LUA Scripting in Cisco iOS

I recently was handed a project to set up LUA scripting in Cisco iOS to allow for more granular and precise Hostscan checks from a Cisco ASA with the AnyConnect client. I had a hard time finding good documentation for this so here is what I learned. The following is what I created to allow Hostscan to check for the following:
1. selected anti-malware is installed and host has a matching registry key
2. or the endpoint has another selected AM installed
3. or if the endpoint has AM installed and a required file

assert(function()
    -- Default to blocking; returning true means this DAP record matches.
    local block_connection = true
    -- check for antimalware install and registry key
    if (EVAL(endpoint.am["<antimalware ID#>"].exists, "EQ", "true", "string") and
        EVAL(endpoint.registry["<HostScanID>"].value, "EQ", "<registry value>", "string"))
       -- or check if the other approved AM is installed
       or EVAL(endpoint.am["<antimalware ID#>"].exists, "EQ", "true", "string")
       -- or check if AM solution is installed and a required file exists
       or (EVAL(endpoint.file["<HostScanID>"].exists, "EQ", "true", "string") and
           EVAL(endpoint.process["<HostScanID>"].exists, "EQ", "true", "string"))
    then
        block_connection = false
    else
        block_connection = true
    end
    return block_connection
end)()

The contents of the EVAL() statements were found by creating a test Dynamic Access Policy and attempting to connect to the VPN, then dumping the log and reviewing the applied DAPs, looking for endpoint.am["<antimalware ID#>"]. The file and registry EVAL() statement names were set on the ASA under:
Remote Access VPN -> Secure Desktop Manager -> Host Scan
by creating registry and file checks as required.

The biggest struggle for me was finding a valid LUA example, so I hope the above is helpful. You can adjust it by changing the values in the <>'s and adding or removing OR / AND statements as required.
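
When you add or remove OR / AND clauses, it helps to confirm the grouping still blocks and allows what you intend before loading it on the ASA. The following is an added example, not part of the original script or Cisco's code: a stand-alone Lua harness that runs the same three-way condition against constructed endpoint data. The EVAL() stub, the endpoint tables and the IDs (AM_A, AM_B, REG_1, FILE_1, PROC_1) are assumptions made for offline testing.

```lua
-- Offline stand-in for the ASA's EVAL(); an assumption, not Cisco's implementation.
local function EVAL(attr, op, value, kind)
    -- Only the "EQ"/"string" form used on this page is modelled.
    assert(op == "EQ" and kind == "string", "only EQ/string is modelled")
    return attr ~= nil and tostring(attr) == value
end

-- Harness convenience (assumption): unknown IDs yield an empty table, not nil.
local function collection(entries)
    return setmetatable(entries or {}, { __index = function() return {} end })
end

local function make_endpoint(t)
    return { am = collection(t.am), registry = collection(t.registry),
             file = collection(t.file), process = collection(t.process) }
end

-- Same decision as the DAP script, with placeholder IDs and endpoint passed in.
local function block_connection(endpoint)
    if (EVAL(endpoint.am["AM_A"].exists, "EQ", "true", "string") and
        EVAL(endpoint.registry["REG_1"].value, "EQ", "expected", "string"))
       or EVAL(endpoint.am["AM_B"].exists, "EQ", "true", "string")
       or (EVAL(endpoint.file["FILE_1"].exists, "EQ", "true", "string") and
           EVAL(endpoint.process["PROC_1"].exists, "EQ", "true", "string"))
    then
        return false
    end
    return true
end

-- Constructed test cases: { description, endpoint data, expected block result }
local yes = { exists = "true" }
local cases = {
    { "AM A + registry match", { am = { AM_A = yes }, registry = { REG_1 = { value = "expected" } } }, false },
    { "AM A, wrong registry",  { am = { AM_A = yes }, registry = { REG_1 = { value = "other" } } }, true },
    { "AM B only",             { am = { AM_B = yes } }, false },
    { "file + process",        { file = { FILE_1 = yes }, process = { PROC_1 = yes } }, false },
    { "file without process",  { file = { FILE_1 = yes } }, true },
    { "nothing installed",     {}, true },
}
for _, c in ipairs(cases) do
    local got = block_connection(make_endpoint(c[2]))
    assert(got == c[3], "unexpected result for: " .. c[1])
    print(string.format("%-24s block=%s", c[1], tostring(got)))
end
```

Run it with a local Lua interpreter; an assertion failure names the case whose grouping no longer behaves as expected.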