Juniper host check for File Vault 2 encryption

echilders
New Contributor II

We use Juniper as our remote access provider, I was wondering if anyone knew of an easy way to create a host check for File Vault 2 encryption. We had used Sophos encryption until Mavericks, and were able to key on a running process. Any help would be greatly appreciated.

4 replies

alexjdale
Valued Contributor III

The problem is that with the right knowledge, it's really easy to spoof the Juniper host checker since it can really only check for certain files or processes (unless things have changed, we switched to a new VPN client this last year).

I'm not sure what your tolerances are, but you could have a system login script that confirms FV encryption and then creates or destroys a certain file with a certain hash that can be checked by Juniper. Again, that is still spoofable if someone can reverse-engineer it (relying on obscurity) and not real-time, but it may satisfy your security folks.

Unless you can have the host checker run a script, I can't think of anything else.

mm2270
Legendary Contributor III

Yeah, we've had to ask the same questions with our NAC host validation processes. If the appliance or application can't run a script, it's not easy to check on something like FV2 enablement. It needs to be able to run something like sudo fdesetup isactive, or similar, and check its exit status. There is no real "file" to look for when FileVault is active, and even if there was, as mentioned, it could be pretty easily spoofed.

dwandro92
Contributor III

We use Juniper as well, and I also had to come up with a solution for this. Host Checker is easily fooled if you know what it's checking for, regardless of which platform it is running on. What I did was create a script that is coupled with my FileVault Self-Service policy. The script simply creates a file (using the "touch" command) and Host Checker verifies the existence of that file to determine a client's validity.

Hope this helps!

JPDyson
Valued Contributor

We tag our Macs (touch command, predetermined file, as above) via Casper policy once a day. If the Mac is encrypted, it gets the tag. If it's not, and the tag is present, it is removed.

If these guys want to get serious about posture-checking Macs, they'll learn to run shell commands as a part of the process.
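The tag-file approach mm2270 and JPDyson describe (run `fdesetup isactive` from a management policy, then create or remove a marker file that Host Checker looks for), written out as an added example; this is not code from the thread, and the tag path is an assumption.

```shell
#!/bin/sh
# Added example: daily management-policy script that tags a Mac for a
# file-based host checker according to its FileVault 2 status.
# Assumes macOS 10.9+ (fdesetup) and runs as root; the tag path is made up.

TAG_FILE="${TAG_FILE:-/Library/Application Support/ExampleOrg/fv2.tag}"

# fv2_active: succeed only when FileVault is on. `fdesetup isactive` prints
# "true" and exits 0 when active, "false" and exits non-zero otherwise.
fv2_active() {
    [ "$(fdesetup isactive 2>/dev/null)" = "true" ]
}

# update_tag TAGPATH STATE: create the tag when STATE is "on", remove it
# otherwise. The parent directory is kept root-owned and not group/world
# writable so an ordinary user cannot plant the tag themselves (the
# spoofing concern raised above). Returns 0 on success.
update_tag() {
    tag="$1"
    state="$2"
    dir="$(dirname "$tag")"
    if [ "$state" = "on" ]; then
        mkdir -p "$dir" && chmod 755 "$dir" && touch "$tag" && chmod 644 "$tag"
    else
        rm -f "$tag"
    fi
}

# tag_state TAGPATH: print "on" if the tag exists, "off" if not.
tag_state() {
    if [ -e "$1" ]; then echo on; else echo off; fi
}

main() {
    if fv2_active; then
        update_tag "$TAG_FILE" on
    else
        update_tag "$TAG_FILE" off
    fi
}

main "$@"
```

If the machine is not encrypted and no tag exists, the script still exits 0, so the policy shows as successful in Casper while the host checker correctly fails the client.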