Overview
Custom rules allow the admin to define checks that collect system health information using an Integrity Measurement Collector (IMC) and evaluate it using an Integrity Measurement Verifier (IMV) of the TNC framework. The admin creates custom rules to include inspection checks such as the absence or presence of a specific file, certificate checks, TCP ports, processes, registry key settings, the NetBIOS name, MAC addresses or the certificate of the client machine, and third-party inspection methods (custom DLLs).
You can invoke Host Checker at the role level or the realm level to specify access requirements for endpoints attempting to authenticate.
All Host Checker rules are implemented through IMCs and IMVs based on the TNC open architecture. IMCs are software modules that Host Checker runs on the client machine. You can also configure Host Checker to monitor third-party IMCs installed on client computers by using third-party IMVs that are installed on a remote IMV server.
• IMCs are responsible for collecting information, such as antivirus, antispyware, patch management, firewall, and other configuration and security information for a client machine.
• IMVs are software modules running on the device that are responsible for verifying a particular aspect of an endpoint's integrity.
• The system and Host Checker manage the flow of information between the corresponding pairs of IMVs and IMCs. Each IMV on the device works with the corresponding IMC on the client machine to verify that the client meets the Host Checker rules.
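The following is an added illustration (not Ivanti's or TCG's code) of the collect/verify split described above: a collector in the IMC role only measures the endpoint (file presence and SHA-256), while a verifier in the IMV role compares those measurements against file rules of the kind listed under "File policy" and returns a decision with reason strings. The rule class, the measurement dictionary layout and the sample files are constructed for this example.

```python
"""Toy IMC/IMV model: the collector gathers facts, the verifier decides."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FileRule:
    """Constructed rule shape: presence/absence of a path, optional checksum."""
    path: str
    sha256: Optional[str] = None  # expected digest, or None for presence-only
    must_exist: bool = True       # False models an 'absence of file' rule


def collect_file_facts(paths: List[str]) -> Dict[str, dict]:
    """IMC side: measure each path; it never evaluates policy itself."""
    facts = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            facts[p] = {"present": True, "sha256": digest}
        else:
            facts[p] = {"present": False, "sha256": None}
    return facts


def verify(rules: List[FileRule], facts: Dict[str, dict]) -> Tuple[bool, List[str]]:
    """IMV side: every rule must hold; reasons explain each failed rule."""
    reasons = []
    for r in rules:
        f = facts.get(r.path, {"present": False, "sha256": None})
        if f["present"] != r.must_exist:
            reasons.append(f"{r.path}: expected {'present' if r.must_exist else 'absent'}")
        elif r.must_exist and r.sha256 and f["sha256"] != r.sha256:
            reasons.append(f"{r.path}: checksum mismatch")
    return (not reasons, reasons)


def demo() -> Tuple[bool, List[str]]:
    """Constructed endpoint: a required config file plus a forbidden flag file."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "agent.conf")
        with open(conf, "wb") as fh:
            fh.write(b"mode=enforce\n")
        rules = [
            FileRule(conf, sha256=hashlib.sha256(b"mode=enforce\n").hexdigest()),
            FileRule(os.path.join(d, "debug.flag"), must_exist=False),
        ]
        return verify(rules, collect_file_facts([r.path for r in rules]))
```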
Trusted Network Connect
Host Checker is compliant with the Trusted Network Connect (TNC) model developed by Trusted Computing Group (TCG). TCG created an architecture and set of standards for verifying endpoint integrity and policy compliance during or after a network access request. For more information about TNC, see www.trustedcomputinggroup.or
Policies
The Ivanti Policy Secure Host Checker component supports many different types of policy evaluation on the endpoint, along with continuous monitoring of system health. The following table describes the policies and features that can be defined as part of the device compliance check.
Supported Policies

| Policy | Description |
| --- | --- |
| Predefined | |
| Antivirus Policy | Policy to detect whether antivirus is installed and up to date with the latest virus signatures. It also includes options to check the last scan time and virus signature download, and remediation options. |
| Firewall Policy | Policy to detect the firewall installed on the endpoint, with a remediation option to turn the firewall on if it is turned off. |
| Anti-Spyware Policy | Policy to detect the spyware protection installed on endpoints. |
| Hard disk Encryption | Policy to detect and check the encryption status of the specified drives, or all drives, using the installed encryption software. |
| Patch Management | Policy to check whether the required operating system patches are installed properly. |
| OS Checks | Policy to check the version of the Windows operating system and the minimum service pack. |
| Common Vulnerability and Exposure (CVE) | Policy to check the endpoint for known vulnerabilities (CVEs) that are exploited by attacks such as ransomware. |
| System Integrity Protection (SIP) | Policy to check the status (enabled/disabled) of System Integrity Protection (SIP) on Mac OS endpoints. |
| Custom | |
| 3rd Party NHC Check | Policy to specify the location of custom DLL files. |
| Ports policy | Policy to check whether a particular port is open or closed, and allow or reject the user authentication accordingly. |
| Process policy | Policy to control the software or processes that run on the client machine. |
| File policy | Policy to check whether a particular file (with a specific version, checksum, or last-modified time) is present on the endpoint, and allow or reject the user authentication accordingly. |
| Registry Settings policy | Policy to check a registry key and its value to allow or reject the user authentication, with a remediation option to set the registry value if it is not configured. |
| NetBIOS policy | Policy to check the endpoint's NetBIOS name against the list of NetBIOS names provided, to control user access. |
| MAC Address policy | Policy to check whether the endpoint MAC address matches the provided regex or the whitelist of MAC addresses, to control user access. |
| Machine Certificate policy | Policy to check for the required machine certificate on the endpoint to control user access. This policy evaluates both the public and private keys of the installed machine certificate for users of Ivanti Secure Access Client. For agentless users, only the public key is evaluated. |
| Advanced Host Checking | Policy to dynamically check the compliance status of endpoints. It combines two policy types: the expected values for one check type are fetched from a registry location on the client machine and then used to evaluate the other policy. Checking expected values against another policy in this way is supported for Ports, Process, File, Registry, NetBIOS, MAC Address, and Machine Certificate. |
| Statement of Health | Policy to perform health state validation to determine which roles or realms endpoints can access. It checks system health indicators such as whether antivirus is enabled and up to date, antispyware is enabled and up to date, the firewall is enabled, and so on. |
| Command | Policy to check the versions of the installed applications on Mac OS endpoints. |
Host Checker General Settings
Ivanti Policy Secure provides the following admin configuration options for host checking.

| General Options | Description |
| --- | --- |
| Continuous Policy Evaluation | Option to configure periodic and continuous policy evaluation so that the endpoint remains compliant with the Host Checker policy. |
| Virus Signature Version Monitoring | Option to monitor and verify that the virus signatures, operating systems, and installed patches are up to date. |
| Pre-Authentication Host Checking | Policies that are enforced at the realm level before authentication. |
| Post-Authentication Host Checking | Policies that are enforced when role assignment happens after authentication. |
Supported Platform Matrix
A Host Checker policy contains one or more rules. Each rule can apply to different host checks and to different device types (Windows, Mac, Linux, Solaris, iOS, Android). The following table lists the Host Checker policies that are supported on Windows, Mac, Linux, Solaris, and mobile platforms, for agent (client) and agentless (clientless) login.
Supported Policies for Agent/Agentless Login

| Policy | Windows Client | Windows Clientless | Macintosh Client | Macintosh Clientless | Linux Client | Linux Clientless | Solaris Client | Solaris Clientless | Mobile: Windows Phone & ChromeOS | Mobile: iOS | Mobile: Android |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Antivirus | Yes | Yes* | Yes | Yes* | No | No | No | No | No | No | No |
| Firewall | Yes | Yes* | Yes | Yes* | No | No | No | No | No | No | No |
| AntiSpyware | Yes | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Hard Disk Encryption | Yes | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Patch Assessment | Yes | Yes | Yes | Yes | No | No | No | No | No | No | No |
| OS Checks | Yes | Yes | Yes | Yes | No | No | No | No | Yes | Yes | Yes |
| Rooting Detection | No | No | No | No | No | No | No | No | No | No | Yes |
| Jail Breaking Detection | No | No | No | No | No | No | No | No | No | Yes | No |
| Common Vulnerability and Exposure (CVE) Check | Yes | Yes | No | No | No | No | No | No | No | No | No |
| 3rd Party NHC Checks | Yes | Yes | No | No | No | No | No | No | No | No | No |
| Ports | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
| Process | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
| Files | Yes | Yes** | Yes | Yes** | Yes | Yes** | Yes | Yes** | No | No | No |
| Registry Setting | Yes | Yes*** | No | No | No | No | No | No | No | No | No |
| NetBIOS | Yes | Yes | Yes | Yes | No | No | No | No | No | No | No |
| MAC Address | Yes | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Machine Certificates | Yes | Yes**** | Yes | Yes | No | No | No | No | No | No | No |
| Statement of Health | Yes | Yes | No | No | No | No | No | No | No | No | No |
| System Integrity Protection (SIP) | No | No | Yes | Yes | No | No | No | No | No | No | No |
| Command | No | No | Yes | Yes | No | No | No | No | No | No | No |
| Advanced Host Checking | Yes | Yes | No | No | No | No | No | No | No | No | No |
- * In some cases, Antivirus/Firewall products restrict remediation actions to admins/services (for example, but not limited to, turning on the firewall). In such scenarios, certain remediation actions will not work with browser/clientless logins. Note that this restriction is defined by the corresponding security product.
- ** The admin should enable system-level access for accessing certain files and file locations for browser login.
- *** Registry verification requires admin privileges for accessing certain registry hives. There are limitations on accessing some parts of the registry hierarchy when evaluating registry checks for browser login.
- **** To access device certificates from the system store, the plugin needs admin rights. Private key verification is not supported for browser/clientless (agentless) login.
- Agentless mode with Profiler is supported only on Windows platforms. The supported policies are Antivirus, Firewall, Antispyware, OS checks, Ports, Process, NetBIOS, and MAC Address. For more information, see the Ivanti Policy Secure Profiler Administration Guide.
Host Checker Remediation Capabilities
| Remediation Capability | Windows | Mac OS | Linux |
| --- | --- | --- | --- |
| Custom Instructions | Yes | Yes | Yes |
| Custom Actions | Yes | - | - |
| Kill Process | Yes | Yes | Yes |
| Delete Files | Yes | Yes | Yes |
| Reason String | Yes | Yes | Yes |