Difference between revisions of "Setup - Kali Linux"

From Vlsiwiki
(ZFS (server))
(Get Basic Packages)
Line 90: Line 90:
 
NOTE: There may be some conflicts with the older kali machine. My suggestion is to upgrade to the latest version before.
 
NOTE: There may be some conflicts with the older kali machine. My suggestion is to upgrade to the latest version before.
 
At the end, there may be also issues for packages like atom
 
At the end, there may be also issues for packages like atom
 +
 +
=== Backports (zfs and related stuff) ===
 +
 +
# vi /etc/apt/sources.list.d/buster-backports.list
 +
deb http://deb.debian.org/debian buster-backports main contrib
 +
deb-src http://deb.debian.org/debian buster-backports main contrib
  
 
== LDAP ==
 
== LDAP ==
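
Review bot: The added line `# vi /etc/apt/sources.list.d/buster-backports.list` starts with `#`, which MediaWiki renders as a numbered-list item rather than as a command. The `deb` and `deb-src` lines after it have no leading space, so the rendered page will join them into one paragraph instead of showing two separate sources entries. Indent all three lines with a leading space (preformatted text) or wrap them in a pre block, and drop the `#` or make clear it is a root prompt. The hunk also adds a new sources file without a following `apt update`, so consider adding that step after the two `deb` lines.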

Revision as of 19:48, 6 February 2020

Create Install Setup

Create a bootable USB from Kali Linux

https://www.kali.org/docs/usb/kali-linux-live-usb-install/

Use the default partitioning (a single partition, plus swap of about the same size as memory).

The GUI install works fine with the default options.

Account Setup

Create a local account whose name does not match your SOE LDAP account name, e.g. jrenau vs renau.


Basic Setup

SSH Server (not for laptop, just desktop and servers)

apt-get install openssh-server
systemctl enable ssh.service
systemctl start  ssh.service

Get the time in sync with NTP

systemctl enable ntp.service
systemctl start  ntp.service

Firewall Setup

Setup the firewall:

apt-get install ufw
ufw default deny
ufw reject auth
ufw limit ssh/tcp
ufw logging off

The next line is only needed the first time you install the package.

ufw enable

Follow it by enabling ufw with systemctl.

systemctl enable ufw.service

Finally, query the rules being applied via the status command.

ufw status

Determinism for QEMU/ESESC/LiveHD/....

These settings work around an mmap problem in QEMU, enable perf monitoring for every user, and turn off address-space randomization so that runs are deterministic.

echo "vm.mmap_min_addr = 4096"             >>/etc/sysctl.d/10-masc.conf
echo "fs.inotify.max_user_watches = 65535" >>/etc/sysctl.d/10-masc.conf
echo "kernel.randomize_va_space = 0"       >>/etc/sysctl.d/10-masc.conf
echo "kernel.perf_event_paranoid = -1"     >>/etc/sysctl.d/10-masc.conf


Restart systemd-sysctl to apply the settings, or wait for the next reboot.

systemctl restart systemd-sysctl.service

Packages

Get Atom/Bazel repos

Get Atom package

curl -L https://packagecloud.io/AtomEditor/atom/gpgkey | apt-key add -
echo "deb [arch=amd64] https://packagecloud.io/AtomEditor/atom/any/ any main" > /etc/apt/sources.list.d/atom.list
apt update
apt install atom


Get Bazel package

curl https://bazel.build/bazel-release.pub.gpg | sudo apt-key add -
echo "deb [arch=amd64] https://storage.googleapis.com/bazel-apt stable jdk1.8" | sudo tee /etc/apt/sources.list.d/bazel.list
apt update
apt install bazel

Get Basic Packages

Go to a Kali Linux machine (mada4?), dump the packages installed

dpkg --get-selections | grep -v deinstall > installed_packages.txt

Go to your new machine, and install the missing packages

cut -f 1 installed_packages.txt | xargs apt-get install -y

NOTE: There may be some conflicts with the older Kali machine. My suggestion is to upgrade it to the latest version first. At the end, there may also be issues with packages like atom.

Backports (zfs and related stuff)

vi /etc/apt/sources.list.d/buster-backports.list

deb http://deb.debian.org/debian buster-backports main contrib
deb-src http://deb.debian.org/debian buster-backports main contrib

LDAP

ldap directory access

Copy the cacerts from SOE (firedance in this example)

scp -r renau@firedance:/etc/openldap/cacerts /etc/ldap/
scp -r renau@firedance:/etc/openldap/ldap.conf /etc/ldap/ldap.conf.soe
sed 's/openldap/ldap/g' /etc/ldap/ldap.conf.soe >/etc/ldap/ldap.conf


Now you should be able to execute the following command.

ldapsearch -x -LLL


pam

Use the default options for these two packages

apt install libnss-ldap
apt-get install nss-updatedb

Edit /etc/nsswitch.conf to have ldap

passwd:         files systemd ldap
group:          files systemd ldap
shadow:         files ldap

Update the pam_ldap.conf

cp /etc/ldap/ldap.conf /etc/pam_ldap.conf

Get the nss_ldap

scp mada0:/etc/*nss_ldap.conf /etc/libnss_ldap.conf

After this, getent should list the LDAP accounts

getent passwd | grep -i renau

security

Restrict access to the masc/vlsi/vama groups only. Add to /etc/security/access.conf

+ : root : ALL
+ : (masc) : ALL
+ : (vlsi) : ALL
+ : (vama) : ALL
-:ALL :ALL
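
To see which accounts the rules above admit, the following added example (not part of the original wiki page) models the first-match evaluation that pam_access applies to this file. It is a simplified model that assumes pam_access.so is the module reading access.conf; the function name access_decision and the sample accounts are made up for illustration.

```shell
#!/bin/sh
# Added example: simplified model of how pam_access walks access.conf.
# Models only what the page's rules use: +/- permissions, user names,
# "(group)" tokens and ALL. EXCEPT, netgroups and host origins are not handled.

# Rules as given on the page (spacing around ":" is not significant).
RULES='+ : root : ALL
+ : (masc) : ALL
+ : (vlsi) : ALL
+ : (vama) : ALL
-:ALL :ALL'

# access_decision USER "GROUP ..." -> prints allow or deny
access_decision() {
    user=$1; ugroups=$2
    while IFS=: read -r perm users origins; do
        perm=$(printf '%s' "$perm" | tr -d ' \t')
        case $perm in +|-) ;; *) continue ;; esac      # skip comments and blanks
        [ "$(printf '%s' "$origins" | tr -d ' \t')" = ALL ] || continue
        for tok in $users; do
            match=no name=$tok
            case $tok in
                ALL)   match=yes ;;
                \(*\)) name=${tok#\(}; name=${name%\)} ;;  # "(g)": group only
                *)     if [ "$tok" = "$user" ]; then match=yes; fi ;;
            esac
            # Bare names are also tried as group names (pam_access default).
            for g in $ugroups; do
                if [ "$g" = "$name" ]; then match=yes; fi
            done
            if [ "$match" = yes ]; then          # first matching line decides
                if [ "$perm" = + ]; then echo allow; else echo deny; fi
                return 0
            fi
        done
    done <<EOF
$RULES
EOF
    echo allow   # no line matched: nothing denies, hence the final deny-all rule
}

# Constructed sample accounts (names and group lists are made up).
for t in "root:root" "alice:users vlsi" "bob:users" "vlsi:users"; do
    printf '%-6s [%s] -> %s\n' "${t%%:*}" "${t#*:}" "$(access_decision "${t%%:*}" "${t#*:}")"
done
```

The last sample shows why the parentheses matter: a user who is merely named vlsi, without being in the vlsi group, is denied.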

ZFS (server)

This explains the ZFS setup for a large filesystem server (not for desktops)

Get the latest kernel and headers

apt update
apt install linux-headers-`uname -r`

Install zfs packages

apt install zfsutils-linux zfs-dkms spl-dkms