====== Linux.Astra ======
https://habr.com/ru/companies/jetinfosystems/articles/730106/ - экзамен alcsa 1.7 https://tour.astralinux.ru/
Информация по astra 1.7 https://wiki.astralinux.ru/pages/viewpage.action?pageId=137563438 \\
https://wiki.astralinux.ru/fstec/security_measures - реализация мер защиты \\
astra-safepolicy - [[https://wiki.astralinux.ru/pages/viewpage.action?pageId=109020865#id-%D0%98%D0%BD%D1%81%D1%82%D1%80%D1%83%D0%BC%D0%B5%D0%BD%D1%82%D1%8B%D0%BA%D0%BE%D0%BC%D0%B0%D0%BD%D0%B4%D0%BD%D0%BE%D0%B9%D1%81%D1%82%D1%80%D0%BE%D0%BA%D0%B8astrasafepolicy-astra-modeswitchastra-modeswitch|управление безопасностью]] \\
sudo astra-safepolicy 3 # 0 Базовый / 1 Усиленный/ 2 Максимальный - детали смотри выше
sudo pdpl-user -i 63 username #- повышение уровня целостности
https://dl.astralinux.ru/astra/ astra common edition \\
===== Astra doc =====
* Возможности реализации мер защиты - https://wiki.astralinux.ru/pages/viewpage.action?pageId=181666113
* Установка обновлений с возможностью отката LVM - https://wiki.astralinux.ru/pages/viewpage.action?pageId=67112510
* актуальная документация ищем "Astra Linux Special Edition Эксплуатационная и дополнительная документация"
===== Astra Images =====
https://registry.astralinux.ru/latest/download/ \\
===== Astra links =====
- virt KVM - https://wiki.astralinux.ru/pages/viewpage.action?pageId=3277425
- mandat attr - https://wiki.astralinux.ru/pages/viewpage.action?pageId=41191598
- https://github.com/bioinformatics-ptp/kvmBackup/wiki/Create-a-snapshot
===== Astra migration dd / boot recovery =====
* Astra ++dd recovery |
-- Recovery AStra 1.74 from DD
sudo parted /dev/sda mklabel gpt
sudo parted /dev/sda mkpart primary 1MiB 513MiB
sudo parted /dev/sda set 1 boot on
sudo parted /dev/sda mkpart primary 513MiB 550MiB
sudo parted /dev/sda mkpart primary 550MiB 55GB
sudo sgdisk --typecode=1:C12A7328-F81F-11D2-BA4B-00A0C93EC93B /dev/sda
sudo sgdisk --typecode=2:0657FD6D-A4AB-43C4-84E5-0933C84B4F4F /dev/sda
sudo sgdisk --typecode=3:A19D880F-05FC-4D3B-A006-743F0F84911E /dev/sda
sudo sgdisk --partition-guid=1:125CDFD1-11A6-C444-BD0A-A7161E0C6947 /dev/sda
sudo sgdisk --partition-guid=2:A690A365-B3FB-A24F-9ED1-585BFCC774F8 /dev/sda
sudo sgdisk --partition-guid=3:251F310F-56EE-694D-941A-44057D9BCFD1 /dev/sda
sudo mkfs.vfat -F 32 /dev/sda1
sudo mkswap /dev/sda2
sudo swapon /dev/sda2
sudo pvcreate /dev/sda3
# Create a volume group (VG) named "vg0" using /dev/sda3
sudo vgcreate vg0 /dev/sda3
# Create a logical volume (LV) named "root" with a size of 55GB
sudo lvcreate -L 55G -n root vg0
# Format the logical volume as ext4 (or any other filesystem)
sudo mkfs.ext4 /dev/vg0/root
mount.cifs //10.59.20.200/tmp /mnt/cifs
sudo pv /mnt/cifs/rvirt04/boot.img | sudo dd of=/dev/sda1 bs=4M status=progress
fsck /dev/sda1
sudo pv /mnt/cifs/rvirt04/vg0-root.img | sudo dd of=/dev/mapper/vg0-root bs=4M status=progress
# Optionally, mount the new logical volume to /mnt for testing
sudo mkdir -p /mnt/root
sudo mount /dev/vg0/root /mnt/root
sudo mount /dev/sda1 /mnt/root/boot/efi
sudo mount --bind /dev /mnt/root/dev
sudo mount --bind /proc /mnt/root/proc
sudo mount --bind /sys /mnt/root/sys
sudo chroot /mnt/root
grub-install --target=x86_64-efi
update-grub
new pass test rvirt04
vmadmin
ctrhtn1!
deb http://xpen.gorodperm.ru:8080/astra/frozen/1.7_x86-64/1.7.7/repository-main/ 1.7_x86-64 main contrib non-free
deb http://xpen.gorodperm.ru:8080/astra/frozen/1.7_x86-64/1.7.7/repository-base/ 1.7_x86-64 main contrib non-free
deb http://xpen.gorodperm.ru:8080/astra/frozen/1.7_x86-64/1.7.7/repository-extended/ 1.7_x86-64 main contrib non-free
++
===== Astra hint =====
* определить сборку и версию ''/etc/astra/build_version''- https://wiki.astralinux.ru/pages/viewpage.action?pageId=137563146
* структуру репозиториев основной, базовый, расширенный (только для CE) - https://wiki.astralinux.ru/pages/viewpage.action?pageId=149062354
* инструменты командной строки - https://wiki.astralinux.ru/pages/viewpage.action?pageId=109020865
===== Astra теминология =====
* СН - ... назначение
* МКЦ - ман кон цел
* МРД - ман управ дос
* ПК СВ - прог комплекс системы виртуализации
* faq - Уровень конф, категории конф и целостность: что есть что, и как с этим работать? - https://wiki.astralinux.ru/pages/viewpage.action?pageId=27362553
* faq - метки безопасности - https://wiki.astralinux.ru/pages/viewpage.action?pageId=48763550
===== Linux.hint =====
* screen tmux killed after logout '' systemd-run --scope --user sreen''
/etc/systemd/logind.conf:
#Можно
KillUserProcesses=no
KillExcludeUsers=root
#restart systemd-logind
$ sudo systemctl restart systemd-logind
$loginctl enable-linger YOU_USER_NAME
#for start recommendation
$ systemd-run --scope --user screen -AmdS server
* Бесплатная Астра доступна http://dl.astralinux.ru/astra/stable/orel/iso/
===== Astra EMERGENCY network=====
# ethernet configure - networkmanager and networking
nmcli con add type vlan con-name eth3.201 id 201 dev eth3 vlan.parent eth3 ipv4.method auto
cat << EOF > /etc/network/interfaces.d/eth0
auto eth0
iface eth0 inet dhcp
EOF
# mount CIFS and prepare for install packages
mount.cifs //10.59.20.200/test /mnt -o username=eam
sudo cp -r /tmp/apt /etc/
sudo apt update
sudo apt install openssh-server cifs-utils
/etc/pam.d/sshd - отключаем parsec
sudo passwd astra-live # for example astra-live
sudo systemctl start ssh
export http_proxy=http://proxy.gorod.ru:3128/
export https_proxy=http://proxy.gorod.ru:3128/
curl https://getmic.ro | bash && sudo mv ./micro /usr/bin
mkdir -p ~/.config/micro/
echo '{ "clipboard": "terminal" }' > ~/.config/micro/settings.json
===== Astra partition=====
# https://internet-lab.ru/mdadm_useful - mdadm usefull
# example restore DD with pigz
sudo dd if=/dev/sda1 bs=4M | pigz -c | dd of=/path/to/image.gz bs=4M
pigz -dc sdc1_prog.gz | dd of=/dev/md0p1 bs=4M status=progress
# create RAID
sudo mdadm --create /dev/md0 --level=1 --raid-devices=1 /dev/sdd3 --force
# create LVM
pvcreate /dev/md0
vgcreate vg0 /dev/md0
lvcreate -n root -L 50G vg0
mkfs.ext4 /dev/mapper/vg0-root
# RSYNC
sudo rsync -ax /mnt/1/ /mnt/2/
# CHROOT
mount /dev/sdb2 /mnt/
mount /dev/md0p1 /mnt/2/boot/efi
for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount --bind $i /mnt$i; done
chroot /mnt
modify fstab on UUID with lsblk -fs / blkid
!comment /etc/initramfs-tools/conf.d/resume
==== Monitoring program RAID ====
# !!! mismatch_cnt https://web.archive.org/web/20201214182307/https://www.thomas-krenn.com/en/wiki/Mdadm_checkarray_function
# recovery resync https://web.archive.org/web/20160801015011/https://www.thomas-krenn.com/en/wiki/Mdadm_recovery_and_resync
# recovery degraded https://web.archive.org/web/20150102095244/http://www.thomas-krenn.com/en/wiki/Mdadm_recover_degraded_Array
# Mdadm checkarray function
# https://github.com/glensc/nagios-plugin-check_raid
++++ check_linux_raid_mismatch.sh|
#!/bin/bash
#template from http://www.juliux.de/nagios-plugin-vorlage-bash
# !!! mismatch_cnt https://web.archive.org/web/20201214182307/https://www.thomas-krenn.com/en/wiki/Mdadm_checkarray_function
# recovery resync https://web.archive.org/web/20160801015011/https://www.thomas-krenn.com/en/wiki/Mdadm_recovery_and_resync
# recovery degraded https://web.archive.org/web/20150102095244/http://www.thomas-krenn.com/en/wiki/Mdadm_recover_degraded_Array
# Mdadm checkarray function
# https://github.com/glensc/nagios-plugin-check_raid
WARN_LIMIT=$1
CRIT_LIMIT=$2
if [ -z $WARN_LIMIT ] || [ -z $CRIT_LIMIT ];then
echo "Usage: check_linux_raid_mismatch WARNLIMIT CRITLIMIT"
exit 3;
else
DATA=-1
for file in /sys/block/md*/md/mismatch_cnt
do
DATA2=`cat $file`
DATA=$((DATA + DATA2))
MD_NAME=`echo $file | awk 'BEGIN { FS = "/" } ; { print $4 }'`
PERF_DATA+="$MD_NAME=`cat $file` "
done
if [ $DATA -eq -1 ]; then
echo "UNKNOWN - software raid mismatch_cnts not found | $PERF_DATA"
exit 3;
fi
if [ $DATA -lt $WARN_LIMIT ]; then
echo "OK - all software raid mismatch_cnts are smaller than $WARN_LIMIT / upd:'$(date +%d.%m.%Y\ %H:%M:%S) | $PERF_DATA"
exit 0;
fi
if [ $DATA -ge $WARN_LIMIT ] && [ $DATA -lt $CRIT_LIMIT ]; then
echo "WARNING - software raid mismatch_cnts are greater or equal than $WARN_LIMIT / upd:'$(date +%d.%m.%Y\ %H:%M:%S) | $PERF_DATA"
exit 1;
fi
if [ $DATA -ge $CRIT_LIMIT ]; then
echo "CRITICAL - software raid mismatch_cnts are greater or equal than $CRIT_LIMIT / upd:'$(date +%d.%m.%Y\ %H:%M:%S) | $PERF_DATA"
exit 2;
fi
if [ $DATA -eq -1 ]; then
echo "UNKNOWN - software raid mismatch_cnts not found | $PERF_DATA"
exit 3;
fi
fi
++++
===== Astra grub boot =====
# GRUB загрузка # https://wiki.debian.org/GrubEFIReinstall https://wiki.archlinux.org/title/GRUB
# check UEFI or Bios
[ -d /sys/firmware/efi ] && echo "UEFI boot" || echo "Legacy boot"
sudo apt install grub-pc
sudo update-initramfs -u
sudo grub-install --recheck /dev/sda
sudo update-grub
# управление mdadm raid https://www.dmosk.ru/miniinstruktions.php?mini=mdadm#create-raid
sudo dd if=/dev/zero of=/dev/sdc bs=1M count=1
sudo partprobe /dev/sdc
# MDADM grow active raid
sudo mdadm --manage /dev/md124 --add /dev/sdc
sudo mdadm -G /dev/md124 --raid-devices=2
# информация по raid
sudo mdadm -D /dev/md124
# LVM snapshots https://www.tecmint.com/take-snapshot-of-logical-volume-and-restore-in-lvm/
lvcreate --size 1G --snapshot --name main_snap /dev/vg0/lv_name
# если нужно оставить активныфй раздел без изменений
lvremove /dev/vg0/main_snap
# если нужно откатить изменения merge
umount /data
lvconvert --merge /dev/vg0/main_snap
===== Astra migration - old =====
++++ Astra migration - old|
#-- Rvirt04
# Partition the disk using parted
parted /dev/sda mklabel gpt
parted /dev/sda mkpart primary 1MiB 1025MiB # sda1 - /boot/efi
parted /dev/sda mkpart primary 1025MiB 2049MiB # sda2 - swap
parted /dev/sda mkpart primary 2049MiB 300GB # sda3 - LVM
# Format partitions
mkfs.fat -F32 /dev/sda1 # Format sda1 as FAT32 for EFI
mkswap /dev/sda2 # Format sda2 as swap
pvcreate /dev/sda3 # Initialize sda3 as LVM physical volume
# Create LVM structure
vgcreate vg_system /dev/sda3 # Create volume group
lvcreate -L 60G -n lv_root vg_system # Create root logical volume (60GB)
lvcreate -L 100G -n lv_data vg_system # Create data logical volume (100GB)
# Format LVM partitions
mkfs.ext4 /dev/vg_system/lv_root # Format root as ext4
mkfs.ext4 /dev/vg_system/lv_data # Format data as ext4
mount /dev/vg_system/lv_data /mnt/ # Mount data to /mnt/root/data
# Restore the image to the LVM logical volume with progress
sudo pv /mnt/boot.img | sudo dd of=/dev/sda1 bs=4M status=progress
-- get data
# Mount root, boot/efi, and data partitions
mount /dev/vg_system/lv_root /mnt/root # Mount root to /mnt/root
mkdir -p /mnt/root/boot/efi # Create boot/efi directory
mount /dev/sda1 /mnt/root/boot/efi # Mount sda1 to /mnt/root/boot/efi
mkdir -p /mnt/root/data # Create data directory
mount /dev/vg_system/lv_data /mnt/root/data # Mount data to /mnt/root/data
sudo sfdisk /dev/sdX < partition_table_backup.txt
part:
label: gpt
label-id: 7F6B3CF0-40F7-504A-A0D1-9E21442B0E57
device: /dev/sdd
unit: sectors
first-lba: 2048
last-lba: 468862094
/dev/sdd1 : start= 2048, size= 1048576, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=125CDFD1-11A6-C444-BD0A-A7161E0C6947
/dev/sdd2 : start= 1050624, size= 19531776, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=A690A365-B3FB-A24F-9ED1-585BFCC774F8
/dev/sdd3 : start= 20582400, size= 419430400, type=A19D880F-05FC-4D3B-A006-743F0F84911E, uuid=251F310F-56EE-694D-941A-44057D9BCFD1
++++
===== Astra audit ufix =====
{{ :linux:pasted:ufix.zip |}}
++++Src code|
# get
mkdir -p /tmp/ufix
cd /tmp/ufix
scp user@server:/tmp/ufix.zip ./
# archive
FILENAME=$(hostname)_$(date +%Y-%m-%d).tgz; tar -czf "$FILENAME" --exclude ufix.tgz --exclude "ufix 1.sh" --exclude "$FILENAME" .
chmod 777 ./ufix
chmod u+x ./ufix
./ufix -jR /boot /bin /sbin /lib /usr /bin/ /lib/security /etc/init.d /etc/opt/drweb.com /etc/opt/kaspersky > ListFile.txt
./ufix -e ./ListFile.txt
./ufix -h ./ListFile.prj
systemctl list-dependencies > services.txt
lsb_release -a > lsb.txt
apt list --installed > astra_apt_list.txt
yum list --installed > redos_yum_list.txt
dpkg -l > dpkg.txt
dpkg --get-selections | grep -v deinstall > pkgs.txt
cat /etc/ssh/sshd_config > ssh_conf.txt
cat /etc/astra/build_version > astra_build.txt
cat /etc/audit/auditd.conf > audit1.txt
cat /etc/audit/audit.rules > auditrul.txt
cat /etc/audit/audit.rules.prev > audrulpr.txt
cat /etc/audit/audit-stop.rules > audstop.txt
cat /etc/audit/rules.d > rules.txt
ip a > ip.txt
uname -a > uname.txt # Информация о ядре и системе
uptime > uptime.txt # Время работы системы
hostnamectl > hostname.txt # Информация о хосте
dmesg > dmesg.txt # Запись сообщений ядра
lsblk > lsblk.txt # Информация о блоковых устройствах
df -h > disk_usage.txt # Информация о свободном месте на дисках
free -h > memory_usage.txt # Информация о потреблении памяти
top -b -n 1 > top.txt # Состояние процессов
ps aux > processes.txt # Список запущенных процессов
ip route > ip_route.txt # Таблица маршрутизации
cat /etc/hosts > hosts.txt # Содержимое файла hosts
cat /etc/network/interfaces > interfaces.txt # Настройки сетевых интерфейсов
netstat -tuln > netstat.txt # Состояние сетевых соединений
ss -tuln > ss_list.txt # Альтернативная команда для сетевых соединений
iptables -L -v -n > iptables.txt # Правила iptables
firewall-cmd --list-all > firewall.txt # Настройки Firewall (если используется firewalld)
tcpdump -i any -c 100 > tcpdump.txt # Сниффинг трафика
cat /etc/passwd > passwd.txt # Список пользователей
cat /etc/shadow > shadow.txt # Хеши паролей
cat /etc/group > group.txt # Список групп
last > last_logins.txt # Последние входы в систему
auditctl -l > audit_current_rules.txt # Текущие правила аудита
ausearch -m avc -ts recent > selinux.txt # Логи SELinux
find /etc/ -perm -4000 -o -perm -2000 > setuid_setgid.txt # Поиск SUID/SGID файлов
chkconfig --list > services_runlevel.txt # Уровни запуска служб
rpm -qa > rpm_installed.txt # Установленные пакеты RPM
snap list > snap_installed.txt # Установленные пакеты Snap
cat /var/log/auth.log > auth_log.txt # Логи аутентификации (на Ubuntu)
cat /var/log/secure > secure_log.txt # Логи безопасности (на CentOS)
cat /var/log/syslog > syslog.txt # Общая информация о системе
cat /var/log/messages > messages_log.txt # Основные системные сообщения
cat /etc/ssh/ssh_config > ssh_client_conf.txt # Конфигурация клиента SSH
++++
===== Astra config =====
* Astra Set ++timezone|
timedatectl status
timedatectl set-timezone Asia/Yekaterinburg
++