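#!/bin/sh
#
# check_config_file - update ufdbGuard.conf for current version and new features
#
# $Id: check_config_file,v 1.19 2018/12/30 19:38:25 root Exp root $
#
# Usage: check_config_file <ufdbGuard.conf>
#
# Check ufdbGuard.conf for:
# - missing URL categories (security, extappl, dynaddress, p2p, socialnet,
#   religion, webtv, webradio, safe); a missing category is added after an
#   existing block and, for extappl and p2p, blocked in the "pass" ACL lines
# - redirects to www.urlfilterdb.com/cgi-bin/URLblocked.cgi, which are
#   rewritten to cgibin.urlfilterdb.com
# - the misspelled option name enforce-https-offical-certificate
# - missing HTTPS hardening options (notice only, nothing is changed)
#
# The configuration is rewritten in place with "cat tmp > config" so that
# its owner, group and mode are preserved.  Plain Bourne shell is used on
# purpose (backticks, no $(...), no 'local') because the script must also
# run under Solaris /bin/sh.
#
# Exit status: 0 when done; 1 on a usage or permission error, when the
# "proxies" category is missing, or when a rewrite failed (the configuration
# is then left untouched).

if [ -d /usr/xpg4/bin ]
then
   # to get a standard 'grep' (with -E) and a POSIX awk on Solaris:
   PATH=/usr/xpg4/bin:$PATH
   export PATH
fi

ME=check_config_file

CONFIG="$1"
if [ -z "$CONFIG" ] || [ ! -r "$CONFIG" ]
then
   echo "usage: $ME <ufdbGuard.conf>"
   echo "$ME: cannot read configuration file $CONFIG *****"
   exit 1
fi

# Temporary copy of the rewritten configuration.
# The original fixed name /tmp/newUfdbGuard.conf.$$ is predictable: another
# local user can pre-create or symlink it, and the rewritten configuration
# (including its redirect URLs) would then land wherever that link points.
# mktemp creates a private (0600) file with an unpredictable name; without
# mktemp a private per-process directory is made with mkdir, which is atomic
# and fails instead of following an existing symlink.
PRIVDIR=""
TMPFILE=`mktemp /tmp/newUfdbGuard.conf.XXXXXX 2>/dev/null`
if [ -z "$TMPFILE" ]
then
   PRIVDIR=/tmp/newUfdbGuard.$$
   if mkdir -m 700 "$PRIVDIR"
   then
      TMPFILE="$PRIVDIR/newUfdbGuard.conf"
      : > "$TMPFILE"
   else
      echo "$ME: cannot create temporary directory $PRIVDIR"
      exit 1
   fi
fi
if [ ! -f "$TMPFILE" ]
then
   echo "$ME: cannot create temporary file $TMPFILE"
   exit 1
fi

# cleanup: remove the temporary file (and directory) on every exit path.
# The original script never deleted its copy of the configuration in /tmp.
cleanup()
{
   rm -f "$TMPFILE"
   if [ -n "$PRIVDIR" ]
   then
      rmdir "$PRIVDIR" 2>/dev/null
   fi
}
trap cleanup 0
trap 'exit 1' 1 2 15

if [ ! -w "$CONFIG" ]
then
   chmod u+w "$CONFIG"
   if [ ! -w "$CONFIG" ]
   then
      echo "$ME: this script checks various parameters and updates the"
      echo "configuration file $CONFIG"
      echo "but it is not writable. Verify the permissions and rerun \"make install\"."
      exit 1
   fi
fi

# Block after which a missing category is inserted (the ufdbGuard keywords
# "category"/"destination" may be abbreviated to "cat"/"dest").
PROXIES_ANCHOR='^dest.*proxies|^cat.*proxies'

# Commented-out HTTPS options written into a newly added "security" category,
# so the administrator sees which options exist.
SECURITY_OPTS='   # option enforce-https-with-hostname on
   # option enforce-https-official-certificate on
   # option https-prohibit-insecure-sslv2 on
   # option allow-aim-over-https on
   # option allow-gtalk-over-https on
   # option allow-skype-over-https on
   # option allow-yahoomsg-over-https on
   # option allow-fb-chat-over-https on
   # option allow-citrixonline-over-https on
   # option allow-unknown-protocol-over-https on'

# Names of the categories this run added, for the closing summary.
ADDED=""

# lacks_category NAME
# Succeeds when CONFIG has no "category NAME" / "destination NAME" block.
# NAME is always a constant from this script, never user input, so it is
# safe to splice into the grep pattern.
lacks_category()
{
   if grep -E -e "^dest.*$1" -e "^cat.*$1" "$CONFIG" > /dev/null 2>&1
   then
      return 1
   else
      return 0
   fi
}

# uses_option NAME
# Succeeds when NAME appears on a line that is not a comment.
# A plain "grep NAME" (as the original did) also matched the commented-out
# "# option NAME on" lines that this script itself writes into the security
# category, which silently suppressed the HTTPS notices at the end.
uses_option()
{
   grep -E -e "^[^#]*$1" "$CONFIG" > /dev/null 2>&1
}

# commit_config STATUS
# Copy the rewritten configuration in TMPFILE back over CONFIG.
# STATUS is the exit status of the awk/sed that produced TMPFILE.
# Nothing is copied when that command failed or produced an empty file:
# the original did "cat tmp > config" unconditionally, so a failing awk,
# a full /tmp or an unterminated block would have truncated CONFIG to nothing.
commit_config()
{
   if [ "$1" -ne 0 ] || [ ! -s "$TMPFILE" ]
   then
      echo "$ME: rewriting $CONFIG failed (status $1); $CONFIG is left unchanged *****"
      exit 1
   fi
   if cat "$TMPFILE" > "$CONFIG"
   then
      :
   else
      echo "$ME: cannot write $CONFIG *****"
      exit 1
   fi
}

# add_category NAME BANNER DEFNAME LISTS ANCHOR ACLSUBST EXTRA
#   NAME     category name; also the directory of its list files
#   BANNER   text of the "# BANNER added by the check_config_file script" comment
#   DEFNAME  text of the "# define the DEFNAME category" comment
#   LISTS    "domains" or "domains+expressions": which list files to reference
#   ANCHOR   awk regexp of the block after which the category is inserted
#   ACLSUBST replacement for "!proxies" in "pass" lines that do not already
#            mention NAME; empty means the ACLs are not modified
#   EXTRA    extra lines (newline separated) printed inside the new block
# The new block reuses the "redirect" line of the anchor block, if any.
# Only the first anchor block is used.  Writes to TMPFILE; returns awk's status.
# A block that is never closed with "}" makes awk exit 2 (the original
# looped forever on getline returning EOF).
add_category()
{
   awk -v cat="$1" -v banner="$2" -v defname="$3" -v lists="$4" \
       -v anchor="$5" -v aclsubst="$6" -v extra="$7" '
   BEGIN { done = 0 }
   done == 0 && $0 ~ anchor {
      done = 1
      redirect = ""
      # copy the anchor block, remembering its redirect line
      while ($0 !~ /^[ \t]*}/) {
         if ($0 ~ /^[ \t]*redirect/) redirect = $0
         print $0
         if ((getline) <= 0) {
            print "check_config_file: unterminated block in configuration" | "cat 1>&2"
            exit 2
         }
      }
      print $0
      print ""
      print "# " banner " added by the check_config_file script of ufdbGuard."
      print "# define the " defname " category"
      print "category " cat " {"
      print "   domainlist " cat "/domains"
      if (lists == "domains+expressions")
         print "   expressionlist " cat "/expressions"
      if (extra != "") {
         n = split(extra, xl, "\n")
         for (i = 1; i <= n; i++) print xl[i]
      }
      if (redirect != "") print redirect
      print "}"
      print ""
      next
   }
   aclsubst != "" && /^[ \t]*pass/ && index($0, cat) == 0 {
      gsub(/! *proxies/, aclsubst)
      print $0
      next
   }
   { print $0 }
   ' "$CONFIG" > "$TMPFILE"
}

# ensure_category NAME BANNER DEFNAME DESCRIPTION ACLSUBST
# Add category NAME (domains + expressions lists) after the "proxies" block
# unless it is already defined.  ACLSUBST non-empty: also block it in the
# "pass" lines and say so (the original said "Modifying ACLs" for several
# categories whose ACLs it did not touch).
ensure_category()
{
   if lacks_category "$1"
   then
      echo "The configuration file does not have a category definition for "
      echo "the URL category \"$1\"${4:+ $4}."
      if [ -n "$5" ]
      then
         echo "Adding $1 category. Modifying ACLs to block it. ******"
      else
         echo "Adding $1 category. Verify if use of this category is required. ******"
      fi
      add_category "$1" "$2" "$3" domains+expressions "$PROXIES_ANCHOR" "$5" ""
      commit_config $?
      ADDED="$ADDED $1"
      echo
   fi
}

# "security" goes after the first category/destination block, without
# expression list, with the HTTPS options listed as comments.
if lacks_category security
then
   echo "The configuration file does not have a category definition for "
   echo "the URL category \"security\" (used to verify security of HTTPS connections)."
   echo "Adding security category ..."
   add_category security SECURITY security domains '^destination|^category' "" "$SECURITY_OPTS"
   commit_config $?
   ADDED="$ADDED security"
   echo
fi

# Everything below is inserted after the "proxies" block, so stop here
# when it does not exist.
if lacks_category proxies
then
   echo "The configuration file $CONFIG"
   echo "lacks the definition of the URL category \"proxies\"."
   echo "All parties who use the URL database of URLfilterDB should have"
   echo "this URL category defined."
   echo
   echo "Further configuration checks are suppressed."
   echo "If you use the URL database of URLfilterDB you need to correct this and"
   echo "rerun \"make install\"."
   exit 1
fi

ensure_category extappl    EXTERNAL-APPLICATIONS extappl  "(external applications)" "!proxies !extappl"
ensure_category dynaddress "DYNAMIC ADDRESS"     dynaddress "(dynamic addresses)"   ""
ensure_category p2p        P2P                   P2P      "(peer-to-peer)"          "!p2p !proxies"
ensure_category socialnet  "SOCIAL NETWORKS"     socialnet "(social networks)"      ""
ensure_category religion   RELIGION              RELIGION ""                        ""
ensure_category webtv      WEBTV                 WEBTV    ""                        ""
ensure_category webradio   WEBRADIO              WEBRADIO ""                        ""
ensure_category safe       SAFE                  SAFE     ""                        ""

# Move old redirects off the main website.  The dots are escaped so only the
# literal host name matches.
if grep -E -e '^[ ]*redirect.*www\.urlfilterdb\.com/cgi-bin/' "$CONFIG" > /dev/null 2>&1
then
   echo "Substituting redirects to www.urlfilterdb.com/cgi-bin/URLblocked.cgi into"
   echo "redirects to cgibin.urlfilterdb.com to offload the main website of URLfilterDB ..."
   sed -e 's,\(redirect.*\)www\.urlfilterdb\.com,\1cgibin.urlfilterdb.com,' "$CONFIG" > "$TMPFILE"
   commit_config $?
   echo
fi

# An old release documented the option with a typo in its name; fix it everywhere.
if grep -e enforce-https-offical-certificate "$CONFIG" > /dev/null 2>&1
then
   sed -e 's,enforce-https-offical-certificate,enforce-https-official-certificate,g' "$CONFIG" > "$TMPFILE"
   commit_config $?
fi

# HTTPS hardening notices (checked after the typo fix so the corrected name counts).
HTTPS_INCOMPLETE=""
uses_option enforce-https-with-hostname || {
   echo "Notice: the configuration does not use the option enforce-https-with-hostname ====="
   HTTPS_INCOMPLETE=y
}
uses_option enforce-https-official-certificate || {
   echo "Notice: the configuration does not use the option enforce-https-official-certificate ====="
   HTTPS_INCOMPLETE=y
}
uses_option https-prohibit-insecure-sslv2 || {
   echo "Notice: the configuration does not use the new option https-prohibit-insecure-sslv2 ====="
}
if lacks_category security
then
   echo "Notice: the configuration does not use the category \"security\" ====="
   HTTPS_INCOMPLETE=y
fi

if [ -n "$HTTPS_INCOMPLETE" ]
then
   echo "Notice: to have safer HTTPS usage it is recommended to use the security category and ====="
   echo "Notice: the options enforce-https-with-hostname and enforce-https-official-certificate ====="
   echo "Notice: the new option https-prohibit-insecure-sslv2 is optional ====="
   echo
fi

if [ -n "$ADDED" ]
then
   echo "The configuration file was modified to add the categories:$ADDED."
   echo "It is recommended to verify all ACLs for the inclusion of these URL categories ******"
fi

echo

exit 0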