
Tripwire Enterprise Server Rule Sets



  1. Tripwire Enterprise Server Rule Sets Vincent Fox, Doreen Meyer, and Paul Singh UC Davis, Information and Educational Technology July 25, 2006

  2. Working with Rule Sets • Questions • Rule types and rule groups • How does a rule work? • The parts of a file system rule • File system attributes • Criteria sets • Rule buttons

  3. Tripwire Enterprise Console

  4. File System Rule Types • UNIX file system rules (files and directories) • Windows file system rules (files and directories) • Windows registry rules (keys and key values)

  5. Rules and Rule Groups

  6. Rule Search

  7. Default Rule Groups • Root rule group • Unlinked rule group

  8. Default Rule Groups

  9. How Does a File System Rule Work? • Run a version check (baseline, promotion, or scheduled task) • The rule identifies the files and directories (objects) to check and which of their attributes to check; the local agent determines whether the monitored objects have changed. • If changes are detected, the local agent creates new element versions and sends them to the Enterprise Server.

  10. The Components of a File System Rule • Start points • Criteria sets • Exclusions • Stop points • Actions

  11. File System Rule Components – Start Point

  12. File System Rule Components – Criteria Set

  13. File System Rule Components – Stop Point If a stop point is added, the file system rule will not check the specified file or directory for changes.

  14. File System Rule Components – Exclusions

  15. File System Components - Actions

  16. Adjusting Rules Feature • Add a start point • Edit an existing start point • Add a stop point • Delete a single stop point

  17. Adjusting a Rule in Node View

  18. Adjusting a Rule

  19. Severity Levels and Severity Ranges • A severity level is a numeric value that indicates the importance of a change. • Severity levels are assigned to every rule. • For file system rules, you assign a severity level to each start point in the rule.
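The version check, rule components (start points, criteria sets, exclusions, stop points) and per-start-point severity described on the slides above, plus the content-only and permissions-only criteria sets the UNIX slides later in the deck refer to, modelled in Python as an added example. This is not Tripwire Enterprise code: the criteria set names and their attribute lists, the severity numbers, glob-style exclusions and the assumption that every start point is a directory are illustrative choices, and the directory tree it checks is constructed inside `demo()` rather than taken from any real host.

```python
import fnmatch
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, field

# Criteria sets decide which attributes are recorded and compared.  These names and
# attribute choices are assumptions for the example, not Tripwire's own definitions.
CRITERIA_SETS = {
    "content_only": ("size", "sha256"),
    "permissions_only": ("mode", "uid", "gid"),
    "all": ("size", "sha256", "mode", "uid", "gid", "mtime"),
}

@dataclass
class StartPoint:
    path: str             # directory where checking begins (assumed: always a directory)
    criteria: str = "all"
    severity: int = 1     # importance of a change under this start point; higher matters more

@dataclass
class Rule:
    start_points: list
    stop_points: set = field(default_factory=set)   # directories never descended into
    exclusions: list = field(default_factory=list)  # glob patterns of objects to skip

def attributes(path, criteria):
    """Collect the attributes named by the criteria set for one object."""
    st = os.lstat(path)
    wanted = CRITERIA_SETS[criteria]
    every = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
             "uid": st.st_uid, "gid": st.st_gid, "mtime": st.st_mtime_ns}
    if "sha256" in wanted and stat.S_ISREG(st.st_mode):   # hash only when the set asks for it
        with open(path, "rb") as f:
            every["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return {k: every[k] for k in wanted if k in every}

def elements(rule):
    """Yield (path, start_point) for every object the rule monitors."""
    for sp in rule.start_points:
        for dirpath, dirnames, filenames in os.walk(sp.path):
            # A stop point ends the descent: nothing at or below it is checked.
            dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in rule.stop_points]
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                # An exclusion skips matching objects; the walk itself continues.
                if any(fnmatch.fnmatch(path, pat) for pat in rule.exclusions):
                    continue
                yield path, sp

def baseline(rule):
    """Record the severity and current attributes of every monitored object."""
    return {p: (sp.severity, attributes(p, sp.criteria)) for p, sp in elements(rule)}

def version_check(rule, base):
    """Compare current state with the baseline; (severity, path, change, details), highest first."""
    changes = []
    current = dict(elements(rule))
    for path, sp in current.items():
        now = attributes(path, sp.criteria)
        if path not in base:
            changes.append((sp.severity, path, "added", now))
            continue
        then = base[path][1]
        diff = {k: (then.get(k), v) for k, v in now.items() if then.get(k) != v}
        if diff:
            changes.append((sp.severity, path, "modified", diff))
    for path, (sev, then) in base.items():
        if path not in current:
            changes.append((sev, path, "removed", then))
    return sorted(changes, key=lambda c: (-c[0], c[1]))

def demo():
    """Constructed tree: baseline it, tamper with it, run the version check."""
    root = tempfile.mkdtemp()
    def write(rel, data, mode=0o644):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write(data)
        os.chmod(p, mode)
    write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
    write("etc/ssh/sshd_config", "PermitRootLogin no\n", 0o600)
    write("etc/mtab", "proc /proc proc rw 0 0\n")            # excluded: churns constantly
    write("var/log/messages", "boot\n")                       # below a stop point
    write("usr/bin/ls", "#!/bin/sh\n", 0o755)
    rule = Rule(
        start_points=[StartPoint(os.path.join(root, "etc"), "all", 1000),
                      StartPoint(os.path.join(root, "usr/bin"), "content_only", 5000),
                      StartPoint(os.path.join(root, "var"), "all", 100)],
        stop_points={os.path.join(root, "var/log")},
        exclusions=[os.path.join(root, "etc/mtab")])
    base = baseline(rule)
    # Changes after the baseline; only the last four should be reported.
    write("etc/mtab", "tmpfs /tmp tmpfs rw 0 0\n")           # ignored: exclusion
    write("var/log/messages", "boot\nlogin\n")               # ignored: stop point
    write("usr/bin/ls", "#!/bin/sh\nmalicious\n", 0o755)     # content changed
    os.chmod(os.path.join(root, "etc/ssh/sshd_config"), 0o644)  # permissions changed
    write("etc/ssh/authorized_keys", "ssh-ed25519 AAAA\n")   # object added
    os.remove(os.path.join(root, "etc/passwd"))              # object removed
    return root, version_check(rule, base)
```

Running `demo()` reports the binary under the highest-severity start point first, then the removed, added and re-permissioned objects under `etc`; the excluded `mtab` and everything below the `var/log` stop point are never visited, which is the point of having both mechanisms: an exclusion drops one object from an otherwise monitored tree, a stop point cuts off a whole subtree.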

  20. Default Severity Ranges

  21. Global Severity Settings

  22. Attributes and Criteria Sets • File system attributes • Creating and modifying criteria sets • Keeps an encrypted database of file/registry attributes, including four checksum/hash algorithms: HAVAL, MD5, SHA and CRC-32. CRC-32 is an error-detecting checksum, not a cryptographic hash, and MD5 and HAVAL have published collision attacks; for tamper detection rely on the SHA attribute. • Tripwire detects changes to 29 object properties (file/directory) and 21 registry key/value properties on Windows.
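Why CRC-32 belongs in a criteria set only for catching accidental corruption, shown as an added example (not code from the deck or from Tripwire): CRC-32 is linear over GF(2), so four bytes appended to a tampered file can be solved for to restore any CRC-32 value, while the SHA digest of the same file still changes. The inversion below relies on the fact that the 256 high bytes of the standard CRC-32 table are all distinct; the config line used as input is constructed for the example.

```python
import hashlib
import zlib

def _crc_table():
    """Standard reflected CRC-32 table (polynomial 0xEDB88320), the one zlib uses."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = _crc_table()
# The high bytes of the CRC-32 table are all distinct, so a register's top byte
# identifies which table entry produced it.  That is what makes the inversion work.
TOP_BYTE_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(TOP_BYTE_INDEX) == 256

def crc32_suffix(data, target):
    """Return 4 bytes X with zlib.crc32(data + X) == target."""
    # zlib's running register is the published CRC with the final XOR undone.
    want = target ^ 0xFFFFFFFF
    after_zeros = zlib.crc32(data + b"\0\0\0\0") ^ 0xFFFFFFFF
    # Linearity: processing X from the current register equals processing four
    # zero bytes from it XOR processing X from an all-zero register.
    need = want ^ after_zeros
    # Backward pass: the top byte of each intermediate register fixes the table
    # index used in that step, so the four indices are peeled off from the end.
    indices = []
    r = need
    for _ in range(4):
        i = TOP_BYTE_INDEX[r >> 24]
        indices.append(i)
        r = ((r ^ TABLE[i]) << 8) & 0xFFFFFFFF
    indices.reverse()
    # Forward pass from a zero register: index = (register low byte) XOR (input byte).
    reg, out = 0, bytearray()
    for i in indices:
        out.append((reg ^ i) & 0xFF)
        reg = TABLE[i] ^ (reg >> 8)
    return bytes(out)

def hits_target(data, target):
    """True when the computed suffix really does force the CRC-32 to target."""
    return zlib.crc32(data + crc32_suffix(data, target)) == target

def forge(original, tampered):
    """Tampered content plus a 4-byte suffix that restores the original's CRC-32."""
    return tampered + crc32_suffix(tampered, zlib.crc32(original))

def compare(original, forged):
    """Which attributes notice the tampering: CRC-32 does not, SHA-256 does."""
    return {"crc32_matches": zlib.crc32(forged) == zlib.crc32(original),
            "sha256_matches": hashlib.sha256(forged).digest() == hashlib.sha256(original).digest()}
```

A rule whose criteria set records only CRC-32 (or only file size) would report nothing for `forge(b"PermitRootLogin no\n", b"PermitRootLogin yes\n")`; the same trick does not apply to MD5, SHA or HAVAL, which are not linear, although MD5 and HAVAL have their own published collision attacks and SHA is the attribute to depend on.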

  23. Rules: Windows Directory Attributes

  24. Rules: Windows File Attributes

  25. Attributes – File/Directories • Archive flag • Read-only flag • Hidden flag • Offline flag • Temporary flag • System flag • Directory flag • Last access time • Last write time • Create time • File size • Turns on event tracking for that object • MS-DOS 8.3 name • NTFS Compressed flag • NTFS Owner SID • NTFS Group SID • NTFS DACL • NTFS SACL • Security descriptor control • Size of security descriptor • CRC-32 • MD5 • SHA • HAVAL • Number of NTFS streams • CRC-32 hash of all alternate data streams • MD5 hash of all alternate data streams • SHA hash of all alternate data streams • HAVAL hash of all alternate data streams

  26. Rules: Registry Attributes

  27. Windows Registry: Attributes • Registry Key Objects • Last write time • Owner SID • Group SID • DACL • SACL • Security descriptor control • Size of security descriptor for the key • Name of class • Number of subkeys • Maximum length of subkey name • Maximum length of classname • Number of values • Maximum length for value name • Maximum length of data for any value in the key • Turns on event tracking for that object • Registry Value Objects • Type of value data • Length of value data • CRC-32 hash of value data • MD5 hash of value data • SHA hash of value data • HAVAL hash of value data

  28. Windows Registry • User Settings: • HKEY_USERS • HKEY_CURRENT_USER • System Settings: • HKEY_LOCAL_MACHINE • HKEY_CLASSES_ROOT • HKEY_CURRENT_CONFIG

  29. Developing the UCD Windows Rule Set • Critical OS system files and directories. • Determine critical registry keys. • Keep it general initially. • Tailor to more specifics per system and business requirements.

  30. Rules: UNIX File and Directory Attributes

  31. File System Attributes for UNIX

  32. File System Attributes for UNIX

  33. File System Attributes for UNIX

  34. Criteria Sets for UNIX

  35. UNIX Criteria Set – Content Only

  36. UNIX Criteria Set – Permissions Only

  37. Rule Buttons • New Group • New Rule • Import, Export • Move • Link, Unlink • Delete

  38. New Rule Group

  39. New Rule

  40. New Rule

  41. New Rule

  42. New Rule

  43. New Rule

  44. Rule Import and Export • Import and export rules to preserve rule sets (a simple form of "version control")

  45. Rule Buttons • Move • Link • Unlink • Delete

  46. Assignment for August 8 • Create a file system rule • Create a Windows registry rule • Deployment options

  47. July-August Training Schedule • July 12: adding and configuring a node using the basic rule set • July 25: creating and modifying rules • August 8: reports, dashboard, deployment

  48. Contacts • ucdtripwire@ucdavis.edu - class mailing list • Vincent Fox - vbfox@ucdavis.edu • Doreen Meyer - dimeyer@ucdavis.edu • Bob Ono - raono@ucdavis.edu • Paul Singh - pasingh@ucdavis.edu • Software - software@ucdavis.edu
