"
log "Suppression des paquets inutiles"
}
# Fonction de mise en place de l'audit
setup_audit() {
log "Configuration des règles d'audit ..."
# Vérification de la présence d'auditd
install_package "auditd"
local audit_rules=(
"-w /etc/passwd -p wa -k identity"
"-w /etc/group -p wa -k identity"
"-w /etc/shadow -p wa -k identity"
"-w /etc/sudoers -p wa -k sudoers"
"-w /var/log/auth.log -p wa -k auth_log"
"-w /sbin/insmod -p x -k modules"
"-w /sbin/rmmod -p x -k modules"
"-w /sbin/modprobe -p x -k modules"
"-w /var/log/faillog -p wa -k logins"
"-w /var/log/lastlog -p wa -k logins"
"-w /var/run/utmp -p wa -k session"
"-w /var/log/wtmp -p wa -k session"
"-w /var/log/btmp -p wa -k session"
"-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change"
"-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change"
"-a always,exit -F arch=b64 -S clock_settime -k time-change"
"-a always,exit -F arch=b32 -S clock_settime -k time-change"
"-w /etc/localtime -p wa -k time-change"
)
for rule in "${audit_rules[@]}"; do
echo "$rule" | tee -a /etc/audit/rules.d/audit.rules > /dev/null || handle_error "Échec de l'ajout d'une règle d'audit : $rule"
done
systemctl enable auditd || handle_error "Échec de l'activation du service auditd"
systemctl start auditd || handle_error "Échec du démarrage du service auditd"
log "Règles d'audit configurées et auditd démarré"
}
# Fonction permettant de désactiver les systèmes de fichiers inutilisés
disable_filesystems() {
log "Désactivation des systèmes de fichiers inutilisés ..."
local filesystems=("cramfs" "freevxfs" "jffs2" "hfs" "hfsplus" "squashfs" "udf" "vfat")
for fs in "${filesystems[@]}"; do
echo "install $fs /bin/true" | sudo tee -a /etc/modprobe.d/CIS.conf > /dev/null || handle_error "Échec de la désactivation du système de fichiers : $fs"
done
log "Systèmes de fichiers inutilisés désactivés"
}
# Fonction de sécurisation des paramètres de démarrage
secure_boot() {
log "Sécurisation des paramètres de démarrage ..."
# Fichier de configuration GRUB sécurisé
if [ -f /boot/grub/grub.cfg ]; then
chown root:root /boot/grub/grub.cfg || handle_error "Échec du changement de propriétaire de grub.cfg"
chmod 600 /boot/grub/grub.cfg || handle_error "Échec de la modification des permissions de grub.cfg"
log "Fichier de configuration GRUB sécurisé"
else
log "Avertissement : /boot/grub/grub.cfg n'a pas été trouvé. Ignorer les permissions du fichier GRUB."
fi
# Modifier les paramètres du noyau
if [ -f /etc/default/grub ]; then
# Sauvegarde du fichier original
cp /etc/default/grub /etc/default/grub.bak || handle_error "Échec de la sauvegarde du fichier grub"
# Ajouter ou modifier les paramètres du noyau
local kernel_params="audit=1 net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.send_redirects=0"
# Demande si l'utilisateur souhaite désactiver SACK
local disable_sack
read -p "Voulez-vous désactiver TCP SACK ? Ce n'est généralement pas recommandé. (y/N): " disable_sack
case $disable_sack in
[Yy]* )
kernel_params+=" net.ipv4.tcp_sack=0"
log "TCP SACK sera désactivée"
;;
* )
log "TCP SACK restera activée"
;;
esac
sed -i "s/GRUB_CMDLINE_LINUX=\"\"/GRUB_CMDLINE_LINUX=\"$kernel_params\"/" /etc/default/grub || handle_error "Échec de la modification des paramètres du noyau"
# Update GRUB
if command -v update-grub &> /dev/null; then
update-grub || handle_error "Échec de la mise à jour du GRUB"
elif command -v grub2-mkconfig &> /dev/null; then
grub2-mkconfig -o /boot/grub2/grub.cfg || handle_error "Échec de la mise à jour du GRUB"
else
log "Avertissement : Ni update-grub ni grub2-mkconfig n'ont été trouvés. Veuillez mettre à jour GRUB manuellement."
fi
log "Mise à jour des paramètres du noyau"
else
log "Avertissement : /etc/default/grub n'a pas été trouvé. Sauter les modifications des paramètres du noyau."
fi
log "Paramètres de démarrage sécurisés"
}
# Fonction de configuration d'IPv6
configure_ipv6() {
local disable_ipv6
read -p "Voulez-vous désactiver IPv6 ? (y/N): " disable_ipv6
case $disable_ipv6 in
[Yy]* )
log "Désactivation IPv6 ..."
echo "net.ipv6.conf.all.disable_ipv6 = 1" | tee -a /etc/sysctl.conf || handle_error "Échec de la désactivation d'IPv6 (all)"
echo "net.ipv6.conf.default.disable_ipv6 = 1" | tee -a /etc/sysctl.conf || handle_error "Échec de la désactivation d'IPv6 (default)"
echo "net.ipv6.conf.lo.disable_ipv6 = 1" | tee -a /etc/sysctl.conf || handle_error "Échec de la désactivation d'IPv6 (lo)"
sysctl -p || handle_error "Échec de l'application des changements sysctl"
log "IPv6 a été désactivé"
;;
* )
log "IPv6 reste activé"
;;
esac
}
# Fonction de configuration d'AppArmor
setup_apparmor() {
log "Configuration d'AppArmor ..."
if ! command -v apparmor_status &> /dev/null; then
install_package "apparmor"
install_package "apparmor-utils"
else
log "AppArmor est déjà installé. Sauter l'installation."
fi
systemctl reload daemon
systemctl enable apparmor || handle_error "Échec de l'activation du service AppArmor"
systemctl start apparmor || handle_error "Échec du démarrage du service AppArmor"
aa-enforce /etc/apparmor.d/* || log "Avertissement : Échec de l'application de certains profils AppArmor"
log "L'installation d'AppArmor est terminée. Tous les profils sont en mode exécution."
log "Moniteur /var/log/syslog and /var/log/auth.log pour tout problème lié à AppArmor."
}
# Fonction de configuration de NTP
setup_ntp() {
log "Configuration de la synchronisation de l'heure ..."
# Vérifier si systemd-timesyncd est disponible (systèmes Ubuntu modernes)
if systemctl list-unit-files | grep -q systemd-timesyncd.service; then
log "Utilisation de systemd-timesyncd pour la synchronisation temporelle"
systemctl reload daemon
systemctl enable systemd-timesyncd.service || handle_error "Échec de l'activation du service systemd-timesyncd"
systemctl start systemd-timesyncd.service || handle_error "Échec du démarrage du service systemd-timesyncd"
log "systemd-timesyncd installation terminée"
else
# Revenir au protocole NTP traditionnel si systemd-timesyncd n'est pas disponible
log "Utilisation du protocole NTP traditionnel pour la synchronisation du temps"
install_package "ntp"
systemctl reload daemon
systemctl enable ntp || handle_error "Échec de l'activation du service NTP"
systemctl start ntp || handle_error "Échec du démarrage du service NTP"
log "Configuration NTP terminée"
fi
}
# Fonction de configuration de l'AIDE
setup_aide() {
log "Mise en place d'AIDE ..."
install_package "aide"
aideinit || handle_error "Échec de l'initialisation de la base de données AIDE"
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db || handle_error "Échec du transfert de la base de données AIDE"
log "L'installation d'AIDE est terminée et la base de données a été initialisée."
}
# Fonction de configuration de sysctl
configure_sysctl() {
log "Configuration des paramètres sysctl ..."
local sysctl_config=(
"# IP Spoofing protection"
"net.ipv4.conf.all.rp_filter = 1"
"net.ipv4.conf.default.rp_filter = 1"
""
"# Ignore ICMP broadcast requests"
"net.ipv4.icmp_echo_ignore_broadcasts = 1"
""
"# Disable source packet routing"
"net.ipv4.conf.all.accept_source_route = 0"
"net.ipv6.conf.all.accept_source_route = 0"
""
"# Ignore send redirects"
"net.ipv4.conf.all.send_redirects = 0"
"net.ipv4.conf.default.send_redirects = 0"
""
"# Block SYN attacks"
"net.ipv4.tcp_syncookies = 1"
"net.ipv4.tcp_max_syn_backlog = 2048"
"net.ipv4.tcp_synack_retries = 2"
"net.ipv4.tcp_syn_retries = 5"
""
"# Log Martians"
"net.ipv4.conf.all.log_martians = 1"
"net.ipv4.icmp_ignore_bogus_error_responses = 1"
""
"# Ignore ICMP redirects"
"net.ipv4.conf.all.accept_redirects = 0"
"net.ipv6.conf.all.accept_redirects = 0"
""
"# Ignore Directed pings"
"net.ipv4.icmp_echo_ignore_all = 1"
""
"# Enable ASLR"
"kernel.randomize_va_space = 2"
""
"# Increase system file descriptor limit"
"fs.file-max = 65535"
""
"# Allow for more PIDs"
"kernel.pid_max = 65536"
""
"# Protect against kernel pointer leaks"
"kernel.kptr_restrict = 1"
""
"# Restrict dmesg access"
"kernel.dmesg_restrict = 1"
""
"# Restrict kernel profiling"
"kernel.perf_event_paranoid = 2"
)
printf "%s\n" "${sysctl_config[@]}" | sudo tee -a /etc/sysctl.conf || handle_error "Échec de la mise à jour sysctl.conf"
sysctl -p || handle_error "Échec de l'application des changements sysctl"
log "Paramètres sysctl configurés"
}
# Fonction pour des mesures de sécurité supplémentaires
additional_security() {
log "Appliquer des mesures de sécurité supplémentaires ..."
# Désactiver les vidages de noyau
echo "* hard core 0" | sudo tee -a /etc/security/limits.conf || handle_error "Échec de la désactivation des vidages de noyau"
# Définir des autorisations appropriées pour les fichiers sensibles
chmod 600 /etc/shadow || handle_error "Échec de la définition des autorisations sur /etc/shadow"
chmod 600 /etc/gshadow || handle_error "Échec de la définition des autorisations sur /etc/gshadow"
# Permettre la comptabilisation des processus
install_package "acct"
/usr/sbin/accton on || handle_error "Échec de l'activation de la comptabilité des processus"
# Restreindre SSH
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config || handle_error "Échec de la désactivation de la connexion root via SSH"
sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config || handle_error "Échec de la désactivation de l'authentification par mot de passe pour SSH"
sed -i 's/^#Protocol.*/Protocol 2/' /etc/ssh/sshd_config || handle_error "Échec de la définition de la version du protocole SSH"
systemctl reload daemon
systemctl restart sshd || handle_error "Échec du redémarrage du service SSH"
# Configurer une politique de mot de passe fort
sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs || handle_error "Échec de la définition du nombre maximal de jours pour le mot de passe"
sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t7/' /etc/login.defs || handle_error "Échec de la définition du mot de passe (nombre de jours minimum)"
sed -i 's/password.*pam_unix.so.*/password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=14 remember=5/' /etc/pam.d/common-password || handle_error "Échec de la configuration de la politique de mot de passe"
log "Mesures de sécurité supplémentaires appliquées"
}
# Fonction de mise à jour automatique
setup_automatic_updates() {
log "Mise en place de mises à jour de sécurité automatiques ..."
install_package "unattended-upgrades"
dpkg-reconfigure -plow unattended-upgrades || handle_error "Échec de la configuration des mises à jour sans surveillance"
log "Configuration des mises à jour de sécurité automatiques"
}
# Fonction principale
main() {
local dry_run=false
# Analyse des arguments de la ligne de commande
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help)
display_help
;;
-v|--verbose)
VERBOSE=true
shift
;;
--version)
display_version
;;
--dry-run)
dry_run=true
shift
;;
--restore)
restore_backup
exit 0
;;
*)
echo "Option inconnue : $1"
display_help
;;
esac
done
start
check_permissions
check_proxy
check_requirements
backup_files
if $dry_run; then
log "Exécution d'un 'dry run'. Aucune modification ne sera apportée."
else
update_system
setup_ssh
setup_prompt
setup_firewall
setup_fail2ban
setup_clamav
setup_snmp
# setup_nrpe
# setup_glpi
disable_root
remove_packages
setup_audit
disable_filesystems
secure_boot
configure_ipv6
setup_apparmor
setup_ntp
setup_aide
configure_sysctl
additional_security
setup_automatic_updates
fi
log "Configuration de la sécurité renforcée exécutée !!!"
log "Script by Tips-Of-Mine"
if ! $dry_run; then
# Demander à l'utilisateur s'il souhaite redémarrer
read -p "Voulez-vous redémarrer le système maintenant pour appliquer tous les changements ? (y/N): " restart_now
case $restart_now in
[Yy]* )
log "Redémarrage du système ..."
reboot
;;
* )
log "Veuillez redémarrer votre système manuellement pour appliquer tous les changements."
;;
esac
fi
}
# Exécuter la fonction principale
main "$@"


@ -1,98 +0,0 @@
#!/bin/sh
# Pour install global
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[1;31m'
NOCOLOR='\033[0m'
echo "${YELLOW} *** ${NOCOLOR} Mise en place des droits sur les scripts"
echo "${NOCOLOR}"
chmod +x ./01-ssh/script.sh >> /dev/null
chmod +x ./02-apt/script.sh >> /dev/null
chmod +x ./03-antivirus/script.sh >> /dev/null
chmod +x ./04-agent-glpi/script.sh >> /dev/null
chmod +x ./05-manageengine/script.sh >> /dev/null
chmod +x ./06-snmp/script.sh >> /dev/null
chmod +x ./07-DNS/script.sh >> /dev/null
chmod +x ./08-NRPE/script.sh >> /dev/null
chmod +x ./09-Firewall/script.sh >> /dev/null
chmod +x ./10-Fail2ban/script.sh >> /dev/null
chmod +x ./11-RemoveService/script.sh >> /dev/null
chmod +x ./12-hardening/script.sh >> /dev/null
echo "${YELLOW} *** ${NOCOLOR} Mise en place des droits : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} *** ${NOCOLOR} Lancement du script : SSH"
echo "${NOCOLOR}"
./01-ssh/script.sh
echo "${YELLOW} *** ${NOCOLOR} Fin du script : SSH : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} *** ${NOCOLOR} Lancement du script : APT"
echo "${NOCOLOR}"
./02-apt/script.sh
echo "${YELLOW} *** ${NOCOLOR} Fin du script : APT : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} *** ${NOCOLOR} Lancement du script : Antivirus"
echo "${NOCOLOR}"
./03-antivirus/script.sh
echo "${YELLOW} *** ${NOCOLOR} Fin du script : Antivirus : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} *** ${NOCOLOR} Lancement du script : GLPI"
echo "${NOCOLOR}"
./04-agent-glpi/script.sh
echo "${YELLOW} *** ${NOCOLOR} Fin du script : GLPI : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} *** ${NOCOLOR} Lancement du script : SNMP"
echo "${NOCOLOR}"
./06-snmp/script.sh
echo "${YELLOW} *** ${NOCOLOR} Fin du script : SNMP : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} *** ${NOCOLOR} Lancement du script : DNS"
echo "${NOCOLOR}"
./07-DNS/script.sh
echo "${YELLOW} *** ${NOCOLOR} Fin du script : DNS : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} *** ${NOCOLOR} Lancement du script : NRPE"
echo "${NOCOLOR}"
./08-NRPE/script.sh
echo "${YELLOW} *** ${NOCOLOR} Fin du script : NRPE : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} *** ${NOCOLOR} Lancement du script : Firewall"
echo "${NOCOLOR}"
./09-Firewall/script.sh
echo "${YELLOW} *** ${NOCOLOR} Fin du script : Firewall : ${GREEN} OK"
echo "${NOCOLOR}"
echo "${YELLOW} *** ${NOCOLOR} Lancement du script : Fail2Ban"
echo "${NOCOLOR}"
./10-Fail2ban/script.sh
echo "${YELLOW} *** ${NOCOLOR} Fin du script : Fail2Ban : ${GREEN} OK"
echo "${NOCOLOR}"