====== Linux.Astra ======

https://habr.com/ru/companies/jetinfosystems/articles/730106/ - ALCSA 1.7 exam \\
https://tour.astralinux.ru/ \\
Information on Astra 1.7 - https://wiki.astralinux.ru/pages/viewpage.action?pageId=137563438 \\
https://wiki.astralinux.ru/fstec/security_measures - implementation of protection measures \\
astra-safepolicy - [[https://wiki.astralinux.ru/pages/viewpage.action?pageId=109020865#id-%D0%98%D0%BD%D1%81%D1%82%D1%80%D1%83%D0%BC%D0%B5%D0%BD%D1%82%D1%8B%D0%BA%D0%BE%D0%BC%D0%B0%D0%BD%D0%B4%D0%BD%D0%BE%D0%B9%D1%81%D1%82%D1%80%D0%BE%D0%BA%D0%B8astrasafepolicy-astra-modeswitchastra-modeswitch|security management]] \\
<code BASH>
sudo astra-safepolicy 3       # 0 Basic / 1 Enhanced / 2 Maximum - see the link above for details
sudo pdpl-user -i 63 username # raise the user's integrity level
</code>
https://dl.astralinux.ru/astra/ astra common edition \\

===== Astra doc =====
  * Options for implementing protection measures - https://wiki.astralinux.ru/pages/viewpage.action?pageId=181666113
  * Installing updates with the option of LVM rollback - https://wiki.astralinux.ru/pages/viewpage.action?pageId=67112510
  * current documentation: search for "Astra Linux Special Edition Эксплуатационная и дополнительная документация"

===== Astra Images =====
https://registry.astralinux.ru/latest/download/ \\

===== Astra links =====
  - virt KVM - https://wiki.astralinux.ru/pages/viewpage.action?pageId=3277425
  - mandatory attributes - https://wiki.astralinux.ru/pages/viewpage.action?pageId=41191598
  - https://github.com/bioinformatics-ptp/kvmBackup/wiki/Create-a-snapshot

===== Astra migration dd / boot recovery =====
  * Astra ++dd recovery |
<code BASH>
# -- Recovery of Astra 1.74 from DD images
sudo parted /dev/sda mklabel gpt
sudo parted /dev/sda mkpart primary 1MiB 513MiB      # sda1 - /boot/efi
sudo parted /dev/sda set 1 boot on
sudo parted /dev/sda mkpart primary 513MiB 550MiB    # sda2 - swap
sudo parted /dev/sda mkpart primary 550MiB 55GB      # sda3 - LVM
# GPT type codes: 1 = EFI System, 2 = Linux swap, 3 = Linux LVM
sudo sgdisk --typecode=1:C12A7328-F81F-11D2-BA4B-00A0C93EC93B /dev/sda
sudo sgdisk --typecode=2:0657FD6D-A4AB-43C4-84E5-0933C84B4F4F /dev/sda
sudo sgdisk --typecode=3:A19D880F-05FC-4D3B-A006-743F0F84911E /dev/sda
# restore the original partition GUIDs so that references inside the restored system keep working
sudo sgdisk --partition-guid=1:125CDFD1-11A6-C444-BD0A-A7161E0C6947 /dev/sda
sudo sgdisk --partition-guid=2:A690A365-B3FB-A24F-9ED1-585BFCC774F8 /dev/sda
sudo sgdisk --partition-guid=3:251F310F-56EE-694D-941A-44057D9BCFD1 /dev/sda
sudo mkfs.vfat -F 32 /dev/sda1
sudo mkswap /dev/sda2
sudo swapon /dev/sda2
sudo pvcreate /dev/sda3
# Create a volume group (VG) named "vg0" using /dev/sda3
sudo vgcreate vg0 /dev/sda3
# Create a logical volume (LV) named "root" using all free space of the VG
# (the partition is just under 55 GiB, so a fixed -L 55G is rejected by lvcreate with "insufficient free space")
sudo lvcreate -l 100%FREE -n root vg0
# Format the logical volume as ext4 (or any other filesystem)
sudo mkfs.ext4 /dev/vg0/root
# fetch the images from the CIFS share and write them to the new partitions
mount.cifs //10.59.20.200/tmp /mnt/cifs
sudo pv /mnt/cifs/rvirt04/boot.img | sudo dd of=/dev/sda1 bs=4M status=progress
fsck /dev/sda1
sudo pv /mnt/cifs/rvirt04/vg0-root.img | sudo dd of=/dev/mapper/vg0-root bs=4M status=progress
# Optionally, mount the new logical volume to /mnt for testing
sudo mkdir -p /mnt/root
sudo mount /dev/vg0/root /mnt/root
sudo mount /dev/sda1 /mnt/root/boot/efi
sudo mount --bind /dev /mnt/root/dev
sudo mount --bind /proc /mnt/root/proc
sudo mount --bind /sys /mnt/root/sys
# reinstall the UEFI boot loader from inside the restored system
sudo chroot /mnt/root
grub-install --target=x86_64-efi
update-grub
# new password, test host rvirt04: vmadmin ctrhtn1!
# /etc/apt/sources.list entries for the frozen 1.7.7 repository mirror (main, base, extended)
deb http://xpen.gorodperm.ru:8080/astra/frozen/1.7_x86-64/1.7.7/repository-main/ 1.7_x86-64 main contrib non-free
deb http://xpen.gorodperm.ru:8080/astra/frozen/1.7_x86-64/1.7.7/repository-base/ 1.7_x86-64 main contrib non-free
deb http://xpen.gorodperm.ru:8080/astra/frozen/1.7_x86-64/1.7.7/repository-extended/ 1.7_x86-64 main contrib non-free
</code>
++

===== Astra hint =====
  * determine the build and version: ''/etc/astra/build_version'' - https://wiki.astralinux.ru/pages/viewpage.action?pageId=137563146
  * repository structure: main, base, extended (only for CE) - https://wiki.astralinux.ru/pages/viewpage.action?pageId=149062354
  * command-line tools - https://wiki.astralinux.ru/pages/viewpage.action?pageId=109020865

===== Astra terminology =====
<WRAP group>
<WRAP half column>
  * СН - ... purpose
  * МКЦ - mandatory integrity control (мандатный контроль целостности)
  * МРД - mandatory access control (мандатное разграничение доступа)
  * ПК СВ - virtualization system software suite (программный комплекс средств виртуализации)
</WRAP>
<WRAP half column>
  * faq - Confidentiality level, confidentiality categories and integrity: what is what, and how to work with them - https://wiki.astralinux.ru/pages/viewpage.action?pageId=27362553
  * faq - security labels - https://wiki.astralinux.ru/pages/viewpage.action?pageId=48763550
</WRAP>
</WRAP>

===== Linux.hint =====
  * screen/tmux killed after logout: ''systemd-run --scope --user screen''
<code BASH>
# /etc/systemd/logind.conf:
# alternatively: KillUserProcesses=no
KillExcludeUsers=root
# restart systemd-logind
$ sudo systemctl restart systemd-logind
$ loginctl enable-linger YOUR_USER_NAME
# recommended way to start screen so it survives logout
$ systemd-run --scope --user screen -AmdS server
</code>
  * The free Astra edition is available at http://dl.astralinux.ru/astra/stable/orel/iso/

===== Astra EMERGENCY network =====
<code BASH>
# ethernet configuration - NetworkManager and networking
nmcli con add type vlan con-name eth3.201 id 201 dev eth3 vlan.parent eth3 ipv4.method auto
cat << EOF > /etc/network/interfaces.d/eth0
auto eth0
iface eth0 inet dhcp
EOF
# mount CIFS and prepare for installing packages
mount.cifs //10.59.20.200/test /mnt -o username=eam
sudo cp -r /tmp/apt /etc/
sudo apt update
sudo apt install openssh-server cifs-utils
# /etc/pam.d/sshd - disable parsec
sudo passwd astra-live      # for example astra-live
sudo systemctl start ssh
export http_proxy=http://proxy.gorod.ru:3128/
export https_proxy=http://proxy.gorod.ru:3128/
curl https://getmic.ro | bash && sudo mv ./micro /usr/bin
mkdir -p ~/.config/micro/
echo '{ "clipboard": "terminal" }' > ~/.config/micro/settings.json
</code>

===== Astra partition =====
<code BASH>
# https://internet-lab.ru/mdadm_useful - useful mdadm commands
# example: image a partition with dd + pigz and restore it
sudo dd if=/dev/sda1 bs=4M | pigz -c | dd of=/path/to/image.gz bs=4M
pigz -dc sdc1_prog.gz | dd of=/dev/md0p1 bs=4M status=progress
# create RAID (single-member RAID1; --force is needed for raid-devices=1)
sudo mdadm --create /dev/md0 --level=1 --raid-devices=1 /dev/sdd3 --force
# create LVM
pvcreate /dev/md0
vgcreate vg0 /dev/md0
lvcreate -n root -L 50G vg0
mkfs.ext4 /dev/mapper/vg0-root
# RSYNC
sudo rsync -ax /mnt/1/ /mnt/2/
# CHROOT
mount /dev/sdb2 /mnt/
mount /dev/md0p1 /mnt/2/boot/efi
for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount --bind $i /mnt$i; done
chroot /mnt
# update fstab with the new UUIDs (lsblk -fs / blkid)
# comment out the RESUME entry in /etc/initramfs-tools/conf.d/resume
</code>

==== Monitoring program RAID ====
<code BASH>
# !!! mismatch_cnt https://web.archive.org/web/20201214182307/https://www.thomas-krenn.com/en/wiki/Mdadm_checkarray_function
# recovery resync https://web.archive.org/web/20160801015011/https://www.thomas-krenn.com/en/wiki/Mdadm_recovery_and_resync
# recovery degraded https://web.archive.org/web/20150102095244/http://www.thomas-krenn.com/en/wiki/Mdadm_recover_degraded_Array
# Mdadm checkarray function
# https://github.com/glensc/nagios-plugin-check_raid
</code>
++++ check_linux_raid_mismatch.sh|
<code BASH check_linux_raid_mismatch.sh>
#!/bin/bash
# template from http://www.juliux.de/nagios-plugin-vorlage-bash
# !!! mismatch_cnt https://web.archive.org/web/20201214182307/https://www.thomas-krenn.com/en/wiki/Mdadm_checkarray_function
# recovery resync https://web.archive.org/web/20160801015011/https://www.thomas-krenn.com/en/wiki/Mdadm_recovery_and_resync
# recovery degraded https://web.archive.org/web/20150102095244/http://www.thomas-krenn.com/en/wiki/Mdadm_recover_degraded_Array
# Mdadm checkarray function
# https://github.com/glensc/nagios-plugin-check_raid
WARN_LIMIT=$1
CRIT_LIMIT=$2

if [ -z "$WARN_LIMIT" ] || [ -z "$CRIT_LIMIT" ]; then
    echo "Usage: check_linux_raid_mismatch WARNLIMIT CRITLIMIT"
    exit 3
fi

# Sum mismatch_cnt over all md arrays. FOUND records whether any array exists at all:
# the earlier DATA=-1 sentinel made a single clean array (count 0) report UNKNOWN.
shopt -s nullglob
DATA=0
FOUND=0
PERF_DATA=""
for file in /sys/block/md*/md/mismatch_cnt; do
    DATA2=$(cat "$file")
    DATA=$((DATA + DATA2))
    FOUND=1
    MD_NAME=$(echo "$file" | awk 'BEGIN { FS = "/" } ; { print $4 }')
    PERF_DATA+="$MD_NAME=$DATA2 "
done
NOW=$(date +%d.%m.%Y\ %H:%M:%S)

if [ $FOUND -eq 0 ]; then
    echo "UNKNOWN - software raid mismatch_cnts not found | $PERF_DATA"
    exit 3
fi
if [ $DATA -lt $WARN_LIMIT ]; then
    echo "OK - all software raid mismatch_cnts are smaller than $WARN_LIMIT / upd: $NOW | $PERF_DATA"
    exit 0
fi
if [ $DATA -lt $CRIT_LIMIT ]; then
    echo "WARNING - software raid mismatch_cnts are greater or equal than $WARN_LIMIT / upd: $NOW | $PERF_DATA"
    exit 1
fi
echo "CRITICAL - software raid mismatch_cnts are greater or equal than $CRIT_LIMIT / upd: $NOW | $PERF_DATA"
exit 2
</code>
++++

===== Astra grub boot =====
<code BASH>
# GRUB boot
# https://wiki.debian.org/GrubEFIReinstall https://wiki.archlinux.org/title/GRUB
# check UEFI or BIOS
[ -d /sys/firmware/efi ] && echo "UEFI boot" || echo "Legacy boot"
sudo apt install grub-pc      # BIOS/legacy package; on a UEFI system the package is grub-efi-amd64
sudo update-initramfs -u
sudo grub-install --recheck /dev/sda
sudo update-grub
# managing mdadm raid https://www.dmosk.ru/miniinstruktions.php?mini=mdadm#create-raid
sudo dd if=/dev/zero of=/dev/sdc bs=1M count=1   # wipe the old partition table of the disk being added
sudo partprobe /dev/sdc
# MDADM grow active raid
sudo mdadm --manage /dev/md124 --add /dev/sdc
sudo mdadm -G /dev/md124 --raid-devices=2
# raid information
sudo mdadm -D /dev/md124
# LVM snapshots https://www.tecmint.com/take-snapshot-of-logical-volume-and-restore-in-lvm/
lvcreate --size 1G --snapshot --name main_snap /dev/vg0/lv_name
# if the active volume should be kept as it is, just drop the snapshot
lvremove /dev/vg0/main_snap
# if the changes should be rolled back, merge the snapshot
umount /data
lvconvert --merge /dev/vg0/main_snap
</code>

===== Astra migration - old =====
++++ Astra migration - old|
<code BASH>
# -- Rvirt04
# Partition the disk using parted
parted /dev/sda mklabel gpt
parted /dev/sda mkpart primary 1MiB 1025MiB      # sda1 - /boot/efi
parted /dev/sda mkpart primary 1025MiB 2049MiB   # sda2 - swap
parted /dev/sda mkpart primary 2049MiB 300GB     # sda3 - LVM
# Format partitions
mkfs.fat -F32 /dev/sda1   # Format sda1 as FAT32 for EFI
mkswap /dev/sda2          # Format sda2 as swap
pvcreate /dev/sda3        # Initialize sda3 as LVM physical volume
# Create LVM structure
vgcreate vg_system /dev/sda3            # Create volume group
lvcreate -L 60G -n lv_root vg_system    # Create root logical volume (60GB)
lvcreate -L 100G -n lv_data vg_system   # Create data logical volume (100GB)
# Format LVM partitions
mkfs.ext4 /dev/vg_system/lv_root   # Format root as ext4
mkfs.ext4 /dev/vg_system/lv_data   # Format data as ext4
mount /dev/vg_system/lv_data /mnt/   # Mount data to /mnt/ temporarily, to receive the images
# Restore the boot image to the EFI partition (sda1) with progress
sudo pv /mnt/boot.img | sudo dd of=/dev/sda1 bs=4M status=progress
# -- get data
# Mount root, boot/efi, and data partitions
mount /dev/vg_system/lv_root /mnt/root        # Mount root to /mnt/root
mkdir -p /mnt/root/boot/efi                   # Create boot/efi directory
mount /dev/sda1 /mnt/root/boot/efi            # Mount sda1 to /mnt/root/boot/efi
mkdir -p /mnt/root/data                       # Create data directory
mount /dev/vg_system/lv_data /mnt/root/data   # Mount data to /mnt/root/data
# Partition table backup of the source disk in sfdisk dump format (as produced by sfdisk -d /dev/sdd)
cat > partition_table_backup.txt << 'EOF'
label: gpt
label-id: 7F6B3CF0-40F7-504A-A0D1-9E21442B0E57
device: /dev/sdd
unit: sectors
first-lba: 2048
last-lba: 468862094
/dev/sdd1 : start= 2048, size= 1048576, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=125CDFD1-11A6-C444-BD0A-A7161E0C6947
/dev/sdd2 : start= 1050624, size= 19531776, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=A690A365-B3FB-A24F-9ED1-585BFCC774F8
/dev/sdd3 : start= 20582400, size= 419430400, type=A19D880F-05FC-4D3B-A006-743F0F84911E, uuid=251F310F-56EE-694D-941A-44057D9BCFD1
EOF
# Write the saved partition table to the target disk
sudo sfdisk /dev/sdX < partition_table_backup.txt
</code>
++++

===== Astra audit ufix =====
{{ :linux:pasted:ufix.zip |}}
++++Src code|
<code BASH>
# get
mkdir -p /tmp/ufix
cd /tmp/ufix
scp user@server:/tmp/ufix.zip ./
# archive
FILENAME=$(hostname)_$(date +%Y-%m-%d).tgz; tar -czf "$FILENAME" --exclude ufix.tgz --exclude "ufix 1.sh" --exclude "$FILENAME" .
chmod 777 ./ufix
chmod u+x ./ufix
./ufix -jR /boot /bin /sbin /lib /usr /bin/ /lib/security /etc/init.d /etc/opt/drweb.com /etc/opt/kaspersky > ListFile.txt
./ufix -e ./ListFile.txt
./ufix -h ./ListFile.prj
systemctl list-dependencies > services.txt
lsb_release -a > lsb.txt
apt list --installed > astra_apt_list.txt
yum list --installed > redos_yum_list.txt
dpkg -l > dpkg.txt
dpkg --get-selections | grep -v deinstall > pkgs.txt
cat /etc/ssh/sshd_config > ssh_conf.txt
cat /etc/astra/build_version > astra_build.txt
cat /etc/audit/auditd.conf > audit1.txt
cat /etc/audit/audit.rules > auditrul.txt
cat /etc/audit/audit.rules.prev > audrulpr.txt
cat /etc/audit/audit-stop.rules > audstop.txt
cat /etc/audit/rules.d/*.rules > rules.txt   # rules.d is a directory; collect the rule files inside it
ip a > ip.txt
uname -a > uname.txt                 # Kernel and system information
uptime > uptime.txt                  # System uptime
hostnamectl > hostname.txt           # Host information
dmesg > dmesg.txt                    # Kernel message log
lsblk > lsblk.txt                    # Block device information
df -h > disk_usage.txt               # Free disk space
free -h > memory_usage.txt           # Memory usage
top -b -n 1 > top.txt                # Process state
ps aux > processes.txt               # List of running processes
ip route > ip_route.txt              # Routing table
cat /etc/hosts > hosts.txt           # Contents of the hosts file
cat /etc/network/interfaces > interfaces.txt   # Network interface settings
netstat -tuln > netstat.txt          # Network connection state
ss -tuln > ss_list.txt               # Alternative command for network connections
iptables -L -v -n > iptables.txt     # iptables rules
firewall-cmd --list-all > firewall.txt   # Firewall settings (if firewalld is used)
tcpdump -i any -c 100 > tcpdump.txt  # Traffic capture sample (100 packets)
cat /etc/passwd > passwd.txt         # User list
cat /etc/shadow > shadow.txt         # Password hashes: the resulting archive must be stored with restricted permissions
cat /etc/group > group.txt           # Group list
last > last_logins.txt               # Last logins
auditctl -l > audit_current_rules.txt   # Current audit rules
ausearch -m avc -ts recent > selinux.txt   # SELinux logs
find /etc/ -perm -4000 -o -perm -2000 > setuid_setgid.txt   # Search for SUID/SGID files
chkconfig --list > services_runlevel.txt   # Service runlevels
rpm -qa > rpm_installed.txt          # Installed RPM packages
snap list > snap_installed.txt       # Installed Snap packages
cat /var/log/auth.log > auth_log.txt   # Authentication logs (on Ubuntu)
cat /var/log/secure > secure_log.txt   # Security logs (on CentOS)
cat /var/log/syslog > syslog.txt     # General system log
cat /var/log/messages > messages_log.txt   # Main system messages
cat /etc/ssh/ssh_config > ssh_client_conf.txt   # SSH client configuration
</code>
++++

===== Astra config =====
  * Astra Set ++timezone|
<code BASH>
timedatectl status
timedatectl set-timezone Asia/Yekaterinburg
</code>
++

linux/astra.txt · Last modified: 2025/05/22 19:47 by admin
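The dd recovery and migration sections above write images with `pv | dd` and never confirm what landed on the partition. The following is an added example, not code from this page: it refuses an image that is larger than the target and hashes the written range afterwards. `blockdev`, `stat -c`, `head -c` and `sha256sum` are assumed to be available (GNU coreutils/util-linux); the demo uses constructed files in place of the real devices.

```shell
# Added example: restore a raw image onto a target and verify the written bytes.
# Works on block devices (size via blockdev) and on plain files, which the demo uses as stand-in devices.
set -u

target_size() {   # size in bytes of a block device or of a regular file
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# restore_image IMAGE TARGET
# 0 = written and verified, 1 = image does not fit (nothing written), 2 = hash mismatch after writing
restore_image() {
    local img=$1 tgt=$2 img_size tgt_size want got
    img_size=$(stat -c %s "$img")
    tgt_size=$(target_size "$tgt")
    if [ "$img_size" -gt "$tgt_size" ]; then
        echo "refusing: image is $img_size bytes, target holds only $tgt_size bytes" >&2
        return 1
    fi
    # notrunc keeps a file target at its size (a device cannot shrink anyway); fsync flushes before hashing
    dd if="$img" of="$tgt" bs=4M conv=notrunc,fsync status=none
    want=$(sha256sum < "$img" | cut -d' ' -f1)
    got=$(head -c "$img_size" "$tgt" | sha256sum | cut -d' ' -f1)   # hash only the written range
    if [ "$want" != "$got" ]; then
        echo "verification FAILED: $tgt does not match $img" >&2
        return 2
    fi
    echo "verified $img -> $tgt ($img_size bytes, sha256 $want)"
}

# demo_restore: constructed 4 KiB "boot image" and an 8 KiB zero-filled stand-in for /dev/sda1
# in a temporary directory; returns the status of restore_image (0 on success).
demo_restore() {
    local dir
    dir=$(mktemp -d)
    yes 'constructed ESP payload' | head -c 4096 > "$dir/boot.img"
    head -c 8192 /dev/zero > "$dir/fake-sda1"
    restore_image "$dir/boot.img" "$dir/fake-sda1"
}
```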
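The "Astra migration - old" section restores a saved GPT layout with `sfdisk /dev/sdX < partition_table_backup.txt`, which overwrites the target's table without checking that the dump fits it. The following is an added example, not code from this page: it parses the dump format shown above and reports a non-GPT label, partitions outside the first-lba/last-lba window, overlapping partitions, a first partition that is not an EFI System Partition, and a target disk too small for the dump. TARGET_SECTORS is assumed to come from `blockdev --getsz /dev/sdX` with 512-byte sectors (GPT keeps 33 backup sectors after last-lba); the demo dump reuses the values from the page.

```shell
# Added example: sanity-check an sfdisk dump before feeding it to `sfdisk /dev/sdX < dump`.
ESP_TYPE=C12A7328-F81F-11D2-BA4B-00A0C93EC93B   # EFI System Partition type GUID

# check_sfdisk_dump DUMPFILE [TARGET_SECTORS]
# Prints every problem found; returns 1 if there were any, 0 otherwise.
check_sfdisk_dump() {
    awk -v target="$2" -v esp="$ESP_TYPE" '
    /^label:/     { label = $2 }
    /^first-lba:/ { first = $2 }
    /^last-lba:/  { last = $2 }
    /^\/dev\/[^ ]* : / {
        # "/dev/sdd1 : start= 2048, size= 1048576, type=GUID, uuid=GUID" -> v["start"], v["size"], v["type"]
        name = $1; line = $0; sub(/^[^:]*: */, "", line)
        split("", v); n = split(line, kv, /, */)
        for (i = 1; i <= n; i++) { split(kv[i], p, /= */); v[p[1]] = p[2] }
        start = v["start"] + 0; end = start + v["size"] - 1; parts++
        if (start < first || end > last)
            { bad++; print name ": sectors " start "-" end " fall outside " first "-" last }
        if (parts == 1 && v["type"] != esp)
            { bad++; print name ": first partition is not an EFI System Partition" }
        if (start <= prev_end) { bad++; print name ": overlaps the previous partition" }
        prev_end = end
    }
    END {
        if (label != "gpt") { bad++; print "label is \"" label "\", expected gpt" }
        if (target != "" && last + 34 > target)   # backup GPT header and entries follow last-lba
            { bad++; print "dump needs " last + 34 " sectors, target has only " target }
        exit (bad > 0)
    }' "$1"
}

# write_demo_dump FILE: constructed dump in the same format as the page's partition_table_backup.txt
write_demo_dump() {
    cat > "$1" <<'EOF'
label: gpt
label-id: 7F6B3CF0-40F7-504A-A0D1-9E21442B0E57
device: /dev/sdd
unit: sectors
first-lba: 2048
last-lba: 468862094
/dev/sdd1 : start= 2048, size= 1048576, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=125CDFD1-11A6-C444-BD0A-A7161E0C6947
/dev/sdd2 : start= 1050624, size= 19531776, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=A690A365-B3FB-A24F-9ED1-585BFCC774F8
/dev/sdd3 : start= 20582400, size= 419430400, type=A19D880F-05FC-4D3B-A006-743F0F84911E, uuid=251F310F-56EE-694D-941A-44057D9BCFD1
EOF
}
```

Typical use: `check_sfdisk_dump partition_table_backup.txt "$(blockdev --getsz /dev/sdX)" && sudo sfdisk /dev/sdX < partition_table_backup.txt`.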