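#!/bin/sh
#set -x   # careful: tracing also prints CFG_GRUBPASS in clear (see the GRUB section)
#
# astra-safepolicy: apply the security policy described by a config file.
# Usage: <script> CONFIG
# CONFIG is a shell snippet that is sourced; it may set CFG_QUOTES,
# CFG_GRUBPASS, CFG_ULIMITS, CFG_TALLY, CFG_CRACKLEN, CFG_SECRM, CFG_NCX,
# CFG_IPT and CFG_SWAPS (one section below per variable). The script rewrites
# files under /etc and /boot, so it needs the privileges to do so.

PKG="astra-safepolicy"
readonly PKG
# Helper that turns the clear-text GRUB password into an md5 hash.
CMD_GETMD5="/usr/lib/$PKG/asp-getmd5"
FILE_MENULST="/boot/grub/menu.lst"
FILE_LIMITS="/etc/security/limits.conf"
FILE_FSTAB="/etc/fstab"
FILE_RESOLV="/etc/resolv.conf"
# Flag file for the nochmodx mode; a "1" is written to it to enable the mode.
FILE_NCX="/parsecfs/nochmodx"
# Pre-built iptables rule sets for the Low / Middle / High levels, copied to
# FILE_IPTABLES by the CFG_IPT section.
FILE_IPTL="/usr/lib/$PKG/ipt_low.cfg"
FILE_IPTM="/usr/lib/$PKG/ipt_mid.cfg"
FILE_IPTH="/usr/lib/$PKG/ipt_hi.cfg"
FILE_IPTABLES="/etc/iptables_rules.cfg"
FILE_LOGINDEFS="/etc/login.defs"
# pam-auth-update profiles generated by the CFG_TALLY / CFG_CRACKLEN sections.
FILE_TALLY="/usr/share/pam-configs/tally"
FILE_CRACK="/usr/share/pam-configs/cracklib"
readonly CMD_GETMD5 FILE_MENULST FILE_LIMITS FILE_FSTAB FILE_RESOLV FILE_NCX
readonly FILE_IPTL FILE_IPTM FILE_IPTH FILE_IPTABLES FILE_LOGINDEFS
readonly FILE_TALLY FILE_CRACK

# umountfs is the service whose rc0 link sequence the swap wiper is ordered
# against; INITD is the generated init.d script.
INITD_UNM='umountfs'
INITDSCR='astra-swap-wiper'
INITD="/etc/init.d/$INITDSCR"
readonly INITD_UNM INITDSCR INITD

# Scratch files. mktemp (coreutils) replaces the Debian-only, deprecated
# tempfile(1); failure to create one aborts before any system file is touched.
TMP=$(mktemp) || exit 1
TMP1=$(mktemp) || exit 1
TMP2=$(mktemp) || exit 1
readonly TMP TMP1 TMP2

# Several sections 'exit 1' early; the trap keeps them from leaving scratch
# files behind.
cleanup() { rm -f -- "$TMP" "$TMP1" "$TMP2"; }
trap cleanup EXIT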


# out: XYY, X=0 if K, X=1 if S, YY=level
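#######################################
# Locate the rc<lev>.d link of a SysV service and encode it in the exit
# status.
# Globals:   TMP - scratch file, overwritten
# Arguments: $1 - service (init.d script) name
#            $2 - runlevel digit
# Outputs:   progress and diagnostics on stdout
# Returns:   the number XYY: X=0 for a K link, X=1 for an S link, YY = the
#            link's two-digit sequence number. Exits the script with 1 when
#            no matching link exists or its name is malformed.
# NOTE: the status is a number, so a K link with sequence 00..09 comes back
# as 0..9 -- callers must not rely on digit count to tell K from S.
#######################################
get_serv_info()
{
	local serv lev link ks lv ret
	serv=$1
	lev=$2

	# Keep the rc*.d link paths that 'update-rc.d -n -f ... remove' prints
	# and split them on '/' so the link name is the third word of each line.
	update-rc.d -n -f "$serv" remove | grep "/etc/rc*." | tr -t "/" " " > "$TMP"
	# The pipeline status is tr's, so an empty result is the real "not found"
	# signal (the original tested $? here, which never failed).
	if [ ! -s "$TMP" ]; then
		echo "Not found $serv links"
		rm -f "$TMP"
		exit 1
	fi
	link=$(grep " rc$lev.d " "$TMP" | sed -e "s/^ *//" | cut -d " " -f 3)
	if [ -z "$link" ]; then
		echo "Not found rc$lev $serv link"
		rm -f "$TMP"
		exit 1
	fi
	echo "Found rc$lev $serv link"
	# Exactly K or S (the original class [K,S] also let a comma through),
	# two digits, then the service name.
	if ! echo "$link" | grep -E -q "^[KS][0-9][0-9]$serv\$"; then
		echo "Wrong rc$lev $serv link!"
		rm -f "$TMP"
		exit 1
	fi
	ks=$(echo "$link" | cut -b 1)
	lv=$(echo "$link" | cut -b 2-3)
	echo "KS=$ks LV=$lv"
	case $ks in
		K) ret=0 ;;
		S) ret=1 ;;
		*)
			# Unreachable after the pattern check above; kept as a guard.
			echo "Wrong letter of link name! Must be K or S."
			rm -f "$TMP"
			exit 1 ;;
	esac
	ret="$ret$lv"
	echo "return=$ret"
	return "$ret"
}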





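#######################################
# Comment out every line of a file: each line ends up with exactly one
# leading '#' (existing leading '#'s are collapsed, blank lines become '#').
# Arguments: $1 - file to edit in place
# Returns:   sed's status (0 on success)
#######################################
comment()
{
	# One anchored pass instead of the original two ('s/?*/#/' then
	# 's/#*/#/'); anchoring at ^ also stops a leading run of '?' from being
	# swallowed by the first substitution.
	sed -i -e 's/^#*/#/' -- "$1"
}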

#######################################
# Tell whether pam_tally is already provided through the faillock-style
# pam-auth-update profiles.
# Returns:   0 when both pam_tally.preauth and pam_tally.authfail exist under
#            /usr/share/pam-configs, 1 otherwise
#######################################
pam_tally_in_faillock_mode()
{
	local profile_dir="/usr/share/pam-configs"
	[ -f "$profile_dir/pam_tally.preauth" ] && [ -f "$profile_dir/pam_tally.authfail" ]
}

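# The single argument is the policy config. It is sourced as shell code, so it
# must be a file the caller trusts (presumably root-owned). A missing config
# is fatal: the original only printed the error and went on to source it.
CFG=$1
if [ -z "$CFG" ] || [ ! -e "$CFG" ]; then
	echo "ERROR! Config doesn't exist!" >&2
	exit 1
fi
# POSIX '.' searches PATH for a name without a slash; pin it to the given
# path so a bare file name means the file in the current directory.
case $CFG in
	*/*) ;;
	*) CFG=./$CFG ;;
esac
. "$CFG"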

###### CODE
### GRUB

# Quotas: the setting is only announced here; nothing else in this script
# acts on CFG_QUOTES.
if [ -n "$CFG_QUOTES" ]; then
	printf '%s\n' "Setting quotes to $CFG_QUOTES..."
fi

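### GRUB legacy: protect menu.lst with a password and lock every entry.
if [ -n "$CFG_GRUBPASS" ]; then
	echo "Start setting GRUB password..."
	# NOTE(review): these two edits are applied to the policy config itself,
	# not to $FILE_MENULST -- confirm that is intended.
	sed -i -e "s/^[\t ]*//" "$CFG"
	sed -i -e 's/^password /#password /' "$CFG"
	# The helper receives the clear-text password on its command line, so it
	# is briefly visible to other local users in the process list.
	mdhash=$("$CMD_GETMD5" "$CFG_GRUBPASS")
	if [ -z "$mdhash" ]; then
		# Without a hash the 'password --md5' line would be written empty,
		# i.e. no protection at all.
		echo "ERROR! Could not hash the GRUB password with $CMD_GETMD5" >&2
		exit 1
	fi
	# New menu.lst = password line + old content, with a 'lock' line after
	# every 'title' entry ('lock' makes GRUB legacy ask for the password
	# before booting that entry). One sed pass replaces the per-line loop.
	{
		echo "password --md5 $mdhash"
		cat "$FILE_MENULST"
	} > "$TMP"
	sed -i -e '/^title/a lock' "$TMP"
	cp -f "$TMP" "$FILE_MENULST"

	echo "Setting GRUB password...OK"
fi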
### 
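### ulimits: CFG_ULIMITS is "<fsize> <nofile> <nproc>" (hard limits); the
### soft limits are half of the hard ones.
if [ -n "$CFG_ULIMITS" ]; then
	echo "Start setting ulimits..."
	read -r fsh nfh nph <<-EOF
		$CFG_ULIMITS
	EOF
	# Refuse non-numeric values before touching limits.conf; expr(1) on bad
	# input used to leave empty soft limits in the file.
	for v in "$fsh" "$nfh" "$nph"; do
		case $v in
			''|*[!0-9]*)
				echo "ERROR! CFG_ULIMITS must be three integers, got '$CFG_ULIMITS'" >&2
				exit 1 ;;
		esac
	done
	fss=$((fsh / 2))
	nfs=$((nfh / 2))
	nps=$((nph / 2))
	# comment() prefixes every existing line with '#', so the lines appended
	# below are the only active settings.
	comment "$FILE_LIMITS"
	{
		echo "* hard fsize $fsh"
		echo "* soft fsize $fss"
		echo "* hard nofile $nfh"
		echo "* soft nofile $nfs"
		echo "* hard nproc $nph"
		echo "* soft nproc $nps"
	} >> "$FILE_LIMITS"
	echo "Setting ulimits...OK"
fi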


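### pam_tally: lock accounts after CFG_TALLY failed logins. Skipped when the
### value is 0 or when faillock-style pam_tally profiles already exist.
if [ -n "$CFG_TALLY" ] && [ "$CFG_TALLY" != "0" ] && ! pam_tally_in_faillock_mode; then
	echo "Start configuring pam_tally module..."
	# The value lands in a PAM module argument; only accept a number.
	case $CFG_TALLY in
		*[!0-9]*)
			echo "ERROR! CFG_TALLY must be a number, got '$CFG_TALLY'" >&2
			exit 1 ;;
	esac
	# login.defs' own failure logging is disabled; pam_tally takes over.
	sed -i -e "s/^FAILLOG_ENAB/#FAILLOG_ENAB/g" "$FILE_LOGINDEFS"

	# pam-auth-update profile (activated by 'pam-auth-update --package' at the
	# end of this script). Control values: non-local users skip the two
	# following lines, members of astra-admin skip the counter, everybody
	# else is counted per user and denied after CFG_TALLY failures.
	# The module lines must keep their literal tabs.
	cat > "$FILE_TALLY" <<EOF
Name: pam tally
Default: yes
Priority: 300
Auth-Type: Primary
Auth:
	[success=ignore default=2]	pam_localuser.so
	[success=1 default=ignore]	pam_succeed_if.so quiet user ingroup astra-admin
	[success=ignore default=die]	pam_tally.so per_user deny=$CFG_TALLY
Auth-Initial:
	[success=ignore default=2]	pam_localuser.so
	[success=1 default=ignore]	pam_succeed_if.so quiet user ingroup astra-admin
	[success=ignore default=die]	pam_tally.so per_user deny=$CFG_TALLY
Account-Type: Primary
Account:
	required	pam_tally.so
Account-Initial:
	required	pam_tally.so
EOF
	echo "Finish configuring pam_tally module."
fi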



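### cracklib: minimum password length via a pam-auth-update profile.
if [ -n "$CFG_CRACKLEN" ]; then
	echo "Start setting cracklib..."
	# The value becomes the minlen= module argument; only accept a number.
	case $CFG_CRACKLEN in
		''|*[!0-9]*)
			echo "ERROR! CFG_CRACKLEN must be a number, got '$CFG_CRACKLEN'" >&2
			exit 1 ;;
	esac

	# Profile content is written verbatim (the module lines carry literal
	# tabs); it is activated by 'pam-auth-update --package' at the end.
	cat > "$FILE_CRACK" <<EOF
Name: Cracklib password strength checking
Default: yes
Priority: 1024
Conflicts: unix-zany
Password-Type: Primary
Password:
requisite			pam_cracklib.so retry=3 minlen=$CFG_CRACKLEN difok=3
Password-Initial:
requisite			pam_cracklib.so retry=3 minlen=$CFG_CRACKLEN difok=3
EOF

	echo "Setting cracklib...OK"
fi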

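### secrm: add the 'secdel' mount option to the fstab entries listed in
### CFG_SECRM (comma-separated first-field values: devices or UUID=...).
if [ -n "$CFG_SECRM" ]; then
	echo "Start setting secrm mode..."
	secrm_list=$(echo "$CFG_SECRM" | tr -d ' ')
	# awk instead of the per-line grep/sed loop: fstab fields may be tab- or
	# space-separated (the old 's/  */ /g' only collapsed spaces, so the 4th
	# field was wrong on tab-separated lines), entries not present in fstab
	# are left alone, and an entry that already has secdel is not prefixed
	# twice. Only touched lines are re-emitted space-separated.
	# Note: awk -v applies backslash escapes to its value; fstab names are not
	# expected to contain backslashes.
	awk -v targets="$secrm_list" '
		BEGIN {
			n = split(targets, t, ",")
			for (i = 1; i <= n; i++) if (t[i] != "") want[t[i]] = 1
		}
		/^[ \t]*#/ || NF < 4 { print; next }
		($1 in want) && ($4 !~ /(^|,)secdel(,|$)/) { $4 = "secdel," $4 }
		{ print }
	' "$FILE_FSTAB" > "$TMP1" || exit 1
	# Write back to FILE_FSTAB (the original hard-coded /etc/fstab here).
	cp -f "$TMP1" "$FILE_FSTAB"
	echo "Setting secrm mode...OK"
fi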

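### nochmodx: enabled by writing "1" to the flag file, but only when the
### file exists (the underlying filesystem provides it).
if [ "$CFG_NCX" = "true" ]; then
	if [ -e "$FILE_NCX" ]; then
		echo "Start setting nochmodx mode..."
		echo "Turning on nochmodx"
		echo "1" > "$FILE_NCX"
		echo "Setting nochmodx mode...OK"
	fi
fi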

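### iptables: install the pre-built rule set for the requested level.
if [ -n "$CFG_IPT" ]; then
	echo "Start setting iptables rules..."
	# case instead of unquoted '[ $CFG_IPT = ... ]', which broke on values
	# with spaces; an unknown level is now reported instead of silently
	# printing OK with nothing installed.
	case $CFG_IPT in
		Low)
			cp -f "$FILE_IPTL" "$FILE_IPTABLES" ;;
		Middle)
			cp -f "$FILE_IPTM" "$FILE_IPTABLES" ;;
		High)
			cp -f "$FILE_IPTH" "$FILE_IPTABLES"
			# The High rule file is expected to carry a ' DNSIP ' placeholder.
			# Take the first active 'nameserver' line only: the old
			# 'grep "nameserver "' also matched commented-out lines, and a
			# multi-line value would break the sed replacement.
			DNSIP=$(awk '/^nameserver[ \t]/ { print $2; exit }' "$FILE_RESOLV")
			if [ -z "$DNSIP" ]; then
				echo "Can not find DNS IP in $FILE_RESOLV"
			else
				sed -i -e "s/ DNSIP / $DNSIP /" "$FILE_IPTABLES"
			fi
			;;
		*)
			echo "ERROR! Unknown CFG_IPT level '$CFG_IPT' (expected Low, Middle or High)" >&2
			exit 1 ;;
	esac
	echo "Setting iptables rules...OK"
fi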

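### swap wiper: generate an init.d script that zero-fills the swap devices
### listed in CFG_SWAPS and hook it into runlevel 0 just before umountfs.
if [ -n "$CFG_SWAPS" ]; then
	echo "Start installing swap-startup-wiper init.d script..."
	# get_serv_info encodes the umountfs rc0 link in its exit status as XYY:
	# X=0 -> K link, X=1 -> S link, YY = sequence number. Decode it
	# numerically; the old digit-count test lost single-digit K sequences
	# (K05 comes back as 5) and then fed an empty level to update-rc.d.
	get_serv_info "$INITD_UNM" 0
	ret=$?
	if [ "$ret" -ge 100 ]; then
		scrKS="S"
		scrLV=$((ret - 100))
	else
		scrKS="K"
		scrLV=$ret
	fi
	printf 'RET rc_level=%s%02d\n' "$scrKS" "$scrLV"
	# One sequence number below the umountfs link, intended to order the
	# wiper before the unmount in runlevel 0.
	newLV=$((scrLV - 1))
	if [ "$newLV" -lt 0 ]; then
		echo "ERROR! $INITD_UNM link sequence $scrLV leaves no room for $INITDSCR" >&2
		exit 1
	fi
	echo "RET new rc_level=$scrKS$newLV"

	echo "Creating $INITDSCR..."
	# The generated script is written literally (printf + quoted here-doc):
	# with echo, a /bin/sh that interprets backslash escapes would turn the
	# '\n' inside the sed expression into a real newline and break the
	# generated script. CFG_SWAPS is embedded between single quotes, so the
	# config value must not contain one itself; the config is presumably a
	# trusted root-owned file. The generated script overwrites every listed
	# device with zeros after a 3-second abort window.
	printf '%s\n' '#!/bin/sh' "SWAPS='$CFG_SWAPS'" > "$INITD"
	cat >> "$INITD" <<'EOF'
echo "Start cleaning swap device..."
swaps="`echo "$SWAPS" | sed -e "s/ //g" | sed -e "s/,/\n/g"`" 
n=`echo "$swaps" | wc -l`
swapoff -a > /dev/null
i=1
while [ "$i" -le "$n" ];do
line="`echo "$swaps" | sed -n "$i p" `"
echo "Going to erease swap $line! (CTRL-C to abort)..Sleeping 3 sec"
sleep 3
echo "Erasing..."
dd if=/dev/zero of=$line
mkswap $line
i=`expr $i + 1`
echo "Erasing compleate!"
done
exit 0
EOF
	chmod +x "$INITD"
	echo "Script $INITDSCR creation compleate."
	update-rc.d "$INITDSCR" start "$newLV" 0 .
	echo "Script installed..."
fi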
# Regenerate the PAM stacks from the profiles written above.
printf '%s\n' "Start reenabling pam-modules..."
pam-auth-update --package
printf '%s\n' "secure set done."
#### SWAP-WIPER

	#echo "$CFG_SWAPS" | sed -e "s/ //g" | sed -e "s/,/\n/g" > $TMP
#use /dev/zero 

### EOF


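# Normal-path cleanup of the scratch files; quoted and with '--' so an odd
# temp path cannot be taken as an option.
rm -f -- "$TMP" "$TMP1" "$TMP2"
exit 0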


################## other default settings found on the Internet (reference only, not used)
#IPTABLES
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
#*filter
#:INPUT ACCEPT [0:0]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
#:RH-Firewall-1-INPUT - [0:0]
#-A INPUT -j RH-Firewall-1-INPUT
#-A FORWARD -j RH-Firewall-1-INPUT
#-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
#COMMIT


