Dr. Shahab Linux Workstation Deployment
Device Information
| Field | Value |
|---|---|
| Owner | Dr. Shahab Asgharzadeh |
| Department | Spatial Biology and Genomics Core |
| Location | SRT Building, 9th Floor |
| MAC Address | b4:e9:b8:f6:c8:17 |
| Switch | SRT-9-9300 |
| Port | Gi1/0/36 |
| Current IP | 10.238.179.128 |
| NAS IP | 10.134.144.109 |
| Current Policy | Research_Onboard (TOO OPEN) |
| Target Policy | Linux_Research_EAP_TLS (hardened) |
Phase 1: SSH Validation (Evan - InfoSec)
Connect to Workstation
```bash
ssh evan@10.238.179.128
# or
ssh shahab@10.238.179.128
```
1.1 System Information
```bash
echo "=== HOSTNAME ==="
hostname -f
echo "=== OS VERSION ==="
head -5 /etc/os-release
echo "=== KERNEL ==="
uname -a
echo "=== NETWORK INTERFACE ==="
ip link show | grep -E "^[0-9]|ether"
```
1.2 LUKS Disk Encryption
```bash
echo "=== LUKS CHECK ==="
lsblk -f | grep -i crypt
echo "=== CRYPTTAB ==="
cat /etc/crypttab
echo "=== ROOT FILESYSTEM ==="
df -h / | grep mapper
```
Expected: `crypto_LUKS` in lsblk, /etc/crypttab exists, root on /dev/mapper/*
- [ ] LUKS encryption verified
1.3 AD Domain Join
```bash
echo "=== REALM LIST ==="
realm list
echo "=== SSSD STATUS ==="
systemctl status sssd --no-pager
echo "=== TEST USER RESOLUTION ==="
id shahab@la.ad.chla.org 2>/dev/null || echo "User not found - check domain"
getent passwd shahab@la.ad.chla.org 2>/dev/null || echo "NSS lookup failed"
```
Expected: `realm list` shows la.ad.chla.org configured, sssd running
- [ ] AD domain joined
- [ ] Users resolvable
1.4 Microsoft Defender for Endpoint
```bash
echo "=== DEFENDER SERVICE ==="
systemctl status mdatp --no-pager 2>/dev/null || echo "mdatp not installed"
echo "=== DEFENDER HEALTH ==="
mdatp health 2>/dev/null || echo "mdatp not installed"
echo "=== REAL-TIME PROTECTION ==="
mdatp health --field healthy 2>/dev/null
mdatp health --field real_time_protection_enabled 2>/dev/null
```
Expected: `healthy: true`, `real_time_protection_enabled: true`
- [ ] Defender installed
- [ ] Real-time protection enabled
1.5 UFW Firewall
```bash
echo "=== UFW STATUS ==="
sudo ufw status verbose
echo "=== UFW DEFAULTS ==="
# Only the verbose form prints the default policies
sudo ufw status verbose | grep -i default
```
Expected: Status active, default deny incoming, allow outgoing
- [ ] UFW enabled
- [ ] Default deny incoming
1.6 Sudoers Configuration
```bash
echo "=== SUDOERS FILES ==="
ls -la /etc/sudoers.d/
echo "=== SUDOERS CONTENT ==="
sudo cat /etc/sudoers.d/* 2>/dev/null
echo "=== TEST SUDO FOR DOMAIN USER ==="
# Domain users should NOT have sudo; list what sudo would grant this user
sudo -l -U shahab@la.ad.chla.org
```
Expected: Only admin groups have sudo, domain users denied
- [ ] Zero-trust sudoers configured
1.7 Certificates (if installed)
```bash
echo "=== CA CERTIFICATES ==="
ls -la /etc/ssl/certs/ | grep -i chla
echo "=== MACHINE CERTIFICATE ==="
ls -la /etc/ssl/certs/*.pem 2>/dev/null | head -5
# /etc/ssl/private is root-only, so the glob must expand inside a root shell
sudo sh -c 'ls -la /etc/ssl/private/*.key 2>/dev/null'
echo "=== CERTIFICATE DETAILS ==="
# Replace with actual cert path if found
openssl x509 -in /etc/ssl/certs/machine.crt -noout -subject -dates 2>/dev/null || echo "No machine cert found"
```
- [ ] Root CA installed
- [ ] Machine certificate installed
1.8 wpa_supplicant (802.1X)
```bash
echo "=== WPA_SUPPLICANT CONFIG ==="
ls -la /etc/wpa_supplicant/
echo "=== WPA_SUPPLICANT SERVICE ==="
systemctl list-units | grep wpa
echo "=== 802.1X STATUS ==="
# Find the first wired (en*) interface name
IFACE=$(ip -o link show | awk -F': ' '$2 ~ /^en/ {print $2; exit}')
echo "Interface: ${IFACE:-<none found>}"
wpa_cli -i "$IFACE" status 2>/dev/null || echo "wpa_supplicant not running on $IFACE"
```
- [ ] wpa_supplicant configured
- [ ] 802.1X authenticated
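For the target policy the wired network block must do EAP-TLS with the machine certificate. As an added example (not the runbook's or CHLA's own tooling), this lint reads a wpa_supplicant network block and reports what would keep it from meeting that policy; the identity and certificate paths in the sample block are constructed.

```python
"""Lint a wpa_supplicant network block for wired EAP-TLS machine authentication.
Added example for this runbook, not CHLA tooling; the keys are standard
wpa_supplicant.conf keys and the sample block (identity, paths) is constructed."""
import re

SAMPLE_CONF = """
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="host/ws-shahab.la.ad.chla.org"
    ca_cert="/etc/ssl/certs/chla-root-ca.pem"
    client_cert="/etc/ssl/certs/machine.crt"
    private_key="/etc/ssl/private/machine.key"
}
"""

def parse_network_block(conf):
    """Key/value pairs of the first network={...} block, quotes stripped."""
    m = re.search(r"network=\{(.*?)\}", conf, re.S)
    fields = {}
    for line in (m.group(1).splitlines() if m else []):
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            fields[key.strip()] = val.strip().strip('"')
    return fields

def lint_eap_tls(conf):
    """Findings that would keep the block from satisfying Linux_Research_EAP_TLS; [] = OK."""
    f = parse_network_block(conf)
    if not f:
        return ["no network={} block found"]
    findings = []
    if f.get("key_mgmt") != "IEEE8021X":
        findings.append("key_mgmt must be IEEE8021X for wired 802.1X")
    if f.get("eap") != "TLS":
        findings.append("eap is %r, target policy requires TLS" % f.get("eap"))
    for key in ("identity", "client_cert", "private_key"):
        if key not in f:
            findings.append("missing %s: no machine certificate presented" % key)
    if "ca_cert" not in f:
        # Without a CA the supplicant accepts any RADIUS server certificate
        findings.append("missing ca_cert: RADIUS server certificate not validated")
    return findings
```

Run it against the real file with `lint_eap_tls(open("/etc/wpa_supplicant/wpa_supplicant.conf").read())` from a root shell, since the file holds the private key path.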
Phase 1 Summary Script
Run this single script to collect all validation data:
```bash
#!/bin/bash
echo "=========================================="
echo "CHLA Linux Workstation Validation Report"
echo "Date: $(date)"
echo "Host: $(hostname -f)"
echo "=========================================="
echo -e "\n=== 1. LUKS ENCRYPTION ==="
lsblk -f | grep -i crypt && echo "PASS: LUKS detected" || echo "FAIL: No LUKS"
[ -f /etc/crypttab ] && echo "PASS: crypttab exists" || echo "FAIL: No crypttab"
echo -e "\n=== 2. AD DOMAIN JOIN ==="
realm list 2>/dev/null | head -5
systemctl is-active sssd >/dev/null && echo "PASS: SSSD running" || echo "FAIL: SSSD not running"
echo -e "\n=== 3. MICROSOFT DEFENDER ==="
systemctl is-active mdatp >/dev/null 2>&1 && echo "PASS: Defender running" || echo "FAIL/PENDING: Defender not running"
mdatp health --field healthy 2>/dev/null || echo "mdatp not installed"
echo -e "\n=== 4. UFW FIREWALL ==="
sudo ufw status | grep -q "Status: active" && echo "PASS: UFW active" || echo "FAIL: UFW not active"
sudo ufw status verbose | head -10
echo -e "\n=== 5. SUDOERS ==="
ls /etc/sudoers.d/ 2>/dev/null
echo -e "\n=== 6. CERTIFICATES ==="
# head always exits 0, so test the output with grep . to get a real fallback
ls /etc/ssl/certs/*.pem 2>/dev/null | head -3 | grep . || echo "No .pem certs in /etc/ssl/certs"
sudo sh -c 'ls /etc/ssl/private/*.key 2>/dev/null' || echo "No private keys"
echo -e "\n=== 7. 802.1X STATUS ==="
# First wired (en*) interface name; quoted so an empty result is reported, not silently ignored
IFACE=$(ip -o link show | awk -F': ' '$2 ~ /^en/ {print $2; exit}')
wpa_cli -i "$IFACE" status 2>/dev/null | grep -E "wpa_state|EAP" || echo "wpa_supplicant not active on ${IFACE:-<no wired interface>}"
echo -e "\n=========================================="
echo "Validation Complete"
echo "=========================================="
```
Phase 2: ISE Hardening (Evan - InfoSec)
2.1 Current State - Research_Onboard is TOO OPEN
The device is currently in Research_Onboard with no dACL, which gives it full network access.
2.2 Create Hardened dACL
ISE GUI: Policy > Policy Elements > Results > Authorization > Downloadable ACLs
Name: DACL_LINUX_RESEARCH_HARDENED
```text
! ==============================================
! dACL: DACL_LINUX_RESEARCH_HARDENED
! Purpose: Zero-trust - block internal, permit internet
! ==============================================
! dACLs are evaluated first-match: the host-specific internal permits
! (DNS, AD, ISE) must come BEFORE the broad internal denies, otherwise
! the denies shadow them and name resolution and Kerberos break
! Permit DNS (internal DNS servers only)
permit udp any host 10.112.142.41 eq 53
permit udp any host 10.112.142.42 eq 53
! Permit AD/Kerberos (DC IPs)
permit tcp any host <DC-1-IP> eq 88
permit udp any host <DC-1-IP> eq 88
permit tcp any host <DC-1-IP> eq 389
permit tcp any host <DC-1-IP> eq 636
! Permit ISE Posture
permit tcp any host <ISE-PSN-1> eq 8443
permit tcp any host <ISE-PSN-1> eq 8905
permit tcp any host <ISE-PSN-2> eq 8443
permit tcp any host <ISE-PSN-2> eq 8905
! Block ALL other Internal Networks
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
! Permit DHCP
permit udp any any eq 67
permit udp any any eq 68
! Permit NTP
permit udp any any eq 123
! Permit Internet (HTTP/HTTPS/SSH)
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 22
! Log and deny everything else
deny ip any any log
```
Or use netapi:
```bash
# DNS permits listed before the internal denies (first-match); add the
# DC and ISE PSN permits in the same position once those IPs are known
netapi ise create-dacl "DACL_LINUX_RESEARCH_HARDENED" --aces "
permit udp any host 10.112.142.41 eq 53
permit udp any host 10.112.142.42 eq 53
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit udp any any eq 67
permit udp any any eq 68
permit udp any any eq 123
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 22
deny ip any any log
"
```
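To check ACE ordering before the dACL is pushed, here is an added example (not ISE or netapi code) that simulates first-match evaluation of the ACEs above; the DHCP/NTP lines and the DC and ISE placeholders are left out, and the destination addresses used in the checks are constructed.

```python
"""First-match simulator for the DACL_LINUX_RESEARCH_HARDENED ACEs (added example
for this runbook, not ISE or netapi code). A dACL is evaluated top-down and the
first matching ACE wins, so host permits placed below the RFC1918 denies are dead."""
import ipaddress
# ACEs from the runbook dACL (DHCP/NTP and placeholder DC/ISE entries omitted),
# in the shadowed order: the internal DNS permit sits below the 10/8 deny.
SHADOWED = """
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit udp any host 10.112.142.41 eq 53
permit tcp any any eq 443
deny ip any any log
"""
DNS_ACE = "permit udp any host 10.112.142.41 eq 53\n"
FIXED = DNS_ACE + SHADOWED.replace(DNS_ACE, "")   # same ACEs, DNS permit first

def parse_ace(line):
    """Return (action, proto, dst_network, dst_port); port None means any port."""
    tok = line.split()
    action, proto = tok[0], tok[1]      # tok[2] is the source, "any" throughout
    if tok[3] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tok[4:]
    elif tok[3] == "host":
        net, rest = ipaddress.ip_network(tok[4] + "/32"), tok[5:]
    else:                               # address + wildcard mask, e.g. 10.0.0.0 0.255.255.255
        net, rest = ipaddress.ip_network(tok[3] + "/" + tok[4]), tok[5:]
    port = int(rest[1]) if len(rest) > 1 and rest[0] == "eq" else None
    return action, proto, net, port

def ace_list(acl):
    """ACE lines without blanks and '!' comments."""
    return [l for l in acl.splitlines() if l.strip() and not l.startswith("!")]

def evaluate(acl, proto, dst, port=None):
    """(action, 1-based ACE number) of the first match; implicit deny if nothing matches."""
    addr = ipaddress.ip_address(dst)
    for n, line in enumerate(ace_list(acl), 1):
        action, aproto, net, aport = parse_ace(line)
        if aproto in ("ip", proto) and addr in net and aport in (None, port):
            return action, n
    return "deny", None

def shadowed_aces(acl):
    """(permit ACE no., earlier deny ACE no.) pairs where the deny fully covers the permit."""
    aces = [parse_ace(l) for l in ace_list(acl)]
    return [(i, j) for i, (a, p, n, pt) in enumerate(aces, 1) if a == "permit"
            for j, (da, dp, dn, dpt) in enumerate(aces[:i - 1], 1)
            if da == "deny" and dp in ("ip", p) and n.subnet_of(dn) and dpt in (None, pt)]
```

`shadowed_aces(SHADOWED)` reports the DNS permit (ACE 4) as covered by the 10/8 deny (ACE 1), while the same check on `FIXED` is empty and `evaluate` confirms DNS permitted, internal ping denied and 443 to the Internet permitted.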
2.3 Create Authorization Profile
ISE GUI: Policy > Policy Elements > Results > Authorization > Authorization Profiles
Name: Linux_Research_EAP_TLS
| Setting | Value |
|---|---|
| Access Type | ACCESS_ACCEPT |
| DACL Name | DACL_LINUX_RESEARCH_HARDENED |
| VLAN | (keep current or specify) |
| Reauth Timer | 3600 |
Or use netapi:
```bash
netapi ise create-authz-profile "Linux_Research_EAP_TLS" \
  --dacl "DACL_LINUX_RESEARCH_HARDENED" \
  --reauth-timer 3600
```
2.4 Update Authorization Rule
ISE GUI: Policy > Policy Sets > Wired Dot1X Closed > Authorization Policy
Add rule (or modify Research_Onboard):
| Rule Name | Conditions | Profile |
|---|---|---|
| Linux_Research_Hardened | EndpointMAC EQUALS b4:e9:b8:f6:c8:17 | Linux_Research_EAP_TLS |
Or use netapi:
```bash
netapi ise add-authz-rule "Wired Dot1X Closed" "Linux_Research_Hardened" \
  "Linux_Research_EAP_TLS" \
  --dict "Cisco" \
  --attr "cisco-av-pair" \
  --value "endpoint-mac-address=b4:e9:b8:f6:c8:17" \
  --operator equals
```
2.5 Force Reauth and Verify
On Switch (SRT-9-9300):
```text
show access-session mac b4e9.b8f6.c817 detail
! Force reauth to apply new policy
clear access-session mac b4e9.b8f6.c817
! Verify new dACL applied
show access-session mac b4e9.b8f6.c817 detail
show ip access-list | include DACL_LINUX
```
Via netapi:
```bash
netapi ise mnt session b4:e9:b8:f6:c8:17
```
2.6 Test dACL Effectiveness (from workstation)
```bash
# Internet should WORK
curl -sI https://google.com | head -1
# Expected: HTTP/2 200 or 301
# Internal servers should be BLOCKED
ping -c 2 10.134.144.1
# Expected: 100% packet loss
# DNS should WORK
nslookup google.com
# Expected: resolves
```
Phase 3: Deliverables for Team
For Ben Castillo (SysEng)
Missing items from validation (check boxes above):
- [ ] LUKS encryption
- [ ] AD domain join
- [ ] Microsoft Defender
- [ ] UFW firewall
- [ ] Sudoers configuration
- [ ] Machine certificate request/install
- [ ] wpa_supplicant configuration
For Victor Negri (Cloud/AD)
- [ ] AD groups created:
  - [ ] GRP-Research-Linux-Workstations
  - [ ] GRP-Research-Linux-Users
  - [ ] GRP-Research-Linux-Admins
- [ ] Machine account added to Workstations group
- [ ] Certificate template available
- [ ] Machine certificate issued
For Sarah Clizer (Approval)
Status Update Template:
```text
Subject: Linux Research Workstation Status - Dr. Shahab

Current State:
- Device: b4:e9:b8:f6:c8:17 on SRT-9-9300 Gi1/0/36
- ISE Policy: Research_Onboard (temporary)

Validation Results:
- LUKS: [PASS/FAIL/PENDING]
- AD Join: [PASS/FAIL/PENDING]
- Defender: [PASS/FAIL/PENDING]
- Firewall: [PASS/FAIL/PENDING]
- Certificates: [PASS/FAIL/PENDING]
- 802.1X: [PASS/FAIL/PENDING]

ISE Hardening:
- Created dACL: DACL_LINUX_RESEARCH_HARDENED
- Blocks all internal networks (zero-trust)
- Permits: DNS, DHCP, NTP, Internet (80/443/22)

Next Steps:
1. Ben to complete [missing items]
2. Victor to issue machine certificate
3. Final validation and policy switch to Linux_Research_EAP_TLS

ETA: [date]
```
Quick Reference
Switch Commands
```text
show access-session interface Gi1/0/36 detail
show access-session mac b4e9.b8f6.c817 detail
show ip access-list | include DACL_LINUX
clear access-session mac b4e9.b8f6.c817
```
netapi Commands
```bash
netapi ise mnt session b4:e9:b8:f6:c8:17
netapi ise get-authz-profile "Linux_Research_EAP_TLS"
netapi ise get-dacl "DACL_LINUX_RESEARCH_HARDENED"
```
Session Log
2026-01-23 - Initial Validation
```text
[timestamp] SSH to 10.238.179.128
[timestamp] Validation results:
- LUKS:
- AD Join:
- Defender:
- UFW:
- Certs:
- 802.1X:
```