Tripwire Enterprise Server Rule Sets

Vincent Fox, Doreen Meyer, and

Paul Singh

UC Davis, Information and Educational Technology

July 25, 2006

Working with Rule Sets
  • Questions
  • Rule types and rule groups
  • How does a rule work?
  • The parts of a file system rule
  • File system attributes
  • Criteria sets
  • Rule buttons
File System Rule Types
  • UNIX file system rules (files and directories)
  • Windows or UNIX file system rules (files and directories)
  • Windows registry rules (keys and key values)
Default Rule Groups
  • Root rule group
  • Unlinked rule group
How Does a File System Rule Work?
  • Run version check (baseline, promotion, task)
  • Rule identifies files and directories (objects) that are to be checked, and what attributes to check. The local agent determines if monitored objects have changed.
  • If changes are detected, local agent creates new element versions and sends the new versions to the Enterprise Server.
The Components of a File System Rule
  • Start points
  • Criteria sets
  • Exclusions
  • Stop points
  • Actions
File System Rule Components – Stop Point

If a stop point is added, the file system rule will not check the specified file or directory for changes.

Adjusting Rules Feature
  • Add a start point
  • Edit an existing start point
  • Add a stop point
  • Delete a single stop point
Severity Levels and Severity Ranges
  • A severity level is a numeric value that indicates the importance of a change.
  • Severity levels are assigned to every rule.
  • For file system rules, you assign a severity level to each start point in the rule.
Attributes and Criteria Sets
  • File system attributes
  • Creating and modifying criteria sets
  • Keeps an encrypted database of file/registry attributes (including four hash algorithms: HAVAL, MD5, SHA and CRC-32)
  • Tripwire detects changes to 29 object properties (file/directory) and 21 Registry keys/values on Windows.
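The mechanics of the last few slides (a rule made of start points, a criteria set, exclusions and stop points; a version check that captures element versions and reports changes at the severity of their start point), as an added Python model that is not Tripwire's own code. It assumes a constructed temporary directory tree, uses SHA-256 as a stand-in for the slide's "SHA" attribute, and only captures two of the listed attributes.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ATTRIBUTES = {"size": lambda p: os.stat(p).st_size,                               # two of the slide's attributes
              "sha": lambda p: hashlib.sha256(Path(p).read_bytes()).hexdigest()}  # SHA-256 stands in for "SHA"

@dataclass
class Rule:                                         # the components named on the slide
    start_points: dict                              # path -> severity level, one per start point
    criteria: tuple = ("size", "sha")               # criteria set: attributes captured per object
    stop_points: set = field(default_factory=set)   # files/directories never checked
    exclusions: tuple = ()                          # filename suffixes skipped under a start point

def scan(rule):
    """Walk each start point, pruning stop points and exclusions; return {path: element version}."""
    versions = {}
    for root in rule.start_points:
        for dirpath, dirnames, names in os.walk(root):
            dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in rule.stop_points]
            for path in (os.path.join(dirpath, n) for n in names if not n.endswith(rule.exclusions)):
                if path not in rule.stop_points:
                    versions[path] = {a: ATTRIBUTES[a](path) for a in rule.criteria}
    return versions

def version_check(rule, baseline, current):
    """Diff two scans; each change carries the severity of the start point it falls under."""
    severity = lambda p: max(s for sp, s in rule.start_points.items() if p == sp or p.startswith(sp + os.sep))
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) != current.get(path):
            kind = "added" if path not in baseline else "removed" if path not in current else "modified"
            changes.append((path, kind, severity(path)))
    return changes

def demo():
    """Constructed sample tree: a high-severity etc/, a stop-pointed log/ and a .tmp exclusion."""
    top = Path(tempfile.mkdtemp())
    for rel, data in {"etc/passwd": b"root:x:0:0\n", "etc/cache.tmp": b"1", "log/app.log": b"start\n"}.items():
        (top / rel).parent.mkdir(exist_ok=True)
        (top / rel).write_bytes(data)
    rule = Rule({str(top / "etc"): 100, str(top): 10}, stop_points={str(top / "log")}, exclusions=(".tmp",))
    baseline = scan(rule)                                                     # first version check = baseline
    (top / "etc" / "passwd").write_bytes(b"root:x:0:0\nsvc:x:1001:1001\n")  # modified: reported at severity 100
    (top / "log" / "app.log").write_bytes(b"start\nmore\n")                   # under the stop point: not reported
    (top / "new.txt").write_bytes(b"n")                                       # added: reported at severity 10
    return [(os.path.relpath(p, top).replace(os.sep, "/"), k, s)
            for p, k, s in version_check(rule, baseline, scan(rule))]
```

Running `demo()` shows the two reported changes while the write under the stop point and the excluded `.tmp` file stay silent, which is exactly the narrowing a stop point or exclusion is meant to buy.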
Attributes – File/Directories
  • Archive flag
  • Read-only flag
  • Hidden flag
  • Offline flag
  • Temporary flag
  • System flag
  • Directory flag
  • Last access time
  • Last write time
  • Create time
  • File size
  • Turns on event tracking for that object
  • MS-DOS 8.3 name
  • NTFS Compressed flag
  • NTFS Owner SID
  • NTFS Group SID
  • NTFS DACL
  • NTFS SACL
  • Security descriptor control
  • Size of security descriptor
  • CRC-32
  • MD5
  • SHA
  • HAVAL
  • Number of NTFS streams
  • CRC-32 hash of all alternative data streams
  • MD5 hash of all alternative data streams
  • SHA hash of all alternative data streams
  • HAVAL hash of all alternative data streams
Windows Registry: Attributes
  • Registry Key Objects
    • Last write time
    • Owner SID
    • Group SID
    • DACL
    • SACL
    • Security descriptor control
    • Size of security descriptor for the key
    • Name of class
    • Number of subkeys
    • Maximum length of subkey name
    • Maximum length of classname
    • Number of values
    • Maximum length for value name
    • Maximum length of data for any value in the key
    • Turns on event tracking for that object
  • Registry Value Objects
    • Type of value data
    • Length of value data
    • CRC-32 hash of value data
    • MD5 hash of value data
    • SHA hash of value data
    • HAVAL hash of value data
Windows Registry
  • User Settings:
    • HKEY_USERS
    • HKEY_CURRENT_USER
  • System Settings:
    • HKEY_LOCAL_MACHINE
    • HKEY_CLASSES_ROOT
    • HKEY_CURRENT_CONFIG
Developing the UCD Windows Rule Set
  • Identify critical OS system files and directories.
  • Determine critical registry keys.
    • Keep it general initially.
    • Tailor to more specifics per system and business requirements.

Rule Buttons
  • New Group
  • New Rule
  • Import, Export
  • Move
  • Link, Unlink
  • Delete
Rule Import and Export
  • Import and export rules to preserve rule sets (a form of “version control”)
Rule Buttons
  • Move
  • Link
  • Unlink
  • Delete
Assignment for August 8
  • Create a file system rule
  • Create a Windows registry rule
  • Deployment options
July-August Training Schedule
  • July 12: adding and configuring a node using the basic rule set
  • July 25: creating and modifying rules
  • August 8: reports, dashboard, deployment
Contacts
  • ucdtripwire@ucdavis.edu - class mailing list
  • Vincent Fox - vbfox@ucdavis.edu
  • Doreen Meyer - dimeyer@ucdavis.edu
  • Bob Ono - raono@ucdavis.edu
  • Paul Singh - pasingh@ucdavis.edu
  • Software - software@ucdavis.edu