Tripwire Enterprise Server – Basic Tasks

Topics
- Server install Q&A
- Understanding the UI
- Settings manager
- Your first node!
  o Importing useful rules
  o Agent install
  o The managers: nodes, rules, actions, tasks, logs
  o Baselining, version checks, promotion

Server Install
- Single-server, just run the installer
- Dual-server, you will need to add parameters to the install command
- Windows cannot install over TS
- STORE THOSE PASSWORDS!
- *Note: in 5.5, problems using a Services Password > 8 chars

Server firewall/NAT
- Firewall, see Installation Guide, Chapter 1. Network requirements
- NAT, see Reference Guide, Chapter 4. System Properties

Tripwire UI
The TE GUI has many elements of a familiar desktop, but is not. This can lead to frustration and broken mice.

Zones of the console

TE Console Areas

TE Console Flubs

Server Settings
- User preference settings
- System preferences
- Email server

Useful Account Setting

System Preferences
- Shorten ‘session timeout’ to 10 minutes

Email Servers

Administration Settings
- Configure login method
- Creating roles
- Creating a user group
- Creating users

Configure Login Method

Roles

Modifying Roles

Creating User Groups
- Functional groups usually by role
- Obvious groupings: staff/admins, operations, management

Node Setup Tasks
- Import TFS and/or UCD-basic rulesets
- Install agent on a node
- Create an action
- Use tasks to associate rule, node, action, and schedule a time to run.
- Create a baseline for the node
- Wait.
- Example for a rule with 7,000 elements stored, took ~600 seconds.

Import Useful Rules
- TFS rules very generic, usually result in many elements stored.
- UCD rules leaner, meaner.
- Rule names need to be unique or collision will occur.

Install the Agent Software
- Install as Administrator
- Enter port + services password
- Punch holes in firewall!
- There is a silent install option, see Users Guide, Ch. 2, Installation Procedures for TE Agent

Agent Install

Firewall on Client

Create Email Action

Move Discovered Node

Create First Task
We just want a Check Rule Task for our example

Test That It Works
- Modify a “watched” element
- Run the task, or do a ‘node check’
- Note the change or check your email
- Take action on the intrusion! Or, just promote the changes.

Node Manager
- Adding a node group
- Linking a node
- Elements for file system nodes
- Element versions
- Node viewing filter

Adding a Node Group

Linking a Node

Link Symbol

TE Symbols Exposed

Node Elements

Element Versions

Node Viewing Filter

Without filtering, TMI

Now we can see the trees

Viewing Rules

Rule Specifiers

Action Manager
- Viewing Actions
- Creating an email action
- Creating an SNMP action
- Creating an execution action (locally or on TE server)

An Execution Action

An Execution Action echoing the file name of a changed element to a file

Task Manager
- Viewing tasks
- Creating and deleting tasks

Log Manager
- Viewing logs
- Sorting and filtering Logs

Log Manager - Search

The Baseline - What is Happening?
- Baselining I/O intensive on DB disks
- Recommend baselining only a small number of systems at once.

Snapshot defined
Temporary record of the monitored object’s current attributes. In a baseline execution, this would become the baseline version. In a version check this is the “now” state we compare the baseline against.

Version Check

Viewing Changes

Difference Viewer

Promotion
- Promote selected versions
- Promote by match
- Promote by reference
- Promote by package

Promote Selected Versions
Promote current snapshot(s) to baseline. Select using the GUI.
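
Added example, not part of the original slides and not Tripwire's own code: a minimal Python model of the snapshot, baseline, version check and promotion cycle described above. The function names, the attribute set (size, mode, SHA-256) and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Record the current attributes of every file under root (the 'now' state)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(path)
            snap[os.path.relpath(path, root)] = {
                "size": st.st_size, "mode": st.st_mode & 0o7777, "sha256": digest}
    return snap

def version_check(baseline, current):
    """Compare a fresh snapshot against the baseline, one verdict per element."""
    changes = {}
    for elem in sorted(baseline.keys() | current.keys()):
        if elem not in baseline:
            changes[elem] = "added"
        elif elem not in current:
            changes[elem] = "removed"
        elif baseline[elem] != current[elem]:
            changes[elem] = "modified"
    return changes

def promote(baseline, current, selected):
    """Accept only the selected changes by copying their current version in."""
    new = dict(baseline)
    for elem in selected:
        if elem in current:
            new[elem] = current[elem]
        else:
            new.pop(elem, None)  # promoting a removal drops the element
    return new

def demo():
    """Constructed sample: baseline two files, change three things, promote one."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("hosts", b"127.0.0.1 localhost\n"), ("motd", b"hello\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)                      # baseline execution
        with open(os.path.join(root, "hosts"), "ab") as fh:
            fh.write(b"# edited after baseline\n")    # modify a watched element
        open(os.path.join(root, "new.sh"), "wb").close()
        os.remove(os.path.join(root, "motd"))
        current = snapshot(root)                       # version check snapshot
        found = version_check(baseline, current)
        baseline = promote(baseline, current, ["new.sh"])  # approved change only
        return found, version_check(baseline, current)
```

After promotion the approved element stops reporting, while the unapproved modification and removal keep showing up on every later version check until someone acts on them.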

Homework for July 26
- Install an agent and associate it with a basic rule or rule set and a task or action
- Practice the procedures
- Deployment options

Training Schedule
- July 12: adding and configuring a node using the basic rule set
- July 26: creating and modifying rules
- Aug 1 or 8?: reports, dashboard, deployment steps

Resources
- http://security.ucdavis.edu/tripwire.cfm - Rulesets and presentations
- [email protected] - mailing list
- Vincent Fox - [email protected]
- Doreen Meyer - [email protected]
- Bob Ono - [email protected]
- Software - [email protected]