Mobile Access Clients
SCV SDK
E75.20 and higher
Technical Reference Guide
15 September 2011
© 2011 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=12629
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date Description
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients SCV SDK
E75.20 and higher Technical Reference Guide).
Remote Access Clients calls each SCV check, and each check returns a boolean result: compliant or
non-compliant. There are multiple SCV checks installed on a computer running Remote Access Clients. A
single SCV check can test many settings. For example, an Anti-Virus SCV check can test whether the
anti-virus software is running, has boot sector protection on, and has the latest signature files.
The SCV check can open a pop-up message to the user and send a log to the Remote Access Clients log
file.
The client does a checksum check on each of the SCV DLLs. If the file has been tampered with, the client is
not compliant.
Programming Model
This is a detailed description of the usage and integration of SCV checks by Remote Access Clients.
Note - For a third party SCV check, the DLL must keep a static data structure if it is
necessary to maintain data during its operation.
Required Files
General APIs
This section describes the functions provided by the OPSEC SCV API.
Required Files
Header files required for the SCV OPSEC API
File name          Description
Scv_Api.h          Contains the functions used to communicate with the user and Remote Access Clients
Scv_callback.h     Contains the functions that must be implemented by the third party
Scv_Internals.h    Contains the internal file that must be included in the user implementation
You must statically link these libraries into the SCV DLL so that it exchanges information correctly with
Remote Access Clients.
Libraries required for the SCV OPSEC API
Library name       Description
PiLib.lib          Includes the interface that binds 3rd party code to SCV
Register.lib       Includes an auto registration mechanism of the SCV DLL into the registry of Remote Access Clients
General APIs
The general APIs can be used as needed in the SCV DLL.
In this section:
UserMessageBox
LogScv
UserAllocateString
ImpersonateUser
RevertSelf
IsUserLoggedOn
NotifySCVStatus
UserMessageBox
UserMessageBox creates Remote Access Clients message pop-ups for the user.
Prototype
SCV_STATUS UserMessageBox (char * lpText,char * lpCaption, unsigned int uType);
Arguments
Argument           Meaning
uType              Window type: Win32 message box options such as MB_OK, etc.
Return Values
SCV_STATUS as defined in SCV_error.h
LogScv
LogScv creates a log entry which will be sent to the log server via the Policy Server.
Prototype
SCV_STATUS LogScv (char* Origin, char* LogMessage, int Alert);
Arguments
Argument Meaning
Return Values
SCV_STATUS as defined in SCV_error.h.
UserAllocateString
UserAllocateString lets the SCV DLL allocate a buffer in which to store the SCV name.
Note - You can allocate the SCV name buffer. GetScvRegistrationParams expects
to receive a pointer to this buffer. This API is restricted to the scope of
GetScvRegistrationParams; do not use it in other scopes.
Prototype
SCV_STATUS UserAllocateString (int StringSize, char ** AllocatedPointer);
Arguments
Argument Meaning
Return Values
SCV_SUCCESS on success, SCV_ILLEGAL_STRING_SIZE or SCV_ALLOCATION_FAILED on failure.
ImpersonateUser
ImpersonateUser lets the calling thread impersonate the security context of a logged-in user.
Before you run ImpersonateUser, run IsUserLoggedOn to see if the user is logged in.
Prototype
SCV_STATUS ImpersonateUser();
Arguments
None
Return Values
SCV_SUCCESS on success, SCV_FAILED_TO_IMPERSONATE on impersonation failure or
SCV_NOT_IMPLEMENTED if not implemented.
RevertSelf
RevertSelf terminates the impersonation of a client application.
Prototype
SCV_STATUS RevertSelf();
Arguments
None
Return Values
SCV_SUCCESS on success, SCV_FAILED_TO_REVERT on revert failure or SCV_NOT_IMPLEMENTED if
not implemented.
IsUserLoggedOn
IsUserLoggedOn lets the calling thread check whether a user is logged on and whether the user's GUI is up.
Prototype
SCV_STATUS IsUserLoggedOn(BOOL * bIsActive);
Arguments
Argument Meaning
Return Values
SCV_SUCCESS on success, SCV_FAILED_TO_GET_STATE on failure to fetch the logged-on state,
SCV_NOT_IMPLEMENTED if not implemented.
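The call order described for IsUserLoggedOn, ImpersonateUser and RevertSelf, as an added example that is not code from the SDK or from Check Point. The typedefs, the numeric status values, the three test doubles and the names check_as_user, always_ok and never_ok are assumptions made so the flow runs offline; treating "no logged-on user" and a failed revert as non-compliant is a choice of this example.

```c
#include <stddef.h>

/* Stand-ins for the SDK headers (assumption): the names are the ones this
 * guide lists; numeric values and the BOOL typedef are constructed. */
typedef int BOOL;
typedef enum { SCV_SUCCESS, SCV_FAILED_TO_IMPERSONATE, SCV_FAILED_TO_REVERT,
               SCV_FAILED_TO_GET_STATE, SCV_NOT_IMPLEMENTED,
               SCV_CHECK_PASSED, SCV_CHECK_FAILED } SCV_STATUS;

/* Test doubles for the three SDK calls so the flow runs offline; in a real
 * SCV DLL these come from the SDK libraries. */
static BOOL fake_logged_on = 1;
static SCV_STATUS fake_revert_result = SCV_SUCCESS;
static int impersonation_depth = 0;

SCV_STATUS IsUserLoggedOn(BOOL *bIsActive) { *bIsActive = fake_logged_on; return SCV_SUCCESS; }
SCV_STATUS ImpersonateUser(void) { impersonation_depth++; return SCV_SUCCESS; }
SCV_STATUS RevertSelf(void)
{
    if (fake_revert_result == SCV_SUCCESS) impersonation_depth--;
    return fake_revert_result;
}

/* Hypothetical per-user tests, e.g. reading a setting in the user's profile. */
typedef int (*user_check_fn)(void);
static int always_ok(void) { return 1; }
static int never_ok(void)  { return 0; }

SCV_STATUS check_as_user(user_check_fn check)
{
    BOOL active = 0;
    int ok;

    if (check == NULL)
        return SCV_CHECK_FAILED;
    if (IsUserLoggedOn(&active) != SCV_SUCCESS || !active)
        return SCV_CHECK_FAILED;   /* no user context: fail closed */
    if (ImpersonateUser() != SCV_SUCCESS)
        return SCV_CHECK_FAILED;
    ok = check();                  /* only this call runs as the user */
    if (RevertSelf() != SCV_SUCCESS)
        return SCV_CHECK_FAILED;   /* still impersonating: do not trust the result */
    return ok ? SCV_CHECK_PASSED : SCV_CHECK_FAILED;
}
```

Keeping the impersonated region to a single call makes it easy to see that every path that reaches ImpersonateUser also reaches RevertSelf.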
NotifySCVStatus
NotifySCVStatus is not supported in this version.
Return Values
SCV_NOT_IMPLEMENTED
In this section:
GetScvRegistrationParams
Start
Stop
Init
Clean
Status
GetScvDiagnostics
GetScvRegistrationParams
GetScvRegistrationParams is called by the automatic registration mechanism (Pireg.exe) to register or
de-register the SCV check into the registry.
Prototype
GetScvRegistrationParams (char **vPiName, DWORD *dwMajorVersion, DWORD *dwMinorVersion,
char **vDisplayName, char **vszPrivateData, int install);
Arguments
Argument Meaning
Return Values
Error code SCV_STATUS on success, SCV_GENERAL_FAIL on failure
Note - The SCV APIs UserMessageBox and LogScv should not be called in the scope of
this callback.
Start
Start is called when the SCV check is started. After Start is called the client can query the SCV status.
Start is called after Init is called.
Prototype
SCV_STATUS Start(int argc, char ** argv);
Arguments
Argument Meaning
Return Values
Error code SCV_STATUS on success, SCV_GENERAL_FAIL on failure.
Stop
Stop is called when the client stops using an SCV DLL. After Stop is called, SCV status is not sent to the
client.
Prototype
SCV_STATUS Stop ();
Arguments
None
Return Values
Error code SCV_STATUS on success, SCV_GENERAL_FAIL on failure.
Init
Init is the initialization function for SCV DLLs. It can be used for allocation and initialization.
Prototype
SCV_STATUS Init(void *Reserved);
Argument Meaning
Return Values
Error code SCV_STATUS on success, SCV_GENERAL_FAIL on failure.
Clean
Clean is the function that unloads SCV DLLs. It can be used for de-allocation.
Prototype
SCV_STATUS Clean();
Arguments
None
Return Values
Error code SCV_STATUS on success, SCV_GENERAL_FAIL on failure.
Status
Status is called by Remote Access Clients when it requires the SCV status (compliant or non-compliant)
from the SCV DLL.
Prototype
SCV_STATUS Status();
Arguments
None
Return Values
SCV_CHECK_PASSED if the status is compliant or SCV_CHECK_FAILED if the status is non-compliant.
GetScvDiagnostics
Remote Access Clients calls GetScvDiagnostics when it requires an SCV rationale string from the SCV DLL
that explains the secure or insecure configuration. In every periodic check, the client calls both the
Status callback and GetScvDiagnostics of the SCV DLL.
Prototype
SCV_STATUS GetScvDiagnostics (char ** ppDiagnostics);
Arguments
Argument Meaning
Note - Copy the rationale string into ppDiagnostics, which is a pre-allocated buffer limited
to 1024 characters.
Return Value
Error code SCV_STATUS on success, SCV_GENERAL_FAIL on failure.
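A sketch of the Status and GetScvDiagnostics callbacks that respects the 1024-character buffer, added here as an example and not taken from the SDK or from Check Point. The enum values, record_result and bounded_copy are assumptions, and 1024 is treated as the total buffer size including the terminator.

```c
#include <string.h>

/* Stand-ins for the SDK headers (assumption): the status names are the ones
 * this guide lists; the numeric values are constructed for this example. */
typedef enum { SCV_SUCCESS, SCV_GENERAL_FAIL,
               SCV_CHECK_PASSED, SCV_CHECK_FAILED } SCV_STATUS;

#define SCV_DIAG_MAX 1024   /* documented limit of the ppDiagnostics buffer */

/* Static state kept between callbacks, as the programming-model note requires. */
static struct {
    int  compliant;
    char reason[4096];      /* internal rationale may exceed what the client accepts */
} g_state;

/* Copy at most cap-1 bytes and always NUL-terminate. */
static void bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n >= cap)
        n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Hypothetical helper: the check's own logic records its latest result here. */
static void record_result(int compliant, const char *reason)
{
    g_state.compliant = compliant;
    bounded_copy(g_state.reason, sizeof g_state.reason, reason ? reason : "");
}

SCV_STATUS Init(void *Reserved)
{
    (void)Reserved;
    record_result(0, "check has not run yet");   /* non-compliant until evaluated */
    return SCV_SUCCESS;
}

SCV_STATUS Status(void)
{
    return g_state.compliant ? SCV_CHECK_PASSED : SCV_CHECK_FAILED;
}

SCV_STATUS GetScvDiagnostics(char **ppDiagnostics)
{
    if (ppDiagnostics == NULL || *ppDiagnostics == NULL)
        return SCV_GENERAL_FAIL;
    /* The buffer belongs to the client: truncate, never write past it. */
    bounded_copy(*ppDiagnostics, SCV_DIAG_MAX, g_state.reason);
    return SCV_SUCCESS;
}
```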
Note -
We recommend that you use Visual C++ 6.0 Service Pack 4 or above.
The minimum library required for compilation in an MSDEV environment using WIN32 is
advapi32.lib.
This example shows part of a local.scv file with a third party SCV check added. In the example, it has one
parameter, CheckFile, with the value 0.
(SCVObject
    :SCVNames (
        : (3rdPartyScv
            :type (plugin)
            :parameters (
                :CheckFile (0)
            )
        )
        : (SCVMonitor
            :type (plugin)
            :parameters (
                :scv_version (54014)
                :begin_admin (admin)
                :send_log (alert)
                :mismatchmessage ("Please upgrade your Secure Configuration Verification products package")
                :end (admin)
            )
        )
        : (sc_ver_scv
            :type (plugin)
            :parameters (
                :Default_SecureClientBuildNumber (52032)
                :Default_EnforceBuildOperand ("==")
                :MismatchMessage ("Please upgrade your SecureClient.")
                :EnforceBuild_9X_Operand (">=")
                :SecureClient_9X_BuildNumber (52030)
                :EnforceBuild_NT_Operand ("==")
                :SecureClient_NT_BuildNumber (52032)
                :EnforceBuild_2K_Operand (">=")
                :SecureClient_2K_BuildNumber (52032)
                :EnforceBuild_XP_Operand (">=")
                :SecureClient_XP_BuildNumber (52032)
            )
        )
        : (ckp_scv
            :type (plugin)
            :parameters (
                :protect_all_ifc (true)
                :non_ip_protocols (true)
                :send_log (true)
                :send_warning (true)
            )
        )
    )
    :SCVPolicy (
        : (SCVMonitor)
        : (3rdPartyScv)
    )
    :SCVEpsPolicy (
        : (WindowsSecurityMonitor)
    )
    :SCVGlobalParams (
        :enable_status_notifications (false)
        :status_notifications_timeout (10)
        :disconnect_when_not_verified (false)
        :block_connections_on_unverified (false)
        :scv_policy_timeout_hours (168)
        :enforce_ip_forwarding (false)
        :not_verified_script ()
        :not_verified_script_run_show (false)
        :not_verified_script_run_admin (false)
        :not_verified_script_run_always (false)
        :allow_non_scv_clients (false)
        :skip_firewall_enforcment_check (true)
    )
)
)
Note - If you add the check to an existing installation on Windows 7, you must run
the PiReg command with administrator permissions. Right-click the cmd.exe
program and select Run as Administrator. When the command line opens, run the
correct PiReg command.
If it is necessary to replace the DLL file, first unregister the current file. This makes the file inactive.
To unregister a third party check on a client computer:
1. Run: net stop tracsrvwrapper from the CLI of the client computer.
2. Download PiReg.exe from www.opsec.com (http://www.opsec.com) to the client computers.
3. On the client computers, run: PiReg.exe -d <full path of SCV DLL>
4. Run: net start tracsrvwrapper from the CLI of the client computer.
3    Get Scv check Status                 Gets status from the Status callback of the SCV DLL and queries GetScvDiagnostics for the SCV rationale string
9    Operate Scv under robust scenario    Runs a simulation that tests a realistic scenario. Call this after Clean or Reset or before Init.
10   Set Parameters file path             Directs the Check Tool to the directory of your params.txt file.
11   Load params from file                Initiates loading of params from the params.txt file
4. Run Clean.
5. Repeat all of the above as necessary.
Checking Parameters
If the SCV DLL uses parameters, for example, the argc and argv parameters of the Start callback, you can
do a test of the parameters in the SCV DLL.
To make sure the parameters work correctly:
1. Create a text file called Params.txt and put your parameters in it.
2. Use menu item 10, Set parameters file, to direct the Check Tool to the file path.
3. Use menu item 11, Load params from file, to load the parameters.
4. The next time you call menu item 2, Get Scv check status, the parameters are passed to the SCV DLL.
Format of Params.txt file
Use this format for the contents of the file:
Scvname
Param1=value1
Param2=value2
Example:
samplescv
n1param1=value1
n1param2=value2
n1param3=value3