source: server/lib/security-config @ da6a7cf

Last change on this file since da6a7cf was b73502c1, checked in by ramon <ramongomez@…>, 9 years ago

#736: Volver a habilitar servicio ogAdmRepo en cortafuegos y propiedad de ejecutable para script de configuración de seguridad.

git-svn-id: https://opengnsys.es/svn/branches/version1.1@4958 a21b9725-9963-47de-94b9-378ad31fedc9

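#!/bin/bash
#/**
#@file    security-config
#@brief   OpenGnsys Server security configuration.
#@version 1.1.0 - Initial version.
#@author  Ramón M. Gómez, ETSII Univ. Sevilla
#@date    2016-04-18
#*/ ##
#
# Opens the host firewall (ufw or firewalld, whichever is installed) for the
# services the OpenGnsys server exposes and, when the SELinux tools are
# present, labels the web, client and image directories so Apache and Samba
# may serve them.  Every step is best-effort: a failing command is reported on
# stderr but does not stop the remaining configuration.
#
# Usage: security-config   (must be run as root)


# Variables.
PROG=$(basename "$0")
OPENGNSYS=/opt/opengnsys
readonly PROG OPENGNSYS

#######################################
# Prints a diagnostic on stderr, prefixed with the program name.
# Arguments: message words
#######################################
warn() {
	printf '%s: %s\n' "$PROG" "$*" >&2
}

#######################################
# Runs a command and reports (without aborting) when it fails.
# Arguments: command and its arguments
# Returns:   0 always, so the remaining steps still run
#######################################
try() {
	"$@" || warn "Warning: command failed (status $?): $*"
}

#######################################
# Opens the OpenGnsys services in ufw and enables the firewall.
# Globals:   none
#######################################
configure_ufw() {
	# Adding active services.
	try ufw allow "Apache Secure"
	try ufw allow OpenSSH
	try ufw allow Samba
	# NOTE: this exposes MySQL on every interface, whereas the firewalld
	# branch below restricts it to the "internal" zone; tighten to the
	# management network if remote database access is not required.
	try ufw allow mysql
	try ufw allow rsync
	try ufw allow tftp
	try ufw allow 67,68/udp			# DHCP
	try ufw allow 2002,2008/tcp		# OpenGnsys services
	try ufw allow 9000:9051/udp		# Multicast
	try ufw allow 6881:6999/udp		# BitTorrent
	# Applying configuration; --force skips the interactive confirmation
	# so the script can run unattended (e.g. from the installer).
	try ufw --force enable
}

#######################################
# Writes the ogAdmServer and ogAdmRepo service definitions for firewalld,
# using the first Python interpreter that has the firewalld modules.
# Outputs:   service files under /etc/firewalld/services
# Returns:   0 when the definitions were written, 1 otherwise
#######################################
define_firewalld_services() {
	local py
	for py in python3 python; do
		command -v "$py" >/dev/null 2>&1 || continue
		# Only the interpreter firewalld itself uses has its modules.
		"$py" -c 'import firewall.core.io.service' 2>/dev/null || continue
		"$py" -c "
import firewall.core.io.service as ios
s=ios.Service()
s.short = 'OpenGnsys Server'
s.name = 'ogAdmServer'
s.ports = [('2008', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')
s.short = 'OpenGnsys Repository'
s.name = 'ogAdmRepo'
s.ports = [('2002', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')"
		return $?
	done
	warn "Warning: no Python interpreter with the firewalld modules was found; ogAdmServer/ogAdmRepo services not defined."
	return 1
}

#######################################
# Opens the OpenGnsys services in firewalld and reloads it.
# Globals:   none
#######################################
configure_firewalld() {
	# Defining OpenGnsys services.  The service files are written directly
	# to disk, so reload first so that the daemon knows the new names
	# before they are referenced below (presumably not visible otherwise).
	if define_firewalld_services; then
		try firewall-cmd --reload
	fi
	# Adding active services.
	try firewall-cmd --permanent --add-service=dhcp
	try firewall-cmd --permanent --add-service=https
	try firewall-cmd --permanent --add-service=mysql --zone internal
	try firewall-cmd --permanent --add-service=ogAdmRepo
	try firewall-cmd --permanent --add-service=ogAdmServer
	# Ubuntu 14.04 does not define "rsyncd" service; fall back to the port.
	firewall-cmd --permanent --add-service=rsyncd || \
		try firewall-cmd --permanent --add-port=873/tcp
	try firewall-cmd --permanent --add-service=samba
	try firewall-cmd --permanent --add-service=ssh
	try firewall-cmd --permanent --add-service=tftp
	# Adding Multicast ports.
	try firewall-cmd --permanent --add-port=9000-9051/udp
	# Adding BitTorrent ports.
	try firewall-cmd --permanent --add-port=6881-6999/udp
	# Applying configuration.
	try firewall-cmd --reload
}

#######################################
# Sets the SELinux booleans and file contexts needed by Apache and Samba.
# Globals:   OPENGNSYS (read)
#######################################
configure_selinux() {
	# Configuring Apache.
	try setsebool -P httpd_can_connect_ldap on
	# Configuring Samba.
	try setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
	# File contexts need semanage, which some distributions ship in a
	# package separate from the one providing setsebool.
	if command -v semanage >/dev/null 2>&1; then
		try semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
		try semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
		try semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
		# Applying configuration.
		try restorecon -R "$OPENGNSYS"
	else
		warn "Warning: semanage not found; SELinux file contexts for $OPENGNSYS were not set."
	fi
}

#######################################
# Entry point: checks privileges, then configures firewall and SELinux.
# Returns:   1 when not run as root, 0 otherwise
#######################################
main() {
	# Errors control: the effective UID is checked rather than $USER, which
	# may be unset or stale under cron or su.
	if [ "$EUID" -ne 0 ]; then
		warn "Need to be root."
		exit 1
	fi

	# UFW configuration.
	if command -v ufw >/dev/null 2>&1; then
		configure_ufw
	# FirewallD configuration.
	elif command -v firewall-cmd >/dev/null 2>&1; then
		configure_firewalld
	else
		warn "Warning: Firewall won't be configured (neither ufw or firewalld are installed)."
	fi

	# SELinux configuration.
	if command -v setsebool >/dev/null 2>&1; then
		configure_selinux
	else
		warn "Warning: SELinux won't be configured (policycoreutils is not installed)."
	fi
}

main "$@"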