Cisco does not hide the fact that Cisco Secure Access Control System (Secure ACS) 5.X is based on CentOS but provides no way to get to a Linux shell. Instead, when you log into Secure ACS you are presented with a Cisco IOS-like shell.
This post will show you how to access the bash shell as root, and explores the underlying filesystem layout and utilities which make up Secure ACS. For the purposes of this blog, I am using Secure ACS VM 5.2. There may be slight variations in filesystem layout and utilities in later versions of Secure ACS.
So what is Secure ACS I hear you ask? Secure ACS is a centralized identity and access policy solution that ties together an enterprise’s network access policy and identity strategy. Secure ACS is essentially Cisco’s implementation of the familiar AAA (Authentication, Authorization, and Accounting) security model. It is a policy-based access control system and an integration point for network access control and identity management.
- It centralizes identity management and access policy
- It supports RADIUS, TACACS+ and IEEE 802.1X
- It supports external databases like Microsoft Active directory
- It comes in both software only and hardware plus software versions
It is a well-respected product used in over 40000 installations.
Like many Linux distributions that are more than two years old, Secure ACS uses GRUB (Grand Unified boot Loader) Legacy as its bootloader. GRUB is password-protected and thus you cannot easily modify the GRUB menu or access the GRUB shell to boot ADE-OS into single user mode so you can access a Linux Shell. I have no idea what the GRUB password is but it is easy to work around. Simply boot your ACS VM using a Linux Live CD such as Parted Magic, mount the Secure ACS /boot filesystem and modify menu.lst (or gruf.conf) to comment out the GRUB password line and add a new single user stanza.
Here is the VM disk layout. Just mount /dev/sda1 on /mnt to access the boot partition.
Here is the unmodified GRUB configuration file:
Here is my modified GRUB configuration file (menu.lst). Just use vi to edit the configuration file. EMACS or pico are not available.
Here is what GRUB looks like with the new menu stanza:
and here is what is displayed when you select the single user GRUB menu option:
ADE-OS is the Cisco Application Deployment Engine (ADE) Operating System.
OK, now that we have got to a root shell prompt, what can we do? Let’s first look at the Linux kernel and the CentOS versions:
As you can see, Secure ACS uses the older 2.4 Linux kernel.
Here is the output from the df command:
As you can see Secure ACS uses LVM (Logical Volume Manager).
Turning now to /etc/passwd, we can see that the default Secure ACS console login user, i.e. admin, is assigned a login shell script called carssh.sh.
Two other things to note are the use of an Apache web server and a Squid caching server.
It turns out that the admin login shell script is a simple shell wrapper around an executable called carssh. Looks like some of the same Cisco technology is used in Secure ACS as in Cisco’s VOIP products!
Looking at /etc/inittab, it shows that the default runlevel is 3 even though /etc/rc5.d is populated:
and all 6 Linux virtual consoles are still enabled:
Secure ACS appears to use the standard /etc/syslog.conf configuration file:
and make use of the local6 and local10 facilities.
Most Secure ACS logs are placed in /opt/CSCOacs/logs:
The logrotate utility is used to control the size of the above logs. Look up /etc/logrotate.d/acs-logrotate for full details. Here is some of the configuration information:
All of the ACS-specific files are located under /opt/CSCOacs:
There are lots of interesting configuration files and shell scripts there. For example here are the default firewall rules:
Well, I could go on for a long time detailing interesting things in Secure ACS v5.2. However, now that you know how to access the root shell, you can go explore the internals of Secure ACS for yourself.