Are there hardening/best practices documentation available for TACPLUS? #177
Replies: 2 comments 2 replies
-
Hi, I'm not aware of any tac_plus-ng specific best-practice guides. Personally, I think that syslog might be a better option than logging to files, and scaling the number of workers and mavis backend processes shouldn't be considered optional as it depends on the work load. As for the protocol itself, using the same key on each-and-every device likely isn't a good idea, and if TLS gets more momentum I'd certainly move on to that. Also, the TACACS+ RFCs or drafts give some suggestions on what to avoid (but remembering vaguely, I tended to disagree with a couple). Cheers, Marc
-
Great, thanks for the tip on logging - we're already exporting logs to our SIEM. Can you elaborate on how we would use different keys for each device? Like I know how we can auto-generate it and push it out to the network devices, but how would that work in the TACPLUS config when it looks like there's just one option for the key. If we have 300+ network devices, I'm not sure how that would scale easily.
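Added example, not part of the thread and not tac_plus-ng project code: one way to scale per-device keys is to derive each key from a single master secret with HMAC-SHA256 and generate one configuration block per device from an inventory. The `device { address / key }` stanza layout, the inventory, and the function names are assumptions; check the keywords against the tac_plus-ng documentation.

```python
import base64
import hashlib
import hmac
import ipaddress
import re

# Constructed sample inventory: hypothetical names, documentation-range addresses.
INVENTORY = [("edge-rtr-01", "192.0.2.11"), ("edge-rtr-02", "192.0.2.12"),
             ("core-sw-01", "198.51.100.5")]

# Assumed stanza layout (one block per device with its own address and key);
# verify the keywords against the tac_plus-ng documentation before use.
STANZA = 'device {name} {{\n    address = {addr}\n    key = "{key}"\n}}\n'
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,63}")


def derive_key(master: bytes, name: str, addr: str, epoch: int = 1) -> str:
    """Derive a per-device shared secret as HMAC-SHA256(master, context)."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe device name: {name!r}")  # blocks config injection
    if len(master) < 32:
        raise ValueError("master secret must be at least 32 bytes")
    addr = str(ipaddress.ip_address(addr))  # rejects malformed addresses
    context = f"tacacs-key|v{epoch}|{name}|{addr}".encode()
    digest = hmac.new(master, context, hashlib.sha256).digest()
    # URL-safe base64 without padding: 43 characters, no quotes or whitespace.
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def render_config(master: bytes, inventory, epoch: int = 1) -> str:
    """Return one stanza per device, refusing duplicate names or addresses."""
    seen, out = set(), []
    for name, addr in inventory:
        if name in seen or addr in seen:
            raise ValueError(f"duplicate inventory entry: {name} {addr}")
        seen.update((name, addr))
        key = derive_key(master, name, addr, epoch)
        out.append(STANZA.format(name=name, addr=addr, key=key))
    return "\n".join(out)


if __name__ == "__main__":
    import secrets  # demo only: load the real master secret from a secrets manager
    print(render_config(secrets.token_bytes(32), INVENTORY))
```

The same `derive_key` call can feed the tooling that pushes keys to the devices, and raising `epoch` rotates every key without storing 300 separate secrets.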
-
As we move forward with GovRAMP, we're being asked if there's any hardening or best practice guides for TACPLUS? There's a wealth of information in the documentation that is provided, but is there anything separate that documents best practices with the configuration or deployment of TACPLUS? A long shot, but I thought I'd ask.