Astra Linux 1.6 (Smolensk): is the system ready for ordinary users? Examples of workarounds



User neutralization and the process of installing a new OS



Hi, Habr. Today we want to share our experience of migrating one organization (hereinafter the Customer) to a domestic OS as part of meeting import-substitution requirements. It should be said straight away that the Customer selected and purchased this OS on its own; we got the pleasure of deploying and tuning it and of meeting the information protection requirements.



Task



There is a state information system (hereinafter GIS) of security class 2 with about 1000 broadly similar users, each with a strictly defined set of duties. The GIS itself consists of web services spread over about 30 sites with local databases. There are also remote workstations in outlying settlements. There is a common domain (though not everywhere), and there are local and corporate network shares. In places the fleet of computers and office equipment is far from new, and the links between sites are weak. There are local system administrators and head administrators. In short, the typical situation of a medium-sized state institution before the great migration to domestic software.



Problems, tests, study





1. We connected a share through Astra's graphical file manager (fly-fm). Russian file names display fine on Windows shares, but they turn into unreadable garbage when the files are copied to the desktop or elsewhere on the local disk. We worked through this with the developers; the problem is involved, although fixes exist.



There is a way to mount shares with standard Linux tools, independent of Astra-specific software. It works, but it needs time to be tested under real conditions. Preliminary tests showed that file names are not mangled on display or copy, but there are compatibility problems with some Windows Server versions, in particular around file access restrictions on the share when a Linux client connects. We are testing the connection with the various options recommended by the developers of cifs-utils, the package responsible for mounting shares. Sometimes we use autofs; in other cases we write instructions on how not to do what users are used to.



2. Related to the first. When shares are mounted from Astra's fly-fm, users cannot save files from Firefox directly to the share. They need two operations: first save from Firefox to the desktop, then move the document to the share. The same applies when uploading a file to a site: first copy it from the share to the desktop, then upload it from there into their databases.



This is because Firefox uses its own open/save dialog, in which there is no way to reach the symbolic link to the share that fly-fm created.



This problem would not exist if Astra used one of the popular Linux desktop environments instead of its own. For now, the options are autofs or written instructions for employees on how to copy and download files.



3. Sharing USB printers on the network. There are two standard options, the CUPS print server and Samba, and neither worked with default settings. We switched CUPS into client mode, connecting to the CUPS instance of another computer, and that worked, with one caveat: a client can have only one print server, and a computer configured in client mode cannot use its own locally attached printers, because its local print server is bypassed.



4. Institutions often use macros in documents from the previous office suite. These macros are not directly compatible with LibreOffice: its native macro language is LibreOffice Basic (with Python, JavaScript and BeanShell bindings also available), not VBA, and LibreOffice's VBA compatibility mode covers only part of that language.



Moreover, the Astra developers removed everything Java-related from the distribution, since Java belongs to the American company Oracle, so the Java-based macro bindings are unavailable as well. In practice the existing VBA macros cannot be carried over into Astra's office suite; the only options are emulation or a nearby Windows computer.



Conclusions and decisions



Based on the analysis of the infrastructure, we decided that automating the switch to the domestic OS could lead to unexpected trouble. That approach could only be applied at headquarters (the central office), where problems can be dealt with quickly. Although the district sites had fairly typical workplaces and workflows, this does not give full standardization or the possibility of a "silent install".



What still prevented a simultaneous installation over the network:





As a result, we decided to build the most universal distribution possible and deploy it on site by hand. We also had to set up technical support channels for the field system administrators, for consultations and for passing on experience with their specific duties.



On the topic of switching to domestic software in general: at present, migration of many applications remains unresolved, both quite standard ones and exotic ones (including in-house software). Migrating to a new OS therefore also means finding fresh solutions for the users' tasks and, possibly, a significant change to an organization's existing workflows. That in turn may require updating or revising design and certification documents, and other philosophical reflection on information security across the country.



Migration in this organization continues. The stages are mapped out, and the next sites and workstations have been selected for the switch. The project is also being aligned with the top-down plan for the transition to domestic software at our other and new customers. The process is hard going, sometimes urgent; various approaches are tested and then applied. There is plenty of material for analysis and for the choice of solutions, which we will cover as far as possible.



Further technical details, shamanism and workarounds.



Flash drive preparation and installation



1. To install, you will need a USB flash drive or other external USB drive, formatted as NTFS, of at least 16 GB. The Porteus image is 270 MB; it is essentially a portable Linux, needed only to run our installer script. The image of the installed Astra Linux is 8 GB. If you wish, you can shrink the image by about half a gigabyte, and then an 8 GB flash drive is enough.



2. Copy the system image and the directory tree of the Porteus portable OS, which we modified slightly, onto the drive.



3. Make the flash drive bootable by running the installer script that ships with Porteus:

 /boot/Porteus-installer-for-Linux.com (from Linux)
 /boot/Porteus-installer-for-Windows.exe (from Windows)





4. Boot from the prepared drive and follow the instructions:







For Porteus, we created a module containing a bash script for deploying Astra Linux in interactive mode.







The script scans the boot drive for system images, allows you to select a disk to install the system, deploys the image to it, and allows you to make some settings before the system first boots up.



Script
 #!/bin/sh
 # Interactive deployer for the Astra Linux disk image, run from the Porteus live stick.
 # The Russian prompt and status strings did not survive extraction; the messages
 # below are reconstructed from context.

 # Release any swap partitions the live system may have activated on the target disk.
 for i in $(grep dev /proc/swaps | awk '{print $1}'); do swapoff "$i"; done

 DIALOG=${DIALOG=dialog}
 tempfile=$(mktemp 2>/dev/null)  || tempfile=/tmp/temp$$
 tempfile1=$(mktemp 2>/dev/null) || tempfile1=/tmp/temp1$$
 tempfile2=$(mktemp 2>/dev/null) || tempfile2=/tmp/temp2$$
 tempfile3=$(mktemp 2>/dev/null) || tempfile3=/tmp/temp3$$
 tempfile4=$(mktemp 2>/dev/null) || tempfile4=/tmp/temp4$$

 # Image selection: *.di files are searched on the NTFS (fuseblk) boot stick.
 setimage () {
     mdevs=$(mount | grep fuseblk | awk '{print $3}')
     cd /
     $DIALOG --backtitle "Select the image to deploy:" \
         --menu "Images found on the boot drive" 15 80 5 \
         $(find $mdevs -name '*.di' -type f | awk '{print $0,"image"}') 2> "$tempfile"
     retval=$?
     case $retval in
         0) input=$(cat "$tempfile")          # full path of the image file
            image=$(basename "$input")        # name shown in later prompts
            echo "Selected image: $image"
            sleep 2;;
         1) echo "Cancelled."; exit 0;;
         255) echo "ESC pressed."; exit 0;;
     esac
 }

 # Disk selection: every whole disk fdisk reports, minus the stick we booted from.
 setdisk () {
     sdisk=$(mount | grep fuseblk | awk '{print $1}' | awk -F/ '{print $3}' | tr -d '[0-9]')
     $DIALOG --backtitle "Select the target disk for $image:" \
         --menu "$(parted -l | grep -E '| \/')" 15 80 5 \
         $(fdisk -l | grep " /" | grep "/dev/s" | awk '{print $2,$1}' | awk -F: '{print $1,$2}' | sed "/$sdisk/d") 2> "$tempfile1"
     retval=$?
     case $retval in
         0) output=$(cat "$tempfile1")                       # e.g. /dev/sda
            disk=$(echo "$output" | awk -F/ '{print $3}')    # e.g. sda
            echo "Disk $disk will be overwritten with $image"
            sleep 2;;
         1) echo "Cancelled."; exit 0;;
         255) echo "ESC pressed."; exit 0;;
     esac
 }

 # Raw clone: wipe the MBR, then stream the image onto the disk, polling dd for progress.
 cloning () {
     umount -l "${output}"* 2>/dev/null
     dd if=/dev/zero of="$output" bs=512 count=1
     clear; sleep 1
     echo "Writing $image to $disk..."
     dd if="$input" of="$output" bs=8M 2>/tmp/error & pid=$!
     sleep 2
     while [ -d /proc/$pid ]; do
         kill -USR1 "$pid" 2>/dev/null   # ask dd to report progress into /tmp/error
         sleep 10; clear
         tail -n 2 /tmp/error
     done
     clear
     tail -n 3 /tmp/error
     echo "Done."
     rm -f /tmp/error
     sleep 2
 }

 # Grow partition 2 (root; it starts at 2 GB in the image) to the end of the disk.
 resizepart () {
     echo "Partition before resize:"
     fdisk -l "${output}2" | head -n 1
     echo "Resizing root partition on $disk..."
     parted -s "$output" rm 2
     parted -s "$output" mkpart primary 2GB 100%
     e2fsck -f -y "${output}2"     # resize2fs requires a checked filesystem
     resize2fs "${output}2"
     echo "Partition after resize:"
     fdisk -l "${output}2" | head -n 1
     sleep 2
 }

 # Hostname: written into the cloned root, which stays mounted for the rest of the run.
 root=""
 sethost () {
     $DIALOG --inputbox "Hostname for this machine:" 10 80 2> "$tempfile2" || { echo "Cancelled."; exit 0; }
     hostn=$(cat "$tempfile2")
     root=/mnt/${disk}2
     mkdir -p "$root"
     mount "${output}2" "$root"
     echo "$hostn" > "$root/etc/hostname"
     cat << ENDFILE > "$root/etc/hosts"
127.0.0.1 localhost
127.0.1.1 $hostn
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ENDFILE
     echo "Hostname set: $(cat "$root/etc/hostname")"
     sleep 2
 }

 # Local user: created inside the cloned root via chroot. parsec_pam del/add temporarily
 # disables Astra's PARSEC PAM stack so useradd/chpasswd work outside a running system.
 adduser () {
     $DIALOG --inputbox "Username:" 8 40 2> "$tempfile3" || { echo "Cancelled."; exit 0; }
     name=$(cat "$tempfile3")
     $DIALOG --insecure --passwordbox "Password for $name:" 8 40 2> "$tempfile3" || { echo "Cancelled."; exit 0; }
     pass=$(cat "$tempfile3")
     passf=$root/tmp/pass
     cat << ENDFILE > "$passf"
#!/bin/sh
parsec_pam del
useradd -m -N -s /bin/bash -G cdrom,audio,video,floppy,plugdev,dialout,users $name
echo "$name:$pass" | chpasswd
passwd -w 14 -x 90 $name
parsec_pam add
ENDFILE
     chmod 700 "$passf"
     chroot "$root" /tmp/pass
     rm -f "$passf"   # do not leave the plaintext password on the installed system
     echo "User created: $name"
     sleep 2
 }

 # Kaspersky Endpoint Security (kesl) update source: a local FTP mirror chosen per site.
 # The FTP credential below is the one from the original script: a shared plaintext
 # password baked into every image. Use a read-only FTP account for it and keep the file root-only.
 kasper () {
     $DIALOG --inputbox "IP of the FTP server with AV database updates:" 10 80 2> "$tempfile4" || { echo "Cancelled."; exit 0; }
     kftp=$(cat "$tempfile4")
     obnovftp=$root/opt/kaspersky/kesl/bin/kesl-obnovftp
     cat << ENDFILE > "$obnovftp"
SourceType=Custom
ConnectionTimeout=10
[CustomSources.item_1]
URL=ftp://ftpuser:1qwertyuiop_0@$kftp/Updates
Enabled=Yes
ENDFILE
     chmod 600 "$obnovftp"
     echo "Update FTP server: $kftp"
     sleep 2
 }

 # Edit the autofs map of network shares for this site by hand.
 autofs () {
     mcedit "$root/etc/auto.share"
 }

 # Summary before reboot.
 state () {
     echo "Image $image has been deployed to $disk."
     echo "Partition table of $disk:"
     fdisk -l "/dev/$disk"
     echo "Update FTP server: $(grep URL "$obnovftp" | awk -F@ '{print $2}' | awk -F/ '{print $1}')"
     echo "Hostname: $(cat "$root/etc/hostname")"
     echo "User: $name"
     echo "Groups:"
     grep "$name" "$root/etc/group" | awk -F: '{print $1}'
     sync
     echo "Finished. Type reboot or press Ctrl+Alt+Del to restart."
 }

 # Program start:
 setimage
 setdisk
 cloning
 resizepart
 sethost
 adduser
 kasper
 autofs
 state
 exit 0
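One check the installer does not perform: verifying the image before dd overwrites the target disk. An 8 GB file carried on an NTFS stick to 30 sites can be truncated, corrupted or swapped without anyone noticing, and dd will write whatever it finds. The following is an added example, not part of the original script or the Porteus module. It assumes a SHA256SUMS file written with `sha256sum astra.di > SHA256SUMS` on the machine that built the image and copied to the stick next to the .di file; the file names and the `verify_image`/`verified_clone` functions are this example's own.

```shell
#!/bin/sh
# Added example: verify a disk image against a SHA256SUMS list before cloning it.
# Assumed layout (not from the original post): the image and a SHA256SUMS file,
# produced with `sha256sum astra.di > SHA256SUMS` on the build machine, sit side by side.

# verify_image IMAGE SUMS
#   returns 0 when the recorded and computed digests match,
#   1 on mismatch, 2 when the list has no entry for this image.
verify_image() {
    img=$1
    sums=$2
    name=$(basename "$img")
    # sha256sum writes "HEX  NAME"; pick the line whose name matches ours.
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum recorded for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$img" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum MISMATCH for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "checksum OK: $name"
    return 0
}

# Drop-in guard for the installer's cloning step: refuse to write an unverified image.
# Usage: verified_clone IMAGE SUMS TARGET_DISK
verified_clone() {
    verify_image "$1" "$2" || return $?
    # Reached only with a verified image; same dd invocation the installer uses.
    dd if="$1" of="$3" bs=8M
}

# Stand-alone use: verify_image.sh IMAGE SUMS
if [ "$#" -ge 2 ]; then
    verify_image "$1" "$2"
fi
```

Hashing 8 GB from a USB 2.0 stick takes a few minutes, which is still far cheaper than a half-written disk at a remote site. Keep the SHA256SUMS file somewhere other than the stick as well (a ticket, a wiki page), so a stick that was tampered with wholesale is caught too.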







Changes we made to the system configuration



1. Turned on the numeric keypad on the login screen; by default it was off. Option NumLock=On in the configuration file:

/etc/X11/fly-dm/fly-dmrc



2. Eliminated artifacts and slow window rendering on integrated Intel video by enabling the UXA acceleration method in the file:



/etc/X11/xorg.conf.d/20-intel.conf



 Section "Device"
     Identifier "Intel Graphics"
     Driver "intel"
     Option "AccelMethod" "uxa"
     Option "TearFree" "true"
     Option "Tiling" "true"
 EndSection

 Section "Extensions"
     Option "Composite" "Enable"
     Option "RENDER" "Enable"
 EndSection

 Section "ServerFlags"
     Option "AIGLX" "true"
 EndSection





3. Added the ability to make the local CUPS print server a client of another server. This makes printers attached by USB to other Linux machines usable when connecting to them over the network through the web interface fails.



Created file:



/etc/cups/client.conf



 #ServerName 10.12.xx

Here you need to uncomment the line and complete it with the address of the remote machine that has the printer. After that, the printer is immediately available for printing. Note that once ServerName is set, every CUPS client on the machine (lp, lpstat, the web page at localhost:631) talks to the remote server, so printers attached locally to this machine are no longer reachable.



4. Rewrote the font mapping configuration files and added the ability to enable and disable anti-aliasing system-wide rather than per application. One caveat on the alias file below: it maps monospace, mono and Courier New to the proportional PT Sans, so terminals and code editors lose column alignment; a monospaced face from the same family (PT Mono, if installed) is the better target for those three entries. Likewise Times is aliased to PT Sans while Times New Roman goes to PT Serif.



Files:



/etc/fonts/conf.avail/11-fontsalias.conf



Code
 <?xml version="1.0"?>
 <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
 <fontconfig>
   <alias>
     <family>serif</family>
     <prefer><family>PT Sans</family></prefer>
   </alias>
   <alias>
     <family>sans-serif</family>
     <prefer><family>PT Sans</family></prefer>
   </alias>
   <alias>
     <family>sans</family>
     <prefer><family>PT Sans</family></prefer>
   </alias>
   <alias>
     <family>monospace</family>
     <prefer><family>PT Sans</family></prefer>
   </alias>
   <alias>
     <family>mono</family>
     <prefer><family>PT Sans</family></prefer>
   </alias>

   <match>
     <test name="family"><string>Arial</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Helvetica</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Verdana</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Tahoma</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <!-- Insert joke here -->
     <test name="family"><string>Comic Sans MS</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Times New Roman</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Serif</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Times</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Courier New</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Arimo</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Roboto</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>OpenSymbol</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Noto Sans</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Carlito</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Fixed</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
   <match>
     <test name="family"><string>Lucida</string></test>
     <edit name="family" mode="assign" binding="strong">
       <string>PT Sans</string>
     </edit>
   </match>
 </fontconfig>







/etc/fonts/conf.avail/12-noaa.conf



Code
 <?xml version="1.0"?>
 <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
 <!-- /etc/fonts/local.conf file for local customizations -->
 <fontconfig>
   <match target="font">
     <edit mode="assign" name="hinting"><bool>true</bool></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="antialias"><bool>false</bool></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="embeddedbitmap"><bool>false</bool></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="hintstyle"><const>hintfull</const></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="autohint"><bool>false</bool></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="lcdfilter"><const>lcdlight</const></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="rgba"><const>rgb</const></edit>
   </match>
   <match target="pattern">
     <edit mode="assign" name="dpi"><double>96</double></edit>
   </match>
 </fontconfig>







/etc/fonts/conf.avail/13-aa.conf



Code
 <?xml version="1.0"?>
 <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
 <!-- /etc/fonts/local.conf file for local customizations -->
 <fontconfig>
   <match target="font">
     <edit mode="assign" name="hinting"><bool>true</bool></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="antialias"><bool>true</bool></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="embeddedbitmap"><bool>false</bool></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="hintstyle"><const>hintslight</const></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="autohint"><bool>false</bool></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="lcdfilter"><const>lcdlight</const></edit>
   </match>
   <match target="font">
     <edit mode="assign" name="rgba"><const>rgb</const></edit>
   </match>
   <match target="pattern">
     <edit mode="assign" name="dpi"><double>96</double></edit>
   </match>
 </fontconfig>







Anti-aliasing is turned on and off by the scripts:

/usr/local/bin/aaon

/usr/local/bin/aaoff



5. Added a network folder for scanning from network MFPs that can save images over the SMB protocol. To the standard Samba server configuration file:

/etc/samba/smb.conf

the following section was added:



 [scan]
     path = /var/scan
     comment = scan
     read only = no
     guest ok = no
     guest only = no
     valid users = scan
     create mask = 0666
     directory mask = 0777





as well as a commented-out section for quickly creating a public exchange folder:



 #[share]
 #    path = /var/share
 #    comment = share
 #    read only = no
 #    guest ok = yes
 #    create mask = 0666
 #    directory mask = 0777





A Samba user scan is registered with the password scan. This account only ever needs to write into /var/scan, so keep it a Samba-only account with no login shell and treat the password as a secret shared with the MFPs; note that the 0666/0777 masks above make everything the MFPs drop there readable and writable by every local user.



6. A skeleton of settings has been created for newly registered local users of the system. It contains minor changes to the appearance of the desktop, changed settings for user applications, certificates for connecting the browser to the necessary network resources, etc. Some changes will be described in detail later in the text.



7. An rc-local service unit was created for systemd. This makes it possible, when needed, to run arbitrary scripts at system initialization.



Files:



/etc/rc.local



 #!/bin/sh -e
 exit 0





/etc/systemd/system/rc-local.service



 [Unit]
 Description=/etc/rc.local Compatibility
 ConditionPathExists=/etc/rc.local

 [Service]
 Type=forking
 ExecStart=/etc/rc.local start
 TimeoutSec=0
 StandardOutput=tty
 RemainAfterExit=yes
 SysVStartPriority=99

 [Install]
 WantedBy=multi-user.target





8. Added proprietary Xerox drivers for some network printers.



9. The autofs package was installed and configured. It mounts network folders through cifs-utils at the system level. To the file:



/etc/auto.master



added line:



 /mnt /etc/auto.share --ghost --timeout=60





and created a map file with the mount instructions inside:



/etc/auto.share
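The contents of /etc/auto.share are not shown above. The following is an added example, not the post's own map, of how such a map can be generated so that the SMB password never appears in the map file itself (autofs maps are usually world-readable, and inline `password=` options also show up in `mount` output and the process list). It assumes the master line above, so each key is mounted at /mnt/KEY; the server name fs01, the shares docs and scan, the uid/gid 1000 and the credentials file path are assumptions for illustration. `iocharset=utf8` is the cifs-utils option that keeps Cyrillic file names intact.

```shell
#!/bin/sh
# Added example (not from the original post): generate /etc/auto.share entries for
# autofs + cifs-utils, keeping the SMB password out of the map file.
# Assumed names: server fs01, shares "docs" and "scan", uid/gid 1000, credentials path.

# Root-only credentials file. mount.cifs reads it itself, so the password never
# appears in /etc/auto.share, in `mount` output, or in the process list.
write_cifs_credentials() {
    # $1 = file to create, $2 = domain, $3 = username, $4 = password
    rm -f "$1"
    ( umask 077 && printf 'domain=%s\nusername=%s\npassword=%s\n' "$2" "$3" "$4" > "$1" )
}

# One autofs map line: KEY -fstype=cifs,OPTIONS ://SERVER/SHARE
# uid/gid hand the files to the workstation's local user, since autofs mounts as root;
# file_mode/dir_mode keep other local accounts out of the mounted share.
autofs_cifs_entry() {
    # $1 = key (mounted at /mnt/KEY), $2 = server, $3 = share,
    # $4 = credentials file, $5 = uid, $6 = gid
    printf '%s -fstype=cifs,credentials=%s,iocharset=utf8,uid=%s,gid=%s,file_mode=0660,dir_mode=0770 ://%s/%s\n' \
        "$1" "$4" "$5" "$6" "$2" "$3"
}

# Write the whole map. $1 = map file, $2 = credentials file, $3 = uid, $4 = gid,
# remaining arguments = "key:server:share" triples.
write_auto_share() {
    map=$1; cred=$2; uid=$3; gid=$4
    shift 4
    : > "$map"
    for spec in "$@"; do
        key=${spec%%:*}
        rest=${spec#*:}
        server=${rest%%:*}
        share=${rest#*:}
        autofs_cifs_entry "$key" "$server" "$share" "$cred" "$uid" "$gid" >> "$map"
    done
}

# Stand-alone use writes under TARGET (default /etc); point TARGET at a scratch
# directory to dry-run. Password read from the CIFS_PASSWORD environment variable.
if [ -n "${RUN_EXAMPLE:-}" ]; then
    target=${TARGET:-/etc}
    write_cifs_credentials "$target/auto.share.cred" "CORP" "wsuser" "${CIFS_PASSWORD:?set CIFS_PASSWORD}"
    write_auto_share "$target/auto.share" "$target/auto.share.cred" 1000 1000 \
        docs:fs01:docs scan:fs01:scan
    cat "$target/auto.share"
fi
```

After writing the map, `systemctl reload autofs` and `ls /mnt/docs` should trigger the mount; if an old Windows Server refuses the connection, add a `vers=` option (for example `vers=2.1`) to the entry, which is exactly the kind of per-server tuning the first problem above required.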



10. A script was written to set the update server for Kaspersky Anti-Virus and check for database updates:



/usr/local/bin/kasperftp



 #!/bin/sh
 # Re-point the kesl update task (task id 6) at the FTP mirror described in
 # /opt/kaspersky/kesl/bin/kesl-obnovftp, then run an update and watch its events.
 # The original Russian status messages were lost in extraction and are reconstructed here.
 echo "Stopping the update task..."
 /opt/kaspersky/kesl/bin/kesl-control --stop-task 6
 sleep 2
 echo "Applying the update source settings."
 /opt/kaspersky/kesl/bin/kesl-control --set-settings 6 --file /opt/kaspersky/kesl/bin/kesl-obnovftp
 echo "Starting the update..."
 /opt/kaspersky/kesl/bin/kesl-control --start-task 6
 /opt/kaspersky/kesl/bin/kesl-control -W
 exit 0





11. Added desktop wallpaper and a custom theme for the system’s welcome screen.



Connecting printers.



Printers are configured through the CUPS web interface in a browser at http://127.0.0.1:631 or http://localhost:631.



The page is translated into Russian and is intuitive. Installing a printer requires system administrator rights. To publish printers on the network, two items must be enabled in the server settings.



When adding a network printer, AppSocket / HP JetDirect or the Internet Printing Protocol (ipp) with the ip address is usually used.



If a network printer does not connect with these methods, you can make the local CUPS print server a client of another server by editing /etc/cups/client.conf and specifying the network address of the machine the printers are attached to. In that case no drivers need to be installed locally. Although the CUPS database holds a huge number of drivers, vendor drivers are sometimes required.



For some Xerox network printers we have already installed the proprietary drivers and a configurator, launched with the command:



 xeroxprtmgr
      
      





Once the printer is detected, select it and specify the queue name, which also becomes the printer's name in the system. Some printer models are configured by default to print a banner page with a job number for every job; find this option in the queue settings and disable it.



If you have an HP printer, it is better to use the vendor drivers, which are also preinstalled. Go to Control Panel > Equipment > Install the additional HP plug-in, and from there > Install HP printers, faxes, scanners.



Scanners



To install a scanner, run scanimage -L in a terminal as the system administrator. If a scanner is found, the output shows its name. If the output is empty, look for vendor drivers on the Internet.



That's all for now. Share your experience in implementing domestic OS in the comments.


