View Issue Details

ID: 0005236
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2020-12-01 10:48
Reporter: bfbcping
Assigned To: rhertzog
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2018.4
Fixed in Version: 2019.3
Summary: 0005236: Reduce or remove automatic updates
Description

While on site at a location where I was pentesting, an inline proxy flagged traffic that my machine was automatically sending in the background to look for updates for Kali.
Right now, the process to remove automatic updating is complex and amounts to a whack-a-mole approach to quieting Kali when it's on a network. In addition to unattended-upgrades (including removing that package and editing some files), GNOME has its own callback (many helpful places on the internet correctly suggest two gsettings entries), and recently there has been another change that has resulted in my installation prompting me to update that I have not traced down yet.
I would classify this as a bug rather than a feature request as Backtrack was originally designed to not beacon or respond to requests in order to stay unnoticed in a hostile environment, and I believe Kali is intended to further that mission.

Steps To Reproduce

Install Kali, wait for pop-up with updates available.
If you'd like to filter out the requests that I have already found, I co-wrote the attached script that applies the changes every time updating is desired (we have found that some updates will overwrite our changes during normal updating)

Activities

bfbcping

2019-02-04 19:30

reporter   ~0010253

The update script...

bfbcping

2019-02-04 19:35

reporter   ~0010254

Tried to attach the update script, and it failed twice. Tried to cut and paste it, and it was flagged as malicious.
Basically, it:
Removes unattended-upgrades, /etc/apt/apt.conf.d/50unattended-upgrades, /etc/apt/apt.conf.d/10periodic
Modifies /etc/apt/apt.conf.d/20auto-upgrades, /etc/apt/apt.conf.d/99synaptic, /usr/lib/apt/apt.systemd.daily
gsettings set org.gnome.software download-updates false
gsettings set org.gnome.software download-updates-notify false

rhertzog

2019-02-04 20:45

administrator   ~0010255

Thanks for the helpful feedback. We will look into fixing this in the live image and thus in the default installation.

The gsettings are the most important for the GNOME desktop. But the apt package also has its own daily update mechanism that we can likely just disable at the systemd level by disabling/masking apt-daily.timer and apt-daily-upgrade.timer.

As for unattended-upgrades, I believe it's no longer installed by default with the latest debian-installer. Will have to double check though.

I also don't see why synaptic comes into play, is that a package that you install on your own? It should not be in the default image.

bfbcping

2019-02-04 22:19

reporter   ~0010256

Yes, we install Synaptic as part of our standard build - feel free to ignore it.

bfbcping

2019-03-04 12:40

reporter   ~0010384

I renamed every instance of apt-daily.timer and apt-daily-upgrade.timer along with our changes, and I am still seeing "Software Updates Available" on a vanilla install.

bfbcping

2019-03-27 10:41

reporter   ~0010443

It looks like adding an additional Gnome setting at least shuts off the notification (although it may not shut off all beaconing for updates).

The three that we've found so far are:
gsettings set org.gnome.software download-updates false
gsettings set org.gnome.software download-updates-notify false
gsettings set org.gnome.software allow-updates false

fl0

2019-03-27 12:51

reporter   ~0010444

That is not sufficient, you need to deal with packagekit:

systemctl mask packagekit
rm /etc/apt/apt.conf.d/20packagekit

fl0

2019-03-27 13:04

reporter   ~0010445

On my systems I have:

  • Disable services apt-daily and apt-daily-upgrade
  • Set to false the three GNOME settings (see below)
  • Mask packagekit and remove the packagekit apt hook file (to remove the warnings)
  • Disable NTP: timedatectl set-ntp false

to finally have quiet Kali systems.

“The quieter you become, the more you are able to hear.” :)

rhertzog

2019-07-23 13:40

administrator   ~0010793

The situation is even worse nowadays:

  • there's also "fwupd" which is connecting to cdn.fwupd.org (might be triggered by GNOME software too)
  • something is connecting to extensions.gnome.org (might be GNOME software too)
  • GNOME software is still asking for a refresh of the metadata despite the 3 gsettings
  • GNOME software is also connecting to odrs.gnome.org
  • GNOME calculator is making requests to www.imf.org every time that you do a search in the dashboard!

rhertzog

2019-07-23 14:43

administrator   ~0010794

I filed a new wishlist issue against gnome-software to request a working option to disable network connections in the background: https://gitlab.gnome.org/GNOME/gnome-software/issues/748

I made a quick try by dropping /etc/xdg/autostart/gnome-software-service.desktop and it was enough to disable all network connections I had seen on session startup.

rhertzog

2019-07-23 15:23

administrator   ~0010795

kali-defaults 2019.3.9 now disables gnome-software-service on session startup (by diverting the file in /etc/xdg/autostart/), it also contains supplementary gsettings to cope with the other issues... base-files 2019.3.0 disables the APT timers by default (will only work on new ISO).
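
The file-level changes named across the notes above (the APT timers, the packagekit mask and apt hook file, the gnome-software-service autostart entry, and 20auto-upgrades) can be checked read-only with a script like the one below. It is an added example, not the reporter's script and not Kali's own code; the function names `masked` and `audit_quiet` and the ROOT argument are assumptions, and the per-user gsettings and the NTP setting are live state that it does not cover.

```shell
#!/bin/sh
# Added example (not from the issue thread): read-only audit of the file-level
# update triggers named in the notes. ROOT is "/" or a mounted image root.

# masked ROOT UNIT: true when the unit is masked (symlink to /dev/null)
masked() {
    [ "$(readlink "$1/etc/systemd/system/$2" 2>/dev/null)" = "/dev/null" ]
}

# audit_quiet ROOT: print one "NOISY: ..." line per trigger still in place
audit_quiet() {
    root=$1
    # APT timers: enabled means a symlink in timers.target.wants and no mask
    for t in apt-daily.timer apt-daily-upgrade.timer; do
        if [ -L "$root/etc/systemd/system/timers.target.wants/$t" ] \
                && ! masked "$root" "$t"; then
            echo "NOISY: $t is enabled"
        fi
    done
    # PackageKit is started on demand, so only a mask keeps it from running
    for d in lib/systemd/system usr/lib/systemd/system; do
        if [ -e "$root/$d/packagekit.service" ] \
                && ! masked "$root" packagekit.service; then
            echo "NOISY: packagekit.service is not masked"
            break
        fi
    done
    # Files the notes remove or divert
    for f in etc/apt/apt.conf.d/20packagekit \
             etc/xdg/autostart/gnome-software-service.desktop; do
        if [ -e "$root/$f" ]; then echo "NOISY: /$f is present"; fi
    done
    # APT::Periodic switches set to anything but "0" in 20auto-upgrades
    if grep -Eqs '^[[:space:]]*APT::Periodic::[A-Za-z-]+[[:space:]]+"[1-9]' \
            "$root/etc/apt/apt.conf.d/20auto-upgrades"; then
        echo "NOISY: /etc/apt/apt.conf.d/20auto-upgrades enables periodic APT jobs"
    fi
    return 0
}

# Run against a root given on the command line, e.g.: sh audit.sh /
if [ "$#" -gt 0 ]; then audit_quiet "$1"; fi
```

No output means none of these file-level triggers is left. Re-running it after a package upgrade shows whether an update has restored one of them, which the reporter notes can happen.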

Issue History

Date Modified Username Field Change
2019-02-04 19:20 bfbcping New Issue
2019-02-04 19:30 bfbcping Note Added: 0010253
2019-02-04 19:35 bfbcping Note Added: 0010254
2019-02-04 20:34 rhertzog Assigned To => rhertzog
2019-02-04 20:34 rhertzog Status new => assigned
2019-02-04 20:45 rhertzog Note Added: 0010255
2019-02-04 22:19 bfbcping Note Added: 0010256
2019-03-04 12:40 bfbcping Note Added: 0010384
2019-03-27 10:41 bfbcping Note Added: 0010443
2019-03-27 12:51 fl0 Note Added: 0010444
2019-03-27 13:04 fl0 Note Added: 0010445
2019-03-29 16:34 rhertzog Priority normal => high
2019-07-23 13:40 rhertzog Note Added: 0010793
2019-07-23 14:43 rhertzog Note Added: 0010794
2019-07-23 15:23 rhertzog Status assigned => resolved
2019-07-23 15:23 rhertzog Resolution open => fixed
2019-07-23 15:23 rhertzog Fixed in Version => 2019.3
2019-07-23 15:23 rhertzog Note Added: 0010795
2020-12-01 10:48 g0tmi1k Priority high => normal