10.4. Summary

10.4. Summary

Kali Linux scales beyond the desktop to medium or large scale deployments and even to the enterprise level. In this chapter, we covered how to centralize management of multiple Kali installations with SaltStack, allowing you to quickly deploy highly secure Kali systems preconfigured for your specific needs. We also revealed how you can keep them synchronized thanks to Kali's (semi-automatic) installation of package updates.

We discussed package forking, which allows you to create your own customized distributable source packages.

In summary, let's review the major steps required to establish Salt masters and minions, which allow you remote control and configuration of remote hosts.

Summary Tips:

  • Boot machine from the network with PXE, with at least a TFTP file server, a DHCP/BOOTP server (and a web server for debconf preseeding). dnsmasq handles both DHCP and TFTP, and the apache2 web server comes pre-installed (but disabled) on Kali.

  • The Debian installation manual covers the setup of isc-dhcp-server and tftpd-hpa for PXE booting:

    https://www.debian.org/releases/stable/amd64/ch04s05.html

  • dnsmasq is configured through /etc/dnsmasq.conf. A basic configuration consists of only a few key lines:

  • Unpack 32-bit (i386), 64-bit (amd64), standard or graphical (gtk) installation boot files from the Kali archive into /tftpboot/. The archives can be found here:

    http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/images/netboot/gtk/netboot.tar.gz

    http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/images/netboot/netboot.tar.gz

    http://http.kali.org/dists/kali-rolling/main/installer-i386/current/images/netboot/gtk/netboot.tar.gz

    http://http.kali.org/dists/kali-rolling/main/installer-i386/current/images/netboot/netboot.tar.gz

  • Optionally modify txt.cfg to preseed parameters or custom timeouts. See Section 4.3, "Unattended Installations". Next, you can leverage configuration management tools to manage machines or configure remote computers to any desired state.

  • SaltStack is a centralized configuration management service: a Salt master manages many Salt minions. Install the salt-master package on a reachable server and salt-minion on managed hosts.

  • Edit the /etc/salt/minion YAML-formatted config file and set the master key to the DNS name (or IP address) of the Salt master.

  • Set minion's unique identifier in /etc/salt/minion_id:

  • Key exchange will follow. On the master, accept minion's identification key. Subsequent connections will be automatic:

  • Once minions are connected, you can execute commands on them from the master. Examples:

  • The full list of execution modules can be found at https://docs.saltstack.com/en/latest/ref/modules/all/index.html.

  • Use Salt state files (re-usable configuration templates) to schedule actions, collect data, orchestrate sequences of operations on multiple minions, provision cloud systems and bring them under management, and more. Save time with pre-defined Salt formulas:

    https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html

  • When it comes time to fork a package, first decide if it is a task that you need to tackle. There are significant advantages and disadvantages. Review them carefully. The kali-meta, desktop-base, and kali-menu packages are interesting, probable choices. The process of forking a package can be daunting and is difficult to summarize.

Now that we have covered all the bases in terms of installation, configuration, customization, and deployment of Kali Linux, let's turn towards the role of Kali Linux in the field of Information Security.