fichier conf rsyslog

sio2/CYBER/IDS/aide

@@ -0,0 +1,8 @@
+#!/bin/bash
+aideinit  #initialisation
+/etc/cron.daily/aide  # on lance aide pour vérifier
+more /var/log/aide/aide.log  # on affiche le compte-rendu : pas de changements
+touch /etc/truc # on créée un fichier
+echo  "#########" >> /etc/hosts # on en modifie un autre
+/etc/cron.daily/aide  # on vérifie à nouveau
+more /var/log/aide/aide.log  # on constate les changements survenus ...

sio2/CYBER/IDS/aide.conf

@@ -0,0 +1,189 @@
+# AIDE conf
+
+# set environment for executable config files included by x_include
+@@x_include_setenv UPAC_settingsd /etc/aide/aide.settings.d
+
+# The daily cron job depends on these paths
+database_in=file:/var/lib/aide/aide.db
+database_out=file:/var/lib/aide/aide.db.new
+database_new=file:/var/lib/aide/aide.db.new
+gzip_dbout=yes
+
+# Set to no to disable report_summarize_changes option.
+report_summarize_changes=yes
+
+# Set to no to disable grouping of files in report.
+report_grouped=yes
+
+# Set verbosity of aide run and reports
+log_level=warning
+report_level=changed_attributes
+
+# Set to yes to print the checksums in the report in hex format
+report_base16 = no
+
+# if you want to sacrifice security for speed, remove some of these
+# checksums.
+Checksums = sha256+sha512+haval
+
+# The checksums of the databases to be printed in the report
+# Set to 'E' to disable.
+database_attrs = Checksums
+
+# check permissions, owner, group and file type
+OwnerMode = p+u+g+ftype
+
+# Check size and block count
+Size = s+b
+
+# Files that stay static
+InodeData = OwnerMode+n+i+Size+l+X
+StaticFile = m+c+Checksums
+
+# Files that stay static but are copied to a ram disk on startup
+# (causing different inode)
+RamdiskData = InodeData-i
+
+# Check everything
+Full = InodeData+StaticFile
+
+# Files that change their mtimes or ctimes but not their contents
+VarTime = InodeData+Checksums
+
+# Files that are recreated regularly but do not change their contents
+VarInode = VarTime-i
+
+# Files that change their contents during system operation
+VarFile = OwnerMode+n+l+X
+
+# Directories that change their contents during system operation
+VarDir = OwnerMode+n+i+X
+
+# Directories that are recreated regularly and change their contents
+VarDirInode = OwnerMode+n+X
+
+# Directories that change their mtimes or ctimes but not their contents
+VarDirTime = InodeData
+
+# Logs are special: they are continously written to, may be compressed
+# have their file name changed in different, mutually incompatibly ways
+# and apprear and vanish at will. Handling this is a a complex and error-
+# prone issue.
+#
+# This is best broken down in a number of small tasks:
+#
+#
+# (A)
+# While a live log is being written to, it doesn't change its mode and
+# inode and its size only increases.
+#
+# (B)
+# When a live log is rotated for the first time, it should not change
+# its mode, may change its inode, and its size decreases. The size
+# decrease may not be noticed by aide if the file had size x at the last
+# aide run, was rotated in the mean time and was written to so that it
+# had a size > x at the next aide run.
+#
+# (C)
+# When a log is compressed, this looks to aide like the uncompressed
+# file vanished (or was replaced by another file) and the compressed
+# file appeared out of the blue. There is (currently) no way to
+# associate the (gone) uncompressed file's contents with the (new)
+# compressed file's contents
+#
+# (D)
+# The actual log rotation may rename foo.{x}.bar to foo.{x+1}.bar without
+# changing the other properties of the file
+#
+# (E)
+# If only a given number of log generations is to be kept, foo.{y}.bar may
+# vanish, but usually only when no foo.{z}.bar exists for z>y.
+#
+# (F)
+# The set of files foo.{x}.bar to foo.{y}.bar is called a "log series"
+# in aide terms, with the lowest x being called the "LoSerMember" element
+# and the highest y being called the "HiSerMember" element, and the z
+# with x<z<y simple called "SerMember". The Lo and Hi members need to
+# be special cased in aide configuration.
+#
+#
+# This is an example of the normal life of a log named foo in a logrotate
+# configuration using a configuration at it is commonly used in Debian
+# (from old to new):
+#     1 logrotate deletes HiSerMember foo.{y}.gz
+#     2 logrotate rotates SerMember foo.{z-1}.gz to foo.{z}.gz for all
+#       z with 3<z<=y. This includes rotation of foo.{y-1}.gz to
+#       foo.{y}.gz and foo.2.gz to foo.3.gz
+#     3 logrotate compresses foo.1 to foo.2.gz, creating LoSerMember foo.2.gz
+#     4 logrotate rotates foo to foo.1 (a simple rename)
+#     5 logrotate creates new, empty foo
+#     6 foo daemon logs to foo - foo grows in size
+#
+# we need the following rules:
+# /var/log/foo$ f Log
+# /var/log/foo$ f FreqRotLog
+#    this takes care of the growing live log (step 7). The "Log" rule
+#    is appropriate for logs that are not rotated daily as rotation
+#    might be reported (if the file size has decreased since the last
+#    aide run). For daily rotated logs, the "FreqRotLog" may be more
+#    appropriate.
+# /var/log/foo\.1$ f LowLog
+#    this takes care of step 5.
+# /var/log/foo\.2\.gz$ f LoSerMemberLog
+#    this allows yet unknown new files to appear with a \.2\.gz extension,
+#    covering step 3.
+# /var/log/foo\.[3..y-1]\.gz$ f SerMemberLog
+#    this watches the log files as they wander through the Series,
+#    changing only their file name but not their contents or metadata,
+#    covering step 2.
+#    Please note that [3..y-1] needs to be a manually crafted regexp covering
+#    all numbers between 3 and y-1.
+# /var/log/foo\.y\.gz$ f HiSerMemberLog
+#    finally, the last element of the Series is allowed to vanish without
+#    being reported, covering step 1.
+#
+# Please note that these example rules need to be adapted to the logrotate
+# configuration for the log. Compression may be disabled or lead to a different
+# extension, the dateext option may be used, old logs might be held in a
+# different place, a log series does not necessarily need to be compressed etc.
+#
+# Please note that savelog rotates the live log to .0 and not to .1 as it
+# is logrotates (changeable) default.
+
+
+# Logs grow in size. Log rotation of these logs will be reported, so
+# this should only be used for logs that are not rotated daily.
+Log = OwnerMode+n+S+X
+
+# Logs that are frequently rotated
+FreqRotLog = Log-S
+
+# The first instance of a rotated log: After the log has stopped being
+# written to, but before rotation
+LowLog = Log-S
+
+# Rotated logs change their file name but retain all their other properties
+SerMemberLog  = Full+I
+
+# The first instance of a compressed, rotated log: After a LowLog was
+# compressed.
+LoSerMemberLog = SerMemberLog+ANF
+
+# The last instance of a compressed, rotated log: After this name, a log
+# will be removed
+HiSerMemberLog = SerMemberLog+ARF
+
+# Not-yet-compressed log created by logrotate's dateext option:
+# These files appear one rotation (renamed from the live log) and are gone
+# the next rotation (being compressed)
+LowDELog = SerMemberLog+ANF+ARF
+
+# Compressed log created by logrotate's dateext option: These files appear
+# once and are not touched any more.
+SerMemberDELog = Full+ANF
+
+# For daemons that log to a variable file name and have the live log
+# hardlinked to a static file name
+LinkedLog = Log-n
+
+@@x_include /etc/aide/aide.conf.d ^[a-zA-Z0-9_-]+$

sio2/SISR/HAPROXY/haproxy.cfg

@@ -0,0 +1,42 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+	log	global
+	mode	http
+	option	httplog
+	option	dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+
+listen httpProxy
+bind 192.168.0.140:80
+balance roundrobin
+option httpclose
+option httpchk HEAD / HTTP/1.0
+server web1 172.16.1.11:80 check
+server web2 172.16.1.12:80 check

sio2/SISR/LB/ipvsadm

@@ -0,0 +1,9 @@
+#!/bin/bash
+echo "1" > /proc/sys/net/ipv4/ip_forward
+ipvsadm -A -t 192.168.0.140:80 -s rr
+
+ipvsadm -a -t 192.168.0.140:80 -r 172.16.1.11:80 -m
+ipvsadm -a -t 192.168.0.140:80 -r 172.16.1.12:80 -m
+
+
+

sio2/SISR/PXE/dhcpd.conf

@@ -0,0 +1,109 @@
+# dhcpd.conf
+#
+# Sample configuration file for ISC dhcpd
+#
+
+# option definitions common to all supported networks...
+option domain-name "192.168.1.1";
+option domain-name-servers 192.168.1.1;
+
+default-lease-time 600;
+max-lease-time 7200;
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+#authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+#log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+  range 192.168.1.20 192.168.1.50;
+  option routers 192.168.1.1;
+  option domain-name "sio.lan";
+  filename "pxelinux.0";
+  next-server 192.168.1.1;
+}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+# server-name "toccata.example.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+#  hardware ethernet 08:00:07:26:c0:a5;
+#  fixed-address fantasia.example.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}

sio2/SISR/PXE/enp0s3

@@ -0,0 +1,3 @@
+# generated by FAI
+auto enp0s3
+iface enp0s3 inet dhcp

sio2/SISR/PXE/enp0s8

@@ -0,0 +1,5 @@
+# generated by FAI
+auto enp0s8
+iface enp0s8 inet static
+	address 192.168.1.1/24
+	up /root/nat.sh

sio2/SISR/PXE/isc-dhcp-server

@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+#DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="enp0s8"
+INTERFACESv6=""

sio2/SISR/PXE/nat.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+echo "1"> /proc/sys/net/ipv4/ip_forward
+iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
+iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE

sio2/SISR/RSYSLOG/rsyslog.con.emeteur

@@ -0,0 +1,71 @@
+# /etc/rsyslog.conf configuration file for rsyslog
+#
+# For more information install rsyslog-doc and see
+# /usr/share/doc/rsyslog-doc/html/configuration/index.html
+
+
+#################
+#### MODULES ####
+#################
+
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog")   # provides kernel logging support
+#module(load="immark")  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#module(load="imudp") MACHINE DE RECEPTION
+#input(type="imudp" port="514") MACHINE DE RECEPTION
+
+# provides TCP syslog reception
+#module(load="imtcp")
+#input(type="imtcp" port="514")
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# Log anything besides private authentication messages to a single log file
+#
+*.*;auth,authpriv.none		-/var/log/syslog
+
+#
+# Log commonly used facilities to their own log file
+#
+auth,authpriv.*			/var/log/auth.log
+cron.*				-/var/log/cron.log
+kern.*				-/var/log/kern.log
+mail.*				-/var/log/mail.log
+user.*				-/var/log/user.log
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				:omusrmsg:*
+*.* @192.168.0.21:514 # exporte tous les logs de toute gravité et de toute origine vers l'adresse 192.168.100 port UDP 514
+*.* @192.168.0.32:514 # exporte tous les logs de toute gravité et de toute origine vers l'adresse 192.168.100 port UDP 514

sio2/VAGRANT/Vagrantfile

@@ -0,0 +1,14 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+Vagrant.configure("2") do |config|
+  config.vm.provision "shell", inline: "apt-get update -y" # execute pour chacune des machines
+ 
+  config.vm.define "IDS" do |ids|#VM No'1
+    ids.vm.box = "debian/bookworm64" #Setting machine type
+    ids.vm.hostname = "IDS" #Setting machine type
+    ids.vm.network "public_network"#Set DHCP
+    ids.vm.provision "shell", inline: <<-SHELL
+     apt-get install -y wget curl vim unzip chkrootkit rkhunter fail2ban
+   SHELL
+  end
+end