10-04-2019 07:44 AM
Is there a document I can read or seminar I can watch that adequately explains the relationship between the RHEL underlying OS services and security posture with the overlay ADE-OS in ISE?
I am trying to understand what relationships exist between security settings within the ISE ADE-OS and how they talk, if they talk, to the RHEL equivalent. For example, the NTP setup. NTP within ISE does not have a polling interval to set up, so there is no clearly defined value, as required by DISA STIG, to configure to keep time set within a required time frame for auditing requirements.
However, ntpd within RHEL I could set up.
How does auditd/audisp on RHEL tie to the ISE auditing agents? Or do they even talk?
Has anyone conducted some hardening of the RHEL underlying components?
10-07-2019 06:21 AM
@AlanHarkleroad wrote: Is there a document I can read or seminar I can watch that adequately explains the relationship between the RHEL underlying OS services and security posture with the overlay ADE-OS in ISE?
I am trying to understand what relationships exist between security settings within the ISE ADE-OS and how they talk, if they talk, to the RHEL equivalent. For example, the NTP setup. NTP within ISE does not have a polling interval to set up, so there is no clearly defined value, as required by DISA STIG, to configure to keep time set within a required time frame for auditing requirements.
However, ntpd within RHEL I could set up.
How does auditd/audisp on RHEL tie to the ISE auditing agents? Or do they even talk?
Has anyone conducted some hardening of the RHEL underlying components?
Looks like ISE version 2.6 is a Red Hat 7.5 release version:
ade # cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
ade #
ade # uname -a
Linux rdhnkisedev002 3.10.0-862.3.2.el7.x86_64 #1 SMP Tue May 15 18:22:15 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
ade # uname -r
3.10.0-862.3.2.el7.x86_64
ade #
ade # cat /etc/ntp.conf
restrict default limited kod nomodify notrap noquery
restrict 127.0.0.1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
keys /etc/ntp/keys
server 10.0.0.1
server 10.0.1.1
crypto
keysdir /etc/ntp/auto-key
By default, ISE contacts the external NTP servers every 18 minutes or so.
Not sure if that helps you.
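The ntp.conf shown in the reply above has no minpoll/maxpoll on its server lines, so stock ntpd defaults apply (minpoll 6 = 64 s, maxpoll 10 = 1024 s, about 17 minutes), which is where the "every 18 minutes or so" cadence comes from. An auditor asking for a polling interval can be shown the value ntpd is actually using from the poll column of `ntpq -pn`. The script below is an added example, not part of the original post or of Cisco's ISE tooling; the peer table embedded in it is constructed sample output, not captured from an ISE node, and the threshold is an assumed value you would replace with whatever your STIG checklist requires.

```shell
#!/bin/sh
# Added example: read the "poll" column from ntpq -pn output and report the
# largest interval (seconds) among the external peers, then compare it to a
# required maximum. On ISE you would run `ntpq -pn` from the ade shell and feed
# its output in; the table below is CONSTRUCTED sample output for offline use.

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.000
*10.0.0.1        .GPS.            1 u  310 1024  377    0.412   -0.031   0.015
+10.0.1.1        10.0.0.1         2 u  522 1024  377    0.980    0.044   0.021'

# Largest poll interval (seconds) over all peers except the 127.127.x.x
# local clock driver, which is not an external time source.
# Columns: remote refid st t when poll reach delay offset jitter; the
# tally mark (* or +) is glued to the remote field, so "poll" is always $6.
max_poll_seconds() {
    printf '%s\n' "$1" | awk '
        NR > 2 && $1 !~ /127\.127\./ { if ($6 + 0 > max) max = $6 + 0 }
        END { print max + 0 }'
}

# ntpd polls every 2^N seconds where N is the minpoll/maxpoll exponent;
# the compiled-in defaults are minpoll 6 (64 s) and maxpoll 10 (1024 s).
poll_seconds_from_exponent() {
    echo $((1 << $1))
}

# Exit 0 when every external peer is polled at least every $2 seconds.
# $2 is an assumed audit threshold, not a value taken from any STIG text.
check_poll_within() {
    [ "$(max_poll_seconds "$1")" -le "$2" ]
}

# Stand-alone run: print the observed maximum and the default ceiling.
echo "observed max poll: $(max_poll_seconds "$SAMPLE_NTPQ") s"
echo "ntpd default maxpoll 10 = $(poll_seconds_from_exponent 10) s"
if check_poll_within "$SAMPLE_NTPQ" 1024; then
    echo "poll interval within 1024 s"
else
    echo "poll interval exceeds 1024 s"
fi
```

On a stock RHEL ntpd you would pin the cadence with `minpoll`/`maxpoll` on each `server` line; since the ISE configuration above exposes neither, the observed `poll` column is the evidence to hand the auditor.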
10-07-2019 08:33 AM
When you are dealing with DISA STIGs and CCRI audits (whatever they are called now), just treat ISE as an appliance. It doesn't fall into the standard categories of STIGs (hardening guides, for non-DoD folks), so none of them apply. They ignore special-purpose appliances. Sometimes you have to educate the auditors a little. That goes for any compliance program. I just tell them that ISE is a hardened special-purpose appliance. You can also show them what you were able to control/configure in terms of password requirements, account lockout, session timeouts, admin session ACLs, etc.
10-07-2019 08:54 AM
Thank you. That answered the NTP polling question.
10-07-2019 09:37 AM
Obviously you can use the guides as that, guides, and pick settings/configurations from the various guides out there that you can apply to ISE. But my point is that the auditor shouldn't try to apply the Web Server STIG to ISE just because it serves HTTP and then hit you on items that you have no control over. It is always hit and miss whether you get a decent auditor that understands.