Forum Discussion
F5Team
Cirrus
CirrusAPM windows KB posture checks
I would like to understand how the APM (posture check) windows KB checks works exactly. Based on the sample condition below, will the F5 compares all of the KB's or any one or few of them to pass th...
Lucas_Thompson
Employee
EmployeeThe KB endpoint checks are performed on the client machine by using a Windows API to obtain the OS patch info, transformed into a list, signed, transmitted to APM, then verified with whatever expression you have set up. So all BIG-IP does here is obtain a simple text string.
In your example you have:
expr { [mcget {session.windows_info_os.last.updates}] contains "123456" || [mcget {session.windows_info_os.last.updates}] contains "7891011" || [mcget {session.windows_info_os.last.updates}] contains "3247922"
Leaving aside the missing end square and curly-braces, this is essentially 3 IF statements joined by an OR (||) operator, so there is no precedence here, it's just "X contains A or X contains B or X contains C" If X has A, B, or C it'll match.
It may be that X (session.windows_info_os.last.updates) wasn't being transmitted to BIG-IP correctly. In that case, you'll have to check the session variable viewer or logs to obtain the raw value of that session variable.
There are also some rare cases where strings become malformatted due to the our TCL script interpreter, but this usually happens with non-ASCII characters.
F5TeamHi Lucas,
Thanks for the update.
Could you help confirm more details on the Windows API and how does it fetch the OS patch info and transmit to APM.
would the API use commands similar to "wmic qfe list full / brief" or any other specific commands
- Lucas_Thompson
After a more thorough review, it appears that this particular function is part of the OPSWAT / OESIS functionality that we include in the client. We use the "GetInstalledPatches" method documented here:
https://software.opswat.com/OESIS_V4/html/c_method.html
Sorry for the confusion.