
For Internet Facing and Private Data Systems

• Audience
• Prerequisites
• Course Overview
  ◦ Day 1
    ▪ Section 1: Functionality and Purpose
  ◦ Day 2
    ▪ Section 2: Policies and Alerts
    ▪ Section 3: Live Lab


• Lab Setup – Course DVD
• Exercises & Demos
  ◦ Hands-on experience throughout the course
  ◦ VMware Player
    ▪ Windows 2003 Server
    ▪ Self-contained: server and agent are on the same functional VMware image
  ◦ Demonstration preceding each exercise
• Tripwire training books are available for checkout at the library



[Diagram: Tripwire Server and its agents]
Tripwire Server
  ◦ Push the agent out to the system you're protecting
  ◦ Or, install the agent manually on the system you're protecting
Agents accept settings from the server, perform tasks, and send results to the server.
Monitored nodes shown: Private Data System, IIS Server, Tripwire Clients
Functionality and Purpose 5


• Minimum hardware requirements
• Network port and hostname requirements
• Agent Installation – Services Password!!
• Demo: Installing Tripwire Enterprise Server software on Windows 2003 Server

Port Requirements

Port   Protocol   Application   Use
443    TCP        HTTPS         Secure HTTP connection to Tripwire Enterprise from a web browser
8080   TCP        HTTP          Alternate HTTP port for application integration and agent updates
9898   TCP        Services      Communication to/from the Agent Service

Any and all of these ports are configurable to a different port number.
The host must have a statically assigned IP address and a hostname resolvable to that address.


• Licensing
  ◦ Contact the CU Licensing Office for a License Authorization Code (LAC)
  ◦ Pre-generated LACs include 30 file system nodes and 30 network nodes
• Accessing the Tripwire Enterprise Console
  ◦ Accepting the SSL Certificate
  ◦ Logging In

• Console Layout
  ◦ Sidebar
  ◦ Tabs
  ◦ Button Bar
  ◦ Interface Toolbar
  ◦ Tree Pane
  ◦ Status Bar
  ◦ Main Pane
Policies and Alerts 11

• User Accounts, Roles, and Groups
  ◦ Pre-defined Roles
    ▪ Administrator
    ▪ Power User
    ▪ Regular User
    ▪ Monitor User
    ▪ User Administrator
  ◦ User Groups

Functionality and Purpose 13 . Access Controls ◦An access control is used to limit the permissions of the specific users and user groups to nodes and node groups.

• User Settings
  ◦ User Preferences
    ▪ User preferences affect only the display for that user
  ◦ Difference (Viewer) Preferences

• System Settings
  ◦ Global configuration options which apply to all users

  ◦ Severity Ranges
    ▪ A numeric value used in a rule to indicate changes to monitored objects and the relative importance of those changes.
  ◦ Global Variables
    ▪ Used in place of specific text strings or passwords.

• Exercise 1: Accessing the Console
• Exercise 2: Licenses
• Exercise 3: Getting Help
• Exercise 4: User Accounts and Roles
• Exercise 5: User Groups
• Exercise 6: Permissions
• Exercise 7: User Preferences
• Exercise 8: Severity Ranges
• Exercise 9: Global Variables

• How would one obtain a license to run a Tripwire Enterprise Server?
• What are the configurable user settings?
• What is a severity range?
• What is a global variable?


• Tripwire Enterprise Objects
  ◦ Nodes
  ◦ Rules
  ◦ Actions
  ◦ Tasks


• Tripwire Enterprise Objects
  ◦ Elements
  ◦ Versions

[Diagram: node IIS Server with elements Index.html and Search.php; each Edit of an element produces a new version, shown here dated Jan 3, July 30 and April 7]

• Understanding Groups
  ◦ Node Groups
  ◦ Rule Groups
  ◦ Tasks and Nested Groups

• Moving, Deleting, Linking, and Unlinking Objects
  ◦ Move
  ◦ Delete
  ◦ Copies of Node Objects
  ◦ Linking
    ▪ Discovered objects
  ◦ Unlinking
    ▪ The Unlinked Folder
  ◦ Importing and exporting objects
• Demo: Working with Objects

• Exercise 1 – Groups
• Exercise 2 – Moving, Deleting, Linking, Unlinking Objects

• What is the difference between a node, rule, action, and task?
• How is a version related to an element?
• Can actions be grouped?


• Place Nodes in Groups
  ◦ The Node Tree
    ▪ Geographical Location
    ▪ Type of Node
• Other Node Options
  ◦ Security Tab
  ◦ Variables Tab (node specific)

• Exercise 1 – Node Specific Variables
• Exercise 2 – Agent Logs


• Grouping Rules
  ◦ The Rule Tree
    ▪ Integrity Check
    ▪ Links to Rules Library based on time to run
  ◦ Rules Library
    ▪ Type of Node
    ▪ Platform
• Handout: File System Rule Configuration Reference
• Handout: Windows Registry Key and Value Attributes

• Create Criteria Sets
  ◦ Choosing file attributes
    ▪ Static attributes
    ▪ Dynamic attributes
    ▪ Content attribute
    ▪ Permissions attributes
    ▪ Package data attributes

• Exercise 1 – Criteria Sets
• Exercise 2 – File System Rules
• Exercise 3 – Registry Rules
• Exercise 4 – Command Output Capture Rules


• An action is an event that is executed based on the outcome of an element change
• Predefined Actions for file systems
• Handout: Actions and Conditional Actions

• What is the best practice for organizing nodes?
• Give an example of a rule that you would create. Would you associate that rule with an action?



• Creating Baselines
  ◦ 3 steps before running a baseline
    ▪ Check Severity Ranges
    ▪ Check Monitored Objects
    ▪ Schedule


• Change Notification
  ◦ E-mail Action – Summary vs. Contextual
  ◦ Execution Action
• Finding Changed Objects

• Using the Difference Viewer
  ◦ Modification
  ◦ Addition
  ◦ Removal
• Exercise: Examining changes
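The following is an added example written for this page; it is not Tripwire's code. It shows, in plain Python, the mechanics behind a baseline and an integrity check: each monitored file (an element) is recorded with a set of attributes like those chosen in a criteria set (content hash, size, permission bits), a later snapshot is compared against the baseline, and every difference is reported as a Modification, Addition or Removal, the three change types the Difference Viewer distinguishes, with a severity taken from the first matching rule. The rule patterns, severities and sample files are constructed for the demonstration.

```python
"""Minimal file-integrity baseline and check in the style of an integrity
check: snapshot monitored elements, compare against the baseline, classify
each difference (Addition / Modification / Removal) and attach a rule
severity.  Example code for this page, not Tripwire's implementation."""
import fnmatch
import hashlib
import stat
import tempfile
from pathlib import Path

# Constructed rules: (glob pattern on the file name, severity).  First match wins.
RULES = [
    ("*.dll", 100),   # binaries: high severity
    ("*.html", 50),   # web content: medium
    ("*", 10),        # everything else: low
]


def snapshot(root):
    """Record content hash, size and permission bits of every file under root,
    keyed by the path relative to root (one record per monitored element)."""
    root = Path(root)
    elements = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        elements[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return elements


def severity_for(element, rules=RULES):
    """Severity assigned by the first rule whose pattern matches the file name."""
    name = element.rsplit("/", 1)[-1]
    for pattern, sev in rules:
        if fnmatch.fnmatch(name, pattern):
            return sev
    return 0


def compare(baseline, current, rules=RULES):
    """Diff two snapshots into a sorted list of change records.

    Each record names the element, the change type, the attributes that
    differ and the severity of the rule covering the element."""
    changes = []
    for element in sorted(set(baseline) | set(current)):
        if element not in baseline:
            kind, attrs = "Addition", sorted(current[element])
        elif element not in current:
            kind, attrs = "Removal", sorted(baseline[element])
        else:
            attrs = sorted(a for a in baseline[element]
                           if baseline[element][a] != current[element].get(a))
            if not attrs:
                continue  # current version matches the baseline: no change
            kind = "Modification"
        changes.append({"element": element, "type": kind, "attributes": attrs,
                        "severity": severity_for(element, rules)})
    return changes


def main():
    # Constructed demo: baseline a temporary directory, alter it, re-check.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.html").write_text("<h1>hello</h1>")
        (Path(root) / "app.dll").write_bytes(b"MZ original")
        baseline = snapshot(root)

        (Path(root) / "index.html").write_text("<h1>changed</h1>")  # modification
        (Path(root) / "app.dll").unlink()                            # removal
        (Path(root) / "cmd.exe").write_bytes(b"MZ new")              # addition
        for c in compare(baseline, snapshot(root)):
            print(f"{c['severity']:>3}  {c['type']:<12} {c['element']}  {c['attributes']}")


if __name__ == "__main__":
    main()
```

The snapshot deliberately stores several attributes per element rather than only a hash, so that a permission-only change (a dynamic or permissions attribute) is reported even when the content is untouched, and so the report names which attributes moved.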

• Exercise 1 – Tasks and Baselines for File System Objects


• Promoting expected changes
  ◦ Manual
  ◦ Promote by reference

• Managing unexpected changes
• Gathering audit information
• Irrelevant Changes – rule tuning

• What is a baseline?
• What objects are necessary to schedule a baseline?
• What is an indication of a change in the Tripwire console?
• What are the different responses to changes?


• Archiving Log Messages
• Compacting Element Versions

• What is the purpose of Tripwire?
• What does Tripwire monitor?
• What are the objects that make up a task?
• How does Tripwire detect changes?


• Creating Policies to Manage Change
  ◦ General Principles
  ◦ Step 1: Define a Policy
  ◦ Step 2: Outline the Policy
  ◦ Step 3: Create the Policy Objects


• Categorize Objects
• Remediate Changes
• Minimize the amount of effort required by IT and management staff


• Internet Facing Systems Principles
• Private Data Systems Principles
• Live Lab Principles

[Flowchart: Change Occurs → Scheduled Task Performed → Change Detected → Appropriate Administrator Alerted]

[Flowchart: evaluating a change]
Change Occurred → Evaluate
  Irrelevant → Tuning
  Expected → Promote
  Unexpected → Unexpected Change


[Flowchart: responding to a detected change]
Change Detected → Unexpected?
  No → Tuning or Promote: run the task or check the rules
  Yes → Authorized?
    Unauthorized → Declare Security Incident
    Authorized → Revert?
      Yes → Revert
      No → Promote


[Flowchart: the tuning step]
Change Detected → Unexpected Change → Tuning:
  Fix the rule and task as necessary
  Run the task or check the rules
  Eliminate elements no longer checked
  → Promote


[Flowchart: the promotion step]
Change Detected → Unexpected Change → Tuning → Promote changes as necessary → Generate Reports
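The flowcharts on these slides describe a triage procedure for detected changes. As an added example (written for this page, not part of Tripwire Enterprise), the code below turns that procedure into a small decision engine: a change is Irrelevant if it matches a tuning list, Expected if it falls inside an approved change window, and otherwise an Unexpected Change that an administrator resolves as authorized (revert or promote) or unauthorized (declare a security incident); a report step then summarises the dispositions. The approved-change register, tuning patterns, ticket numbers and sample change records are all constructed for the demonstration, and the "review" field stands in for the administrator's answer to the Authorized? and Revert? questions.

```python
"""Triage of detected changes following the course flowchart:
Irrelevant -> Tuning, Expected -> Promote, Unexpected -> Unexpected Change,
which an administrator resolves as authorized (revert or promote) or
unauthorized (declare a security incident).  Example code written for this
page; it is not part of Tripwire Enterprise."""
import fnmatch
from collections import Counter
from datetime import datetime

# Constructed approved-change register: a change to an element matching the
# pattern, detected inside the window, is an expected change.
APPROVED_CHANGES = [
    {"ticket": "CHG-0001", "pattern": "wwwroot/*.html",
     "start": datetime(2024, 1, 3, 9, 0), "end": datetime(2024, 1, 3, 12, 0)},
]
# Constructed tuning list: noisy elements the rule should stop monitoring.
IRRELEVANT_PATTERNS = ["logs/*.log"]


def evaluate(change, approved=APPROVED_CHANGES, irrelevant=IRRELEVANT_PATTERNS):
    """Classify one change record and return (disposition, next_step).

    change: {"element", "type", "detected_at", optional "review"}, where
    review is the administrator's decision {"authorized": bool, "revert": bool}."""
    element, when = change["element"], change["detected_at"]
    if any(fnmatch.fnmatch(element, p) for p in irrelevant):
        return "Irrelevant", "Tuning: fix the rule, eliminate the element, re-run the task"
    for entry in approved:
        if fnmatch.fnmatch(element, entry["pattern"]) and entry["start"] <= when <= entry["end"]:
            return "Expected", f"Promote (approved under {entry['ticket']})"
    review = change.get("review")
    if review is None:
        return "Unexpected", "Alert the appropriate administrator"
    if not review.get("authorized", False):
        return "Unauthorized", "Declare security incident"
    if review.get("revert", False):
        return "Authorized", "Revert, then run the task or check the rules"
    return "Authorized", "Promote"


def report(changes, **kwargs):
    """The 'Generate Reports' step: one row per change plus counts by disposition."""
    rows = [(c["element"], *evaluate(c, **kwargs)) for c in changes]
    return {"rows": rows, "counts": dict(Counter(d for _, d, _ in rows))}


# Constructed sample change records, as an integrity check might produce them.
T = datetime(2024, 1, 3, 10, 0)
SAMPLE_CHANGES = [
    {"element": "wwwroot/index.html", "type": "Modification", "detected_at": T},
    {"element": "logs/app.log", "type": "Modification", "detected_at": T},
    {"element": "system32/helper.dll", "type": "Addition", "detected_at": T,
     "review": {"authorized": False}},
    {"element": "wwwroot/config.ini", "type": "Modification",
     "detected_at": datetime(2024, 1, 3, 20, 0),
     "review": {"authorized": True, "revert": True}},
]

if __name__ == "__main__":
    result = report(SAMPLE_CHANGES)
    for element, disposition, step in result["rows"]:
        print(f"{disposition:<12} {element:<24} {step}")
    print(result["counts"])
```

Keeping the approved-change register time-bounded is what makes "expected" meaningful: the same edit to wwwroot/index.html outside the window is routed to an administrator instead of being promoted automatically.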



• Import the rules.xml file
• We'll follow, step by step, the reasoning behind the pre-defined rules that are outlined in the rules.xml file
