Cisco ISE posture Checking

Started by icecream-guy, August 12, 2019, 08:23:19 AM


icecream-guy

Running ISE for checking posture, ran across an issue regarding macOS Gatekeeper, 10.13.
Wondering if anyone out here is also running ISE for posture checks and if you resolved the way to identify this?
Seems it's built into macOS; there is not really a service, process, or plist that I've come across to define it in the ISE posture rule.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Hmmm... I know that FSCT can log in with an SSH account and get a process list... or run a local agent... so, is this a MacOS with AnyConnect, because I'd assume that would be the Cisco way of getting that posture info.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on August 12, 2019, 09:30:28 AM
Hmmm... I know that FSCT can log in with an SSH account and get a process list... or run a local agent... so, is this a MacOS with AnyConnect, because I'd assume that would be the Cisco way of getting that posture info.

Yes, MacOS with AnyConnect. ISE sees the AV, recognizes it, it's just useless if we can't confirm that it is running. That's like having no AV at all.

deanwebb

Quote from: ristau5741 on August 12, 2019, 10:46:28 AM
Quote from: deanwebb on August 12, 2019, 09:30:28 AM
Hmmm... I know that FSCT can log in with an SSH account and get a process list... or run a local agent... so, is this a MacOS with AnyConnect, because I'd assume that would be the Cisco way of getting that posture info.

Yes, MacOS with AnyConnect. ISE sees the AV, recognizes it, it's just useless if we can't confirm that it is running. That's like having no AV at all.


Well, the ps command should work on MacOS. Can you run a script locally to execute maybe "ps aux"?
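
The local-script approach suggested above, as an added example that is not from the thread or from Cisco: it reads Gatekeeper's state from the text printed by `spctl --status` and looks for a process by exact executable name in `ps -axo comm` output (a narrower form of `ps aux`). The process name `ExampleAVDaemon` and the sample `ps` listing are constructed, and how the verdict is reported back to ISE is left out.

```shell
#!/bin/sh
# Added example (not from the thread): local checks a posture script could run on macOS.

# Map the text printed by `spctl --status` to a Gatekeeper state.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Read `ps -axo comm` output on stdin; succeed if an executable named $1 is listed.
# Comparing the basename exactly avoids false hits on paths that merely contain the name.
process_running() {
    awk -v want="$1" '
        { n = split($0, part, "/"); if (part[n] == want) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# posture_verdict <spctl output> <ps output> <process name>
# Prints "compliant" or "noncompliant: <reasons>"; returns 0 only when compliant.
posture_verdict() {
    reasons=""
    state=$(gatekeeper_state "$1")
    [ "$state" = enabled ] || reasons="gatekeeper=$state"
    if ! printf '%s\n' "$2" | process_running "$3"; then
        reasons="${reasons:+$reasons, }process '$3' not running"
    fi
    if [ -z "$reasons" ]; then echo compliant; return 0; fi
    echo "noncompliant: $reasons"; return 1
}

# Constructed sample listing; ExampleAVDaemon is a hypothetical process name.
SAMPLE_PS='COMM
/sbin/launchd
/Library/ExampleAV/ExampleAVDaemon
/Applications/Notes ExampleAVDaemon.app/Contents/MacOS/Notes'

# On a real Mac, evaluate the live command output instead of the sample.
if command -v spctl >/dev/null 2>&1; then
    posture_verdict "$(spctl --status 2>&1)" "$(ps -axo comm)" "ExampleAVDaemon" || true
fi
```

An unrecognised `spctl` response is reported as `gatekeeper=unknown` and treated as non-compliant, so the check fails closed.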