
ISE posture: Is it possible to "trace" posture conditions on the client?

rmueller@cisco.com
Cisco Employee

Hi all,


My customer is asking if it is possible to actually "trace" or sleuth posture requirements that are checked on the client. For example, if the customer is checking for file existence, would it be possible to actually find out which file the posture assessment is checking for (filename/path) by digging into logs or debugging the client somehow?

This question is especially for MacBooks.

Roland

4 Replies

hslai
Cisco Employee

A file condition requires the File Path. Since the path is defined as the check, we need not trace how the agent is performing the checks. If it's not doing what it's supposed to, please open a TAC case and TAC uses some internal tool to decode the client support files for this.


Hi,

thanks for the quick response.

However, the question goes more in the direction of whether this can actually be "hacked" by looking at log files etc., if someone outside of the organization wants to "make" his workstation compliant.

Roland

Roland Mueller


I've not heard of any incident like that. If customers have one, please report it to Cisco TAC or Cisco PSIRT team.

The posture client logs have historically been encrypted (probably for this very reason). Having said that, if your customer has admin access to his desktop he can probably run things like Process Monitor (https://technet.microsoft.com/en-us/sysinternals/bb896645) to try to get insight into what the posture agent is looking for. Of course he will have to fail at least once before this happens :).

George