Difference between revisions of "Setup - Kali Linux"
(→pam) |
(→pam) |
||
Line 108: | Line 108: | ||
Use default options of this two packages | Use default options of this two packages | ||
− | apt install libnss-ldap | + | apt install libnss-ldap |
+ | apt-get install nss-updatedb | ||
Edit /etc/nsswitch.conf to have ldap | Edit /etc/nsswitch.conf to have ldap | ||
Line 117: | Line 118: | ||
Update the pam_ldap.conf | Update the pam_ldap.conf | ||
cp /etc/ldap/ldap.conf /etc/pam_ldap.conf | cp /etc/ldap/ldap.conf /etc/pam_ldap.conf | ||
+ | |||
+ | Get the nss_ldap | ||
+ | scp mada0:/etc/*nss_ldap.conf /etc/libnss_ldap.conf | ||
+ | |||
+ | After this, you should have a getent | ||
+ | getent passwd | grep -i renau | ||
+ | |||
+ | === security === | ||
+ | |||
+ | Restrict access only to masc/vlsi/vama groups | ||
+ | Add to /etc/security/access.conf | ||
+ | |||
+ | + : root : ALL | ||
+ | + : (masc) : ALL | ||
+ | + : (vlsi) : ALL | ||
+ | + : (vama) : ALL | ||
+ | -:ALL :ALL |
Revision as of 02:08, 6 February 2020
Contents
Create Install Setup
Create a bootable USB from Kali linux
https://www.kali.org/docs/usb/kali-linux-live-usb-install/
Use default partition (single partition and swap around same as memory)
GUI install works fine. Default options
Account Setup
Create a local account that does not match in name the SOE LDAP. E.g: jrenau vs renau
Basic Setup
SSH Server (not for laptop, just desktop and servers)
apt-get install openssh-server systemctl enable ssh.service systemctl start ssh.service
Get the time in sync with NTP
systemctl enable ntp.service systemctl start ntp.service
Firewall Setup
Setup the firewall:
apt-get install ufw ufw default deny ufw reject auth ufw limit ssh/tcp ufw logging off
The next line is only needed the first time you install the package.
ufw enable
Follow it by enabling ufw with systemctl.
systemctl enable ufw.service
Finally, query the rules being applied via the status command.
ufw status
Determinism for QEMU/ESESC/LiveHD/....
mmap problem for qemu, enable perf monitoring for everyone, no randomization (determinism)
echo "vm.mmap_min_addr = 4096" >>/etc/sysctl.d/10-masc.conf echo "fs.inotify.max_user_watches = 65535" >>/etc/sysctl.d/10-masc.conf echo "kernel.randomize_va_space = 0" >>/etc/sysctl.d/10-masc.conf echo "kernel.perf_event_paranoid = -1" >>/etc/sysctl.d/10-masc.conf
restart sysctl or wait for reboot
systemctl restart systemd-sysctl.service
Get Atom/Bazel repos
Get Atom package
curl -L https://packagecloud.io/AtomEditor/atom/gpgkey | apt-key add - echo "deb [arch=amd64] https://packagecloud.io/AtomEditor/atom/any/ any main" > /etc/apt/sources.list.d/atom.list apt update apt install atom
Get Bazel package
curl https://bazel.build/bazel-release.pub.gpg | sudo apt-key add - echo "deb [arch=amd64] https://storage.googleapis.com/bazel-apt stable jdk1.8" | sudo tee /etc/apt/sources.list.d/bazel.list apt update apt install bazel
Get Basic Packages
Go to a Kali Linux machine (mada4?), dump the packages installed
dpkg --get-selections | grep -v deinstall > installed_packages.txt
Go to your new machine, and install the missing packages
cut -f 1 installed_packages.txt | xargs apt-get install -y
NOTE: There may be some conflicts with the older kali machine. My suggestion is to upgrade to the latest version before. At the end, there may be also issues for packages like atom
LDAP
ldap directory access
Copy the cacerts from SOE (firedance in example)
scp -r renau@firedance:/etc/openldap/cacerts /etc/ldap/ scp -r renau@firedance:/etc/openldap/ldap.conf /etc/ldap/ldap.conf.soe sed -s/openldap/ldap/g /etc/ldap/ldap.conf.soe >/etc/ldap/ldap.conf
Now you should be able to execute the following command.
ldapsearch -x LLL
pam
Use default options of this two packages
apt install libnss-ldap apt-get install nss-updatedb
Edit /etc/nsswitch.conf to have ldap
passwd: files systemd ldap group: files systemd ldap shadow: files ldap
Update the pam_ldap.conf
cp /etc/ldap/ldap.conf /etc/pam_ldap.conf
Get the nss_ldap
scp mada0:/etc/*nss_ldap.conf /etc/libnss_ldap.conf
After this, you should have a getent
getent passwd | grep -i renau
security
Restrict access only to masc/vlsi/vama groups Add to /etc/security/access.conf
+ : root : ALL + : (masc) : ALL + : (vlsi) : ALL + : (vama) : ALL -:ALL :ALL