====== Linux.Astra ======
https://habr.com/ru/companies/jetinfosystems/articles/730106/ - экзамен alcsa 1.7 https://tour.astralinux.ru/
Информация по astra 1.7 https://wiki.astralinux.ru/pages/viewpage.action?pageId=137563438 \\
https://wiki.astralinux.ru/fstec/security_measures - реализация мер защиты \\
astra-safepolicy - [[https://wiki.astralinux.ru/pages/viewpage.action?pageId=109020865#id-%D0%98%D0%BD%D1%81%D1%82%D1%80%D1%83%D0%BC%D0%B5%D0%BD%D1%82%D1%8B%D0%BA%D0%BE%D0%BC%D0%B0%D0%BD%D0%B4%D0%BD%D0%BE%D0%B9%D1%81%D1%82%D1%80%D0%BE%D0%BA%D0%B8astrasafepolicy-astra-modeswitchastra-modeswitch|управление безопасностью]] \\
# Switch the security policy level. The comment on the wiki lists 0 basic / 1 enhanced / 2 maximum
# (see details above); NOTE(review): the value 3 used here is not in that list - confirm the valid range
# for astra-safepolicy before running this on a production host.
sudo astra-safepolicy 3 # 0 basic / 1 enhanced / 2 maximum - see details above
# Raise the user's mandatory integrity level (MIC). A high level effectively grants administrative
# trust to that account, so do this only for accounts that really have to administer the system.
sudo pdpl-user -i 63 username #- raise the integrity level
https://dl.astralinux.ru/astra/ astra common edition \\
===== Astra doc =====
* Возможности реализации мер защиты - https://wiki.astralinux.ru/pages/viewpage.action?pageId=181666113
* Установка обновлений с возможностью отката LVM - https://wiki.astralinux.ru/pages/viewpage.action?pageId=67112510
* актуальная документация ищем "Astra Linux Special Edition Эксплуатационная и дополнительная документация"
===== Astra Images =====
https://registry.astralinux.ru/latest/download/ \\
===== Astra boot recovery =====
* Astra ++recovery |
-- Recovery AStra 1.74 from DD
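# Restore an Astra system from dd images kept on a CIFS share.
# WARNING: everything below is destructive for /dev/sda - confirm the target
# device with `lsblk` before running any of it.
# Layout: 1 = EFI system partition, 2 = swap, 3 = LVM PV (vg0/root).
sudo parted /dev/sda mklabel gpt
sudo parted /dev/sda mkpart primary 1MiB 513MiB
sudo parted /dev/sda set 1 boot on
sudo parted /dev/sda mkpart primary 513MiB 550MiB
sudo parted /dev/sda mkpart primary 550MiB 55GB
# GPT type GUIDs: EFI System, Linux swap, Linux LVM
sudo sgdisk --typecode=1:C12A7328-F81F-11D2-BA4B-00A0C93EC93B /dev/sda
sudo sgdisk --typecode=2:0657FD6D-A4AB-43C4-84E5-0933C84B4F4F /dev/sda
sudo sgdisk --typecode=3:A19D880F-05FC-4D3B-A006-743F0F84911E /dev/sda
# Partition GUIDs are pinned so PARTUUID references inside the restored image
# keep resolving - presumably copied from the source machine (TODO confirm).
sudo sgdisk --partition-guid=1:125CDFD1-11A6-C444-BD0A-A7161E0C6947 /dev/sda
sudo sgdisk --partition-guid=2:A690A365-B3FB-A24F-9ED1-585BFCC774F8 /dev/sda
sudo sgdisk --partition-guid=3:251F310F-56EE-694D-941A-44057D9BCFD1 /dev/sda
sudo mkfs.vfat -F 32 /dev/sda1
sudo mkswap /dev/sda2
sudo swapon /dev/sda2
sudo pvcreate /dev/sda3
# Create a volume group (VG) named "vg0" using /dev/sda3
sudo vgcreate vg0 /dev/sda3
# Root LV takes all free space. Partition 3 spans 550MiB..55GB (about 50.7 GiB),
# so a fixed `-L 55G` (55 GiB) cannot fit and lvcreate would fail.
sudo lvcreate -l 100%FREE -n root vg0
# Format the logical volume as ext4 (the dd below overwrites it anyway)
sudo mkfs.ext4 /dev/vg0/root
# Mount the share holding the images. The password is prompted for (or read
# from a credentials= file with mode 0600) - never pass it on the command line.
sudo mkdir -p /mnt/cifs
sudo mount.cifs //10.59.20.200/tmp /mnt/cifs
# Verify the images against a known checksum before writing them to disk; an
# image fetched over SMB is only as trustworthy as the share. The LV must be at
# least as large as vg0-root.img, otherwise dd silently truncates it.
sudo pv /mnt/cifs/rvirt04/boot.img | sudo dd of=/dev/sda1 bs=4M status=progress
sudo fsck /dev/sda1
sudo pv /mnt/cifs/rvirt04/vg0-root.img | sudo dd of=/dev/mapper/vg0-root bs=4M status=progress
# Mount the restored root and chroot into it to reinstall the bootloader.
sudo mkdir -p /mnt/root
sudo mount /dev/vg0/root /mnt/root
sudo mount /dev/sda1 /mnt/root/boot/efi
# --rbind (not --bind) carries submounts such as /dev/pts and
# /sys/firmware/efi/efivars, which grub-install needs to write the UEFI entry.
sudo mount --rbind /dev /mnt/root/dev
sudo mount --rbind /proc /mnt/root/proc
sudo mount --rbind /sys /mnt/root/sys
sudo chroot /mnt/root
grub-install --target=x86_64-efi
update-grub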
new pass test rvirt04 — user vmadmin, password: <redacted: the password was stored here in plaintext; treat it as compromised, rotate it and keep it in a password manager / secret store, not on this wiki page>
deb http://xpen.gorodperm.ru:8080/astra/frozen/1.7_x86-64/1.7.7/repository-main/ 1.7_x86-64 main contrib non-free
deb http://xpen.gorodperm.ru:8080/astra/frozen/1.7_x86-64/1.7.7/repository-base/ 1.7_x86-64 main contrib non-free
deb http://xpen.gorodperm.ru:8080/astra/frozen/1.7_x86-64/1.7.7/repository-extended/ 1.7_x86-64 main contrib non-free
++
===== Astra hint =====
* определить сборку и версию ''/etc/astra/build_version''- https://wiki.astralinux.ru/pages/viewpage.action?pageId=137563146
* структуру репозиториев основной, базовый, расширенный (только для CE) - https://wiki.astralinux.ru/pages/viewpage.action?pageId=149062354
* инструменты командной строки - https://wiki.astralinux.ru/pages/viewpage.action?pageId=109020865
===== Astra терминология =====
* СН - специального назначения (Astra Linux Special Edition)
* МКЦ - мандатный контроль целостности
* МРД - мандатное управление доступом
* ПК СВ - программный комплекс системы виртуализации
* faq - Уровень конф, категории конф и целостность: что есть что, и как с этим работать? - https://wiki.astralinux.ru/pages/viewpage.action?pageId=27362553
* faq - метки безопасности - https://wiki.astralinux.ru/pages/viewpage.action?pageId=48763550
===== Linux.hint =====
* screen tmux killed after logout '' systemd-run --scope --user screen''
/etc/systemd/logind.conf:
#Можно, но учти: KillUserProcesses=no оставляет процессы ВСЕХ пользователей жить после выхода из сессии. Если нужно только для отдельных пользователей/сервисов, оставь KillUserProcesses=yes и используй systemd-run --scope --user и enable-linger ниже
KillUserProcesses=no
KillExcludeUsers=root
#restart systemd-logind
$ sudo systemctl restart systemd-logind
$loginctl enable-linger YOU_USER_NAME
#for start recommendation
$ systemd-run --scope --user screen -AmdS server
* Бесплатная Астра доступна http://dl.astralinux.ru/astra/stable/orel/iso/
===== Astra EMERGENCY network=====
# ethernet configure - networkmanager (VLAN 201 on eth3, DHCP) and ifupdown (eth0, DHCP)
nmcli con add type vlan con-name eth3.201 id 201 dev eth3 vlan.parent eth3 ipv4.method auto
cat << EOF > /etc/network/interfaces.d/eth0
auto eth0
iface eth0 inet dhcp
EOF
# mount CIFS and prepare for install packages
# (the share password is prompted for interactively - keep it off the command line and out of shell history)
mount.cifs //10.59.20.200/test /mnt -o username=eam
# NOTE(review): the share is mounted on /mnt above but the apt config is copied from /tmp/apt - confirm where it comes from
sudo cp -r /tmp/apt /etc/
sudo apt update
sudo apt install openssh-server cifs-utils
# WARNING: disabling the PARSEC PAM module for sshd presumably turns off the mandatory access/integrity
# checks for SSH logins (confirm against the Astra docs). Do this only on a rescue/live system and
# re-enable it before the host goes back into service.
/etc/pam.d/sshd - отключаем parsec
# WARNING: this sets a password for the live user and then exposes sshd on the rescue system.
# Use a strong one-off password (the "astra-live" example is a guessable default) and stop sshd when done.
sudo passwd astra-live # for example astra-live
sudo systemctl start ssh
export http_proxy=http://proxy.gorod.ru:3128/
export https_proxy=http://proxy.gorod.ru:3128/
# WARNING: `curl | bash` executes an unreviewed remote script as the current user and the binary is
# then installed system-wide. Prefer downloading the release archive, checking its published checksum
# and reading the script before running it.
curl https://getmic.ro | bash && sudo mv ./micro /usr/bin
mkdir -p ~/.config/micro/
echo '{ "clipboard": "terminal" }' > ~/.config/micro/settings.json
===== Astra partition=====
# https://internet-lab.ru/mdadm_useful - mdadm useful
# example restore DD with pigz
# Image a partition through pigz; the first dd needs root, the second only writes a regular file.
sudo dd if=/dev/sda1 bs=4M | pigz -c | dd of=/path/to/image.gz bs=4M
# Restore: decompress and write the image onto the target partition.
# Destructive for /dev/md0p1 - double-check the device and verify the image checksum first.
pigz -dc sdc1_prog.gz | dd of=/dev/md0p1 bs=4M status=progress
# create RAID
# Single-member RAID1 (--force is needed for --raid-devices=1); a second disk is added later with --add / -G.
sudo mdadm --create /dev/md0 --level=1 --raid-devices=1 /dev/sdd3 --force
# create LVM
pvcreate /dev/md0
vgcreate vg0 /dev/md0
lvcreate -n root -L 50G vg0
mkfs.ext4 /dev/mapper/vg0-root
# RSYNC
# NOTE(review): -a does not copy ACLs or extended attributes; add -AX (e.g. -axAX) so security labels
# stored in xattrs survive the copy - confirm what the source filesystem carries.
sudo rsync -ax /mnt/1/ /mnt/2/
# CHROOT
# NOTE(review): the root is mounted at /mnt but the ESP goes under /mnt/2/boot/efi - these paths look
# inconsistent with each other and with the rsync step above; verify before chrooting.
mount /dev/sdb2 /mnt/
mount /dev/md0p1 /mnt/2/boot/efi
# Bind the pseudo-filesystems into the chroot (efivars included, so grub-install can write the UEFI entry).
for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount --bind $i /mnt$i; done
chroot /mnt
modify fstab on UUID with lsblk -fs / blkid
!comment /etc/initramfs-tools/conf.d/resume
==== Monitoring program RAID ====
# !!! mismatch_cnt https://web.archive.org/web/20201214182307/https://www.thomas-krenn.com/en/wiki/Mdadm_checkarray_function
# recovery resync https://web.archive.org/web/20160801015011/https://www.thomas-krenn.com/en/wiki/Mdadm_recovery_and_resync
# recovery degraded https://web.archive.org/web/20150102095244/http://www.thomas-krenn.com/en/wiki/Mdadm_recover_degraded_Array
# Mdadm checkarray function
# https://github.com/glensc/nagios-plugin-check_raid
++++ check_linux_raid_mismatch.sh|
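#!/bin/bash
#template from http://www.juliux.de/nagios-plugin-vorlage-bash
# !!! mismatch_cnt https://web.archive.org/web/20201214182307/https://www.thomas-krenn.com/en/wiki/Mdadm_checkarray_function
# recovery resync https://web.archive.org/web/20160801015011/https://www.thomas-krenn.com/en/wiki/Mdadm_recovery_and_resync
# recovery degraded https://web.archive.org/web/20150102095244/http://www.thomas-krenn.com/en/wiki/Mdadm_recover_degraded_Array
# Mdadm checkarray function
# https://github.com/glensc/nagios-plugin-check_raid
#
# Usage: check_linux_raid_mismatch WARNLIMIT CRITLIMIT
#
# Nagios-style check: sums mismatch_cnt over every /sys/block/md*/md and maps
# the total to OK (exit 0) / WARNING (1) / CRITICAL (2). Exits 3 (UNKNOWN)
# when a threshold is missing or not a number, or when no md array exists.
# Perfdata after '|' lists the per-array counter.

usage() {
  echo "Usage: check_linux_raid_mismatch WARNLIMIT CRITLIMIT"
  exit 3
}

WARN_LIMIT=$1
CRIT_LIMIT=$2
# Both thresholds are used in arithmetic below; anything but a non-negative
# integer (including an empty argument) would end in a shell error instead
# of a clean UNKNOWN.
[[ "$WARN_LIMIT" =~ ^[0-9]+$ && "$CRIT_LIMIT" =~ ^[0-9]+$ ]] || usage

# Sum mismatch_cnt across arrays. 'found' tells "no arrays" apart from a
# total of 0 - the original seeded the sum with -1 as a sentinel, which also
# shifted every threshold comparison by one and broke (arithmetic on an empty
# string) when the glob matched nothing.
total=0
found=0
perf_data=""
shopt -s nullglob
for file in /sys/block/md*/md/mismatch_cnt; do
  cnt=$(<"$file") || continue
  [[ "$cnt" =~ ^[0-9]+$ ]] || continue
  found=1
  total=$((total + cnt))
  # /sys/block/<md>/md/mismatch_cnt -> <md>
  md_name=${file#/sys/block/}
  md_name=${md_name%%/*}
  perf_data+="$md_name=$cnt "
done

now=$(date '+%d.%m.%Y %H:%M:%S')
if (( found == 0 )); then
  echo "UNKNOWN - software raid mismatch_cnts not found | $perf_data"
  exit 3
elif (( total < WARN_LIMIT )); then
  echo "OK - all software raid mismatch_cnts are smaller than $WARN_LIMIT / upd:'$now | $perf_data"
  exit 0
elif (( total < CRIT_LIMIT )); then
  echo "WARNING - software raid mismatch_cnts are greater or equal than $WARN_LIMIT / upd:'$now | $perf_data"
  exit 1
else
  echo "CRITICAL - software raid mismatch_cnts are greater or equal than $CRIT_LIMIT / upd:'$now | $perf_data"
  exit 2
fi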
++++
===== Astra grub boot =====
# GRUB boot # https://wiki.debian.org/GrubEFIReinstall https://wiki.archlinux.org/title/GRUB
# check UEFI or Bios
[ -d /sys/firmware/efi ] && echo "UEFI boot" || echo "Legacy boot"
# NOTE(review): grub-pc is the BIOS/legacy bootloader. If the check above says "UEFI boot" the package is
# grub-efi-amd64 and grub-install takes --target=x86_64-efi instead of a disk argument (compare the chroot
# steps earlier on this page).
sudo apt install grub-pc
sudo update-initramfs -u
sudo grub-install --recheck /dev/sda
sudo update-grub
# managing mdadm raid https://www.dmosk.ru/miniinstruktions.php?mini=mdadm#create-raid
# WARNING: zeroes the first MiB of /dev/sdc (partition table and any old md metadata) - destructive,
# double-check the device name before running.
sudo dd if=/dev/zero of=/dev/sdc bs=1M count=1
sudo partprobe /dev/sdc
# MDADM grow active raid
# add the new disk, then raise the member count so it becomes an active mirror (a resync follows)
sudo mdadm --manage /dev/md124 --add /dev/sdc
sudo mdadm -G /dev/md124 --raid-devices=2
# RAID details / resync progress
sudo mdadm -D /dev/md124
# LVM snapshots https://www.tecmint.com/take-snapshot-of-logical-volume-and-restore-in-lvm/
# 1G copy-on-write snapshot of vg0/lv_name; if more than 1G changes on the origin the snapshot is invalidated
lvcreate --size 1G --snapshot --name main_snap /dev/vg0/lv_name
# to keep the active volume as it is, just drop the snapshot
lvremove /dev/vg0/main_snap
# to roll the changes back, unmount the origin and merge the snapshot into it
umount /data
lvconvert --merge /dev/vg0/main_snap