
Device Health Policy

Introduction

Device Health Policy is a security feature that ensures that devices connecting to a network or system meet defined security standards before they are granted access. PureAUTH also has a feature that allows only authorized devices to access the applications a user has access to. These two features can be used together to provide an even higher level of security for a system or network.


By implementing a Device Health Policy as part of Zero Trust Access Controls (ZTAC), only devices that meet the security standards defined in the policy are allowed through. Devices that do not meet the policy requirements can either be denied access or placed in a quarantine network where they can be remediated before being granted access.

Set up Device Health Policy in PureAUTH

To set up a Device Health Policy in PureAUTH, follow these steps:

  • Log in to PureAUTH.
  • In the navigation pane, go to Zero Trust Controls > Device Health Policy.

To grant access to devices and applications, security standards that devices must meet need to be defined. These standards may include requirements such as an up-to-date operating system, installed software updates, the latest antivirus updates, and domain membership. Organizations are free to define any checks they consider necessary to ensure that a corporate device meets the required security standards before access is granted.

Here’s an example of security checks that may be defined to grant access:

  • Verify that the Sophos Intercept X antivirus is installed and has the latest updates.
  • Verify that the device’s Windows security updates are current, with the most recent security update installed within the last 90 days.
  • Verify that the device is joined to the domain.

Configure Device Health Policy: configuration in JSON

For Windows:

{
    "controls": [
        {
            "name": "AntiVirus",
            "directive": "run_prog",
            "program_name": "wmic",
            "file_to_read": "",
            "command": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get * /value",
            "score": 1,
            "regex_control": [
                {
                    "regex": "(displayName=Sophos Intercept X)",
                    "regex_group": 0,
                    "type": "match",
                    "expected_output": "displayName=Sophos Intercept X"
                },
                {
                    "regex": "(displayName=Sophos Intercept X)(\\n.*\\n.*\\n.*\\n)(productState=)([0-9]*)",
                    "regex_group": 4,
                    "type": "match",
                    "expected_output": "266240"
                }
            ]
        },
        {
            "name": "Security_update",
            "directive": "run_prog",
            "program_name": "wmic",
            "file_to_read": "",
            "command": "wmic qfe where \"Description = 'Security Update'\" get InstalledOn",
            "score": 1,
            "regex_control": [
                {
                    "regex": "\\d{1,2}[-\\/]\\d{1,2}[-\\/]\\d{2,4}(?![\\s\\S]*?\\d{1,2}[-\\/]\\d{1,2}[-\\/]\\d{2,4})",
                    "regex_group": 0,
                    "type": "date",
                    "expected_output": "90"
                }
            ]
        },
        {
            "name": "Domain Check",
            "directive": "run_prog",
            "program_name": "wmic",
            "file_to_read": "",
            "command": "wmic computersystem get domain",
            "score": 1,
            "regex_control": [
                {
                    "regex": "yourdomain\\.com",
                    "regex_group": 0,
                    "type": "match",
                    "expected_output": "yourdomain.com"
                }
            ]
        }
    ],
    "minscore_high": 3,
    "minscore_med": 2
}

To check for Windows Defender instead of Sophos Intercept X, the AntiVirus control (same AntiVirusProduct command) can use the following regex_control entries:

"regex_control": [
    {
        "regex": "(\\n)*(displayName=)([A-Za-z]* [A-Za-z]*)",
        "regex_group": 3,
        "type": "match",
        "expected_output": "Windows Defender"
    },
    {
        "regex": "(\\n)*(productState=)([0-9]*)",
        "regex_group": 3,
        "type": "binary",
        "expected_output": "4096"
    }
]

For Linux:

{
    "controls": [
        {
            "name": "kernel",
            "directive": "read_file",
            "program_name": "cat",
            "file_to_read": "/proc/version",
            "command": "cat /proc/version",
            "score": 1,
            "regex_control": [
                {
                    "regex": "[\\d\\.]+",
                    "regex_group": 0,
                    "type": "version",
                    "expected_output": "5.4.1"
                }
            ]
        },
        {
            "name": "OS",
            "directive": "read_file",
            "program_name": "cat",
            "file_to_read": "/etc/issue",
            "command": "cat /etc/issue",
            "score": 2,
            "regex_control": [
                {
                    "regex": "[\\d\\.]+",
                    "regex_group": 0,
                    "type": "version",
                    "expected_output": "20.04.4"
                }
            ]
        },
        {
            "name": "LockScreen",
            "directive": "run_prog",
            "program_name": "gsettings",
            "file_to_read": "",
            "command": "gsettings get org.gnome.desktop.screensaver lock-enabled",
            "score": 4,
            "regex_control": [
                {
                    "regex": ".*",
                    "regex_group": 0,
                    "type": "match",
                    "expected_output": "true"
                }
            ]
        },
        {
            "name": "AutoUpdates",
            "directive": "read_file",
            "program_name": "cat",
            "file_to_read": "/etc/apt/apt.conf.d/20auto-upgrades",
            "command": "cat /etc/apt/apt.conf.d/20auto-upgrades",
            "score": 8,
            "regex_control": [
                {
                    "regex": "(Unattended-Upgrade \")([01])",
                    "regex_group": 2,
                    "type": "match",
                    "expected_output": "1"
                }
            ]
        },
        {
            "name": "Remote_Desktop",
            "directive": "run_prog",
            "program_name": "netstat",
            "file_to_read": "",
            "command": "netstat -tupna",
            "score": 5,
            "regex_control": [
                {
                    "regex": ":7070 .*ESTABLISHED",
                    "regex_group": 0,
                    "type": "match",
                    "expected_output": ""
                },
                {
                    "regex": ":434 .*ESTABLISHED",
                    "regex_group": 0,
                    "type": "match",
                    "expected_output": ""
                },
                {
                    "regex": ":6568 .*ESTABLISHED",
                    "regex_group": 0,
                    "type": "match",
                    "expected_output": ""
                },
                {
                    "regex": ":5938 .*ESTABLISHED",
                    "regex_group": 0,
                    "type": "match",
                    "expected_output": ""
                },
                {
                    "regex": ":3389 .*ESTABLISHED",
                    "regex_group": 0,
                    "type": "match",
                    "expected_output": ""
                },
                {
                    "regex": ":5900 .*ESTABLISHED",
                    "regex_group": 0,
                    "type": "match",
                    "expected_output": ""
                },
                {
                    "regex": ":22 .*ESTABLISHED",
                    "regex_group": 0,
                    "type": "match",
                    "expected_output": ""
                }
            ]
        }
    ],
    "minscore_high": 20,
    "minscore_med": 8
}

For macOS:

{
    "controls": [
        {
            "command": "sw_vers",
            "directive": "run_prog",
            "file_to_read": "",
            "name": "MacOS Version",
            "program_name": "sw_vers",
            "regex_control": [
                {
                    "expected_output": "13.2",
                    "regex": "(ProductVersion:)\\s+([0-9]+\\.[0-9]+)",
                    "regex_group": 2,
                    "type": "version"
                }
            ],
            "score": 5
        },
        {
            "command": "defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist",
            "directive": "run_prog",
            "file_to_read": "/Library/Preferences/com.apple.SoftwareUpdate.plist",
            "name": "Auto Update",
            "program_name": "defaults",
            "regex_control": [
                {
                    "expected_output": "1",
                    "regex": "(AutomaticCheckEnabled = )([0-9])",
                    "regex_group": 2,
                    "type": "match"
                },
                {
                    "expected_output": "1",
                    "regex": "(AutomaticDownload = )([0-9])",
                    "regex_group": 2,
                    "type": "match"
                },
                {
                    "expected_output": "1",
                    "regex": "(AutomaticallyInstallMacOSUpdates = )([0-9])",
                    "regex_group": 2,
                    "type": "match"
                }
            ],
            "score": 5
        },
        {
            "command": "netstat -anp tcp",
            "directive": "run_prog",
            "file_to_read": "",
            "name": "Remote_Desktop",
            "program_name": "netstat",
            "regex_control": [
                {
                    "expected_output": "",
                    "regex": "(\\.7070 .*ESTABLISHED)",
                    "regex_group": 0,
                    "type": "match"
                },
                {
                    "expected_output": "",
                    "regex": "(\\.434 .*ESTABLISHED)",
                    "regex_group": 1,
                    "type": "match"
                },
                {
                    "expected_output": "",
                    "regex": "(\\.6568 .*ESTABLISHED)",
                    "regex_group": 1,
                    "type": "match"
                },
                {
                    "expected_output": "",
                    "regex": "(\\.5938 .*ESTABLISHED)",
                    "regex_group": 1,
                    "type": "match"
                },
                {
                    "expected_output": "",
                    "regex": "(\\.3389 .*ESTABLISHED)",
                    "regex_group": 1,
                    "type": "match"
                },
                {
                    "expected_output": "",
                    "regex": "(\\.5900 .*ESTABLISHED)",
                    "regex_group": 1,
                    "type": "match"
                },
                {
                    "expected_output": "",
                    "regex": "(\\.22 .*ESTABLISHED)",
                    "regex_group": 1,
                    "type": "match"
                }
            ],
            "score": 5
        }
    ],
    "minscore_high": 15,
    "minscore_med": 4
}
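The page does not document how the agent scores a policy, so the script below is an added illustration (not PureAUTH's own code) of how a policy in this JSON format can be evaluated offline: each regex_control entry is applied to the captured command output, a control scores only if all its entries pass, and the total is mapped to the minscore_high / minscore_med tiers. The policy and outputs are constructed from the page's Linux and Windows examples; the semantics of the "match", "version" and "date" types and the wmic m/d/Y date format are assumptions noted in the comments.

```python
import re
from datetime import datetime, timedelta

# Constructed policy in the page's format: controls trimmed from the page's Linux and
# Windows examples so that the "match", "version" and "date" control types all appear.
POLICY = {
    "controls": [
        {"name": "OS", "score": 2, "regex_control": [{"regex": r"[\d\.]+",
            "regex_group": 0, "type": "version", "expected_output": "20.04.4"}]},
        {"name": "AutoUpdates", "score": 8, "regex_control": [{"regex": r'(Unattended-Upgrade ")([01])',
            "regex_group": 2, "type": "match", "expected_output": "1"}]},
        {"name": "Remote_Desktop", "score": 5, "regex_control": [{"regex": r":3389 .*ESTABLISHED",
            "regex_group": 0, "type": "match", "expected_output": ""}]},
        {"name": "Security_update", "score": 1, "regex_control": [{"regex":
            r"\d{1,2}[-\/]\d{1,2}[-\/]\d{2,4}(?![\s\S]*?\d{1,2}[-\/]\d{1,2}[-\/]\d{2,4})",
            "regex_group": 0, "type": "date", "expected_output": "90"}]},
    ],
    "minscore_high": 16, "minscore_med": 8,
}
# Constructed output of each control's command/file, as the agent would capture it.
OUTPUTS = {
    "OS": "Ubuntu 20.04.5 LTS \\n \\l\n",
    "AutoUpdates": 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n',
    "Remote_Desktop": "tcp  0  0 0.0.0.0:3389  0.0.0.0:*  LISTEN  812/xrdp\n",
    "Security_update": "InstalledOn\n3/14/2023\n4/11/2023\n",
}
TODAY = datetime(2023, 6, 1)  # constructed evaluation date for the "date" check

def entry_passes(rc, output, today):
    """Evaluate one regex_control entry (semantics assumed from the page's examples)."""
    m = re.search(rc["regex"], output)
    got, expected = (m.group(rc["regex_group"]) if m else ""), rc["expected_output"]
    if rc["type"] == "match":      # empty expected_output means the pattern must be absent
        return got == expected
    if not m:                      # version/date need a captured value
        return False
    if rc["type"] == "version":    # installed version must be >= the expected one
        return [int(p) for p in got.split(".")] >= [int(p) for p in expected.split(".")]
    if rc["type"] == "date":       # last matched date (wmic m/d/Y) within expected_output days
        return today - datetime.strptime(got, "%m/%d/%Y") <= timedelta(days=int(expected))
    return False                   # "binary" is not modelled here

def evaluate(policy, outputs, today):
    """Sum scores of controls whose entries all pass, then map the total to the tiers."""
    score = sum(c["score"] for c in policy["controls"]
                if all(entry_passes(rc, outputs.get(c["name"], ""), today) for rc in c["regex_control"]))
    tier = "high" if score >= policy["minscore_high"] else "med" if score >= policy["minscore_med"] else "low"
    return score, tier

if __name__ == "__main__":
    print(evaluate(POLICY, OUTPUTS, TODAY))  # (8, 'med'): unattended upgrades are off
```

With the sample outputs the device lands in the medium tier because Unattended-Upgrade is "0"; the same script shows why the Remote_Desktop entries use an empty expected_output (an ESTABLISHED session on the port fails the control).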

Further Assistance

For further information or assistance, please contact the PureID support team at support@pureid.io.
