Secure Configuration Verification

Sets and Sub-sets

Each set has a certain purpose which was predefined for it. For example, one set can be used to define certain parameters, another could specify certain actions that should take place in a certain event etc. Sets are differentiated by their names and hierarchy in a recursive manner. Each set can have a sub-set, and each sub-set can have a sub-set of its own and so on. Subsets can also contain logical expressions. Sets and sub-sets with more than one sub-sets/conditions are delimited by left and right parentheses (), and start with the set/sub-set name. Differentiation between sub-sets/expressions with the same hierarchy is done using the colon :. .For example:

(SetName

    :SubSetName1 (

        :ExpressionName1_1 (5)

        :ExpressionName1_2 (false)

    )

    :SubSetName2 (

        :ExpressionName2_1 (true)

        :SubSetName2_1 (

            :ExpressionName2_1_1 (10)

        )

   )

)

In the example above the set named SetName has two subsets - SubSetName1 and SubSetName2:

• SubSetName1 has two conditions in it (ExpressionName1_1 and ExpressionName1_2).

• SubSetName2 has one condition (ExpressionName2_1) and one subset (SubSetName2_1) in it.

• SubSetName2_1 has one condition as well (ExpressionName2_1_1).

The "local.scv" Sets

The local.scv policy files contains one set called SCVObject.

This set must always be present and contains all the subsets which deal with the SCV checks and parameters.

SCVObject has these subsets:

• SCVNames - This section is the main SCV policy definition section, in which all of the SCV checks and actions are defined. This is the definition part of the SCV policy, and doesn't actually determine the SCV checks that will be performed. In this section sets of tests are defined. Later on, the administrator will choose from these sets those he wants to run on the user's desktop.

• SCVPolicy - This section specifies the names of the SCV checks that should actually be performed on the client's machine, from the SCV checks defined in SCVNames.

• SCVGlobalParams - This section contains some global SCV parameters.

The Difference between SCVNames and SCVPolicy

• The "SCVNames" section defines the different parameters for the checks.

• The "SCVPolicy" section states which checks are enforced.

To enforce a specific SCV check (such as Windows Security Monitor):

1. Configure the check's parameters in the "SCVNames" section.

2. Include the name of the check in the "SCVPolicy" section.

The expressions that you can use are set by the manufacturer. The names of the expressions are determined by the SCV check. The value of an expression is true or false, according to the result of an SCV check.

Logical Operators for RegMonitor Expressions

You can use these logical comparison operators when working with RegMonitor in the SCV policy. Other logical operations are not supported:

Expressions are evaluated by checking the value of the expression (which corresponds to an SCV check) and comparing it with the value defined for the expression (the value in the parentheses). For example, in the browser monitor SCV check provided with the client, you can specify the following expression:

This expression checks whether the version of the Internet Explorer browser installed on the client is 5.x. If the (major) version is 5, this expression is evaluated as true, otherwise it is evaluated as false. The name of the expression (e.g. "browser_major_version") is determined by the SCV application and is supplied by manufacturer.

If several expressions appear one after the other, they are logically ANDed, meaning that only if all expressions are evaluated as true, then the value of all of them taken together is true. Otherwise (if even one of the expressions is false), the value of all of them is false. For example:

These expressions are ANDed. If the version of Internet Explorer is 5 AND the minor version is 0 (i.e. version 5.0), then the result is true, otherwise it is false. If the version of Internet Explorer is, for example, 4.0, then the first expression is false and the second one is true, and the result of both of them is false.

Logical Sections

As mentioned earlier, subsequent expressions are automatically ANDed. However, sometimes it is necessary to perform a logical OR between expressions, instead of logical AND. This is done by using labels:

The begin_or (orX) label - this label starts a section containing several expressions. The end of this section is marked by the end (orX) label (X should be replaced with a number which differentiates between different sections OR sections). All of expressions inside this section are logically ORed, producing a single value for the section. For example:

This section checks whether the version of Internet Explorer is 5 OR 6 - if it is then the result is true, otherwise it is false.

The begin_and (andX) label - this label is similar to the begin_or (orX) label, but the expressions inside are evaluated and logically "AND"-ed. The end of this section is marked by the end (andX) or the end (orX) label. As mentioned earlier, simple subsequent expressions are automatically "AND"-ed. The reason that this label exists is to allow nested "AND"-ed sections inside "OR"-ed sections. For example, if an administrator considers old browsers as secure since they do not have a lot of potentially unsafe components, and new browsers as secure, since they contain all the latest security patches, the administrator can configure these SCV rules:

In the example above, the first AND section checks whether the version of IE >= 5.0, the second "AND" section checks whether the version of IE is <=3.0 and they are "OR"-ed. The entire example is evaluated as true only if the version of IE is larger than (or equal to) 5.0 "OR" lower than (or equal to) 3.0.

Example:

:browser_major_version (7)

This expression is a Check Point SCV check. It checks whether the version of the Internet Explorer browser installed on the client is 7.x. If the major version is 7, this expression is true.

Grouping Expressions

If several expressions appear one after the other, they are checked on AND logic. Only if all expressions are true, then the value of all of them together is true.

Example:

:browser_major_version (7)
                    :browser_minor_version (0)

If the version of Internet Explorer is 7 AND the minor version is 0 (version 7.0), the result is true. If the version is 6.0, the first expression is false and the second one is true: result is false.

Influential Expressions

Some expressions can influence the way in which others are evaluated.

Example:

:browser_major_version (10)
                        :browser_minor_version (0)
                    :browser_version_operand (">=")

The third expression influences the way that the first and second are evaluated:

• If the version of Internet Explorer is greater than or equal to (">=") 10, the result is true.

• If the version is 9, the result is false

• If the version is 11, the result is true.

Expressions and Labels with Special Meanings

There are several expressions and labels which have special meaning:

• begin_admin (admin) - this label starts a section defining several actions which are performed only if the client is considered as one that does not meet SCV by previous expressions in the subset (i.e. if previous expressions in the subset have returned a value of false). The end of this section is marked by the end (admin) label.

• send_log (type) - This expression is used as part of the begin_admin (admin) - end (admin) section, and determines whether to send a log to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. (and the client's diagnostic tool) specifying that the client does not meet SCV.

  The word type should be replaced by the type of log to send, such as log/alert. Alert means sending a log to the Security Management Server, while log means sending the log to the remote client's diagnostic tool.

• mismatchmessage ("Message") - This expression is used as part of the begin_admin (admin) - end (admin) section, and specifies that a popup message should be shown on the remote user's desktop, indicating the problem. The text in the inverted commas (Message) should be replaced by a meaningful text which should instruct the client about the possible sources of the problem and the action he should perform.

For example:

In this example, if the user's IE browser's version is lower than 5.0, an alert is sent to the Security Management Server machine and a popup message is shown to the user with indication of the problem.

1. From SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. Menu, click Global Properties.

2. From the navigation tree, click Remote Access > Secure Configuration Verification (SCV).

3. Configure the settings:

   • Apply Secure Configurations on Simplified Mode - Specifies if SCV is applied to all remote access rules in the simplified policy mode.

   • Upon Verification failure - Specifies the action that is performed when the client fails one or more SCV checks. The options are to Block the client's connection or to Accept it and send a log about the event.

   • Basic configuration verification on client's machine - Specifies whether the Remote Access Client performs SCV checks to determine if the policy is installed on all network interfaces cards on the client's desktop, and if only TCP/IP protocols are installed on these interfaces.

   • Configurations Violation Notification on client's machine - Specifies if a log record is saved on the Security Management Server machine indicating that a remote user is not verified by SCV (this is a general indication, without a specification of a certain SCV check the user's desktop had failed).

4. From the left navigation tree, below Access Control, click Access Control Policy. In the Access Control Policy, make sure that all connections where you configure SCV match a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. that is explicitly defined for Remote Access VPN An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway..

   Example Access Rules:

   No.	Source	Destination	VPN	Services & Applications	Action
   1 (Management Rule - Not relevant for this example)	_	_	_	_	_
   2	MP_Role	Host_10.10.0.10	Any	icmp-proto http	Accept
   3	MP_Role	Host_10.10.0.10	RemoteAccess	ssh	Accept

   For an HTTP connection from MP_Role to Host_10.10.0.10, SCV policy is not enforced. This is because the connection matches Rule 2. Rule 2 is for any VPN, and is not explicitly for Remote Access VPN.

   For an SSH connection from MP_Role to Host_10.10.0.10, SCV policy is enforced. This is because the connection matches Rule 3, which is explicitly for Remote Access VPN.

   For more information, see the R81.10 Security Management Administration Guide > chapter Creating an Access Control Policy.

5. Click OK and publish the changes.

Configure an SCV Policy in the text file $FWDIR/conf/local.scv on the Management Server. The local.scv file is a policy file, containing sets, subsets and expressions. In general, you can use the pre-defined checks (in the SCVNames section of the local.scv file) as templates and list the modified checks in the SCV Policy section, without writing new SCV subsets. You do not need to use expressions to create a basic SCV policy.

1. In the $FWDIR/conf/local.scv file, configure one or more of these SCV checks to create a basic SCV policy:

   "Groupmonitor"

   This checks that the logged on user belongs to the expected domain user groups.

   Parameter	Description
   "builtin\administrator" (false)	A name of a user group. The user must belong to this group for the machine configuration to be verified.

   "OsMonitor"

   For Windows 10 and Windows 11, osMonitor checks for version build numbers to do the checks. To support this functionality on Windows 10, you must have both these parameters:

   • os_build_number_10

   • os_build_operand_10

   If the parameter "enforce_screen_saver_minutes_to_activate" does not appear, the screen saver configuration is not checked.

   OSMonitor does not support begin_or or begin_and.

   Parameter	Description
   enforce_screen_saver_minutes_to_activate (3)	Time in minutes for the screen saver to activate. If the screen saver does not activate within this time, then the client is not considered verified. In addition, the screen saver must be password protected.
   screen_saver_mismatchmessage ("Your screen saver settings do not meet policy requirements")	Mismatch message for the screen saver check. The screen saver will not be checked if the property "enforce_screen_saver_minutes_to_activate" does not appear, or if the time is set to zero.
   service_pack_version_operand_8 (">=")	Operator for checking the operating system's service pack on Windows 8.
   major_os_version_number_81 (6)	Specifies the major version required for Windows 8.1 operating systems to be verified.
   minor_os_version_number_81 (3)	Specifies the minor version required for Windows 8.1 operating systems to be verified.
   os_version_operand_81 (“==”)	Operator for checking the operating system’s major and minor version on Windows 8.1.
   service_pack_major_version_number_81 (0)	Specifies the major service pack version required for Windows 8.1 operating systems to be verified.
   service_pack_minor_version_number_81 (0)	Specifies the minor service pack version required for Windows 8.1 operating systems to be verified.
   service_pack_version_operand_81 (“>=”)	Operator for checking the operating system’s service pack on Windows 8.1.
   major_os_version_number_10 (10)	Specifies the major version required for Windows 10 operating systems to be verified.
   minor_os_version_number_10 (0)	Specifies the minor version required for Windows 10 operating systems to be verified.
   os_version_operand_10 (“==”)	Operator for checking the operating system’s major and minor version on Windows 10.
   os_build_number_10 (0)	Specifies the version build number required for Windows 10 operating systems to be verified.
   os_build_operand_10 (“>=”)	Operator for checking the operating system’s version build number on Windows 10.
   major_os_version_number_11 (10)	Specifies the major version required for Windows 11 operating systems to be verified.
   minor_os_version_number_11 (0)	Specifies the minor version required for Windows 11 operating systems to be verified.
   os_version_operand_11 (“==”)	Operator for checking the operating system’s major and minor version on Windows 11.
   os_build_number_11 (0)	Specifies the version build number required for Windows 11 operating systems to be verified.
   os_build_operand_11 (“>=”)	Operator for checking the operating system’s version build number on Windows 11.
   os_version_mismatches ("Please upgrade your operating system")	Message to be displayed in case of a non-verified configuration for the operating system's version/service pack. The operating system's version and the service pack will not be checked if none of the parameters appear in the scv file.

   "ProcessMonitor"

   This check is for process activity. It supports AND and OR sections.

   It is based on the process name, with an additional hash check option for running processes.

   ProcessName.exe (true| false)

   ProcessName.exe (true;<SHA1 hash value>)

   For example: calc.exe (true;9018A7D6CDBE859A430E8794E73381F77C840BE0)

   If the value is true, the client is compliant if this process is running.

   If the value is false, the client is compliant if the process is not running.

   Note - Checking the SHA1 hash value can impact performance.

   "RegMonitor"

   These checks are for the system registry. RegMonitor supports AND and OR sections.

   Parameters

   PredefinedKeys (HIVE)

   Specify the registry hive from one of these choices:

   • HKEY_CURRENT_USER

   • HKEY_LOCAL_MACHINE

   • HKEY_USERS

   To configure a check for HKEY_CLASSES_ROOT, use HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes.

   Note - If the values of these parameters do not include the name of the registry hive, the HKEY_LOCAL_MACHINE hive is used by default. If you want to use another hive, you must explicitly use it in the value of the parameter.

   Parameter	Description
   value (registry_value_path)	The path of a registry DWORD will be checked. The value should be an operator followed by a number, e.g. "Software\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\PatternVer>=414"
   string (registry_string_path)	The path of a registry string will be checked. The string's value is compared to the given value, in the way that DWORDs are compared.
   keynexist (registry_key_path)	The path of a registry key to be checked for exclusion. For the machine to be verified, the key should not exist.
   keyexist (reistry_key_path)	The path of a registry key to be checked for inclusion. For the machine to be verified, the key must exist.

   Example: Script to check the version and service pack of Internet Explorer.

   Copy

   : (RegMonitor
                                           :type (plugin)
                                           :parameters (
                                           :begin_or (or1)
                                           :keynexist ("Software\Microsoft\Internet Explorer")
                                           :string ("Software\Microsoft\Internet Explorer\Version>=7")
                                           :begin_and (and1)
                                           :string ("Software\Microsoft\Internet Explorer\Version>=6.0")
                                           :string ("Software\Microsoft\Windows\CurrentVersion\Internet Settings\MinorVersion>=SP2")
                                           :string ("Software\Microsoft\Windows\CurrentVersion\Internet Settings\MinorVersion<=SP9")
                                           :end_and (and1)
                                           :begin_and (and2)
                                           :string ("Software\Microsoft\Internet Explorer\Version>=6.0")
                                           :string ("Software\Microsoft\Windows\CurrentVersion\Internet Settings\MinorVersion>=;SP2")
                                           :string ("Software\Microsoft\Windows\CurrentVersion\Internet Settings\MinorVersion<=;SP9")
                                           :end_and (and2)
                                           :end_or (or1)
                                           :begin_admin (admin)
                                           :send_log (alert)
                                           :mismatchmessage ("Your IE must be at least version 6.0 with SP2.")
                                           :end (admin)
                                           )
                                       )

2. In SmartConsole, install the policy.