For Internet Facing and Private Data Systems

Audience
Prerequisites
Course Overview
Day 1
Section 1: Functionality and Purpose
Day 2
Section 2: Policies and Alerts
Section 3: Live Lab

Lab Setup Course DVD
Exercises & Demos
Hands on experience throughout the course
VMWare Player
Windows 2003 Server
Self-contained, server and agent are on the same
functional VMWare image
Demonstration preceding each exercise
Tripwire training books are available for checkout at the
library

Agent deployment (diagram): the Tripwire Server pushes the agent out to the system you're protecting, or the agent is installed manually on that system. Agents accept settings from the server, perform tasks, and send results to the server.

Tripwire Clients (diagram): Private Data System, IIS Server

Functionality and Purpose 5

Minimum hardware requirements
Network port and hostname requirements
Agent Installation Services Password!!
Demo: Installing Tripwire Enterprise Server
software on Windows 2003 Server

Port Requirements

Port  Protocol  Application  Use
443   TCP       HTTPS        Secure HTTP connection to the Tripwire Enterprise Console from a web browser
8080  TCP       HTTP         Alternate HTTP port for application integration and agent updates
9898  TCP       Services     Communication to/from the Agent Service

Any and all of these ports are configurable to a different port number.
The host must have a statically assigned IP address and a hostname resolvable to this address.

Licensing
Contact the CU Licensing Office for License
Authorization Code (LAC)
Pre-generated LACs include 30 file system
nodes and 30 network nodes
Accessing the Tripwire Enterprise Console
Accepting the SSL Certificate
Logging In

Console Layout
Sidebar
Tabs
Button Bar
Interface Toolbar
Tree Pane
Status Bar
Main Pane

Policies and Alerts 11

User Accounts, Roles, and Groups
Pre-defined Roles
Administrator
Power User
Regular User
Monitor User
User Administrator
User Groups

Access Controls
An access control is used to limit the
permissions of the specific users and user
groups to nodes and node groups.

User Settings
User Preferences
User preferences affect only the display for a
user
Difference (Viewer) Preferences

System Settings
Global configuration options which apply to all
users

Severity Ranges
A numeric value assigned in a rule to changes to monitored objects, indicating
the relative importance of those changes.
Global Variables
Used in place of specific text strings or
passwords.

Exercise 1: Accessing the Console
Exercise 2: Licenses
Exercise 3: Getting Help
Exercise 4: User Accounts and Roles
Exercise 5: User Groups
Exercise 6: Permissions
Exercise 7: User Preferences
Exercise 8: Severity Ranges
Exercise 9: Global Variables

How would one obtain a license to run a Tripwire
Enterprise Server?
What are the configurable user settings?
What is a severity range?
What is a global variable?

Tripwire Enterprise Objects
Nodes
Rules
Actions
Tasks

Tripwire Enterprise Objects
Elements
Versions

Elements and versions (diagram): the IIS Server node contains the elements Index.html and Search.php; each edit of an element (Jan 3, July 30, April 7) creates a new version of that element.

Understanding Groups
Node Groups
Rule Groups
Tasks and Nested Groups

Moving, Deleting, Linking, and Unlinking Objects
Move
Delete
Copies of Node Objects
Linking
Discovered objects
Unlinking
The Unlinked Folder
Importing and exporting objects
Demo: Working with Objects

Exercise 1 Groups
Exercise 2 Moving, Linking, Unlinking, Deleting
Objects

What is the difference between a node, rule,
action, and task?
How is a version related to an element?
Can actions be grouped?

Place Nodes in Groups
The Node Tree
Geographical Location
Type of Node
Other Node Options
Security Tab
Variables Tab (node specific)

Exercise 1 Node Specific Variables
Exercise 2 Agent Logs

Grouping Rules
The Rule Tree
Integrity Check
Links to Rules Library based on time to run
Rules Library
Type of Node
Platform
Handout: File System Rule Configuration Reference
Handout: Windows Registry Key and Value Attributes

Create Criteria Sets
Choosing file attributes
Static attributes
Dynamic attributes
Content attribute
Permissions attributes
Package data attributes

Exercise 1 Criteria Sets
Exercise 2 File System Rules
Exercise 3 Registry Rules
Exercise 4 Command Output Capture Rules

An action is an event that is executed in response to the outcome of an
element change
Predefined Actions for file systems
Handout: Actions and Conditional Actions

What is the best practice for organizing nodes?
Give an example of a rule that you would create.
Would you associate that rule with an action?

Creating Baselines
3 steps before running a baseline
Check Severity Ranges
Check Monitored Objects
Schedule

Change Notification
E-mail Action Summary vs. Contextual
Execution Action
Finding Changed Objects

Using the Difference Viewer
Modification
Addition
Removal
Exercise: Examining changes

Exercise 1 Tasks and Baselines for File System
Objects

Promoting expected changes
Manual
Promote by reference
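The baseline, integrity check, difference viewer and promote-by-reference steps above, reduced to one stand-alone script. This is an added example and not Tripwire Enterprise code; it talks to no server or agent. The criteria set, the function names (snapshot, baseline, integrity_check, promote, demo) and the two sample web files are assumptions constructed for the demo.

```python
"""Baseline -> integrity check -> promote, as a stand-alone script.

Added example; not Tripwire Enterprise code. A criteria set picks which
attributes of an element are compared, a baseline records one version per
element, an integrity check classifies each element as modified, added or
removed, and promotion accepts selected current versions into the baseline.
"""
import hashlib
import stat
import tempfile
from pathlib import Path

# Criteria set: attribute name -> how to compute it from stat() and content.
# Static attributes (size, mode) and the content hash are stable across reads.
# Dynamic attributes such as mtime/atime are left out on purpose: they change
# on every write and would need rule tuning to keep the noise down.
CRITERIA = {
    "size": lambda st, data: st.st_size,
    "mode": lambda st, data: stat.S_IMODE(st.st_mode),
    "sha256": lambda st, data: hashlib.sha256(data).hexdigest(),
}


def snapshot(path: Path, criteria=CRITERIA) -> dict:
    """One element version: the selected attributes of a single file."""
    st = path.stat()
    data = path.read_bytes()
    return {name: fn(st, data) for name, fn in criteria.items()}


def baseline(root: Path, criteria=CRITERIA) -> dict:
    """Map every file under root (relative path) to its baseline version."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): snapshot(p, criteria)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def integrity_check(root: Path, base: dict, criteria=CRITERIA) -> dict:
    """Compare the current state with the baseline.

    Returns the three change types the difference viewer distinguishes
    (modification, addition, removal) plus the current versions, so that a
    caller can promote from them.
    """
    current = baseline(root, criteria)
    added = sorted(set(current) - set(base))
    removed = sorted(set(base) - set(current))
    modified = {}
    for name in sorted(set(current) & set(base)):
        diff = {
            attr: (base[name][attr], current[name][attr])
            for attr in base[name]
            if base[name][attr] != current[name][attr]
        }
        if diff:
            modified[name] = diff
    return {"added": added, "removed": removed, "modified": modified,
            "current": current}


def promote(base: dict, result: dict, names) -> dict:
    """Promote by reference: accept the current version of the named elements.

    A promoted addition enters the baseline, a promoted removal leaves it and
    a promoted modification replaces the stored version. Everything else is
    untouched, so the next check reports it again.
    """
    new = dict(base)
    for name in names:
        if name in result["current"]:
            new[name] = result["current"][name]
        else:
            new.pop(name, None)
    return new


def demo() -> dict:
    """Run the cycle against constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample web root, mirroring the IIS node in the slides.
        (root / "index.html").write_bytes(b"<h1>hello</h1>\n")
        (root / "search.php").write_bytes(b"<?php echo 'search'; ?>\n")
        base = baseline(root)

        # Simulate one change of each kind between two scheduled checks.
        (root / "index.html").write_bytes(b"<h1>hello</h1>\n<p>new</p>\n")  # modification
        (root / "upload.php").write_bytes(b"<?php /* unexpected */ ?>\n")   # addition
        (root / "search.php").unlink()                                         # removal
        first = integrity_check(root, base)

        # Only the index.html edit was expected: promote it and re-run the
        # check. The other two keep showing up until they are dealt with.
        promoted = promote(base, first, ["index.html"])
        recheck = integrity_check(root, promoted)
        return {"first": first, "recheck": recheck}


if __name__ == "__main__":
    import json
    out = demo()
    for phase in ("first", "recheck"):
        print(phase, json.dumps({k: out[phase][k] for k in ("added", "removed", "modified")}, indent=2))
```

The point to take from the re-check is that promotion is per element: an unexplained addition or removal stays visible on every scheduled run until it is either promoted, reverted, or tuned out of the rule.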

Managing unexpected changes
Gathering audit information
Irrelevant Changes rule tuning

What is a baseline?
What objects are necessary to schedule a
baseline?
What is an indication of a change in the Tripwire
console?
What are the different responses to changes?

Archiving Log Messages
Compacting Element Versions

What is the purpose of Tripwire?
What does Tripwire monitor?
What are the objects that make up a task?
How does Tripwire detect changes?

Creating Policies to Manage Change
General Principles
Step 1: Define a Policy
Step 2: Outline the Policy
Step 3: Create the Policy Objects

Categorize Objects
Remediate Changes
Minimize the amount of effort required by IT and
management staff

Internet Facing Systems Principles
Private Data Systems Principles
Live Lab Principles

Change lifecycle (diagram): Change Occurs -> Scheduled Task Performed -> Change Detected -> Appropriate Administrator Alerted

Evaluating a change (diagram):
Change Occurred -> Evaluate
  Irrelevant -> Tuning
  Expected -> Promote Change
  Unexpected -> Unexpected Change

Handling an unexpected change (diagram):
Change Detected -> Unexpected?
  Unauthorized -> Declare Security Incident
  Authorized -> Revert?
    Yes -> Revert
    No -> Promote
  Tuning -> Run the task or check the rules
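The two decision charts above (evaluate: irrelevant / expected / unexpected, then unexpected: authorized with or without revert, or unauthorized and declare a security incident) as one triage routine. This is an added example, not Tripwire Enterprise code and not tied to its console. The change records, the approved-change list, the irrelevant-element patterns, the severity numbers and the names triage and triage_report are all constructed for the demo.

```python
"""Triage of detected changes following the course's decision flow.

Added example; not Tripwire Enterprise code. All data below is constructed.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    node: str        # node the agent reported from
    element: str     # monitored object (file path or registry key)
    kind: str        # "added", "modified" or "removed"
    severity: int    # numeric severity from the rule's severity range


# Constructed approved-change record: (node, element) -> handling.
# "expected" changes were announced before the check ran (a deployment);
# "authorized" ones were not expected but turn out to have a ticket, and
# the ticket says whether the change has to be reverted.
APPROVED = {
    ("web01", "C:/inetpub/wwwroot/index.html"): {"ticket": "CHG-100", "expected": True, "revert": False},
    ("web01", "C:/inetpub/wwwroot/hotfix.dll"): {"ticket": "CHG-101", "expected": False, "revert": True},
    ("db01", "HKLM/SOFTWARE/App/Version"): {"ticket": "CHG-102", "expected": False, "revert": False},
}

# Constructed rule-tuning exclusions: elements that churn on their own and
# carry no security meaning on these nodes (the "irrelevant" branch).
IRRELEVANT = ["*/Temp/*", "*.log", "*/Logs/*"]


def triage(change: Change, approved=APPROVED, irrelevant=IRRELEVANT) -> dict:
    """Return the disposition and next step for one detected change."""
    key = (change.node, change.element)
    if any(fnmatch.fnmatch(change.element, pat) for pat in irrelevant):
        # Irrelevant -> Tuning: fix the rule, then run the task again.
        return {"disposition": "irrelevant", "next": "tune"}
    record = approved.get(key)
    if record is None:
        # Unexpected and unauthorized -> Declare Security Incident.
        return {"disposition": "unauthorized", "next": "incident"}
    if record["expected"]:
        # Expected -> Promote Change.
        return {"disposition": "expected", "next": "promote", "ticket": record["ticket"]}
    # Unexpected but authorized -> Revert? yes: Revert, no: Promote.
    action = "revert" if record["revert"] else "promote"
    return {"disposition": "authorized", "next": action, "ticket": record["ticket"]}


def triage_report(changes, **kw) -> dict:
    """Bucket a check's changes by next step; incidents highest severity first."""
    out = {"tune": [], "promote": [], "revert": [], "incident": []}
    for ch in changes:
        d = triage(ch, **kw)
        if d["next"] == "incident":
            out["incident"].append({"node": ch.node, "element": ch.element,
                                    "kind": ch.kind, "severity": ch.severity})
        else:
            out[d["next"]].append(f"{ch.node}:{ch.element}")
    out["incident"].sort(key=lambda i: -i["severity"])
    return out


# Constructed sample output of one scheduled integrity check.
SAMPLE_CHANGES = [
    Change("web01", "C:/inetpub/wwwroot/index.html", "modified", 1000),
    Change("web01", "C:/inetpub/wwwroot/hotfix.dll", "added", 10000),
    Change("web01", "C:/Windows/Temp/tmp123.tmp", "added", 100),
    Change("db01", "HKLM/SOFTWARE/App/Version", "modified", 1000),
    Change("web01", "C:/inetpub/wwwroot/unknown.aspx", "added", 10000),
    Change("db01", "C:/Data/customers.mdb", "modified", 5000),
]


if __name__ == "__main__":
    import json
    print(json.dumps(triage_report(SAMPLE_CHANGES), indent=2))
```

Whatever ends in promote or revert still goes through the tuning step on the chart: re-run the task (or check the rules) so the baseline reflects the decision before the next scheduled check.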

Tuning after an unexpected change (diagram):
Change Detected -> Unexpected Change -> Tuning
  Fix the rule and task as necessary
  Run the task or check the rules
  Eliminate elements no longer checked
  Promote

Closing the loop (diagram):
Change Detected -> Unexpected Change -> Tuning -> Promote changes as necessary -> Generate Reports

Import the rules.xml file
We'll follow, step by step, the reasoning behind the
pre-defined rules outlined in the rules.xml file
