10.4. Summary

Kali Linux scales beyond the desktop to medium or large scale deployments and even to the enterprise level. In this chapter, we covered how to centralize management of multiple Kali installations with SaltStack, allowing you to quickly deploy highly secure Kali systems preconfigured for your specific needs. We also revealed how you can keep them synchronized thanks to Kali's (semi-automatic) installation of package updates.

We discussed package forking, which allows you to create your own customized distributable source packages.

In summary, let's review the major steps required to establish Salt masters and minions, which allow you to remotely control and configure hosts.

Summary Tips:

  • Boot machines from the network with PXE. This requires at least a TFTP file server and a DHCP/BOOTP server (plus a web server for debconf preseeding). dnsmasq handles both DHCP and TFTP, and the apache2 web server comes pre-installed (but disabled) on Kali.

  • The Debian installation manual covers the setup of isc-dhcp-server and tftpd-hpa for PXE booting:

    https://www.debian.org/releases/stable/amd64/ch04s05

  • dnsmasq is configured through /etc/dnsmasq.conf. A basic configuration consists of only a few key lines:

    # Network interface to handle
    interface=eth0
    # DHCP options
    # IP range to allocate
    dhcp-range=192.168.101.100,192.168.101.200,12h
    # Gateway to announce to clients
    dhcp-option=option:router,192.168.101.1
    # DNS servers to announce to clients
    dhcp-option=option:dns-server,8.8.8.8,8.8.4.4
    # Boot file to announce to clients
    dhcp-boot=pxelinux.0
    # TFTP options
    enable-tftp
    # Directory hosting files to serve
    tftp-root=/tftpboot/

  • Unpack 32-bit (i386), 64-bit (amd64), standard or graphical (gtk) installation boot files from the Kali archive into /tftpboot/. The archives can be found here:

    http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/images/netboot/gtk/netboot.tar.gz

    http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/images/netboot/netboot.tar.gz

    http://http.kali.org/dists/kali-rolling/main/installer-i386/current/images/netboot/gtk/netboot.tar.gz

    http://http.kali.org/dists/kali-rolling/main/installer-i386/current/images/netboot/netboot.tar.gz

    # mkdir /tftpboot
    # cd /tftpboot
    # wget http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/images/netboot/netboot.tar.gz
    # tar xf netboot.tar.gz

  • Optionally modify txt.cfg to preseed parameters or custom timeouts. See Section 4.3, "Unattended Installations". Next, you can leverage configuration management tools to manage machines or configure remote computers to any desired state.

  • SaltStack is a centralized configuration management service: a Salt master manages many Salt minions. Install the salt-master package on a reachable server and salt-minion on managed hosts.

  • Edit the /etc/salt/minion YAML-formatted config file and set the master key to the DNS name (or IP address) of the Salt master.

  • Set the minion's unique identifier in /etc/salt/minion_id:

    minion# echo kali-scratch >/etc/salt/minion_id
    minion# systemctl enable salt-minion
    minion# systemctl start salt-minion

  • Key exchange will follow. On the master, accept the minion's identification key. Subsequent connections will be automatic:

    master# systemctl enable salt-master
    master# systemctl start salt-master
    master# salt-key --list all
    Accepted Keys:
    Denied Keys:
    Unaccepted Keys:
    kali-scratch
    Rejected Keys:
    master# salt-key --accept kali-scratch
    The following keys are going to be accepted:
    Unaccepted Keys:
    kali-scratch
    Proceed? [n/Y] y
    Key for minion kali-scratch accepted.

  • Once minions are connected, you can execute commands on them from the master. Examples:

    master# salt '*' test.ping
    kali-scratch:
        True
    kali-master:
        True
    master# salt kali-scratch cmd.shell 'uptime; uname -a'
    master# salt kali-scratch sys.doc
    master# salt '*' service.enable ssh
    [...]
    master# salt '*' service.start ssh
    [...]
    master# salt '*' pkg.refresh_db
    [...]
    master# salt '*' pkg.upgrade dist_upgrade=True
    master# salt '*' cmd.shell 'pkill -f dnmap_client'

  • The full list of execution modules can be found at https://docs.saltstack.com/en/latest/ref/modules/all/index.html.

  • Use Salt state files (re-usable configuration templates) to schedule actions, collect data, orchestrate sequences of operations on multiple minions, provision cloud systems and bring them under management, and more. Save time with pre-defined Salt formulas:

    https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html

  • When it comes time to fork a package, first decide if it is a task that you need to tackle. There are significant advantages and disadvantages. Review them carefully. The kali-meta, desktop-base, and kali-menu packages are interesting, probable choices. The process of forking a package can be daunting and is difficult to summarize.
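
For the netboot download step above, one way to check the tarball before it is unpacked and served to every PXE client (an added example, not part of the original text). It assumes a SHA256SUMS listing for the installer images obtained over a channel you trust; the entry path, the function names and the sample data are illustrative.

```shell
#!/bin/sh
# Added example: verify a netboot tarball against a SHA256SUMS listing
# before it is unpacked into the TFTP root.
# Assumption: the listing uses the "<hex digest>  <path>" layout that
# sha256sum writes.

# verify_and_unpack SUMS ENTRY TARBALL DEST
# Exit status: 0 after unpacking, 1 on digest mismatch, 2 if ENTRY is not
# listed. The body is a subshell, so "exit" only leaves the function.
verify_and_unpack() (
    sums=$1 entry=$2 tarball=$3 dest=$4
    # Compare the path column exactly: a substring match would let the gtk
    # tarball's line satisfy a lookup for the standard one.
    want=$(awk -v e="$entry" '$2 == e { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "no checksum listed for $entry" >&2; exit 2; }
    got=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$want" != "$got" ]; then
        echo "digest mismatch for $tarball, not unpacking" >&2
        exit 1
    fi
    mkdir -p "$dest" && tar -xf "$tarball" -C "$dest"
)

# make_sample DIR: build a constructed tarball and a matching listing in DIR
# so the check can be tried offline.
make_sample() (
    cd "$1" || exit 1
    mkdir -p src && echo 'constructed boot file' > src/pxelinux.0
    tar -czf netboot.tar.gz -C src .
    sha256sum netboot.tar.gz |
        awk '{ print $1 "  ./netboot/netboot.tar.gz" }' > SHA256SUMS
)

# Usage on a real download (paths as in the steps above):
#   verify_and_unpack SHA256SUMS ./netboot/netboot.tar.gz netboot.tar.gz /tftpboot
```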
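
For the key exchange step above, an added example (not part of the original text) that accepts a minion key only when the fingerprint held by the master equals the one read on the minion itself. The SALT_KEY variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: accept a minion key only after comparing fingerprints.
# On the minion, print the local key fingerprint with:
#     salt-call --local key.finger
# and carry it to the master out of band (console, existing SSH session).

# SALT_KEY lets a stub stand in for the real command when testing
# (an assumption of this example, not a Salt setting).
SALT_KEY=${SALT_KEY:-salt-key}

# pending_fingerprint ID: print the fingerprint the master holds for ID.
pending_fingerprint() {
    # "salt-key -f" prints lines of the form "<id>:  <fingerprint>"; match
    # the id exactly so a similarly named minion is not picked up.
    "$SALT_KEY" -f "$1" | awk -v id="$1:" '$1 == id { print $2; exit }'
}

# accept_if_match ID EXPECTED
# Exit status: 0 = accepted, 1 = fingerprint mismatch, 2 = no key for ID.
# The body is a subshell, so "exit" only leaves the function.
accept_if_match() (
    seen=$(pending_fingerprint "$1" | tr 'A-F' 'a-f')
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$seen" ] || { echo "no key pending for $1" >&2; exit 2; }
    if [ "$seen" != "$want" ]; then
        echo "fingerprint mismatch for $1, key left unaccepted" >&2
        exit 1
    fi
    "$SALT_KEY" --yes --accept "$1"
)

# Usage on the master, with the value read on the minion:
#   accept_if_match kali-scratch '<fingerprint from the minion>'
```

The reverse check, where the minion verifies the master, is done by setting master_finger in /etc/salt/minion to the master.pub fingerprint shown by salt-key -F master.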

Now that we have covered all the bases in terms of installation, configuration, customization, and deployment of Kali Linux, let's turn towards the role of Kali Linux in the field of Information Security.