Adaptations pour l’envoi des logs samba

2025-06-17 09:43:30 +02:00
commit 782aee6803
4 changed files with 104 additions and 0 deletions
--- a/32
+++ b/32
@ -0,0 +1,32 @@
+#!/bin/bash
+
+ADDC_PATH="/var/lib/lxc/addc/rootfs"
+
+. /usr/lib/eole/utils.sh
+
+InstallSSLFiles rsyslog_addc syslog syslog "$ADDC_PATH/etc/rsyslog.d/ssl/"
+if [ $(CreoleGet samba_log_connexion_authentification_proxy non) == 'oui' ]
+then
+    ca_path=$(CreoleGet samba_log_connexion_ca_chemin)
+    if [ -f $ca_path ]
+    then
+        cat /etc/ssl/certs/ca_local.crt $ca_path > "$ADDC_PATH/etc/ssl/certs/ca_rsyslog.crt"
+    else
+        EchoRouge "Le certificat racine pour le pair rsyslog n’a pas été trouvé"
+        EchoRouge "Utilisation du mode anonyme"
+        cp /etc/ssl/certs/ca_local.crt "$ADDC_PATH/etc/ssl/certs/ca_rsyslog.crt"
+    fi
+else
+    cp /etc/ssl/certs/ca_local.crt "ADDC_PATH/etc/ssl/certs/ca_rsyslog.crt"
+fi
+
+if [ ! -e "$ADDC_PATH/var/log/rsyslog/queues" ]
+then
+    mkdir -p "$ADDC_PATH/var/log/rsyslog/queues"
+    lxc-attach -n addc chown syslog:adm /var/log/rsyslog/queues
+fi
+
+lxc-attach -n addc apt install rsyslog-gnutls
+
+lxc-attach -n addc systemctl restart rsyslog
+exit 0
--- a/60_forward_samba_logs.xml
+++ b/60_forward_samba_logs.xml
@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="utf-8"?>
+<creole>
+    <files>
+        <file filelist='forward_samba_logs' name='/var/lib/lxc/addc/rootfs/etc/rsyslog.d/01-forward_samba.conf' source='addc-samba_logs_forward.conf' mkdir='True' rm='True'/>
+    </files>
+    <variables>
+        <family name='Samba'>
+            <variable name='activer_envoi_log_connexion' type='oui/non' description='Activer l’envoi des logs de connexion au proxy'>
+                <value>oui</value>
+            </variable>
+            <variable name="samba_log_connexion_proxy_ip" type='ip' description='Adresse IP du proxy traitant les logs' mandatory="True"/>
+            <variable name="samba_log_connexion_proxy_port" type='number' description='Port du proxy traitant les logs'>
+                <value>10514</value>
+            </variable>
+            <variable name="samba_log_connexion_authentification_proxy" type="oui/non" description="Authentifier le récepteur des logs">
+                <value>non</value>
+            </variable>
+            <variable name="samba_log_connexion_ca_chemin" type="filename" description="Chemin du certificat racine du proxy" mandatory="True"/>
+            <variable name="samba_log_connexion_proxy_nom" type="domain" description="Nom de domaine du proxy" mandatory="True"/>
+        </family>
+    </variables>
+    <constraints>
+        <condition name='disabled_if_in' source='activer_envoi_log_connexion'>
+            <param>non</param>
+            <target type='filelist'>forward_samba_logs</target>
+            <target type='variable'>samba_log_connexion_proxy_ip</target>
+            <target type='variable'>samba_log_connexion_proxy_port</target>
+            <target type='variable'>samba_log_connexion_authentification_proxy</target>
+        </condition>
+        <condition name='disabled_if_in' source='samba_log_connexion_authentification_proxy'>
+            <param>non</param>
+            <target type='variable'>samba_log_connexion_ca_chemin</target>
+            <target type='variable'>samba_log_connexion_proxy_nom</target>
+        </condition>
+    </constraints>
+    <help>
+        <variable name='activer_envoi_log_connexion'>Les logs de connexions sont utiles au proxy type Palo Alto pour en dériver les autorisations de flux réseau (relation IP/utilisateur pour déterminer les permissions).</variable>
+        <variable name="samba_log_connexion_authentification_proxy">L’authentification du récepeteur des logs nécessite la récupération du certificat racine de celui-ci pour pouvoir valider son certificat x509</variable>
+        <variable name="samba_log_connexion_ca_chemin">Le certificat racine ayant servi à signer le certificat présenté par le proxy.</variable>
+        <variable name="samba_log_connexion_proxy_nom">Nom FQDN apparaissant dans le certificat x509 présenté par le proxy.</variable>
+    </help>
+</creole>
--- a/addc-samba_logs_forward.conf
+++ b/addc-samba_logs_forward.conf
@ -0,0 +1,19 @@
+$DefaultNetstreamDriver gtls
+$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca_rsyslog.crt
+$DefaultNetstreamDriverCertFile  /etc/rsyslog.d/ssl/certs/rsyslog_addc.crt
+$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/ssl/private/rsyslog_addc.key
+        
+
+$WorkDirectory /var/log/rsyslog/queues
+$ActionQueueType LinkedList
+$ActionQueueFileName samba
+$ActionQueueSaveOnShutdown on
+                
+%if %%samba_log_connexion_authentification_proxy == 'oui'
+$ActionSendStreamDriverAuthMode x509/name
+$ActionSendStreamDriverPermittedPeer %%samba_log_connexion_proxy_name
+%else
+$ActionSendStreamDriverAuthMode anon
+%end if
+$ActionSendStreamDriverMode 1
+:programname, isequal, "samba" @@%%samba_log_connexion_proxy_ip:%%samba_log_connexion_proxy_port
--- a/smb-addc.conf.patch
+++ b/smb-addc.conf.patch
@ -0,0 +1,11 @@
+ --- distrib/smb-addc.conf       2025-02-18 09:29:25.000000000 +0100
+++ modif/smb-addc.conf 2025-06-16 10:31:57.625340810 +0200
+@@ -21,6 +21,8 @@
+   usershare max shares = 0
+   restrict anonymous = 2
+   interfaces = %%ad_public_address
+  syslog = 4
+  log level = 0 auth_audit:4
+ 
+ [netlogon]
+   comment = Network Logon Service