
Tripwire Enterprise Server Rule Sets


Presentation Transcript


    1. Tripwire Enterprise Server Rule Sets. Vincent Fox, Doreen Meyer, and Paul Singh, UC Davis, Information and Educational Technology, July 25, 2006

    2. Working with Rule Sets
        Questions
        Rule types and rule groups
        How does a rule work?
        The parts of a file system rule
        File system attributes
        Criteria sets
        Rule buttons

    4. File System Rule Types
        UNIX file system rules (files and directories)
        Windows file system rules (files and directories)
        Windows registry rules (keys and key values)

    5. Rules and Rule Groups

    6. Rule Search

    7. Default Rule Groups
        Root rule group
        Unlinked rule group

    8. Default Rule Groups

    9. How Does a File System Rule Work?
        1. A version check runs (as a baseline, a promotion, or a scheduled task).
        2. The rule identifies the files and directories (objects) to be checked, and which attributes of each object to check.
        3. The local agent determines whether the monitored objects have changed.
        4. If changes are detected, the local agent creates new element versions and sends them to the Enterprise Server.

    10. The Components of a File System Rule
        Start points
        Criteria sets
        Exclusions
        Stop points
        Actions

    11. File System Rule Components – Start Point

    12. File System Rule Components – Criteria Set

    13. File System Rule Components – Stop Point

    14. File System Rule Components – Exclusions

    15. File System Rule Components – Actions
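The rule mechanics of slides 9 through 15 (start points with their own severity and criteria set, stop points, exclusions, and the baseline-then-check cycle that produces new element versions) can be seen end to end in a small model. This is an added example written for this page, not Tripwire code; it assumes that a stop point removes an object and its whole subtree from monitoring and that exclusions are glob patterns matched against file names, and the tree it builds is constructed for the demo. Its two criteria sets stand in for the UNIX "Content Only" and "Permissions Only" sets shown on slides 35 and 36.

```python
"""Mini file-integrity check modelling the parts of a Tripwire Enterprise file
system rule.  Added example, not Tripwire code.  Assumptions: a stop point
removes an object and its subtree from monitoring; exclusions are glob
patterns matched against file names."""
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass

# Criteria sets: which attributes get recorded for an object.
CONTENT_ONLY = ("size", "sha256")
PERMISSIONS_ONLY = ("mode", "uid", "gid")


@dataclass(frozen=True)
class StartPoint:
    path: str
    criteria: tuple
    severity: int  # one severity level per start point


@dataclass(frozen=True)
class Rule:
    start_points: tuple
    stop_points: tuple = ()  # not monitored, subtree included (assumed)
    exclusions: tuple = ()   # glob patterns on the file name (assumed)


def read_attributes(path, criteria):
    """Collect only the attributes the start point's criteria set asks for."""
    st = os.lstat(path)
    attrs = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
             "uid": st.st_uid, "gid": st.st_gid}
    if "sha256" in criteria and stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            attrs["sha256"] = hashlib.sha256(fh.read()).hexdigest()
    return {k: attrs[k] for k in criteria if k in attrs}


def monitored_objects(rule):
    """Yield (path, start_point) for every file the rule covers."""
    for sp in rule.start_points:
        for root, dirs, files in os.walk(sp.path):
            # Stop points: prune before descending.
            dirs[:] = sorted(d for d in dirs
                             if os.path.join(root, d) not in rule.stop_points)
            for name in sorted(files):
                path = os.path.join(root, name)
                if path in rule.stop_points or any(
                        fnmatch.fnmatch(name, pat) for pat in rule.exclusions):
                    continue
                yield path, sp


def snapshot(rule):
    """Baseline or version check: {path: (attributes, severity)}."""
    return {p: (read_attributes(p, sp.criteria), sp.severity)
            for p, sp in monitored_objects(rule)}


def compare(baseline, current):
    """New element versions the agent would report: {path: (change, severity)}."""
    changes = {}
    for p in baseline.keys() | current.keys():
        if p not in current:
            changes[p] = ("removed", baseline[p][1])
        elif p not in baseline:
            changes[p] = ("added", current[p][1])
        elif baseline[p][0] != current[p][0]:
            diff = [k for k in baseline[p][0] if baseline[p][0][k] != current[p][0][k]]
            changes[p] = ("modified:" + ",".join(sorted(diff)), current[p][1])
    return changes


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed tree: baseline, tamper, check.  Returns changes by relative path."""
    root = tempfile.mkdtemp()
    try:
        etc, bin_ = os.path.join(root, "etc"), os.path.join(root, "bin")
        cache = os.path.join(etc, "cache")
        for d in (etc, bin_, cache):
            os.mkdir(d)
        _write(os.path.join(etc, "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(etc, "passwd.bak"), b"old\n")
        _write(os.path.join(bin_, "ls"), b"\x7fELF (constructed stand-in)\n")
        os.chmod(os.path.join(bin_, "ls"), 0o755)
        rule = Rule(start_points=(StartPoint(etc, CONTENT_ONLY, 100),
                                  StartPoint(bin_, PERMISSIONS_ONLY, 75)),
                    stop_points=(cache,), exclusions=("*.bak",))
        baseline = snapshot(rule)
        # Tampering: extra uid-0 account, setuid bit on ls, plus noise under
        # the stop point and in an excluded file that must NOT be reported.
        _write(os.path.join(etc, "passwd"),
               b"root:x:0:0:root:/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(bin_, "ls"), 0o4755)
        _write(os.path.join(cache, "junk"), b"x")
        _write(os.path.join(etc, "passwd.bak"), b"changed\n")
        changes = compare(baseline, snapshot(rule))
        return {os.path.relpath(p, root): c for p, c in changes.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, (change, severity) in sorted(demo().items()):
        print(f"{severity:>5}  {change:<22} {path}")
```

Note what the "Permissions Only" start point does and does not see: the setuid bit on bin/ls is reported (mode changed), but a content change to that binary would not be, which is why production rule sets normally record both content and permission attributes for system binaries.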

    16. Adjusting Rules
        Add a start point
        Edit an existing start point
        Add a stop point
        Delete a single stop point

    17. Adjusting a Rule in Node View

    18. Adjusting a Rule

    19. Severity Levels and Severity Ranges A severity level is a numeric value that indicates the importance of a change. Severity levels are assigned to every rule. For file system rules, you assign a severity level to each start point in the rule.

    20. Default Severity Ranges

    21. Global Severity Settings

    22. Attributes and Criteria Sets
        File system attributes
        Creating and modifying criteria sets
        Tripwire keeps an encrypted database of file and registry attributes, including four content digests: HAVAL, MD5, SHA and CRC-32. CRC-32 is a linear checksum rather than a cryptographic hash, so a content criteria set should not rely on it alone.
        On Windows, Tripwire detects changes to 29 file/directory properties and 21 registry key/value properties.

    25. Attributes – Files/Directories
        Archive flag; Read-only flag; Hidden flag; Offline flag; Temporary flag; System flag; Directory flag
        Last access time; Last write time; Create time; File size
        Turns on event tracking for that object
        MS-DOS 8.3 name; NTFS Compressed flag
        NTFS Owner SID; NTFS Group SID; NTFS DACL; NTFS SACL; Security descriptor control; Size of security descriptor
        CRC-32; MD5; SHA; HAVAL
        Number of NTFS streams; CRC-32, MD5, SHA and HAVAL hashes of all alternate data streams
        Notes. DACL: Discretionary Access Control List. The DACL is controlled by the owner of an object and specifies the access particular users or groups have to that object. If you need to manage DACLs of files or directories on an NTFS volume, you can use cacls, which comes with Windows, or the NT resource kit utility xcacls, which provides some extended functionality (icacls replaces cacls on Windows Vista and later). SACL: the SACL is similar to the DACL except that it is used to audit rather than control access to an object. When an audited action occurs, the operating system records the event in the security log.
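Of the four content digests listed above, CRC-32 deserves a caveat before it is used in a criteria set: it is a linear checksum, so for any file and any target checksum the last four bytes can be chosen to produce that checksum. The following added example (written for this page, not Tripwire code; the sshd_config-style file is constructed, and content_attributes() is a stand-in for the content attributes a criteria set would record, with SHA-256 added alongside MD5 and SHA-1) tampers with a file while keeping both its size and its CRC-32 unchanged, then shows which attributes still detect the change.

```python
"""Why CRC-32 must not be the only content attribute in a criteria set.
Added example, not Tripwire code.  content_attributes() stands in for the
content attributes a criteria set would record."""
import hashlib
import zlib

MASK = 0xFFFFFFFF
TABLE = []
for n in range(256):  # standard reflected CRC-32 table (same as zlib's)
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
# Every table entry has a distinct top byte, so a top byte identifies its index.
INDEX_BY_TOP = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(INDEX_BY_TOP) == 256


def forge_suffix(data, target):
    """Return 4 bytes s such that zlib.crc32(data + s) == target."""
    reg = zlib.crc32(data) ^ MASK  # CRC register after 'data', before final xor
    want = target ^ MASK           # register value we must finish on
    # Backwards from 'want': each step fixes the table index used by one byte.
    indexes, r = [], want
    for _ in range(4):
        idx = INDEX_BY_TOP[r >> 24]
        indexes.append(idx)
        r = ((r ^ TABLE[idx]) << 8) & MASK
    # Forwards from the real register: choose each byte to hit that index.
    out = bytearray()
    for idx in reversed(indexes):
        out.append((reg ^ idx) & 0xFF)
        reg = TABLE[idx] ^ (reg >> 8)
    suffix = bytes(out)
    assert zlib.crc32(data + suffix) == target
    return suffix


def forged_crc_matches(data, target):
    """Self-check helper: does the forged suffix really produce 'target'?"""
    return zlib.crc32(data + forge_suffix(data, target)) == target


def tamper_same_size_and_crc(original, new_body):
    """Replace 'original' with 'new_body', padded to the same size, with the
    last four bytes forged so CRC-32 is unchanged as well."""
    assert len(new_body) + 4 <= len(original)
    body = new_body.ljust(len(original) - 4, b"#")  # '#' pads a comment line
    return body + forge_suffix(body, zlib.crc32(original))


def content_attributes(data):
    return {"size": len(data), "crc32": zlib.crc32(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def changed(before, after):
    """Names of the attributes whose values differ."""
    return sorted(k for k in before if before[k] != after[k])


def demo():
    """Constructed sshd_config-style file, tampered to keep size and CRC-32."""
    original = (b"PermitRootLogin no\nPasswordAuthentication no\n"
                b"# managed by configuration tool, do not edit\n")
    tampered = tamper_same_size_and_crc(
        original, b"PermitRootLogin yes\nPasswordAuthentication yes\n")
    return changed(content_attributes(original), content_attributes(tampered))


if __name__ == "__main__":
    print("attributes that still detect the change:", demo())
```

Size and CRC-32 both report "unchanged" for the tampered file; only the cryptographic hashes flag it. When building a content-only criteria set, include SHA (or a stronger hash where the product offers one) rather than CRC-32 alone.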

    27. Windows Registry: Attributes

    28. Windows Registry
        User settings: HKEY_USERS, HKEY_CURRENT_USER
        System settings: HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG

    29. Developing the UCD Windows Rule Set
        Critical OS system files and directories.
        Determine critical registry keys.
        Keep it general initially.
        Tailor to more specifics per system and business requirements.

    31. File System Attributes for UNIX

    32. File System Attributes for UNIX

    33. File System Attributes for UNIX

    34. Criteria Sets for UNIX

    35. UNIX Criteria Set – Content Only

    36. UNIX Criteria Set – Permissions Only

    37. Rule Buttons
        New Group
        New Rule
        Import, Export
        Move
        Link, Unlink
        Delete

    38. New Rule Group

    39. New Rule

    40. New Rule

    41. New Rule

    42. New Rule

    43. New Rule

    44. Rule Import and Export. Import and export rules to preserve rule sets, a simple form of "version control" for rule changes.

    45. Rule Buttons
        Move
        Link
        Unlink
        Delete

    46. Assignment for August 8
        Create a file system rule
        Create a Windows registry rule
        Deployment options

    47. July-August Training Schedule
        July 12: adding and configuring a node using the basic rule set
        July 25: creating and modifying rules
        August 8: reports, dashboard, deployment

    48. Contacts ucdtripwire@ucdavis.edu - class mailing list Vincent Fox - vbfox@ucdavis.edu Doreen Meyer - dimeyer@ucdavis.edu Bob Ono - raono@ucdavis.edu Paul Singh - pasingh@ucdavis.edu Software - software@ucdavis.edu
