Tripwire Enterprise Server Rule Sets Vincent Fox, Doreen Meyer, and Paul Singh UC Davis, Information and Educational Technology July 25, 2006.

1 Tripwire Enterprise Server Rule Sets Vincent Fox, Doreen Meyer, and Paul Singh UC Davis, Information and Educational Technology July 25, 2006

2 Working with Rule Sets
- Questions
- Rule types and rule groups
- How does a rule work?
- The parts of a file system rule
- File system attributes
- Criteria sets
- Rule buttons

3 Tripwire Enterprise Console

4 File System Rule Types
- UNIX file system rules (files and directories)
- Windows or UNIX file system rules (files and directories)
- Windows registry rules (keys and key values)

5 Rules and Rule Groups

6 Rule Search

7 Default Rule Groups
- Root rule group
- Unlinked rule group

8 Default Rule Groups

9 How Does a File System Rule Work?
- Run a version check (baseline, promotion, task).
- The rule identifies the files and directories (objects) to be checked, and which attributes to check. The local agent determines whether the monitored objects have changed.
- If changes are detected, the local agent creates new element versions and sends them to the Enterprise Server.

10 The Components of a File System Rule
- Start points
- Criteria sets
- Exclusions
- Stop points
- Actions

11 File System Rule Components – Start Point

12 File System Rule Components – Criteria Set

13 File System Rule Components – Stop Point If a stop point is added, the file system rule will not check the specified file or directory for changes.

14 File System Rule Components – Exclusions

15 File System Components - Actions

16 Adjusting Rules
Feature:
- Add a start point
- Edit an existing start point
- Add a stop point
- Delete a single stop point

17 Adjusting a Rule in Node View

18 Adjusting a Rule

19 Severity Levels and Severity Ranges
- A severity level is a numeric value that indicates the importance of a change.
- Severity levels are assigned to every rule.
- For file system rules, you assign a severity level to each start point in the rule.

20 Default Severity Ranges
Range    Indicator color    Value
High     Red                67-10000
Medium   Yellow             34-66
Low      Blue               1-33

21 Global Severity Settings

22 Attributes and Criteria Sets
- File system attributes
- Creating and modifying criteria sets
- Tripwire keeps an encrypted database of file/registry attributes (including 4 hashing algorithms: HAVAL, MD5, SHA and CRC-32).
- Tripwire detects changes to 29 object properties (file/directory) and 21 registry keys/values on Windows.

23 Rules: Windows Directory Attributes

24 Rules: Windows File Attributes

25 Attributes – File/Directories
- Archive flag
- Read-only flag
- Hidden flag
- Offline flag
- Temporary flag
- System flag
- Directory flag
- Last access time
- Last write time
- Create time
- File size
- Turns on event tracking for that object
- MS-DOS 8.3 name
- NTFS Compressed flag
- NTFS Owner SID
- NTFS Group SID
- NTFS DACL
- NTFS SACL
- Security descriptor control
- Size of security descriptor
- CRC-32
- MD5
- SHA
- HAVAL
- Number of NTFS streams
- CRC-32 hash of all alternative data streams
- MD5 hash of all alternative data streams
- SHA hash of all alternative data streams
- HAVAL hash of all alternative data streams

26 Rules: Registry Attributes

27 Windows Registry: Attributes
Registry Key Objects
–Last write time
–Owner SID
–Group SID
–DACL
–SACL
–Security descriptor control
–Size of security descriptor for the key
–Name of class
–Number of subkeys
–Maximum length of subkey name
–Maximum length of classname
–Number of values
–Maximum length for value name
–Maximum length of data for any value in the key
–Turns on event tracking for that object
Registry Value Objects
–Type of value data
–Length of value data
–CRC-32 hash of value data
–MD5 hash of value data
–SHA hash of value data
–HAVAL hash of value data

28 Windows Registry
User Settings:
–HKEY_USERS
–HKEY_CURRENT_USER
System Settings:
–HKEY_LOCAL_MACHINE
–HKEY_CLASSES_ROOT
–HKEY_CURRENT_CONFIG

29 Developing the UCD Windows Rule Set
- Critical OS system files and directories.
- Determine critical registry keys.
–Keep it general initially.
–Tailor to more specifics per system and business requirements.

30 Rules: UNIX File and Directory Attributes

31 File System Attributes for UNIX
Attribute   Applies to…             Description
ACL         Files and directories   Access control list
Access      Files and directories   Last date and time accessed
Change      Files and directories   Last date and time modified or created

32 File System Attributes for UNIX
Attribute   Applies to…             Description
Group       Files and directories   Group owning a file or directory
Growing     Files only              Size/SHA-1 hash. Size must be larger than baseline and/or hash change

33 File System Attributes for UNIX
Attribute   Applies to…             Description
MD5         Files only              MD5 hash
Modify      Files and directories   Last date and time content changed

34 Criteria Sets for UNIX

35 UNIX Criteria Set – Content Only

36 UNIX Criteria Set – Permissions Only
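The following is an added toy model, not Tripwire code, of how slides 9, 10, 13, 19-20 and 35-36 fit together: a start point, stop points and a criteria set select which elements and attributes the agent computes, a baseline is taken, and a later version check reports changed or removed elements tagged with the severity range of the start point. The criteria-set membership, the sample tree and all function names are assumptions made for the example.

```python
import hashlib

# Default severity ranges from slide 20 (inclusive bounds).
SEVERITY_RANGES = (("High", 67, 10000), ("Medium", 34, 66), ("Low", 1, 33))
# Attributes each criteria set compares; membership is an assumption modelled
# on the UNIX "Content Only" and "Permissions Only" sets (slides 35-36).
CRITERIA_SETS = {"Content Only": ("size", "md5", "sha1"),
                 "Permissions Only": ("mode", "owner", "group")}
# Constructed sample file tree (not real system data): path -> attributes.
TREE = {
    "/etc/passwd": {"data": b"root:x:0:0\n", "mode": "0644", "owner": "root", "group": "root"},
    "/etc/shadow": {"data": b"root:*\n", "mode": "0600", "owner": "root", "group": "root"},
    "/etc/cache/x": {"data": b"tmp", "mode": "0644", "owner": "root", "group": "root"},
}

def severity_range(value):
    """Map a start point's numeric severity to its default range name."""
    for name, lo, hi in SEVERITY_RANGES:
        if lo <= value <= hi:
            return name
    return "Unranked"

def under(path, root):
    # True when path is root itself or lies below directory root.
    return path == root or path.startswith(root.rstrip("/") + "/")

def element_version(obj, attrs):
    """Compute only the attributes the criteria set tells the agent to check."""
    calc = {"size": lambda: len(obj["data"]),
            "md5": lambda: hashlib.md5(obj["data"]).hexdigest(),
            "sha1": lambda: hashlib.sha1(obj["data"]).hexdigest(),
            "mode": lambda: obj["mode"], "owner": lambda: obj["owner"],
            "group": lambda: obj["group"]}
    return {a: calc[a]() for a in attrs}

def scan(tree, start, stop_points, criteria):
    """Walk from the start point, skipping stop points; return element versions."""
    attrs = CRITERIA_SETS[criteria]
    return {p: element_version(o, attrs) for p, o in tree.items()
            if under(p, start) and not any(under(p, s) for s in stop_points)}

def version_check(tree, start, stop_points, criteria, severity, baseline):
    """Diff current versions against the baseline; tag each change with a range."""
    current = scan(tree, start, stop_points, criteria)
    changes = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path, {}), current.get(path, {})
        diff = [a for a in set(old) | set(new) if old.get(a) != new.get(a)]
        if diff:
            changes[path] = (severity_range(severity), sorted(diff))
    return changes
```

A removed element shows up with all of its baseline attributes changed, and anything below a stop point is never reported, which is why stop points belong only on paths whose changes you have decided not to track.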

37 Rule Buttons
- New Group
- New Rule
- Import, Export
- Move
- Link, Unlink
- Delete

38 New Rule Group

39 New Rule

44 Rule Import and Export
- Import and export rules to preserve rule sets
- “version control”

45 Rule Buttons
- Move
- Link
- Unlink
- Delete

46 Assignment for August 8
- Create a file system rule
- Create a Windows registry rule
- Deployment options

47 July-August Training Schedule
- July 12: adding and configuring a node using the basic rule set
- July 25: creating and modifying rules
- August 8: reports, dashboard, deployment

48 Contacts
- ucdtripwire@ucdavis.edu - class mailing list
- Vincent Fox - vbfox@ucdavis.edu
- Doreen Meyer - dimeyer@ucdavis.edu
- Bob Ono - raono@ucdavis.edu
- Paul Singh - pasingh@ucdavis.edu
- Software - software@ucdavis.edu
