#!/bin/bash # _____ _ _ # | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___ # | __| _| -_| -_| . | . | | . | . | | -_| # |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___| # # Freedom in the Cloud # # Turn logging on or off # License # ======= # # Copyright (C) 2015-2018 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . PROJECT_NAME='freedombone' export TEXTDOMAIN=${PROJECT_NAME}-logging export TEXTDOMAINDIR="/usr/share/locale" WEBSERVER_LOG_LEVEL='warn' # Shredding could be used here, but especially on microSD # or SSD it's debatable how useful shredding really is. # Also the shred command can be very slow on Beaglebone Black REMOVE_FILES_COMMAND='rm -rf' source /usr/local/bin/${PROJECT_NAME}-vars UTILS_FILES="/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*" for f in $UTILS_FILES do source "$f" done APP_FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*" for f in $APP_FILES do source "$f" done APPS_AVAILABLE=() function logging_get_app_names { FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*" for filename in $FILES do app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}') if grep -q "logging_on_" "${filename}"; then if grep -q "logging_off_" "${filename}"; then APPS_AVAILABLE+=("${app_name}") fi fi done } function turn_logging_on { logging_get_app_names # shellcheck disable=SC2068 for a in ${APPS_AVAILABLE[@]} do echo $"Turning on logging for ${a}" "logging_on_${a}" done } function turn_logging_off { logging_get_app_names # shellcheck disable=SC2068 for a in ${APPS_AVAILABLE[@]} do echo $"Turning off logging for ${a}" "logging_off_${a}" done } function turn_off_rsys_logging { if ! grep -q '/var/log/auth.log' /etc/rsyslog.conf; then if ! grep -q '/var/log/kern.log' /etc/rsyslog.conf; then return fi fi sed -i 's|mail,news.none.*|mail,news.none /dev/null|g' /etc/rsyslog.conf sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /dev/null|g' /etc/rsyslog.conf sed -i 's|mail.info.*|mail.info /dev/null|g' /etc/rsyslog.conf sed -i 's|mail.warn.*|mail.warn /dev/null|g' /etc/rsyslog.conf sed -i 's|mail.err.*|mail.err /dev/null|g' /etc/rsyslog.conf sed -i 's|daemon.\*.*|daemon.\* /dev/null|g' /etc/rsyslog.conf sed -i 's|mail.\*.*|mail.\* /dev/null|g' /etc/rsyslog.conf sed -i 's|user.\*.*|user.\* /dev/null|g' /etc/rsyslog.conf sed -i 's|kern.\*.*|kern.\* /dev/null|g' /etc/rsyslog.conf sed -i 's|news.none;mail.none.*|news.none;mail.none /dev/null|g' /etc/rsyslog.conf sed -i 's|\*.\*;auth,authpriv.none.*|\*.\*;auth,authpriv.none /dev/null|g' /etc/rsyslog.conf sed -i 's|#cron.\*|cron.\*|g' /etc/rsyslog.conf sed -i 's|cron.\*.*|cron.\* /dev/null|g' /etc/rsyslog.conf $REMOVE_FILES_COMMAND /var/log/wtmp* $REMOVE_FILES_COMMAND /var/log/debug* $REMOVE_FILES_COMMAND /var/log/cron.* $REMOVE_FILES_COMMAND /var/log/auth.* $REMOVE_FILES_COMMAND /var/log/mail.* $REMOVE_FILES_COMMAND /var/log/daemon.* $REMOVE_FILES_COMMAND /var/log/user.* $REMOVE_FILES_COMMAND /var/log/messages* $REMOVE_FILES_COMMAND /var/log/syslog* $REMOVE_FILES_COMMAND /var/log/alternatives* $REMOVE_FILES_COMMAND /var/log/faillog $REMOVE_FILES_COMMAND /var/log/kern.log* } function turn_on_rsys_logging { if grep -q '/var/log/auth.log' /etc/rsyslog.conf; then return fi sed -i 's|mail,news.none.*|mail,news.none -/var/log/messages|g' /etc/rsyslog.conf sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /var/log/auth.log|g' /etc/rsyslog.conf sed -i 's|mail.info.*|mail.info -/var/log/mail.info|g' /etc/rsyslog.conf sed -i 's|mail.warn.*|mail.warn -/var/log/mail.warn|g' /etc/rsyslog.conf sed -i 's|mail.err.*|mail.err /var/log/mail.err|g' /etc/rsyslog.conf sed -i 's|daemon.\*.*|daemon.\* -/var/log/daemon.log|g' /etc/rsyslog.conf sed -i 's|mail.\*.*|mail.\* -/var/log/mail.log|g' /etc/rsyslog.conf sed -i 's|user.\*.*|user.\* -/var/log/user.log|g' /etc/rsyslog.conf sed -i 's|kern.\*.*|kern.\* -/var/log/kern.log|g' /etc/rsyslog.conf sed -i 's|news.none;mail.none.*|news.none;mail.none -/var/log/debug|g' /etc/rsyslog.conf sed -i 's|\*.\*;auth,authpriv.none.*|\*.\*;auth,authpriv.none -/var/log/syslog|g' /etc/rsyslog.conf sed -i 's|#cron.\*|cron.\*|g' /etc/rsyslog.conf sed -i 's|cron.\*.*|cron.\* /var/log/cron.log|g' /etc/rsyslog.conf } if [ ! "$1" ]; then exit 1 fi if [[ "$1" == "on" || "$1" == "On" || "$1" == "ON" ]]; then turn_logging_on if [ -d /etc/tor ]; then if [ ! -d /var/log/tor ]; then mkdir /var/log/tor chown -R debian-tor:adm /var/log/tor fi if [ ! -f /var/log/tor/notices.log ]; then touch /var/log/tor/notices.log chown debian-tor:adm /var/log/tor/notices.log fi echo 'Log notice file /var/log/tor/notices.log' > /etc/torrc.d/logging fi if [ -f /etc/php/7.0/fpm/php-fpm.conf ]; then sed -i 's|error_log =.*|error_log = /var/log/php-fpm.log|g' /etc/php/7.0/fpm/php-fpm.conf fi if [ -d /etc/nginx ]; then if [ ! -d /var/log/nginx ]; then mkdir /var/log/nginx fi for filename in /etc/nginx/sites-available/* ; do filename_domain=$(echo "$filename" | awk -F '/' '{print $5}') sed -i "s|access_log.*|access_log /var/log/nginx/$filename_domain.access.log;|g" "$filename" sed -i "s|error_log.*|error_log /var/log/nginx/$filename_domain.err.log $WEBSERVER_LOG_LEVEL;|g" "$filename" done sed -i 's|access_log.*|access_log /var/log/nginx/access.log;|g' /etc/nginx/nginx.conf sed -i 's|error_log.*|error_log /var/log/nginx/error.log;|g' /etc/nginx/nginx.conf fi if [ -f /etc/init.d/spamassassin ]; then sed -i "s|DOPTIONS=\"-s null -d --pidfile=\$PIDFILE\"|DOPTIONS=\"-d --pidfile=\$PIDFILE\"|g" /etc/init.d/spamassassin fi if [ -d /etc/exim4 ]; then if [ ! -d /var/log/exim4 ]; then mkdir /var/log/exim4 fi sed -i 's|MAIN_LOG_SELECTOR = .*|MAIN_LOG_SELECTOR = +tls_peerdn|g' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs sed -i 's|MAIN_LOG_SELECTOR = .*|MAIN_LOG_SELECTOR = +tls_peerdn|g' /etc/exim4/exim4.conf.template sed -i 's|log_selector =.*|log_selector = MAIN_LOG_SELECTOR|g' /etc/exim4/conf.d/main/90_exim4-config_log_selector fi if [ -f /etc/dovecot/dovecot.conf ]; then sed -i 's|log_path =.*|log_path = /var/log/dovecot.log|g' /etc/dovecot/dovecot.conf sed -i 's|info_log_path =.*|info_log_path = /var/log/dovecot-info.log|g' /etc/dovecot/dovecot.conf sed -i 's|debug_log_path =.*|debug_log_path = /var/log/dovecot-debug.log|g' /etc/dovecot/dovecot.conf fi if [ -d /etc/mysql ]; then if [ ! -d /var/log/mysql ]; then mkdir /var/log/mysql fi if [ -f /etc/mysql/my.cnf ]; then sed -i 's|log_error =.*|log_error = /var/log/mysql/error.log|g' /etc/mysql/my.cnf fi fi turn_on_rsys_logging turn_on_postgresql_logging else turn_logging_off if [ -d /etc/tor ]; then echo 'Log notice file /dev/null' > /etc/torrc.d/logging rm /var/log/tor/* fi if [ -d /var/log/radicale ]; then $REMOVE_FILES_COMMAND /var/log/radicale/* rm -rf /var/log/radicale fi if [ -f /etc/php/7.0/fpm/php-fpm.conf ]; then sed -i 's|error_log =.*|error_log = /dev/null|g' /etc/php/7.0/fpm/php-fpm.conf $REMOVE_FILES_COMMAND /var/log/php-fpm.* fi if [ -d /etc/nginx ]; then for filename in /etc/nginx/sites-available/* ; do sed -i 's|access_log.*|access_log /dev/null;|g' "$filename" sed -i 's|warn_log.*|warn_log /dev/null;|g' "$filename" sed -i 's|error_log.*|error_log /dev/null;|g' "$filename" done sed -i 's|access_log.*|access_log /dev/null;|g' /etc/nginx/nginx.conf sed -i 's|error_log.*|error_log /dev/null;|g' /etc/nginx/nginx.conf $REMOVE_FILES_COMMAND /var/log/nginx/* fi if [ -f /etc/init.d/spamassassin ]; then sed -i "s|DOPTIONS=\"-d --pidfile=\$PIDFILE\"|DOPTIONS=\"-s null -d --pidfile=\$PIDFILE\"|g" /etc/init.d/spamassassin fi if [ -d /etc/exim4 ]; then sed -i 's|MAIN_LOG_SELECTOR = .*|MAIN_LOG_SELECTOR = -all|g' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs sed -i 's|MAIN_LOG_SELECTOR = .*|MAIN_LOG_SELECTOR = -all|g' /etc/exim4/exim4.conf.template sed -i 's|log_selector =.*|log_selector = -all|g' /etc/exim4/conf.d/main/90_exim4-config_log_selector $REMOVE_FILES_COMMAND /var/log/exim4/* fi if [ -f /etc/dovecot/dovecot.conf ]; then sed -i 's|log_path =.*|log_path = /dev/null|g' /etc/dovecot/dovecot.conf sed -i 's|info_log_path =.*|info_log_path = /dev/null|g' /etc/dovecot/dovecot.conf sed -i 's|debug_log_path =.*|debug_log_path = /dev/null|g' /etc/dovecot/dovecot.conf $REMOVE_FILES_COMMAND /var/log/mail.* $REMOVE_FILES_COMMAND /var/log/dovecot* fi if [ -d /etc/mysql ]; then if [ -d /var/log/mysql ]; then $REMOVE_FILES_COMMAND /var/log/mysql/* fi if [ -f /var/log/mysql.err ]; then $REMOVE_FILES_COMMAND /var/log/mysql.err fi if [ -f /var/log/mysql.log ]; then $REMOVE_FILES_COMMAND /var/log/mysql.log fi if [ -f /etc/mysql/my.cnf ]; then sed -i 's|log_error =.*|log_error = /dev/null|g' /etc/mysql/my.cnf fi fi turn_off_rsys_logging turn_off_postgresql_logging fi if [ -d /etc/exim4 ]; then update-exim4.conf.template -r update-exim4.conf dpkg-reconfigure --frontend noninteractive exim4-config fi if [[ "$2" == "--reboot"* || "$2" == "--restart"* ]]; then # if we are rebooting anyway then there is no need to # restart the daemons exit 0 fi if [ -d /etc/exim4 ]; then systemctl restart exim4 fi systemctl restart syslog if [ -d /etc/tor ]; then if [[ "$2" != "--onion" ]]; then systemctl restart tor fi fi if [ -d /etc/nginx ]; then systemctl restart php7.0-fpm systemctl restart nginx fi if [ -f /etc/init.d/spamassassin ]; then systemctl restart spamassassin fi if [ -d /etc/prosody ]; then systemctl restart prosody fi if [ -d /etc/dovecot ]; then systemctl restart dovecot fi if [ -f /etc/mumble-server.ini ]; then systemctl restart mumble-server fi if [ -d /var/www/radicale ]; then systemctl restart radicale fi if [ -d /etc/matrix ]; then systemctl restart matrix fi if [ -d /etc/postgresql ]; then systemctl restart postgresql fi exit 0