Tripwire Enterprise Server Rule Sets
Vincent Fox, Doreen Meyer, and Paul Singh
UC Davis, Information and Educational Technology
July 25, 2006
Working with Rule Sets
Questions
Rule types and rule groups
How does a rule work?
The parts of a file system rule
File system attributes
Criteria sets
Rule buttons
Tripwire Enterprise Console
File System Rule Types
UNIX file system rules (files and directories)
Windows or UNIX file system rules (files and directories)
Windows registry rules (keys and key values)
Rules and Rule Groups
Rule Search
Default Rule Groups
Root rule group
Unlinked rule group
Default Rule Groups
How Does a File System Rule Work?
Run version check (baseline, promotion, task).
Rule identifies files and directories (objects) that are to be checked, and what attributes to check. The local agent determines if monitored objects have changed.
If changes are detected, the local agent creates new element versions and sends the new versions to the Enterprise Server.
The Components of a File System Rule
Start points
Criteria sets
Exclusions
Stop points
Actions
File System Rule Components – Start Point
File System Rule Components – Criteria Set
File System Rule Components – Stop Point
If a stop point is added, the file system rule will not check the specified file or directory for changes.
File System Rule Components – Exclusions
File System Rule Components – Actions
Adjusting Rules Feature
Add a start point
Edit an existing start point
Add a stop point
Delete a single stop point
Adjusting a Rule in Node View
Adjusting a Rule
Severity Levels and Severity Ranges
A severity level is a numeric value that indicates the importance of a change.
Severity levels are assigned to every rule.
For file system rules, you assign a severity level to each start point in the rule.
Default Severity Ranges
Range    Indicator Color    Value
High     Red                67-10000
Medium   Yellow             34-66
Low      Blue               1-33
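As an added illustration of the version check described above (not code from the slides or from Tripwire), the following Python models a file system rule with two start points, their criteria sets, a stop point and an exclusion, runs one version check against a constructed baseline, and tags each changed element with its start point's severity level and default range. The rule layout, the criteria-set contents and all attribute values are assumptions.

```python
# Default severity ranges from the slides: (low, high, range name).
SEVERITY_RANGES = [(67, 10000, "High"), (34, 66, "Medium"), (1, 33, "Low")]
# Criteria sets name the attributes compared (assumed contents, modelled on the UNIX sets).
CRITERIA_SETS = {"Content Only": ("size", "md5"),
                 "Permissions Only": ("mode", "owner", "group")}
# Constructed rule: each start point carries its own severity and criteria set;
# /etc/mtab is a stop point and names ending in .bak are excluded.
RULE = {"start_points": [{"path": "/etc", "severity": 80, "criteria_set": "Content Only"},
                         {"path": "/home", "severity": 20, "criteria_set": "Permissions Only"}],
        "stop_points": ["/etc/mtab"], "exclusions": [".bak"]}
# Constructed element versions (attribute dicts); md5 values are placeholders, not digests.
BASELINE = {"/etc/passwd": {"size": 1024, "md5": "h1", "mode": "644", "owner": "root", "group": "root"},
            "/etc/mtab": {"size": 300, "md5": "h2", "mode": "644", "owner": "root", "group": "root"},
            "/home/alice/.profile": {"size": 200, "md5": "h3", "mode": "644", "owner": "alice", "group": "users"}}
CURRENT = {"/etc/passwd": {"size": 1060, "md5": "h4", "mode": "644", "owner": "root", "group": "root"},
           "/etc/mtab": {"size": 310, "md5": "h5", "mode": "644", "owner": "root", "group": "root"},
           "/etc/shadow.bak": {"size": 500, "md5": "h6", "mode": "600", "owner": "root", "group": "root"},
           "/home/alice/.profile": {"size": 200, "md5": "h3", "mode": "777", "owner": "alice", "group": "users"}}

def severity_range(level):
    """Map a start point's severity level to its default range name."""
    for low, high, name in SEVERITY_RANGES:
        if low <= level <= high:
            return name
    raise ValueError(f"severity level {level} is outside 1-10000")

def under(path, prefix):
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def start_point_for(path, rule):
    """Deepest start point covering path, or None when a stop point or exclusion applies."""
    if any(under(path, s) for s in rule["stop_points"]) or \
            any(path.endswith(x) for x in rule["exclusions"]):
        return None
    covering = [sp for sp in rule["start_points"] if under(path, sp["path"])]
    return max(covering, key=lambda sp: len(sp["path"]), default=None)

def version_check(rule, baseline, current):
    """Report in-scope objects whose criteria-set attributes changed, or were added/removed."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        sp = start_point_for(path, rule)
        if sp is None:
            continue  # stop point, exclusion, or outside every start point
        old, new = baseline.get(path), current.get(path)
        diff = (["added"] if old is None else ["removed"] if new is None else
                [a for a in CRITERIA_SETS[sp["criteria_set"]] if old[a] != new[a]])
        if diff:
            changes.append((path, diff, sp["severity"], severity_range(sp["severity"])))
    return changes
```

Running version_check(RULE, BASELINE, CURRENT) reports /etc/passwd as High (size and md5 changed) and /home/alice/.profile as Low (mode changed), while /etc/mtab and /etc/shadow.bak are never compared.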
Global Severity Settings
Attributes and Criteria Sets
File system attributes
Creating and modifying criteria sets
Keeps encrypted database of File/Registry Attributes (including 4 hashing algorithms – HAVAL, MD5, SHA and CRC-32)
Tripwire detects changes to 29 object properties (file/directory) and 21 Registry keys/values on Windows.
Rules: Windows Directory Attributes
Rules: Windows File Attributes
Attributes – File/Directories
Archive flag
Read-only flag
Hidden flag
Offline flag
Temporary flag
System flag
Directory flag
Last access time
Last write time
Create time
File size
Turns on event tracking for that object
MS-DOS 8.3 name
NTFS Compressed flag
NTFS Owner SID
NTFS Group SID
NTFS DACL
NTFS SACL
Security descriptor control
Size of security descriptor
CRC-32
MD5
SHA
HAVAL
Number of NTFS streams
CRC-32 hash of all alternative data streams
MD5 hash of all alternative data streams
SHA hash of all alternative data streams
HAVAL hash of all alternative data streams
Rules: Registry Attributes
Windows Registry: Attributes
Registry Key Objects
– Last write time
– Owner SID
– Group SID
– DACL
– SACL
– Security descriptor control
– Size of security descriptor for the key
– Name of class
– Number of subkeys
– Maximum length of subkey name
– Maximum length of classname
– Number of values
– Maximum length for value name
– Maximum length of data for any value in the key
– Turns on event tracking for that object
Registry Value Objects
– Type of value data
– Length of value data
– CRC-32 hash of value data
– MD5 hash of value data
– SHA hash of value data
– HAVAL hash of value data
Windows Registry
User Settings:
– HKEY_USERS
– HKEY_CURRENT_USER
System Settings:
– HKEY_LOCAL_MACHINE
– HKEY_CLASSES_ROOT
– HKEY_CURRENT_CONFIG
Developing the UCD Windows Rule Set
Critical OS system files and directories.
Determine critical registry keys.
– Keep it general initially.
– Tailor to more specifics per system and business requirements.
Rules: UNIX File and Directory Attributes
File System Attributes for UNIX
Attribute   Applies to              Description
ACL         Files and directories   Access control list
Access      Files and directories   Last date and time accessed
Change      Files and directories   Last date and time modified or created
Group       Files and directories   Group owning a file or directory
Growing     Files only              Size/SHA-1 hash. Size must be larger than baseline and/or hash change
MD5         Files only              MD5 hash
Modify      Files and directories   Last date and time content changed
Criteria Sets for UNIX
UNIX Criteria Set – Content Only
UNIX Criteria Set – Permissions Only
Rule Buttons
New Group
New Rule
Import, Export
Move
Link, Unlink
Delete
New Rule Group
New Rule
Rule Import and Export
Import and export rules to preserve rule sets ("version control")
Rule Buttons
Move
Link
Unlink
Delete
Assignment for August 8
Create a file system rule
Create a Windows registry rule
Deployment options
July-August Training Schedule
July 12: adding and configuring a node using the basic rule set
July 25: creating and modifying rules
August 8: reports, dashboard, deployment
Contacts
[email protected] - class mailing list
Vincent Fox - [email protected]
Doreen Meyer - [email protected]
Bob Ono - [email protected]
Paul Singh - [email protected]
Tripwire Software - [email protected]