From ee4d243ac562bc951f21be9c5a9124d89ae356b3 Mon Sep 17 00:00:00 2001 From: Arnaud Rebillout Date: Fri, 10 Feb 2023 18:59:31 +0700 Subject: [PATCH 1/4] Set simple-cdd profiles from build.sh (instead of guessing from config) With this change, we do NOT set profiles based on DISKTYPE anymore. Instead, we set profiles (and auto_profiles) in build.sh, depending on the variant. This change is in preparation for next commit, where we'll introduce a new installer variant. --- build.sh | 12 ++++++++++-- simple-cdd/simple-cdd.conf | 14 ++------------ 2 files changed, 12 insertions(+), 14 deletions(-) diff --git a/build.sh b/build.sh index 774c866..f4e7071 100755 --- a/build.sh +++ b/build.sh @@ -323,10 +323,16 @@ case "$IMAGE_TYPE" in if [ "$KALI_VARIANT" = "netinst" ]; then export DISKTYPE="NETINST" - else + profiles="kali" + auto_profiles="kali" + else # plain installer export DISKTYPE="BD" + profiles="kali offline" + auto_profiles="kali offline" fi debug "DISKTYPE: $DISKTYPE" + debug "profiles: $profiles" + debug "auto_profiles: $auto_profiles" if [ -e .mirror ]; then kali_mirror=$(cat .mirror) @@ -379,7 +385,9 @@ case "$IMAGE_TYPE" in --force-root \ --conf simple-cdd.conf \ --dist $CODENAME \ - --debian-mirror $kali_mirror + --debian-mirror $kali_mirror \ + --profiles "$profiles" \ + --auto-profiles "$auto_profiles" res=$? cd ../ if [ $res -ne 0 ] || [ ! -e $IMAGE_NAME ]; then diff --git a/simple-cdd/simple-cdd.conf b/simple-cdd/simple-cdd.conf index 39b5a0b..e7be992 100644 --- a/simple-cdd/simple-cdd.conf +++ b/simple-cdd/simple-cdd.conf 
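Review bot: In build.sh's second hunk (`@@ -379,7 +385,9 @@`), the rewritten line `--debian-mirror $kali_mirror \` still passes the mirror unquoted, while the two options added right below it are quoted. `kali_mirror` is read from the `.mirror` file with `cat` (visible in the first hunk), so its content is word-split and glob-expanded into the argument list of a command run with `--force-root`. Since the line is being touched anyway, `--debian-mirror "$kali_mirror" \` would close that; the same applies to `--dist $CODENAME` on the context line above. The command these options belong to starts outside the hunk.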
@@ -23,20 +23,10 @@ # options to determine which profiles you want to install. # Profiles to include on the CD -#profiles="" -#profiles="x-basic ltsp" +profiles=${profiles:-kali} # To automatically select profiles (must also be listed in profiles): -# auto_profiles="foo bar baz" - -if [ "$DISKTYPE" = "NETINST" ]; then - profiles="kali" - auto_profiles="kali" -else - # Enable offline installation for full installer image - profiles="kali offline" - auto_profiles="kali offline" -fi +auto_profiles=${auto_profiles:-kali} # To include profiles which only effect the CD build # build_profiles="kali" From b327625da0efb1c7c72558714b172bd7be78761b Mon Sep 17 00:00:00 2001 From: Arnaud Rebillout Date: Tue, 31 Jan 2023 14:23:27 +0700 Subject: [PATCH 2/4] Add installer-purple variant build.sh: Note that the installer-purple variant does NOT include the offline profile, that's on purpose. There's no requirement for this installer to work offline, and on top of that, we can't include all the packages in the iso at the moment (the package exploitdb-papers is too big). So we very much expect to have network, and to download big packages during the installation. See next commits for more details. kali-config/installer-purple/packages: Unlike other variants, the "base" metapackage is kali-system-core, which is a very stripped down metapackage with no offensive tools. (kali-system-core is basically what used to be kali-linux-core, minus the few offensive tools that were in there). --- build.sh | 4 ++++ kali-config/installer-purple/packages | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 kali-config/installer-purple/packages diff --git a/build.sh b/build.sh index f4e7071..f2d374b 100755 --- a/build.sh +++ b/build.sh 
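Review bot: The new defaults `profiles=${profiles:-kali}` and `auto_profiles=${auto_profiles:-kali}` in simple-cdd/simple-cdd.conf carry no comment saying where the value is expected to come from. With the `DISKTYPE` branch gone, a run that reaches this file without `profiles` set falls back to `kali` alone and silently drops `offline`, even for a `BD` image. build.sh sets both as plain shell variables and hands them over with `--profiles`/`--auto-profiles`, so presumably simple-cdd makes them visible here, but the patch does not show that. I would add a comment above each assignment, such as `# Normally set by build.sh (--profiles); "kali" is only the fallback for a direct simple-cdd run`.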
@@ -325,6 +325,10 @@ case "$IMAGE_TYPE" in
 export DISKTYPE="NETINST"
 profiles="kali"
 auto_profiles="kali"
+ elif [ "$KALI_VARIANT" = "purple" ]; then
+ export DISKTYPE="BD"
+ profiles="kali kali-purple"
+ auto_profiles="kali kali-purple"
 else # plain installer
 export DISKTYPE="BD"
 profiles="kali offline"
diff --git a/kali-config/installer-purple/packages b/kali-config/installer-purple/packages
new file mode 100644
index 0000000..803887a
--- /dev/null
+++ b/kali-config/installer-purple/packages
@@ -0,0 +1,19 @@
+# Installer for Kali Purple
+
+# Metapackages
+# You can customize the set of Kali metapackages (groups of tools) available
+# in the installer ISO.
+# For the complete list see: https://tools.kali.org/kali-metapackages
+kali-system-core
+
+# Tools
+kali-tools-detect
+kali-tools-identify
+kali-tools-protect
+kali-tools-recover
+kali-tools-respond
+
+# Graphical desktops
+kali-desktop-xfce
+kali-desktop-gnome
+kali-desktop-kde
From 825d3dcc52d0567df6ae3207777f865f2711c3fa Mon Sep 17 00:00:00 2001
From: Arnaud Rebillout
Date: Tue, 31 Jan 2023 14:11:29 +0700
Subject: [PATCH 3/4] Add kali-purple simple-cdd profile This profile does the following: - it enables the elastic apt repo - it also enables the network during installation - finally, it makes sure to exclude the very big package exploitdb-papers, otherwise the iso is too big (~ 6 GB) I'm a bit surprised that we need to enable the network via a preseed file. I thought that it would be enough to just make sure that the installer-purple variant does NOT include the offline profile, but in practice no, it's not enough.
---
 simple-cdd/profiles/kali-purple.excludes | 3 +++
 simple-cdd/profiles/kali-purple.postinst | 18 ++++++++++++++++++
 simple-cdd/profiles/kali-purple.preseed | 4 ++++
 3 files changed, 25 insertions(+)
 create mode 100644 simple-cdd/profiles/kali-purple.excludes
 create mode 100755 simple-cdd/profiles/kali-purple.postinst
 create mode 100644 simple-cdd/profiles/kali-purple.preseed
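Review bot: The `purple` branch in build.sh (`@@ -325,6 +325,10 @@`) sets `DISKTYPE="BD"` but leaves out the `offline` profile, and nothing in the code says this is deliberate; the reason is given only in the commit message. It means the resulting installer pulls packages over the network at install time, and next to the `else` branch the omission reads like an oversight. I would add a comment on the branch, for example `# no "offline" profile on purpose: this installer expects network access and downloads packages during installation`. The `if`/`fi` that this branch belongs to starts and ends outside the hunk.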
diff --git a/simple-cdd/profiles/kali-purple.excludes b/simple-cdd/profiles/kali-purple.excludes new file mode 100644 index 0000000..2870ae3 --- /dev/null +++ b/simple-cdd/profiles/kali-purple.excludes @@ -0,0 +1,3 @@ +# Exclude big packages that are Recommended by defensive tools metapackages. +# Keep this list in sync with kali-meta/debian/control. +exploitdb-papers diff --git a/simple-cdd/profiles/kali-purple.postinst b/simple-cdd/profiles/kali-purple.postinst new file mode 100755 index 0000000..64f09ca --- /dev/null +++ b/simple-cdd/profiles/kali-purple.postinst @@ -0,0 +1,18 @@ +#!/bin/sh + +set -eu + +configure_elastic() { + # Install the elastic archive keyring + wget -q -O- https://artifacts.elastic.co/GPG-KEY-elasticsearch \ + > /etc/apt/keyrings/elastic-keyring.asc + + # Enable the repository + cat >/etc/apt/sources.list.d/elastic.list < Date: Thu, 9 Feb 2023 09:32:18 +0700 Subject: [PATCH 4/4] Add preseed for tripwire tripwire comes as a Recommends of tiger, itself a Depends of kali-tools-identify. It needs to be heavily pre-seeded, otherwise it's very chatty. --- kali-config/common/includes.installer/preseed.cfg | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kali-config/common/includes.installer/preseed.cfg b/kali-config/common/includes.installer/preseed.cfg index 0725ccf..848fede 100644 --- a/kali-config/common/includes.installer/preseed.cfg +++ b/kali-config/common/includes.installer/preseed.cfg @@ -61,3 +61,11 @@ kismet-capture-common kismet-capture-common/install-setuid boolean true wireshark-common wireshark-common/install-setuid boolean true sslh sslh/inetd_or_standalone select standalone atftpd atftpd/use_inetd boolean false + +# Defensive packages +tripwire tripwire/installed boolean true +tripwire tripwire/installed seen true +tripwire tripwire/rebuild-config boolean false +tripwire tripwire/rebuild-policy boolean false +tripwire tripwire/use-localkey boolean false +tripwire tripwire/use-sitekey boolean false
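Review bot: `configure_elastic` in simple-cdd/profiles/kali-purple.postinst writes whatever `wget` returns from `https://artifacts.elastic.co/GPG-KEY-elasticsearch` straight into `/etc/apt/keyrings/elastic-keyring.asc`, so the key that will authenticate a third-party apt repository is trusted on first download with no fingerprint check. The redirection also creates the keyring file before the download has succeeded, so a failure under `set -eu` leaves an empty file behind, and the visible lines do not create `/etc/apt/keyrings` if it is missing. I would download to a temporary file, compare the fingerprint with a value pinned in this repository, and only then install the key (or ship the key inside the image instead of fetching it); the sketch below assumes `gpg` is available where the postinst runs. The page cuts the function off at the heredoc, so I cannot see whether the `elastic.list` entry is restricted to this keyring with `signed-by=`; it should be.

```shell
configure_elastic() {
    # Pinned fingerprint of the expected signing key (placeholder: fill in
    # from a source you trust, not from the download itself).
    ELASTIC_KEY_FPR='<PINNED-FINGERPRINT-PLACEHOLDER>'
    keyring=/etc/apt/keyrings/elastic-keyring.asc

    # Download to a temporary file so a failed or partial transfer never
    # leaves a truncated keyring in place.
    tmpkey=$(mktemp)
    wget -q -O "$tmpkey" https://artifacts.elastic.co/GPG-KEY-elasticsearch

    # Refuse the key unless its fingerprint matches the pinned value.
    fpr=$(gpg --show-keys --with-colons "$tmpkey" \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$fpr" != "$ELASTIC_KEY_FPR" ]; then
        rm -f "$tmpkey"
        echo "elastic keyring: unexpected key fingerprint" >&2
        exit 1
    fi

    mkdir -p /etc/apt/keyrings
    install -m 0644 "$tmpkey" "$keyring"
    rm -f "$tmpkey"

    # … unchanged: write /etc/apt/sources.list.d/elastic.list …
```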
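Review bot: The tripwire block in kali-config/common/includes.installer/preseed.cfg answers `tripwire/use-sitekey` and `tripwire/use-localkey` with `false`, which as far as I can tell skips key creation during package configuration, and the only comment is `# Defensive packages`. A host installed this way would then have tripwire present but without keys until someone sets it up by hand, which matters for a tool whose purpose is integrity checking. I would say so next to the answers, for example `# Keys and policy are not generated at install time; run "dpkg-reconfigure tripwire" after installation before relying on it`.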