CESI: présentation + maquette Vagrant Sécurité entreprise

2018-02-01 17:35:41 +01:00
parent 1fd175b4c9
commit 708bed3a16
17 changed files with 741 additions and 0 deletions
--- a/cesi/securite_entreprise/ressources/intranet-demo/provisioning/common/disable_predictable_interfaces.sh
+++ b/cesi/securite_entreprise/ressources/intranet-demo/provisioning/common/disable_predictable_interfaces.sh
@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="net.ifnames=0"/' /etc/default/grub
+
+update-grub
--- a/cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/configure_dns.sh
+++ b/cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/configure_dns.sh
@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -xe
+
+source /vagrant/provisioning/firewall/firewall.conf
+
+apt-get update
+apt-get install -y dnsmasq
+
+systemctl stop systemd-resolved
+systemctl disable systemd-resolved
+
+
+cat > /etc/dnsmasq.d/local.conf <<EOF
+
+interface=$DEVELOPER_IFACE
+interface=$ACCOUNTING_IFACE
+
+dhcp-range=$DEVELOPER_IFACE,192.168.201.10,192.168.201.100,4h
+dhcp-range=$DEVELOPER_IFACE,192.168.200.10,192.168.200.100,4h
+EOF
+
+
+systemctl restart dnsmasq
--- a/cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/configure_firewall_rules.sh
+++ b/cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/configure_firewall_rules.sh
@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+set -xe
+
+source /vagrant/provisioning/firewall/firewall.conf
+
+ufw disable
+
+# Règles de pare-feu/routage
+
+ufw logging on
+
+# Règles par défaut
+ufw default deny outgoing
+ufw default deny
+
+ufw allow ssh\
+  comment "ALLOW SSH (IN)"
+ufw allow in 53,67,68/udp\
+  comment "ALLOW DNS + DHCP (IN)"
+ufw allow out 53,67,68/udp\
+  comment "ALLOW DNS + DHCP (OUT)"
+
+# Règles de routage
+
+ufw route allow in on $DEVELOPER_IFACE out on $MGMT_IFACE to any port 80 from $DEVELOPER_NETWORK\
+  comment "DEVELOPER -> 80 INTERNET"
+ufw route allow in on $DEVELOPER_IFACE out on $MGMT_IFACE to any port 443 from $DEVELOPER_NETWORK\
+  comment "DEVELOPER -> 443 INTERNET"
+
+# On autorise les connexions HTTP(S) vers l'exterieur depuis le réseau "accounting"
+ufw route allow in on $ACCOUNTING_IFACE out on $MGMT_IFACE to any port 80 from $ACCOUNTING_NETWORK\
+  comment "ACCOUNTING -> 80 INTERNET"
+ufw route allow in on $ACCOUNTING_IFACE out on $MGMT_IFACE to any port 443 from $ACCOUNTING_NETWORK\
+  comment "ACCOUNTING -> 443 INTERNET"
+
+# On autorise toutes les connexions vers le réseau "services intranet" depuis le réseau "accounting"
+# et le réseau "developer"
+ufw route allow in on $ACCOUNTING_IFACE out on $INTRANET_IFACE to any from $ACCOUNTING_NETWORK\
+  comment "ACCOUNTING -> * SERVICES INTRA"
+ufw route allow in on $DEVELOPER_IFACE out on $INTRANET_IFACE to any from $DEVELOPER_NETWORK\
+  comment "DEVELOPER -> * SERVICES INTRA"
+
+# Application des règles
+ufw --force enable
--- a/cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/configure_ip_forwarding.sh
+++ b/cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/configure_ip_forwarding.sh
@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -xe
+
+source /vagrant/provisioning/firewall/firewall.conf
+
+# Activation du NAT Forwarding
+sed -i 's/^#net\/ipv4\/ip_forward.*$/net\/ipv4\/ip_forward=1/' /etc/ufw/sysctl.conf
+sed -i 's/^#net\/ipv6\/conf\/default\/forwarding.*$/net\/ipv6\/conf\/default\/forwarding=1/' /etc/ufw/sysctl.conf
+sed -i 's/^#net\/ipv6\/conf\/all\/forwarding.*$/net\/ipv6\/conf\/all\/forwarding=1/' /etc/ufw/sysctl.conf
+
+#sed -i 's/^DEFAULT_FORWARD_POLICY="DROP"$/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
+
+# Ajout des règles de forwarding
+TMP_FILE=$(mktemp)
+cat > "$TMP_FILE" <<EOF
+*nat
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s $INTRANET_NETWORK -o $MGMT_IFACE -j MASQUERADE
+-A POSTROUTING -s $ACCOUNTING_NETWORK -o $MGMT_IFACE -j MASQUERADE
+-A POSTROUTING -s $DEVELOPER_NETWORK -o $MGMT_IFACE -j MASQUERADE
+COMMIT
+
+$(cat /etc/ufw/before.rules)
+EOF
+
+mv /etc/ufw/before.rules /etc/ufw/before.rules.bak
+mv "$TMP_FILE" /etc/ufw/before.rules
+
+rm -f "$TMP_FILE"
--- a/cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/firewall.conf
+++ b/cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/firewall.conf
@ -0,0 +1,11 @@
+IFACES=($(ls /sys/class/net))
+
+MGMT_IFACE="${IFACES[0]}"
+PUBLIC_IFACE="eth1"
+INTRANET_IFACE="eth4"
+DEVELOPER_IFACE="eth3"
+ACCOUNTING_IFACE="eth2"
+
+INTRANET_NETWORK="192.168.202.0/24"
+DEVELOPER_NETWORK="192.168.201.0/24"
+ACCOUNTING_NETWORK="192.168.200.0/24"
--- a/cesi/securite_entreprise/ressources/intranet-demo/provisioning/workstation/configure_desktop.sh
+++ b/cesi/securite_entreprise/ressources/intranet-demo/provisioning/workstation/configure_desktop.sh
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -ex
+
+apt-get update
+apt-get install -y xubuntu-desktop
--- a/cesi/securite_entreprise/ressources/intranet-demo/provisioning/workstation/configure_network.sh
+++ b/cesi/securite_entreprise/ressources/intranet-demo/provisioning/workstation/configure_network.sh
@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -ex
+
+ip route delete default
+IFACES=($(ls /sys/class/net))
+dhclient -v ${IFACES[1]}