Ajouter une ligne entre deux balises html <Directory > et </Directory& [Résolu]

Messages postés
16
Date d'inscription
mercredi 23 octobre 2019
Statut
Membre
Dernière intervention
29 octobre 2019
- - Dernière réponse : wfipap
Messages postés
16
Date d'inscription
mercredi 23 octobre 2019
Statut
Membre
Dernière intervention
29 octobre 2019
- 28 oct. 2019 à 10:58
Bonjour à tous,
Je suis nouveau sur le forum.
J'aimerais ajouter une ligne dans un fichier de conf httpd.conf (pour ne pas le citer) entre deux balises

<Directory>
.....
ma ligne
......
</Directory),
dans un script de configuration pour plusieurs serveurs.
Quelqu'un aurait une idée?
Merci d'avance.
Bonne journée à tous.
Afficher la suite 

2 réponses

Meilleure réponse
Messages postés
37444
Date d'inscription
dimanche 7 novembre 2010
Statut
Contributeur
Dernière intervention
14 novembre 2019
4212
1
Merci
Salut,

Avec les optons d'insertion (i) ou d'ajout (a) c'est faisable, mais avec un exemple de ce que tu veux vraiment (avant/après) ce serait mieux ;-\

Si on prend tes dires :
<Directory>
.....
ma ligne
......
</Directory>
Ta ligne n'est ni après ni avant mais au milieu de quelque part… est-ce important, ou pas ?


Dire « Merci » 1

Heureux de vous avoir aidé ! Vous nous appréciez ? Donnez votre avis sur nous ! Evaluez CommentCaMarche

CCM 71473 internautes nous ont dit merci ce mois-ci

Commenter la réponse de zipe31
Messages postés
16
Date d'inscription
mercredi 23 octobre 2019
Statut
Membre
Dernière intervention
29 octobre 2019
0
Merci
Merci de ta réponse zip31
je veux remplacer :
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>


Par

<Directory />
Require all denied
</Directory>
Merci
zipe31
Messages postés
37444
Date d'inscription
dimanche 7 novembre 2010
Statut
Contributeur
Dernière intervention
14 novembre 2019
4212 -
Salut,

On n'est pas devin ;-(( Sans voir le script ;-\


Et puis c'est noté en toute lettre : hard_apache.sh: line 350: syntax error near unexpected token `newline'

Puis de toute façon, on n'exécute pas un script sans avoir testé auparavant chaque ligne de code, surtout avec sed et l'emploi de l'option "-i" ;-(
wfipap
Messages postés
16
Date d'inscription
mercredi 23 octobre 2019
Statut
Membre
Dernière intervention
29 octobre 2019
-
Oui  je suis en train de le tester  ligne par ligne mon script: 

#!/bin/bash
##Srcipt for hardening apache
#
#echo -e "Stopping httpd(Apache)"
sudo service httpd stop
#
##Backup apache config
#
sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
#
#
APACHE_PREFIX=/etc/httpd/conf

#Enable the Log Config Module

sudo httpd -M | egrep 'log_config'

if [ $? -eq 0 ]
then
echo -e "OK" >> /tmp/hard_test
else
echo -e "LoadModule log_config_module modules/mod_log_config.so" >> /etc/httpd/conf/httpd.conf
fi
#
sudo service httpd restart

#Disable WebDAV Modules
httpd -M | grep ' dav_[[:print:]]+module'

if [ $? -eq 0 ]
then
echo -e "WebDAV is correctly disabled" >> /tmp/hard-test
fi

#Disable Status Module

httpd -M | egrep 'status_module'

if [ $? -eq 0 ]

then echo -e " Syntax ok, status module is disabled" >> /tmp/hard_test
else

echo -e "##LoadModule status_module modules/mod_status.so" >> /etc/httpd/conf/httpd/httpd.conf
fi

#Disable Autoindex Module

httpd -M | grep autoindex_module

if [ $? -eq -0 ]
then echo -e "Syntax ok, Autoindex Module is disabled" >> /tmp/hard_test
else
echo -e "## LoadModule autoindex_module modules/mod_autoindex.so>>/etc/httpd/conf/httpd.conf
fi
#
#
#Disable Proxy Modules
httpd -M | grep proxy_
if [ $? -eq 0 ]
then
echo -e "Syntax Ok, Proxy Modules are disabled" >> /tmp/hard_test
fi

if [ $? -eq 0 ]
then
echo -e "syntax ok" >> /tmp/hard_test

else
echo -e "LoadModule dav_module modules/mod_dav.so" >>/etc/httpd/conf/httpd.conf/httpd.conf
fi
then
echo -e "Syntax Ok, Proxy Modules are disabled" >> /tmp/hard_test
else
echo -e "##LoadModule proxy_module modules/mod_proxy.so" >> /etc/httpd/conf/httpd/httpd.conf
echo -e "##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so" >> /etc/httpd/conf/httpd/httpd.conf


echo -e "##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so" >> /etc/httpd/conf/httpd/httpd.conf
echo -e "##LoadModule proxy_http_module modules/mod_proxy_http.so " >> /etc/httpd/conf/httpd/httpd.conf
echo -e "##LoadModule proxy_connect_module modules/mod_proxy_connect.so ">> /etc/httpd/conf/httpd/httpd.conf
echo -e "##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so" >> /etc/httpd/conf/httpd/httpd.conf

fi

#Disable User Directories Modules
httpd -M | grep userdir_
if [ $? -eq 0 ]
Then
echo -e "Modules correctly disabled " >> /tmp/hard_test

else
echo -e "##LoadModule userdir_module modules/mod_userdir.so" >>/etc/httpd/conf/httpd.conf
fi
#
#
#
#Disable Info Module

httpd -M | egrep 'info_module'
f [ $? -eq 0 ]
Then
echo -e "Modules correctly disabled " >> /tmp/hard_test

else
echo -e " ##LoadModule info_module modules/mod_info.so " >> /etc/httpd/conf/httpd.conf
fi
#
#

#Run the Apache Web Server as a non-root user

grep -i '^User' /etc/httpd/conf/httpd.conf
if [ $? -eq 0 ]

then
echo -e "User apache exists" >> /tmp/hard_test
fi
#
#
grep -i '^Group' /etc/httpd/conf/httpd.conf
if [ $? -eq 0 ]
then
echo -e "Group apache exists" >> /tmp/hard_test
fi
#
#
#2-Ensure the apache account is correct:
# id apache
sudo grep '^UID_MIN' /etc/login.defs
AP=`id -u apache`
if [ $AP -lt 500 ]
then echo -e "apache uid is les than UID_MIN"
fi

#apache similar to the following entries:
#uid=48(apache) gid=48(apache) groups=48(apache)
#APG=´id -g apache`

#3. While the web server is running check the user id for the httpd processes. The user
#name should match the configuration file.
ps axu | grep apache | grep -v '^root' >> /tmp/hard_test
if [ $? -eq 0 ]
then
echo -e "user id is apache" >> /tmp/hard_test
fi
#
#
#
#

#3.2Give the Apache User Account an Invalid Shell

#Check the apache login shell in the /etc/passwd file:
# grep apache /etc/passwd
#The apache account shell must be /sbin/nologin or /dev/null similar to the following:
#/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin
#Change the apache account to use the nologin shell or an invalid shell such as /dev/null:
# sudo chsh -s /sbin/nologin apache

#Lock the Apache User Account
#3.3 Lock the Apache User Account (Scored)

#Ensure the apache account is locked using the following:
#sudo passwd -S apache

#The results will be similar to the following:
#apache LK 2010-01-28 0 99999 7 -1 (Password locked.)
#- or -
#apache L 07/02/2012 -1 -1 -1 -1


#Set Ownership on Apache Directories and Files

#Identify files in the Apache directory not owned by root:

find /etc/httpd/conf \! -user root -ls

if [$? -eq 0 ]

then
echo "There are no files not owned by root in this directory" >> /tmp/hard_test
else

#Set ownership on the $APACHE_PREFIX directories
sudo chown -R root $/etc/httpd/conf

fi

#Set Group Id on Apache Directories and Files
#Identify files in the Apache directories other than htdocs with a group other than root:


find $APACHE_PREFIX -path /etc/httpd/conf /htdocs -prune -o \! -group root -ls

if [$? -e 0 ]

then
echo -e "NO files in the Apache directories other than htdocs with a group other than root" >> /tmp/hard_test

else

#Set ownership on the $APACHE_PREFIX directories :
sudo chgrp -R root /etc/httpd/conf
fi

#Restrict Other Write Access on Apache Directories and Files
#Identify files or directories in the Apache directory with other write access, excluding symbolic links:

find -L /etc/httpd/conf \! -type l -perm /o=w -ls

if [ $? -eq 0 ]
then
echo -e "There are no files with other acces in Apache directory" >> /tmp/hard_test
else

#Perform the following to remove other write access on the $APACHE_PREFIX directories.

sudo chmod -R o-w /etc/httpd/conf

fi

# CoreDumpDirectory is not to be within the Apache web document root ($APACHE_PREFIX/htdocs)

#2. must be owned by root and have a group ownership of the Apache group (as defined via the Group directive)


#Secure the Core Dump Directory
chown root:apache /var/log/httpd



#must have no read-write-search access permission for other users.
chmod o-rwx /var/log/httpd



#Restrict Group Write Access for the Apache Directories and Files
#Identify files or directories in the Apache directory with group write access, excluding symbolic links:
sudo find -L /etc/httpd.conf \! -type l -perm /g=w -ls
#
#
#
#Perform the following to remove group write access on the $APACHE_PREFIX directories.

sudo chmod -R g-w /etc/httpd/conf
#
#
#
#Restrict Group Write Access for the Document Root Directories and Files
#Identify files or directories in the Apache Document Root directory with Apache group write access.

## Define $GRP to be the Apache group configured

# GRP=$(grep '^Group' /etc/httpd/conf/conf/httpd.conf | cut -d' ' -f2)

# find -L $DOCROOT -group $GRP -perm /g=w -ls

#Perform the following to remove group write access on the $DOCROOT directories and files with the apache group.


#find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w


#Deny Access to OS Root Directory

#First extract root directory elements as follow:

perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/httpd.conf

#Second add the line "Require" as follow:

sed -i '\#<Directory />#,\#</Directory># { //b;N;s/.*/Require all denied/}' $APACHE_PREFIX/httpd.conf

#
#
#
#
#Restrict OverRide for the OS Root Directory

sed '\#<Directory />#,\#</Directory># { //b;s/Options .*/Options None/}' /etc/httpd/conf/conf/httpd.conf
#
#
#
#Restrict OverRide for All Directories
#
grep -i AllowOverride $APACHE_PREFIX/conf/httpd.conf

if [$? -eq 0]

then
echo -e "AllowOverride None" >> $APACHE_PREFIX/httpd.conf
fi
#
#
#



#Restrict Options for the OS Root Directory
sed -i '\#<Directory />#,\#</Directory># { //b;N;s/.*/Options None/}' $APACHE_PREFIX/httpd.conf
#
#
#Restrict Options for the Web Root Directory
sed -i '\#<Directory /etc/httpd/htdocs>#,\#</Directory># { //b;N;s/.*/Options None/}' $APACHE_PREFIX/httpd.conf
#
#
#
#Minimize Options for Other Directories
sed -i '\#<Directory /etc/httpd/conf/cgi-bin>#,\#</Directory># { //b;N;s/.*/Options None/}' $APACHE_PREFIX/httpd.conf
#
#
#
#Remove Default HTML Content
sudo yum erase httpd-manual
#
#
#
#Remove Default CGI Content printenv
sudo rm $APACHE_PREFIX/cgi-bin/printenv
#
#
#
#Remove Default CGI Content test-cgi
sudo rm $APACHE_PREFIX/cgi-bin/test-cgi
#

#Limit HTTP Request Methods
sed -i '\#<Directory /etc/httpd/conf/cgi-bin>#,\#</Directory># { //b;N;s/.*<LimitExcept GET POST OPTIONS>,Require all denied,</LimitExcept>/}' $APACHE_PREFIX/httpd.conf

#
#Disable HTTP TRACE Method
grep TraceEnable /etc/httpd/conf/httpd.conf

if [ $? -eq 1]
then
echo -e "Trace method is not disabled" >> /tmp/hard_test
else
echo -e "TraceEnable off" >> $APACHE_PREFIX/httpd.conf
fi
#
#
#
#
#Restrict HTTP Protocol Versions

grep "RewriteEngine On" $APACHE_PREFIX/httpd.conf

if [$? -eq 1 ]
then
echo -e "LoadModule rewrite_module modules/mod_rewrite.so" >> $APACHE_PREFIX/httpd.conf
echo -e "RewriteEngine On" >> $APACHE_PREFIX/httpd.conf
echo -e "RewriteCond %{THE_REQUEST} !HTTP/1\.1$" >> $APACHE_PREFIX/httpd.conf
echo -e "RewriteRule .* - [F]" >> $APACHE_PREFIX/httpd.conf
fi
#
#Restrict Access to .ht* files
#
#Configure the Error Log
grep ErrorLog $APACHE_PREFIX/httpd.con
if [ $? -eq 0 ]
then
echo -e " ErrorLog directive is implemented" >> /tmp/hard_test
fi
#
#
#
#Configure the Access Log
grep /LogFormat $APACHE_PREFIX/httpd.conf
if [$? -eq 0 ]
then
echo "Access log is implemented" >> /tmp/hard_test
fi

grep CustomLog $APACHE_PREFIX/httpd.conf

if [$? -eq 0]
then
echo -e "log files, syslog are implemented" >> /tmp/hard_test
fi
#
#
#
#Log Storage and Rotation
if [ -f /etc/logrotate.d/htpd ]
then
echo -e "web log rotation exits"
fi
#
#
#
#Apply Applicable Patches
#
#Install mod_ssl and/or mod_nss

httpd -M | grep ssl

if [$? -eq 0 ]
then
echo -e " ssl is installed" >> /tmp/hard_test
fi
#
#
#
#Install a Valid Trusted Certificate
#
#
#Protect the Servers Private Key
#
#
#
#Disable Weak SSL Protocols
grep SSLProtocol /etc/httpd/conf/httpd.conf
if [$? -eq 1 ]
then
echo -e "SSL Protocols not set " >> /tmp/hard_test
else
eho -e " SSLProtocol TLSv1.1 TLSv1.2" >> $APACHE_PREFIX/httpd.conf
fi
#
#Restrict Weak SSL Ciphers
echo -e "SSLHonorCipherOrder On" >>$APACHE_PREFIX/httpd.conf
echo -e "SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!MD5:!RC4" >>$APACHE_PREFIX/httpd.conf
echo -e "SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4" >>$APACHE_PREFIX/httpd.conf

#
#Restrict Insecure SSL Renegotiation
echo -e "SSLInsecureRenegotiation off" >> $APACHE_PREFIX/httpd.conf
#
#
#
#Ensure SSL Compression is Not Enabled

#
#
#
#
#Set ServerToken to 'Prod'
grep "ServerTokens Prod" $APACHE_PREFIX/httpd.conf
if [$? -eq 0 ]
then
echo -e "the ServerTokens directive is present in the apacheconf" >> /tmp/hard_test
else
echo -e "ServerTokens Prod" >> $APACHE_PREFIX/httpd.conf

#
#
#
#Set ServerSignature to 'Off'
grep "ServerSignature Off" $APACHE_PREFIX/httpd.conf
if [$? -eq 0 ]
then
echo -e "ServerSignature is Off" >> /tmp/hard_test
else
echo -e "ServerSignature Off" $APACHE_PREFIX/httpd.conf
fi
#
#
#
#Set the TimeOut to 10 or less
grep "Timeout 10" $APACHE_PREFIX/httpd.conf
if [[$? -eq 0 ]
then
echo -e "Timeout set at 10" >> /tmp/hard_test
else
echo -e "Timeout 10" >> $APACHE_PREFIX/httpd.conf
#
#
#
#Set the KeepAlive to On
grep "KeepAlive On" $APACHE_PREFIX/httpd.conf
if [[$? -eq 0 ]
then
echo -e "KeepAlive is set at On" >> /tmp/hard-test
else
echo -e "KeepAlive On" >> $APACHE_PREFIX/httpd.conf
fi

#
#
#
#Set the MaxKeepAliveRequests to 100 or greater
grep "MaxKeepAliveRequests" /etc/httpd/conf/httpd.conf
if [$? -eq 0 ]
then
echo -e "MaxKeepAlive is correctly set" >> /tmp/hard_test


else
echo -e "MaxKeepAliveRequests 100" >> /etc/httpd/conf/httpd.conf
fi
#
#
#
#Set the KeepAliveTimeout to 15 or less
grep "KeepAliveTimeout 15" /etc/httpd/conf/httpd.conf

if [ $? -eq 0 ]

echo -e " timeout is at 15" >> /etc/httpd/conf/httpd.conf

else
echo -e "KeepAliveTimeout 15" >> /etc/httpd/conf/httpd.conf
fi
#
#
#
#
#Set Timeout Limits for Request Headers

grep "RequestReadTimeout" /etc/httpd/conf/httpd.conf

[$? -eq 1 ]
then
echo -e "LoadModule reqtimeout_module modules/mod_reqtimeout.so" >> /etc/httpd/conf/httpd.conf
fi

echo -e "RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500" >> /etc/httpd/conf/httpd.conf
#
#
#
#Set Timeout Limits for the Request Body

egrep "mod_requesttimeout |mod_reqtimeout" /etc/httpd/conf/httpd.conf

if [ $? -eq 1 ]

then echo -e "configuration does not contain any RequestReadTimeout" >> /tmp/hard_test

else
echo -e "LoadModule reqtimeout_module modules/mod_reqtimeout.so" >> /etc/httpd/conf/httpd.conf
fi
sudo service restart httpd









zipe31
Messages postés
37444
Date d'inscription
dimanche 7 novembre 2010
Statut
Contributeur
Dernière intervention
14 novembre 2019
4212 > wfipap
Messages postés
16
Date d'inscription
mercredi 23 octobre 2019
Statut
Membre
Dernière intervention
29 octobre 2019
-
Ce n'est pas le bon script, la ligne 350 ne correspond pas à l'erreur retournée ;-(
dubcek
Messages postés
17933
Date d'inscription
lundi 15 janvier 2007
Statut
Contributeur
Dernière intervention
14 novembre 2019
4506 -
hello
il y a plusieurs if où il manque un espace
if [$? -eq 0 ]
wfipap
Messages postés
16
Date d'inscription
mercredi 23 octobre 2019
Statut
Membre
Dernière intervention
29 octobre 2019
-
Bonjour,
J'avais modifié le script:
la ligne est bien là :
sed -i '\#<Directory />#,\#</Directory># { //b;N;s/.*/Options None/}' $APACHE_PREFIX/httpd.conf
Commenter la réponse de wfipap