suppression conf auto et ajout fichier de conf forticlient

2024-10-16 12:11:22 +02:00
parent c51cb064ef
commit 5dffcec44a
4 changed files with 403 additions and 77 deletions


@@ -18,10 +18,10 @@ func_Installation_vpn()
##Définition des variables ##Définition des variables
folder=$(pwd) ##dossier local folder=$(pwd) ##dossier local
log_erreurs="$folder/err_log.log" log_erreurs="$folder/err_log.log"
script_conf="$folder/VPN_Forticlient/configuration_vpn.sh"
CERT_PATH1="$folder/VPN_Forticlient/client.pfx" CERT_PATH1="$folder/VPN_Forticlient/client.pfx"
CERT_PATH2="/opt/forticlient/client.pfx" CERT_PATH2="/opt/forticlient/client.pfx"
#======================================================================= #=======================================================================
##Définition des fonctions ##Définition des fonctions
func_dependances(){ func_dependances(){
@@ -40,7 +40,7 @@ func_installation(){
#======================================================================= #=======================================================================
##Script ##Script
echo "Mise a jour dependances pour l'installation du vpn" echo -e "\033[1m Mise a jour dependances pour l'installation du vpn\033[0m"
if func_dependances 2>> $log_erreurs; then if func_dependances 2>> $log_erreurs; then
echo "Mise a jour dependances nécessaire à l'installation du vpn réussie" echo "Mise a jour dependances nécessaire à l'installation du vpn réussie"
else else
@@ -50,7 +50,7 @@ echo "Mise a jour dependances pour l'installation du vpn"
fi fi
sleep 2 sleep 2
echo "Installation du vpn" echo "\033[1m Installation du vpn\033[0m"
if func_installation 2>> $log_erreurs; then if func_installation 2>> $log_erreurs; then
echo "Installation du vpn réussie" echo "Installation du vpn réussie"
else else
@@ -60,14 +60,10 @@ echo "Installation du vpn"
fi fi
sleep 2 sleep 2
echo "Configuration du vpn" echo "\033[1m Configuration du vpn \033[0m"
chmod +x $script_conf echo "Pour configurer la connexion vpn, charger dans le forticlient le fichier forti_7_linux.conf"
if script_conf 2>> $log_erreurs; then echo "Emplacement du fichier /tmp/Deploiement_debian/VPN_Forticlient/forti_7_linux.conf\n"
echo "Configuration du vpn réussie" echo "Saisir le mot de passe du certificat dans les paramètres de la connexion"
else echo "Le mot de passe est dans le keypass du service infra"
echo "Erreur lors de la configuration du vpn"
echo "logs d'erreurs disponibles dans le fichier: $log_erreurs"
exit 1
fi
sleep 2
} }
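Review bot: The two new banners `echo "\033[1m Installation du vpn\033[0m"` and `echo "\033[1m Configuration du vpn \033[0m"` lack the `-e` that the first banner received, so, assuming the script runs under bash, the escape codes are printed literally, and the trailing `\n` on the "Emplacement du fichier" line has the same problem; `echo -e` or `printf '\033[1m %s\033[0m\n' "Installation du vpn"` fixes it. That message also hard-codes `/tmp/Deploiement_debian/...` although the function already sets `folder=$(pwd)`, so `"$folder/VPN_Forticlient/forti_7_linux.conf"` would stay correct wherever the tree is unpacked; if the tree does live under /tmp, it is worth confirming that other local users cannot write to it before the profile and `client.pfx` are loaded from there. The certificate password that the deleted expect script held in clear text remains in the repository history, so if `client.pfx` is still protected by it, changing that password (or reissuing the certificate) should accompany this commit. func_Installation_vpn starts above the first hunk.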


@@ -1,63 +0,0 @@
#!/usr/bin/expect
#=======================================================================
# FILE: ~configuration_vpn.sh
# USAGE: ./~configuration_vpn.sh
# DESCRIPTION: Installation et paramétrage du vpn-ssl forticlient sur
# les postes Utilisateurs Debian
#
# OPTIONS: ---
# REQUIREMENTS: ---
# BUGS: ---
# NOTES: ---
# AUTHOR: Maxime Tertrais
# COMPANY: Operis
# CREATED: 15/10/2024
# REVISION: ---
#=======================================================================
##Définition des variables
NOM_CONNEXION="VPN-Operis"
SERVER_VPN="champlan.operis.fr" #serveur à joindre
PORT_VPN="10443" #port du vpn à joindre
AUTH_TYPE="1" #demande de saisir les Id de l'AD
CERT_PATH="/opt/forticlient/client.pfx"
CERT_PSWD="Operis123"
#=======================================================================
##Définition des fonctions
#=======================================================================
##Script
set timeout -1
# Lancer le script fortivpn
spawn fortivpn edit $NOM_CONNEXION
# Fournir l'adresse du serveur
expect "Remote Gateway" # Le texte exact affiché par le script
sleep 1
send "$SERVER_VPN\r"
# Fournir le n° de port
expect "Port"
sleep 1
send "$PORT_VPN\r"
# Fournir la méthode d'identification
expect "Authentication"
sleep 1
send "$AUTH_TYPE\r"
# Fournir le certificat client
expect "Client Certificate"
sleep 1
send "$CERT_PATH\r"
# Fournir le certificat client
expect "Client Certificate password"
sleep 1
send "$CERT_PSWD\r"
# Attendre la fin
expect eof
}


@@ -0,0 +1,393 @@
<?xml version="1.0" encoding="utf-8"?>
<forticlient_configuration authentication="1031f251fdb00c34e157292485b93d7278572fe49e">
<forticlient_version>6.0.10.297</forticlient_version>
<version>6.0.10</version>
<date>2022/04/13</date>
<partial_configuration>0</partial_configuration>
<os_version>windows</os_version>
<system>
<ui>
<disable_backup>0</disable_backup>
<ads>1</ads>
<default_tab>COMP</default_tab>
<flashing_system_tray_icon>1</flashing_system_tray_icon>
<hide_system_tray_icon>0</hide_system_tray_icon>
<show_host_tag>0</show_host_tag>
<suppress_admin_prompt>0</suppress_admin_prompt>
<password/>
<culture_code>os-default</culture_code>
<gpu_rendering>0</gpu_rendering>
<hide_user_info>0</hide_user_info>
<lock/>
<replacement_messages>
<quarantine>
<title>
<title/>
</title>
<statement>
<remediation/>
</statement>
<remediation>
<remediation/>
</remediation>
</quarantine>
</replacement_messages>
<allow_shutdown_when_registered/>
</ui>
<log_settings>
<onnet_local_logging>1</onnet_local_logging>
<level>6</level>
<log_events>ipsecvpn,sslvpn,scheduler,update,firewall,proxy,shield,endpoint,configd,vuln</log_events>
<remote_logging>
<log_upload_enabled>0</log_upload_enabled>
<log_upload_server/>
<log_upload_ssl_enabled>1</log_upload_ssl_enabled>
<log_retention_days>90</log_retention_days>
<log_upload_freq_minutes>120</log_upload_freq_minutes>
<log_generation_timeout_secs>900</log_generation_timeout_secs>
<netlog_categories>7</netlog_categories>
<send_os_events>
<enabled/>
<interval>120</interval>
</send_os_events>
</remote_logging>
</log_settings>
<proxy>
<update>0</update>
<online_scep>0</online_scep>
<virus_submission>0</virus_submission>
<type>http</type>
<address/>
<port>80</port>
<username>Enc 76675e071f1c96929d9f1d7611b457f5ed0028531e950638</username>
<password/>
</proxy>
<update>
<use_custom_server>0</use_custom_server>
<server/>
<port>80</port>
<timeout>60</timeout>
<failoverport>8000</failoverport>
<fail_over_to_fdn>1</fail_over_to_fdn>
<use_proxy_when_fail_over_to_fdn>1</use_proxy_when_fail_over_to_fdn>
<auto_patch>0</auto_patch>
<submit_virus_info_to_fds>1</submit_virus_info_to_fds>
<update_action>notify_only</update_action>
<restrict_services_to_regions/>
<use_legacy_fdn>1</use_legacy_fdn>
<ocsp_mode>1</ocsp_mode>
<scheduled_update>
<enabled>1</enabled>
<type>interval</type>
<daily_at>01:50</daily_at>
<update_interval_in_hours>1</update_interval_in_hours>
</scheduled_update>
</update>
<fortiproxy>
<enabled>0</enabled>
<enable_https_proxy>1</enable_https_proxy>
<http_timeout>60</http_timeout>
<client_comforting>
<pop3_client>1</pop3_client>
<pop3_server>1</pop3_server>
<smtp>1</smtp>
</client_comforting>
<selftest>
<enabled>1</enabled>
<last_port>65535</last_port>
<notify>1</notify>
</selftest>
</fortiproxy>
<certificates>
<crl>
<ocsp/>
</crl>
<hdd/>
<ca/>
</certificates>
<user_identity>
<enable_manually_entering>1</enable_manually_entering>
<enable_linkedin>1</enable_linkedin>
<enable_google>1</enable_google>
<enable_salesforce>1</enable_salesforce>
<notify_user/>
</user_identity>
</system>
<endpoint_control>
<enabled>1</enabled>
<socket_connect_timeouts>1:5</socket_connect_timeouts>
<disable_unregister>0</disable_unregister>
<disable_fgt_switch>0</disable_fgt_switch>
<show_bubble_notifications>1</show_bubble_notifications>
<silent_registration>0</silent_registration>
<notify_fgt_on_logoff>1</notify_fgt_on_logoff>
<avatar_enabled>1</avatar_enabled>
<send_software_inventory>0</send_software_inventory>
<ui>
<display_antivirus>1</display_antivirus>
<display_webfilter>1</display_webfilter>
<display_firewall>1</display_firewall>
<display_vpn>1</display_vpn>
<display_vulnerability_scan>1</display_vulnerability_scan>
<display_sandbox>1</display_sandbox>
<display_compliance>1</display_compliance>
<display_ztna>0</display_ztna>
<hide_compliance_warning>0</hide_compliance_warning>
</ui>
<forticloud>
<server/>
<invitation_code/>
</forticloud>
<invalid_cert_action>warn</invalid_cert_action>
</endpoint_control>
<antivirus>
<enabled>1</enabled>
<signature_expired_notification>0</signature_expired_notification>
<scan_on_insertion>0</scan_on_insertion>
<shell_integration>1</shell_integration>
<antirootkit>4294967295</antirootkit>
<fortiguard_analytics>1</fortiguard_analytics>
<multi_process_limit>1</multi_process_limit>
<block_removable_media>0</block_removable_media>
<on_demand_scanning>
<use_extreme_db>1</use_extreme_db>
<on_virus_found>4</on_virus_found>
<pause_on_battery_power>1</pause_on_battery_power>
<signature_load_memory_threshold>8</signature_load_memory_threshold>
<automatic_virus_submission>
<enabled>0</enabled>
<smtp_server>fortinetvirussubmit.com</smtp_server>
<username/>
<password/>
</automatic_virus_submission>
<compressed_files>
<scan>1</scan>
<maxsize>0</maxsize>
</compressed_files>
<riskware>
<enabled>1</enabled>
</riskware>
<adware>
<enabled>1</enabled>
</adware>
<heuristic_scanning>
<level>3</level>
<action>2</action>
</heuristic_scanning>
<exclusions>
<file_types>
<extensions/>
</file_types>
</exclusions>
</on_demand_scanning>
<real_time_protection>
<enabled>1</enabled>
<use_extreme_db>0</use_extreme_db>
<when>4</when>
<ignore_system_when>2</ignore_system_when>
<on_virus_found>4</on_virus_found>
<popup_alerts>1</popup_alerts>
<popup_registry_alerts>0</popup_registry_alerts>
<bypass_java>0</bypass_java>
<cloud_based_detection>
<on_virus_found>4</on_virus_found>
</cloud_based_detection>
<sandboxing>
<use_sandbox_signatures>0</use_sandbox_signatures>
<sandbox_server/>
</sandboxing>
<compressed_files>
<scan>1</scan>
<maxsize>10</maxsize>
</compressed_files>
<riskware>
<enabled>1</enabled>
</riskware>
<adware>
<enabled>1</enabled>
</adware>
<heuristic_scanning>
<level>0</level>
<action>3</action>
</heuristic_scanning>
<exclusions>
<file_types>
<extensions>.7z,.arj,.bzip,.bzip2,.cab,.gzip,.lzh,.msc,.rar,.tar,.tgz,.zip</extensions>
</file_types>
</exclusions>
</real_time_protection>
<email>
<smtp>1</smtp>
<pop3>1</pop3>
<outlook>1</outlook>
<wormdetection>
<enabled>0</enabled>
<action>0</action>
</wormdetection>
<heuristic_scanning>
<enabled>0</enabled>
<action>0</action>
</heuristic_scanning>
<mime_scanning>
<enabled>0</enabled>
</mime_scanning>
</email>
<quarantine>
<cullage>100</cullage>
</quarantine>
<server>
<exchange>
<integrate>0</integrate>
<action>0</action>
<excludefilesystemfromscanning>0</excludefilesystemfromscanning>
<excludefileextensionsfromscanning>0</excludefileextensionsfromscanning>
</exchange>
<sqlserver>
<excludefilesystemfromscanning>0</excludefilesystemfromscanning>
<excludefileextensionsfromscanning>0</excludefileextensionsfromscanning>
</sqlserver>
</server>
<sandboxing>
<use_sandbox_signatures>0</use_sandbox_signatures>
</sandboxing>
<scheduled_scans>
<ignore_3rd_party_av_conflicts>0</ignore_3rd_party_av_conflicts>
<scan_type>full</scan_type>
<full>
<enabled>0</enabled>
<repeat>2</repeat>
<day_of_month>1</day_of_month>
<time>12:00</time>
<removable_media>1</removable_media>
<network_drives>0</network_drives>
<priority>0</priority>
<days>7</days>
</full>
<directory>
<enabled>0</enabled>
<directory/>
<repeat>2</repeat>
<day_of_month>1</day_of_month>
<time>12:00</time>
<removable_media>1</removable_media>
<network_drives>0</network_drives>
<priority>0</priority>
<days>7</days>
</directory>
<quick>
<enabled>0</enabled>
<repeat>2</repeat>
<day_of_month>1</day_of_month>
<time>12:00</time>
<removable_media>1</removable_media>
<network_drives>0</network_drives>
<priority>0</priority>
<days>7</days>
</quick>
</scheduled_scans>
</antivirus>
<vulnerability_scan>
<enabled>1</enabled>
<scan_on_registration>0</scan_on_registration>
<scan_on_signature_update>0</scan_on_signature_update>
<proxy_enabled>0</proxy_enabled>
<auto_patch>
<level>high</level>
</auto_patch>
<scheduled_scans>
<schedule>
<repeat>1</repeat>
<day>1</day>
<time>19:30</time>
</schedule>
</scheduled_scans>
<scan_on_fgt_registration/>
<windows_update>1</windows_update>
<exempt_manual/>
<exemptions/>
<exempt_no_auto_patch/>
</vulnerability_scan>
<sandboxing>
<enabled>0</enabled>
<address/>
<response_timeout>0</response_timeout>
<when>
<executables_on_removable_media/>
<executables_on_mapped_nw_drives/>
<web_downloads/>
<email_downloads/>
</when>
<remediation>
<action/>
<on_error/>
</remediation>
<exceptions>
<exclude_files_from_trusted_sources/>
<exclude_files_and_folders/>
<folders/>
<files/>
</exceptions>
</sandboxing>
<removable_media_access>
<enabled/>
<show_bubble_notifications/>
<action>allow</action>
</removable_media_access>
<vpn>
<options>
<current_connection_name>Operis</current_connection_name>
<autoconnect_tunnel/>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<keep_running_max_retries/>
<allow_personal_vpns>1</allow_personal_vpns>
<disable_connect_disconnect>0</disable_connect_disconnect>
<minimize_window_on_connect>1</minimize_window_on_connect>
<inherit_local_dns>0</inherit_local_dns>
<dns_service_resetting_interval>0</dns_service_resetting_interval>
<suppress_vpn_notification>0</suppress_vpn_notification>
</options>
<sslvpn>
<options>
<enabled>1</enabled>
<block_ipv6>0</block_ipv6>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
</options>
<connections>
<connection>
<name>VPN-Operis</name>
<description/>
<server>champlan.operis.fr:10443</server>
<username/>
<password/>
<certificate>file%3A%2F%2F%2Fopt%2Fforticlient%2Fclient.pfx</certificate>
<prompt_certificate>0</prompt_certificate>
<prompt_username>1</prompt_username>
<keep_running>0</keep_running>
<fgt>0</fgt>
<ui>
<show_remember_password>0</show_remember_password>
<show_alwaysup>0</show_alwaysup>
<show_autoconnect>0</show_autoconnect>
<ems_allow_show_remember_password>0</ems_allow_show_remember_password>
<ems_allow_show_alwaysup>0</ems_allow_show_alwaysup>
<ems_allow_show_autoconnect>0</ems_allow_show_autoconnect>
<save_username>0</save_username>
<save_password>0</save_password>
</ui>
<disclaimer_msg/>
<sso_enabled>0</sso_enabled>
<use_external_browser>0</use_external_browser>
<vpn_type/>
</connection>
</connections>
</sslvpn>
</vpn>
<ztna>
<enabled/>
<allow_personal_rules>1</allow_personal_rules>
<disallow_invalid_server_certificate/>
<rules/>
</ztna>
</forticlient_configuration>
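Review bot: Only the `<vpn>` section is needed for the VPN-Operis tunnel, yet the file is a full export from a Windows FortiClient 6.0.10 (`<os_version>windows</os_version>`, `<forticlient_version>6.0.10.297</forticlient_version>`, dated 2022/04/13), while the install script presents it as forti_7_linux.conf. Importing it presumably also carries the antivirus, update, proxy and endpoint-control sections onto the Debian client, so I would reduce the file to the connection definition if the Linux client accepts such an import. The `Enc …` value in `<proxy><username>` appears to be an encrypted credential field from the machine the export came from and should be emptied before the file is kept in the repository. For the tunnel itself, `<warn_invalid_server_certificate>1</warn_invalid_server_certificate>` leaves the decision on an invalid gateway certificate to the user; the deployment notes should say whether that is intended.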


@@ -22,7 +22,7 @@ source "$folder/Malwarebytes_linux/malwarebytes.sh"
source "$folder/Integration_domain/integration_domain.sh" source "$folder/Integration_domain/integration_domain.sh"
source "$folder/OCS_Linux/ocs.sh" source "$folder/OCS_Linux/ocs.sh"
source "$folder/Laps_Linux/installation_laps.sh" source "$folder/Laps_Linux/installation_laps.sh"
source "$folder/VPN_Forticlient/installation_vpn.sh" source "$folder/VPN_Forticlient/Installation_vpn.sh"
source "$folder/Agent_Wazhu/installation_wazhu.sh" source "$folder/Agent_Wazhu/installation_wazhu.sh"
#source "paramétrage des depots" #source "paramétrage des depots"
#source "installation des paquets métier" #source "installation des paquets métier"