5.1.7 Client Integrity Check

NOTE: Access Manager 4.4 Service Pack 4 and later do not support this class.

You can configure a client integrity check policy to verify that recommended software (such as firewall and antivirus software) is installed on the client machine. You can configure separate policies for Windows, Linux, and Macintosh machines and specify the software that must be present on a client machine for it to pass the client integrity check.

You need to create an Identity Server authentication class that checks for the specified software on the client machine. Policies can check processes, files, Windows registry keys, system services, and so on. This class can be executed as the first method of the contract; if the check fails, the user authentication fails. Because the check is carried out by a helper binary running on the client, treat its result as a posture signal from an endpoint under the user's control rather than as proof, and pair it with traffic policies that limit what a client at a low security level can reach (see Client Security Levels).

Configuring Client Integrity Check

  1. Download the Client Integrity Check (CIC) package from the CIC Package download page and extract the CIC_utility.tar.gz file.

    Specifying details for the Operating System

  2. Open the CICtool/conf/config.xml file and add an <OperatingSystem> element for each operating system you want to check:

    <OperatingSystem Name="Linux" UserInterfaceID="Linux" CICOSID="Linux">
      . . .
    </OperatingSystem>

    To define operating system details for Windows and Macintosh, set Name, UserInterfaceID and CICOSID to Windows or Macintosh respectively.

    NOTE: The Name attribute is the identifier for the operating system. Use the same identifier for UserInterfaceID and CICOSID; the <CICOS> entries under each security level (step 7) refer to it through CICOSIDRef.

    Adding a Category

    A category is a group of similar software. For example, a firewall category can contain a list of firewalls such as Windows Firewall and ZoneAlarm. You can configure multiple software categories under each operating system in a single CIC policy.

    When multiple categories are configured for an operating system, the categories are combined with AND: if any enabled category is not satisfied on the client, the client integrity check fails.

  3. Add a category to an operating system by adding a <Type> tag in config.xml as follows:

    <OperatingSystem Name="Linux" UserInterfaceID="Linux" CICOSID="Linux">
      <Type Name="Firewall_Linux" UserInterfaceID="Firewall_Linux" Status="true" CICTypeID="Firewall_Linux">
        . . .
      </Type>
      <Type Name="Antivirus_Linux" UserInterfaceID="Antivirus_Linux" Status="true" CICTypeID="Antivirus_Linux">
        . . .
      </Type>
    </OperatingSystem>

    As this example shows, multiple categories can be configured under an operating system. The Name attribute of a <Type> tag is the category name; CICTypeID is the identifier that security levels refer to through CICTypeIDRef (step 8).

    Set Status to true to enable a category. A category with Status="false" is ignored by the check.

    Adding Applications for a Category

    A category consists of a group of applications, and you can add more than one application under a category. Applications within a category are combined with OR: the client workstation is checked for the presence of any one of the applications in the category, and if at least one enabled application definition matches, the client integrity check passes for that category.

  4. To add applications to a category, add <Info> tags as shown below:

    <OperatingSystem Name="Linux" UserInterfaceID="Linux" CICOSID="Linux">
      <Type Name="Firewall_Linux" UserInterfaceID="Firewall_Linux" Status="true" CICTypeID="Firewall_Linux">
        <Info Name="FireStarter" UserInterfaceID="FireStarter" Status="true">
          . . .
        </Info>
      </Type>
      <Type Name="Antivirus_Linux" UserInterfaceID="Antivirus_Linux" Status="true" CICTypeID="Antivirus_Linux">
        <Info Name="AntiVir" UserInterfaceID="AntiVir" Status="true">
          . . .
        </Info>
      </Type>
    </OperatingSystem>

    The Name attribute of an <Info> tag is the application name. Set Status to true to enable the application.

    NOTE: An enabled application is only evaluated if the category it belongs to is also enabled.

    Adding Attributes for an Application

    After you have added an application to a category, configure the attributes for each application. An attribute describes something the client integrity check looks for on the client, such as an RPM, a process, a registry key, or a file at an absolute path.

  5. Configure attributes under each application by adding attribute type tags to config.xml as follows:

    <OperatingSystem Name="Linux" UserInterfaceID="Linux" CICOSID="Linux">
      <Type Name="Firewall_Linux" UserInterfaceID="Firewall_Linux" Status="true" CICTypeID="Firewall_Linux">
        <Info Name="FireStarter" UserInterfaceID="FireStarter" Status="true">
          <AbsoluteFile UserInterfaceID="0" Name="/var/lock/subsys/firestarter" HashMD5="" />
          <RPM UserInterfaceID="1" Name="FireStarter" Version="0.9.3" />
        </Info>
      </Type>
      <Type Name="Antivirus_Linux" UserInterfaceID="Antivirus_Linux" Status="true" CICTypeID="Antivirus_Linux">
        <Info Name="AntiVir" UserInterfaceID="AntiVir" Status="true">
          <Process UserInterfaceID="0" Name="antivir" Owner="root" />
          <AbsoluteFile UserInterfaceID="1" Name="/usr/lib/AntiVir/avguard" HashMD5="ss" />
        </Info>
      </Type>
    </OperatingSystem>

    In this example, <AbsoluteFile>, <RPM> and <Process> are attribute type tags, and Name, Version, Owner and HashMD5 are attribute names. The HashMD5 value "ss" in the AntiVir entry is only a placeholder; a real MD5 checksum is 32 hexadecimal digits, so replace it with the checksum of the file as installed on the client.

    For more information about the attributes available for applications on each operating system, see Configuring Attributes for an Application.

    Client Security Levels

  6. You can configure different levels of client security. For a description of each level, see Client Security Levels.

    Configure the security levels by adding the following details to the config.xml file:

    <SecurityLevel Name="None" UserInterfaceID="None" DisplayMessage="Client Integrity failed" SecurityLevelID="None" CICReferenceCount="0" TrafficReferenceCount="1" />
    <SecurityLevel Name="Low" UserInterfaceID="Low" DisplayMessage="Your workstation is at Least Secure Level" SecurityLevelID="1" CICReferenceCount="3" TrafficReferenceCount="1">
      . . .
    </SecurityLevel>

    The value of the Name field must be None, Low, Moderate or High, and the SecurityLevelID value must be None, 1, 2 or 3 respectively. Do not pair a Name with a different SecurityLevelID.

    Adding Operating System details to the Security Level

  7. Under each security level, configure an operating system by adding a <CICOS> tag as follows:

    <SecurityLevel Name="Low" UserInterfaceID="Low" DisplayMessage="Your workstation is at Least Secure Level" SecurityLevelID="1" CICReferenceCount="3" TrafficReferenceCount="1">
      <CICOS UserInterfaceID="Linux" CICOSIDRef="Linux">
        . . .
      </CICOS>
      <CICOS UserInterfaceID="Windows" CICOSIDRef="Windows">
        . . .
      </CICOS>
      <CICOS UserInterfaceID="Macintosh" CICOSIDRef="Macintosh">
        . . .
      </CICOS>
    </SecurityLevel>

    This example shows the operating system configuration for the Low security level. Other levels are configured in the same way. Each CICOSIDRef must match the CICOSID of an <OperatingSystem> defined in step 2.

  8. Under each operating system, configure the required categories by adding <CICType> tags as follows:

    <SecurityLevel Name="Low" UserInterfaceID="Low" DisplayMessage="Your workstation is at Least Secure Level" SecurityLevelID="1" CICReferenceCount="3" TrafficReferenceCount="1">
      <CICOS UserInterfaceID="Linux" CICOSIDRef="Linux">
        <CICType UserInterfaceID="Firewall_Linux" CICTypeIDRef="Firewall_Linux" CICTypeStatus="true" />
        <CICType UserInterfaceID="Antivirus_Linux" CICTypeIDRef="Antivirus_Linux" CICTypeStatus="true" />
      </CICOS>
      <CICOS UserInterfaceID="Windows" CICOSIDRef="Windows">
        <CICType UserInterfaceID="Firewall_Windows" CICTypeIDRef="Firewall_Windows" CICTypeStatus="true" />
        <CICType UserInterfaceID="Antivirus_Windows" CICTypeIDRef="Antivirus_Windows" CICTypeStatus="true" />
      </CICOS>
      <CICOS UserInterfaceID="Macintosh" CICOSIDRef="Macintosh">
        <CICType UserInterfaceID="Antivirus_Mac" CICTypeIDRef="Antivirus_Mac" CICTypeStatus="true" />
      </CICOS>
    </SecurityLevel>

    Each CICTypeIDRef must match the CICTypeID of a <Type> defined in step 3. A client reaches a security level only when every <CICType> with CICTypeStatus="true" for its operating system is satisfied.

  9. Change to the CIC/CICtool/bin directory and run the CICtool binary against the configuration file:

    $ ./CICtool ../conf/config.xml

    This creates the .txt policy files (cic_linux.txt, cic_mac.txt and cic_windows.txt) in the CICtext folder.

  10. On Identity Server, create the following directories (the -p option also creates classUtils if it does not exist yet):

    For Linux: $ mkdir -p /opt/novell/nam/idp/webapps/nidp/classUtils/linux

    For Macintosh: $ mkdir -p /opt/novell/nam/idp/webapps/nidp/classUtils/mac

    For Windows: $ mkdir -p /opt/novell/nam/idp/webapps/nidp/classUtils/windows

  11. From the CICtext directory, copy cic_linux.txt, cic_mac.txt and cic_windows.txt to the respective directories created in step 10, for example with scp:

    For Linux: $ scp cic_linux.txt <user>@<idp-host>:/opt/novell/nam/idp/webapps/nidp/classUtils/linux

    For Macintosh: $ scp cic_mac.txt <user>@<idp-host>:/opt/novell/nam/idp/webapps/nidp/classUtils/mac

    For Windows: $ scp cic_windows.txt <user>@<idp-host>:/opt/novell/nam/idp/webapps/nidp/classUtils/windows

    Substitute <user>@<idp-host> with an account on Identity Server and its IP address or host name. scp prompts for the password (or uses your SSH key); if SSH on Identity Server does not listen on port 22, add -P <port> before the file name.

  12. From the CIC bin directory, copy LinCic, MacCic and wincic.exe to the respective directories created in step 10:

    For Linux: $ scp LinCic <user>@<idp-host>:/opt/novell/nam/idp/webapps/nidp/classUtils/linux

    For Macintosh: $ scp MacCic <user>@<idp-host>:/opt/novell/nam/idp/webapps/nidp/classUtils/mac

    For Windows: $ scp wincic.exe <user>@<idp-host>:/opt/novell/nam/idp/webapps/nidp/classUtils/windows

    Substitute <user>@<idp-host> as in step 11. These directories sit inside the nidp web application, and the /nidp/classUtils/... paths configured in step 15 refer to them.

  13. Click Identity Server > Edit > Local > Classes > New

  14. Specify a name for the class and select ClientIntegrityCheckClass in Java class. Click Next.

  15. Click New and specify the following property names and values:

    Name              Value
    windowsBinary     /nidp/classUtils/windows/wincic.exe
    windowsPolicy     /nidp/classUtils/windows/cic_windows.txt
    linuxBinary       /nidp/classUtils/linux/LinCic
    linuxPolicy       /nidp/classUtils/linux/cic_linux.txt
    maci386Binary     /nidp/classUtils/mac/MacCic
    maci386Policy     /nidp/classUtils/mac/cic_mac.txt

  16. Click OK > Finish.

  17. Create a method for this class, deselect the Identifies User check box, leave all other fields at their default settings, and click OK. For instructions, see Section 5.1.3, Configuring Authentication Methods.

  18. Go to the Contracts tab, select the CIC method from the Available Methods list, and click OK. For instructions, see Section 5.1.4, Configuring Authentication Contracts.

Client Security Levels

You can define the level of security a client machine must reach and decide which categories of software must be present for each level. The levels below correspond to the <SecurityLevel> entries in config.xml: Least Secure is Name="Low" (SecurityLevelID 1), Moderately Secure is Name="Moderate" (SecurityLevelID 2), Secure is Name="High" (SecurityLevelID 3), and None is Name="None".

You can configure the following security levels:

  • Least Secure: Specifies the minimum categories of software that must be present on a client machine for the client to be at the lowest security level. When a client is at this level, you can configure the traffic policies so that the client has access to a limited set of resources.

  • Moderately Secure: Specifies the categories of software that must be present on a client machine for the client to be at a moderately secure level. When a client is at this level, you can configure the traffic policies accordingly.

  • Secure: Specifies the categories of software that must be present on a client machine for the client to be secure. When a client is at this level, the traffic policies can be configured so that the client has access to all or most of the protected resources, depending on the role of the client.

  • None: If a client does not have any of the software (such as a firewall or antivirus) specified in the client integrity check policy, the security level of that client is None. When a client is at this level, the SSL VPN connection is established, but the client is given access to only a minimal set of resources.
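The following is an added example, not NetIQ's CICtool or any code from the product: it lints a config.xml against the rules stated in steps 2 to 8 (matching OS identifiers, enabled applications inside enabled categories, the Name/SecurityLevelID pairing, and CICOSIDRef/CICTypeIDRef values that resolve) and then simulates how the rules above combine (categories AND, applications OR, the highest satisfied level wins). The root element name <CICConfig>, the inventory dict layout, and the two rules marked as assumptions are mine; the config and client inventories are constructed samples.

```python
"""Added example (not NetIQ's CICtool): lint a CIC config.xml against the rules
in the procedure above, then simulate which security level a client reaches.
Root element <CICConfig>, the inventory dict layout and the two rules marked
'assumption' are mine; the config and inventories are constructed samples."""
import xml.etree.ElementTree as ET

CONFIG_XML = """<CICConfig>
 <OperatingSystem Name="Linux" UserInterfaceID="Linux" CICOSID="Linux">
  <Type Name="Firewall_Linux" UserInterfaceID="Firewall_Linux" Status="true" CICTypeID="Firewall_Linux">
   <Info Name="FireStarter" UserInterfaceID="FireStarter" Status="true">
    <AbsoluteFile UserInterfaceID="0" Name="/var/lock/subsys/firestarter" HashMD5=""/>
    <RPM UserInterfaceID="1" Name="FireStarter" Version="0.9.3"/>
   </Info>
  </Type>
  <Type Name="Antivirus_Linux" UserInterfaceID="Antivirus_Linux" Status="true" CICTypeID="Antivirus_Linux">
   <Info Name="AntiVir" UserInterfaceID="AntiVir" Status="true">
    <Process UserInterfaceID="0" Name="antivir" Owner="root"/>
   </Info>
  </Type>
 </OperatingSystem>
 <SecurityLevel Name="None" UserInterfaceID="None" DisplayMessage="Client Integrity failed" SecurityLevelID="None" CICReferenceCount="0" TrafficReferenceCount="1"/>
 <SecurityLevel Name="Low" UserInterfaceID="Low" DisplayMessage="Least Secure" SecurityLevelID="1" CICReferenceCount="3" TrafficReferenceCount="1">
  <CICOS UserInterfaceID="Linux" CICOSIDRef="Linux">
   <CICType UserInterfaceID="Firewall_Linux" CICTypeIDRef="Firewall_Linux" CICTypeStatus="true"/>
  </CICOS>
 </SecurityLevel>
 <SecurityLevel Name="High" UserInterfaceID="High" DisplayMessage="Secure" SecurityLevelID="3" CICReferenceCount="3" TrafficReferenceCount="1">
  <CICOS UserInterfaceID="Linux" CICOSIDRef="Linux">
   <CICType UserInterfaceID="Firewall_Linux" CICTypeIDRef="Firewall_Linux" CICTypeStatus="true"/>
   <CICType UserInterfaceID="Antivirus_Linux" CICTypeIDRef="Antivirus_Linux" CICTypeStatus="true"/>
  </CICOS>
 </SecurityLevel>
</CICConfig>"""

LEVEL_IDS = {"None": "None", "Low": "1", "Moderate": "2", "High": "3"}  # step 6 pairing
RANK = {"None": 0, "1": 1, "2": 2, "3": 3}

def lint(xml_text):
    """Return the list of rule violations in a config.xml (empty means consistent)."""
    root = ET.fromstring(xml_text)
    problems, os_ids, type_ids = [], set(), set()
    for os_ in root.iter("OperatingSystem"):
        osid = os_.get("CICOSID")
        os_ids.add(osid)
        if not (os_.get("Name") == os_.get("UserInterfaceID") == osid):  # step 2 NOTE
            problems.append(f"OperatingSystem {osid}: Name/UserInterfaceID/CICOSID differ")
        for t in os_.findall("Type"):
            type_ids.add(t.get("CICTypeID"))
            for info in t.findall("Info"):  # step 4 NOTE: enabled app needs enabled category
                if info.get("Status") == "true" and t.get("Status") != "true":
                    problems.append(f"Info {info.get('Name')} enabled in disabled Type {t.get('Name')}")
    for lvl in root.iter("SecurityLevel"):
        name, sid = lvl.get("Name"), lvl.get("SecurityLevelID")
        if LEVEL_IDS.get(name) != sid:
            problems.append(f"SecurityLevel {name}: SecurityLevelID must be {LEVEL_IDS.get(name)}, got {sid}")
        for cicos in lvl.findall("CICOS"):  # steps 7-8: every *Ref must resolve
            if cicos.get("CICOSIDRef") not in os_ids:
                problems.append(f"SecurityLevel {name}: unknown CICOSIDRef {cicos.get('CICOSIDRef')}")
            for ct in cicos.findall("CICType"):
                if ct.get("CICTypeIDRef") not in type_ids:
                    problems.append(f"SecurityLevel {name}: unknown CICTypeIDRef {ct.get('CICTypeIDRef')}")
    return problems

def attribute_present(attr, inv):
    """One attribute tag against a client inventory dict (constructed facts)."""
    name = attr.get("Name")
    if attr.tag == "RPM":
        return inv.get("rpms", {}).get(name) == attr.get("Version")
    if attr.tag == "Process":
        return inv.get("processes", {}).get(name) == attr.get("Owner")
    if attr.tag == "AbsoluteFile":
        md5 = inv.get("files", {}).get(name)  # None means the file is absent
        want = attr.get("HashMD5", "")
        return md5 is not None and (want == "" or md5 == want)  # assumption: "" = presence only
    return False  # an unknown attribute type never satisfies the check

def category_passes(type_el, inv):
    """Page rule: a category passes if ANY enabled application is present.
    Assumption: an application counts as present only if ALL its attributes match."""
    return any(len(info) > 0 and all(attribute_present(a, inv) for a in info)
               for info in type_el.findall("Info") if info.get("Status") == "true")

def client_level(xml_text, osid, inv):
    """Name of the highest SecurityLevel whose enabled categories ALL pass (assumption)."""
    root = ET.fromstring(xml_text)
    types = {t.get("CICTypeID"): t for os_ in root.iter("OperatingSystem")
             if os_.get("CICOSID") == osid for t in os_.findall("Type")}
    best_name, best_rank = "None", 0
    for lvl in root.iter("SecurityLevel"):
        cats = [ct.get("CICTypeIDRef") for cicos in lvl.findall("CICOS")
                if cicos.get("CICOSIDRef") == osid
                for ct in cicos.findall("CICType") if ct.get("CICTypeStatus") == "true"]
        rank = RANK[lvl.get("SecurityLevelID")]
        if cats and rank > best_rank and all(category_passes(types[c], inv) for c in cats):
            best_name, best_rank = lvl.get("Name"), rank
    return best_name

# Constructed client inventories: what the CIC binary would observe on the endpoint.
FIREWALL_ONLY = {"files": {"/var/lock/subsys/firestarter": "d41d8cd98f00b204e9800998ecf8427e"},
                 "rpms": {"FireStarter": "0.9.3"}, "processes": {}}
FULL = dict(FIREWALL_ONLY, processes={"antivir": "root"})
OLD_RPM = dict(FIREWALL_ONLY, rpms={"FireStarter": "0.9.2"})
```

Running lint(CONFIG_XML) on the sample returns an empty list; client_level(CONFIG_XML, "Linux", FIREWALL_ONLY) returns "Low" because the antivirus category required by High is not satisfied, FULL reaches "High", and OLD_RPM drops to "None" because the only firewall application fails on its RPM version and the firewall category is required by every level above None. Run lint over your real config.xml before step 9, since a dangling CICTypeIDRef or a mismatched SecurityLevelID is not something the CICtool output makes obvious.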

Configuring Attributes for an Application

Specify details for the attributes. The following list gives the attribute types available for applications on each operating system and the attribute names each type takes. Each attribute name is an XML attribute on the corresponding tag in config.xml (for example <RPM Name="..." Version="..." />).

Operating System: Linux

  RPM
    Name: Specify the name of the RPM that must be present on the client machine.
    Version: Specify the version of the RPM that must be present on the client machine.

  Process
    Name: Specify the name of the process that must be present on the client machine.
    Owner: Specify the owner of the process.

  Absolute File
    Name: Specify the name and absolute path of the file that must be present on the client machine.
    HashMD5: Specify the MD5 checksum of the file. To calculate the checksum of a file on your local system, click Select File and select the file; the MD5 checksum of the selected file is displayed. To calculate the checksum of a file on another system, connect to that system, calculate the MD5 value there (for example with md5sum on Linux), and copy the value into the HashMD5 field.

    NOTE: You can also copy the file from the remote system to the local system and then calculate the checksum with Select File. However, the copy might alter the file and therefore its MD5 value. If you use this method, verify that the file size and contents did not change during the copy.

    MD5 is not collision resistant, so treat HashMD5 as a check that a known build of the file is installed, not as protection against a deliberately substituted binary. The check also runs on the client, so its result is only as trustworthy as the endpoint reporting it.

Operating System: Macintosh

  Package
    Name: Specify the name of the software package that must be present on the client machine.
    Version: Specify the version of the software package.

  Process
    Name: Specify the name of the executable file that must be present on the client machine.
    Owner: Specify the owner of the process.

  Absolute File
    Name: Specify the name and absolute path of the file that must be present on the client machine.
    HashMD5: Specify the MD5 checksum of the file, calculated as described for Linux above. The same NOTE about copying the file before hashing applies.

Operating System: Windows

  Process
    Name: Specify the name of the executable file that must be present on the client machine.
    RegistryKeyName: Specify the registry key name. When you add this name, you must also specify ValueName.
    ValueName: Specify the name of the value under RegistryKeyName. The data found in this value must be the absolute path of the folder that contains the process executable.
    Version: Specify the version of the process executable that must be running on the client machine.

    NOTE: The Version attribute is the file version that Windows Explorer shows for the executable.

  RegistryKey
    Name: Specify the name and absolute path of the registry key that must be present on the client machine.
    Value Name: Specify the name of the registry key value.
    Value Data: Specify the data of the registry key value. The value can be of registry type REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_MULTI_SZ, or REG_SZ. For REG_DWORD and REG_DWORD_LITTLE_ENDIAN the data is hexadecimal or decimal. For REG_MULTI_SZ and REG_SZ the data is a string, which can be numeric or alphanumeric. For REG_BINARY the data is binary or hexadecimal.

    The Value Name and Value Data are separated by a comparison operator: =, >, <, <= or >=. You must always use = with a string value and with the registry type REG_BINARY. You can use any of the comparison operators with the other registry types.

    For example, if the registry key name is RegKey, the value name is RegValue, the comparison operator is =, and the value data is RegData, the client integrity check looks for the key RegKey with a value named RegValue whose data equals RegData on the client machine. If the key is present with the specified value, the client passes that attribute.

    NOTE: Registry key names are not case sensitive, and path separators can be written either as a single backslash (\) or as a double backslash (\\).

    For example, the registry key HKEY_Local_Machine\\Software\\Symantec can also be written as HKEY_Local_Machine\Software\Symantec.

  Absolute File
    Name: Specify the name and absolute path of the file that must be present on the client machine.
    Version: Specify the version of the file that must be present on the client machine.
    HashMD5: Specify the MD5 checksum of the file, calculated as described for Linux above. The same NOTE about copying the file before hashing applies.

  Service
    Name: Specify the display name of the service.
    Status: Specify the required status of the service on the client machine, either Running or Stopped.
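The RegistryKey comparison rule above (any operator for DWORD types, = only for strings and REG_BINARY, case-insensitive key names with single or double backslashes) as an added example in Python. This is not NetIQ code and does not read a live Windows registry: the snapshot dict is constructed, the expression syntax "ValueName<op>ValueData" is my rendering of the rule, and REG_MULTI_SZ is represented as a list of strings.

```python
"""Added example (not NetIQ code): the RegistryKey comparison rule from the table
above, in Python. The registry snapshot is a constructed dict, not a live read."""
import operator
import re

OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt, "<=": operator.le, ">=": operator.ge}
EQUALITY_ONLY = {"REG_SZ", "REG_MULTI_SZ", "REG_BINARY"}  # page: these types accept only '='
NUMERIC = {"REG_DWORD", "REG_DWORD_LITTLE_ENDIAN"}        # page: hex or decimal, any operator

def normalize_key(key):
    """Key names are case-insensitive and may use '\\' or '\\\\' as separator (page NOTE)."""
    return re.sub(r"\\+", r"\\", key).lower()

def parse_expr(expr):
    """Split 'ValueName<op>ValueData' into its three parts; two-character operators win."""
    m = re.fullmatch(r"\s*([^<>=]+?)\s*(<=|>=|=|<|>)\s*(.+?)\s*", expr)
    if not m:
        raise ValueError(f"no comparison operator in {expr!r}")
    return m.group(1), m.group(2), m.group(3)

def registry_check(snapshot, key, expr):
    """True if `snapshot` holds `key` with a value satisfying `expr`; a missing key or
    value fails. Snapshot layout (constructed): {normalized key: {value name: (type, data)}}."""
    name, op, want = parse_expr(expr)
    values = snapshot.get(normalize_key(key), {})
    if name not in values:
        return False
    reg_type, data = values[name]
    if reg_type in EQUALITY_ONLY:
        if op != "=":  # configuration error per the page's rule, not a failed check
            raise ValueError(f"{reg_type} values must be compared with '=' (got {op!r})")
        return want in data if isinstance(data, list) else data == want  # REG_MULTI_SZ is a list
    if reg_type in NUMERIC:
        return OPS[op](int(data), int(want, 0))  # int(x, 0) accepts 0x.. hex or plain decimal
    raise ValueError(f"unsupported registry type {reg_type}")

# Constructed snapshot, written with doubled backslashes exactly as the page's example.
SNAPSHOT = {normalize_key(r"HKEY_Local_Machine\\Software\\Symantec"): {
    "InstallDir": ("REG_SZ", r"C:\Program Files\Symantec"),
    "Features": ("REG_MULTI_SZ", ["Firewall", "Antivirus"]),
    "EngineVersion": ("REG_DWORD", 14),
}}
```

With this snapshot, registry_check(SNAPSHOT, r"HKEY_LOCAL_MACHINE\Software\Symantec", "EngineVersion>=0xd") is True even though the key was stored with different case and doubled backslashes, "EngineVersion>14" is False, a lookup under a key that does not exist is False, and "InstallDir>C" raises ValueError because a string value may only be compared with =.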