Cisco ISE Hardening - RHEL to ADE-OS relationship

AlanHarkleroad
Level 1

Is there a document I can read or seminar I can watch that adequately explains the relationship between the RHEL underlying OS services and security posture with the overlay ADE-OS in ISE?

I am trying to understand what relationships exist between security settings within the ISE ADE-OS and how they talk, if they talk, to the RHEL equivalent. For example, the NTP setup. NTP within ISE does not have a polling interval to set up, so there is no clearly defined value that is required by DISA STIG to configure to keep time set within a required time frame for auditing requirements.

However, with NTPD within RHEL I could set that up.

How does the Auditd/Audisp on RHEL tie to the ISE auditing agents? Or do they even talk?

Has anyone conducted some hardening to the RHEL underlying components?

2 Accepted Solutions

cciesec2011
Level 3

Looks like ISE version 2.6 is a Red Hat 7.5 release version:

ade # cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
ade #

ade # uname -a
Linux rdhnkisedev002 3.10.0-862.3.2.el7.x86_64 #1 SMP Tue May 15 18:22:15 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
ade # uname -r
3.10.0-862.3.2.el7.x86_64
ade #

ade # cat /etc/ntp.conf
restrict default limited kod nomodify notrap noquery
restrict 127.0.0.1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
keys /etc/ntp/keys
server 10.0.0.1
server 10.0.1.1
crypto
keysdir /etc/ntp/auto-key

 

By default, ISE contacts the external NTP servers every 18 minutes or so.

Not sure if that helps you.
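To put the "18 minutes or so" figure next to the STIG question in concrete terms, here is an added example (not code from the reply above or from Cisco) that parses the ntp.conf shown above and reports what an auditor typically asks for: the real network time sources, the worst-case poll gap (ntpd's default maxpoll of 10 is 1024 s, about 17 minutes, which matches the observed interval), whether key or Autokey authentication is configured, and whether the default restrict line carries nomodify and noquery. The check names and the sample are my own construction, not STIG check text.

```python
from typing import Dict, List

# ntp.conf exactly as shown in the reply above (ISE 2.6 engineering shell), embedded as sample input.
SAMPLE_NTP_CONF = """\
restrict default limited kod nomodify notrap noquery
restrict 127.0.0.1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
keys /etc/ntp/keys
server 10.0.0.1
server 10.0.1.1
crypto
keysdir /etc/ntp/auto-key
"""

# ntpd default when a server line carries no maxpoll: 2**10 = 1024 s (minpoll defaults to 2**6 = 64 s).
DEFAULT_MAXPOLL = 10

def parse_ntp_conf(text: str) -> List[List[str]]:
    """Split each non-empty, non-comment line into its tokens: [keyword, arg, ...]."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def audit_ntp_conf(text: str) -> Dict[str, object]:
    """Summarise real time sources, worst-case poll gap, authentication and default access control."""
    rows = parse_ntp_conf(text)
    sources = [r for r in rows if r[0] in ("server", "peer") and len(r) > 1]
    # 127.127.t.u addresses are ntpd's local reference-clock drivers, not network time sources.
    external = [r for r in sources if not r[1].startswith("127.127.")]
    max_poll_s = 0
    for r in external:
        maxpoll = int(r[r.index("maxpoll") + 1]) if "maxpoll" in r else DEFAULT_MAXPOLL
        max_poll_s = max(max_poll_s, 2 ** maxpoll)
    # 'restrict default ...' governs unknown clients; nomodify/noquery block remote reconfiguration and status queries.
    default_flags = next((set(r[2:]) for r in rows if r[:2] == ["restrict", "default"]), set())
    return {
        "external_sources": [r[1] for r in external],
        "max_poll_seconds": max_poll_s,  # 1024 for the sample: about 17 min, matching the ~18 min observed
        "authentication": any(r[0] in ("keys", "crypto") for r in rows),  # symmetric keys or Autokey
        "default_restrict_ok": {"nomodify", "noquery"} <= default_flags,
    }
```

Run `audit_ntp_conf(SAMPLE_NTP_CONF)` to get the summary for the posted configuration; feed it the output of `cat /etc/ntp.conf` from your own node to compare.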

Colby LeMaire
VIP Alumni

When you are dealing with DISA STIGs and CCRI audits (whatever they are called now), just treat ISE as an appliance. It doesn't fall into the standard categories of STIGs (hardening guides for non-DoD folks) so none of them apply. They ignore special-purpose appliances. Sometimes you have to educate the auditors a little. That goes for any compliance program. I just tell them that ISE is a hardened special-purpose appliance. You can also show them what you were able to control/configure in terms of password requirements, account lock-out, session timeouts, admin session ACLs, etc.


6 Replies

Thank you. That answered the NTP polling question.

Actually there are "6" STIG/SRG lists that apply per DISA if you look up ISE on the APL.
That is where the multitude of session requirements, cipher requirements, FIPS and so forth are all derived from. However, some of the settings will either be OBE due to limited capability within ISE to set them, or they are controlled in the underlying RHEL and mapped to an ADE-OS feature, but it is not clearly defined how that happens. And some will not apply. But as a whole they are very helpful in doing all you can to protect ISE properly.

- Application Security and Development Security Technical Implementation Guide
- Network Device Management Security Requirements Guide
- Network Devices Security Technical Implementation Guide
- Network Infrastructure Policy Security Technical Implementation Guide
- Web Server Security Requirements Guide
- Remote Access Policy STIG

Obviously you can use the guides as just that, guides, and pick settings/configurations from the various guides out there that you can apply to ISE. But my point is that the auditor shouldn't try to apply the Web Server STIG to ISE just because it serves HTTP and then hit you on items that you have no control over. It is always hit or miss whether you get a decent auditor that understands.