Tripwire Enterprise Server Rule Sets Vincent Fox, Doreen Meyer, and Paul Singh UC Davis, Information and Educational Technology July 25, 2006

Working with Rule Sets Questions Questions Rule types and rule groups Rule types and rule groups How does a rule work? How does a rule work? The parts of a file system rule The parts of a file system rule File system attributes File system attributes Criteria sets Criteria sets Rule buttons Rule buttons

Tripwire Enterprise Console

File System Rule Types UNIX file system rules (files and directories) UNIX file system rules (files and directories) Windows or unix file system rules (files and directories) Windows or unix file system rules (files and directories) Windows registry rules (keys and key values) Windows registry rules (keys and key values)

Rules and Rule Groups

Rule Search

Default Rule Groups Root rule group Root rule group Unlinked rule group Unlinked rule group

Default Rule Groups

How Does a File System Rule Work? Run version check (baseline, promotion, task) Run version check (baseline, promotion, task) Rule identifies files and directories (objects) that are to be checked, and what attributes to check. The local agent determines if monitored objects have changed. Rule identifies files and directories (objects) that are to be checked, and what attributes to check. The local agent determines if monitored objects have changed. If changes are detected, local agent creates new element versions and sends the new versions to the Enterprise Server. If changes are detected, local agent creates new element versions and sends the new versions to the Enterprise Server.

The Components of a File System Rule Start points Start points Criteria sets Criteria sets Exclusions Exclusions Stop points Stop points Actions Actions

File System Rule Components – Start Point

File System Rule Components – Criteria Set

File System Rule Components – Stop Point If a stop point is added, the file system rule will not check the specified file or directory for changes.

File System Rule Components – Exclusions

File System Components - Actions

Adjusting Rules Feature Add a start point Add a start point Edit an existing start point Edit an existing start point Add a stop point Add a stop point Delete a single stop point Delete a single stop point

Adjusting a Rule in Node View

Adjusting a Rule

Severity Levels and Severity Ranges A severity level is a numeric value that indicates the importance of a change. A severity level is a numeric value that indicates the importance of a change. Severity levels are assigned to every rule. Severity levels are assigned to every rule. For file system rules, you assign a severity level to each start point in the rule. For file system rules, you assign a severity level to each start point in the rule.

Default Severity Ranges Range Range Indicator Color Value HighRed MediumYellow34-66 LowBlue1-33

Global Severity Settings

Attributes and Criteria Sets File system attributes File system attributes Creating and modifying criteria sets Creating and modifying criteria sets Keeps encrypted database of File/Registry Attributes (including 4 hashing algorithms – HAVAL, MD5, SHA and CRC-32) Tripwire detects changes to 29 object properties (file/directory) and 21 Registry keys/values on Windows.

Rules: Windows Directory Attributes

Rules: Windows File Attributes

Attributes – File/Directories Archive flag Archive flag Read-only flag Read-only flag Hidden flag Hidden flag Offline flag Offline flag Temporary flag Temporary flag System flag System flag Directory flag Directory flag Last access time Last access time Last write time Last write time Create time Create time File size File size Turns on event tracking for that object Turns on event tracking for that object MS-DOS 8.3 name MS-DOS 8.3 name NTFS Compressed flag NTFS Compressed flag NTFS Owner SID NTFS Owner SID NTFS Group SID NTFS Group SID NTFS DACL NTFS DACL NTFS SACL NTFS SACL Security descriptor control Security descriptor control Size of security descriptor Size of security descriptor CRC-32 CRC-32 MD5 MD5 SHA SHA HAVAL HAVAL Number of NTFS streams Number of NTFS streams CRC-32 hash of all alternative data streams CRC-32 hash of all alternative data streams MD5 hash of all alternative data streams MD5 hash of all alternative data streams SHA hash of all alternative data streams SHA hash of all alternative data streams HAVAL hash of all alternative data streams HAVAL hash of all alternative data streams

Rules: Registry Attributes

Windows Registry: Attributes Registry Key Objects Registry Key Objects –Last write time –Owner SID –Group SID –DACL –SACL –Security descriptor control –Size of security descriptor for the key –Name of class –Number of subkeys –Maximum length of subkey name –Maximum length of classname –Number of values –Maximum length for value name –Maximum length of data for any value in the key –Turns on event tracking for that object Registry Value Objects Registry Value Objects –Type of value data –Length of value data –CRC-32 hash of value data –MD5 hash of value data –SHA hash of value data –HAVAL hash of value data

Windows Registry User Settings: User Settings: –HKEY_USERS –HKEY_CURRENT_USER System Settings: System Settings: –HKEY_LOCAL_MACHINE –HKEY_CLASSES_ROOT –HKEY_CURRENT_CONFIG

Developing the UCD Windows Rule Set Critical OS system files and directories. Critical OS system files and directories. Determine critical registry keys. Determine critical registry keys. –Keep it general initially. –Tailor to more specifics per system and business requirements.

Rules: UNIX File and Directory Attributes

File System Attributes for UNIX Attribute Applies to… Description ACL Files and directories Access control list Access Files and directories Last date and time accessed Change Files and directories Last date and time modified or created

File System Attributes for UNIX Attribute Applies to Description Group Files and directories Group owning a file or directory Growing Files only Size/SHA-1 hash. Size must be larger than baseline and/or hash change

File System Attributes for UNIX Attribute Applies to Description MD5 Files only MD5 hash Modify Files and directories Last date and time content changed

Criteria Sets for UNIX

UNIX Criteria Set – Content Only

UNIX Criteria Set – Permissions Only

Rule Buttons New Group New Group New Rule New Rule Import, Export Import, Export Move Move Link, Unlink Link, Unlink Delete Delete

New Rule Group

New Rule

Rule Import and Export Import and export rules to preserve rule sets Import and export rules to preserve rule sets “version control” “version control”

Rule Buttons Move Move Link Link Unlink Unlink Delete Delete

Assignment for August 8 Create a file system rule Create a file system rule Create a windows registry rule Create a windows registry rule Deployment options Deployment options

July-August Training Schedule July 12: adding and configuring a node using the basic rule set July 12: adding and configuring a node using the basic rule set July 25: creating and modifying rules July 25: creating and modifying rules August 8: reports, dashboard, deployment August 8: reports, dashboard, deployment

Contacts - class mailing list - class mailing list Vincent Fox - Vincent Fox - Doreen Meyer - Doreen Meyer - Bob Ono - Bob Ono - Paul Singh - Paul Singh - Software - Software -