zsszlama
Contributor

Secure Configuration Verification

Hello Guys,

One of our customers wants to have a demo of host compliance checks when they connect via RA VPN. They are using only hard clients, so I thought I would create a demo environment with Secure Configuration Verification (SCV). As I read, it's a legacy solution, but I'm not aware of a different solution, as they don't have Check Point Endpoint Security.

During my tests I ran into two issues. I hope you can help me with where I should search for a solution.

Issue1:

I cannot create an easy check where the SCV check says the client is compliant. I tried the following checks:

(SCVObject
	:SCVNames (
		: (BrowserMonitor
			:type (plugin)
			:parameters (
				:browser_major_version (5)
				:browser_minor_version (0)
				:browser_version_operand (">=")
				:browser_version_mismatchmassage ("Please upgrade your Internet browser.")
			)
		)
		: (OsMonitor
			:type (plugin)
			:parameters (
			:begin_or (or1)
			:begin_and (and1)
				os_build_number_10 (0)
				:os_build_operand_10 ("==")
			:end (and1)
			:begin_and (and2)
				:os_build_number_11 (0)
				:os_build_operand_11 ("==")
			:end (and2)
			:end (or1)
			:begin_admin (admin)
				:send_log (alert)
				:mismatchmessage ("update os")
			:end (admin)
			)
		)
		: (ProcessMonitor
			:type (plugin)
			:parameters (
				:explorer.exe (true)
				:begin_admin (admin)
					:send_log (alert)
					:mismatchmessage ("explorer.exe is not running")
				:end (admin)
			)
		)
		: (AntiVirusMonitor
			:type (plugin)
			:parameters (
				:type ("Windows Defender")
				:begin_admin (admin)
					:send_log (alert)
					:mismatchmessage ("Please update your AntiVirus (use the LiveUpdate option).")
				:end (admin)
			)
		)
	)
	:SCVPolicy (
		:(I tried all abow individually)
	)
	:SCVGlobalParams (
		:enable_status_notifications (true)
		:status_notifications_timeout (10)
		:disconnect_when_not_verified (false)
		:block_connections_on_unverified (false)
		:scv_policy_timeout_hours (168)
		:enforce_ip_forwarding (false)
		:not_verified_script ("")
		:not_verified_script_run_show (false)
		:not_verified_script_run_admin (false)
		:not_verified_script_run_always (false)
		:allow_non_scv_clients (false)
		:skip_firewall_enforcement_check (false)
	)
)


Issue2:

I rolled back the changes by copying back the original $FWDIR/conf/local.scv file. At this point the policy change worked. When I made a change by modifying $FWDIR/conf/local.scv, the policy install failed with the following:

Policy: ##Standard
Status: Failed
- Failed to merge SCV policies. Local SCV file may be corrupt
- Desktop policies will not be installed on Policy Servers
- Failed to merge SCV policies. Local SCV file may be corrupt
- Desktop policies will not be installed on Policy Servers

I restored $FWDIR/conf/local.scv again and the policy install worked, and after another config modification the install failed again.

Can you guys give me a helping hand with these issues?

Please let me know if you need more details.

Thanks in advance!

Zsolt

7 Replies
the_rock
Legend

I remember back in the day working with TAC T3 and an escalation guy afterwards to try to get this to work for a customer, and sadly we could never get it to function the way they wanted. Let me see if I can "dig" out some notes about it.

Andy

0 Kudos
zsszlama
Contributor

That would be great!

0 Kudos
the_rock
Legend

I can't seem to find much on it, sorry mate 😞

0 Kudos
PhoneBoy
Admin

Considering we just released SCV support for macOS in E88.50, I'd say SCV is not exactly a "legacy" solution.
However, the Endpoint Security variant is a lot easier to configure.

In the above, you have this section:

	:SCVPolicy (
		:(I tried all abow individually)
	)


Pretty sure this is not valid or actually what you have here.
If you need to mask sensitive data, fine, but we need to see something approximating what you have here.
If it's what you've shown, yes, this message is expected.

Not exactly sure how to debug SCV.
From what I've been able to work out from here: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_PerformanceTuning_AdminGuide/Topic... 
For the debug flags (Step 8), I believe you'll need fw ctl debug -m fw + scv
Otherwise, I suggest contacting TAC.

0 Kudos
the_rock
Legend

@zsszlama I totally see what @PhoneBoy is saying. I just checked a clean local.scv file on both R81.20 and R82 gateways and such a line is not there, so I am pretty sure you forgot it inadvertently.

Andy


)
:SCVPolicy (
)
:SCVGlobalParams (
:enable_status_notifications (false)
:status_notifications_timeout (10)
:disconnect_when_not_verified (false)
:block_connections_on_unverified (false)
:scv_policy_timeout_hours (168)
:enforce_ip_forwarding (false)
:not_verified_script ("")
:not_verified_script_run_show (false)
:not_verified_script_run_admin (false)
:not_verified_script_run_always (false)
:allow_non_scv_clients (false)
:skip_firewall_enforcement_check (false)
)
)

0 Kudos
zsszlama
Contributor

Hello Guys,

Sorry for the delayed response!

About this line:

:SCVPolicy (
		:(I tried all abow individually)
	)

I know it's a syntax error. Maybe a language barrier on my side. 🙂 I just wanted to indicate that I didn't call all the security checks; instead, I tried the calls individually.

But in the meantime I've found a true syntax error. In the :SCVPolicy section, when I call a security check, I have to define the security check after 3 TABs, and a space is needed between the colon and the opening parenthesis, like this:

	:SCVPolicy (
                : (ProcessMonitor)
	)

So at least I know it's case-sensitive, and in addition it solved my policy installation (Issue2) failure. Maybe the security check functions work with the same behavior.

I'm testing it further in my lab and keep you updated.
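The config in the opening post and the syntax finding just above both come down to the shape of local.scv, which the gateway reports only as "Failed to merge SCV policies. Local SCV file may be corrupt" with no line number. Below is an added example, not Check Point code and not from either poster: a small Python linter whose grammar for the ":key (value)" format is an assumption inferred from the file shown in the thread. It tokenizes the file, checks that every parameter line begins with a colon (the os_build_number_10 line in the OsMonitor block of the opening post does not), that :SCVPolicy entries have the ": (CheckName)" shape and reference a check defined under :SCVNames, and that begin_*/:end labels pair up. It deliberately ignores whitespace, so it does not test the space-after-colon behaviour described above, and the sample file inside it is constructed for the example.

```python
"""Lint a Check Point local.scv file before policy install. Added example, not Check Point code:
the ':key (value)' grammar is inferred from the file in the post, ignores whitespace, and does not
model the gateway's real parser."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[():]|[^\s():"]+')  # quoted string | ( ) : | bare atom

class Parser:
    """group := '(' [atom] { ':' [key] group } ')'; each group becomes a dict."""
    def __init__(self, text):
        self.toks = [(m.group(0), n) for n, line in enumerate(text.splitlines(), 1)
                     for m in TOKEN_RE.finditer(line)]
        self.pos, self.last_line = 0, (self.toks[-1][1] if self.toks else 0)
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, self.last_line)
    def take(self, expect=None):
        tok, line = self.peek()
        if tok is None or (expect and tok != expect):
            raise ValueError(f"line {line}: expected {expect or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok, line
    def group(self):
        _, line = self.take("(")
        node = {"name": None, "entries": [], "line": line}
        if self.peek()[0] not in (":", ")", "(", None):  # leading atom: object name or a value
            node["name"] = self.take()[0]
        while self.peek()[0] != ")":
            if self.peek()[0] != ":":  # a parameter line that lost its ':', or free text
                raise ValueError(f"line {self.peek()[1]}: expected ':' or ')', got {self.peek()[0]!r}")
            self.take(":")
            key = self.take()[0] if self.peek()[0] not in ("(", None) else None  # ': (X)' has no key
            node["entries"].append((key, self.group()))
        self.take(")")
        return node

def sub(node, key):
    return [g for k, g in node["entries"] if k == key]  # child groups stored under key

def check_begin_end(params):
    """begin_or/begin_and/begin_admin (label) must be closed by :end (label) in LIFO order."""
    problems, stack = [], []
    for key, g in params["entries"]:
        if key in ("begin_or", "begin_and", "begin_admin"):
            stack.append(g["name"])
        elif key == "end" and (not stack or stack.pop() != g["name"]):
            problems.append(f"line {g['line']}: :end ({g['name']}) does not close the innermost open begin_* block")
    return problems + [f"begin block {label!r} is never closed with :end ({label})" for label in stack]

def lint(text):
    """Return a list of problems; [] means the file parsed and cross-checked cleanly."""
    try:
        root = Parser(text).group()
    except ValueError as e:
        return [str(e)]
    names, policy = sub(root, "SCVNames"), sub(root, "SCVPolicy")
    if len(names) != 1 or len(policy) != 1:
        return ["expected exactly one :SCVNames and one :SCVPolicy section"]
    problems, defined = [], set()
    for key, check in names[0]["entries"]:
        if key is not None or check["name"] is None:
            problems.append(f"line {check['line']}: SCVNames entries must look like ': (CheckName ...)'")
            continue
        defined.add(check["name"])
        for params in sub(check, "parameters"):
            problems += check_begin_end(params)
    for key, ref in policy[0]["entries"]:  # every check SCVPolicy enables must exist under SCVNames
        if key is not None or ref["name"] is None or ref["entries"]:
            problems.append(f"line {ref['line']}: SCVPolicy entries must look like ': (CheckName)'")
        elif ref["name"] not in defined:
            problems.append(f"line {ref['line']}: SCVPolicy enables {ref['name']!r}, which is not defined "
                            "under SCVNames (lookup is case-sensitive)")
    return problems

# Constructed sample (not the poster's full file) with the two mistakes seen in the thread:
# a parameter line without its leading ':' (line 7) and free text in :SCVPolicy (line 14).
BROKEN_SCV = """(SCVObject
    :SCVNames (
        : (OsMonitor
            :type (plugin)
            :parameters (
            :begin_and (and1)
                os_build_number_10 (0)
                :os_build_operand_10 ("==")
            :end (and1)
            )
        )
    )
    :SCVPolicy (
        :(I tried all abow individually)
    )
)"""
# The same file with both mistakes fixed; lint() returns [] for it.
GOOD_SCV = BROKEN_SCV.replace(" os_build_number_10", " :os_build_number_10").replace(
    ":(I tried all abow individually)", ": (OsMonitor)")
```

Run lint(open("/path/to/local.scv").read()) on a copy of the file taken from the management server before installing policy; each message carries the line number that the policy install error does not. Because whitespace is not tokenized, ":(ProcessMonitor)" and ": (ProcessMonitor)" parse identically here, so this script neither confirms nor rules out the space-after-colon rule; it only catches structural mistakes.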

the_rock
Legend

Keep us posted, sounds good.

Andy

0 Kudos
