SaltStack

I won’t be creating a full guide on how to use SaltStack, just a simple setup guide. More information on SaltStack is available on their website.

Installing the salt master is simple and can be done with the following commands:

sudo apt update
sudo apt install salt-master -y

I’m using Ubuntu 18.04.2 x64 as the Salt Master. If you’re facing issues installing, I would recommend checking out the SaltStack install page; it covers most distros and Windows!

Running “sudo salt-master --version” shows which Salt Master version you have installed and confirms that it installed correctly.

The Salt master is up and running, so it’s time to add minions; for this example, three minions: Kali, Mint and Parrot. One of the parts I love most about SaltStack is that minions don’t need any open ports; only the salt master needs TCP ports 4505 and 4506 open.

Use apt to install the salt-minion with the following commands:

sudo apt update
sudo apt install salt-minion -y

Running “sudo salt-minion --version” shows which Salt Minion version you have installed and confirms that it installed correctly.

Again, if you’re facing issues installing, I would recommend checking out the SaltStack install page; it covers most distros and Windows!

Now that we have the salt-minion installed on our distros, we need to tell the minions where to find the salt master; for this example, my salt master is at 177.31.249.68. Create local.conf within “/etc/salt/minion.d/” and add the following fields:

master: 177.31.249.68 (Change this to your Salt Master’s IP address).

id: Mint (If you wish to set an ID for your minion, for example, you could call it test box, Steve, Robot).

I have also created a simple command which creates the local.conf:

sudo sh -c "echo 'master: 177.31.249.68
id: '$HOSTNAME'' > /etc/salt/minion.d/local.conf"

Run it within a terminal and it creates the file “/etc/salt/minion.d/local.conf”. The command writes the master IP (ensure you change this to your Master’s IP) and uses the hostname of the computer as the id (again, you can change this).

Don’t forget to restart the salt-minion service or else it won’t take effect!

sudo service salt-minion restart

Now that you have both your Salt Master and Salt minions installed and running, let’s jump back to the Salt Master and accept the minions. Using the command salt-key you should (if everything has gone correctly) see all the minions (depending on what you named them using the id: field).

So, we now have three minions in our “Unaccepted keys”. To choose which minion to accept, use -a followed by the minion name (-a accept); for example, to accept kali only you would do the following:

salt-key -a kali

Now kali is part of our accepted keys. If you want to delete a minion, use -d (-d delete); for example, let’s delete kali only:

salt-key -d kali

Kali is no more. Don’t worry if you deleted a minion by mistake; just restart the minion service again:

sudo service salt-minion restart

Kali comes back, and you need to accept it again!

Let’s move on and, to save time, use the options -A and -y (-A accepts all and -y answers yes); this accepts all unaccepted keys:

salt-key -A -y

Now we have all our minions added to our salt master. If you wish to find more options for salt-key, use:

salt-key -h

This shows what commands are available and what they offer.
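Because “salt-key -A -y” accepts every pending key without checking who sent it, here is an added example (not part of the original guide) that accepts one minion only after the fingerprint shown by “salt-key -f” on the master matches the value read on the minion with “sudo salt-call --local key.finger”. The function names, the sample output and its fingerprints are constructed for illustration, and the “salt-key -f” output layout parsed here is an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide): accept one pending minion key
# only after its fingerprint matches the value read on the minion itself with
#   sudo salt-call --local key.finger

# Print the fingerprint that `salt-key -f ID` style output (on stdin) lists for
# ID under "Unaccepted Keys:"; print nothing if ID is not pending.
extract_pending_finger() {
    awk -v id="$1" '
        /^[A-Za-z ]+Keys:$/ { section = $0; next }
        section == "Unaccepted Keys:" && $1 == (id ":") { print $2; exit }'
}

# Succeed only if both fingerprints are non-empty and equal, ignoring hex case.
finger_matches() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$a" = "$b" ]
}

# accept_if_verified ID EXPECTED_FINGERPRINT: the only path to `salt-key -a`.
accept_if_verified() {
    case "$1" in
        ''|*'*'*|*'?'*|*'['*) echo "refusing '$1': empty or glob id" >&2; return 1 ;;
    esac
    actual=$(salt-key --no-color -f "$1" | extract_pending_finger "$1")
    if finger_matches "$2" "$actual"; then
        salt-key -y -a "$1"
    else
        echo "refusing $1: not pending or fingerprint mismatch" >&2
        return 1
    fi
}

# Constructed sample of `salt-key -f` output; ids reuse the guide's names and
# the fingerprints are made up.
SAMPLE_OUTPUT='Accepted Keys:
Mate:  11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
Unaccepted Keys:
kali:  aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99'

# Usage on the master: sh accept-verified.sh kali '<fingerprint from the minion>'
if [ "$#" -eq 2 ]; then
    accept_if_verified "$1" "$2"
fi
```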

Now let’s move on to issuing commands to our minions from the salt master. The first command (and the one almost always mentioned) is the ping command; it tells you if the minion is online and if the master can “speak” to it:

salt '*' test.ping

All of our minions are awake, and the salt master can “speak” to them. Let’s try another command, and this time issue a terminal command from the salt master to the minions using cmd.run:

salt '*' cmd.run 'df -h'

So, we have told the minions to issue the command df -h (df is a Unix command to show the disk space). SaltStack automatically returns the results, and errors if any! Let’s issue some more commands.

We just issued whoami, pwd, w and even did an echo, all from one salt master! You will have noticed we use ‘*’ a lot; this sends the commands to all minions (* is a wildcard). If you only wanted to send commands to one minion, you would replace the ‘*’ with the id of that minion, for example:

salt 'Mate' cmd.run 'command here'

The salt master issued the commands only to the Mate minion, and only the Mate minion gave back any results; parrot and kali didn’t. This is how you can issue commands to one minion at a time. However, if you wish to issue commands to multiple minions, you need to use -L (-L takes a comma or space delimited list of minions), which would be something like this:

salt -L 'Mate,kali' cmd.run 'uname -a' 

Now the salt master is issuing commands to Mate and kali only and is getting results back from Mate and kali only; parrot doesn’t do anything. Now let’s do something a bit more fun: let’s run an nmap scan from one of our salt minions and get the results back, kind of like a Zombie.

Let’s use the minion Mate; this way we can install a package using the salt master:

salt 'Mate' cmd.run 'apt install nmap -y'

Nmap installed successfully on the Mate minion, and now we issue the following command:

salt 'Mate' cmd.run 'nmap -p 1-100 scanme.nmap.org'

So, we were able to install nmap and then perform an nmap scan just from the salt master and nothing else. From a security point of view you can see how “fun” this can be: you’re able to run any Linux command as root without being asked for the root password (unless changed within the minion settings).

SaltStack is a big project and, as I said at the start of this guide, I won’t be covering everything about SaltStack as there is a lot to cover, such as States, Pillars, Grains and so much more. The SaltStack Documentation is a great place to start.

I hope you have enjoyed my little guide on SaltStack.

Thanks for reading!
-Mr J

“Made for educational purposes Only.”
