
For Internet Facing and Private Data Systems

Course Overview
Day 1
Section 1: Functionality and Purpose
Day 2
Section 2: Policies and Alerts
Section 3: Live Lab

Lab Setup
Course DVD
Exercises & Demos
Hands-on experience throughout the course
VMWare Player
Windows 2003 Server
Self-contained: server and agent are on the same functional VMWare image
Demonstration preceding each exercise
Tripwire training books are available for checkout at the

Deployment diagram: push the agent out from the Tripwire Server to the system you're protecting, or install the agent manually on the system you're protecting. Agents accept settings from the server, perform tasks, and send results to the server.

Diagram: Tripwire Clients (Private Data System, IIS Server)

Functionality and Purpose 5

Minimum hardware requirements
Network port and hostname requirements
Agent Installation Services Password!!
Demo: Installing Tripwire Enterprise Server
software on Windows 2003 Server

Port Requirements

Port  Protocol  Application  Use
443   TCP       HTTPS        Secure HTTP connection to the Tripwire Enterprise from a web
8080  TCP       HTTP         Alternate HTTP port for application integration and agent updates
9898  TCP       Services     Communication to/from Agent

Any and all of these ports are configurable to a different port number.
Host must have a statically assigned IP address and have a hostname resolvable to this address.

Contact the CU Licensing Office for a License Authorization Code (LAC)
Pre-generated LACs include 30 file system nodes and 30 network nodes
Accessing the Tripwire Enterprise Console
Accepting the SSL Certificate
Logging In

Console Layout
Button Bar
Interface Toolbar
Tree Pane
Status Bar
Main Pane

User Accounts, Roles, and Groups
Pre-defined Roles
Power User
Regular User
Monitor User
User Administrator
User Groups

Access Controls
An access control limits the permissions of specific users and user groups to nodes and node groups.

User Settings
User Preferences
User preferences affect only the display for a
Difference (Viewer) Preferences

System Settings
Global configuration options which apply to all

Severity Ranges
A numeric value used in a rule to indicate changes to monitored objects and the relative importance of these changes.
Global Variables
Used in place of specific text strings or

Exercise 1: Accessing the Console
Exercise 2: Licenses
Exercise 3: Getting Help
Exercise 4: User Accounts and Roles
Exercise 5: User Groups
Exercise 6: Permissions
Exercise 7: User Preferences
Exercise 8: Severity Ranges
Exercise 9: Global Variables

How would one obtain a license to run a Tripwire Enterprise Server?
What are the configurable user settings?
What is a severity range?
What is a global variable?

Tripwire Enterprise Objects

Diagram: elements Index.html and Search.php with their element versions (edits dated Jan 3, July 30, April 7)

Understanding Groups
Node Groups
Rule Groups
Tasks and Nested Groups

Moving, Deleting, Linking, and Unlinking Objects
Copies of Node Objects
Discovered objects
The Unlinked Folder
Importing and exporting objects
Demo: Working with Objects

Exercise 1: Groups
Exercise 2: Moving, Linking, Unlinking, Deleting

What is the difference between a node, rule, action, and task?
How is a version related to an element?
Can actions be grouped?

Place Nodes in Groups
The Node Tree
Geographical Location
Type of Node
Other Node Options
Security Tab
Variables Tab (node specific)

Exercise 1: Node Specific Variables
Exercise 2: Agent Logs

Grouping Rules
The Rule Tree
Integrity Check
Links to Rules Library based on time to run
Rules Library
Type of Node
Handout: File System Rule Configuration Reference
Handout: Windows Registry Key and Value Attributes

Create Criteria Sets
Choosing file attributes
Static attributes
Dynamic attributes
Content attribute
Permissions attributes
Package data attributes

Exercise 1: Criteria Sets
Exercise 2: File System Rules
Exercise 3: Registry Rules
Exercise 4: Command Output Capture Rules

An action is an event that is executed based on the outcome of an element change.
Predefined Actions for file systems
Handout: Actions and Conditional Actions

What is the best practice for organizing nodes?
Give an example of a rule that you would create.
Would you associate that rule with an action?

Creating Baselines
3 steps before running a baseline
Check Severity Ranges
Check Monitored Objects

Change Notification
E-mail Action Summary vs. Contextual
Execution Action
Finding Changed Objects

Using the Difference Viewer
Exercise: Examining changes

Exercise 1: Tasks and Baselines for File System

Promoting expected changes
Promote by reference

Managing unexpected changes
Gathering audit information
Irrelevant Changes rule tuning

What is a baseline?
What objects are necessary to schedule a
What is an indication of a change in the Tripwire
What are the different responses to changes?

Archiving Log Messages
Compacting Element Versions

What is the purpose of Tripwire?
What does Tripwire monitor?
What are the objects that make up a task?
How does Tripwire detect changes?

Creating Policies to Manage Change
General Principles
Step 1: Define a Policy
Step 2: Outline the Policy
Step 3: Create the Policy Objects

Categorize Objects
Remediate Changes
Minimize the amount of effort required by IT and management staff

Internet Facing Systems Principles
Private Data Systems Principles
Live Lab Principles

Diagram: Change Occurs -> Scheduled Task Performed -> Change Detected -> Appropriate Administrator Alerted

Diagram: Change Occurred -> Evaluate
  Irrelevant -> Tuning
  Expected -> Promote
  Unexpected Change

Diagram: Change Detected (unexpected change)
  Unauthorized -> Declare Security
  Revert? -> Revert, or Promote
  Tuning -> Run the task or check the rules

Diagram: Change Detected -> Unexpected Change
  Tuning: fix the rule and task as necessary; run the task or check the rules
  Eliminate elements no longer checked
  Promote

Diagram: Change Detected -> Unexpected Change
  Promote changes as
  Generate Reports
Import the rules.xml file
We'll follow, step by step, the reasoning behind the pre-defined rules outlined in the rules.xml
