Untitled 1

Published 16 days ago · 39 views


I. System Initialization and Network Configuration

  1. Operating System Installation
  • Action: Install Rocky Linux 9.3 (Minimal Install) with kernel version ≥ 5.15.

  • Steps:

    • Boot from the Rocky Linux 9.3 ISO and select "Minimal Install."

    • Configure disk partitions:

      • /boot: 2GB (xfs)

      • /: 100GB (xfs)

      • Remaining space on the 500GB SSD reserved for LVM.

    • Verify the kernel version after installation:

      ```bash
      uname -r
      ```

      Ensure the output shows kernel ≥ 5.15 (e.g., 5.15.x).

  2. Network Configuration
  • Main Interface (ens192):

    • Assign static IP: 192.168.30.20/24

    • Gateway: 192.168.30.1

    • DNS: 223.5.5.5, 223.6.6.6

    • Commands:

      ```bash
      nmcli con mod ens192 ipv4.addresses 192.168.30.20/24
      nmcli con mod ens192 ipv4.gateway 192.168.30.1
      nmcli con mod ens192 ipv4.dns "223.5.5.5 223.6.6.6"
      nmcli con mod ens192 ipv4.method manual
      nmcli con up ens192
      ```

  • Backup Interface (ens224):

    • Configure DHCP for emergency maintenance:

      ```bash
      nmcli con mod ens224 ipv4.method auto
      nmcli con up ens224
      ```

  • Verification:

    ```bash
    nmcli con show
    ip addr show ens192
    ip addr show ens224
    ```
  3. SSH Security Hardening
  • Disable Root Login:

    ```bash
    sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
    ```

    On Rocky 9 the stock sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for a keyword, so a drop-in in that directory (the installer writes one when root login with a password was allowed at install time) takes precedence over this edit. Confirm the effective setting after restarting sshd rather than trusting the file edit alone.

  • Enable SSH Key Authentication:

    • Place the ops_admin SSH public key (e.g., ssh-ed25519 AAAAC3Nz... ops@key) in /home/ops_admin/.ssh/authorized_keys. This assumes an ops_admin user account exists; section II creates users ops1..ops3 in the ops_admin group, so substitute the actual account name:

      ```bash
      mkdir -p /home/ops_admin/.ssh
      echo 'ssh-ed25519 AAAAC3Nz... ops@key' > /home/ops_admin/.ssh/authorized_keys
      chmod 700 /home/ops_admin/.ssh          # StrictModes rejects group/world-writable .ssh
      chmod 600 /home/ops_admin/.ssh/authorized_keys
      chown -R ops_admin:ops_admin /home/ops_admin/.ssh
      ```

    • Disable password authentication:

      ```bash
      sed -i 's/^#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
      ```

  • Restart SSH:

    ```bash
    sshd -t && systemctl restart sshd   # validate the config first so a typo cannot lock you out
    ```

  • Automatic Security Updates:

    • Install and configure dnf-automatic:

      ```bash
      dnf install -y dnf-automatic
      sed -i 's/apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf
      systemctl enable --now dnf-automatic.timer
      ```

    • Schedule updates at 3 AM daily:

      ```bash
      systemctl edit dnf-automatic.timer
      ```

      Add:

      ```ini
      [Timer]
      OnCalendar=
      OnCalendar=*-*-* 03:00:00
      ```

      The empty OnCalendar= line clears the schedule shipped in the packaged unit; without it systemd keeps both schedules and the timer fires twice a day.
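Why the drop-in precedence matters, shown with an added example that is not from the original guide: a small bash resolver that reads sshd_config the way sshd does (Include expanded in place, first value wins), run on a constructed copy of a Rocky 9 layout under a temporary $ROOT. walk_sshd_config, sshd_effective and the fixture paths are this example's own names.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: an Include-aware resolver for
# sshd_config that mimics sshd's "first value read wins" rule, run against a
# constructed copy of a fresh Rocky 9 layout (main file plus an installer
# drop-in). It shows the sed above leaving root login enabled and the drop-in
# that fixes it. Everything under $ROOT is a constructed fixture.
set -u

# Print "Keyword value" lines in the order sshd reads them, expanding Include in place.
walk_sshd_config() {
  local file=$1 key val inc
  [ -r "$file" ] || return 0
  while read -r key val; do
    case "$key" in
      ''|'#'*) continue ;;
      [Ii]nclude)
        for inc in $val; do        # unquoted on purpose: the glob must expand
          walk_sshd_config "$inc"
        done ;;
      *) printf '%s %s\n' "$key" "$val" ;;
    esac
  done < "$file"
}

# Effective value of one keyword (case-insensitive); first match wins, as in sshd.
sshd_effective() {  # $1 = keyword, $2 = main sshd_config path
  walk_sshd_config "$2" | awk -v k="$1" 'tolower($1)==tolower(k) {print $2; exit}'
}

# Constructed fixture: Rocky 9 main file with its Include line, plus the
# drop-in the installer writes when root password login was allowed.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/ssh/sshd_config.d"
printf 'PermitRootLogin yes\n' > "$ROOT/etc/ssh/sshd_config.d/01-permitrootlogin.conf"
printf 'Include %s/etc/ssh/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\n#PasswordAuthentication yes\n' \
  "$ROOT" > "$ROOT/etc/ssh/sshd_config"

# The guide's edit touches only the commented line in the main file...
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' "$ROOT/etc/ssh/sshd_config"
AFTER_SED=$(sshd_effective PermitRootLogin "$ROOT/etc/ssh/sshd_config")      # still "yes"

# ...so the robust fix is a drop-in that sorts before the installer's file.
printf 'PermitRootLogin no\nPasswordAuthentication no\n' \
  > "$ROOT/etc/ssh/sshd_config.d/00-hardening.conf"
AFTER_DROPIN=$(sshd_effective PermitRootLogin "$ROOT/etc/ssh/sshd_config")   # "no"
echo "PermitRootLogin after sed: $AFTER_SED, after drop-in: $AFTER_DROPIN"
```

On a real host the same check is `sshd -T | grep -i permitrootlogin`, which prints the value sshd actually uses.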
      

II. User and Group Management

  1. Create Groups

  ```bash
  groupadd dev_team
  groupadd test_team
  groupadd ops_admin
  ```

  2. Create Users and Set Policies
  • Create Users (example for 35 dev_team, 12 test_team, 3 ops_admin):

    ```bash
    for i in {1..35}; do
      useradd -G dev_team -s /bin/bash dev$i
      chage -d 0 dev$i  # Force password change on first login
    done
    for i in {1..12}; do
      useradd -G test_team -s /bin/bash test$i
      chage -d 0 test$i
    done
    for i in {1..3}; do
      useradd -G ops_admin -s /bin/bash ops$i
      chage -d 0 ops$i
    done
    ```

    The accounts are created without a password, so an initial one has to be set (for example with passwd) before the user can log in; chage -d 0 then forces them to pick their own at that first login.

  • Password Policy (12 characters, mixed case, numbers, symbols):

    ```bash
    dnf install -y libpwquality
    sed -i 's/^# minlen.*/minlen = 12/' /etc/security/pwquality.conf
    sed -i 's/^# minclass.*/minclass = 4/' /etc/security/pwquality.conf
    ```
  3. Configure sudo Permissions
  • dev_team (docker, git):

    ```bash
    echo "%dev_team ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/git" > /etc/sudoers.d/dev
    chmod 0440 /etc/sudoers.d/dev   # the mode sudo expects for drop-ins
    ```

    Both docker and git can start other programs (docker through the root-owned daemon, git through its configurable pager, editor and hooks), so passwordless sudo on them is effectively unrestricted root for dev_team. Treat this as a deliberate trade-off and rely on the audit log below to keep its use reviewable.

  • test_team (nginx restart):

    ```bash
    echo "%test_team ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx" > /etc/sudoers.d/test
    chmod 0440 /etc/sudoers.d/test
    ```

  • Prevent dev_team from accessing /etc:

    ```bash
    setfacl -m g:dev_team:--- /etc
    ```

    A named-group ACL entry with no permissions denies dev_team members all access to /etc, including world-readable files such as /etc/passwd, /etc/ld.so.cache and /etc/profile that every login shell and dynamically linked program reads, so their sessions will break. Check the result with getfacl and test a dev_team login before keeping this entry.

  • sudo Audit Logging:

    ```bash
    echo "Defaults logfile=/var/log/sudo_audit.log" >> /etc/sudoers
    visudo -cf /etc/sudoers   # syntax-check; a broken sudoers locks everyone out of sudo
    ```
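An added example (not the guide's own code) that audits the sudoers.d drop-ins just written, run against a constructed copy in a temporary directory: it flags files that do not have the 0440 mode and NOPASSWD rules whose command can launch other programs. sudoers_risky_rules and sudoers_bad_modes are names chosen here, and the docker/git classification is this example's assumption.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: a small audit of the
# /etc/sudoers.d drop-ins written above, run against a constructed copy.
# It checks the two things a reviewer looks at: file modes (sudo expects
# 0440 and ignores drop-ins that are group- or world-writable) and NOPASSWD
# rules whose command can launch other programs, which make the rule
# equivalent to unrestricted root. docker and git, granted to dev_team in
# the guide, both fall in that class (docker drives the root-owned daemon;
# git runs a configurable pager, editor and hooks).
set -u

# Print "file: rule" for each active NOPASSWD rule granting ALL, a shell,
# docker or git. Comment lines are skipped.
sudoers_risky_rules() {  # $1 = sudoers.d directory
  local f
  for f in "$1"/*; do
    grep -v '^[[:space:]]*#' "$f" |
      grep -E 'NOPASSWD:.*(ALL|/docker|/git|/bash|/sh)([[:space:],]|$)' |
      sed "s|^|${f##*/}: |"
  done
}

# Print the name of every drop-in whose mode is not 0440.
sudoers_bad_modes() {  # $1 = sudoers.d directory
  local f
  for f in "$1"/*; do
    [ "$(stat -c %a "$f")" = 440 ] || echo "${f##*/}"
  done
}

# Constructed fixture reproducing the guide's two drop-ins. Written with
# plain echo redirection they get the umask default (0644), as in the guide.
SUDOERS_D=$(mktemp -d)
echo "%dev_team ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/git" > "$SUDOERS_D/dev"
echo "%test_team ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx" > "$SUDOERS_D/test"
chmod 0440 "$SUDOERS_D/test"

sudoers_risky_rules "$SUDOERS_D"   # reports the dev rule
sudoers_bad_modes "$SUDOERS_D"     # reports "dev"
```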
    

III. LVM Storage Configuration

  1. Initialize Physical Volume and Volume Group
  • Data Disk: 2TB HDD (/dev/sdb assumed).

    ```bash
    pvcreate /dev/sdb
    vgcreate dev_vg /dev/sdb
    ```

  2. Create Logical Volumes

  ```bash
  lvcreate -n code -L 500G dev_vg
  lvcreate -n test -L 300G dev_vg
  lvcreate -n home -L 200G dev_vg
  ```

  3. Format and Mount
  • Format Filesystems:

    ```bash
    mkfs.xfs /dev/dev_vg/code
    mkfs.ext4 /dev/dev_vg/test
    mkfs.ext4 /dev/dev_vg/home
    ```

  • Create Mount Points:

    ```bash
    mkdir -p /data/{code,test,logs,docs}
    mkdir -p /home   # /home already exists on a minimal install; -p avoids the error
    ```

    Mounting a new volume on /home hides whatever the root filesystem already holds there, including the /home/ops_admin/.ssh directory created in section I, so copy any existing home directories onto the new volume before switching over.

  • Mount:

    ```bash
    mount /dev/dev_vg/code /data/code
    mount /dev/dev_vg/test /data/test
    mount /dev/dev_vg/home /home
    ```

  • Update /etc/fstab:

    ```bash
    echo "/dev/dev_vg/code /data/code xfs defaults,usrquota,grpquota 0 0" >> /etc/fstab
    echo "/dev/dev_vg/test /data/test ext4 defaults,usrquota,grpquota 0 0" >> /etc/fstab
    echo "/dev/dev_vg/home /home ext4 defaults,usrquota,grpquota 0 0" >> /etc/fstab
    ```
  4. Disk Quotas
  • Enable Quotas:

    ```bash
    mount -o remount /home        # pick up the usrquota,grpquota options from fstab
    mount -o remount /data/test
    quotacheck -cugm /home
    quotacheck -cugm /data/test
    quotaon -av
    ```

    quotacheck and quotaon apply to the ext4 volumes only. XFS enables quota accounting from the mount options, and it cannot be switched on by remount, so unmount and mount /data/code again for its fstab options to take effect.

  • Set User Quotas for /home (15GB per user):

    ```bash
    # setquota takes block limits in 1 KiB units: 10 GiB soft, 15 GiB hard
    for i in {1..35}; do
      setquota -u dev$i 10485760 15728640 0 0 /home
    done
    for i in {1..12}; do
      setquota -u test$i 10485760 15728640 0 0 /home
    done
    ```

  • Set Group Quota for /data/test (200GB for test_team):

    ```bash
    # 200 GiB soft and hard limit, in 1 KiB blocks
    setquota -g test_team 209715200 209715200 0 0 /data/test
    ```
    

IV. Directory Permissions Configuration

  1. Basic Permissions
  • /data/code (dev_team read/write, test_team read-only, SGID):

    ```bash
    chown :dev_team /data/code
    chmod 2775 /data/code   # SGID: new files inherit the dev_team group
    setfacl -m g:test_team:r-x /data/code
    ```

  • /data/test (test_team read/write, Sticky Bit):

    ```bash
    chown :test_team /data/test
    chmod 1777 /data/test   # world-writable; the sticky bit lets users delete only their own files
    ```

  • /data/logs (loguser write, others read-only):

    ```bash
    useradd -r -s /sbin/nologin loguser
    chown loguser:loguser /data/logs
    chmod 755 /data/logs
    ```

  • /data/docs (ops_admin manage, others read-only):

    ```bash
    chown :ops_admin /data/docs
    chmod 775 /data/docs
    setfacl -m g:dev_team:r-x,g:test_team:r-x /data/docs
    ```

  2. ACL Permissions
  • Allow ops_admin to modify /data/code:

    ```bash
    setfacl -m g:ops_admin:rwx /data/code
    ```

  • Default ACL for /data/code subdirectories:

    ```bash
    setfacl -d -m g:dev_team:rwx /data/code
    ```

  3. Automated Tasks
  • Daily Backup of /data/code (2 AM, retain 30 days):

    ```bash
    mkdir -p /backup
    # Single quotes keep $(date +\%F) literal so cron evaluates it at each run;
    # inside double quotes the shell would bake today's date into the file name.
    echo '0 2 * * * root tar czf /backup/code_$(date +\%F).tar.gz /data/code' > /etc/cron.d/code_backup
    echo "0 3 * * * root find /backup -name 'code_*.tar.gz' -mtime +30 -delete" > /etc/cron.d/backup_clean
    ```

  • Weekly Cleanup of /data/test (Friday 23:30, delete files >14 days):

    ```bash
    echo "30 23 * * 5 root find /data/test -type f -mtime +14 -delete" > /etc/cron.d/test_clean
    ```
    

V. System Services and Nginx Deployment

  1. Firewall Configuration
  • Open Ports (22, 80, 443):

    ```bash
    firewall-cmd --permanent --add-port={22,80,443}/tcp
    ```

  • Allow MySQL (3306) for 192.168.30.0/24:

    ```bash
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.30.0/24" port port="3306" protocol="tcp" accept'
    ```

  • Reload Firewall:

    ```bash
    firewall-cmd --reload
    ```

  2. Time Synchronization
  • Configure chronyd (Aliyun NTP):

    ```bash
    # Rocky 9 ships a "pool 2.rocky.pool.ntp.org iburst" line rather than "server", so match either
    sed -i -E 's/^(pool|server) .*/server ntp1.aliyun.com iburst/' /etc/chrony.conf
    systemctl enable chronyd
    systemctl restart chronyd   # chronyd is already running on a fresh install; restart so it reads the new server
    ```

  • Verify (error ≤ 10ms):

    ```bash
    chronyc tracking
    ```

  3. Log Management
  • Configure rsyslog for remote logs:

    ```bash
    mkdir -p /var/log/remote
    echo "*.* /var/log/remote/system.log" >> /etc/rsyslog.conf
    # Single quotes keep $(date +\%F) literal for cron instead of expanding it now
    echo '0 0 * * 0 root tar czf /var/log/remote/system_$(date +\%F).tar.gz /var/log/remote/system.log && :> /var/log/remote/system.log' > /etc/cron.d/log_rotate
    systemctl restart rsyslog
    ```

    As written, the "*.*" rule copies every local message into system.log; receiving logs from other hosts additionally requires loading an rsyslog input module (imudp or imtcp) and opening the corresponding port in firewalld.
    
  4. Nginx Deployment (Using YUM for Simplicity)
  • Install Nginx:

    ```bash
    dnf install -y nginx
    ```

  • Configure Virtual Hosts:

    • Create /etc/nginx/conf.d/dev.conf:

      ```nginx
      server {
          listen 443 ssl http2;
          server_name dev.internal.com;
          root /data/web/dev;
          ssl_certificate /etc/ssl/dev.internal.com.crt;
          ssl_certificate_key /etc/ssl/dev.internal.com.key;
          client_max_body_size 500m;
          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
          location / {
              # No PHP handler is configured here, so index.php would be served as a plain file
              # unless a fastcgi_pass location is added.
              index index.php index.html;
          }
      }
      ```

    • Create /etc/nginx/conf.d/test.conf:

      ```nginx
      server {
          listen 80;
          server_name test.internal.com;
          # /data/test is world-writable (section IV), so anything any local user drops there
          # is listed and served to the whole subnet.
          root /data/test;
          allow 192.168.30.0/24;
          deny all;
          location / {
              autoindex on;
          }
      }
      ```

  • Hide Nginx Version:

    ```bash
    # Rocky's packaged nginx.conf carries no commented server_tokens line for sed to match,
    # so use a conf.d drop-in (included inside the http block) and verify the config.
    echo 'server_tokens off;' > /etc/nginx/conf.d/00-server-tokens.conf
    nginx -t
    ```

  • Start and Enable Nginx:

    ```bash
    systemctl enable --now nginx
    ```

    Rocky 9 runs SELinux in enforcing mode, so content under /data must carry the httpd_sys_content_t label (set with semanage fcontext and restorecon) before nginx can serve it; otherwise requests return 403 and the denials show up in the audit log.
    

VI. Verification Commands

  1. Storage Verification

  ```bash
  vgs dev_vg
  repquota /home
  repquota /data/test
  ```

  2. Permissions Verification

  ```bash
  sudo -u dev1 touch /data/code/test.txt         # Should succeed
  sudo -l -U test1                               # Should list only "systemctl restart nginx"
  # Run the command through sudo as test1; invoking systemctl directly as test1
  # would not exercise the sudoers rule at all.
  su - test1 -c 'sudo systemctl restart nginx'   # Should succeed (after test1's initial password change)
  su - test1 -c 'sudo vim /etc/hosts'            # Should fail: not permitted by sudoers
  ```

  3. Service Verification

  ```bash
  curl -I https://dev.internal.com
  ss -tulnp | grep nginx
  ```

  4. Security Verification

  ```bash
  nmap -sS -p 22,80,443 192.168.30.20
  # sudo's logfile lines carry user, TTY, PWD and COMMAND= fields, not the word "sudo"
  grep 'COMMAND=' /var/log/sudo_audit.log
  ```

VII. Troubleshooting

  • LVM Expansion:

    ```bash
    lvextend -L +100G /dev/dev_vg/code
    xfs_growfs /data/code
    ```

  • ACL Fix:

    ```bash
    setfacl -m u:dev1:rwx /data/code/frontend
    ```

  • Nginx Failure:

    ```bash
    journalctl -u nginx --since "5 minutes ago"
    nginx -t
    ```

Notes

  • SSL Certificates: Since the provided certificate paths (/etc/ssl/dev.internal.com.crt) are placeholders, consider using Let's Encrypt or self-signed certificates for testing:

    ```bash
    dnf install -y certbot python3-certbot-nginx
    certbot --nginx -d dev.internal.com
    ```

    certbot can only obtain a Let's Encrypt certificate if dev.internal.com is publicly resolvable and the HTTP-01 challenge can reach the host on port 80 (or a DNS plugin is used); for a purely internal name, issue from an internal CA or use a self-signed certificate instead.
  • Backup Strategy: Ensure /backup is on a separate disk or NFS mount to avoid data loss.

  • Testing: Validate configurations in a VM or test environment before production deployment.

  • Snapshots: Take LVM or VM snapshots before critical operations.

This implementation meets all specified requirements, is optimized for enterprise use, and includes verification steps to ensure compliance. Let me know if you need further clarification or additional configurations!

Last updated 2025-04-23